npm - speclock - Versions diffs - 1.6.0 → 2.0.0 - Mend

speclock 1.6.0 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/src/core/storage.js CHANGED Viewed

@@ -73,6 +73,7 @@ export function makeBrain(root, hasGitRepo, defaultBranch) {
       },
       recentChanges: [],
       reverts: [],
+      violations: [],
     },
     events: { lastEventId: "", count: 0 },
   };
@@ -104,6 +105,11 @@ export function migrateBrainV1toV2(brain) {
     brain.facts.deploy.url = "";
   }
+  // Add violations array if missing
+  if (brain.state && !brain.state.violations) {
+    brain.state.violations = [];
+  }
   // Remove old importance field
   delete brain.importance;
@@ -120,6 +126,10 @@ export function readBrain(root) {
     brain = migrateBrainV1toV2(brain);
     writeBrain(root, brain);
   }
+  // Ensure violations array exists (added in v1.7.0)
+  if (brain.state && !brain.state.violations) {
+    brain.state.violations = [];
+  }
   return brain;
 }
@@ -184,3 +194,11 @@ export function addRecentChange(brain, item) {
 export function addRevert(brain, item) {
   brain.state.reverts.unshift(item);
 }
+export function addViolation(brain, item) {
+  if (!brain.state.violations) brain.state.violations = [];
+  brain.state.violations.unshift(item);
+  if (brain.state.violations.length > 100) {
+    brain.state.violations = brain.state.violations.slice(0, 100);
+  }
+}

package/src/core/templates.js ADDED Viewed

@@ -0,0 +1,114 @@
+// SpecLock Constraint Templates — Pre-built lock packs for common frameworks
+export const TEMPLATES = {
+  nextjs: {
+    name: "nextjs",
+    displayName: "Next.js",
+    description: "Constraints for Next.js applications — protects routing, API routes, and middleware",
+    locks: [
+      "Never modify the authentication system without explicit permission",
+      "Never change the Next.js routing structure (app/ or pages/ directory layout)",
+      "API routes must not expose internal server logic to the client",
+      "Middleware must not be modified without review",
+      "Environment variables must not be hardcoded in source files",
+    ],
+    decisions: [
+      "Framework: Next.js (App Router or Pages Router as configured)",
+      "Server components are the default; client components require 'use client' directive",
+    ],
+  },
+  react: {
+    name: "react",
+    displayName: "React",
+    description: "Constraints for React applications — protects state management, component architecture",
+    locks: [
+      "Never modify the authentication system without explicit permission",
+      "Global state management pattern must not change without review",
+      "Component prop interfaces must maintain backward compatibility",
+      "Shared utility functions must not have breaking changes",
+      "Environment variables must not be hardcoded in source files",
+    ],
+    decisions: [
+      "Framework: React with functional components and hooks",
+      "Styling approach must remain consistent across the project",
+    ],
+  },
+  express: {
+    name: "express",
+    displayName: "Express.js API",
+    description: "Constraints for Express.js backends — protects middleware, routes, and database layer",
+    locks: [
+      "Never modify authentication or authorization middleware without explicit permission",
+      "Database connection configuration must not change without review",
+      "No breaking changes to public API endpoints",
+      "Rate limiting and security middleware must not be disabled",
+      "Environment variables and secrets must not be hardcoded",
+    ],
+    decisions: [
+      "Backend: Express.js with REST API pattern",
+      "Error handling follows centralized middleware pattern",
+    ],
+  },
+  supabase: {
+    name: "supabase",
+    displayName: "Supabase",
+    description: "Constraints for Supabase projects — protects auth, RLS policies, and database schema",
+    locks: [
+      "Database must always be Supabase — never switch to another provider",
+      "Row Level Security (RLS) policies must not be disabled or weakened",
+      "Supabase auth configuration must not change without explicit permission",
+      "Database schema migrations must not drop tables or columns without review",
+      "Supabase client initialization must not be modified",
+    ],
+    decisions: [
+      "Database and auth provider: Supabase",
+      "All database access must go through Supabase client (no direct SQL in application code)",
+    ],
+  },
+  stripe: {
+    name: "stripe",
+    displayName: "Stripe Payments",
+    description: "Constraints for Stripe integration — protects payment logic, webhooks, and pricing",
+    locks: [
+      "Payment processing logic must not be modified without explicit permission",
+      "Stripe webhook handlers must not change without review",
+      "Pricing and subscription tier definitions must not change without permission",
+      "Stripe API keys must never be hardcoded or exposed to the client",
+      "Payment error handling must not be weakened or removed",
+    ],
+    decisions: [
+      "Payment provider: Stripe",
+      "All payment operations must be server-side only",
+    ],
+  },
+  "security-hardened": {
+    name: "security-hardened",
+    displayName: "Security Hardened",
+    description: "Strict security constraints — protects auth, secrets, CORS, input validation",
+    locks: [
+      "Never modify authentication or authorization without explicit permission",
+      "No secrets, API keys, or credentials in source code",
+      "CORS configuration must not be loosened without review",
+      "Input validation must not be weakened or bypassed",
+      "Security headers and CSP must not be removed or weakened",
+      "Dependencies must not be downgraded without security review",
+    ],
+    decisions: [
+      "Security-first development: all inputs validated, all outputs encoded",
+      "Authentication changes require explicit user approval",
+    ],
+  },
+};
+export function getTemplateNames() {
+  return Object.keys(TEMPLATES);
+}
+export function getTemplate(name) {
+  return TEMPLATES[name] || null;
+}

package/src/mcp/http-server.js CHANGED Viewed

@@ -1,6 +1,6 @@
 /**
  * SpecLock MCP HTTP Server — for Railway / remote deployment
- * Wraps the same 19 tools as the stdio server using Streamable HTTP transport.
+ * Wraps the same 22 tools as the stdio server using Streamable HTTP transport.
  * Developed by Sandeep Roy (https://github.com/sgroy10)
  */
@@ -19,10 +19,15 @@ import {
   updateDeployFacts,
   logChange,
   checkConflict,
+  checkConflictAsync,
   getSessionBriefing,
   endSession,
   suggestLocks,
   detectDrift,
+  listTemplates,
+  applyTemplate,
+  generateReport,
+  auditStagedFiles,
 } from "../core/engine.js";
 import { generateContext, generateContextPack } from "../core/context.js";
 import {
@@ -41,7 +46,7 @@ import {
 } from "../core/git.js";
 const PROJECT_ROOT = process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
-const VERSION = "1.2.0";
+const VERSION = "2.0.0";
 const AUTHOR = "Sandeep Roy";
 function createSpecLockServer() {
@@ -172,7 +177,7 @@ function createSpecLockServer() {
   // Tool 12: speclock_check_conflict
   server.tool("speclock_check_conflict", "Check if a proposed action conflicts with any active SpecLock.", { proposedAction: z.string().min(1).describe("Description of the action") }, async ({ proposedAction }) => {
     ensureInit(PROJECT_ROOT);
-    const result = checkConflict(PROJECT_ROOT, proposedAction);
+    const result = await checkConflictAsync(PROJECT_ROOT, proposedAction);
     return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
   });
@@ -253,6 +258,41 @@ function createSpecLockServer() {
     return { content: [{ type: "text", text: `## SpecLock Health Check\n\nScore: **${score}/100** (Grade: ${grade})\nEvents: ${brain.events.count} | Reverts: ${brain.state.reverts.length}\n\n### Checks\n${checks.join("\n")}${agentTimeline}\n\n---\n*SpecLock v${VERSION} — Developed by ${AUTHOR}*` }] };
   });
+  // Tool 20: speclock_apply_template
+  server.tool("speclock_apply_template", "Apply a pre-built constraint template (nextjs, react, express, supabase, stripe, security-hardened).", { name: z.string().optional().describe("Template name. Omit to list.") }, async ({ name }) => {
+    ensureInit(PROJECT_ROOT);
+    if (!name) {
+      const templates = listTemplates();
+      const text = templates.map(t => `- **${t.name}** (${t.displayName}): ${t.description} — ${t.lockCount} locks, ${t.decisionCount} decisions`).join("\n");
+      return { content: [{ type: "text", text: `## Available Templates\n\n${text}\n\nCall again with a name to apply.` }] };
+    }
+    const result = applyTemplate(PROJECT_ROOT, name);
+    if (!result.applied) return { content: [{ type: "text", text: result.error }], isError: true };
+    return { content: [{ type: "text", text: `Template "${result.displayName}" applied: ${result.locksAdded} lock(s) + ${result.decisionsAdded} decision(s).` }] };
+  });
+  // Tool 21: speclock_report
+  server.tool("speclock_report", "Violation report — how many times SpecLock blocked changes.", {}, async () => {
+    ensureInit(PROJECT_ROOT);
+    const report = generateReport(PROJECT_ROOT);
+    const parts = [`## Violation Report`, `Total blocked: **${report.totalViolations}**`];
+    if (report.mostTestedLocks.length > 0) {
+      parts.push("", "### Most Tested Locks");
+      for (const l of report.mostTestedLocks) parts.push(`- ${l.count}x — "${l.text}"`);
+    }
+    parts.push("", report.summary);
+    return { content: [{ type: "text", text: parts.join("\n") }] };
+  });
+  // Tool 22: speclock_audit
+  server.tool("speclock_audit", "Audit staged files against active locks.", {}, async () => {
+    ensureInit(PROJECT_ROOT);
+    const result = auditStagedFiles(PROJECT_ROOT);
+    if (result.passed) return { content: [{ type: "text", text: result.message }] };
+    const text = result.violations.map(v => `- [${v.severity}] **${v.file}** — ${v.reason}\n  Lock: "${v.lockText}"`).join("\n");
+    return { content: [{ type: "text", text: `## Audit Failed\n\n${text}\n\n${result.message}` }] };
+  });
   return server;
 }
@@ -292,7 +332,7 @@ app.get("/", (req, res) => {
     version: VERSION,
     author: AUTHOR,
     description: "AI Continuity Engine — Kill AI amnesia",
-    tools: 19,
+    tools: 22,
     mcp_endpoint: "/mcp",
     npm: "https://www.npmjs.com/package/speclock",
     github: "https://github.com/sgroy10/speclock",

package/src/mcp/server.js CHANGED Viewed

@@ -12,12 +12,17 @@ import {
   updateDeployFacts,
   logChange,
   checkConflict,
+  checkConflictAsync,
   getSessionBriefing,
   endSession,
   suggestLocks,
   detectDrift,
   syncLocksToPackageJson,
   autoGuardRelatedFiles,
+  listTemplates,
+  applyTemplate,
+  generateReport,
+  auditStagedFiles,
 } from "../core/engine.js";
 import { generateContext, generateContextPack } from "../core/context.js";
 import {
@@ -52,7 +57,7 @@ const PROJECT_ROOT =
   args.project || process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
 // --- MCP Server ---
-const VERSION = "1.2.0";
+const VERSION = "2.0.0";
 const AUTHOR = "Sandeep Roy";
 const server = new McpServer(
@@ -423,7 +428,7 @@ server.tool(
       .describe("Description of the action you plan to take"),
   },
   async ({ proposedAction }) => {
-    const result = checkConflict(PROJECT_ROOT, proposedAction);
+    const result = await checkConflictAsync(PROJECT_ROOT, proposedAction);
     return {
       content: [{ type: "text", text: result.analysis }],
     };
@@ -766,6 +771,118 @@ server.tool(
   }
 );
+// ========================================
+// TEMPLATE, REPORT & AUDIT TOOLS (v1.7.0)
+// ========================================
+// Tool 20: speclock_apply_template
+server.tool(
+  "speclock_apply_template",
+  "Apply a pre-built constraint template (e.g., nextjs, react, express, supabase, stripe, security-hardened). Templates add recommended locks and decisions for common frameworks.",
+  {
+    name: z
+      .string()
+      .optional()
+      .describe("Template name to apply. Omit to list available templates."),
+  },
+  async ({ name }) => {
+    if (!name) {
+      const templates = listTemplates();
+      const formatted = templates
+        .map((t) => `- **${t.name}** (${t.displayName}): ${t.description} — ${t.lockCount} locks, ${t.decisionCount} decisions`)
+        .join("\n");
+      return {
+        content: [
+          {
+            type: "text",
+            text: `## Available Templates\n\n${formatted}\n\nCall again with a name to apply.`,
+          },
+        ],
+      };
+    }
+    const result = applyTemplate(PROJECT_ROOT, name);
+    if (!result.applied) {
+      return {
+        content: [{ type: "text", text: result.error }],
+        isError: true,
+      };
+    }
+    return {
+      content: [
+        {
+          type: "text",
+          text: `Template "${result.displayName}" applied: ${result.locksAdded} lock(s) + ${result.decisionsAdded} decision(s) added.`,
+        },
+      ],
+    };
+  }
+);
+// Tool 21: speclock_report
+server.tool(
+  "speclock_report",
+  "Get a violation report showing how many times SpecLock blocked constraint violations, which locks were tested most, and recent violations.",
+  {},
+  async () => {
+    const report = generateReport(PROJECT_ROOT);
+    const parts = [`## SpecLock Violation Report`, ``, `Total violations blocked: **${report.totalViolations}**`];
+    if (report.timeRange) {
+      parts.push(`Period: ${report.timeRange.from.substring(0, 10)} to ${report.timeRange.to.substring(0, 10)}`);
+    }
+    if (report.mostTestedLocks.length > 0) {
+      parts.push("", "### Most Tested Locks");
+      for (const lock of report.mostTestedLocks) {
+        parts.push(`- ${lock.count}x — "${lock.text}"`);
+      }
+    }
+    if (report.recentViolations.length > 0) {
+      parts.push("", "### Recent Violations");
+      for (const v of report.recentViolations) {
+        parts.push(`- [${v.at.substring(0, 19)}] ${v.topLevel} (${v.topConfidence}%) — "${v.action}"`);
+      }
+    }
+    parts.push("", `---`, report.summary);
+    return {
+      content: [{ type: "text", text: parts.join("\n") }],
+    };
+  }
+);
+// Tool 22: speclock_audit
+server.tool(
+  "speclock_audit",
+  "Audit git staged files against active SpecLock constraints. Returns pass/fail with details on which files violate locks. Used by the pre-commit hook.",
+  {},
+  async () => {
+    const result = auditStagedFiles(PROJECT_ROOT);
+    if (result.passed) {
+      return {
+        content: [{ type: "text", text: result.message }],
+      };
+    }
+    const formatted = result.violations
+      .map((v) => `- [${v.severity}] **${v.file}** — ${v.reason}\n  Lock: "${v.lockText}"`)
+      .join("\n");
+    return {
+      content: [
+        {
+          type: "text",
+          text: `## Audit Failed\n\n${formatted}\n\n${result.message}`,
+        },
+      ],
+    };
+  }
+);
 // --- Smithery sandbox export ---
 export default function createSandboxServer() {
   return server;