npm - speclock - Versions diffs - 1.7.0 → 2.1.0 - Mend

speclock 1.7.0 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/src/core/storage.js CHANGED Viewed

@@ -1,6 +1,7 @@
 import fs from "fs";
 import path from "path";
 import crypto from "crypto";
+import { signEvent, isAuditEnabled } from "./audit.js";
 export function nowIso() {
   return new Date().toISOString();
@@ -140,6 +141,14 @@ export function writeBrain(root, brain) {
 }
 export function appendEvent(root, event) {
+  // HMAC audit chain — sign event if audit is enabled
+  try {
+    if (isAuditEnabled(root)) {
+      signEvent(root, event);
+    }
+  } catch {
+    // Audit error — write event without hash (graceful degradation)
+  }
   const line = JSON.stringify(event);
   fs.appendFileSync(eventsPath(root), `${line}\n`);
 }

package/src/mcp/http-server.js CHANGED Viewed

@@ -19,6 +19,7 @@ import {
   updateDeployFacts,
   logChange,
   checkConflict,
+  checkConflictAsync,
   getSessionBriefing,
   endSession,
   suggestLocks,
@@ -27,6 +28,8 @@ import {
   applyTemplate,
   generateReport,
   auditStagedFiles,
+  verifyAuditChain,
+  exportCompliance,
 } from "../core/engine.js";
 import { generateContext, generateContextPack } from "../core/context.js";
 import {
@@ -45,8 +48,51 @@ import {
 } from "../core/git.js";
 const PROJECT_ROOT = process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
-const VERSION = "1.7.0";
+const VERSION = "2.1.0";
 const AUTHOR = "Sandeep Roy";
+const START_TIME = Date.now();
+// --- Rate Limiting ---
+const RATE_LIMIT = parseInt(process.env.SPECLOCK_RATE_LIMIT || "100", 10);
+const RATE_WINDOW_MS = 60_000;
+const rateLimitMap = new Map();
+function checkRateLimit(ip) {
+  const now = Date.now();
+  if (!rateLimitMap.has(ip)) {
+    rateLimitMap.set(ip, []);
+  }
+  const timestamps = rateLimitMap.get(ip).filter((t) => now - t < RATE_WINDOW_MS);
+  timestamps.push(now);
+  rateLimitMap.set(ip, timestamps);
+  return timestamps.length <= RATE_LIMIT;
+}
+// Clean up stale entries every 5 minutes
+setInterval(() => {
+  const now = Date.now();
+  for (const [ip, timestamps] of rateLimitMap) {
+    const active = timestamps.filter((t) => now - t < RATE_WINDOW_MS);
+    if (active.length === 0) rateLimitMap.delete(ip);
+    else rateLimitMap.set(ip, active);
+  }
+}, 5 * 60_000);
+// --- CORS Configuration ---
+const ALLOWED_ORIGINS = process.env.SPECLOCK_CORS_ORIGINS
+  ? process.env.SPECLOCK_CORS_ORIGINS.split(",").map((s) => s.trim())
+  : ["*"];
+function setCorsHeaders(res) {
+  const origin = ALLOWED_ORIGINS.includes("*") ? "*" : ALLOWED_ORIGINS.join(", ");
+  res.setHeader("Access-Control-Allow-Origin", origin);
+  res.setHeader("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS");
+  res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
+  res.setHeader("Access-Control-Max-Age", "86400");
+}
+// --- Request Size Limit ---
+const MAX_BODY_SIZE = 1024 * 1024; // 1MB
 function createSpecLockServer() {
   const server = new McpServer(
@@ -176,7 +222,7 @@ function createSpecLockServer() {
   // Tool 12: speclock_check_conflict
   server.tool("speclock_check_conflict", "Check if a proposed action conflicts with any active SpecLock.", { proposedAction: z.string().min(1).describe("Description of the action") }, async ({ proposedAction }) => {
     ensureInit(PROJECT_ROOT);
-    const result = checkConflict(PROJECT_ROOT, proposedAction);
+    const result = await checkConflictAsync(PROJECT_ROOT, proposedAction);
     return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
   });
@@ -292,13 +338,57 @@ function createSpecLockServer() {
     return { content: [{ type: "text", text: `## Audit Failed\n\n${text}\n\n${result.message}` }] };
   });
+  // Tool 23: speclock_verify_audit
+  server.tool("speclock_verify_audit", "Verify the integrity of the HMAC audit chain.", {}, async () => {
+    ensureInit(PROJECT_ROOT);
+    const result = verifyAuditChain(PROJECT_ROOT);
+    return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+  });
+  // Tool 24: speclock_export_compliance
+  server.tool("speclock_export_compliance", "Generate compliance reports (SOC 2, HIPAA, CSV).", { format: z.enum(["soc2", "hipaa", "csv"]).describe("Export format") }, async ({ format }) => {
+    ensureInit(PROJECT_ROOT);
+    const result = exportCompliance(PROJECT_ROOT, format);
+    if (result.error) return { content: [{ type: "text", text: result.error }], isError: true };
+    const output = format === "csv" ? result.data : JSON.stringify(result.data, null, 2);
+    return { content: [{ type: "text", text: output }] };
+  });
   return server;
 }
 // --- HTTP Server ---
 const app = createMcpExpressApp({ host: "0.0.0.0" });
+// CORS preflight handler
+app.options("*", (req, res) => {
+  setCorsHeaders(res);
+  res.writeHead(204).end();
+});
 app.post("/mcp", async (req, res) => {
+  setCorsHeaders(res);
+  // Rate limiting
+  const clientIp = req.headers["x-forwarded-for"]?.split(",")[0]?.trim() || req.socket?.remoteAddress || "unknown";
+  if (!checkRateLimit(clientIp)) {
+    return res.status(429).json({
+      jsonrpc: "2.0",
+      error: { code: -32000, message: `Rate limit exceeded (${RATE_LIMIT} req/min). Try again later.` },
+      id: null,
+    });
+  }
+  // Request size check
+  const contentLength = parseInt(req.headers["content-length"] || "0", 10);
+  if (contentLength > MAX_BODY_SIZE) {
+    return res.status(413).json({
+      jsonrpc: "2.0",
+      error: { code: -32000, message: `Request too large (max ${MAX_BODY_SIZE / 1024}KB)` },
+      id: null,
+    });
+  }
   const server = createSpecLockServer();
   try {
     const transport = new StreamableHTTPServerTransport({ sessionIdGenerator: undefined });
@@ -317,22 +407,47 @@ app.post("/mcp", async (req, res) => {
 });
 app.get("/mcp", async (req, res) => {
+  setCorsHeaders(res);
   res.writeHead(405).end(JSON.stringify({ jsonrpc: "2.0", error: { code: -32000, message: "Method not allowed." }, id: null }));
 });
 app.delete("/mcp", async (req, res) => {
+  setCorsHeaders(res);
   res.writeHead(405).end(JSON.stringify({ jsonrpc: "2.0", error: { code: -32000, message: "Method not allowed." }, id: null }));
 });
-// Health check endpoint
+// Health check endpoint (enhanced for enterprise)
+app.get("/health", (req, res) => {
+  setCorsHeaders(res);
+  let auditStatus = "unknown";
+  try {
+    const result = verifyAuditChain(PROJECT_ROOT);
+    auditStatus = result.valid ? "valid" : "broken";
+  } catch {
+    auditStatus = "unavailable";
+  }
+  res.json({
+    status: "healthy",
+    version: VERSION,
+    uptime: Math.floor((Date.now() - START_TIME) / 1000),
+    tools: 24,
+    auditChain: auditStatus,
+    rateLimit: { limit: RATE_LIMIT, windowMs: RATE_WINDOW_MS },
+  });
+});
+// Root info endpoint
 app.get("/", (req, res) => {
+  setCorsHeaders(res);
   res.json({
     name: "speclock",
     version: VERSION,
     author: AUTHOR,
-    description: "AI Continuity Engine — Kill AI amnesia",
-    tools: 22,
+    description: "AI Continuity Engine with enterprise audit, compliance, and enforcement",
+    tools: 24,
     mcp_endpoint: "/mcp",
+    health_endpoint: "/health",
     npm: "https://www.npmjs.com/package/speclock",
     github: "https://github.com/sgroy10/speclock",
   });

package/src/mcp/server.js CHANGED Viewed

@@ -12,6 +12,7 @@ import {
   updateDeployFacts,
   logChange,
   checkConflict,
+  checkConflictAsync,
   getSessionBriefing,
   endSession,
   suggestLocks,
@@ -22,6 +23,10 @@ import {
   applyTemplate,
   generateReport,
   auditStagedFiles,
+  verifyAuditChain,
+  exportCompliance,
+  checkLimits,
+  getLicenseInfo,
 } from "../core/engine.js";
 import { generateContext, generateContextPack } from "../core/context.js";
 import {
@@ -56,7 +61,7 @@ const PROJECT_ROOT =
   args.project || process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
 // --- MCP Server ---
-const VERSION = "1.7.0";
+const VERSION = "2.1.0";
 const AUTHOR = "Sandeep Roy";
 const server = new McpServer(
@@ -427,7 +432,7 @@ server.tool(
       .describe("Description of the action you plan to take"),
   },
   async ({ proposedAction }) => {
-    const result = checkConflict(PROJECT_ROOT, proposedAction);
+    const result = await checkConflictAsync(PROJECT_ROOT, proposedAction);
     return {
       content: [{ type: "text", text: result.analysis }],
     };
@@ -882,6 +887,77 @@ server.tool(
   }
 );
+// ========================================
+// ENTERPRISE TOOLS (v2.1)
+// ========================================
+// Tool 23: speclock_verify_audit
+server.tool(
+  "speclock_verify_audit",
+  "Verify the integrity of the HMAC audit chain. Detects tampering or corruption in the event log. Returns chain status, total events, and any broken links.",
+  {},
+  async () => {
+    ensureInit(PROJECT_ROOT);
+    const result = verifyAuditChain(PROJECT_ROOT);
+    const status = result.valid ? "VALID" : "BROKEN";
+    const parts = [
+      `## Audit Chain Verification`,
+      ``,
+      `Status: **${status}**`,
+      `Total events: ${result.totalEvents}`,
+      `Hashed events: ${result.hashedEvents}`,
+      `Legacy events (pre-v2.1): ${result.unhashedEvents}`,
+    ];
+    if (!result.valid && result.errors) {
+      parts.push(``, `### Errors`);
+      for (const err of result.errors) {
+        parts.push(`- Line ${err.line}: ${err.error}${err.eventId ? ` (${err.eventId})` : ""}`);
+      }
+    }
+    parts.push(``, result.message);
+    parts.push(``, `Verified at: ${result.verifiedAt}`);
+    return {
+      content: [{ type: "text", text: parts.join("\n") }],
+    };
+  }
+);
+// Tool 24: speclock_export_compliance
+server.tool(
+  "speclock_export_compliance",
+  "Generate compliance reports for enterprise auditing. Supports SOC 2 Type II, HIPAA, and CSV formats. Reports include constraint management, access logs, audit chain integrity, and violation history.",
+  {
+    format: z
+      .enum(["soc2", "hipaa", "csv"])
+      .describe("Export format: soc2 (JSON), hipaa (JSON), csv (spreadsheet)"),
+  },
+  async ({ format }) => {
+    ensureInit(PROJECT_ROOT);
+    const result = exportCompliance(PROJECT_ROOT, format);
+    if (result.error) {
+      return {
+        content: [{ type: "text", text: result.error }],
+        isError: true,
+      };
+    }
+    if (format === "csv") {
+      return {
+        content: [{ type: "text", text: `## Compliance Export (CSV)\n\n\`\`\`csv\n${result.data}\n\`\`\`` }],
+      };
+    }
+    return {
+      content: [{ type: "text", text: `## Compliance Export (${format.toUpperCase()})\n\n\`\`\`json\n${JSON.stringify(result.data, null, 2)}\n\`\`\`` }],
+    };
+  }
+);
 // --- Smithery sandbox export ---
 export default function createSandboxServer() {
   return server;