speclock 2.5.0 → 3.5.0

package/src/mcp/http-server.js

@@ -5,6 +5,7 @@
  */
 
 import os from "os";
+import fs from "fs";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 import { createMcpExpressApp } from "@modelcontextprotocol/sdk/server/express.js";
@@ -51,9 +52,46 @@ import {
   createTag,
   getDiffSummary,
 } from "../core/git.js";
+import {
+  isAuthEnabled,
+  validateApiKey,
+  checkPermission,
+  createApiKey,
+  rotateApiKey,
+  revokeApiKey,
+  listApiKeys,
+  enableAuth,
+  disableAuth,
+  TOOL_PERMISSIONS,
+} from "../core/auth.js";
+import { isEncryptionEnabled } from "../core/crypto.js";
+import {
+  evaluatePolicy,
+  listPolicyRules,
+  addPolicyRule,
+  removePolicyRule,
+  initPolicy,
+  exportPolicy,
+  importPolicy,
+} from "../core/policy.js";
+import {
+  isTelemetryEnabled,
+  trackToolUsage,
+  getTelemetrySummary,
+} from "../core/telemetry.js";
+import {
+  isSSOEnabled,
+  getAuthorizationUrl,
+  handleCallback as ssoHandleCallback,
+  validateSession,
+  revokeSession,
+  listSessions,
+} from "../core/sso.js";
+import { fileURLToPath } from "url";
+import _path from "path";
 
 const PROJECT_ROOT = process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
-const VERSION = "2.5.0";
+const VERSION = "3.5.0";
 const AUTHOR = "Sandeep Roy";
 const START_TIME = Date.now();
 
@@ -403,6 +441,16 @@ app.options("*", (req, res) => {
   res.writeHead(204).end();
 });
 
+// --- Auth middleware helper ---
+function authenticateRequest(req) {
+  if (!isAuthEnabled(PROJECT_ROOT)) {
+    return { valid: true, role: "admin", authEnabled: false };
+  }
+  const authHeader = req.headers["authorization"] || "";
+  const rawKey = authHeader.startsWith("Bearer ") ? authHeader.slice(7).trim() : "";
+  return validateApiKey(PROJECT_ROOT, rawKey);
+}
+
 app.post("/mcp", async (req, res) => {
   setCorsHeaders(res);
 
@@ -426,6 +474,28 @@ app.post("/mcp", async (req, res) => {
     });
   }
 
+  // Authentication (v3.0)
+  const auth = authenticateRequest(req);
+  if (!auth.valid) {
+    return res.status(401).json({
+      jsonrpc: "2.0",
+      error: { code: -32000, message: auth.error || "Authentication required." },
+      id: null,
+    });
+  }
+
+  // RBAC check — extract tool name from JSON-RPC body for permission check
+  if (auth.authEnabled && req.body && req.body.method === "tools/call") {
+    const toolName = req.body.params?.name;
+    if (toolName && !checkPermission(auth.role, toolName)) {
+      return res.status(403).json({
+        jsonrpc: "2.0",
+        error: { code: -32000, message: `Permission denied. Role "${auth.role}" cannot access "${toolName}". Required: ${TOOL_PERMISSIONS[toolName] || "admin"}` },
+        id: req.body.id || null,
+      });
+    }
+  }
+
   const server = createSpecLockServer();
   try {
     const transport = new StreamableHTTPServerTransport({ sessionIdGenerator: undefined });
@@ -443,6 +513,51 @@ app.post("/mcp", async (req, res) => {
   }
 });
 
+// --- Auth management endpoint (v3.0) ---
+app.post("/auth", async (req, res) => {
+  setCorsHeaders(res);
+  const auth = authenticateRequest(req);
+
+  const { action } = req.body || {};
+
+  // Creating the first key doesn't require auth (bootstrap)
+  if (action === "create-key" && !isAuthEnabled(PROJECT_ROOT)) {
+    const { role, name } = req.body;
+    const result = createApiKey(PROJECT_ROOT, role || "admin", name || "");
+    return res.json(result);
+  }
+
+  // All other auth actions require admin role
+  if (auth.authEnabled && (!auth.valid || auth.role !== "admin")) {
+    return res.status(auth.valid ? 403 : 401).json({
+      error: auth.valid ? "Admin role required for auth management." : auth.error,
+    });
+  }
+
+  switch (action) {
+    case "create-key": {
+      const { role, name } = req.body;
+      return res.json(createApiKey(PROJECT_ROOT, role || "developer", name || ""));
+    }
+    case "rotate-key": {
+      const { keyId } = req.body;
+      return res.json(rotateApiKey(PROJECT_ROOT, keyId));
+    }
+    case "revoke-key": {
+      const { keyId, reason } = req.body;
+      return res.json(revokeApiKey(PROJECT_ROOT, keyId, reason || "manual"));
+    }
+    case "list-keys":
+      return res.json(listApiKeys(PROJECT_ROOT));
+    case "enable":
+      return res.json(enableAuth(PROJECT_ROOT));
+    case "disable":
+      return res.json(disableAuth(PROJECT_ROOT));
+    default:
+      return res.status(400).json({ error: `Unknown auth action: "${action}". Valid: create-key, rotate-key, revoke-key, list-keys, enable, disable` });
+  }
+});
+
 app.get("/mcp", async (req, res) => {
   setCorsHeaders(res);
   res.writeHead(405).end(JSON.stringify({ jsonrpc: "2.0", error: { code: -32000, message: "Method not allowed." }, id: null }));
@@ -468,8 +583,9 @@ app.get("/health", (req, res) => {
     status: "healthy",
     version: VERSION,
     uptime: Math.floor((Date.now() - START_TIME) / 1000),
-    tools: 24,
+    tools: 28,
     auditChain: auditStatus,
+    authEnabled: isAuthEnabled(PROJECT_ROOT),
     rateLimit: { limit: RATE_LIMIT, windowMs: RATE_WINDOW_MS },
   });
 });
@@ -482,7 +598,7 @@ app.get("/", (req, res) => {
     version: VERSION,
     author: AUTHOR,
     description: "AI Continuity Engine with enterprise audit, compliance, and enforcement",
-    tools: 24,
+    tools: 28,
     mcp_endpoint: "/mcp",
     health_endpoint: "/health",
     npm: "https://www.npmjs.com/package/speclock",
@@ -490,7 +606,136 @@ app.get("/", (req, res) => {
   });
 });
 
+// ========================================
+// DASHBOARD (v3.5)
+// ========================================
+
+// Serve dashboard HTML
+app.get("/dashboard", (req, res) => {
+  setCorsHeaders(res);
+  const __filename = fileURLToPath(import.meta.url);
+  const __dirname = _path.dirname(__filename);
+  const htmlPath = _path.join(__dirname, "..", "dashboard", "index.html");
+  try {
+    const html = fs.readFileSync(htmlPath, "utf-8");
+    res.setHeader("Content-Type", "text/html");
+    res.end(html);
+  } catch {
+    res.status(404).end("Dashboard not found.");
+  }
+});
+
+// Dashboard API: brain data
+app.get("/dashboard/api/brain", (req, res) => {
+  setCorsHeaders(res);
+  try {
+    ensureInit(PROJECT_ROOT);
+    const brain = readBrain(PROJECT_ROOT);
+    if (!brain) return res.json({});
+    // Add metadata for dashboard
+    brain._encryption = isEncryptionEnabled();
+    brain._authEnabled = isAuthEnabled(PROJECT_ROOT);
+    try {
+      const keys = listApiKeys(PROJECT_ROOT);
+      brain._authKeys = keys.keys.filter(k => k.active).length;
+    } catch { brain._authKeys = 0; }
+    res.json(brain);
+  } catch (e) {
+    res.status(500).json({ error: e.message });
+  }
+});
+
+// Dashboard API: recent events
+app.get("/dashboard/api/events", (req, res) => {
+  setCorsHeaders(res);
+  try {
+    const events = readEvents(PROJECT_ROOT, { limit: 50 });
+    res.json({ events });
+  } catch {
+    res.json({ events: [] });
+  }
+});
+
+// Dashboard API: telemetry summary
+app.get("/dashboard/api/telemetry", (req, res) => {
+  setCorsHeaders(res);
+  res.json(getTelemetrySummary(PROJECT_ROOT));
+});
+
+// ========================================
+// POLICY-AS-CODE ENDPOINTS (v3.5)
+// ========================================
+
+app.get("/policy", (req, res) => {
+  setCorsHeaders(res);
+  res.json(listPolicyRules(PROJECT_ROOT));
+});
+
+app.post("/policy", async (req, res) => {
+  setCorsHeaders(res);
+  const auth = authenticateRequest(req);
+  if (auth.authEnabled && (!auth.valid || !checkPermission(auth.role, "speclock_add_lock"))) {
+    return res.status(auth.valid ? 403 : 401).json({ error: "Write permission required." });
+  }
+
+  const { action } = req.body || {};
+  switch (action) {
+    case "init":
+      return res.json(initPolicy(PROJECT_ROOT));
+    case "add-rule":
+      return res.json(addPolicyRule(PROJECT_ROOT, req.body.rule || {}));
+    case "remove-rule":
+      return res.json(removePolicyRule(PROJECT_ROOT, req.body.ruleId));
+    case "evaluate":
+      return res.json(evaluatePolicy(PROJECT_ROOT, req.body.action || {}));
+    case "export":
+      return res.json(exportPolicy(PROJECT_ROOT));
+    case "import":
+      return res.json(importPolicy(PROJECT_ROOT, req.body.yaml || "", req.body.mode || "merge"));
+    default:
+      return res.status(400).json({ error: `Unknown policy action. Valid: init, add-rule, remove-rule, evaluate, export, import` });
+  }
+});
+
+// ========================================
+// SSO ENDPOINTS (v3.5)
+// ========================================
+
+app.get("/auth/sso/login", (req, res) => {
+  setCorsHeaders(res);
+  if (!isSSOEnabled(PROJECT_ROOT)) {
+    return res.status(400).json({ error: "SSO not configured." });
+  }
+  const result = getAuthorizationUrl(PROJECT_ROOT);
+  if (!result.success) return res.status(400).json(result);
+  res.redirect(result.url);
+});
+
+app.get("/auth/callback", async (req, res) => {
+  setCorsHeaders(res);
+  const { code, state, error } = req.query || {};
+  if (error) return res.status(400).json({ error });
+  if (!code || !state) return res.status(400).json({ error: "Missing code or state." });
+  const result = await ssoHandleCallback(PROJECT_ROOT, code, state);
+  if (!result.success) return res.status(401).json(result);
+  res.json({ message: "SSO login successful", ...result });
+});
+
+app.get("/auth/sso/sessions", (req, res) => {
+  setCorsHeaders(res);
+  res.json(listSessions(PROJECT_ROOT));
+});
+
+app.post("/auth/sso/logout", (req, res) => {
+  setCorsHeaders(res);
+  const { sessionId } = req.body || {};
+  res.json(revokeSession(PROJECT_ROOT, sessionId));
+});
+
+// ========================================
+
 const PORT = parseInt(process.env.PORT || "3000", 10);
 app.listen(PORT, "0.0.0.0", () => {
   console.log(`SpecLock MCP HTTP Server v${VERSION} running on port ${PORT} — Developed by ${AUTHOR}`);
+  console.log(`  Dashboard: http://localhost:${PORT}/dashboard`);
 });

package/src/mcp/server.js

@@ -33,6 +33,16 @@ import {
   getOverrideHistory,
   getEnforcementConfig,
   semanticAudit,
+  evaluatePolicy,
+  listPolicyRules,
+  addPolicyRule,
+  removePolicyRule,
+  initPolicy,
+  exportPolicy,
+  importPolicy,
+  isTelemetryEnabled,
+  getTelemetrySummary,
+  trackToolUsage,
 } from "../core/engine.js";
 import { generateContext, generateContextPack } from "../core/context.js";
 import {
@@ -49,6 +59,29 @@ import {
   createTag,
   getDiffSummary,
 } from "../core/git.js";
+import {
+  isAuthEnabled,
+  validateApiKey,
+  checkPermission,
+} from "../core/auth.js";
+
+// --- Auth via env var (v3.0) ---
+function getAuthRole() {
+  if (!isAuthEnabled(PROJECT_ROOT)) return "admin";
+  const key = process.env.SPECLOCK_API_KEY;
+  if (!key) return "admin"; // No key env var = local use, allow all
+  const result = validateApiKey(PROJECT_ROOT, key);
+  return result.valid ? result.role : null;
+}
+
+function requirePermission(toolName) {
+  const role = getAuthRole();
+  if (!role) return { allowed: false, error: "Invalid SPECLOCK_API_KEY." };
+  if (!checkPermission(role, toolName)) {
+    return { allowed: false, error: `Permission denied. Role "${role}" cannot access "${toolName}".` };
+  }
+  return { allowed: true, role };
+}
 
 // --- Project root resolution ---
 function parseArgs(argv) {
@@ -67,7 +100,7 @@ const PROJECT_ROOT =
   args.project || process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
 
 // --- MCP Server ---
-const VERSION = "2.5.0";
+const VERSION = "3.5.0";
 const AUTHOR = "Sandeep Roy";
 
 const server = new McpServer(
@@ -1137,6 +1170,144 @@ server.tool(
   }
 );
 
+// ========================================
+// POLICY-AS-CODE TOOLS (v3.5)
+// ========================================
+
+// Tool 29: speclock_policy_evaluate
+server.tool(
+  "speclock_policy_evaluate",
+  "Evaluate policy-as-code rules against a proposed action. Returns violations for any matching rules. Use alongside speclock_check_conflict for comprehensive protection.",
+  {
+    description: z.string().min(1).describe("Description of the action to evaluate"),
+    files: z.array(z.string()).optional().default([]).describe("Files affected by the action"),
+    type: z.enum(["modify", "delete", "create", "export"]).optional().default("modify").describe("Action type"),
+  },
+  async ({ description, files, type }) => {
+    const result = evaluatePolicy(PROJECT_ROOT, { description, text: description, files, type });
+
+    if (result.passed) {
+      return {
+        content: [{ type: "text", text: `Policy check passed. ${result.rulesChecked} rule(s) evaluated, no violations.` }],
+      };
+    }
+
+    const formatted = result.violations
+      .map(v => `- [${v.severity.toUpperCase()}] **${v.ruleName}** (${v.enforce})\n  ${v.description}\n  Files: ${v.matchedFiles.join(", ") || "(pattern match)"}`)
+      .join("\n\n");
+
+    return {
+      content: [{ type: "text", text: `## Policy Violations (${result.violations.length})\n\n${formatted}` }],
+      isError: result.blocked,
+    };
+  }
+);
+
+// Tool 30: speclock_policy_manage
+server.tool(
+  "speclock_policy_manage",
+  "Manage policy-as-code rules. Actions: list (show all rules), add (create new rule), remove (delete rule), init (create default policy), export (portable YAML).",
+  {
+    action: z.enum(["list", "add", "remove", "init", "export"]).describe("Policy action"),
+    rule: z.object({
+      name: z.string().optional(),
+      description: z.string().optional(),
+      match: z.object({
+        files: z.array(z.string()).optional(),
+        actions: z.array(z.string()).optional(),
+      }).optional(),
+      enforce: z.enum(["block", "warn", "log"]).optional(),
+      severity: z.enum(["critical", "high", "medium", "low"]).optional(),
+      notify: z.array(z.string()).optional(),
+    }).optional().describe("Rule definition (for add action)"),
+    ruleId: z.string().optional().describe("Rule ID (for remove action)"),
+  },
+  async ({ action, rule, ruleId }) => {
+    switch (action) {
+      case "list": {
+        const result = listPolicyRules(PROJECT_ROOT);
+        if (result.total === 0) {
+          return { content: [{ type: "text", text: "No policy rules defined. Use action 'init' to create a default policy." }] };
+        }
+        const formatted = result.rules.map(r =>
+          `- **${r.name}** (${r.id}) [${r.enforce}/${r.severity}]\n  Files: ${(r.match?.files || []).join(", ")}\n  Actions: ${(r.match?.actions || []).join(", ")}`
+        ).join("\n\n");
+        return { content: [{ type: "text", text: `## Policy Rules (${result.active}/${result.total} active)\n\n${formatted}` }] };
+      }
+      case "add": {
+        if (!rule || !rule.name) {
+          return { content: [{ type: "text", text: "Rule name is required." }], isError: true };
+        }
+        const result = addPolicyRule(PROJECT_ROOT, rule);
+        if (!result.success) return { content: [{ type: "text", text: result.error }], isError: true };
+        return { content: [{ type: "text", text: `Policy rule added: "${result.rule.name}" (${result.ruleId}) [${result.rule.enforce}]` }] };
+      }
+      case "remove": {
+        if (!ruleId) return { content: [{ type: "text", text: "ruleId is required." }], isError: true };
+        const result = removePolicyRule(PROJECT_ROOT, ruleId);
+        if (!result.success) return { content: [{ type: "text", text: result.error }], isError: true };
+        return { content: [{ type: "text", text: `Policy rule removed: "${result.removed.name}"` }] };
+      }
+      case "init": {
+        const result = initPolicy(PROJECT_ROOT);
+        if (!result.success) return { content: [{ type: "text", text: result.error }], isError: true };
+        return { content: [{ type: "text", text: "Policy-as-code initialized. Edit .speclock/policy.yml to add rules." }] };
+      }
+      case "export": {
+        const result = exportPolicy(PROJECT_ROOT);
+        if (!result.success) return { content: [{ type: "text", text: result.error }], isError: true };
+        return { content: [{ type: "text", text: `## Exported Policy\n\n\`\`\`yaml\n${result.yaml}\`\`\`` }] };
+      }
+      default:
+        return { content: [{ type: "text", text: `Unknown action: ${action}` }], isError: true };
+    }
+  }
+);
+
+// ========================================
+// TELEMETRY TOOLS (v3.5)
+// ========================================
+
+// Tool 31: speclock_telemetry
+server.tool(
+  "speclock_telemetry",
+  "Get telemetry and analytics summary. Shows tool usage counts, conflict rates, response times, and feature adoption. Opt-in only (SPECLOCK_TELEMETRY=true).",
+  {},
+  async () => {
+    const summary = getTelemetrySummary(PROJECT_ROOT);
+    if (!summary.enabled) {
+      return { content: [{ type: "text", text: summary.message }] };
+    }
+
+    const parts = [
+      `## Telemetry Summary`,
+      ``,
+      `Total API calls: **${summary.totalCalls}**`,
+      `Avg response: **${summary.avgResponseMs}ms**`,
+      `Sessions: **${summary.sessions.total}**`,
+      ``,
+      `### Conflicts`,
+      `Total: ${summary.conflicts.total} | Blocked: ${summary.conflicts.blocked} | Advisory: ${summary.conflicts.advisory}`,
+    ];
+
+    if (summary.topTools.length > 0) {
+      parts.push(``, `### Top Tools`);
+      for (const t of summary.topTools.slice(0, 5)) {
+        parts.push(`- ${t.name}: ${t.count} calls (avg ${t.avgMs}ms)`);
+      }
+    }
+
+    if (summary.features.length > 0) {
+      parts.push(``, `### Feature Adoption`);
+      for (const f of summary.features) {
+        parts.push(`- ${f.name}: ${f.count} uses`);
+      }
+    }
+
+    return { content: [{ type: "text", text: parts.join("\n") }] };
+  }
+);
+
 // --- Smithery sandbox export ---
 export default function createSandboxServer() {
   return server;