speclock 4.3.3 → 4.4.0

package/SPECLOCK-INSTRUCTIONS.md

@@ -144,3 +144,59 @@ AI:   🔓 Unlocked. Proceeding with auth file changes.
 1. Add to `~/.claude.json` or `.mcp.json`: `{"mcpServers":{"speclock":{"command":"npx","args":["-y","speclock","serve","--project","."]}}}`
 2. Add the instruction above to `CLAUDE.md`
 3. Done.
+
+---
+
+## For Bolt.new, Kimi, Replit, and other platforms WITHOUT MCP
+
+These platforms don't have MCP connectors. SpecLock works via `npm install` + direct JavaScript API. The conflict checking uses a cloud proxy to get Gemini LLM coverage automatically — no API key needed.
+
+### Setup:
+1. Install: `npm install speclock`
+2. Paste the instructions below into the platform's Knowledge / System Prompt / Project Instructions.
+
+### Instructions to paste:
+
+```
+## SpecLock Rules (MANDATORY — follow on every message)
+
+This project uses SpecLock for constraint protection. SpecLock is installed via npm.
+
+### How to check conflicts:
+Before making ANY significant code change, run this check:
+
+const { checkConflictAsync } = await import("speclock/src/core/engine.js");
+const result = await checkConflictAsync("description of what you are about to do", ["lock text 1", "lock text 2"]);
+if (result.hasConflict) {
+  // STOP — warn the user about the conflict
+  // result.analysis contains the details
+}
+
+### How to check conflicts (alternative — pass lock text directly):
+const { checkConflictAsync } = await import("speclock/src/core/engine.js");
+const result = await checkConflictAsync("Add Razorpay payment gateway", "Never change from Stripe payment integration");
+// result.hasConflict will be true
+
+### Rules:
+1. MAINTAIN A LIST of user constraints (locks) in memory. When the user says "never", "always", "don't touch", "lock this" — add it to your lock list.
+2. BEFORE MODIFYING CODE: Call checkConflictAsync with what you're about to do and ALL active locks. If hasConflict is true, STOP and warn the user.
+3. The function is ASYNC — always use await. It calls a cloud API for accurate detection across all domains.
+4. If the function is unavailable, at minimum do a manual check: does your proposed action violate any of the user's stated constraints?
+```
+
+### Example usage in code:
+```javascript
+import { checkConflictAsync } from "speclock/src/core/engine.js";
+
+// Check a single lock
+const r = await checkConflictAsync("Switch to MongoDB", "Never change the database technology");
+console.log(r.hasConflict); // true
+console.log(r.analysis);    // "1 conflict(s) confirmed..."
+
+// Check multiple locks
+const r2 = await checkConflictAsync("Add Razorpay payments", [
+  "Never change from Stripe",
+  "Never modify the payment system"
+]);
+console.log(r2.hasConflict); // true
+```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "speclock",
-  "version": "4.3.3",
+  "version": "4.4.0",
   "description": "AI constraint engine with Gemini LLM universal detection, Policy-as-Code DSL, OAuth/OIDC SSO, admin dashboard, telemetry, API key auth, RBAC, AES-256-GCM encryption, hard enforcement, semantic pre-commit, HMAC audit chain, SOC 2/HIPAA compliance. Cross-platform: MCP + direct API. 31 MCP tools + CLI. Enterprise platform.",
   "type": "module",
   "main": "src/mcp/server.js",

package/src/cli/index.js

@@ -116,7 +116,7 @@ function refreshContext(root) {
 
 function printHelp() {
   console.log(`
-SpecLock v4.3.3 — AI Constraint Engine (Gemini LLM + Policy-as-Code + SSO + Dashboard + Telemetry + Auth + RBAC + Encryption)
+SpecLock v4.4.0 — AI Constraint Engine (Gemini LLM + Policy-as-Code + SSO + Dashboard + Telemetry + Auth + RBAC + Encryption)
 Developed by Sandeep Roy (github.com/sgroy10)
 
 Usage: speclock <command> [options]

package/src/core/compliance.js

@@ -9,7 +9,7 @@
 import { readBrain, readEvents } from "./storage.js";
 import { verifyAuditChain } from "./audit.js";
 
-const VERSION = "4.3.3";
+const VERSION = "4.4.0";
 
 // PHI-related keywords for HIPAA filtering
 const PHI_KEYWORDS = [

package/src/core/conflict.js

@@ -59,13 +59,18 @@ const GUARD_TAG = "SPECLOCK-GUARD";
 /**
  * Detect if the first argument is a file-system path (brain mode)
  * or natural text (direct mode for cross-platform usage).
+ * Must be strict: "spay/neuter" is NOT a path, "/app" IS a path.
  */
 function isDirectoryPath(str) {
   if (!str || typeof str !== "string") return false;
   // Absolute paths: /foo, C:\foo, \\server
-  if (str.startsWith("/") || str.startsWith("\\") || /^[A-Z]:/i.test(str)) return true;
-  // Relative path with separator or current dir
-  if (str === "." || str === ".." || str.includes("/") || str.includes("\\")) return true;
+  if (/^[A-Z]:/i.test(str)) return true;                 // C:\Users\...
+  if (str.startsWith("\\\\")) return true;                 // \\server\share
+  if (str.startsWith("/") && !str.includes(" ")) return true; // /app, /usr/local (no spaces = likely path)
+  // Relative path starting with . or ..
+  if (/^\.\.?[/\\]/.test(str)) return true;                // ./foo, ../bar
+  if (str === "." || str === "..") return true;
+  // Natural language with / in the middle (spay/neuter, TCP/IP, etc.) is NOT a path
   return false;
 }
 

package/src/core/telemetry.js

@@ -257,7 +257,7 @@ export async function flushToRemote(root) {
   // Build anonymized payload
   const payload = {
     instanceId: summary.instanceId,
-    version: "4.3.3",
+    version: "4.4.0",
     totalCalls: summary.totalCalls,
     avgResponseMs: summary.avgResponseMs,
     conflicts: summary.conflicts,

package/src/dashboard/index.html

@@ -89,7 +89,7 @@
 <div class="header">
   <div>
     <h1><span>SpecLock</span> Dashboard</h1>
-    <div class="meta">v4.3.3 &mdash; AI Constraint Engine</div>
+    <div class="meta">v4.4.0 &mdash; AI Constraint Engine</div>
   </div>
   <div style="display:flex;align-items:center;gap:12px;">
     <span id="health-badge" class="status-badge healthy">Loading...</span>
@@ -182,7 +182,7 @@
 </div>
 
 <div style="text-align:center;padding:24px;color:var(--muted);font-size:12px;">
-  SpecLock v4.3.3 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
+  SpecLock v4.4.0 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
 </div>
 
 <script>

package/src/mcp/http-server.js

@@ -91,7 +91,7 @@ import { fileURLToPath } from "url";
 import _path from "path";
 
 const PROJECT_ROOT = process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
-const VERSION = "4.3.3";
+const VERSION = "4.4.0";
 const AUTHOR = "Sandeep Roy";
 const START_TIME = Date.now();
 
@@ -221,13 +221,8 @@ function createSpecLockServer() {
   // Tool 7: speclock_add_note
   server.tool("speclock_add_note", "Add a pinned note for reference.", { text: z.string().min(1).describe("The note text"), pinned: z.boolean().default(true).describe("Whether to pin this note") }, async ({ text, pinned }) => {
     ensureInit(PROJECT_ROOT);
-    const brain = readBrain(PROJECT_ROOT);
-    const note = { id: newId(), text, pinned, createdAt: nowIso() };
-    brain.state.notes.push(note);
-    writeBrain(PROJECT_ROOT, brain);
-    appendEvent(PROJECT_ROOT, { type: "note_added", noteId: note.id, text });
-    bumpEvents(PROJECT_ROOT);
-    return { content: [{ type: "text", text: `Note added [${note.id}]: ${text}` }] };
+    const result = addNote(PROJECT_ROOT, text, pinned);
+    return { content: [{ type: "text", text: `Note added [${result.noteId}]: ${text}` }] };
   });
 
   // Tool 8: speclock_set_deploy_facts

package/src/mcp/server.js

@@ -100,7 +100,7 @@ const PROJECT_ROOT =
   args.project || process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
 
 // --- MCP Server ---
-const VERSION = "4.3.3";
+const VERSION = "4.4.0";
 const AUTHOR = "Sandeep Roy";
 
 const server = new McpServer(