speclock 4.3.4 → 4.4.1

package/SPECLOCK-INSTRUCTIONS.md

@@ -144,3 +144,59 @@ AI:   🔓 Unlocked. Proceeding with auth file changes.
 1. Add to `~/.claude.json` or `.mcp.json`: `{"mcpServers":{"speclock":{"command":"npx","args":["-y","speclock","serve","--project","."]}}}`
 2. Add the instruction above to `CLAUDE.md`
 3. Done.
+
+---
+
+## For Bolt.new, Kimi, Replit, and other platforms WITHOUT MCP
+
+These platforms don't have MCP connectors. SpecLock works via `npm install` + direct JavaScript API. The conflict checking uses a cloud proxy to get Gemini LLM coverage automatically — no API key needed.
+
+### Setup:
+1. Install: `npm install speclock`
+2. Paste the instructions below into the platform's Knowledge / System Prompt / Project Instructions.
+
+### Instructions to paste:
+
+```
+## SpecLock Rules (MANDATORY — follow on every message)
+
+This project uses SpecLock for constraint protection. SpecLock is installed via npm.
+
+### How to check conflicts:
+Before making ANY significant code change, run this check:
+
+const { checkConflictAsync } = await import("speclock/src/core/engine.js");
+const result = await checkConflictAsync("description of what you are about to do", ["lock text 1", "lock text 2"]);
+if (result.hasConflict) {
+  // STOP — warn the user about the conflict
+  // result.analysis contains the details
+}
+
+### How to check conflicts (alternative — pass lock text directly):
+const { checkConflictAsync } = await import("speclock/src/core/engine.js");
+const result = await checkConflictAsync("Add Razorpay payment gateway", "Never change from Stripe payment integration");
+// result.hasConflict will be true
+
+### Rules:
+1. MAINTAIN A LIST of user constraints (locks) in memory. When the user says "never", "always", "don't touch", "lock this" — add it to your lock list.
+2. BEFORE MODIFYING CODE: Call checkConflictAsync with what you're about to do and ALL active locks. If hasConflict is true, STOP and warn the user.
+3. The function is ASYNC — always use await. It calls a cloud API for accurate detection across all domains.
+4. If the function is unavailable, at minimum do a manual check: does your proposed action violate any of the user's stated constraints?
+```
+
+### Example usage in code:
+```javascript
+import { checkConflictAsync } from "speclock/src/core/engine.js";
+
+// Check a single lock
+const r = await checkConflictAsync("Switch to MongoDB", "Never change the database technology");
+console.log(r.hasConflict); // true
+console.log(r.analysis);    // "1 conflict(s) confirmed..."
+
+// Check multiple locks
+const r2 = await checkConflictAsync("Add Razorpay payments", [
+  "Never change from Stripe",
+  "Never modify the payment system"
+]);
+console.log(r2.hasConflict); // true
+```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "speclock",
-  "version": "4.3.4",
+  "version": "4.4.1",
   "description": "AI constraint engine with Gemini LLM universal detection, Policy-as-Code DSL, OAuth/OIDC SSO, admin dashboard, telemetry, API key auth, RBAC, AES-256-GCM encryption, hard enforcement, semantic pre-commit, HMAC audit chain, SOC 2/HIPAA compliance. Cross-platform: MCP + direct API. 31 MCP tools + CLI. Enterprise platform.",
   "type": "module",
   "main": "src/mcp/server.js",

package/src/cli/index.js

@@ -116,7 +116,7 @@ function refreshContext(root) {
 
 function printHelp() {
   console.log(`
-SpecLock v4.3.4 — AI Constraint Engine (Gemini LLM + Policy-as-Code + SSO + Dashboard + Telemetry + Auth + RBAC + Encryption)
+SpecLock v4.4.1 — AI Constraint Engine (Gemini LLM + Policy-as-Code + SSO + Dashboard + Telemetry + Auth + RBAC + Encryption)
 Developed by Sandeep Roy (github.com/sgroy10)
 
 Usage: speclock <command> [options]

package/src/core/compliance.js

@@ -9,7 +9,7 @@
 import { readBrain, readEvents } from "./storage.js";
 import { verifyAuditChain } from "./audit.js";
 
-const VERSION = "4.3.4";
+const VERSION = "4.4.1";
 
 // PHI-related keywords for HIPAA filtering
 const PHI_KEYWORDS = [

package/src/core/semantics.js

@@ -104,6 +104,10 @@ export const SYNONYM_GROUPS = [
    "ledger", "general ledger", "accounts"],
   ["trade", "trades", "executed trade", "trade record", "order",
    "position", "portfolio"],
+  ["salary", "salaries", "payroll", "wages", "compensation",
+   "remuneration", "stipend"],
+  ["payment gateway", "payment provider", "payment processor",
+   "payment service", "payment platform"],
 
   // --- IoT / firmware ---
   ["firmware", "firmware update", "ota", "over the air",
@@ -384,6 +388,36 @@ export const CONCEPT_MAP = {
                         "transaction"],
   "invoice":           ["billing", "payment", "charge", "transaction", "accounts receivable"],
 
+  // Salary / Payroll / Compensation
+  "salary":            ["payroll", "wages", "compensation", "financial records",
+                        "accounting", "payment"],
+  "payroll":           ["salary", "wages", "compensation", "financial records",
+                        "accounting", "payment"],
+  "wages":             ["salary", "payroll", "compensation", "financial records"],
+  "compensation":      ["salary", "payroll", "wages", "financial records"],
+
+  // Payment providers (brand names → payment gateway concept)
+  "razorpay":          ["payment gateway", "payment processing", "payment",
+                        "transaction", "billing"],
+  "phonepe":           ["payment gateway", "payment processing", "payment",
+                        "upi", "transaction"],
+  "ccavenue":          ["payment gateway", "payment processing", "payment",
+                        "transaction", "billing"],
+  "paytm":             ["payment gateway", "payment processing", "payment",
+                        "upi", "transaction"],
+  "paypal":            ["payment gateway", "payment processing", "payment",
+                        "transaction", "billing"],
+  "stripe":            ["payment gateway", "payment processing", "payment",
+                        "transaction", "billing"],
+  "square":            ["payment gateway", "payment processing", "payment",
+                        "transaction", "billing"],
+  "adyen":             ["payment gateway", "payment processing", "payment",
+                        "transaction", "billing"],
+  "braintree":         ["payment gateway", "payment processing", "payment",
+                        "transaction", "billing"],
+  "upi":               ["payment gateway", "payment processing", "phonepe",
+                        "paytm", "transaction", "payment"],
+
   // Logistics / Supply Chain
   "shipment":          ["cargo", "freight", "consignment", "delivery", "package",
                         "manifest", "tracking", "shipping"],
@@ -425,9 +459,18 @@ export const CONCEPT_MAP = {
   // E-commerce
   "cart":              ["checkout", "purchase", "shopping cart"],
   "payment processing":["payment", "billing", "transaction",
-                        "stripe", "payment gateway"],
+                        "stripe", "payment gateway", "payment provider"],
   "payment gateway":   ["payment processing", "stripe", "paypal",
-                        "billing", "transaction"],
+                        "billing", "transaction", "payment provider",
+                        "payment processor"],
+  "payment provider":  ["payment gateway", "payment processing", "payment",
+                        "transaction", "billing"],
+  "payment processor": ["payment gateway", "payment processing", "payment",
+                        "transaction", "billing"],
+  "payment service":   ["payment gateway", "payment processing", "payment",
+                        "transaction", "billing"],
+  "payment platform":  ["payment gateway", "payment processing", "payment",
+                        "transaction", "billing"],
   "product":           ["item", "sku", "catalog", "merchandise", "product listing"],
   "price":             ["pricing", "cost", "amount", "rate", "charge"],
 
@@ -761,6 +804,22 @@ export function tokenize(text) {
       words.push(w.slice(0, -1));
     }
   }
+
+  // Verb tense normalization — so "changed" matches "change",
+  // "processed" matches "process", "modifying" matches "modify"
+  for (const w of rawWords) {
+    if (w.endsWith("ed") && w.length > 4) {
+      words.push(w.slice(0, -1));  // "changed" → "change" (verb+d)
+      words.push(w.slice(0, -2));  // "processed" → "process" (verb+ed)
+      if (w.endsWith("ied") && w.length > 5) {
+        words.push(w.slice(0, -3) + "y");  // "modified" → "modify"
+      }
+    }
+    if (w.endsWith("ing") && w.length > 5) {
+      words.push(w.slice(0, -3));         // "processing" → "process"
+      words.push(w.slice(0, -3) + "e");   // "changing" → "change"
+    }
+  }
   const uniqueWords = [...new Set(words)];
 
   const all = [...new Set([...phrases, ...uniqueWords])];
@@ -979,15 +1038,38 @@ function extractProhibitedVerb(lockText) {
   for (const pattern of patterns) {
     const match = lower.match(pattern);
     if (match) {
-      const verb = match[1].trim();
+      let verb = match[1].trim();
+      // Handle passive voice: "must not be changed" → "changed" → stem → "change"
+      if (verb.startsWith("be ")) verb = verb.slice(3);
       // Check multi-word markers first
       const allMarkers = [...NEGATIVE_INTENT_MARKERS, ...POSITIVE_INTENT_MARKERS]
         .sort((a, b) => b.length - a.length);
       for (const marker of allMarkers) {
         if (verb.startsWith(marker)) return marker;
       }
-      // Return the first word
-      return verb.split(/\s+/)[0];
+      // Stem -ed/-ing verb forms: "changed" → "change", "modified" → "modify"
+      const firstWord = verb.split(/\s+/)[0];
+      if (firstWord.endsWith("ed") && firstWord.length > 4) {
+        const stem1 = firstWord.slice(0, -1);  // changed → change
+        const stem2 = firstWord.slice(0, -2);  // processed → process
+        for (const marker of allMarkers) {
+          if (stem1 === marker || stem2 === marker) return marker;
+        }
+        if (firstWord.endsWith("ied") && firstWord.length > 5) {
+          const stem3 = firstWord.slice(0, -3) + "y";  // modified → modify
+          for (const marker of allMarkers) {
+            if (stem3 === marker) return marker;
+          }
+        }
+      }
+      if (firstWord.endsWith("ing") && firstWord.length > 5) {
+        const stem1 = firstWord.slice(0, -3);       // processing → process
+        const stem2 = firstWord.slice(0, -3) + "e"; // changing → change
+        for (const marker of allMarkers) {
+          if (stem1 === marker || stem2 === marker) return marker;
+        }
+      }
+      return firstWord;
     }
   }
   return null;
@@ -1098,6 +1180,7 @@ const _CONTAMINATING_VERBS = new Set([
   "reconcile", "reverse", "recalculate", "backdate", "rebalance",
   "reroute", "divert", "reassign", "rebook", "cancel",
   "upgrade", "downgrade", "patch", "bump",
+  "optimize", "streamline", "modernize", "overhaul", "revamp",
 ]);
 
 const _FILLER_WORDS = new Set([
@@ -1806,6 +1889,30 @@ export function scoreConflict({ actionText, lockText }) {
           `no scope overlap — different components despite shared vocabulary`);
       }
     }
+
+    // 5c: UI/cosmetic changes that share a location word with a system lock.
+    // "Change the font on the login page" shares "login" with auth locks,
+    // but changing a font/color/style is a visual change, not a system modification.
+    // Only applies when scope overlap is WEAK (shared location word, not shared target).
+    const UI_COSMETIC_WORDS = new Set([
+      "font", "fonts", "color", "colors", "colour", "theme", "themes",
+      "styling", "style", "styles", "css", "icon", "icons", "layout",
+      "margin", "padding", "border", "background", "typography", "spacing",
+      "alignment", "animation", "transition", "hover", "tooltip",
+      "placeholder", "logo", "image", "banner", "hero", "avatar",
+      "sidebar", "navigation", "menu", "breadcrumb", "footer",
+    ]);
+    if (!intentAligned && !hasStrongScopeMatch && !hasStrongVocabMatch) {
+      const actionLower = actionText.toLowerCase();
+      const actionWords = actionLower.split(/\s+/).map(w => w.replace(/[^a-z]/g, ""));
+      const hasUISubject = actionWords.some(w => UI_COSMETIC_WORDS.has(w));
+      if (hasUISubject) {
+        intentAligned = true;
+        reasons.push(
+          `intent alignment: UI/cosmetic change — visual modification, ` +
+          `not system logic change`);
+      }
+    }
   }
 
   // If intent is ALIGNED, the action is COMPLIANT — slash the score to near zero
@@ -1821,10 +1928,6 @@ export function scoreConflict({ actionText, lockText }) {
     //    Either: scope overlap (subject extraction confirms same target)
     //    Or: 2+ direct word overlaps (not just a single shared word)
     //    Or: phrase overlap (multi-word match is strong signal)
-    //    Or: concept match (domain-level relevance)
-    // Concept matches contribute to base score but should NOT gate the negation
-    // bonus — they're too indirect ("account" → "ledger" via concept map shouldn't
-    // trigger the +35 negation bonus). Only direct evidence counts.
     const hasStrongSubjectMatch = hasStrongScopeMatch ||
       directOverlap.length >= 2 ||
       phraseOverlap.length > 0;

package/src/core/telemetry.js

@@ -257,7 +257,7 @@ export async function flushToRemote(root) {
   // Build anonymized payload
   const payload = {
     instanceId: summary.instanceId,
-    version: "4.3.4",
+    version: "4.4.1",
     totalCalls: summary.totalCalls,
     avgResponseMs: summary.avgResponseMs,
     conflicts: summary.conflicts,

package/src/dashboard/index.html

@@ -89,7 +89,7 @@
 <div class="header">
   <div>
     <h1><span>SpecLock</span> Dashboard</h1>
-    <div class="meta">v4.3.4 &mdash; AI Constraint Engine</div>
+    <div class="meta">v4.4.1 &mdash; AI Constraint Engine</div>
   </div>
   <div style="display:flex;align-items:center;gap:12px;">
     <span id="health-badge" class="status-badge healthy">Loading...</span>
@@ -182,7 +182,7 @@
 </div>
 
 <div style="text-align:center;padding:24px;color:var(--muted);font-size:12px;">
-  SpecLock v4.3.4 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
+  SpecLock v4.4.1 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
 </div>
 
 <script>

package/src/mcp/http-server.js

@@ -91,7 +91,7 @@ import { fileURLToPath } from "url";
 import _path from "path";
 
 const PROJECT_ROOT = process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
-const VERSION = "4.3.4";
+const VERSION = "4.4.1";
 const AUTHOR = "Sandeep Roy";
 const START_TIME = Date.now();
 
@@ -221,13 +221,8 @@ function createSpecLockServer() {
   // Tool 7: speclock_add_note
   server.tool("speclock_add_note", "Add a pinned note for reference.", { text: z.string().min(1).describe("The note text"), pinned: z.boolean().default(true).describe("Whether to pin this note") }, async ({ text, pinned }) => {
     ensureInit(PROJECT_ROOT);
-    const brain = readBrain(PROJECT_ROOT);
-    const note = { id: newId(), text, pinned, createdAt: nowIso() };
-    brain.state.notes.push(note);
-    writeBrain(PROJECT_ROOT, brain);
-    appendEvent(PROJECT_ROOT, { type: "note_added", noteId: note.id, text });
-    bumpEvents(PROJECT_ROOT);
-    return { content: [{ type: "text", text: `Note added [${note.id}]: ${text}` }] };
+    const result = addNote(PROJECT_ROOT, text, pinned);
+    return { content: [{ type: "text", text: `Note added [${result.noteId}]: ${text}` }] };
   });
 
   // Tool 8: speclock_set_deploy_facts

package/src/mcp/server.js

@@ -100,7 +100,7 @@ const PROJECT_ROOT =
   args.project || process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
 
 // --- MCP Server ---
-const VERSION = "4.3.4";
+const VERSION = "4.4.1";
 const AUTHOR = "Sandeep Roy";
 
 const server = new McpServer(