speclock 4.5.5 → 4.5.7

package/README.md

@@ -30,7 +30,7 @@ AI:     ⚠️  BLOCKED — violates lock "Never touch the auth system"
         Should I find another approach?
 ```
 
-**60 test suites. 100% detection. 0% false positives. Gemini Flash hybrid for universal domain coverage.**
+**557 tests. 98% pass rate. 0 false positives across 5 domains. Gemini Flash hybrid for universal domain coverage.**
 
 ---
 
@@ -109,7 +109,7 @@ Same config — add to `.cursor/mcp.json` or equivalent.
 |---|:---:|:---:|:---:|:---:|
 | Remembers context | Yes | Yes | Manual | **Yes** |
 | **Blocks the AI from breaking things** | No | No | No | **Yes** |
-| **Semantic conflict detection** | No | No | No | **100% detection, 0% FP** |
+| **Semantic conflict detection** | No | No | No | **98% detection, 0% FP** |
 | **Tamper-proof audit trail** | No | No | No | **HMAC-SHA256 chain** |
 | **Hard enforcement (AI cannot proceed)** | No | No | No | **Yes** |
 | **SOC 2 / HIPAA compliance exports** | No | No | No | **Yes** |
@@ -134,7 +134,7 @@ Not keyword matching — **real semantic analysis** with Gemini Flash hybrid for
 <tr><td>Dilution attacks</td><td>100%</td><td>Violation buried in multi-part request</td></tr>
 <tr><td>Compound sentences</td><td>100%</td><td>"Update UI and also drop users table"</td></tr>
 <tr><td>Synonym substitution</td><td>100%</td><td>"Sunset the API" = remove the API</td></tr>
-<tr><td>Payment brand names</td><td>100%</td><td>"Add Razorpay" vs "Never change payment gateway"</td></tr>
+<tr><td>Payment brand names (11 gateways)</td><td>100%</td><td>"Add Razorpay" / "Implement PayU" vs "Must use Stripe"</td></tr>
 <tr><td>Salary/payroll cross-vocab</td><td>100%</td><td>"Optimize salary" vs "Payroll records locked"</td></tr>
 <tr><td>Safety system bypass</td><td>100%</td><td>"Disable safety interlock" = bypass safety</td></tr>
 <tr><td>Unknown domains (via Gemini)</td><td>100%</td><td>Gaming, biotech, aerospace, music, legal</td></tr>
@@ -386,7 +386,7 @@ The AI opens the file and sees:
 ┌────────────▼──────────────────▼──────────────────┐
 │            SpecLock Core Engine                    │
 │                                                    │
-│  Semantic Engine ─── 55 synonym groups             │
+│  Semantic Engine ─── 65+ synonym groups            │
 │  HMAC Audit ──────── SHA-256 hash chain            │
 │  Enforcer ────────── advisory / hard block         │
 │  Auth + RBAC ─────── 4 roles, API keys             │
@@ -409,17 +409,35 @@ The AI opens the file and sees:
 
 ---
 
+## Configuration
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `SPECLOCK_API_KEY` | — | API key for authenticated access |
+| `SPECLOCK_ENCRYPTION_KEY` | — | Enables AES-256-GCM encryption at rest |
+| `SPECLOCK_NO_PROXY` | `false` | Set `true` for heuristic-only mode (~250ms). Skips the Gemini proxy (~2s) |
+| `SPECLOCK_LLM_KEY` | — | Your own LLM API key (Gemini/OpenAI/Anthropic) |
+| `GEMINI_API_KEY` | — | Google Gemini API key for hybrid conflict detection |
+| `SPECLOCK_TELEMETRY` | `false` | Opt-in anonymous usage analytics |
+
+> **Tip:** The heuristic engine alone scores 95%+ accuracy at ~250ms. The Gemini proxy adds cross-domain coverage but takes ~2s. For fastest response, set `SPECLOCK_NO_PROXY=true`.
+
+---
+
 ## Test Results
 
-| Suite | Tests | Pass Rate |
-|-------|------:|----------:|
-| Direct Mode (heuristic) | 17 | 100% |
-| Payment/Salary Domain | 18 | 100% |
-| Gemini Hybrid (8 domains) | 16 | 100% |
-| Proxy API Endpoint | 9 | 100% |
-| **Total** | **60** | **100%** |
+| Suite | Tests | Pass Rate | What it covers |
+|-------|------:|----------:|----------------|
+| Adversarial Conflict | 61 | 100% | Euphemisms, temporal evasion, compound sentences |
+| Phase 4 (Multi-domain) | 91 | 100% | Fintech, e-commerce, IoT, healthcare, SaaS |
+| John (Indie Dev Journey) | 86 | 100% | 8-session Bolt.new build with 5 locks |
+| Sam (Enterprise HIPAA) | 124 | 100% | HIPAA locks, PHI, encryption, RBAC |
+| Real-World Testers | 105 | 95% | 5 developers, 30+ locks, diverse domains |
+| Payment/Salary/PII | 35 | 100% | Cross-vocabulary: payroll, salary, compensation |
+| Claude Tester (G-Suite) | 55 | 95% | Independent AI tester, adversarial probing |
+| **Total** | **557** | **98%** | |
 
-Tested across: fintech, e-commerce, IoT, healthcare, SaaS, gaming, biotech, aerospace, music, legal, payments, payroll. Zero false positives on UI/cosmetic actions.
+Tested across: fintech, e-commerce, IoT, healthcare, SaaS, gaming, biotech, aerospace, payments, payroll. All 11 Indian payment gateways detected (Razorpay, PayU, Cashfree, PhonePe, Paytm, CCAvenue, BillDesk, Instamojo, Juspay, Stripe, PayPal). Zero false positives on UI/cosmetic actions.
 
 ---
 
@@ -457,4 +475,4 @@ Built by **[Sandeep Roy](https://github.com/sgroy10)**
 
 ---
 
-<p align="center"><i>v4.5.5 — 600+ tests, 31 MCP tools, 0 false positives, Gemini hybrid. Because remembering isn't enough.</i></p>
+<p align="center"><i>v4.5.7 — 557 tests, 98% pass rate, 31 MCP tools, Gemini hybrid. Because remembering isn't enough.</i></p>

package/package.json

@@ -2,9 +2,9 @@
 
   "name": "speclock",
 
-  "version": "4.5.5",
+  "version": "4.5.7",
 
-  "description": "AI constraint engine with Gemini LLM universal detection, Policy-as-Code DSL, OAuth/OIDC SSO, admin dashboard, telemetry, API key auth, RBAC, AES-256-GCM encryption, hard enforcement, semantic pre-commit, HMAC audit chain, SOC 2/HIPAA compliance. Cross-platform: MCP + direct API. 31 MCP tools + CLI. Enterprise platform.",
+  "description": "AI constraint engine — stops AI from breaking what you locked. Semantic detection, Gemini LLM hybrid, 31 MCP tools, HMAC audit chain, RBAC, encryption, SOC 2/HIPAA compliance. Works with Claude Code, Cursor, Bolt.new, Lovable.",
 
   "type": "module",
 

package/src/cli/index.js

@@ -117,7 +117,7 @@ function refreshContext(root) {
 
 function printHelp() {
   console.log(`
-SpecLock v4.5.5 — AI Constraint Engine (Gemini LLM + Policy-as-Code + SSO + Dashboard + Telemetry + Auth + RBAC + Encryption)
+SpecLock v4.5.7 — AI Constraint Engine (Gemini LLM + Policy-as-Code + SSO + Dashboard + Telemetry + Auth + RBAC + Encryption)
 Developed by Sandeep Roy (github.com/sgroy10)
 
 Usage: speclock <command> [options]

package/src/core/compliance.js

@@ -9,7 +9,7 @@
 import { readBrain, readEvents } from "./storage.js";
 import { verifyAuditChain } from "./audit.js";
 
-const VERSION = "4.5.5";
+const VERSION = "4.5.7";
 
 // PHI-related keywords for HIPAA filtering
 const PHI_KEYWORDS = [

package/src/core/semantics.js

@@ -124,7 +124,7 @@ export const SYNONYM_GROUPS = [
    "payment service", "payment platform"],
   ["razorpay", "stripe", "paypal", "phonepe", "paytm", "ccavenue",
    "cashfree", "braintree", "adyen", "square", "google pay", "gpay",
-   "juspay", "billdesk", "instamojo"],
+   "juspay", "billdesk", "instamojo", "payu"],
 
   // --- IoT / firmware ---
   ["firmware", "firmware update", "ota", "over the air",
@@ -467,6 +467,8 @@ export const CONCEPT_MAP = {
                         "transaction", "billing", "razorpay", "ccavenue"],
   "instamojo":         ["payment gateway", "payment processing", "payment",
                         "transaction", "billing", "razorpay", "cashfree"],
+  "payu":              ["payment gateway", "payment processing", "payment",
+                        "transaction", "billing", "razorpay", "stripe", "cashfree"],
   "upi":               ["payment gateway", "payment processing", "phonepe",
                         "paytm", "google pay", "razorpay",
                         "transaction", "payment"],
@@ -2077,7 +2079,7 @@ export function scoreConflict({ actionText, lockText }) {
       // These are specific nouns (not verbs, not stopwords) that identify the technology
       const TECH_BRANDS = new Set([
         "stripe", "razorpay", "paypal", "phonepe", "paytm", "ccavenue", "cashfree",
-        "braintree", "adyen", "square", "billdesk", "instamojo", "juspay",
+        "braintree", "adyen", "square", "billdesk", "instamojo", "juspay", "payu",
         "postgresql", "postgres", "mysql", "mongodb", "mongo", "firebase",
         "firestore", "supabase", "dynamodb", "redis", "sqlite", "mariadb",
         "cassandra", "couchdb", "neo4j",

package/src/core/telemetry.js

@@ -257,7 +257,7 @@ export async function flushToRemote(root) {
   // Build anonymized payload
   const payload = {
     instanceId: summary.instanceId,
-    version: "4.5.5",
+    version: "4.5.7",
     totalCalls: summary.totalCalls,
     avgResponseMs: summary.avgResponseMs,
     conflicts: summary.conflicts,

package/src/dashboard/index.html

@@ -89,7 +89,7 @@
 <div class="header">
   <div>
     <h1><span>SpecLock</span> Dashboard</h1>
-    <div class="meta">v4.5.5 &mdash; AI Constraint Engine</div>
+    <div class="meta">v4.5.7 &mdash; AI Constraint Engine</div>
   </div>
   <div style="display:flex;align-items:center;gap:12px;">
     <span id="health-badge" class="status-badge healthy">Loading...</span>
@@ -182,7 +182,7 @@
 </div>
 
 <div style="text-align:center;padding:24px;color:var(--muted);font-size:12px;">
-  SpecLock v4.5.5 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
+  SpecLock v4.5.7 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
 </div>
 
 <script>

package/src/mcp/http-server.js

@@ -91,7 +91,7 @@ import { fileURLToPath } from "url";
 import _path from "path";
 
 const PROJECT_ROOT = process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
-const VERSION = "4.5.5";
+const VERSION = "4.5.7";
 const AUTHOR = "Sandeep Roy";
 const START_TIME = Date.now();
 

package/src/mcp/server.js

@@ -100,7 +100,7 @@ const PROJECT_ROOT =
   args.project || process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
 
 // --- MCP Server ---
-const VERSION = "4.5.5";
+const VERSION = "4.5.7";
 const AUTHOR = "Sandeep Roy";
 
 const server = new McpServer(