speclock 5.1.0 → 5.2.1

package/src/core/semantics.js

@@ -272,6 +272,10 @@ export const EUPHEMISM_MAP = {
   "reconcile":      ["modify", "adjust", "change", "alter"],
   "reverse":        ["undo", "revert", "modify", "change"],
   "recalculate":    ["modify", "change", "update", "alter"],
+  "recompute":      ["modify", "change", "recalculate", "alter"],
+  "reprocess":      ["override", "modify", "recalculate", "delete", "redo"],
+  "round up":       ["modify", "tamper", "falsify", "alter", "inflate"],
+  "round down":     ["modify", "tamper", "falsify", "alter", "deflate"],
   "backdate":       ["modify", "tamper", "falsify", "change"],
   "rebalance":      ["modify", "adjust", "change", "redistribute"],
   "reclassify":     ["modify", "change", "recategorize"],
@@ -319,7 +323,7 @@ export const EUPHEMISM_MAP = {
   "bridge":         ["connect", "link", "merge", "join"],
   "segment":        ["split", "separate", "isolate", "divide"],
   "flatten":        ["merge", "simplify", "restructure"],
-  "consolidate":    ["merge", "combine", "reduce"],
+  "consolidate":    ["merge", "combine", "reduce", "delete", "expose"],
   "spin up":        ["create", "deploy", "start"],
   "spin down":      ["delete", "remove", "stop"],
   "tear down":      ["delete", "remove", "destroy"],
@@ -349,6 +353,23 @@ export const EUPHEMISM_MAP = {
   "scrape":         ["extract", "collect", "harvest"],
   "harvest":        ["collect", "extract", "scrape"],
 
+  // Verification/compliance bypass euphemisms
+  "skip check":     ["bypass", "disable", "remove"],
+  "skip verification": ["bypass", "disable", "remove"],
+  "streamline verification": ["bypass", "weaken", "remove", "skip"],
+  "streamline application":  ["bypass", "skip", "remove"],
+  "streamline detection":    ["weaken", "disable", "bypass"],
+  "for research purposes": ["excuse", "bypass", "unauthorized"],
+  "in dev":         ["excuse", "bypass"],
+  "mock change":    ["bypass", "modify", "test excuse"],
+
+  // Record manipulation/destruction euphemisms
+  "clean up records":   ["delete", "remove", "destroy"],
+  "clean up old":       ["delete", "remove", "purge"],
+  "archive and delete": ["delete", "remove", "destroy"],
+  "refresh timestamps": ["falsify", "tamper", "modify"],
+  "refresh inspection": ["falsify", "tamper", "modify"],
+
   // Encryption euphemisms
   "unencrypted":    ["without encryption", "disable encryption", "no encryption", "plaintext"],
   "plaintext":      ["without encryption", "unencrypted", "no encryption"],
@@ -689,6 +710,45 @@ export const CONCEPT_MAP = {
   "k8s":               ["kubernetes", "cluster", "infrastructure",
                         "container orchestration"],
   "cluster":           ["kubernetes", "k8s", "infrastructure", "nodes"],
+
+  // Education / student records
+  "gpa":               ["grades", "grade point", "academic record", "transcript"],
+  "grades":            ["gpa", "academic record", "transcript", "marks", "scores"],
+  "transcript":        ["grades", "gpa", "academic record", "student record"],
+  "financial aid":     ["student loans", "scholarships", "grants", "student data", "student records"],
+  "student records":   ["grades", "transcript", "enrollment", "academic data"],
+  "weighted averages": ["grades", "gpa", "academic calculation"],
+
+  // Government / benefits
+  "voter rolls":       ["voter registration", "election records", "voter data"],
+  "citizen database":  ["pii", "personal data", "government records", "citizen data"],
+  "benefit applications": ["claims", "welfare", "government benefits"],
+  "denied applications":  ["rejected claims", "denied benefits", "denied requests"],
+
+  // Insurance / claims
+  "claims":            ["insurance claims", "benefit claims", "applications"],
+  "denied claims":     ["rejected claims", "denied applications"],
+  "cancelled applications": ["denied claims", "rejected applications", "voided applications"],
+
+  // Aerospace / aviation safety
+  "inspection records": ["safety records", "maintenance records", "compliance records"],
+  "discrepancy reports": ["safety reports", "incident reports", "audit findings"],
+  "black box":         ["flight recorder", "flight data", "telemetry data", "safety data"],
+  "inspection timestamps": ["safety records", "maintenance dates", "compliance dates"],
+
+  // Gaming / virtual economy
+  "virtual currency":  ["in-game currency", "game tokens", "game economy"],
+  "player data":       ["user data", "gamer data", "player records", "pii"],
+  "player ips":        ["ip addresses", "pii", "player data", "network data"],
+  "cheat detection":   ["anti-cheat", "cheat prevention", "security", "game integrity"],
+
+  // Real estate / tenant screening
+  "background check":  ["tenant screening", "verification", "due diligence"],
+  "tenant screening":  ["background check", "credit check", "verification"],
+
+  // Telecom / billing
+  "call records":      ["cdr", "call data", "telecom records", "billing records"],
+  "subscriber data":   ["customer data", "user data", "telecom records"],
 };
 
 // ===================================================================
@@ -780,7 +840,9 @@ const NEGATIVE_INTENT_MARKERS = [
   "clean up", "sunset", "retire", "phase out",
   "decommission", "wind down", "take down",
   "take offline", "pull the plug",
-  "streamline",
+  "streamline", "consolidate",
+  "round up", "round down", "reprocess", "recompute",
+  "falsify", "tamper",
 ].sort((a, b) => b.length - a.length);
 
 // ===================================================================
@@ -1892,15 +1954,50 @@ export function scoreConflict({ actionText, lockText }) {
       rawWordOverlap &&
       euphemismMatches.some(m => m.includes(`euphemism for ${_prohibVerb}`));
 
-    if (!euphemismMatchesProhibitedVerb) {
+    // NEW: Check if euphemism maps to lock's prohibited verb even without
+    // word overlap. Cross-domain attacks like "truncate audit_log" vs
+    // "Never delete student records" have no shared nouns but the euphemism
+    // still proves destructive intent matching the lock's prohibition.
+    const _DESTRUCTIVE_VERBS = new Set([
+      "delete", "remove", "destroy", "wipe", "purge", "erase",
+      "disable", "bypass", "expose", "tamper", "falsify",
+      "override", "leak", "steal", "skip", "weaken",
+    ]);
+    const euphemismMatchesDestructiveProhibition = !euphemismMatchesProhibitedVerb &&
+      _prohibVerb && _DESTRUCTIVE_VERBS.has(_prohibVerb) &&
+      euphemismMatches.some(m => m.includes(`euphemism for ${_prohibVerb}`));
+
+    if (euphemismMatchesProhibitedVerb) {
+      // Full bypass — euphemism matches prohibited verb AND has content overlap
+      // No reduction applied (existing behavior)
+    } else if (euphemismMatchesDestructiveProhibition) {
+      // Euphemism maps to destructive prohibited verb but no subject overlap
+      // Apply moderate reduction (not 0.15) — still suspicious enough to flag
+      score = Math.floor(score * 0.50);
+      reasons.push("scope gate softened: euphemism matches destructive prohibition without subject overlap");
+    } else {
       // NO subject match at all — verb-only match → heavy reduction
       score = Math.floor(score * 0.15);
       reasons.push("subject gate: no subject overlap — verb-only match, likely false positive");
     }
   } else if (hasVocabSubjectMatch && !hasScopeMatch && subjectComparison.lockSubjects.length > 0 && subjectComparison.actionSubjects.length > 0) {
     // Vocabulary overlap exists but subjects point to DIFFERENT scopes
-    score = Math.floor(score * 0.35);
-    reasons.push(`scope gate: shared vocabulary but different scope — lock targets "${subjectComparison.lockSubjects[0]}", action targets "${subjectComparison.actionSubjects[0]}"`);
+    // If euphemism maps to a destructive verb, soften the gate
+    const _prohibVerb2 = extractProhibitedVerb(lockText);
+    const _DESTRUCTIVE_VERBS2 = new Set([
+      "delete", "remove", "destroy", "wipe", "purge", "erase",
+      "disable", "bypass", "expose", "tamper", "falsify",
+      "override", "leak", "steal", "skip", "weaken",
+    ]);
+    const hasDestructiveEuphemism = _prohibVerb2 && _DESTRUCTIVE_VERBS2.has(_prohibVerb2) &&
+      euphemismMatches.some(m => m.includes(`euphemism for ${_prohibVerb2}`));
+    if (hasDestructiveEuphemism) {
+      score = Math.floor(score * 0.55);
+      reasons.push(`scope gate softened: destructive euphemism with different scope — lock targets "${subjectComparison.lockSubjects[0]}", action targets "${subjectComparison.actionSubjects[0]}"`);
+    } else {
+      score = Math.floor(score * 0.35);
+      reasons.push(`scope gate: shared vocabulary but different scope — lock targets "${subjectComparison.lockSubjects[0]}", action targets "${subjectComparison.actionSubjects[0]}"`);
+    }
   }
 
   const prohibitedVerb = extractProhibitedVerb(lockText);

package/src/dashboard/index.html

@@ -89,7 +89,7 @@
 <div class="header">
   <div>
     <h1><span>SpecLock</span> Dashboard</h1>
-    <div class="meta">v5.1.0 &mdash; AI Constraint Engine</div>
+    <div class="meta">v5.2.1 &mdash; AI Constraint Engine</div>
   </div>
   <div style="display:flex;align-items:center;gap:12px;">
     <span id="health-badge" class="status-badge healthy">Loading...</span>
@@ -182,7 +182,7 @@
 </div>
 
 <div style="text-align:center;padding:24px;color:var(--muted);font-size:12px;">
-  SpecLock v5.1.0 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
+  SpecLock v5.2.1 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
 </div>
 
 <script>

package/src/mcp/http-server.js

@@ -54,6 +54,10 @@ import {
   getCriticalPaths,
   reviewPatch,
   reviewPatchAsync,
+  reviewPatchDiff,
+  reviewPatchDiffAsync,
+  reviewPatchUnified,
+  parseUnifiedDiff,
 } from "../core/engine.js";
 import { generateContext, generateContextPack } from "../core/context.js";
 import {
@@ -109,7 +113,7 @@ import { fileURLToPath } from "url";
 import _path from "path";
 
 const PROJECT_ROOT = process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
-const VERSION = "5.1.0";
+const VERSION = "5.2.1";
 const AUTHOR = "Sandeep Roy";
 const START_TIME = Date.now();
 
@@ -883,7 +887,7 @@ app.get("/health", (req, res) => {
     status: "healthy",
     version: VERSION,
     uptime: Math.floor((Date.now() - START_TIME) / 1000),
-    tools: 40,
+    tools: 42,
     auditChain: auditStatus,
     authEnabled: isAuthEnabled(PROJECT_ROOT),
     rateLimit: { limit: RATE_LIMIT, windowMs: RATE_WINDOW_MS },
@@ -897,8 +901,8 @@ app.get("/", (req, res) => {
     name: "speclock",
     version: VERSION,
     author: AUTHOR,
-    description: "AI Constraint Engine for autonomous systems governance. Spec Compiler (NL→constraints), Code Graph (blast radius, lock-to-file mapping), Typed constraints (numerical, range, state, temporal), REST API v2 with batch checking & SSE streaming. Python SDK + ROS2 integration. Policy-as-Code, RBAC, AES-256-GCM encryption, hard enforcement, HMAC audit chain, SOC 2/HIPAA compliance. 40 MCP tools. 940 tests, 99.4% accuracy.",
-    tools: 40,
+    description: "AI Constraint Engine — AI Patch Firewall. Patch Gateway (ALLOW/WARN/BLOCK verdicts), diff-native review (interface breaks, protected symbols, dependency drift, schema changes, API impact). Spec Compiler (NL→constraints), Code Graph (blast radius, lock-to-file mapping), Typed constraints, REST API v2, Python SDK + ROS2 integration. Policy-as-Code, RBAC, AES-256-GCM encryption, HMAC audit chain, SOC 2/HIPAA compliance. 42 MCP tools. 1073 tests, 99.4% accuracy.",
+    tools: 42,
     mcp_endpoint: "/mcp",
     health_endpoint: "/health",
     npm: "https://www.npmjs.com/package/speclock",
@@ -909,45 +913,60 @@ app.get("/", (req, res) => {
 // Smithery server card for listing metadata
 app.get("/.well-known/mcp/server-card.json", (req, res) => {
   setCorsHeaders(res);
+  // Smithery-compatible server card format (SEP-1649)
   res.json({
-    name: "SpecLock",
-    version: VERSION,
-    description: "AI Constraint Engine for autonomous systems governance. Spec Compiler (NL→constraints via Gemini Flash), Code Graph (dependency parsing, blast radius, lock-to-file mapping), Typed constraints (numerical, range, state, temporal), REST API v2, Python SDK + ROS2 Guardian Node. Hybrid heuristic + Gemini LLM. Policy-as-Code, RBAC, AES-256-GCM encryption, hard enforcement, HMAC audit chain, SOC 2/HIPAA compliance. 40 MCP tools. 940 tests, 99.4% accuracy. Works with Claude Code, Cursor, Windsurf, Cline, Bolt.new, Lovable.",
-    author: {
-      name: "Sandeep Roy",
-      url: "https://github.com/sgroy10",
-    },
-    repository: "https://github.com/sgroy10/speclock",
-    homepage: "https://sgroy10.github.io/speclock/",
-    license: "MIT",
-    capabilities: {
-      tools: 40,
-      categories: [
-        "Memory Management",
-        "Change Tracking",
-        "Constraint Enforcement",
-        "Git Integration",
-        "AI Intelligence",
-        "Templates & Reports",
-        "Compliance & Audit",
-        "Hard Enforcement",
-        "Policy-as-Code",
-        "Telemetry",
-        "Typed Constraints",
-        "REST API v2",
-        "Real-Time Streaming",
-        "Robotics / ROS2",
-        "Python SDK",
-      ],
+    serverInfo: {
+      name: "speclock",
+      version: VERSION,
     },
-    keywords: [
-      "ai-memory", "constraint-enforcement", "mcp", "policy-as-code",
-      "sso", "oauth", "rbac", "encryption", "audit", "compliance",
-      "soc2", "hipaa", "dashboard", "telemetry", "claude-code",
-      "cursor", "bolt-new", "lovable", "enterprise",
-      "robotics", "ros2", "autonomous-systems", "iot", "typed-constraints",
-      "real-time", "sse", "batch-api", "python-sdk", "safety",
+    tools: [
+      { name: "speclock_init", description: "Initialize SpecLock in the current project directory.", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_get_context", description: "THE KEY TOOL. Returns the full structured context pack.", inputSchema: { type: "object", properties: { format: { enum: ["markdown","json"], type: "string", default: "markdown" } } } },
+      { name: "speclock_set_goal", description: "Set or update the project goal.", inputSchema: { type: "object", properties: { text: { type: "string", minLength: 1 } } } },
+      { name: "speclock_add_lock", description: "Add a non-negotiable constraint (SpecLock).", inputSchema: { type: "object", properties: { text: { type: "string", minLength: 1 }, tags: { type: "array", items: { type: "string" }, default: [] }, source: { enum: ["user","agent"], type: "string", default: "agent" } } } },
+      { name: "speclock_remove_lock", description: "Remove (deactivate) a SpecLock by its ID.", inputSchema: { type: "object", properties: { lockId: { type: "string", minLength: 1 } } } },
+      { name: "speclock_add_decision", description: "Record an architectural or design decision.", inputSchema: { type: "object", properties: { text: { type: "string", minLength: 1 }, tags: { type: "array", items: { type: "string" }, default: [] }, source: { enum: ["user","agent"], type: "string", default: "agent" } } } },
+      { name: "speclock_add_note", description: "Add a pinned note for reference.", inputSchema: { type: "object", properties: { text: { type: "string", minLength: 1 }, pinned: { type: "boolean", default: true } } } },
+      { name: "speclock_set_deploy_facts", description: "Record deployment configuration facts.", inputSchema: { type: "object", properties: { provider: { type: "string" }, branch: { type: "string" }, url: { type: "string" }, autoDeploy: { type: "boolean" }, notes: { type: "string" } } } },
+      { name: "speclock_log_change", description: "Manually log a significant change.", inputSchema: { type: "object", properties: { summary: { type: "string", minLength: 1 }, files: { type: "array", items: { type: "string" }, default: [] } } } },
+      { name: "speclock_get_changes", description: "Get recent file changes tracked by SpecLock.", inputSchema: { type: "object", properties: { limit: { type: "integer", default: 20, minimum: 1, maximum: 100 } } } },
+      { name: "speclock_get_events", description: "Get the event log, optionally filtered by type.", inputSchema: { type: "object", properties: { type: { type: "string" }, limit: { type: "integer", default: 50, minimum: 1, maximum: 200 }, since: { type: "string" } } } },
+      { name: "speclock_check_conflict", description: "Check if a proposed action conflicts with any active SpecLock. In hard mode, blocks above threshold.", inputSchema: { type: "object", properties: { proposedAction: { type: "string", minLength: 1 } } } },
+      { name: "speclock_session_briefing", description: "Start a new session and get a full briefing.", inputSchema: { type: "object", properties: { toolName: { enum: ["claude-code","cursor","codex","windsurf","cline","unknown"], type: "string", default: "unknown" } } } },
+      { name: "speclock_session_summary", description: "End the current session and record what was accomplished.", inputSchema: { type: "object", properties: { summary: { type: "string", minLength: 1 } } } },
+      { name: "speclock_checkpoint", description: "Create a named git tag checkpoint for easy rollback.", inputSchema: { type: "object", properties: { name: { type: "string", minLength: 1 } } } },
+      { name: "speclock_repo_status", description: "Get current git repository status.", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_suggest_locks", description: "AI-powered lock suggestions based on project patterns.", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_detect_drift", description: "Scan recent changes for constraint violations.", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_health", description: "Health check with completeness score and multi-agent timeline.", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_apply_template", description: "Apply a pre-built constraint template (nextjs, react, express, supabase, stripe, security-hardened).", inputSchema: { type: "object", properties: { name: { type: "string" } } } },
+      { name: "speclock_report", description: "Violation report — how many times SpecLock blocked changes.", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_audit", description: "Audit staged files against active locks.", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_verify_audit", description: "Verify the integrity of the HMAC audit chain.", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_export_compliance", description: "Generate compliance reports (SOC 2, HIPAA, CSV).", inputSchema: { type: "object", properties: { format: { enum: ["soc2","hipaa","csv"], type: "string" } } } },
+      { name: "speclock_set_enforcement", description: "Set enforcement mode: advisory (warn) or hard (block).", inputSchema: { type: "object", properties: { mode: { enum: ["advisory","hard"], type: "string" }, blockThreshold: { type: "integer", default: 70, minimum: 0, maximum: 100 } } } },
+      { name: "speclock_override_lock", description: "Override a lock with justification. Logged to audit trail.", inputSchema: { type: "object", properties: { lockId: { type: "string", minLength: 1 }, action: { type: "string", minLength: 1 }, reason: { type: "string", minLength: 1 } } } },
+      { name: "speclock_semantic_audit", description: "Semantic pre-commit: analyzes code changes vs locks.", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_override_history", description: "Show lock override history.", inputSchema: { type: "object", properties: { lockId: { type: "string" } } } },
+      { name: "speclock_policy_evaluate", description: "Evaluate policy-as-code rules against proposed actions.", inputSchema: { type: "object", properties: { files: { type: "array", items: { type: "string" } }, actionType: { type: "string" } } } },
+      { name: "speclock_policy_manage", description: "Policy CRUD: list, add, remove policy rules.", inputSchema: { type: "object", properties: { action: { enum: ["list","add","remove"], type: "string" } } } },
+      { name: "speclock_telemetry", description: "Opt-in usage analytics summary.", inputSchema: { type: "object", properties: { action: { enum: ["status","enable","disable","report"], type: "string" } } } },
+      { name: "speclock_guard_file", description: "Add SPECLOCK-GUARD header to lock specific files.", inputSchema: { type: "object", properties: { file: { type: "string" }, lockId: { type: "string" } } } },
+      { name: "speclock_auto_guard", description: "Auto-guard files related to lock keywords.", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_add_typed_lock", description: "Add typed constraint (numerical/range/state/temporal).", inputSchema: { type: "object", properties: { constraintType: { enum: ["numerical","range","state","temporal"], type: "string" }, metric: { type: "string" }, operator: { type: "string" }, value: {}, unit: { type: "string" }, description: { type: "string" } } } },
+      { name: "speclock_check_typed", description: "Check proposed values against typed constraints.", inputSchema: { type: "object", properties: { metric: { type: "string" }, value: {} } } },
+      { name: "speclock_list_typed_locks", description: "List all typed constraints with current thresholds.", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_update_threshold", description: "Update typed lock thresholds dynamically.", inputSchema: { type: "object", properties: { lockId: { type: "string" }, value: {}, operator: { type: "string" } } } },
+      { name: "speclock_compile_spec", description: "Compile natural language (PRDs, READMEs) into structured constraints via Gemini Flash.", inputSchema: { type: "object", properties: { text: { type: "string" }, autoApply: { type: "boolean", default: false } } } },
+      { name: "speclock_build_graph", description: "Build/refresh code dependency graph from imports (JS/TS/Python).", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_blast_radius", description: "Calculate blast radius — transitive dependents, impact %, depth.", inputSchema: { type: "object", properties: { file: { type: "string" } } } },
+      { name: "speclock_map_locks", description: "Map active locks to actual code files via the dependency graph.", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_review_patch", description: "ALLOW/WARN/BLOCK verdict — combines semantic conflict + lock-file mapping + blast radius.", inputSchema: { type: "object", properties: { description: { type: "string" }, files: { type: "array", items: { type: "string" } } } } },
+      { name: "speclock_review_patch_diff", description: "Diff-native review — parses actual diffs for interface breaks, protected symbols, dependency drift, schema changes.", inputSchema: { type: "object", properties: { description: { type: "string" }, diff: { type: "string" } } } },
+      { name: "speclock_parse_diff", description: "Parse unified diff into structured changes — imports, exports, symbols, routes, schema detection.", inputSchema: { type: "object", properties: { diff: { type: "string" } } } },
     ],
+    resources: [],
+    prompts: [],
   });
 });
 
@@ -1541,6 +1560,51 @@ app.post("/api/v2/gateway/review", async (req, res) => {
   }
 });
 
+app.post("/api/v2/gateway/review-diff", async (req, res) => {
+  setCorsHeaders(res);
+
+  const clientIp = req.headers["x-forwarded-for"]?.split(",")[0]?.trim() || req.socket?.remoteAddress || "unknown";
+  if (!checkRateLimit(clientIp)) {
+    return res.status(429).json({ error: "Rate limit exceeded", api_version: "v2" });
+  }
+
+  const { description, files, diff, useLLM, options } = req.body || {};
+  if (!description || typeof description !== "string") {
+    return res.status(400).json({ error: "Missing 'description' field", api_version: "v2" });
+  }
+  if (!diff || typeof diff !== "string") {
+    return res.status(400).json({ error: "Missing 'diff' field (provide git diff output)", api_version: "v2" });
+  }
+
+  try {
+    ensureInit(PROJECT_ROOT);
+    const fileList = Array.isArray(files) ? files : [];
+    const result = useLLM
+      ? await reviewPatchDiffAsync(PROJECT_ROOT, { description, files: fileList, diff, options })
+      : reviewPatchUnified(PROJECT_ROOT, { description, files: fileList, diff, options });
+
+    return res.json({ ...result, api_version: "v2" });
+  } catch (err) {
+    return res.status(500).json({ error: err.message, api_version: "v2" });
+  }
+});
+
+app.post("/api/v2/gateway/parse-diff", (req, res) => {
+  setCorsHeaders(res);
+
+  const { diff } = req.body || {};
+  if (!diff || typeof diff !== "string") {
+    return res.status(400).json({ error: "Missing 'diff' field", api_version: "v2" });
+  }
+
+  try {
+    const parsed = parseUnifiedDiff(diff);
+    return res.json({ ...parsed, api_version: "v2" });
+  } catch (err) {
+    return res.status(500).json({ error: err.message, api_version: "v2" });
+  }
+});
+
 // ========================================
 // SSO ENDPOINTS (v3.5)
 // ========================================

package/src/mcp/server.js

@@ -59,6 +59,10 @@ import {
   getCriticalPaths,
   reviewPatch,
   reviewPatchAsync,
+  reviewPatchDiff,
+  reviewPatchDiffAsync,
+  reviewPatchUnified,
+  parseUnifiedDiff,
 } from "../core/engine.js";
 import { generateContext, generateContextPack } from "../core/context.js";
 import {
@@ -116,7 +120,7 @@ const PROJECT_ROOT =
   args.project || process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
 
 // --- MCP Server ---
-const VERSION = "5.1.0";
+const VERSION = "5.2.1";
 const AUTHOR = "Sandeep Roy";
 
 const server = new McpServer(
@@ -1782,6 +1786,115 @@ server.tool(
   }
 );
 
+// --- Diff-Native Patch Review (v5.2) ---
+
+server.tool(
+  "speclock_review_patch_diff",
+  "Review a code change using actual diff content (git diff output). Analyzes interface breaks, protected symbol edits, dependency drift, schema changes, and public API impact. Returns ALLOW/WARN/BLOCK with per-signal scoring. When diff is provided, runs unified review (intent + diff merged, 35/65 weight).",
+  {
+    description: z.string().describe("What the change does"),
+    files: z.array(z.string()).optional().default([]).describe("Files being changed"),
+    diff: z.string().describe("Raw unified diff (git diff output)"),
+    useLLM: z.boolean().optional().default(false).describe("Use LLM for enhanced detection"),
+    options: z.object({
+      includeSymbolAnalysis: z.boolean().optional().default(true),
+      includeDependencyAnalysis: z.boolean().optional().default(true),
+      includeSchemaAnalysis: z.boolean().optional().default(true),
+      includeApiAnalysis: z.boolean().optional().default(true),
+    }).optional().default({}),
+  },
+  async ({ description, files, diff, useLLM, options }) => {
+    const perm = requirePermission("speclock_review_patch_diff");
+    if (!perm.allowed) return { content: [{ type: "text", text: perm.error }], isError: true };
+
+    const result = useLLM
+      ? await reviewPatchDiffAsync(PROJECT_ROOT, { description, files, diff, options })
+      : reviewPatchUnified(PROJECT_ROOT, { description, files, diff, options });
+
+    if (result.verdict === "ERROR") {
+      return { content: [{ type: "text", text: result.error }], isError: true };
+    }
+
+    const lines = [
+      `Patch Review Verdict: ${result.verdict}`,
+      `Risk Score: ${result.riskScore}/100`,
+      `Review Mode: ${result.reviewMode}`,
+      `Source: ${result.source || "diff-native"}`,
+      ``,
+      result.summary,
+    ];
+
+    if (result.intentVerdict) {
+      lines.push(``, `Layer Breakdown:`, `  Intent: ${result.intentVerdict} (${result.intentRisk}/100)`, `  Diff: ${result.diffVerdict} (${result.diffRisk}/100)`);
+    }
+
+    if (result.parsedDiff) {
+      lines.push(``, `Diff Stats:`, `  Files: ${result.parsedDiff.filesChanged}`, `  Additions: +${result.parsedDiff.additions}`, `  Deletions: -${result.parsedDiff.deletions}`, `  Hunks: ${result.parsedDiff.hunks}`);
+    }
+
+    if (result.signals) {
+      const activeSignals = Object.entries(result.signals).filter(([_, s]) => s.score > 0);
+      if (activeSignals.length > 0) {
+        lines.push(``, `Active Signals:`);
+        for (const [name, sig] of activeSignals) {
+          lines.push(`  ${name}: ${sig.score} pts`);
+        }
+      }
+    }
+
+    if (result.reasons && result.reasons.length > 0) {
+      lines.push(``, `Reasons:`);
+      for (const r of result.reasons) {
+        const icon = r.severity === "critical" ? "CRITICAL" : r.severity === "high" ? "HIGH" : r.severity === "medium" ? "MEDIUM" : "LOW";
+        lines.push(`  [${icon}] ${r.type}: ${r.message} (conf: ${typeof r.confidence === "number" ? (r.confidence > 1 ? r.confidence + "%" : Math.round(r.confidence * 100) + "%") : "N/A"})`);
+      }
+    }
+
+    if (result.recommendation) {
+      lines.push(``, `Recommendation: ${result.recommendation.action}`, `  ${result.recommendation.why}`);
+    }
+
+    return {
+      content: [{ type: "text", text: lines.join("\n") }],
+      isError: result.verdict === "BLOCK",
+    };
+  }
+);
+
+server.tool(
+  "speclock_parse_diff",
+  "Parse a raw unified diff into structured changes. Shows imports added/removed, exports changed, symbols touched, route changes, and schema file detection. Useful for debugging, observability, and inspecting what SpecLock thinks changed.",
+  {
+    diff: z.string().describe("Raw unified diff (git diff output)"),
+  },
+  async ({ diff }) => {
+    const parsed = parseUnifiedDiff(diff);
+
+    const lines = [
+      `Parsed Diff:`,
+      `  Files Changed: ${parsed.stats.filesChanged}`,
+      `  Additions: +${parsed.stats.additions}`,
+      `  Deletions: -${parsed.stats.deletions}`,
+      `  Hunks: ${parsed.stats.hunks}`,
+    ];
+
+    for (const file of parsed.files) {
+      lines.push(``, `File: ${file.path} (${file.language})`);
+      lines.push(`  +${file.additions} / -${file.deletions}`);
+      if (file.importsAdded.length > 0) lines.push(`  Imports Added: ${file.importsAdded.join(", ")}`);
+      if (file.importsRemoved.length > 0) lines.push(`  Imports Removed: ${file.importsRemoved.join(", ")}`);
+      if (file.exportsAdded.length > 0) lines.push(`  Exports Added: ${file.exportsAdded.map(e => e.symbol).join(", ")}`);
+      if (file.exportsRemoved.length > 0) lines.push(`  Exports Removed: ${file.exportsRemoved.map(e => e.symbol).join(", ")}`);
+      if (file.exportsModified.length > 0) lines.push(`  Exports Modified: ${file.exportsModified.map(e => e.symbol).join(", ")}`);
+      if (file.symbolsTouched.length > 0) lines.push(`  Symbols Touched: ${file.symbolsTouched.map(s => `${s.symbol} (${s.changeType})`).join(", ")}`);
+      if (file.routeChanges.length > 0) lines.push(`  Route Changes: ${file.routeChanges.map(r => `${r.method} ${r.path} [${r.changeType}]`).join(", ")}`);
+      if (file.isSchemaFile) lines.push(`  ** Schema/Migration File **`);
+    }
+
+    return { content: [{ type: "text", text: lines.join("\n") }] };
+  }
+);
+
 // --- Smithery sandbox export ---
 export default function createSandboxServer() {
   return server;