speclock 5.2.0 → 5.2.2

package/README.md

@@ -305,25 +305,118 @@ pip install speclock-sdk
 ```
 
 ```python
-from speclock import ConstraintChecker
-checker = ConstraintChecker(constraints)
-result = checker.check({"metric": "speed_mps", "value": 3.5})
+from speclock import SpecLock
+
+sl = SpecLock(project_root=".")
+
+# Check text constraints (semantic conflict detection)
+result = sl.check_text("Switch database to MongoDB")
+# → { has_conflict: True, conflicting_locks: [...] }
+
+# Check typed constraints (numerical/range/state/temporal)
+result = sl.check_typed(metric="speed_mps", value=3.5)
 # → violation: speed exceeds 2.0 m/s limit
+
+# Combined check (text + typed in one call)
+result = sl.check(action="Increase speed", speed_mps=3.5)
+```
+
+Uses the same `.speclock/brain.json` as the Node.js MCP server — constraints stay in sync across all environments.
+
+**ROS2 Guardian Node:** Real-time constraint enforcement for robots and autonomous systems.
+
+```yaml
+# config/constraints.yaml
+constraints:
+  - type: range
+    metric: joint_position_rad
+    min: -3.14
+    max: 3.14
+  - type: numerical
+    metric: velocity_mps
+    operator: "<="
+    value: 2.0
+  - type: state
+    metric: system_mode
+    forbidden:
+      - from: emergency_stop
+        to: autonomous
+```
+
+- Subscribes to `/joint_states`, `/cmd_vel`, `/speclock/state_transition`
+- Publishes violations to `/speclock/violations`
+- Triggers emergency stop via `/speclock/emergency_stop`
+- Checks constraints on every incoming ROS2 message at configurable rate
+
+---
+
+## Patch Gateway (v5.1)
+
+One API call gates every change. Takes a description + file list, returns ALLOW/WARN/BLOCK:
+
+```
+speclock_review_patch({
+  description: "Add social login to auth page",
+  files: ["src/auth/login.js"]
+})
+
+→ { verdict: "BLOCK", riskScore: 85,
+    reasons: [{ type: "semantic_conflict", lock: "Never modify auth" }],
+    blastRadius: { impactPercent: 28.3 },
+    summary: "BLOCKED. 1 constraint conflict. 12 files affected." }
+```
+
+Combines semantic conflict detection + lock-to-file mapping + blast radius + typed constraint awareness into a single risk score (0-100).
+
+---
+
+## AI Patch Firewall (v5.2)
+
+Reviews actual diffs, not just descriptions. Catches things intent review misses:
+
+```
+POST /api/v2/gateway/review-diff
+{
+  "description": "Remove password column",
+  "diff": "diff --git a/migrations/001.sql ..."
+}
+
+→ { verdict: "BLOCK",
+    reviewMode: "unified",
+    intentVerdict: "ALLOW",     ← description alone looks safe
+    diffVerdict: "BLOCK",       ← diff reveals destructive schema change
+    signals: {
+      schemaChange: { score: 12, isDestructive: true },
+      interfaceBreak: { score: 10 },
+      protectedSymbolEdit: { score: 8 },
+      dependencyDrift: { score: 5 },
+      publicApiImpact: { score: 0 }
+    },
+    recommendation: { action: "require_approval" } }
 ```
 
-**ROS2 Guardian Node:** Real-time constraint enforcement for robots. Subscribes to sensor topics, checks constraints at configurable rate, publishes violations, triggers emergency stop.
+**Signal detection:** Interface breaks (removed/changed exports), protected symbol edits in locked zones, dependency drift (critical package add/remove), schema/migration destructive changes, public API route changes.
+
+**Hard escalation rules:** Auto-BLOCK on destructive schema changes, removed API routes, protected symbol edits, or multiple critical findings — regardless of score.
+
+**Unified review:** Merges intent (35%) + diff (65%), takes the stronger verdict. Falls back to intent-only when no diff is available.
 
 ---
 
-## REST API v2 (v5.0)
+## REST API v2
 
-Real-time constraint checking for autonomous systems:
+Real-time constraint checking, patch review, and autonomous systems:
 
 ```bash
-# Single check
-POST /api/v2/check-typed    { metric, value, entity }
+# Patch Gateway (v5.1)
+POST /api/v2/gateway/review        { description, files, useLLM }
+
+# AI Patch Firewall (v5.2)
+POST /api/v2/gateway/review-diff   { description, files, diff, options }
+POST /api/v2/gateway/parse-diff    { diff }
 
-# Batch check (up to 100)
+# Typed constraint checking
+POST /api/v2/check-typed    { metric, value, entity }
 POST /api/v2/check-batch    { checks: [...] }
 
 # SSE streaming (real-time violations)
@@ -335,6 +428,7 @@ POST /api/v2/compiler/compile  { text, autoApply }
 # Code Graph
 GET  /api/v2/graph/blast-radius?file=src/core/memory.js
 GET  /api/v2/graph/lock-map
+POST /api/v2/graph/build
 ```
 
 ---
@@ -436,6 +530,17 @@ GET  /api/v2/graph/lock-map
 
 </details>
 
+<details>
+<summary><b>Patch Gateway & AI Patch Firewall</b> — change review, diff analysis (v5.1/v5.2)</summary>
+
+| Tool | What it does |
+|------|-------------|
+| `speclock_review_patch` | ALLOW/WARN/BLOCK verdict for proposed changes |
+| `speclock_review_patch_diff` | Diff-native review with signal scoring + unified verdict |
+| `speclock_parse_diff` | Parse unified diff into structured changes (debug/inspect) |
+
+</details>
+
 ---
 
 ## CLI
@@ -611,4 +716,4 @@ Built by **[Sandeep Roy](https://github.com/sgroy10)**
 
 ---
 
-<p align="center"><i>v5.0.0 — 1073 tests, 99.4% pass rate, 42 MCP tools, Spec Compiler, Code Graph, Typed Constraints, Python SDK, ROS2, REST API v2. Because remembering isn't enough.</i></p>
+<p align="center"><i>v5.2.0 — 1073 tests, 99.4% pass rate, 42 MCP tools, Patch Gateway, AI Patch Firewall, Spec Compiler, Code Graph, Typed Constraints, Python SDK, ROS2, REST API v2. Because remembering isn't enough.</i></p>

package/package.json

@@ -2,7 +2,7 @@
 
   "name": "speclock",
 
-  "version": "5.2.0",
+  "version": "5.2.2",
 
   "description": "AI Constraint Engine — AI Patch Firewall. Diff-native review (interface breaks, protected symbols, dependency drift, schema changes, API impact), Patch Gateway (ALLOW/WARN/BLOCK verdicts), Spec Compiler (NL→constraints), Code Graph (blast radius, lock-to-file mapping), Typed constraints, REST API v2, Python SDK, ROS2 integration. 42 MCP tools, Gemini LLM hybrid, HMAC audit chain, RBAC, encryption, SOC 2/HIPAA compliance.",
 

package/src/cli/index.js

@@ -117,7 +117,7 @@ function refreshContext(root) {
 
 function printHelp() {
   console.log(`
-SpecLock v5.2.0 — AI Constraint Engine (Spec Compiler + Code Graph + Typed Constraints + Python SDK + ROS2 + REST API v2 + Gemini LLM + Policy-as-Code + Auth + RBAC + Encryption)
+SpecLock v5.2.2 — AI Constraint Engine (Spec Compiler + Code Graph + Typed Constraints + Python SDK + ROS2 + REST API v2 + Gemini LLM + Policy-as-Code + Auth + RBAC + Encryption)
 Developed by Sandeep Roy (github.com/sgroy10)
 
 Usage: speclock <command> [options]
@@ -1102,6 +1102,135 @@ Tip: When starting a new chat, tell the AI:
     return;
   }
 
+  // --- RELEASE: Automated version bump + publish + deploy ---
+  if (cmd === "release") {
+    const bump = args[0]; // "patch", "minor", or "major"
+    if (!bump || !["patch", "minor", "major"].includes(bump)) {
+      console.log("Usage: speclock release <patch|minor|major>");
+      console.log("  Bumps version in ALL files, commits, pushes, npm publishes, deploys.");
+      process.exit(1);
+    }
+
+    const { execSync } = await import("child_process");
+    const fs = await import("fs");
+
+    // Read current version
+    const pkgPath = path.join(root, "package.json");
+    const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf8"));
+    const [major, minor, patch] = pkg.version.split(".").map(Number);
+    let newVersion;
+    if (bump === "patch") newVersion = `${major}.${minor}.${patch + 1}`;
+    else if (bump === "minor") newVersion = `${major}.${minor + 1}.0`;
+    else newVersion = `${major + 1}.0.0`;
+
+    console.log(`\n  Releasing v${newVersion} (was ${pkg.version})\n`);
+
+    // Step 1: Version bump in all 7 files
+    const VERSION_FILES = [
+      { file: "package.json", pattern: `"version": "${pkg.version}"`, replacement: `"version": "${newVersion}"` },
+      { file: "src/mcp/http-server.js", pattern: `const VERSION = "${pkg.version}"`, replacement: `const VERSION = "${newVersion}"` },
+      { file: "src/mcp/server.js", pattern: `const VERSION = "${pkg.version}"`, replacement: `const VERSION = "${newVersion}"` },
+      { file: "src/core/compliance.js", pattern: `const VERSION = "${pkg.version}"`, replacement: `const VERSION = "${newVersion}"` },
+      { file: "src/cli/index.js", pattern: `SpecLock v${pkg.version}`, replacement: `SpecLock v${newVersion}` },
+      { file: "src/dashboard/index.html", pattern: `v${pkg.version}`, replacement: `v${newVersion}` },
+    ];
+
+    let filesUpdated = 0;
+    for (const { file, pattern, replacement } of VERSION_FILES) {
+      const filePath = path.join(root, file);
+      if (!fs.existsSync(filePath)) {
+        console.log(`  SKIP  ${file} (not found)`);
+        continue;
+      }
+      const content = fs.readFileSync(filePath, "utf8");
+      const updated = content.replaceAll(pattern, replacement);
+      if (updated !== content) {
+        fs.writeFileSync(filePath, updated);
+        const count = (content.split(pattern).length - 1);
+        console.log(`  DONE  ${file} (${count} replacement${count > 1 ? "s" : ""})`);
+        filesUpdated++;
+      } else {
+        console.log(`  SKIP  ${file} (pattern not found)`);
+      }
+    }
+    console.log(`\n  ${filesUpdated} files updated to v${newVersion}\n`);
+
+    // Step 2: Git commit + push
+    console.log("  Committing...");
+    try {
+      execSync(`git add -A`, { cwd: root, stdio: "pipe" });
+      execSync(`git commit -m "v${newVersion}"`, { cwd: root, stdio: "pipe" });
+      console.log("  DONE  git commit");
+    } catch (e) {
+      console.error("  FAIL  git commit:", e.message);
+      process.exit(1);
+    }
+
+    console.log("  Pushing...");
+    try {
+      execSync(`git push origin main`, { cwd: root, stdio: "pipe" });
+      console.log("  DONE  git push");
+    } catch (e) {
+      console.error("  FAIL  git push:", e.message);
+    }
+
+    // Step 3: npm publish
+    console.log("  Publishing to npm...");
+    try {
+      execSync(`npm publish`, { cwd: root, stdio: "pipe" });
+      console.log("  DONE  npm publish speclock@" + newVersion);
+    } catch (e) {
+      console.error("  FAIL  npm publish:", e.message);
+    }
+
+    // Step 4: Git tag
+    console.log("  Tagging...");
+    try {
+      execSync(`git tag v${newVersion}`, { cwd: root, stdio: "pipe" });
+      execSync(`git push origin v${newVersion}`, { cwd: root, stdio: "pipe" });
+      console.log(`  DONE  git tag v${newVersion}`);
+    } catch (e) {
+      console.error("  FAIL  git tag:", e.message);
+    }
+
+    // Step 5: Railway deploy
+    console.log("  Deploying to Railway...");
+    try {
+      execSync(`railway up`, { cwd: root, stdio: "pipe", timeout: 120000 });
+      console.log("  DONE  railway up");
+    } catch (e) {
+      console.log("  WARN  railway up (may need manual deploy):", e.message?.slice(0, 100));
+    }
+
+    // Step 6: Verify
+    console.log("\n  Verifying...");
+    try {
+      const health = execSync(`curl -s https://speclock-mcp-production.up.railway.app/health`, { timeout: 15000 }).toString();
+      const parsed = JSON.parse(health);
+      if (parsed.version === newVersion) {
+        console.log(`  DONE  Railway health: v${parsed.version} (${parsed.tools} tools)`);
+      } else {
+        console.log(`  WARN  Railway shows v${parsed.version}, expected v${newVersion} (may need a moment)`);
+      }
+    } catch (e) {
+      console.log("  WARN  Health check failed (Railway may still be deploying)");
+    }
+
+    try {
+      const npmVer = execSync(`npm view speclock version`, { timeout: 10000 }).toString().trim();
+      if (npmVer === newVersion) {
+        console.log(`  DONE  npm: speclock@${npmVer}`);
+      } else {
+        console.log(`  WARN  npm shows ${npmVer}, expected ${newVersion} (cache delay)`);
+      }
+    } catch (e) {
+      console.log("  WARN  npm check failed");
+    }
+
+    console.log(`\n  Release v${newVersion} complete.\n`);
+    return;
+  }
+
   console.error(`Unknown command: ${cmd}`);
   console.error("Run 'speclock --help' for usage.");
   process.exit(1);

package/src/core/compliance.js

@@ -9,7 +9,7 @@
 import { readBrain, readEvents } from "./storage.js";
 import { verifyAuditChain } from "./audit.js";
 
-const VERSION = "5.2.0";
+const VERSION = "5.2.2";
 
 // PHI-related keywords for HIPAA filtering
 const PHI_KEYWORDS = [

package/src/core/diff-analyzer.js

@@ -14,7 +14,7 @@ import { analyzeConflict } from "./semantics.js";
 // --- Signal score caps (from ChatGPT spec) ---
 
 const CAPS = {
-  semanticConflict: 20,
+  semanticConflict: 45,
   lockFileOverlap: 20,
   blastRadius: 15,
   typedConstraintRelevance: 10,
@@ -514,6 +514,17 @@ export function calculateVerdict(signals, reasons) {
     hardBlockReason = "Multiple critical issues with high confidence.";
   }
 
+  // Semantic conflict at HIGH confidence (>=0.7) should hard-block
+  // even if other signals are absent — the engine is certain this
+  // action violates a lock.
+  const highConfSemantic = reasons.filter(r =>
+    r.type === "semantic_conflict" && (r.confidence || 0) >= 0.7
+  );
+  if (highConfSemantic.length > 0) {
+    hardBlock = true;
+    hardBlockReason = `High-confidence semantic conflict: ${highConfSemantic[0].message || "action violates active lock"}.`;
+  }
+
   // --- Determine verdict ---
   let verdict;
   if (hardBlock || riskScore >= 50) {

package/src/core/semantics.js

@@ -272,6 +272,10 @@ export const EUPHEMISM_MAP = {
   "reconcile":      ["modify", "adjust", "change", "alter"],
   "reverse":        ["undo", "revert", "modify", "change"],
   "recalculate":    ["modify", "change", "update", "alter"],
+  "recompute":      ["modify", "change", "recalculate", "alter"],
+  "reprocess":      ["override", "modify", "recalculate", "delete", "redo"],
+  "round up":       ["modify", "tamper", "falsify", "alter", "inflate"],
+  "round down":     ["modify", "tamper", "falsify", "alter", "deflate"],
   "backdate":       ["modify", "tamper", "falsify", "change"],
   "rebalance":      ["modify", "adjust", "change", "redistribute"],
   "reclassify":     ["modify", "change", "recategorize"],
@@ -319,7 +323,7 @@ export const EUPHEMISM_MAP = {
   "bridge":         ["connect", "link", "merge", "join"],
   "segment":        ["split", "separate", "isolate", "divide"],
   "flatten":        ["merge", "simplify", "restructure"],
-  "consolidate":    ["merge", "combine", "reduce"],
+  "consolidate":    ["merge", "combine", "reduce", "delete", "expose"],
   "spin up":        ["create", "deploy", "start"],
   "spin down":      ["delete", "remove", "stop"],
   "tear down":      ["delete", "remove", "destroy"],
@@ -349,6 +353,23 @@ export const EUPHEMISM_MAP = {
   "scrape":         ["extract", "collect", "harvest"],
   "harvest":        ["collect", "extract", "scrape"],
 
+  // Verification/compliance bypass euphemisms
+  "skip check":     ["bypass", "disable", "remove"],
+  "skip verification": ["bypass", "disable", "remove"],
+  "streamline verification": ["bypass", "weaken", "remove", "skip"],
+  "streamline application":  ["bypass", "skip", "remove"],
+  "streamline detection":    ["weaken", "disable", "bypass"],
+  "for research purposes": ["excuse", "bypass", "unauthorized"],
+  "in dev":         ["excuse", "bypass"],
+  "mock change":    ["bypass", "modify", "test excuse"],
+
+  // Record manipulation/destruction euphemisms
+  "clean up records":   ["delete", "remove", "destroy"],
+  "clean up old":       ["delete", "remove", "purge"],
+  "archive and delete": ["delete", "remove", "destroy"],
+  "refresh timestamps": ["falsify", "tamper", "modify"],
+  "refresh inspection": ["falsify", "tamper", "modify"],
+
   // Encryption euphemisms
   "unencrypted":    ["without encryption", "disable encryption", "no encryption", "plaintext"],
   "plaintext":      ["without encryption", "unencrypted", "no encryption"],
@@ -689,6 +710,45 @@ export const CONCEPT_MAP = {
   "k8s":               ["kubernetes", "cluster", "infrastructure",
                         "container orchestration"],
   "cluster":           ["kubernetes", "k8s", "infrastructure", "nodes"],
+
+  // Education / student records
+  "gpa":               ["grades", "grade point", "academic record", "transcript"],
+  "grades":            ["gpa", "academic record", "transcript", "marks", "scores"],
+  "transcript":        ["grades", "gpa", "academic record", "student record"],
+  "financial aid":     ["student loans", "scholarships", "grants", "student data", "student records"],
+  "student records":   ["grades", "transcript", "enrollment", "academic data"],
+  "weighted averages": ["grades", "gpa", "academic calculation"],
+
+  // Government / benefits
+  "voter rolls":       ["voter registration", "election records", "voter data"],
+  "citizen database":  ["pii", "personal data", "government records", "citizen data"],
+  "benefit applications": ["claims", "welfare", "government benefits"],
+  "denied applications":  ["rejected claims", "denied benefits", "denied requests"],
+
+  // Insurance / claims
+  "claims":            ["insurance claims", "benefit claims", "applications"],
+  "denied claims":     ["rejected claims", "denied applications"],
+  "cancelled applications": ["denied claims", "rejected applications", "voided applications"],
+
+  // Aerospace / aviation safety
+  "inspection records": ["safety records", "maintenance records", "compliance records"],
+  "discrepancy reports": ["safety reports", "incident reports", "audit findings"],
+  "black box":         ["flight recorder", "flight data", "telemetry data", "safety data"],
+  "inspection timestamps": ["safety records", "maintenance dates", "compliance dates"],
+
+  // Gaming / virtual economy
+  "virtual currency":  ["in-game currency", "game tokens", "game economy"],
+  "player data":       ["user data", "gamer data", "player records", "pii"],
+  "player ips":        ["ip addresses", "pii", "player data", "network data"],
+  "cheat detection":   ["anti-cheat", "cheat prevention", "security", "game integrity"],
+
+  // Real estate / tenant screening
+  "background check":  ["tenant screening", "verification", "due diligence"],
+  "tenant screening":  ["background check", "credit check", "verification"],
+
+  // Telecom / billing
+  "call records":      ["cdr", "call data", "telecom records", "billing records"],
+  "subscriber data":   ["customer data", "user data", "telecom records"],
 };
 
 // ===================================================================
@@ -780,7 +840,9 @@ const NEGATIVE_INTENT_MARKERS = [
   "clean up", "sunset", "retire", "phase out",
   "decommission", "wind down", "take down",
   "take offline", "pull the plug",
-  "streamline",
+  "streamline", "consolidate",
+  "round up", "round down", "reprocess", "recompute",
+  "falsify", "tamper",
 ].sort((a, b) => b.length - a.length);
 
 // ===================================================================
@@ -1892,15 +1954,50 @@ export function scoreConflict({ actionText, lockText }) {
       rawWordOverlap &&
       euphemismMatches.some(m => m.includes(`euphemism for ${_prohibVerb}`));
 
-    if (!euphemismMatchesProhibitedVerb) {
+    // NEW: Check if euphemism maps to lock's prohibited verb even without
+    // word overlap. Cross-domain attacks like "truncate audit_log" vs
+    // "Never delete student records" have no shared nouns but the euphemism
+    // still proves destructive intent matching the lock's prohibition.
+    const _DESTRUCTIVE_VERBS = new Set([
+      "delete", "remove", "destroy", "wipe", "purge", "erase",
+      "disable", "bypass", "expose", "tamper", "falsify",
+      "override", "leak", "steal", "skip", "weaken",
+    ]);
+    const euphemismMatchesDestructiveProhibition = !euphemismMatchesProhibitedVerb &&
+      _prohibVerb && _DESTRUCTIVE_VERBS.has(_prohibVerb) &&
+      euphemismMatches.some(m => m.includes(`euphemism for ${_prohibVerb}`));
+
+    if (euphemismMatchesProhibitedVerb) {
+      // Full bypass — euphemism matches prohibited verb AND has content overlap
+      // No reduction applied (existing behavior)
+    } else if (euphemismMatchesDestructiveProhibition) {
+      // Euphemism maps to destructive prohibited verb but no subject overlap
+      // Apply moderate reduction (not 0.15) — still suspicious enough to flag
+      score = Math.floor(score * 0.50);
+      reasons.push("scope gate softened: euphemism matches destructive prohibition without subject overlap");
+    } else {
       // NO subject match at all — verb-only match → heavy reduction
       score = Math.floor(score * 0.15);
       reasons.push("subject gate: no subject overlap — verb-only match, likely false positive");
     }
   } else if (hasVocabSubjectMatch && !hasScopeMatch && subjectComparison.lockSubjects.length > 0 && subjectComparison.actionSubjects.length > 0) {
     // Vocabulary overlap exists but subjects point to DIFFERENT scopes
-    score = Math.floor(score * 0.35);
-    reasons.push(`scope gate: shared vocabulary but different scope — lock targets "${subjectComparison.lockSubjects[0]}", action targets "${subjectComparison.actionSubjects[0]}"`);
+    // If euphemism maps to a destructive verb, soften the gate
+    const _prohibVerb2 = extractProhibitedVerb(lockText);
+    const _DESTRUCTIVE_VERBS2 = new Set([
+      "delete", "remove", "destroy", "wipe", "purge", "erase",
+      "disable", "bypass", "expose", "tamper", "falsify",
+      "override", "leak", "steal", "skip", "weaken",
+    ]);
+    const hasDestructiveEuphemism = _prohibVerb2 && _DESTRUCTIVE_VERBS2.has(_prohibVerb2) &&
+      euphemismMatches.some(m => m.includes(`euphemism for ${_prohibVerb2}`));
+    if (hasDestructiveEuphemism) {
+      score = Math.floor(score * 0.55);
+      reasons.push(`scope gate softened: destructive euphemism with different scope — lock targets "${subjectComparison.lockSubjects[0]}", action targets "${subjectComparison.actionSubjects[0]}"`);
+    } else {
+      score = Math.floor(score * 0.35);
+      reasons.push(`scope gate: shared vocabulary but different scope — lock targets "${subjectComparison.lockSubjects[0]}", action targets "${subjectComparison.actionSubjects[0]}"`);
+    }
   }
 
   const prohibitedVerb = extractProhibitedVerb(lockText);

package/src/dashboard/index.html

@@ -89,7 +89,7 @@
 <div class="header">
   <div>
     <h1><span>SpecLock</span> Dashboard</h1>
-    <div class="meta">v5.2.0 &mdash; AI Constraint Engine</div>
+    <div class="meta">v5.2.2 &mdash; AI Constraint Engine</div>
   </div>
   <div style="display:flex;align-items:center;gap:12px;">
     <span id="health-badge" class="status-badge healthy">Loading...</span>
@@ -182,7 +182,7 @@
 </div>
 
 <div style="text-align:center;padding:24px;color:var(--muted);font-size:12px;">
-  SpecLock v5.2.0 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
+  SpecLock v5.2.2 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
 </div>
 
 <script>

package/src/mcp/http-server.js

@@ -113,7 +113,7 @@ import { fileURLToPath } from "url";
 import _path from "path";
 
 const PROJECT_ROOT = process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
-const VERSION = "5.2.0";
+const VERSION = "5.2.2";
 const AUTHOR = "Sandeep Roy";
 const START_TIME = Date.now();
 
@@ -901,7 +901,7 @@ app.get("/", (req, res) => {
     name: "speclock",
     version: VERSION,
     author: AUTHOR,
-    description: "AI Constraint Engine for autonomous systems governance. Spec Compiler (NL→constraints), Code Graph (blast radius, lock-to-file mapping), Typed constraints (numerical, range, state, temporal), REST API v2 with batch checking & SSE streaming. Python SDK + ROS2 integration. Policy-as-Code, RBAC, AES-256-GCM encryption, hard enforcement, HMAC audit chain, SOC 2/HIPAA compliance. 42 MCP tools. 940 tests, 99.4% accuracy.",
+    description: "AI Constraint Engine — AI Patch Firewall. Patch Gateway (ALLOW/WARN/BLOCK verdicts), diff-native review (interface breaks, protected symbols, dependency drift, schema changes, API impact). Spec Compiler (NL→constraints), Code Graph (blast radius, lock-to-file mapping), Typed constraints, REST API v2, Python SDK + ROS2 integration. Policy-as-Code, RBAC, AES-256-GCM encryption, HMAC audit chain, SOC 2/HIPAA compliance. 42 MCP tools. 1073 tests, 99.4% accuracy.",
     tools: 42,
     mcp_endpoint: "/mcp",
     health_endpoint: "/health",
@@ -913,45 +913,60 @@ app.get("/", (req, res) => {
 // Smithery server card for listing metadata
 app.get("/.well-known/mcp/server-card.json", (req, res) => {
   setCorsHeaders(res);
+  // Smithery-compatible server card format (SEP-1649)
   res.json({
-    name: "SpecLock",
-    version: VERSION,
-    description: "AI Constraint Engine for autonomous systems governance. Spec Compiler (NL→constraints via Gemini Flash), Code Graph (dependency parsing, blast radius, lock-to-file mapping), Typed constraints (numerical, range, state, temporal), REST API v2, Python SDK + ROS2 Guardian Node. Hybrid heuristic + Gemini LLM. Policy-as-Code, RBAC, AES-256-GCM encryption, hard enforcement, HMAC audit chain, SOC 2/HIPAA compliance. 42 MCP tools. 940 tests, 99.4% accuracy. Works with Claude Code, Cursor, Windsurf, Cline, Bolt.new, Lovable.",
-    author: {
-      name: "Sandeep Roy",
-      url: "https://github.com/sgroy10",
-    },
-    repository: "https://github.com/sgroy10/speclock",
-    homepage: "https://sgroy10.github.io/speclock/",
-    license: "MIT",
-    capabilities: {
-      tools: 42,
-      categories: [
-        "Memory Management",
-        "Change Tracking",
-        "Constraint Enforcement",
-        "Git Integration",
-        "AI Intelligence",
-        "Templates & Reports",
-        "Compliance & Audit",
-        "Hard Enforcement",
-        "Policy-as-Code",
-        "Telemetry",
-        "Typed Constraints",
-        "REST API v2",
-        "Real-Time Streaming",
-        "Robotics / ROS2",
-        "Python SDK",
-      ],
+    serverInfo: {
+      name: "speclock",
+      version: VERSION,
     },
-    keywords: [
-      "ai-memory", "constraint-enforcement", "mcp", "policy-as-code",
-      "sso", "oauth", "rbac", "encryption", "audit", "compliance",
-      "soc2", "hipaa", "dashboard", "telemetry", "claude-code",
-      "cursor", "bolt-new", "lovable", "enterprise",
-      "robotics", "ros2", "autonomous-systems", "iot", "typed-constraints",
-      "real-time", "sse", "batch-api", "python-sdk", "safety",
+    tools: [
+      { name: "speclock_init", description: "Initialize SpecLock in the current project directory.", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_get_context", description: "THE KEY TOOL. Returns the full structured context pack.", inputSchema: { type: "object", properties: { format: { enum: ["markdown","json"], type: "string", default: "markdown" } } } },
+      { name: "speclock_set_goal", description: "Set or update the project goal.", inputSchema: { type: "object", properties: { text: { type: "string", minLength: 1 } } } },
+      { name: "speclock_add_lock", description: "Add a non-negotiable constraint (SpecLock).", inputSchema: { type: "object", properties: { text: { type: "string", minLength: 1 }, tags: { type: "array", items: { type: "string" }, default: [] }, source: { enum: ["user","agent"], type: "string", default: "agent" } } } },
+      { name: "speclock_remove_lock", description: "Remove (deactivate) a SpecLock by its ID.", inputSchema: { type: "object", properties: { lockId: { type: "string", minLength: 1 } } } },
+      { name: "speclock_add_decision", description: "Record an architectural or design decision.", inputSchema: { type: "object", properties: { text: { type: "string", minLength: 1 }, tags: { type: "array", items: { type: "string" }, default: [] }, source: { enum: ["user","agent"], type: "string", default: "agent" } } } },
+      { name: "speclock_add_note", description: "Add a pinned note for reference.", inputSchema: { type: "object", properties: { text: { type: "string", minLength: 1 }, pinned: { type: "boolean", default: true } } } },
+      { name: "speclock_set_deploy_facts", description: "Record deployment configuration facts.", inputSchema: { type: "object", properties: { provider: { type: "string" }, branch: { type: "string" }, url: { type: "string" }, autoDeploy: { type: "boolean" }, notes: { type: "string" } } } },
+      { name: "speclock_log_change", description: "Manually log a significant change.", inputSchema: { type: "object", properties: { summary: { type: "string", minLength: 1 }, files: { type: "array", items: { type: "string" }, default: [] } } } },
+      { name: "speclock_get_changes", description: "Get recent file changes tracked by SpecLock.", inputSchema: { type: "object", properties: { limit: { type: "integer", default: 20, minimum: 1, maximum: 100 } } } },
+      { name: "speclock_get_events", description: "Get the event log, optionally filtered by type.", inputSchema: { type: "object", properties: { type: { type: "string" }, limit: { type: "integer", default: 50, minimum: 1, maximum: 200 }, since: { type: "string" } } } },
+      { name: "speclock_check_conflict", description: "Check if a proposed action conflicts with any active SpecLock. In hard mode, blocks above threshold.", inputSchema: { type: "object", properties: { proposedAction: { type: "string", minLength: 1 } } } },
+      { name: "speclock_session_briefing", description: "Start a new session and get a full briefing.", inputSchema: { type: "object", properties: { toolName: { enum: ["claude-code","cursor","codex","windsurf","cline","unknown"], type: "string", default: "unknown" } } } },
+      { name: "speclock_session_summary", description: "End the current session and record what was accomplished.", inputSchema: { type: "object", properties: { summary: { type: "string", minLength: 1 } } } },
+      { name: "speclock_checkpoint", description: "Create a named git tag checkpoint for easy rollback.", inputSchema: { type: "object", properties: { name: { type: "string", minLength: 1 } } } },
+      { name: "speclock_repo_status", description: "Get current git repository status.", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_suggest_locks", description: "AI-powered lock suggestions based on project patterns.", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_detect_drift", description: "Scan recent changes for constraint violations.", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_health", description: "Health check with completeness score and multi-agent timeline.", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_apply_template", description: "Apply a pre-built constraint template (nextjs, react, express, supabase, stripe, security-hardened).", inputSchema: { type: "object", properties: { name: { type: "string" } } } },
+      { name: "speclock_report", description: "Violation report — how many times SpecLock blocked changes.", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_audit", description: "Audit staged files against active locks.", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_verify_audit", description: "Verify the integrity of the HMAC audit chain.", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_export_compliance", description: "Generate compliance reports (SOC 2, HIPAA, CSV).", inputSchema: { type: "object", properties: { format: { enum: ["soc2","hipaa","csv"], type: "string" } } } },
+      { name: "speclock_set_enforcement", description: "Set enforcement mode: advisory (warn) or hard (block).", inputSchema: { type: "object", properties: { mode: { enum: ["advisory","hard"], type: "string" }, blockThreshold: { type: "integer", default: 70, minimum: 0, maximum: 100 } } } },
+      { name: "speclock_override_lock", description: "Override a lock with justification. Logged to audit trail.", inputSchema: { type: "object", properties: { lockId: { type: "string", minLength: 1 }, action: { type: "string", minLength: 1 }, reason: { type: "string", minLength: 1 } } } },
+      { name: "speclock_semantic_audit", description: "Semantic pre-commit: analyzes code changes vs locks.", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_override_history", description: "Show lock override history.", inputSchema: { type: "object", properties: { lockId: { type: "string" } } } },
+      { name: "speclock_policy_evaluate", description: "Evaluate policy-as-code rules against proposed actions.", inputSchema: { type: "object", properties: { files: { type: "array", items: { type: "string" } }, actionType: { type: "string" } } } },
+      { name: "speclock_policy_manage", description: "Policy CRUD: list, add, remove policy rules.", inputSchema: { type: "object", properties: { action: { enum: ["list","add","remove"], type: "string" } } } },
+      { name: "speclock_telemetry", description: "Opt-in usage analytics summary.", inputSchema: { type: "object", properties: { action: { enum: ["status","enable","disable","report"], type: "string" } } } },
+      { name: "speclock_guard_file", description: "Add SPECLOCK-GUARD header to lock specific files.", inputSchema: { type: "object", properties: { file: { type: "string" }, lockId: { type: "string" } } } },
+      { name: "speclock_auto_guard", description: "Auto-guard files related to lock keywords.", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_add_typed_lock", description: "Add typed constraint (numerical/range/state/temporal).", inputSchema: { type: "object", properties: { constraintType: { enum: ["numerical","range","state","temporal"], type: "string" }, metric: { type: "string" }, operator: { type: "string" }, value: {}, unit: { type: "string" }, description: { type: "string" } } } },
+      { name: "speclock_check_typed", description: "Check proposed values against typed constraints.", inputSchema: { type: "object", properties: { metric: { type: "string" }, value: {} } } },
+      { name: "speclock_list_typed_locks", description: "List all typed constraints with current thresholds.", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_update_threshold", description: "Update typed lock thresholds dynamically.", inputSchema: { type: "object", properties: { lockId: { type: "string" }, value: {}, operator: { type: "string" } } } },
+      { name: "speclock_compile_spec", description: "Compile natural language (PRDs, READMEs) into structured constraints via Gemini Flash.", inputSchema: { type: "object", properties: { text: { type: "string" }, autoApply: { type: "boolean", default: false } } } },
+      { name: "speclock_build_graph", description: "Build/refresh code dependency graph from imports (JS/TS/Python).", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_blast_radius", description: "Calculate blast radius — transitive dependents, impact %, depth.", inputSchema: { type: "object", properties: { file: { type: "string" } } } },
+      { name: "speclock_map_locks", description: "Map active locks to actual code files via the dependency graph.", inputSchema: { type: "object", properties: {} } },
+      { name: "speclock_review_patch", description: "ALLOW/WARN/BLOCK verdict — combines semantic conflict + lock-file mapping + blast radius.", inputSchema: { type: "object", properties: { description: { type: "string" }, files: { type: "array", items: { type: "string" } } } } },
+      { name: "speclock_review_patch_diff", description: "Diff-native review — parses actual diffs for interface breaks, protected symbols, dependency drift, schema changes.", inputSchema: { type: "object", properties: { description: { type: "string" }, diff: { type: "string" } } } },
+      { name: "speclock_parse_diff", description: "Parse unified diff into structured changes — imports, exports, symbols, routes, schema detection.", inputSchema: { type: "object", properties: { diff: { type: "string" } } } },
     ],
+    resources: [],
+    prompts: [],
   });
 });
 

package/src/mcp/server.js

@@ -120,7 +120,7 @@ const PROJECT_ROOT =
   args.project || process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
 
 // --- MCP Server ---
-const VERSION = "5.2.0";
+const VERSION = "5.2.2";
 const AUTHOR = "Sandeep Roy";
 
 const server = new McpServer(