npm - speclock - Versions diffs - 5.2.2 → 5.2.4 - Mend

speclock 5.2.2 → 5.2.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/package.json CHANGED Viewed

@@ -2,7 +2,7 @@
   "name": "speclock",
-  "version": "5.2.2",
+  "version": "5.2.4",
   "description": "AI Constraint Engine — AI Patch Firewall. Diff-native review (interface breaks, protected symbols, dependency drift, schema changes, API impact), Patch Gateway (ALLOW/WARN/BLOCK verdicts), Spec Compiler (NL→constraints), Code Graph (blast radius, lock-to-file mapping), Typed constraints, REST API v2, Python SDK, ROS2 integration. 42 MCP tools, Gemini LLM hybrid, HMAC audit chain, RBAC, encryption, SOC 2/HIPAA compliance.",

package/src/cli/index.js CHANGED Viewed

@@ -117,7 +117,7 @@ function refreshContext(root) {
 function printHelp() {
   console.log(`
-SpecLock v5.2.2 — AI Constraint Engine (Spec Compiler + Code Graph + Typed Constraints + Python SDK + ROS2 + REST API v2 + Gemini LLM + Policy-as-Code + Auth + RBAC + Encryption)
+SpecLock v5.2.4 — AI Constraint Engine (Spec Compiler + Code Graph + Typed Constraints + Python SDK + ROS2 + REST API v2 + Gemini LLM + Policy-as-Code + Auth + RBAC + Encryption)
 Developed by Sandeep Roy (github.com/sgroy10)
 Usage: speclock <command> [options]

package/src/core/compliance.js CHANGED Viewed

@@ -9,7 +9,7 @@
 import { readBrain, readEvents } from "./storage.js";
 import { verifyAuditChain } from "./audit.js";
-const VERSION = "5.2.2";
+const VERSION = "5.2.4";
 // PHI-related keywords for HIPAA filtering
 const PHI_KEYWORDS = [

package/src/core/semantics.js CHANGED Viewed

@@ -118,9 +118,10 @@ export const SYNONYM_GROUPS = [
   ["financial records", "financial data", "accounting records",
    "ledger", "general ledger", "accounts"],
   ["trade", "trades", "executed trade", "trade record", "order",
-   "position", "portfolio"],
+   "position"],
+  ["portfolio", "holdings", "investment portfolio"],
   ["salary", "salaries", "payroll", "wages", "compensation",
-   "remuneration", "stipend"],
+   "remuneration", "stipend", "earnings", "ytd"],
   ["payment gateway", "payment provider", "payment processor",
    "payment service", "payment platform"],
   ["razorpay", "stripe", "paypal", "phonepe", "paytm", "ccavenue",
@@ -130,8 +131,9 @@ export const SYNONYM_GROUPS = [
   // --- IoT / firmware ---
   ["firmware", "firmware update", "ota", "over the air",
    "flash", "rom", "bios", "bootloader", "embedded software"],
-  ["device", "iot", "sensor", "actuator", "controller",
+  ["device", "iot", "controller",
    "microcontroller", "mcu", "plc", "edge device"],
+  ["sensor", "actuator", "probe", "detector"],
   ["signed", "unsigned", "verified", "unverified",
    "trusted", "untrusted", "certified", "uncertified"],
@@ -234,7 +236,7 @@ export const EUPHEMISM_MAP = {
   "thin out":       ["delete", "remove", "reduce"],
   // Modification euphemisms
-  "streamline":     ["remove", "simplify", "modify", "reduce"],
+  "streamline":     ["remove", "simplify", "modify", "reduce", "weaken", "bypass", "disable"],
   "optimize":       ["modify", "change", "remove", "reduce"],
   "modernize":      ["replace", "rewrite", "change"],
   "revamp":         ["replace", "rewrite", "change"],
@@ -446,6 +448,9 @@ export const CONCEPT_MAP = {
                         "accounting", "payment"],
   "wages":             ["salary", "payroll", "compensation", "financial records"],
   "compensation":      ["salary", "payroll", "wages", "financial records"],
+  "earnings":          ["salary", "payroll", "compensation", "income", "wages",
+                        "financial records"],
+  "ytd":               ["year to date", "payroll", "earnings", "salary"],
   // Payment providers (brand names → payment gateway concept + cross-references)
   "razorpay":          ["payment gateway", "payment processing", "payment",
@@ -737,18 +742,81 @@ export const CONCEPT_MAP = {
   "inspection timestamps": ["safety records", "maintenance dates", "compliance dates"],
   // Gaming / virtual economy
-  "virtual currency":  ["in-game currency", "game tokens", "game economy"],
+  "virtual currency":  ["in-game currency", "game tokens", "game economy",
+                        "currency distribution"],
+  "currency distribution": ["virtual currency", "game economy", "in-game currency",
+                        "game tokens"],
+  "game economy":      ["virtual currency", "in-game currency", "currency",
+                        "currency distribution", "virtual economy"],
+  "virtual economy":   ["virtual currency", "in-game currency", "game economy",
+                        "currency distribution", "game tokens"],
   "player data":       ["user data", "gamer data", "player records", "pii"],
   "player ips":        ["ip addresses", "pii", "player data", "network data"],
-  "cheat detection":   ["anti-cheat", "cheat prevention", "security", "game integrity"],
+  "cheat detection":   ["anti-cheat", "cheat prevention", "security",
+                        "game integrity", "anti-cheat system"],
+  "anti-cheat":        ["cheat detection", "cheat prevention", "game integrity",
+                        "anti-cheat system"],
   // Real estate / tenant screening
-  "background check":  ["tenant screening", "verification", "due diligence"],
+  "background check":  ["tenant screening", "verification", "due diligence",
+                        "screening"],
   "tenant screening":  ["background check", "credit check", "verification"],
+  // Insurance / claims
+  "denied claims":     ["claim decisions", "claims processing", "claim status"],
+  "claim decisions":   ["denied claims", "claims processing", "claim approvals"],
+  "claims processing": ["denied claims", "claim decisions", "claims pipeline"],
+  // Government / benefits
+  "denied applications": ["application decisions", "application processing",
+                        "benefits decisions"],
   // Telecom / billing
   "call records":      ["cdr", "call data", "telecom records", "billing records"],
   "subscriber data":   ["customer data", "user data", "telecom records"],
+  "roaming":           ["telecom", "billing", "subscriber", "mobile charges",
+                        "roaming charges"],
+  "roaming charges":   ["billing", "telecom billing", "subscriber charges",
+                        "mobile charges"],
+  "location data":     ["subscriber data", "tracking data", "geolocation",
+                        "user location", "pii"],
+  // Frontend frameworks (alternatives = change framework conflict)
+  "react":             ["frontend framework", "ui framework", "vue", "angular",
+                        "svelte", "sveltekit", "next.js", "nextjs"],
+  "vue":               ["frontend framework", "ui framework", "react", "angular",
+                        "svelte", "sveltekit", "nuxt"],
+  "vue 3":             ["frontend framework", "ui framework", "react", "angular",
+                        "svelte", "sveltekit", "nuxt", "vue"],
+  "vue.js":            ["frontend framework", "ui framework", "react", "angular",
+                        "svelte", "sveltekit", "nuxt", "vue"],
+  "svelte":            ["frontend framework", "ui framework", "react", "vue",
+                        "angular", "sveltekit"],
+  "sveltekit":         ["frontend framework", "ui framework", "react", "vue",
+                        "angular", "svelte", "next.js", "nuxt"],
+  "angular":           ["frontend framework", "ui framework", "react", "vue",
+                        "svelte", "sveltekit"],
+  "next.js":           ["frontend framework", "ui framework", "react", "nuxt",
+                        "sveltekit", "nextjs"],
+  "nextjs":            ["frontend framework", "ui framework", "react", "nuxt",
+                        "sveltekit", "next.js"],
+  "nuxt":              ["frontend framework", "ui framework", "vue", "next.js",
+                        "nextjs", "sveltekit"],
+  "frontend framework":["react", "vue", "angular", "svelte", "sveltekit",
+                        "ui framework", "next.js", "nuxt"],
+  "ui framework":      ["frontend framework", "react", "vue", "angular",
+                        "svelte", "sveltekit"],
+  // Backend frameworks (alternatives = change backend conflict)
+  "express":           ["backend framework", "fastify", "koa", "hapi", "nestjs"],
+  "fastify":           ["backend framework", "express", "koa", "hapi", "nestjs"],
+  "django":            ["backend framework", "flask", "fastapi", "rails"],
+  "flask":             ["backend framework", "django", "fastapi"],
+  "fastapi":           ["backend framework", "django", "flask"],
+  "rails":             ["backend framework", "django", "laravel", "ruby on rails"],
+  "laravel":           ["backend framework", "rails", "django", "symfony"],
+  "spring":            ["backend framework", "spring boot", "java framework"],
+  "nestjs":            ["backend framework", "express", "fastify"],
 };
 // ===================================================================
@@ -1773,6 +1841,12 @@ export function scoreConflict({ actionText, lockText }) {
     [/\bmake\s+\w+\s+visible\b/i, "expose", "make ... visible"],
     [/\bmake\s+\w+\s+accessible\b/i, "expose", "make ... accessible"],
     [/\bmake\s+\w+\s+(?:data\s+)?public\b/i, "expose", "make ... public"],
+    // "streamline X detection/verification/authentication/checks" patterns
+    [/\bstreamline\s+\w+\s+detection\b/i, "weaken", "streamline ... detection"],
+    [/\bstreamline\s+\w+\s+detection\b/i, "disable", "streamline ... detection"],
+    [/\bstreamline\s+\w+\s+verification\b/i, "bypass", "streamline ... verification"],
+    [/\bstreamline\s+\w+\s+authentication\b/i, "weaken", "streamline ... authentication"],
+    [/\bstreamline\s+\w+\s+(?:check|checks)\b/i, "bypass", "streamline ... checks"],
   ];
   for (const [pattern, meaning, label] of SPLIT_PHRASE_PATTERNS) {
     if (pattern.test(actionText) && lockExpanded.expanded.includes(meaning)) {
@@ -2160,6 +2234,51 @@ export function scoreConflict({ actionText, lockText }) {
     }
   }
+  // Check 3d: Non-destructive sub-activities against ANY prohibitive lock
+  // These patterns are inherently safe regardless of subject overlap:
+  // "Write tests for X" → testing never modifies the system
+  // "Update X library version" → version bumps are maintenance
+  // "Add validation to X" → adding safety checks is constructive
+  // "Optimize X queries/performance" → performance tuning ≠ schema change
+  //
+  // GUARD: compound sentences may hide destructive ops behind safe prefixes.
+  // "Optimize DB performance by moving data to unencrypted replica" is NOT safe.
+  // Skip safe-intent if text also contains clearly destructive/insecure content.
+  if (!intentAligned && lockIsProhibitive) {
+    const _actionLowerSafe = actionText.toLowerCase();
+    const _compoundDestructive = /\b(?:unencrypted|plaintext|without\s+encryption|without\s+auth|unsigned|untrusted|insecure|delet(?:e|ing)|remov(?:e|ing)|drop(?:ping)?|destroy|purg(?:e|ing)|wip(?:e|ing)|eras(?:e|ing)|bypass|disabl(?:e|ing)|expos(?:e|ing)|leak|truncat(?:e|ing)|nuk(?:e|ing))\b/i.test(_actionLowerSafe);
+    // Pattern 1: Writing/creating/running tests
+    if (!_compoundDestructive && /\b(?:write|create|add|run)\s+(?:unit\s+|integration\s+|e2e\s+|end-to-end\s+)?tests?\b/i.test(_actionLowerSafe)) {
+      intentAligned = true;
+      reasons.push("intent alignment: writing/running tests is non-destructive — does not modify locked system");
+    }
+    // Pattern 2: Updating library/client/package version
+    if (!intentAligned && !_compoundDestructive && /\b(?:update|upgrade|bump)\s+\S+\s+(?:library|client|package|dependency|sdk|version)\b/i.test(_actionLowerSafe)) {
+      intentAligned = true;
+      reasons.push("intent alignment: updating library/client version is maintenance — does not modify locked system");
+    }
+    // Pattern 3: Adding validation/sanitization (safety improvement)
+    if (!intentAligned && !_compoundDestructive && /\b(?:add|implement|create)\s+(?:input\s+)?(?:validation|sanitization|sanitizing|input\s+checks?)\b/i.test(_actionLowerSafe)) {
+      intentAligned = true;
+      reasons.push("intent alignment: adding validation/sanitization is a safety improvement — does not modify locked system");
+    }
+    // Pattern 4: Optimizing queries/performance (non-structural)
+    if (!intentAligned && !_compoundDestructive && /\boptimize\s+\S+\s+(?:query|queries|performance|speed|latency|throughput)\b/i.test(_actionLowerSafe)) {
+      intentAligned = true;
+      reasons.push("intent alignment: optimizing queries/performance is non-destructive — does not modify locked schema/system");
+    }
+    // Pattern 5: Adding database indexes (performance optimization, not schema modification)
+    if (!intentAligned && !_compoundDestructive && /\b(?:add|create)\s+(?:an?\s+)?index\b/i.test(_actionLowerSafe)) {
+      intentAligned = true;
+      reasons.push("intent alignment: adding a database index is a performance optimization — does not modify locked schema");
+    }
+  }
   // Check 3c: Working WITH locked technology (not replacing it)
   // "Update the Stripe UI components" vs "must always use Stripe" → working WITH Stripe → safe
   // "Update the Stripe payment UI" vs "Stripe API keys must never be exposed" → different subject → safe
@@ -2315,7 +2434,12 @@ export function scoreConflict({ actionText, lockText }) {
       "placeholder", "logo", "banner", "hero", "avatar",
       "sidebar", "navigation", "menu", "breadcrumb", "footer",
     ]);
-    if (!intentAligned && !hasStrongVocabMatch) {
+    // Guard: structural verbs (redesign, overhaul, rewrite) targeting a locked component
+    // are NOT cosmetic — "Redesign the checkout page with a new layout" is a real change
+    // to the checkout flow, even though "layout" is a cosmetic word.
+    const _structuralVerbs = /\b(?:redesign|overhaul|restructure|rebuild|rewrite|rearchitect|revamp)\b/i;
+    const _hasStructuralVerbWithOverlap = _structuralVerbs.test(actionText) && directOverlap.length >= 1;
+    if (!intentAligned && !hasStrongVocabMatch && !_hasStructuralVerbWithOverlap) {
       const actionLower = actionText.toLowerCase();
       const actionWords = actionLower.split(/\s+/).map(w => w.replace(/[^a-z]/g, ""));
       const hasUISubject = actionWords.some(w => UI_COSMETIC_WORDS.has(w));
@@ -2407,6 +2531,7 @@ const QUESTION_PREFIXES = [
   /^is\s+(?:it\s+)?(?:a\s+)?(?:good\s+idea\s+)?(?:to\s+)?/i,
   /^let\s+me\s+/i,
   /^we\s+should\s+(?:probably\s+)?(?:consider\s+)?(?:look\s+at\s+)?/i,
+  /^how\s+hard\s+(?:would|will|could)\s+it\s+be\s+to\s+/i,
   /^explore\s+(?:using\s+)?/i,
 ];

package/src/dashboard/index.html CHANGED Viewed

@@ -89,7 +89,7 @@
 <div class="header">
   <div>
     <h1><span>SpecLock</span> Dashboard</h1>
-    <div class="meta">v5.2.2 &mdash; AI Constraint Engine</div>
+    <div class="meta">v5.2.4 &mdash; AI Constraint Engine</div>
   </div>
   <div style="display:flex;align-items:center;gap:12px;">
     <span id="health-badge" class="status-badge healthy">Loading...</span>
@@ -182,7 +182,7 @@
 </div>
 <div style="text-align:center;padding:24px;color:var(--muted);font-size:12px;">
-  SpecLock v5.2.2 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
+  SpecLock v5.2.4 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
 </div>
 <script>

package/src/mcp/http-server.js CHANGED Viewed

@@ -113,7 +113,7 @@ import { fileURLToPath } from "url";
 import _path from "path";
 const PROJECT_ROOT = process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
-const VERSION = "5.2.2";
+const VERSION = "5.2.4";
 const AUTHOR = "Sandeep Roy";
 const START_TIME = Date.now();

package/src/mcp/server.js CHANGED Viewed

@@ -120,7 +120,7 @@ const PROJECT_ROOT =
   args.project || process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
 // --- MCP Server ---
-const VERSION = "5.2.2";
+const VERSION = "5.2.4";
 const AUTHOR = "Sandeep Roy";
 const server = new McpServer(