speclock 5.2.3 → 5.2.5

package/package.json

@@ -2,7 +2,7 @@
 
   "name": "speclock",
 
-  "version": "5.2.3",
+  "version": "5.2.5",
 
   "description": "AI Constraint Engine — AI Patch Firewall. Diff-native review (interface breaks, protected symbols, dependency drift, schema changes, API impact), Patch Gateway (ALLOW/WARN/BLOCK verdicts), Spec Compiler (NL→constraints), Code Graph (blast radius, lock-to-file mapping), Typed constraints, REST API v2, Python SDK, ROS2 integration. 42 MCP tools, Gemini LLM hybrid, HMAC audit chain, RBAC, encryption, SOC 2/HIPAA compliance.",
 

package/src/cli/index.js

@@ -117,7 +117,7 @@ function refreshContext(root) {
 
 function printHelp() {
   console.log(`
-SpecLock v5.2.3 — AI Constraint Engine (Spec Compiler + Code Graph + Typed Constraints + Python SDK + ROS2 + REST API v2 + Gemini LLM + Policy-as-Code + Auth + RBAC + Encryption)
+SpecLock v5.2.5 — AI Constraint Engine (Spec Compiler + Code Graph + Typed Constraints + Python SDK + ROS2 + REST API v2 + Gemini LLM + Policy-as-Code + Auth + RBAC + Encryption)
 Developed by Sandeep Roy (github.com/sgroy10)
 
 Usage: speclock <command> [options]

package/src/core/compliance.js

@@ -9,7 +9,7 @@
 import { readBrain, readEvents } from "./storage.js";
 import { verifyAuditChain } from "./audit.js";
 
-const VERSION = "5.2.3";
+const VERSION = "5.2.5";
 
 // PHI-related keywords for HIPAA filtering
 const PHI_KEYWORDS = [

package/src/core/semantics.js

@@ -91,7 +91,7 @@ export const SYNONYM_GROUPS = [
    "private key", "access key", "api secret", "api token",
    "credentials", "credential"],
   ["frontend", "frontend code", "client-side", "client side",
-   "browser", "react state", "ui component"],
+   "browser", "react state", "ui component", "ui"],
 
   // --- Dependencies ---
   ["dependency", "package", "library", "module", "import", "require",
@@ -118,9 +118,10 @@ export const SYNONYM_GROUPS = [
   ["financial records", "financial data", "accounting records",
    "ledger", "general ledger", "accounts"],
   ["trade", "trades", "executed trade", "trade record", "order",
-   "position", "portfolio"],
+   "position"],
+  ["portfolio", "holdings", "investment portfolio"],
   ["salary", "salaries", "payroll", "wages", "compensation",
-   "remuneration", "stipend"],
+   "remuneration", "stipend", "earnings", "ytd"],
   ["payment gateway", "payment provider", "payment processor",
    "payment service", "payment platform"],
   ["razorpay", "stripe", "paypal", "phonepe", "paytm", "ccavenue",
@@ -130,8 +131,9 @@ export const SYNONYM_GROUPS = [
   // --- IoT / firmware ---
   ["firmware", "firmware update", "ota", "over the air",
    "flash", "rom", "bios", "bootloader", "embedded software"],
-  ["device", "iot", "sensor", "actuator", "controller",
+  ["device", "iot", "controller",
    "microcontroller", "mcu", "plc", "edge device"],
+  ["sensor", "actuator", "probe", "detector"],
   ["signed", "unsigned", "verified", "unverified",
    "trusted", "untrusted", "certified", "uncertified"],
 
@@ -234,9 +236,10 @@ export const EUPHEMISM_MAP = {
   "thin out":       ["delete", "remove", "reduce"],
 
   // Modification euphemisms
-  "streamline":     ["remove", "simplify", "modify", "reduce"],
+  "streamline":     ["remove", "simplify", "modify", "reduce", "weaken", "bypass", "disable"],
   "optimize":       ["modify", "change", "remove", "reduce"],
   "modernize":      ["replace", "rewrite", "change"],
+  "reorganize":     ["modify", "change", "tamper", "alter"],
   "revamp":         ["replace", "rewrite", "change"],
   "overhaul":       ["replace", "rewrite", "change", "modify"],
   "refresh":        ["replace", "update", "change"],
@@ -446,6 +449,9 @@ export const CONCEPT_MAP = {
                         "accounting", "payment"],
   "wages":             ["salary", "payroll", "compensation", "financial records"],
   "compensation":      ["salary", "payroll", "wages", "financial records"],
+  "earnings":          ["salary", "payroll", "compensation", "income", "wages",
+                        "financial records"],
+  "ytd":               ["year to date", "payroll", "earnings", "salary"],
 
   // Payment providers (brand names → payment gateway concept + cross-references)
   "razorpay":          ["payment gateway", "payment processing", "payment",
@@ -737,26 +743,57 @@ export const CONCEPT_MAP = {
   "inspection timestamps": ["safety records", "maintenance dates", "compliance dates"],
 
   // Gaming / virtual economy
-  "virtual currency":  ["in-game currency", "game tokens", "game economy"],
+  "virtual currency":  ["in-game currency", "game tokens", "game economy",
+                        "currency distribution"],
+  "currency distribution": ["virtual currency", "game economy", "in-game currency",
+                        "game tokens"],
+  "game economy":      ["virtual currency", "in-game currency", "currency",
+                        "currency distribution", "virtual economy"],
+  "virtual economy":   ["virtual currency", "in-game currency", "game economy",
+                        "currency distribution", "game tokens"],
   "player data":       ["user data", "gamer data", "player records", "pii"],
   "player ips":        ["ip addresses", "pii", "player data", "network data"],
-  "cheat detection":   ["anti-cheat", "cheat prevention", "security", "game integrity"],
+  "cheat detection":   ["anti-cheat", "cheat prevention", "security",
+                        "game integrity", "anti-cheat system"],
+  "anti-cheat":        ["cheat detection", "cheat prevention", "game integrity",
+                        "anti-cheat system"],
 
   // Real estate / tenant screening
-  "background check":  ["tenant screening", "verification", "due diligence"],
+  "background check":  ["tenant screening", "verification", "due diligence",
+                        "screening"],
   "tenant screening":  ["background check", "credit check", "verification"],
 
+  // Insurance / claims
+  "denied claims":     ["claim decisions", "claims processing", "claim status"],
+  "claim decisions":   ["denied claims", "claims processing", "claim approvals"],
+  "claims processing": ["denied claims", "claim decisions", "claims pipeline"],
+
+  // Government / benefits
+  "denied applications": ["application decisions", "application processing",
+                        "benefits decisions"],
+
+  // Privacy / data protection
+  "privacy":           ["confidential", "pii", "personal data", "data protection",
+                        "restricted access"],
+  "confidential":      ["privacy", "private", "restricted", "pii", "data protection"],
+
   // Telecom / billing
   "call records":      ["cdr", "call data", "telecom records", "billing records"],
   "subscriber data":   ["customer data", "user data", "telecom records"],
+  "roaming":           ["telecom", "billing", "subscriber", "mobile charges",
+                        "roaming charges"],
+  "roaming charges":   ["billing", "telecom billing", "subscriber charges",
+                        "mobile charges"],
+  "location data":     ["subscriber data", "tracking data", "geolocation",
+                        "user location", "pii"],
 
   // Frontend frameworks (alternatives = change framework conflict)
-  "react":             ["frontend framework", "ui framework", "vue", "angular",
-                        "svelte", "sveltekit", "next.js", "nextjs"],
-  "vue":               ["frontend framework", "ui framework", "react", "angular",
-                        "svelte", "sveltekit", "nuxt"],
-  "vue 3":             ["frontend framework", "ui framework", "react", "angular",
-                        "svelte", "sveltekit", "nuxt", "vue"],
+  "react":             ["frontend framework", "ui framework", "frontend", "ui",
+                        "vue", "angular", "svelte", "sveltekit", "next.js", "nextjs"],
+  "vue":               ["frontend framework", "ui framework", "frontend", "ui",
+                        "react", "angular", "svelte", "sveltekit", "nuxt"],
+  "vue 3":             ["frontend framework", "ui framework", "frontend", "ui",
+                        "react", "angular", "svelte", "sveltekit", "nuxt", "vue"],
   "vue.js":            ["frontend framework", "ui framework", "react", "angular",
                         "svelte", "sveltekit", "nuxt", "vue"],
   "svelte":            ["frontend framework", "ui framework", "react", "vue",
@@ -775,6 +812,11 @@ export const CONCEPT_MAP = {
                         "ui framework", "next.js", "nuxt"],
   "ui framework":      ["frontend framework", "react", "vue", "angular",
                         "svelte", "sveltekit"],
+  "tech stack":        ["frontend framework", "backend framework", "react", "vue",
+                        "angular", "svelte", "express", "django", "technology stack"],
+  "technology stack":  ["tech stack", "frontend framework", "backend framework"],
+  "application framework": ["frontend framework", "backend framework", "react",
+                        "vue", "angular", "express", "django"],
 
   // Backend frameworks (alternatives = change backend conflict)
   "express":           ["backend framework", "fastify", "koa", "hapi", "nestjs"],
@@ -1018,6 +1060,15 @@ export function tokenize(text) {
     }
   }
 
+  // Split hyphenated tokens — "react-based" also adds "react", "based"
+  for (const w of [...rawWords]) {
+    if (w.includes('-')) {
+      for (const part of w.split('-')) {
+        if (part.length >= 2 && !rawWords.includes(part)) rawWords.push(part);
+      }
+    }
+  }
+
   // Basic plural normalization — add both singular and plural forms
   // so "databases" matches "database" and vice versa
   const words = [...rawWords];
@@ -1810,6 +1861,12 @@ export function scoreConflict({ actionText, lockText }) {
     [/\bmake\s+\w+\s+visible\b/i, "expose", "make ... visible"],
     [/\bmake\s+\w+\s+accessible\b/i, "expose", "make ... accessible"],
     [/\bmake\s+\w+\s+(?:data\s+)?public\b/i, "expose", "make ... public"],
+    // "streamline X detection/verification/authentication/checks" patterns
+    [/\bstreamline\s+\w+\s+detection\b/i, "weaken", "streamline ... detection"],
+    [/\bstreamline\s+\w+\s+detection\b/i, "disable", "streamline ... detection"],
+    [/\bstreamline\s+\w+\s+verification\b/i, "bypass", "streamline ... verification"],
+    [/\bstreamline\s+\w+\s+authentication\b/i, "weaken", "streamline ... authentication"],
+    [/\bstreamline\s+\w+\s+(?:check|checks)\b/i, "bypass", "streamline ... checks"],
   ];
   for (const [pattern, meaning, label] of SPLIT_PHRASE_PATTERNS) {
     if (pattern.test(actionText) && lockExpanded.expanded.includes(meaning)) {
@@ -2234,6 +2291,12 @@ export function scoreConflict({ actionText, lockText }) {
       intentAligned = true;
       reasons.push("intent alignment: optimizing queries/performance is non-destructive — does not modify locked schema/system");
     }
+
+    // Pattern 5: Adding database indexes (performance optimization, not schema modification)
+    if (!intentAligned && !_compoundDestructive && /\b(?:add|create)\s+(?:an?\s+)?index\b/i.test(_actionLowerSafe)) {
+      intentAligned = true;
+      reasons.push("intent alignment: adding a database index is a performance optimization — does not modify locked schema");
+    }
   }
 
   // Check 3c: Working WITH locked technology (not replacing it)
@@ -2391,10 +2454,18 @@ export function scoreConflict({ actionText, lockText }) {
       "placeholder", "logo", "banner", "hero", "avatar",
       "sidebar", "navigation", "menu", "breadcrumb", "footer",
     ]);
-    if (!intentAligned && !hasStrongVocabMatch) {
+    // Guard: structural verbs (redesign, overhaul, rewrite) targeting a locked component
+    // are NOT cosmetic — "Redesign the checkout page with a new layout" is a real change
+    // to the checkout flow, even though "layout" is a cosmetic word.
+    const _structuralVerbs = /\b(?:redesign|overhaul|restructure|rebuild|rewrite|rearchitect|revamp)\b/i;
+    const _hasStructuralVerbWithOverlap = _structuralVerbs.test(actionText) && directOverlap.length >= 1;
+    if (!intentAligned && !hasStrongVocabMatch && !_hasStructuralVerbWithOverlap) {
       const actionLower = actionText.toLowerCase();
       const actionWords = actionLower.split(/\s+/).map(w => w.replace(/[^a-z]/g, ""));
-      const hasUISubject = actionWords.some(w => UI_COSMETIC_WORDS.has(w));
+      // Guard: "background" in "background check/screening/process" is NOT cosmetic CSS
+      const _hasNonCosmeticBackground = /\bbackground\s+(?:check|screening|investigation|process|task|job|worker|service)\b/i.test(actionLower);
+      const hasUISubject = actionWords.some(w =>
+        UI_COSMETIC_WORDS.has(w) && !(w === "background" && _hasNonCosmeticBackground));
       if (hasUISubject) {
         intentAligned = true;
         reasons.push(

package/src/dashboard/index.html

@@ -89,7 +89,7 @@
 <div class="header">
   <div>
     <h1><span>SpecLock</span> Dashboard</h1>
-    <div class="meta">v5.2.3 &mdash; AI Constraint Engine</div>
+    <div class="meta">v5.2.5 &mdash; AI Constraint Engine</div>
   </div>
   <div style="display:flex;align-items:center;gap:12px;">
     <span id="health-badge" class="status-badge healthy">Loading...</span>
@@ -182,7 +182,7 @@
 </div>
 
 <div style="text-align:center;padding:24px;color:var(--muted);font-size:12px;">
-  SpecLock v5.2.3 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
+  SpecLock v5.2.5 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
 </div>
 
 <script>

package/src/mcp/http-server.js

@@ -113,7 +113,7 @@ import { fileURLToPath } from "url";
 import _path from "path";
 
 const PROJECT_ROOT = process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
-const VERSION = "5.2.3";
+const VERSION = "5.2.5";
 const AUTHOR = "Sandeep Roy";
 const START_TIME = Date.now();
 

package/src/mcp/server.js

@@ -120,7 +120,7 @@ const PROJECT_ROOT =
   args.project || process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
 
 // --- MCP Server ---
-const VERSION = "5.2.3";
+const VERSION = "5.2.5";
 const AUTHOR = "Sandeep Roy";
 
 const server = new McpServer(