speclock 5.2.4 → 5.2.6

package/package.json

@@ -2,7 +2,7 @@
 
   "name": "speclock",
 
-  "version": "5.2.4",
+  "version": "5.2.6",
 
   "description": "AI Constraint Engine — AI Patch Firewall. Diff-native review (interface breaks, protected symbols, dependency drift, schema changes, API impact), Patch Gateway (ALLOW/WARN/BLOCK verdicts), Spec Compiler (NL→constraints), Code Graph (blast radius, lock-to-file mapping), Typed constraints, REST API v2, Python SDK, ROS2 integration. 42 MCP tools, Gemini LLM hybrid, HMAC audit chain, RBAC, encryption, SOC 2/HIPAA compliance.",
 

package/src/cli/index.js

@@ -117,7 +117,7 @@ function refreshContext(root) {
 
 function printHelp() {
   console.log(`
-SpecLock v5.2.4 — AI Constraint Engine (Spec Compiler + Code Graph + Typed Constraints + Python SDK + ROS2 + REST API v2 + Gemini LLM + Policy-as-Code + Auth + RBAC + Encryption)
+SpecLock v5.2.6 — AI Constraint Engine (Spec Compiler + Code Graph + Typed Constraints + Python SDK + ROS2 + REST API v2 + Gemini LLM + Policy-as-Code + Auth + RBAC + Encryption)
 Developed by Sandeep Roy (github.com/sgroy10)
 
 Usage: speclock <command> [options]

package/src/core/compliance.js

@@ -9,7 +9,7 @@
 import { readBrain, readEvents } from "./storage.js";
 import { verifyAuditChain } from "./audit.js";
 
-const VERSION = "5.2.4";
+const VERSION = "5.2.6";
 
 // PHI-related keywords for HIPAA filtering
 const PHI_KEYWORDS = [

package/src/core/semantics.js

@@ -91,7 +91,7 @@ export const SYNONYM_GROUPS = [
    "private key", "access key", "api secret", "api token",
    "credentials", "credential"],
   ["frontend", "frontend code", "client-side", "client side",
-   "browser", "react state", "ui component"],
+   "browser", "react state", "ui component", "ui"],
 
   // --- Dependencies ---
   ["dependency", "package", "library", "module", "import", "require",
@@ -239,6 +239,7 @@ export const EUPHEMISM_MAP = {
   "streamline":     ["remove", "simplify", "modify", "reduce", "weaken", "bypass", "disable"],
   "optimize":       ["modify", "change", "remove", "reduce"],
   "modernize":      ["replace", "rewrite", "change"],
+  "reorganize":     ["modify", "change", "tamper", "alter"],
   "revamp":         ["replace", "rewrite", "change"],
   "overhaul":       ["replace", "rewrite", "change", "modify"],
   "refresh":        ["replace", "update", "change"],
@@ -771,6 +772,11 @@ export const CONCEPT_MAP = {
   "denied applications": ["application decisions", "application processing",
                         "benefits decisions"],
 
+  // Privacy / data protection
+  "privacy":           ["confidential", "pii", "personal data", "data protection",
+                        "restricted access"],
+  "confidential":      ["privacy", "private", "restricted", "pii", "data protection"],
+
   // Telecom / billing
   "call records":      ["cdr", "call data", "telecom records", "billing records"],
   "subscriber data":   ["customer data", "user data", "telecom records"],
@@ -782,12 +788,12 @@ export const CONCEPT_MAP = {
                         "user location", "pii"],
 
   // Frontend frameworks (alternatives = change framework conflict)
-  "react":             ["frontend framework", "ui framework", "vue", "angular",
-                        "svelte", "sveltekit", "next.js", "nextjs"],
-  "vue":               ["frontend framework", "ui framework", "react", "angular",
-                        "svelte", "sveltekit", "nuxt"],
-  "vue 3":             ["frontend framework", "ui framework", "react", "angular",
-                        "svelte", "sveltekit", "nuxt", "vue"],
+  "react":             ["frontend framework", "ui framework", "frontend", "ui",
+                        "vue", "angular", "svelte", "sveltekit", "next.js", "nextjs"],
+  "vue":               ["frontend framework", "ui framework", "frontend", "ui",
+                        "react", "angular", "svelte", "sveltekit", "nuxt"],
+  "vue 3":             ["frontend framework", "ui framework", "frontend", "ui",
+                        "react", "angular", "svelte", "sveltekit", "nuxt", "vue"],
   "vue.js":            ["frontend framework", "ui framework", "react", "angular",
                         "svelte", "sveltekit", "nuxt", "vue"],
   "svelte":            ["frontend framework", "ui framework", "react", "vue",
@@ -806,6 +812,11 @@ export const CONCEPT_MAP = {
                         "ui framework", "next.js", "nuxt"],
   "ui framework":      ["frontend framework", "react", "vue", "angular",
                         "svelte", "sveltekit"],
+  "tech stack":        ["frontend framework", "backend framework", "react", "vue",
+                        "angular", "svelte", "express", "django", "technology stack"],
+  "technology stack":  ["tech stack", "frontend framework", "backend framework"],
+  "application framework": ["frontend framework", "backend framework", "react",
+                        "vue", "angular", "express", "django"],
 
   // Backend frameworks (alternatives = change backend conflict)
   "express":           ["backend framework", "fastify", "koa", "hapi", "nestjs"],
@@ -1049,6 +1060,15 @@ export function tokenize(text) {
     }
   }
 
+  // Split hyphenated tokens — "react-based" also adds "react", "based"
+  for (const w of [...rawWords]) {
+    if (w.includes('-')) {
+      for (const part of w.split('-')) {
+        if (part.length >= 2 && !rawWords.includes(part)) rawWords.push(part);
+      }
+    }
+  }
+
   // Basic plural normalization — add both singular and plural forms
   // so "databases" matches "database" and vice versa
   const words = [...rawWords];
@@ -2277,6 +2297,39 @@ export function scoreConflict({ actionText, lockText }) {
       intentAligned = true;
       reasons.push("intent alignment: adding a database index is a performance optimization — does not modify locked schema");
     }
+
+    // Pattern 6: Technology maintenance/refactoring vs exposure/secrets locks
+    // "Refactor React component file structure" vs "never expose API keys in frontend code" → safe
+    // "Update React Router to v7" vs "never expose API keys in frontend code" → safe
+    // But: "Expose React state to window" → action mentions "expos" → NOT safe
+    // But: "Add API key to React config" → action mentions "api key" → NOT safe
+    // But: "Update endpoint to include email" vs "never expose email" → direct subject overlap → NOT safe
+    // Root cause: concept map links react→frontend, matching "frontend" in exposure lock.
+    // Fix: constructive tech verbs against exposure locks are safe when action doesn't touch secrets
+    // AND there's no direct subject overlap (overlap is only through concept map expansion).
+    if (!intentAligned && !_compoundDestructive) {
+      const _isMaintenanceAction = /\b(?:refactor|restructure|reorganize|update|upgrade|bump|install|configure|optimize|improve|enhance|test|debug|fix|review|clean|format|lint|style|document|migrate)\b/i.test(_actionLowerSafe);
+      const _lockMentionsExposure = /\b(?:expos(?:e|ed|es|ing)?|leak(?:s|ed|ing)?|secrets?|credentials?|api.?keys?|passwords?|tokens?|sensitive)\b/i.test(lockText);
+      const _actionMentionsExposure = /\b(?:expos(?:e|ed|es|ing)?|leak(?:s|ed|ing)?|secrets?|credentials?|api.?keys?|passwords?|tokens?|sensitive|plain.?text|unencrypt)\b/i.test(_actionLowerSafe);
+      // Guard: check for direct subject overlap between action and lock.
+      // If the action directly mentions the lock's protected subjects (not via concept map),
+      // Pattern 6 should not apply — the action touches the lock's domain.
+      const _p6Exclude = /^(?:expos(?:e[ds]?|ing)?|leak(?:s|ed|ing)?|secrets?|credentials?|passwords?|tokens?|sensitive|never|must|should|always|code|dont|does|through|from|with|into|that|this)$/;
+      const _lockSubjects = lockText.toLowerCase()
+        .split(/[\s,]+/)
+        .map(w => w.replace(/[^a-z0-9]/g, ''))
+        .filter(w => w.length > 3 && !_p6Exclude.test(w));
+      const _actionWords6 = new Set(
+        _actionLowerSafe.split(/[\s,]+/)
+          .map(w => w.replace(/[^a-z0-9]/g, ''))
+          .filter(w => w.length > 3)
+      );
+      const _directSubjectOverlap = _lockSubjects.some(w => _actionWords6.has(w));
+      if (_isMaintenanceAction && _lockMentionsExposure && !_actionMentionsExposure && !_directSubjectOverlap) {
+        intentAligned = true;
+        reasons.push("intent alignment: technology maintenance action does not involve secrets/exposure — safe against exposure lock");
+      }
+    }
   }
 
   // Check 3c: Working WITH locked technology (not replacing it)
@@ -2442,7 +2495,10 @@ export function scoreConflict({ actionText, lockText }) {
     if (!intentAligned && !hasStrongVocabMatch && !_hasStructuralVerbWithOverlap) {
       const actionLower = actionText.toLowerCase();
       const actionWords = actionLower.split(/\s+/).map(w => w.replace(/[^a-z]/g, ""));
-      const hasUISubject = actionWords.some(w => UI_COSMETIC_WORDS.has(w));
+      // Guard: "background" in "background check/screening/process" is NOT cosmetic CSS
+      const _hasNonCosmeticBackground = /\bbackground\s+(?:check|screening|investigation|process|task|job|worker|service)\b/i.test(actionLower);
+      const hasUISubject = actionWords.some(w =>
+        UI_COSMETIC_WORDS.has(w) && !(w === "background" && _hasNonCosmeticBackground));
       if (hasUISubject) {
         intentAligned = true;
         reasons.push(

package/src/dashboard/index.html

@@ -89,7 +89,7 @@
 <div class="header">
   <div>
     <h1><span>SpecLock</span> Dashboard</h1>
-    <div class="meta">v5.2.4 &mdash; AI Constraint Engine</div>
+    <div class="meta">v5.2.6 &mdash; AI Constraint Engine</div>
   </div>
   <div style="display:flex;align-items:center;gap:12px;">
     <span id="health-badge" class="status-badge healthy">Loading...</span>
@@ -182,7 +182,7 @@
 </div>
 
 <div style="text-align:center;padding:24px;color:var(--muted);font-size:12px;">
-  SpecLock v5.2.4 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
+  SpecLock v5.2.6 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
 </div>
 
 <script>

package/src/mcp/http-server.js

@@ -113,7 +113,7 @@ import { fileURLToPath } from "url";
 import _path from "path";
 
 const PROJECT_ROOT = process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
-const VERSION = "5.2.4";
+const VERSION = "5.2.6";
 const AUTHOR = "Sandeep Roy";
 const START_TIME = Date.now();
 

package/src/mcp/server.js

@@ -120,7 +120,7 @@ const PROJECT_ROOT =
   args.project || process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
 
 // --- MCP Server ---
-const VERSION = "5.2.4";
+const VERSION = "5.2.6";
 const AUTHOR = "Sandeep Roy";
 
 const server = new McpServer(