speclock 5.2.5 → 5.2.6

package/package.json

@@ -2,7 +2,7 @@
 
   "name": "speclock",
 
-  "version": "5.2.5",
+  "version": "5.2.6",
 
   "description": "AI Constraint Engine — AI Patch Firewall. Diff-native review (interface breaks, protected symbols, dependency drift, schema changes, API impact), Patch Gateway (ALLOW/WARN/BLOCK verdicts), Spec Compiler (NL→constraints), Code Graph (blast radius, lock-to-file mapping), Typed constraints, REST API v2, Python SDK, ROS2 integration. 42 MCP tools, Gemini LLM hybrid, HMAC audit chain, RBAC, encryption, SOC 2/HIPAA compliance.",
 

package/src/cli/index.js

@@ -117,7 +117,7 @@ function refreshContext(root) {
 
 function printHelp() {
   console.log(`
-SpecLock v5.2.5 — AI Constraint Engine (Spec Compiler + Code Graph + Typed Constraints + Python SDK + ROS2 + REST API v2 + Gemini LLM + Policy-as-Code + Auth + RBAC + Encryption)
+SpecLock v5.2.6 — AI Constraint Engine (Spec Compiler + Code Graph + Typed Constraints + Python SDK + ROS2 + REST API v2 + Gemini LLM + Policy-as-Code + Auth + RBAC + Encryption)
 Developed by Sandeep Roy (github.com/sgroy10)
 
 Usage: speclock <command> [options]

package/src/core/compliance.js

@@ -9,7 +9,7 @@
 import { readBrain, readEvents } from "./storage.js";
 import { verifyAuditChain } from "./audit.js";
 
-const VERSION = "5.2.5";
+const VERSION = "5.2.6";
 
 // PHI-related keywords for HIPAA filtering
 const PHI_KEYWORDS = [

package/src/core/semantics.js

@@ -2297,6 +2297,39 @@ export function scoreConflict({ actionText, lockText }) {
       intentAligned = true;
       reasons.push("intent alignment: adding a database index is a performance optimization — does not modify locked schema");
     }
+
+    // Pattern 6: Technology maintenance/refactoring vs exposure/secrets locks
+    // "Refactor React component file structure" vs "never expose API keys in frontend code" → safe
+    // "Update React Router to v7" vs "never expose API keys in frontend code" → safe
+    // But: "Expose React state to window" → action mentions "expos" → NOT safe
+    // But: "Add API key to React config" → action mentions "api key" → NOT safe
+    // But: "Update endpoint to include email" vs "never expose email" → direct subject overlap → NOT safe
+    // Root cause: concept map links react→frontend, matching "frontend" in exposure lock.
+    // Fix: constructive tech verbs against exposure locks are safe when action doesn't touch secrets
+    // AND there's no direct subject overlap (overlap is only through concept map expansion).
+    if (!intentAligned && !_compoundDestructive) {
+      const _isMaintenanceAction = /\b(?:refactor|restructure|reorganize|update|upgrade|bump|install|configure|optimize|improve|enhance|test|debug|fix|review|clean|format|lint|style|document|migrate)\b/i.test(_actionLowerSafe);
+      const _lockMentionsExposure = /\b(?:expos(?:e|ed|es|ing)?|leak(?:s|ed|ing)?|secrets?|credentials?|api.?keys?|passwords?|tokens?|sensitive)\b/i.test(lockText);
+      const _actionMentionsExposure = /\b(?:expos(?:e|ed|es|ing)?|leak(?:s|ed|ing)?|secrets?|credentials?|api.?keys?|passwords?|tokens?|sensitive|plain.?text|unencrypt)\b/i.test(_actionLowerSafe);
+      // Guard: check for direct subject overlap between action and lock.
+      // If the action directly mentions the lock's protected subjects (not via concept map),
+      // Pattern 6 should not apply — the action touches the lock's domain.
+      const _p6Exclude = /^(?:expos(?:e[ds]?|ing)?|leak(?:s|ed|ing)?|secrets?|credentials?|passwords?|tokens?|sensitive|never|must|should|always|code|dont|does|through|from|with|into|that|this)$/;
+      const _lockSubjects = lockText.toLowerCase()
+        .split(/[\s,]+/)
+        .map(w => w.replace(/[^a-z0-9]/g, ''))
+        .filter(w => w.length > 3 && !_p6Exclude.test(w));
+      const _actionWords6 = new Set(
+        _actionLowerSafe.split(/[\s,]+/)
+          .map(w => w.replace(/[^a-z0-9]/g, ''))
+          .filter(w => w.length > 3)
+      );
+      const _directSubjectOverlap = _lockSubjects.some(w => _actionWords6.has(w));
+      if (_isMaintenanceAction && _lockMentionsExposure && !_actionMentionsExposure && !_directSubjectOverlap) {
+        intentAligned = true;
+        reasons.push("intent alignment: technology maintenance action does not involve secrets/exposure — safe against exposure lock");
+      }
+    }
   }
 
   // Check 3c: Working WITH locked technology (not replacing it)

package/src/dashboard/index.html

@@ -89,7 +89,7 @@
 <div class="header">
   <div>
     <h1><span>SpecLock</span> Dashboard</h1>
-    <div class="meta">v5.2.5 &mdash; AI Constraint Engine</div>
+    <div class="meta">v5.2.6 &mdash; AI Constraint Engine</div>
   </div>
   <div style="display:flex;align-items:center;gap:12px;">
     <span id="health-badge" class="status-badge healthy">Loading...</span>
@@ -182,7 +182,7 @@
 </div>
 
 <div style="text-align:center;padding:24px;color:var(--muted);font-size:12px;">
-  SpecLock v5.2.5 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
+  SpecLock v5.2.6 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
 </div>
 
 <script>

package/src/mcp/http-server.js

@@ -113,7 +113,7 @@ import { fileURLToPath } from "url";
 import _path from "path";
 
 const PROJECT_ROOT = process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
-const VERSION = "5.2.5";
+const VERSION = "5.2.6";
 const AUTHOR = "Sandeep Roy";
 const START_TIME = Date.now();
 

package/src/mcp/server.js

@@ -120,7 +120,7 @@ const PROJECT_ROOT =
   args.project || process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
 
 // --- MCP Server ---
-const VERSION = "5.2.5";
+const VERSION = "5.2.6";
 const AUTHOR = "Sandeep Roy";
 
 const server = new McpServer(