speclock 5.3.1 → 5.4.0

package/README.md

@@ -8,7 +8,7 @@
   <a href="https://www.npmjs.com/package/speclock"><img src="https://img.shields.io/npm/v/speclock.svg?style=flat-square&color=4F46E5" alt="npm version" /></a>
   <a href="https://www.npmjs.com/package/speclock"><img src="https://img.shields.io/npm/dm/speclock.svg?style=flat-square&color=22C55E" alt="npm downloads" /></a>
   <a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/badge/license-MIT-blue.svg?style=flat-square" alt="MIT License" /></a>
-  <a href="https://modelcontextprotocol.io"><img src="https://img.shields.io/badge/MCP-42_tools-green.svg?style=flat-square" alt="MCP 46 tools" /></a>
+  <a href="https://modelcontextprotocol.io"><img src="https://img.shields.io/badge/MCP-42_tools-green.svg?style=flat-square" alt="MCP 49 tools" /></a>
 </p>
 
 <p align="center">
@@ -205,6 +205,73 @@ One command. Instant protection. `npx speclock setup --template safe-defaults`
 
 ---
 
+## Drift Score (v5.4)
+
+How much has your AI-built project drifted from your original intent? Only SpecLock can answer this — because only SpecLock knows what was *intended* vs what was *done*.
+
+```bash
+$ speclock drift
+
+Drift Score: 23/100 (B) — minor drift
+Trend: improving | Period: 30 days | Active locks: 8
+
+Signal Breakdown:
+  Violations:      6/30  (4 violations in 12 checks)
+  Overrides:       5/20  (1 override)
+  Reverts:         3/15  (1 revert detected)
+  Lock churn:      0/15  (0 removed, 3 added)
+  Goal stability:  0/10  (1 goal change)
+  Session gaps:    9/10  (3/5 unsummarized)
+
+README badge: ![Drift Score](https://img.shields.io/badge/drift_score-23%2F100-brightgreen.svg)
+```
+
+Put the badge in your README. Show the world your AI respects your architecture.
+
+---
+
+## Lock Coverage Audit (v5.4)
+
+SpecLock scans your codebase and tells you what's **unprotected**:
+
+```bash
+$ speclock coverage
+
+Lock Coverage: 60% (B) — partially protected
+
+  [COVERED] CRITICAL authentication   2 file(s)
+  [EXPOSED] CRITICAL payments         1 file(s)
+  [COVERED] CRITICAL secrets          0 file(s)
+  [COVERED] HIGH     api-routes       2 file(s)
+
+Suggested Locks (ready to apply):
+  1. [CRITICAL] payments (1 file at risk)
+     speclock lock "Never modify payment processing or billing without permission"
+```
+
+Like a security scanner, but for AI constraint gaps. Solo founders building fast don't know what they haven't protected — SpecLock tells them.
+
+---
+
+## Lock Strengthener (v5.4)
+
+Your locks might be too vague. SpecLock grades each one and suggests improvements:
+
+```bash
+$ speclock strengthen
+
+Lock Strength: 72/100 (B) — 3 strong, 1 weak
+
+[WEAK  ] 45/100 (D)  "don't touch auth"
+          Issue: Too vague — short locks miss edge cases
+          Issue: No specific scope
+          Suggested: "Never modify, refactor, or delete auth..."
+
+[STRONG] 90/100 (A)  "Never expose API keys in client-side code, logs, or error messages"
+```
+
+---
+
 ## Semantic Engine
 
 Not keyword matching — **real semantic analysis** with Gemini Flash hybrid for universal domain coverage. Scored **100/100** on Claude's independent adversarial test battery (7 suites, including false positives, question framing, patch gateway, and diff analysis).
@@ -514,7 +581,7 @@ POST /api/v2/graph/build
 
 ---
 
-## 46 MCP Tools
+## 49 MCP Tools
 
 <details>
 <summary><b>Memory</b> — goal, locks, decisions, notes, deploy facts</summary>
@@ -631,6 +698,9 @@ POST /api/v2/graph/build
 | `speclock_list_sync_formats` | List all available sync formats |
 | `speclock_replay` | Replay a session's activity — what AI tried and what was caught |
 | `speclock_list_sessions` | List available sessions for replay |
+| `speclock_drift_score` | 0-100 project integrity metric — how much AI deviated from intent |
+| `speclock_coverage` | Lock Coverage Audit — find unprotected code areas |
+| `speclock_strengthen` | Grade locks and suggest stronger versions |
 
 </details>
 
@@ -679,6 +749,12 @@ speclock replay                                # Replay last session
 speclock replay --list                         # List sessions
 speclock replay --session <id>                 # Replay specific session
 
+# Project Health
+speclock drift                                 # Drift Score (0-100)
+speclock drift --days 7                        # Last 7 days only
+speclock coverage                              # Lock Coverage Audit
+speclock strengthen                            # Grade and improve locks
+
 # Auth
 speclock auth create-key --role developer
 speclock auth rotate-key <keyId>
@@ -721,7 +797,7 @@ The AI opens the file and sees:
 │     AI Tool (Claude Code, Cursor, Bolt.new...)    │
 └────────────┬──────────────────┬──────────────────┘
              │                  │
-   MCP Protocol (46 tools)    npm File-Based
+   MCP Protocol (49 tools)    npm File-Based
              │              (SPECLOCK.md + CLI)
              │                  │
 ┌────────────▼──────────────────▼──────────────────┐
@@ -791,7 +867,7 @@ The AI opens the file and sees:
 | PII/Export Detection | 8 | 100% | SSN, email export, data access violations |
 | **Total** | **929** | **100%** | **18 suites, 15+ domains** |
 
-**External validation:** Claude's independent 7-suite adversarial test battery — **100/100 (100%)** on v5.3.0. Zero false positives. Zero missed violations. 15.7ms per check.
+**External validation:** Claude's independent 7-suite adversarial test battery — **100/100 (100%)** on v5.4.0. Zero false positives. Zero missed violations. 15.7ms per check.
 
 Tested across: fintech, e-commerce, IoT, healthcare, SaaS, gaming, biotech, aerospace, payments, payroll, robotics, autonomous systems, telecom, insurance, government. All 11 Indian payment gateways detected. Zero false positives on UI/cosmetic actions.
 
@@ -829,11 +905,11 @@ Issues and PRs welcome on [GitHub](https://github.com/sgroy10/speclock).
 
 **SpecLock** is created and maintained by **[Sandeep Roy](https://github.com/sgroy10)**.
 
-Sandeep Roy is the sole developer of SpecLock — the AI Constraint Engine that enforces project rules across AI coding sessions. All 46 MCP tools, the semantic conflict detection engine, enterprise security features (SOC 2, HIPAA, RBAC, encryption), and the pre-publish test gate were designed and built by Sandeep Roy.
+Sandeep Roy is the sole developer of SpecLock — the AI Constraint Engine that enforces project rules across AI coding sessions. All 49 MCP tools, the semantic conflict detection engine, enterprise security features (SOC 2, HIPAA, RBAC, encryption), and the pre-publish test gate were designed and built by Sandeep Roy.
 
 - GitHub: [@sgroy10](https://github.com/sgroy10)
 - npm: [speclock](https://www.npmjs.com/package/speclock)
 
 ---
 
-<p align="center"><i>SpecLock v5.3.0 — Developed by Sandeep Roy — 929 tests, 100% pass rate, 46 MCP tools, Universal Rules Sync, Incident Replay, AI Patch Firewall, Spec Compiler, Code Graph, Typed Constraints, Python SDK, ROS2, REST API v2. Because remembering isn't enough.</i></p>
+<p align="center"><i>SpecLock v5.4.0 — Developed by Sandeep Roy — 929 tests, 100% pass rate, 49 MCP tools, Universal Rules Sync, Incident Replay, AI Patch Firewall, Spec Compiler, Code Graph, Typed Constraints, Python SDK, ROS2, REST API v2. Because remembering isn't enough.</i></p>

package/package.json

@@ -2,9 +2,9 @@
 
   "name": "speclock",
 
-  "version": "5.3.1",
+  "version": "5.4.0",
 
-  "description": "AI Constraint Engine by Sandeep Roy — Universal Rules Sync (one command syncs constraints to Cursor, Claude Code, Copilot, Windsurf, Gemini, Aider, AGENTS.md). AI Patch Firewall, diff-native review, Patch Gateway (ALLOW/WARN/BLOCK), Spec Compiler (NL→constraints), Code Graph (blast radius), Typed constraints, REST API v2, Python SDK, ROS2 integration. 46 MCP tools, Gemini LLM hybrid, HMAC audit chain, RBAC, encryption, SOC 2/HIPAA compliance. Developed by Sandeep Roy.",
+  "description": "AI Constraint Engine by Sandeep Roy — Universal Rules Sync (one command syncs constraints to Cursor, Claude Code, Copilot, Windsurf, Gemini, Aider, AGENTS.md). AI Patch Firewall, diff-native review, Patch Gateway (ALLOW/WARN/BLOCK), Spec Compiler (NL→constraints), Code Graph (blast radius), Typed constraints, REST API v2, Python SDK, ROS2 integration. 49 MCP tools, Gemini LLM hybrid, HMAC audit chain, RBAC, encryption, SOC 2/HIPAA compliance. Developed by Sandeep Roy.",
 
   "type": "module",
 

package/src/cli/index.js

@@ -64,6 +64,9 @@ import {
 } from "../core/sso.js";
 import { syncRules, getSyncFormats } from "../core/rules-sync.js";
 import { getReplay, listSessions, formatReplay } from "../core/replay.js";
+import { computeDriftScore, formatDriftScore } from "../core/drift-score.js";
+import { computeCoverage, formatCoverage } from "../core/coverage.js";
+import { analyzeLockStrength, formatStrength } from "../core/strengthen.js";
 
 // --- Argument parsing ---
 
@@ -119,7 +122,7 @@ function refreshContext(root) {
 
 function printHelp() {
   console.log(`
-SpecLock v5.3.1 — AI Constraint Engine (Universal Rules Sync + Spec Compiler + Code Graph + Typed Constraints + Python SDK + ROS2 + REST API v2 + Gemini LLM + Policy-as-Code + Auth + RBAC + Encryption)
+SpecLock v5.4.0 — AI Constraint Engine (Universal Rules Sync + Spec Compiler + Code Graph + Typed Constraints + Python SDK + ROS2 + REST API v2 + Gemini LLM + Policy-as-Code + Auth + RBAC + Encryption)
 Developed by Sandeep Roy (github.com/sgroy10)
 
 Usage: speclock <command> [options]
@@ -157,6 +160,9 @@ Commands:
   sync --preview <format>         Preview without writing files
   replay [--session <id>]         Replay session activity — what AI tried & what was caught
   replay --list                   List available sessions for replay
+  drift [--days 30]               Drift Score — how much has AI deviated from intent (0-100)
+  coverage                        Lock Coverage Audit — find unprotected code areas
+  strengthen                      Lock Strengthener — grade locks and suggest improvements
   watch                           Start file watcher (live dashboard)
   serve [--project <path>]        Start MCP stdio server
   status                          Show project brain summary
@@ -1113,6 +1119,38 @@ Tip: Run "speclock sync --all" to push constraints to Cursor, Claude, Copilot, W
     process.exit(1);
   }
 
+  // --- DRIFT (new: drift score) ---
+  if (cmd === "drift") {
+    const flags = parseFlags(args);
+    const days = flags.days ? parseInt(flags.days, 10) : 30;
+    const result = computeDriftScore(root, { days });
+
+    console.log(`\nSpecLock Drift Score`);
+    console.log("=".repeat(60));
+    console.log(formatDriftScore(result));
+    return;
+  }
+
+  // --- COVERAGE (new: lock coverage audit) ---
+  if (cmd === "coverage") {
+    const result = computeCoverage(root);
+
+    console.log(`\nSpecLock Lock Coverage Audit`);
+    console.log("=".repeat(60));
+    console.log(formatCoverage(result));
+    return;
+  }
+
+  // --- STRENGTHEN (new: lock strengthener) ---
+  if (cmd === "strengthen") {
+    const result = analyzeLockStrength(root);
+
+    console.log(`\nSpecLock Lock Strengthener`);
+    console.log("=".repeat(60));
+    console.log(formatStrength(result));
+    return;
+  }
+
   // --- REPLAY (new: incident replay) ---
   if (cmd === "replay") {
     const flags = parseFlags(args);

package/src/core/compliance.js

@@ -9,7 +9,7 @@
 import { readBrain, readEvents } from "./storage.js";
 import { verifyAuditChain } from "./audit.js";
 
-const VERSION = "5.3.1";
+const VERSION = "5.4.0";
 
 // PHI-related keywords for HIPAA filtering
 const PHI_KEYWORDS = [

package/src/core/coverage.js

@@ -0,0 +1,274 @@
+/**
+ * SpecLock Lock Coverage Audit — Find Unprotected Code
+ * Scans the codebase for high-risk patterns and identifies files/areas
+ * that have no lock covering them. Auto-suggests missing locks.
+ *
+ * Like a security scanner, but for AI constraint gaps.
+ *
+ * Developed by Sandeep Roy (https://github.com/sgroy10)
+ */
+
+import fs from "fs";
+import path from "path";
+import { readBrain } from "./storage.js";
+import { ensureInit } from "./memory.js";
+
+// --- High-risk patterns to detect ---
+
+const RISK_PATTERNS = [
+  {
+    category: "authentication",
+    keywords: ["auth", "login", "signup", "session", "jwt", "token", "oauth", "passport", "credential"],
+    filePatterns: ["auth", "login", "signup", "session", "passport", "middleware/auth"],
+    severity: "critical",
+    suggestedLock: "Never modify authentication or authorization without explicit permission",
+  },
+  {
+    category: "payments",
+    keywords: ["payment", "stripe", "billing", "checkout", "subscription", "invoice", "price", "razorpay", "paypal"],
+    filePatterns: ["payment", "billing", "checkout", "stripe", "subscription", "invoice"],
+    severity: "critical",
+    suggestedLock: "Never modify payment processing, billing, or subscription logic without explicit permission",
+  },
+  {
+    category: "database",
+    keywords: ["migration", "schema", "model", "prisma", "knex", "sequelize", "typeorm", "drizzle"],
+    filePatterns: ["migration", "schema", "model", "prisma", "db", "database", "seed"],
+    severity: "high",
+    suggestedLock: "Database schema changes must not drop tables or columns — migrations must be additive only",
+  },
+  {
+    category: "secrets",
+    keywords: ["env", "secret", "key", "credential", "password", "config"],
+    filePatterns: [".env", "config/secret", "credentials"],
+    severity: "critical",
+    suggestedLock: "Never expose API keys, secrets, or credentials in client-side code, logs, or error messages",
+  },
+  {
+    category: "api-routes",
+    keywords: ["route", "endpoint", "api", "controller", "handler"],
+    filePatterns: ["routes/", "api/", "controllers/", "handlers/", "app/api/"],
+    severity: "high",
+    suggestedLock: "Never remove or change existing API endpoints without explicit permission — clients depend on stability",
+  },
+  {
+    category: "security",
+    keywords: ["cors", "helmet", "csp", "csrf", "xss", "sanitize", "rate-limit", "rateLimit"],
+    filePatterns: ["security", "cors", "helmet", "middleware/rate"],
+    severity: "critical",
+    suggestedLock: "Security middleware (CORS, CSP, rate limiting) must not be weakened or removed",
+  },
+  {
+    category: "error-handling",
+    keywords: ["error", "catch", "exception", "fallback", "boundary"],
+    filePatterns: ["error", "boundary", "fallback", "exception"],
+    severity: "medium",
+    suggestedLock: "Never remove error handling, error boundaries, or fallback logic",
+  },
+  {
+    category: "logging",
+    keywords: ["logger", "logging", "log", "monitor", "telemetry", "sentry", "datadog"],
+    filePatterns: ["logger", "logging", "monitor", "telemetry"],
+    severity: "medium",
+    suggestedLock: "Never disable logging, monitoring, or observability — these keep production alive",
+  },
+  {
+    category: "testing",
+    keywords: ["test", "spec", "jest", "mocha", "vitest", "cypress", "playwright"],
+    filePatterns: ["test", "spec", "__tests__", "e2e", "cypress"],
+    severity: "low",
+    suggestedLock: "Never delete or skip existing tests — test coverage must not decrease",
+  },
+];
+
+// Files/dirs to ignore
+const IGNORE = [
+  "node_modules", ".git", ".speclock", "dist", "build", ".next",
+  ".cache", "coverage", ".turbo", ".vercel", ".netlify",
+];
+
+/**
+ * Scan project and compute lock coverage.
+ *
+ * @param {string} root - Project root
+ * @param {Object} [options]
+ * @param {number} [options.maxFiles] - Max files to scan (default: 500)
+ * @returns {Object} Coverage analysis
+ */
+export function computeCoverage(root, options = {}) {
+  const brain = ensureInit(root);
+  const maxFiles = options.maxFiles || 500;
+  const activeLocks = (brain.specLock?.items || []).filter((l) => l.active !== false);
+  const lockTexts = activeLocks.map((l) => (l.text || "").toLowerCase());
+
+  // Scan for source files
+  const files = scanFiles(root, maxFiles);
+
+  // Analyze each risk category
+  const categories = RISK_PATTERNS.map((pattern) => {
+    // Find files matching this category
+    const matchingFiles = files.filter((f) => {
+      const fileLower = f.toLowerCase();
+      return pattern.filePatterns.some((fp) => fileLower.includes(fp));
+    });
+
+    // Check if any lock covers this category
+    const coveredBy = activeLocks.filter((lock) => {
+      const lockLower = (lock.text || "").toLowerCase();
+      return pattern.keywords.some((kw) => lockLower.includes(kw));
+    });
+
+    const isCovered = coveredBy.length > 0;
+
+    return {
+      category: pattern.category,
+      severity: pattern.severity,
+      filesFound: matchingFiles.length,
+      files: matchingFiles.slice(0, 5), // show up to 5
+      covered: isCovered,
+      coveredBy: coveredBy.map((l) => l.text.substring(0, 80)),
+      suggestedLock: !isCovered ? pattern.suggestedLock : null,
+    };
+  });
+
+  // Only include categories that have files OR are critical
+  const relevant = categories.filter(
+    (c) => c.filesFound > 0 || c.severity === "critical"
+  );
+
+  const totalCategories = relevant.length;
+  const coveredCategories = relevant.filter((c) => c.covered).length;
+  const coveragePercent = totalCategories > 0
+    ? Math.round((coveredCategories / totalCategories) * 100)
+    : 0;
+
+  // Unprotected = has files but no lock
+  const unprotected = relevant.filter((c) => !c.covered && c.filesFound > 0);
+  const suggestions = unprotected
+    .sort((a, b) => severityRank(a.severity) - severityRank(b.severity))
+    .map((c) => ({
+      category: c.category,
+      severity: c.severity,
+      lock: c.suggestedLock,
+      filesAtRisk: c.filesFound,
+    }));
+
+  // Grade
+  let grade, status;
+  if (coveragePercent >= 90) { grade = "A+"; status = "excellent"; }
+  else if (coveragePercent >= 75) { grade = "A"; status = "well protected"; }
+  else if (coveragePercent >= 60) { grade = "B"; status = "partially protected"; }
+  else if (coveragePercent >= 40) { grade = "C"; status = "gaps found"; }
+  else if (coveragePercent >= 20) { grade = "D"; status = "mostly unprotected"; }
+  else { grade = "F"; status = "no protection"; }
+
+  return {
+    coveragePercent,
+    grade,
+    status,
+    totalFiles: files.length,
+    totalCategories,
+    coveredCategories,
+    categories: relevant,
+    unprotected,
+    suggestions,
+    activeLocks: activeLocks.length,
+    badge: `![Lock Coverage](https://img.shields.io/badge/lock_coverage-${coveragePercent}%25-${coveragePercent >= 75 ? "brightgreen" : coveragePercent >= 50 ? "yellow" : "red"}.svg)`,
+  };
+}
+
+function severityRank(s) {
+  if (s === "critical") return 0;
+  if (s === "high") return 1;
+  if (s === "medium") return 2;
+  return 3;
+}
+
+/**
+ * Scan for source files in the project.
+ */
+function scanFiles(root, maxFiles) {
+  const files = [];
+  const extensions = new Set([
+    ".js", ".ts", ".jsx", ".tsx", ".py", ".rb", ".go",
+    ".java", ".rs", ".php", ".vue", ".svelte", ".astro",
+    ".mjs", ".cjs", ".mts", ".cts",
+  ]);
+
+  function walk(dir, depth) {
+    if (depth > 6 || files.length >= maxFiles) return;
+
+    let entries;
+    try {
+      entries = fs.readdirSync(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+
+    for (const entry of entries) {
+      if (files.length >= maxFiles) break;
+      const name = entry.name;
+
+      if (IGNORE.some((ig) => name === ig || name.startsWith("."))) continue;
+
+      const fullPath = path.join(dir, name);
+      const relPath = path.relative(root, fullPath).replace(/\\/g, "/");
+
+      if (entry.isDirectory()) {
+        walk(fullPath, depth + 1);
+      } else if (entry.isFile()) {
+        const ext = path.extname(name).toLowerCase();
+        if (extensions.has(ext)) {
+          files.push(relPath);
+        }
+      }
+    }
+  }
+
+  walk(root, 0);
+  return files;
+}
+
+/**
+ * Format coverage report for CLI output.
+ */
+export function formatCoverage(result) {
+  const lines = [];
+
+  lines.push(`Lock Coverage: ${result.coveragePercent}% (${result.grade}) — ${result.status}`);
+  lines.push(`Files scanned: ${result.totalFiles} | Categories: ${result.coveredCategories}/${result.totalCategories} covered | Active locks: ${result.activeLocks}`);
+  lines.push("");
+
+  // Category breakdown
+  lines.push("Category Breakdown:");
+  lines.push("  " + "-".repeat(55));
+
+  for (const c of result.categories) {
+    const icon = c.covered ? "COVERED" : (c.filesFound > 0 ? "EXPOSED" : "N/A");
+    const sev = c.severity.toUpperCase().padEnd(8);
+    lines.push(`  [${icon.padEnd(7)}] ${sev} ${c.category.padEnd(16)} ${c.filesFound} file(s)`);
+    if (c.covered && c.coveredBy.length > 0) {
+      lines.push(`            Lock: "${c.coveredBy[0]}"`);
+    }
+  }
+
+  // Suggestions
+  if (result.suggestions.length > 0) {
+    lines.push("");
+    lines.push("Suggested Locks (ready to apply):");
+    lines.push("  " + "-".repeat(55));
+    for (let i = 0; i < result.suggestions.length; i++) {
+      const s = result.suggestions[i];
+      lines.push(`  ${i + 1}. [${s.severity.toUpperCase()}] ${s.category} (${s.filesAtRisk} file(s) at risk)`);
+      lines.push(`     speclock lock "${s.lock}"`);
+      lines.push("");
+    }
+  } else {
+    lines.push("");
+    lines.push("All detected categories are covered by locks.");
+  }
+
+  lines.push(`README badge: ${result.badge}`);
+
+  return lines.join("\n");
+}

package/src/core/drift-score.js

@@ -0,0 +1,201 @@
+/**
+ * SpecLock Drift Score — Project Integrity Metric
+ * Measures how much a project has drifted from the founder's original intent.
+ * 0 = perfect alignment, 100 = complete drift.
+ *
+ * Signals:
+ *   - Lock violations (blocked + warned)
+ *   - Override frequency
+ *   - Revert detections
+ *   - Lock churn (locks removed)
+ *   - Session continuity gaps
+ *   - Decision stability
+ *
+ * Only SpecLock can compute this because only SpecLock knows
+ * what was INTENDED vs what was DONE.
+ *
+ * Developed by Sandeep Roy (https://github.com/sgroy10)
+ */
+
+import { readBrain, readEvents } from "./storage.js";
+import { ensureInit } from "./memory.js";
+
+/**
+ * Compute drift score for the project.
+ *
+ * @param {string} root - Project root
+ * @param {Object} [options]
+ * @param {number} [options.days] - Look back N days (default: 30)
+ * @returns {Object} Drift analysis
+ */
+export function computeDriftScore(root, options = {}) {
+  const brain = ensureInit(root);
+  const days = options.days || 30;
+  const cutoff = new Date(Date.now() - days * 86400000).toISOString();
+
+  const allEvents = readEvents(root, {});
+  const recentEvents = allEvents.filter((e) => e.at >= cutoff);
+  const activeLocks = (brain.specLock?.items || []).filter((l) => l.active !== false);
+
+  // --- Signal 1: Violation Rate (0-30 points) ---
+  // How often did the AI hit constraints?
+  const violations = recentEvents.filter(
+    (e) => e.type === "conflict_blocked" || e.type === "conflict_warned" ||
+           (e.summary && (e.summary.includes("CONFLICT") || e.summary.includes("BLOCK")))
+  );
+  const checks = recentEvents.filter(
+    (e) => e.type === "conflict_checked" || e.type === "conflict_blocked" ||
+           e.type === "conflict_warned"
+  );
+  const violationRate = checks.length > 0
+    ? (violations.length / checks.length) * 100
+    : 0;
+  // 0% violations = 0 drift, 50%+ = 30 drift
+  const violationScore = Math.min(30, Math.round(violationRate * 0.6));
+
+  // --- Signal 2: Override Frequency (0-20 points) ---
+  // Overrides mean someone bypassed a constraint — that's drift
+  const overrides = recentEvents.filter((e) => e.type === "override_applied");
+  const overrideScore = Math.min(20, overrides.length * 5);
+
+  // --- Signal 3: Revert Detections (0-15 points) ---
+  // Reverts indicate instability — code going back and forth
+  const reverts = recentEvents.filter((e) => e.type === "revert_detected");
+  const revertScore = Math.min(15, reverts.length * 3);
+
+  // --- Signal 4: Lock Churn (0-15 points) ---
+  // Locks being removed means constraints are weakening
+  const locksRemoved = recentEvents.filter((e) => e.type === "lock_removed");
+  const locksAdded = recentEvents.filter((e) => e.type === "lock_added");
+  const churnRatio = locksAdded.length > 0
+    ? locksRemoved.length / locksAdded.length
+    : locksRemoved.length > 0 ? 1 : 0;
+  const churnScore = Math.min(15, Math.round(churnRatio * 15));
+
+  // --- Signal 5: Goal Stability (0-10 points) ---
+  // Frequent goal changes indicate lack of direction
+  const goalChanges = recentEvents.filter((e) => e.type === "goal_updated");
+  const goalScore = Math.min(10, goalChanges.length > 1 ? (goalChanges.length - 1) * 5 : 0);
+
+  // --- Signal 6: Session Gaps (0-10 points) ---
+  // Many short sessions without summaries indicate fragmented work
+  const sessions = brain.sessions.history.filter((s) => s.startedAt >= cutoff);
+  const unsummarized = sessions.filter(
+    (s) => !s.summary || s.summary === "Session auto-closed (new session started)"
+  );
+  const gapRatio = sessions.length > 0 ? unsummarized.length / sessions.length : 0;
+  const gapScore = Math.min(10, Math.round(gapRatio * 10));
+
+  // --- Total ---
+  const totalScore = violationScore + overrideScore + revertScore +
+                     churnScore + goalScore + gapScore;
+  const driftScore = Math.min(100, totalScore);
+
+  // --- Grade ---
+  let grade, status;
+  if (driftScore <= 10) { grade = "A+"; status = "excellent"; }
+  else if (driftScore <= 20) { grade = "A"; status = "healthy"; }
+  else if (driftScore <= 35) { grade = "B"; status = "minor drift"; }
+  else if (driftScore <= 50) { grade = "C"; status = "moderate drift"; }
+  else if (driftScore <= 70) { grade = "D"; status = "significant drift"; }
+  else { grade = "F"; status = "severe drift"; }
+
+  // --- Per-session drift breakdown ---
+  const sessionDrift = sessions.map((s) => {
+    const sessionEvents = recentEvents.filter(
+      (e) => e.at >= s.startedAt && (s.endedAt ? e.at <= s.endedAt : true)
+    );
+    const sessionViolations = sessionEvents.filter(
+      (e) => e.type === "conflict_blocked" || e.type === "conflict_warned" ||
+             (e.summary && e.summary.includes("CONFLICT"))
+    );
+    const sessionOverrides = sessionEvents.filter(
+      (e) => e.type === "override_applied"
+    );
+    return {
+      id: s.id,
+      tool: s.toolUsed,
+      date: s.startedAt.substring(0, 10),
+      events: sessionEvents.length,
+      violations: sessionViolations.length,
+      overrides: sessionOverrides.length,
+      impact: sessionViolations.length * 3 + sessionOverrides.length * 5,
+    };
+  }).sort((a, b) => b.impact - a.impact);
+
+  // --- Trend ---
+  // Compare first half vs second half of the period
+  const midpoint = new Date(Date.now() - (days / 2) * 86400000).toISOString();
+  const firstHalf = recentEvents.filter((e) => e.at < midpoint);
+  const secondHalf = recentEvents.filter((e) => e.at >= midpoint);
+  const firstViolations = firstHalf.filter(
+    (e) => e.type === "conflict_blocked" || e.type === "conflict_warned"
+  ).length;
+  const secondViolations = secondHalf.filter(
+    (e) => e.type === "conflict_blocked" || e.type === "conflict_warned"
+  ).length;
+
+  let trend;
+  if (firstViolations === 0 && secondViolations === 0) trend = "stable";
+  else if (secondViolations > firstViolations) trend = "worsening";
+  else if (secondViolations < firstViolations) trend = "improving";
+  else trend = "stable";
+
+  return {
+    score: driftScore,
+    grade,
+    status,
+    trend,
+    period: `${days} days`,
+    signals: {
+      violations: { score: violationScore, max: 30, count: violations.length, total: checks.length },
+      overrides: { score: overrideScore, max: 20, count: overrides.length },
+      reverts: { score: revertScore, max: 15, count: reverts.length },
+      lockChurn: { score: churnScore, max: 15, removed: locksRemoved.length, added: locksAdded.length },
+      goalStability: { score: goalScore, max: 10, changes: goalChanges.length },
+      sessionGaps: { score: gapScore, max: 10, total: sessions.length, unsummarized: unsummarized.length },
+    },
+    activeLocks: activeLocks.length,
+    topDriftSessions: sessionDrift.slice(0, 5),
+    badge: `![SpecLock Drift Score](https://img.shields.io/badge/drift_score-${driftScore}%2F100-${driftScore <= 20 ? "brightgreen" : driftScore <= 50 ? "yellow" : "red"}.svg)`,
+  };
+}
+
+/**
+ * Format drift score for CLI output.
+ */
+export function formatDriftScore(result) {
+  const lines = [];
+
+  lines.push(`Drift Score: ${result.score}/100 (${result.grade}) — ${result.status}`);
+  lines.push(`Trend: ${result.trend} | Period: ${result.period} | Active locks: ${result.activeLocks}`);
+  lines.push("");
+  lines.push("Signal Breakdown:");
+  lines.push("  " + "-".repeat(50));
+
+  const s = result.signals;
+  lines.push(`  Violations:     ${pad(s.violations.score)}/${s.violations.max}  (${s.violations.count} violations in ${s.violations.total} checks)`);
+  lines.push(`  Overrides:      ${pad(s.overrides.score)}/${s.overrides.max}  (${s.overrides.count} overrides)`);
+  lines.push(`  Reverts:        ${pad(s.reverts.score)}/${s.reverts.max}  (${s.reverts.count} reverts detected)`);
+  lines.push(`  Lock churn:     ${pad(s.lockChurn.score)}/${s.lockChurn.max}  (${s.lockChurn.removed} removed, ${s.lockChurn.added} added)`);
+  lines.push(`  Goal stability: ${pad(s.goalStability.score)}/${s.goalStability.max}  (${s.goalStability.changes} goal change(s))`);
+  lines.push(`  Session gaps:   ${pad(s.sessionGaps.score)}/${s.sessionGaps.max}  (${s.sessionGaps.unsummarized}/${s.sessionGaps.total} unsummarized)`);
+
+  if (result.topDriftSessions.length > 0) {
+    lines.push("");
+    lines.push("Top Drift Sessions:");
+    for (const ds of result.topDriftSessions) {
+      if (ds.impact === 0) continue;
+      lines.push(`  ${ds.date}  ${ds.tool.padEnd(12)}  ${ds.violations} violation(s), ${ds.overrides} override(s)  [impact: ${ds.impact}]`);
+    }
+  }
+
+  lines.push("");
+  lines.push(`README badge: ${result.badge}`);
+
+  return lines.join("\n");
+}
+
+function pad(n) {
+  return String(n).padStart(2, " ");
+}

package/src/core/strengthen.js

@@ -0,0 +1,199 @@
+/**
+ * SpecLock Lock Strengthener — Grade and Improve Weak Locks
+ * Analyzes each lock's specificity, scope, and detection power.
+ * Suggests stronger versions that catch more violations.
+ *
+ * Developed by Sandeep Roy (https://github.com/sgroy10)
+ */
+
+import { readBrain } from "./storage.js";
+import { ensureInit } from "./memory.js";
+
+// --- Weakness patterns ---
+
+const WEAKNESS_RULES = [
+  {
+    id: "too_short",
+    test: (text) => text.split(/\s+/).length < 4,
+    issue: "Too vague — short locks miss edge cases",
+    fix: (text) => `${text} — no modifications, refactoring, or rewriting allowed without explicit permission`,
+  },
+  {
+    id: "no_action_verb",
+    test: (text) => {
+      const lower = text.toLowerCase();
+      return !["never", "don't", "do not", "must not", "cannot", "must", "always", "no "].some(
+        (v) => lower.includes(v)
+      );
+    },
+    issue: "No enforcement verb — AI may interpret as suggestion rather than rule",
+    fix: (text) => `Never ${text.charAt(0).toLowerCase() + text.slice(1)}`,
+  },
+  {
+    id: "no_scope",
+    test: (text) => {
+      const lower = text.toLowerCase();
+      const hasScope = ["file", "module", "function", "endpoint", "route", "table",
+        "column", "field", "component", "page", "api", "database", "schema",
+        "auth", "payment", "config", "secret", "key", "middleware"].some(
+        (s) => lower.includes(s)
+      );
+      return !hasScope;
+    },
+    issue: "No specific scope — doesn't target files, modules, or components",
+    fix: (text) => text, // Can't auto-fix without context
+  },
+  {
+    id: "no_consequence",
+    test: (text) => {
+      const lower = text.toLowerCase();
+      return !["because", "reason", "will break", "will fail", "causes", "leads to",
+        "depends on", "clients depend", "users expect", "production", "critical"].some(
+        (c) => lower.includes(c)
+      );
+    },
+    issue: "No consequence explained — AI may override without understanding impact",
+    fix: null, // Needs context
+  },
+  {
+    id: "ambiguous_touch",
+    test: (text) => {
+      const lower = text.toLowerCase();
+      return lower.includes("touch") && !lower.includes("modify") && !lower.includes("change");
+    },
+    issue: '"Touch" is ambiguous — does it mean read, write, or delete?',
+    fix: (text) => text.replace(/touch/gi, "modify, refactor, or delete"),
+  },
+  {
+    id: "missing_euphemism_guard",
+    test: (text) => {
+      const lower = text.toLowerCase();
+      const hasDelete = lower.includes("delete") || lower.includes("remove");
+      const hasCleanup = lower.includes("clean") || lower.includes("simplif") || lower.includes("reorganiz");
+      return hasDelete && !hasCleanup;
+    },
+    issue: 'Doesn\'t guard against euphemisms like "clean up" or "simplify" which often mean deletion',
+    fix: (text) => `${text}. This includes euphemisms like "clean up", "simplify", "modernize", or "reorganize" — these often mask destructive changes`,
+  },
+];
+
+/**
+ * Analyze all locks and suggest improvements.
+ *
+ * @param {string} root - Project root
+ * @returns {Object} Strength analysis
+ */
+export function analyzeLockStrength(root) {
+  const brain = ensureInit(root);
+  const activeLocks = (brain.specLock?.items || []).filter((l) => l.active !== false);
+
+  if (activeLocks.length === 0) {
+    return {
+      totalLocks: 0,
+      avgStrength: 0,
+      locks: [],
+      summary: "No active locks to analyze. Add constraints first.",
+    };
+  }
+
+  const analyzed = activeLocks.map((lock) => {
+    const text = lock.text || "";
+    const weaknesses = [];
+    const suggestions = [];
+
+    for (const rule of WEAKNESS_RULES) {
+      if (rule.test(text)) {
+        weaknesses.push({ id: rule.id, issue: rule.issue });
+        if (rule.fix) {
+          const fixed = rule.fix(text);
+          if (fixed !== text) {
+            suggestions.push({ id: rule.id, improved: fixed });
+          }
+        }
+      }
+    }
+
+    // Score: start at 100, deduct per weakness
+    const deductions = {
+      too_short: 25,
+      no_action_verb: 20,
+      no_scope: 15,
+      no_consequence: 10,
+      ambiguous_touch: 15,
+      missing_euphemism_guard: 10,
+    };
+
+    let strength = 100;
+    for (const w of weaknesses) {
+      strength -= deductions[w.id] || 10;
+    }
+    strength = Math.max(0, strength);
+
+    let grade;
+    if (strength >= 90) grade = "A";
+    else if (strength >= 75) grade = "B";
+    else if (strength >= 60) grade = "C";
+    else if (strength >= 40) grade = "D";
+    else grade = "F";
+
+    return {
+      id: lock.id,
+      text: text.substring(0, 100),
+      fullText: text,
+      strength,
+      grade,
+      weaknesses,
+      suggestions: suggestions.slice(0, 2), // top 2 suggestions
+    };
+  });
+
+  const avgStrength = Math.round(
+    analyzed.reduce((sum, l) => sum + l.strength, 0) / analyzed.length
+  );
+
+  const weak = analyzed.filter((l) => l.strength < 60);
+  const strong = analyzed.filter((l) => l.strength >= 80);
+
+  return {
+    totalLocks: analyzed.length,
+    avgStrength,
+    avgGrade: avgStrength >= 90 ? "A" : avgStrength >= 75 ? "B" : avgStrength >= 60 ? "C" : avgStrength >= 40 ? "D" : "F",
+    strongCount: strong.length,
+    weakCount: weak.length,
+    locks: analyzed,
+    summary: `${analyzed.length} locks analyzed. Average strength: ${avgStrength}/100 (${weak.length} weak, ${strong.length} strong).`,
+  };
+}
+
+/**
+ * Format strength analysis for CLI output.
+ */
+export function formatStrength(result) {
+  if (result.totalLocks === 0) return result.summary;
+
+  const lines = [];
+
+  lines.push(`Lock Strength: ${result.avgStrength}/100 (${result.avgGrade}) — ${result.strongCount} strong, ${result.weakCount} weak`);
+  lines.push("");
+
+  // Sort weakest first
+  const sorted = [...result.locks].sort((a, b) => a.strength - b.strength);
+
+  for (const lock of sorted) {
+    const icon = lock.strength >= 80 ? "STRONG" : lock.strength >= 60 ? "OK" : "WEAK";
+    lines.push(`[${icon.padEnd(6)}] ${lock.strength}/100 (${lock.grade})  "${lock.text}"`);
+
+    if (lock.weaknesses.length > 0) {
+      for (const w of lock.weaknesses) {
+        lines.push(`          Issue: ${w.issue}`);
+      }
+    }
+    if (lock.suggestions.length > 0) {
+      lines.push(`          Suggested: "${lock.suggestions[0].improved.substring(0, 100)}"`);
+    }
+    lines.push("");
+  }
+
+  lines.push(result.summary);
+  return lines.join("\n");
+}

package/src/dashboard/index.html

@@ -89,7 +89,7 @@
 <div class="header">
   <div>
     <h1><span>SpecLock</span> Dashboard</h1>
-    <div class="meta">v5.3.1 &mdash; AI Constraint Engine</div>
+    <div class="meta">v5.4.0 &mdash; AI Constraint Engine</div>
   </div>
   <div style="display:flex;align-items:center;gap:12px;">
     <span id="health-badge" class="status-badge healthy">Loading...</span>
@@ -182,7 +182,7 @@
 </div>
 
 <div style="text-align:center;padding:24px;color:var(--muted);font-size:12px;">
-  SpecLock v5.3.1 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
+  SpecLock v5.4.0 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
 </div>
 
 <script>

package/src/mcp/http-server.js

@@ -113,7 +113,7 @@ import { fileURLToPath } from "url";
 import _path from "path";
 
 const PROJECT_ROOT = process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
-const VERSION = "5.3.1";
+const VERSION = "5.4.0";
 const AUTHOR = "Sandeep Roy";
 const START_TIME = Date.now();
 
@@ -901,8 +901,8 @@ app.get("/", (req, res) => {
     name: "speclock",
     version: VERSION,
     author: AUTHOR,
-    description: "AI Constraint Engine — Universal Rules Sync + AI Patch Firewall. Syncs constraints to Cursor, Claude Code, Copilot, Windsurf, Gemini, Aider, AGENTS.md. Patch Gateway (ALLOW/WARN/BLOCK verdicts), diff-native review (interface breaks, protected symbols, dependency drift, schema changes, API impact). Spec Compiler (NL→constraints), Code Graph (blast radius, lock-to-file mapping), Typed constraints, REST API v2, Python SDK + ROS2 integration. Policy-as-Code, RBAC, AES-256-GCM encryption, HMAC audit chain, SOC 2/HIPAA compliance. 46 MCP tools. 929 tests, 100% accuracy.",
-    tools: 46,
+    description: "AI Constraint Engine — Universal Rules Sync + AI Patch Firewall. Syncs constraints to Cursor, Claude Code, Copilot, Windsurf, Gemini, Aider, AGENTS.md. Patch Gateway (ALLOW/WARN/BLOCK verdicts), diff-native review (interface breaks, protected symbols, dependency drift, schema changes, API impact). Spec Compiler (NL→constraints), Code Graph (blast radius, lock-to-file mapping), Typed constraints, REST API v2, Python SDK + ROS2 integration. Policy-as-Code, RBAC, AES-256-GCM encryption, HMAC audit chain, SOC 2/HIPAA compliance. 49 MCP tools. 929 tests, 100% accuracy.",
+    tools: 49,
     mcp_endpoint: "/mcp",
     health_endpoint: "/health",
     npm: "https://www.npmjs.com/package/speclock",

package/src/mcp/server.js

@@ -67,6 +67,9 @@ import {
 import { generateContext, generateContextPack } from "../core/context.js";
 import { syncRules, getSyncFormats } from "../core/rules-sync.js";
 import { getReplay, listSessions, formatReplay } from "../core/replay.js";
+import { computeDriftScore, formatDriftScore } from "../core/drift-score.js";
+import { computeCoverage, formatCoverage } from "../core/coverage.js";
+import { analyzeLockStrength, formatStrength } from "../core/strengthen.js";
 import {
   readBrain,
   readEvents,
@@ -122,7 +125,7 @@ const PROJECT_ROOT =
   args.project || process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
 
 // --- MCP Server ---
-const VERSION = "5.3.1";
+const VERSION = "5.4.0";
 const AUTHOR = "Sandeep Roy";
 
 const server = new McpServer(
@@ -1999,7 +2002,45 @@ server.tool(
   }
 );
 
-// Tool 39: speclock_list_sync_formats
+// Tool 39: speclock_drift_score
+server.tool(
+  "speclock_drift_score",
+  "Compute a 0-100 Drift Score measuring how much the project has drifted from the founder's original intent. Analyzes violations, overrides, reverts, lock churn, goal stability, and session gaps. Returns score, grade, trend, signal breakdown, and per-session impact. Only SpecLock can compute this because only SpecLock knows what was INTENDED vs what was DONE.",
+  {
+    days: z.number().optional().default(30).describe("Look back N days (default: 30)"),
+  },
+  async ({ days }) => {
+    const result = computeDriftScore(PROJECT_ROOT, { days });
+    const formatted = formatDriftScore(result);
+    return { content: [{ type: "text", text: `## Drift Score\n\n\`\`\`\n${formatted}\n\`\`\`` }] };
+  }
+);
+
+// Tool 40: speclock_coverage
+server.tool(
+  "speclock_coverage",
+  "Lock Coverage Audit — scans the codebase for high-risk patterns (auth, payments, database, secrets, API routes, security, error handling, logging) and identifies areas with no lock protecting them. Auto-suggests the missing locks you need. Like a security scanner but for AI constraint gaps.",
+  {},
+  async () => {
+    const result = computeCoverage(PROJECT_ROOT);
+    const formatted = formatCoverage(result);
+    return { content: [{ type: "text", text: `## Lock Coverage Audit\n\n\`\`\`\n${formatted}\n\`\`\`` }] };
+  }
+);
+
+// Tool 41: speclock_strengthen
+server.tool(
+  "speclock_strengthen",
+  "Lock Strengthener — grades each lock's specificity, scope, and detection power (0-100). Identifies weak locks and suggests stronger versions that catch more violations. Checks for: vagueness, missing enforcement verbs, no scope, no consequence, ambiguous language, missing euphemism guards.",
+  {},
+  async () => {
+    const result = analyzeLockStrength(PROJECT_ROOT);
+    const formatted = formatStrength(result);
+    return { content: [{ type: "text", text: `## Lock Strength Analysis\n\n\`\`\`\n${formatted}\n\`\`\`` }] };
+  }
+);
+
+// Tool 42: speclock_list_sync_formats
 server.tool(
   "speclock_list_sync_formats",
   "List all available AI tool formats that SpecLock can sync constraints to. Shows format key, tool name, output file path, and description.",