speclock 5.4.1 → 5.5.1

package/README.md

@@ -8,7 +8,13 @@
   <a href="https://www.npmjs.com/package/speclock"><img src="https://img.shields.io/npm/v/speclock.svg?style=flat-square&color=4F46E5" alt="npm version" /></a>
   <a href="https://www.npmjs.com/package/speclock"><img src="https://img.shields.io/npm/dm/speclock.svg?style=flat-square&color=22C55E" alt="npm downloads" /></a>
   <a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/badge/license-MIT-blue.svg?style=flat-square" alt="MIT License" /></a>
-  <a href="https://modelcontextprotocol.io"><img src="https://img.shields.io/badge/MCP-42_tools-green.svg?style=flat-square" alt="MCP 49 tools" /></a>
+  <a href="https://modelcontextprotocol.io"><img src="https://img.shields.io/badge/MCP-51_tools-green.svg?style=flat-square" alt="MCP 51 tools" /></a>
+</p>
+
+<p align="center">
+  <img src="https://img.shields.io/badge/drift_score-12%2F100-brightgreen.svg?style=flat-square" alt="Drift Score" />
+  <img src="https://img.shields.io/badge/lock_coverage-83%25-brightgreen.svg?style=flat-square" alt="Lock Coverage" />
+  <img src="https://img.shields.io/badge/lock_strength-85%2F100-brightgreen.svg?style=flat-square" alt="Lock Strength" />
 </p>
 
 <p align="center">
@@ -19,6 +25,10 @@
 
 ---
 
+> **New in v5.4:** `speclock drift` — the only tool that measures how much your AI has drifted from your architecture. `speclock coverage` — find what's unprotected. `speclock strengthen` — grade your locks. Three numbers that tell your project's whole story.
+
+---
+
 ```
 You:    "Never touch the auth system"
 AI:     🔒 Locked.
@@ -32,8 +42,8 @@ AI:     ⚠️  BLOCKED — violates lock "Never touch the auth system"
         Should I find another approach?
 ```
 
-**100/100 on Claude's independent test suite. 929 tests across 18 suites. 0 false positives. 15.7ms per check.**
-**Gemini Flash hybrid, Spec Compiler, Code Graph, Typed Constraints, Python SDK, ROS2 integration.**
+**100/100 on Claude's independent test suite. 976 tests across 19 suites. 0 false positives. 15.7ms per check.**
+**Zero-config Guardian Mode, Universal Rules Sync, AI Patch Firewall, Drift Score, Spec Compiler, Code Graph.**
 
 ---
 
@@ -45,6 +55,14 @@ npx speclock setup --goal "Build my app"
 
 That's it. One command. Works everywhere — Bolt.new, Claude Code, Cursor, Lovable, Windsurf, Cline, Aider.
 
+### Already have `.cursorrules`, `CLAUDE.md`, or `AGENTS.md`?
+
+```bash
+npx speclock protect
+```
+
+Zero flags. Reads your existing rule files, extracts enforceable constraints, installs a pre-commit hook, and syncs rules to every AI tool. **Your rules are now enforced, not just suggested.**
+
 ## The Problem
 
 AI coding tools have memory now. Claude Code has `CLAUDE.md`. Cursor has `.cursorrules`. Mem0 exists.
@@ -581,7 +599,7 @@ POST /api/v2/graph/build
 
 ---
 
-## 49 MCP Tools
+## 51 MCP Tools
 
 <details>
 <summary><b>Memory</b> — goal, locks, decisions, notes, deploy facts</summary>
@@ -797,7 +815,7 @@ The AI opens the file and sees:
 │     AI Tool (Claude Code, Cursor, Bolt.new...)    │
 └────────────┬──────────────────┬──────────────────┘
              │                  │
-   MCP Protocol (49 tools)    npm File-Based
+   MCP Protocol (51 tools)    npm File-Based
              │              (SPECLOCK.md + CLI)
              │                  │
 ┌────────────▼──────────────────▼──────────────────┐
@@ -865,9 +883,10 @@ The AI opens the file and sees:
 | Question Framing | 9 | 100% | "What if we..." and "How hard would it be..." |
 | REST API v2 | 9 | 100% | Typed constraint endpoints, SSE |
 | PII/Export Detection | 8 | 100% | SSN, email export, data access violations |
-| **Total** | **929** | **100%** | **18 suites, 15+ domains** |
+| Guardian (Protect) | 47 | 100% | Zero-config rule file extraction |
+| **Total** | **976** | **100%** | **19 suites, 15+ domains** |
 
-**External validation:** Claude's independent 7-suite adversarial test battery — **100/100 (100%)** on v5.4.0. Zero false positives. Zero missed violations. 15.7ms per check.
+**External validation:** Claude's independent 7-suite adversarial test battery — **100/100 (100%)** on v5.5.0. Zero false positives. Zero missed violations. 15.7ms per check.
 
 Tested across: fintech, e-commerce, IoT, healthcare, SaaS, gaming, biotech, aerospace, payments, payroll, robotics, autonomous systems, telecom, insurance, government. All 11 Indian payment gateways detected. Zero false positives on UI/cosmetic actions.
 
@@ -905,11 +924,11 @@ Issues and PRs welcome on [GitHub](https://github.com/sgroy10/speclock).
 
 **SpecLock** is created and maintained by **[Sandeep Roy](https://github.com/sgroy10)**.
 
-Sandeep Roy is the sole developer of SpecLock — the AI Constraint Engine that enforces project rules across AI coding sessions. All 49 MCP tools, the semantic conflict detection engine, enterprise security features (SOC 2, HIPAA, RBAC, encryption), and the pre-publish test gate were designed and built by Sandeep Roy.
+Sandeep Roy is the sole developer of SpecLock — the AI Constraint Engine that enforces project rules across AI coding sessions. All 51 MCP tools, the semantic conflict detection engine, enterprise security features (SOC 2, HIPAA, RBAC, encryption), and the pre-publish test gate were designed and built by Sandeep Roy.
 
 - GitHub: [@sgroy10](https://github.com/sgroy10)
 - npm: [speclock](https://www.npmjs.com/package/speclock)
 
 ---
 
-<p align="center"><i>SpecLock v5.4.0 — Developed by Sandeep Roy — 929 tests, 100% pass rate, 49 MCP tools, Universal Rules Sync, Incident Replay, AI Patch Firewall, Spec Compiler, Code Graph, Typed Constraints, Python SDK, ROS2, REST API v2. Because remembering isn't enough.</i></p>
+<p align="center"><i>SpecLock v5.5.0 — Your AI has rules. SpecLock makes them unbreakable. 976 tests, 100% pass rate, 51 MCP tools, Zero-config Guardian Mode, Universal Rules Sync, AI Patch Firewall, Drift Score. Developed by Sandeep Roy.</i></p>

package/bin/speclock.js

@@ -1,4 +1,4 @@
-#!/usr/bin/env node
+#!/usr/bin/env node
 // SpecLock CLI — AI Constraint Engine
 // Developed by Sandeep Roy (https://github.com/sgroy10)
 import "../src/cli/index.js";

package/package.json

@@ -2,9 +2,9 @@
 
   "name": "speclock",
 
-  "version": "5.4.1",
+  "version": "5.5.1",
 
-  "description": "AI Constraint Engine by Sandeep Roy — Universal Rules Sync (one command syncs constraints to Cursor, Claude Code, Copilot, Windsurf, Gemini, Aider, AGENTS.md). AI Patch Firewall, diff-native review, Patch Gateway (ALLOW/WARN/BLOCK), Spec Compiler (NL→constraints), Code Graph (blast radius), Typed constraints, REST API v2, Python SDK, ROS2 integration. 49 MCP tools, Gemini LLM hybrid, HMAC audit chain, RBAC, encryption, SOC 2/HIPAA compliance. Developed by Sandeep Roy.",
+  "description": "Stop AI from breaking code you told it not to touch. Enforces .cursorrules, CLAUDE.md, and AGENTS.md — not just suggests. Zero-config: npx speclock protect reads your existing AI rule files, extracts constraints, installs pre-commit hooks, and makes your rules unbreakable. 51 MCP tools, Universal Rules Sync, AI Patch Firewall, Spec Compiler, Code Graph, Typed Constraints, Drift Score, HMAC audit chain, SOC 2/HIPAA compliance. Developed by Sandeep Roy.",
 
   "type": "module",
 

package/src/cli/index.js

@@ -67,6 +67,7 @@ import { getReplay, listSessions, formatReplay } from "../core/replay.js";
 import { computeDriftScore, formatDriftScore } from "../core/drift-score.js";
 import { computeCoverage, formatCoverage } from "../core/coverage.js";
 import { analyzeLockStrength, formatStrength } from "../core/strengthen.js";
+import { protect, formatProtectReport } from "../core/guardian.js";
 
 // --- Argument parsing ---
 
@@ -122,7 +123,7 @@ function refreshContext(root) {
 
 function printHelp() {
   console.log(`
-SpecLock v5.4.1 — AI Constraint Engine (Universal Rules Sync + Spec Compiler + Code Graph + Typed Constraints + Python SDK + ROS2 + REST API v2 + Gemini LLM + Policy-as-Code + Auth + RBAC + Encryption)
+SpecLock v5.5.1 — Your AI has rules. SpecLock makes them unbreakable.
 Developed by Sandeep Roy (github.com/sgroy10)
 
 Usage: speclock <command> [options]
@@ -133,6 +134,7 @@ Commands:
   goal <text>                     Set or update the project goal
   lock <text> [--tags a,b]        Add a non-negotiable constraint
   lock remove <id>                Remove a lock by ID
+  protect                         Zero-config: read rule files, extract locks, enforce
   guard <file> [--lock "text"]    Inject lock warning into a file
   unguard <file>                  Remove lock warning from a file
   decide <text> [--tags a,b]      Record a decision
@@ -545,6 +547,21 @@ Tip: Run "speclock sync --all" to push constraints to Cursor, Claude, Copilot, W
     return;
   }
 
+  // --- PROTECT (zero-config guardian mode) ---
+  if (cmd === "protect") {
+    const flags = parseFlags(args);
+    const opts = {
+      skipHook: flags["no-hook"] === true,
+      skipSync: flags["no-sync"] === true,
+    };
+    const report = protect(root, opts);
+    console.log(formatProtectReport(report));
+    if (report.errors.length > 0 && report.discovered.length === 0) {
+      process.exit(1);
+    }
+    return;
+  }
+
   // --- FACTS ---
   if (cmd === "facts") {
     const sub = args.shift();

package/src/core/compliance.js

@@ -9,7 +9,7 @@
 import { readBrain, readEvents } from "./storage.js";
 import { verifyAuditChain } from "./audit.js";
 
-const VERSION = "5.4.1";
+const VERSION = "5.5.1";
 
 // PHI-related keywords for HIPAA filtering
 const PHI_KEYWORDS = [

package/src/core/engine.js

@@ -73,6 +73,14 @@ export {
   semanticAudit,
 } from "./pre-commit-semantic.js";
 
+// --- Guardian (v5.5) ---
+export {
+  discoverRuleFiles,
+  extractConstraints,
+  protect,
+  formatProtectReport,
+} from "./guardian.js";
+
 // --- File Watcher ---
 // watchRepo stays here because it uses multiple modules
 

package/src/core/guardian.js

@@ -0,0 +1,384 @@
+// ===================================================================
+// SpecLock Guardian — Zero-Config Protection from AI Rule Files
+// Reads existing .cursorrules, CLAUDE.md, AGENTS.md, copilot-instructions.md
+// and auto-extracts enforceable constraints. One command. No flags.
+//
+// "Your AI has rules. SpecLock makes them unbreakable."
+//
+// Developed by Sandeep Roy (https://github.com/sgroy10)
+// ===================================================================
+
+import fs from "fs";
+import path from "path";
+import { ensureInit, addLock, addDecision } from "./memory.js";
+import { readBrain } from "./storage.js";
+import { installHook, isHookInstalled } from "./hooks.js";
+import { syncRules } from "./rules-sync.js";
+import { generateContext } from "./context.js";
+
+// --- Rule file discovery ---
+
+const RULE_FILES = [
+  { file: ".cursorrules", tool: "Cursor" },
+  { file: ".cursor/rules/rules.mdc", tool: "Cursor (MDC)" },
+  { file: "CLAUDE.md", tool: "Claude Code" },
+  { file: "AGENTS.md", tool: "AGENTS.md" },
+  { file: ".github/copilot-instructions.md", tool: "GitHub Copilot" },
+  { file: ".windsurfrules", tool: "Windsurf" },
+  { file: ".windsurf/rules/rules.md", tool: "Windsurf (dir)" },
+  { file: "GEMINI.md", tool: "Gemini" },
+  { file: ".aider.conf.yml", tool: "Aider" },
+  { file: "COPILOT.md", tool: "Copilot (alt)" },
+  { file: ".github/instructions.md", tool: "GitHub (alt)" },
+];
+
+// Files that SpecLock's sync creates — these are OUTPUT, not INPUT.
+// Never read these back as source rule files.
+const SPECLOCK_OUTPUT_FILES = new Set([
+  ".cursor/rules/speclock.mdc",
+  ".windsurf/rules/speclock.md",
+]);
+
+// Header markers that indicate a file was auto-generated by SpecLock sync.
+// If ANY of these appear in the first 8 lines, skip the file.
+const SPECLOCK_SYNC_MARKERS = [
+  "Auto-synced from SpecLock",
+  "Auto-synced by SpecLock",
+  "Auto-synced.",
+  "(SpecLock)",
+  "# SpecLock Constraints",
+  "# Generated:",
+  "Do not edit manually — run `speclock sync`",
+  "speclock sync --format",
+  "speclock_session_briefing",
+];
+
+/**
+ * Discover all AI rule files in the project.
+ */
+export function discoverRuleFiles(root) {
+  const found = [];
+  for (const entry of RULE_FILES) {
+    // Skip known SpecLock output files
+    if (SPECLOCK_OUTPUT_FILES.has(entry.file)) continue;
+
+    const fullPath = path.join(root, entry.file);
+    if (fs.existsSync(fullPath)) {
+      const content = fs.readFileSync(fullPath, "utf-8").trim();
+      if (content.length === 0) continue;
+
+      // Skip files that were auto-generated by SpecLock sync
+      if (isSpeclockGenerated(content)) continue;
+
+      found.push({
+        file: entry.file,
+        tool: entry.tool,
+        path: fullPath,
+        content,
+        size: content.length,
+        lines: content.split("\n").length,
+      });
+    }
+  }
+  return found;
+}
+
+/**
+ * Check if file content was auto-generated by SpecLock sync.
+ * Looks at the first 5 lines for sync markers.
+ */
+function isSpeclockGenerated(content) {
+  const header = content.split("\n").slice(0, 8).join("\n");
+  return SPECLOCK_SYNC_MARKERS.some((marker) => header.includes(marker));
+}
+
+// --- Heuristic constraint extraction (no API key needed) ---
+
+// Patterns that signal a constraint/rule
+const CONSTRAINT_PATTERNS = [
+  // Strong imperative (NEVER, ALWAYS, MUST, DO NOT)
+  /^[-*•]\s*(NEVER|ALWAYS|MUST|DO NOT|DON'T|DONT|SHALL NOT|REQUIRED|MANDATORY|CRITICAL|IMPORTANT)\b/i,
+  /^(NEVER|ALWAYS|MUST|DO NOT|DON'T|DONT|SHALL NOT)\b/i,
+  // "Do not..." / "Don't..." at line start
+  /^[-*•]\s*(Do not|Don't|Dont|Never|Always|Must)\b/,
+  /^(Do not|Don't|Dont)\b/,
+  // Emphasis markers suggesting importance
+  /^\*\*(NEVER|ALWAYS|MUST|DO NOT|DON'T|IMPORTANT|CRITICAL|REQUIRED)\*\*/i,
+  // "X is required" / "X is mandatory" / "X is non-negotiable"
+  /\b(is required|is mandatory|is non-negotiable|is critical|is forbidden|is prohibited)\b/i,
+  // "Keep X" / "Preserve X" / "Protect X"
+  /^[-*•]\s*(Keep|Preserve|Protect|Maintain|Ensure|Enforce)\b/,
+  // Negative imperatives
+  /^[-*•]\s*(Avoid|Prevent|Prohibit|Forbid|Restrict|Disallow)\b/i,
+  // "should never" / "must never" / "must always"
+  /\b(should never|must never|must always|should always|must not|should not|cannot|can not)\b/i,
+];
+
+// Patterns that signal a decision/choice
+const DECISION_PATTERNS = [
+  /^[-*•]\s*(Use|Using|Tech stack|Stack|Framework|We use|Built with|Powered by)\b/i,
+  /\b(tech stack|architecture|we chose|we decided|we use|built with)\b/i,
+];
+
+// Lines to skip (headers, empty, comments, boilerplate)
+const SKIP_PATTERNS = [
+  /^#+\s/,                    // Markdown headers
+  /^---+$/,                   // Horizontal rules
+  /^\s*$/,                    // Empty lines
+  /^```/,                     // Code fences
+  /^<!--/,                    // HTML comments
+  /^>\s/,                     // Blockquotes (context, not rules)
+  /^Auto-synced by SpecLock/, // Our own output
+  /^Powered by \[SpecLock\]/, // Our own footer
+  /^#\s*SpecLock/,            // SpecLock headers
+];
+
+/**
+ * Extract constraints from raw text using heuristic pattern matching.
+ * No API key required — works offline, instantly.
+ */
+export function extractConstraints(content, sourceFile) {
+  const lines = content.split("\n");
+  const locks = [];
+  const decisions = [];
+  const seen = new Set();
+
+  for (let i = 0; i < lines.length; i++) {
+    const raw = lines[i];
+    const trimmed = raw.trim();
+
+    // Skip non-content lines
+    if (SKIP_PATTERNS.some((p) => p.test(trimmed))) continue;
+
+    // Clean up: remove leading bullet/dash, markdown bold
+    const cleaned = trimmed
+      .replace(/^[-*•]\s*/, "")
+      .replace(/\*\*/g, "")
+      .trim();
+
+    if (cleaned.length < 10 || cleaned.length > 300) continue;
+
+    // Deduplicate
+    const key = cleaned.toLowerCase().replace(/\s+/g, " ");
+    if (seen.has(key)) continue;
+
+    // Check for constraint patterns
+    if (CONSTRAINT_PATTERNS.some((p) => p.test(trimmed) || p.test(cleaned))) {
+      seen.add(key);
+      locks.push({
+        text: cleaned,
+        tags: [sourceFile.replace(/[/.]/g, "_").replace(/^_+|_+$/g, "")],
+        source: "guardian",
+        line: i + 1,
+      });
+      continue;
+    }
+
+    // Check for decision patterns
+    if (DECISION_PATTERNS.some((p) => p.test(trimmed) || p.test(cleaned))) {
+      seen.add(key);
+      decisions.push({
+        text: cleaned,
+        tags: [sourceFile.replace(/[/.]/g, "_").replace(/^_+|_+$/g, "")],
+        line: i + 1,
+      });
+    }
+  }
+
+  return { locks, decisions };
+}
+
+/**
+ * Run the full Guardian protect flow:
+ * 1. Init SpecLock if needed
+ * 2. Discover rule files
+ * 3. Extract constraints from each
+ * 4. Add as locks (skip duplicates with existing)
+ * 5. Install pre-commit hook
+ * 6. Sync rules back to all formats
+ * 7. Generate context
+ *
+ * Returns a report object.
+ */
+export function protect(root, options = {}) {
+  const report = {
+    discovered: [],
+    extracted: { locks: 0, decisions: 0 },
+    added: { locks: 0, decisions: 0, skipped: 0 },
+    hookInstalled: false,
+    hookStatus: "",
+    synced: [],
+    errors: [],
+  };
+
+  // 1. Init
+  const brain = ensureInit(root);
+
+  // 2. Discover
+  const ruleFiles = discoverRuleFiles(root);
+  report.discovered = ruleFiles.map((f) => ({
+    file: f.file,
+    tool: f.tool,
+    lines: f.lines,
+    size: f.size,
+  }));
+
+  if (ruleFiles.length === 0) {
+    report.errors.push(
+      "No AI rule files found (.cursorrules, CLAUDE.md, AGENTS.md, etc). " +
+      "Create one first, or use 'speclock setup' to start from scratch."
+    );
+    return report;
+  }
+
+  // 3. Extract constraints from each file
+  const allLocks = [];
+  const allDecisions = [];
+
+  for (const rf of ruleFiles) {
+    const result = extractConstraints(rf.content, rf.file);
+    allLocks.push(...result.locks);
+    allDecisions.push(...result.decisions);
+  }
+
+  report.extracted.locks = allLocks.length;
+  report.extracted.decisions = allDecisions.length;
+
+  // 4. Add locks (skip duplicates against existing brain locks)
+  const existingTexts = new Set(
+    (brain.specLock?.items || [])
+      .filter((l) => l.active !== false)
+      .map((l) => l.text.toLowerCase().replace(/\s+/g, " "))
+  );
+
+  for (const lock of allLocks) {
+    const normalized = lock.text.toLowerCase().replace(/\s+/g, " ");
+    if (existingTexts.has(normalized)) {
+      report.added.skipped++;
+      continue;
+    }
+    existingTexts.add(normalized);
+    addLock(root, lock.text, lock.tags, lock.source || "guardian");
+    report.added.locks++;
+  }
+
+  for (const dec of allDecisions) {
+    const normalized = dec.text.toLowerCase().replace(/\s+/g, " ");
+    if (existingTexts.has(normalized)) {
+      report.added.skipped++;
+      continue;
+    }
+    existingTexts.add(normalized);
+    addDecision(root, dec.text, dec.tags, "guardian");
+    report.added.decisions++;
+  }
+
+  // 5. Install pre-commit hook
+  if (!options.skipHook) {
+    if (isHookInstalled(root)) {
+      report.hookInstalled = true;
+      report.hookStatus = "already installed";
+    } else {
+      const hookResult = installHook(root);
+      report.hookInstalled = hookResult.success;
+      report.hookStatus = hookResult.success
+        ? "installed"
+        : hookResult.error || "failed";
+    }
+  } else {
+    report.hookStatus = "skipped (--no-hook)";
+  }
+
+  // 6. Sync rules to formats that WEREN'T source files (don't overwrite user's originals)
+  if (!options.skipSync) {
+    const sourceFiles = new Set(ruleFiles.map((f) => f.file));
+    try {
+      const syncResult = syncRules(root, { format: "all", excludeFiles: sourceFiles });
+      report.synced = (syncResult.synced || []).map((s) => s.file || s);
+    } catch (e) {
+      report.errors.push(`Sync failed: ${e.message}`);
+    }
+  }
+
+  // 7. Generate context
+  try {
+    generateContext(root);
+  } catch (_) {
+    // Non-critical
+  }
+
+  return report;
+}
+
+/**
+ * Format protect report for CLI output.
+ */
+export function formatProtectReport(report) {
+  const lines = [];
+
+  lines.push("");
+  lines.push("  SpecLock Protect — Guardian Mode");
+  lines.push("  " + "=".repeat(50));
+  lines.push("");
+
+  // Discovered files
+  if (report.discovered.length > 0) {
+    lines.push("  Rule files found:");
+    for (const f of report.discovered) {
+      lines.push(`    [+] ${f.file} (${f.tool}, ${f.lines} lines)`);
+    }
+  } else {
+    lines.push("  [!] No rule files found.");
+  }
+  lines.push("");
+
+  // Extracted
+  lines.push(`  Extracted: ${report.extracted.locks} constraints, ${report.extracted.decisions} decisions`);
+
+  // Added
+  if (report.added.locks > 0 || report.added.decisions > 0) {
+    lines.push(`  Added:     ${report.added.locks} new locks, ${report.added.decisions} new decisions`);
+  }
+  if (report.added.skipped > 0) {
+    lines.push(`  Skipped:   ${report.added.skipped} (already existed)`);
+  }
+  lines.push("");
+
+  // Hook
+  if (report.hookStatus === "installed") {
+    lines.push("  Pre-commit hook: INSTALLED");
+    lines.push("  Every commit will now be checked against your constraints.");
+  } else if (report.hookStatus === "already installed") {
+    lines.push("  Pre-commit hook: already active");
+  } else {
+    lines.push(`  Pre-commit hook: ${report.hookStatus}`);
+  }
+  lines.push("");
+
+  // Sync
+  if (report.synced.length > 0) {
+    lines.push("  Rules synced to:");
+    for (const s of report.synced) {
+      lines.push(`    [+] ${s}`);
+    }
+    lines.push("");
+  }
+
+  // Errors
+  if (report.errors.length > 0) {
+    for (const e of report.errors) {
+      lines.push(`  [!] ${e}`);
+    }
+    lines.push("");
+  }
+
+  // Final message
+  const total = report.added.locks + report.added.skipped;
+  if (total > 0) {
+    lines.push("  Your rules are now ENFORCED, not just suggested.");
+    lines.push("  AI agents that violate constraints will be blocked.");
+  }
+  lines.push("");
+
+  return lines.join("\n");
+}

package/src/core/rules-sync.js

@@ -451,7 +451,11 @@ export function syncRules(root, options = {}) {
   const synced = [];
   const errors = [];
 
+  // Skip formats whose output files are in the exclude list (used by guardian to avoid overwriting source files)
+  const excludeFiles = options.excludeFiles instanceof Set ? options.excludeFiles : new Set();
+
   for (const [key, fmt] of Object.entries(formats)) {
+    if (excludeFiles.has(fmt.file)) continue;
     try {
       const content = fmt.generate(brain);
       const filePath = path.join(root, fmt.file);

package/src/core/semantics.js

@@ -787,6 +787,17 @@ export const CONCEPT_MAP = {
   "location data":     ["subscriber data", "tracking data", "geolocation",
                         "user location", "pii"],
 
+  // Programming languages (alternatives = language switch conflict)
+  "typescript":        ["programming language", "typed language", "javascript",
+                        "language", "ts"],
+  "javascript":        ["programming language", "scripting language", "typescript",
+                        "language", "js"],
+  "python":            ["programming language", "scripting language", "language"],
+  "golang":            ["programming language", "language", "go"],
+  "rust":              ["programming language", "systems language", "language"],
+  "java":              ["programming language", "language", "kotlin"],
+  "kotlin":            ["programming language", "language", "java"],
+
   // Frontend frameworks (alternatives = change framework conflict)
   "react":             ["frontend framework", "ui framework", "frontend", "ui",
                         "vue", "angular", "svelte", "sveltekit", "next.js", "nextjs"],
@@ -1433,7 +1444,9 @@ function isProhibitiveLock(lockText) {
     || /\bno\s+\w/i.test(lockText)
     // Normalized lock patterns from lock-author.js rewriting
     || /\bis\s+frozen\b/i.test(lockText)
-    || /\bmust\s+(remain|be\s+preserved|stay|always)\b/i.test(lockText);
+    || /\bmust\s+(remain|be\s+preserved|stay|always)\b/i.test(lockText)
+    // "ALWAYS use X" is a preservation mandate — removing X violates it
+    || /^\s*always\b/i.test(lockText);
 }
 
 // ===================================================================
@@ -2227,7 +2240,7 @@ export function scoreConflict({ actionText, lockText }) {
   // "Test that Stripe is working" is COMPLIANT with "must always use Stripe"
   // "Debug the Stripe webhook" is COMPLIANT — it's verifying the preserved system
   {
-    const lockIsPreservation = /must remain|must be preserved|must always|at all times|must stay/i.test(lockText);
+    const lockIsPreservation = /must remain|must be preserved|must always|at all times|must stay|^\s*always\b/im.test(lockText);
 
     if (!intentAligned && lockIsPreservation) {
       const SAFE_FOR_PRESERVATION = new Set([
@@ -2339,7 +2352,7 @@ export function scoreConflict({ actionText, lockText }) {
   // But: "Update payment to use Razorpay" vs "Stripe lock" → introducing competitor → NOT safe
   // But: "Add Stripe key to frontend" → "add" not in WORKING_WITH_VERBS → NOT safe
   if (!intentAligned && actionPrimaryVerb) {
-    const lockIsPreservationOrFreeze = /must remain|must be preserved|must always|at all times|must stay|must never|must not|should never|do not replace|do not remove|do not switch|don't replace|don't remove|don't switch|don't|do not|never|uses .+ library/i.test(lockText);
+    const lockIsPreservationOrFreeze = /must remain|must be preserved|must always|at all times|must stay|must never|must not|should never|do not replace|do not remove|do not switch|don't replace|don't remove|don't switch|don't|do not|never|uses .+ library|^\s*always\b/im.test(lockText);
     if (lockIsPreservationOrFreeze) {
       // Extract specific brand/tech names from the lock text
       const lockWords = lockText.toLowerCase().split(/\s+/).map(w => w.replace(/[^a-z0-9]/g, "")).filter(w => w.length > 2);
@@ -2356,6 +2369,9 @@ export function scoreConflict({ actionText, lockText }) {
         "baileys", "twilio", "whatsapp",
         "auth0", "okta", "cognito", "keycloak",
         "react", "vue", "angular", "svelte", "nextjs", "nuxt",
+        "typescript", "javascript", "python", "golang", "rust", "java", "kotlin",
+        "tailwind", "bootstrap", "prisma", "drizzle", "sequelize",
+        "express", "fastapi", "django", "flask", "rails",
         "docker", "kubernetes", "terraform", "ansible",
         "aws", "gcp", "azure", "vercel", "netlify", "railway", "heroku",
       ]);
@@ -2406,7 +2422,7 @@ export function scoreConflict({ actionText, lockText }) {
       "build", "add", "create", "implement", "make", "design",
       "develop", "introduce",
     ]);
-    const lockIsPreservation = /must remain|must be preserved|must always|at all times|must stay/i.test(lockText);
+    const lockIsPreservation = /must remain|must be preserved|must always|at all times|must stay|^\s*always\b/im.test(lockText);
     if (lockIsPreservation) {
       if (ENHANCEMENT_VERBS.has(actionPrimaryVerb)) {
         // Enhancement verbs always align with preservation locks

package/src/core/telemetry.js

@@ -257,7 +257,7 @@ export async function flushToRemote(root) {
   // Build anonymized payload
   const payload = {
     instanceId: summary.instanceId,
-    version: "4.5.7",
+    version: "5.5.1",
     totalCalls: summary.totalCalls,
     avgResponseMs: summary.avgResponseMs,
     conflicts: summary.conflicts,

package/src/dashboard/index.html

@@ -89,7 +89,7 @@
 <div class="header">
   <div>
     <h1><span>SpecLock</span> Dashboard</h1>
-    <div class="meta">v5.4.1 &mdash; AI Constraint Engine</div>
+    <div class="meta">v5.5.1 &mdash; Your AI has rules. SpecLock makes them unbreakable.</div>
   </div>
   <div style="display:flex;align-items:center;gap:12px;">
     <span id="health-badge" class="status-badge healthy">Loading...</span>
@@ -182,7 +182,7 @@
 </div>
 
 <div style="text-align:center;padding:24px;color:var(--muted);font-size:12px;">
-  SpecLock v5.4.1 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
+  SpecLock v5.5.1 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
 </div>
 
 <script>

package/src/mcp/http-server.js

@@ -113,7 +113,7 @@ import { fileURLToPath } from "url";
 import _path from "path";
 
 const PROJECT_ROOT = process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
-const VERSION = "5.4.1";
+const VERSION = "5.5.1";
 const AUTHOR = "Sandeep Roy";
 const START_TIME = Date.now();
 
@@ -887,7 +887,7 @@ app.get("/health", (req, res) => {
     status: "healthy",
     version: VERSION,
     uptime: Math.floor((Date.now() - START_TIME) / 1000),
-    tools: 42,
+    tools: 51,
     auditChain: auditStatus,
     authEnabled: isAuthEnabled(PROJECT_ROOT),
     rateLimit: { limit: RATE_LIMIT, windowMs: RATE_WINDOW_MS },
@@ -901,8 +901,8 @@ app.get("/", (req, res) => {
     name: "speclock",
     version: VERSION,
     author: AUTHOR,
-    description: "AI Constraint Engine — Universal Rules Sync + AI Patch Firewall. Syncs constraints to Cursor, Claude Code, Copilot, Windsurf, Gemini, Aider, AGENTS.md. Patch Gateway (ALLOW/WARN/BLOCK verdicts), diff-native review (interface breaks, protected symbols, dependency drift, schema changes, API impact). Spec Compiler (NL→constraints), Code Graph (blast radius, lock-to-file mapping), Typed constraints, REST API v2, Python SDK + ROS2 integration. Policy-as-Code, RBAC, AES-256-GCM encryption, HMAC audit chain, SOC 2/HIPAA compliance. 49 MCP tools. 929 tests, 100% accuracy.",
-    tools: 49,
+    description: "Stop AI from breaking code you told it not to touch. Enforces .cursorrules, CLAUDE.md, and AGENTS.md — not just suggests. Zero-config Guardian Mode, Universal Rules Sync, AI Patch Firewall, Spec Compiler, Code Graph, Drift Score, HMAC audit chain, SOC 2/HIPAA compliance. 51 MCP tools. 976 tests.",
+    tools: 51,
     mcp_endpoint: "/mcp",
     health_endpoint: "/health",
     npm: "https://www.npmjs.com/package/speclock",

package/src/mcp/server.js

@@ -70,6 +70,7 @@ import { getReplay, listSessions, formatReplay } from "../core/replay.js";
 import { computeDriftScore, formatDriftScore } from "../core/drift-score.js";
 import { computeCoverage, formatCoverage } from "../core/coverage.js";
 import { analyzeLockStrength, formatStrength } from "../core/strengthen.js";
+import { discoverRuleFiles, protect, formatProtectReport } from "../core/guardian.js";
 import {
   readBrain,
   readEvents,
@@ -125,7 +126,7 @@ const PROJECT_ROOT =
   args.project || process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
 
 // --- MCP Server ---
-const VERSION = "5.4.1";
+const VERSION = "5.5.1";
 const AUTHOR = "Sandeep Roy";
 
 const server = new McpServer(
@@ -2065,6 +2066,46 @@ server.tool(
   }
 );
 
+// Tool 43: speclock_protect
+server.tool(
+  "speclock_protect",
+  "Zero-config Guardian Mode — Reads existing AI rule files (.cursorrules, CLAUDE.md, AGENTS.md, copilot-instructions.md, etc.), auto-extracts enforceable constraints, installs pre-commit hook, and syncs rules to all AI tools. One command, no flags. Makes your AI rules unbreakable.",
+  {
+    skipHook: { type: "boolean", description: "Skip pre-commit hook installation", default: false },
+    skipSync: { type: "boolean", description: "Skip syncing rules to all formats", default: false },
+  },
+  async ({ skipHook, skipSync }) => {
+    const report = protect(PROJECT_ROOT, { skipHook, skipSync });
+    const formatted = formatProtectReport(report);
+    return { content: [{ type: "text", text: formatted }] };
+  }
+);
+
+// Tool 44: speclock_discover_rules
+server.tool(
+  "speclock_discover_rules",
+  "Discover all AI rule files in the project (.cursorrules, CLAUDE.md, AGENTS.md, copilot-instructions.md, .windsurfrules, GEMINI.md, .aider.conf.yml). Shows which tools have rules configured and their sizes. Use this to see what rules exist before running speclock_protect.",
+  {},
+  async () => {
+    const files = discoverRuleFiles(PROJECT_ROOT);
+    if (files.length === 0) {
+      return { content: [{ type: "text", text: "No AI rule files found in this project. Create a .cursorrules, CLAUDE.md, or AGENTS.md file first." }] };
+    }
+    const lines = [
+      `## AI Rule Files Found`,
+      ``,
+      `| File | Tool | Lines | Size |`,
+      `|------|------|-------|------|`,
+    ];
+    for (const f of files) {
+      lines.push(`| \`${f.file}\` | ${f.tool} | ${f.lines} | ${f.size} bytes |`);
+    }
+    lines.push(``);
+    lines.push(`Run \`speclock_protect\` to extract constraints and make them enforceable.`);
+    return { content: [{ type: "text", text: lines.join("\n") }] };
+  }
+);
+
 // --- Smithery sandbox export ---
 export default function createSandboxServer() {
   return server;