speclock 5.5.3 → 5.5.5

package/src/dashboard/index.html

@@ -89,7 +89,7 @@
 <div class="header">
   <div>
     <h1><span>SpecLock</span> Dashboard</h1>
-    <div class="meta">v5.5.3 &mdash; Your AI has rules. SpecLock makes them unbreakable.</div>
+    <div class="meta">v5.5.5 &mdash; Your AI has rules. SpecLock makes them unbreakable.</div>
   </div>
   <div style="display:flex;align-items:center;gap:12px;">
     <span id="health-badge" class="status-badge healthy">Loading...</span>
@@ -182,7 +182,7 @@
 </div>
 
 <div style="text-align:center;padding:24px;color:var(--muted);font-size:12px;">
-  SpecLock v5.5.3 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
+  SpecLock v5.5.5 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
 </div>
 
 <script>

package/src/mcp/http-server.js

@@ -1,6 +1,6 @@
 /**
  * SpecLock MCP HTTP Server — for Railway / remote deployment
- * Wraps the same 22 tools as the stdio server using Streamable HTTP transport.
+ * Wraps the same 51 tools as the stdio server using Streamable HTTP transport.
  * Developed by Sandeep Roy (https://github.com/sgroy10)
  */
 
@@ -113,7 +113,7 @@ import { fileURLToPath } from "url";
 import _path from "path";
 
 const PROJECT_ROOT = process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
-const VERSION = "5.5.3";
+const VERSION = "5.5.5";
 const AUTHOR = "Sandeep Roy";
 const START_TIME = Date.now();
 

package/src/mcp/server.js

@@ -126,7 +126,7 @@ const PROJECT_ROOT =
   args.project || process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
 
 // --- MCP Server ---
-const VERSION = "5.5.3";
+const VERSION = "5.5.5";
 const AUTHOR = "Sandeep Roy";
 
 const server = new McpServer(

package/src/templates/rule-packs/fastapi.md

@@ -0,0 +1,22 @@
+# FastAPI Rule Pack
+
+Curated SpecLock constraints for FastAPI + Python (async, Pydantic, JWT).
+These rules are enforced by SpecLock — do not remove without a migration plan.
+
+## Rules
+
+- NEVER bypass Pydantic validation on request bodies — every endpoint must declare a typed request model.
+- NEVER expose database connection strings, API keys, or secrets in code — load them from environment variables or a secrets manager.
+- ALWAYS use FastAPI dependency injection (`Depends`) for database sessions, auth, and shared services.
+- NEVER write SQL queries with string concatenation or f-strings on user input — use parameterized queries or an ORM like SQLAlchemy.
+- ALWAYS use `async def` for I/O-bound endpoints (database, HTTP, file) and sync `def` only for pure CPU work.
+- NEVER catch broad `Exception` without logging the traceback — use `logger.exception` and re-raise when appropriate.
+- ALWAYS validate and verify JWT tokens (signature, expiry, issuer, audience) before trusting any claim.
+- NEVER store passwords in plaintext — use bcrypt, argon2, or passlib with a strong work factor.
+- NEVER expose internal error messages, stack traces, or ORM errors to API responses — return sanitized error shapes.
+- ALWAYS enforce HTTPS in production environments — redirect HTTP, set HSTS, and reject insecure cookies.
+- NEVER use `eval()`, `exec()`, or `pickle.loads` on user-supplied input — all three are remote code execution vectors.
+- ALWAYS rate-limit public API endpoints with `slowapi` or an upstream gateway to prevent abuse.
+- ALWAYS pin dependency versions in `requirements.txt` or `pyproject.toml` and review with `pip-audit` / `safety`.
+- NEVER commit `.env`, `credentials.json`, or private keys to version control — add them to `.gitignore`.
+- ALWAYS configure CORS explicitly with allowed origins — never use `allow_origins=["*"]` together with credentials.

package/src/templates/rule-packs/nextjs.md

@@ -0,0 +1,22 @@
+# Next.js Rule Pack
+
+Curated SpecLock constraints for Next.js 13+ (App Router, Server Components, TypeScript).
+These rules are enforced by SpecLock — do not remove without a migration plan.
+
+## Rules
+
+- NEVER use `getServerSideProps` for static pages — use `getStaticProps` or `generateStaticParams`.
+- NEVER expose API keys or secrets to Client Components — keep them in Server Components or route handlers.
+- NEVER use `dangerouslySetInnerHTML` without sanitizing input through DOMPurify or a vetted sanitizer.
+- ALWAYS validate environment variables at startup in a typed `env.ts` (e.g. using zod or `@t3-oss/env-nextjs`).
+- NEVER mutate React state directly — always use the setter returned from `useState` or `useReducer`.
+- ALWAYS handle loading and error states in async Server Components with `loading.tsx` and `error.tsx`.
+- NEVER bundle large dependencies (moment, lodash full build, charting libs) into Client Components — lazy-load with `next/dynamic`.
+- NEVER use the `any` type in TypeScript — define proper interfaces and enable `strict: true` in tsconfig.
+- ALWAYS use `next/image` instead of raw `<img>` tags for automatic optimization, lazy loading, and CLS prevention.
+- NEVER hardcode database URLs, connection strings, or secrets in source files — read from `process.env`.
+- ALWAYS default to Server Components; opt into Client Components only when you need browser APIs, state, or effects.
+- NEVER ship `console.log`, `console.debug`, or `debugger` statements to production builds.
+- NEVER skip middleware authentication checks on protected routes — centralize auth in `middleware.ts`.
+- ALWAYS colocate route-specific code under `app/` and shared code under `lib/` or `components/`.
+- NEVER call `fetch` without explicit `cache` or `next.revalidate` options on Server Components — be intentional about caching.

package/src/templates/rule-packs/node.md

@@ -0,0 +1,22 @@
+# Node.js / Express Rule Pack
+
+Curated SpecLock constraints for Node.js and Express (async, security, reliability).
+These rules are enforced by SpecLock — do not remove without a migration plan.
+
+## Rules
+
+- NEVER block the event loop with synchronous I/O (`fs.readFileSync`, `crypto.pbkdf2Sync`) on request paths — use async variants.
+- NEVER use `eval()`, `new Function()`, or `vm.runInThisContext` on user-supplied input — they are remote code execution vectors.
+- ALWAYS validate and sanitize request input with `zod`, `joi`, or `express-validator` before trusting it.
+- NEVER concatenate user input into SQL or shell commands — use parameterized queries and `execFile` with argument arrays.
+- ALWAYS store secrets in environment variables or a secrets manager — never commit them to the repo.
+- NEVER catch promise rejections silently — always handle errors in `.catch()` or `try/await/catch` and log them.
+- ALWAYS set security headers via `helmet` and enable strict CORS with an explicit origin allowlist.
+- NEVER trust `req.body`, `req.query`, `req.params`, or `req.headers` without validation.
+- ALWAYS hash passwords with `bcrypt`, `argon2`, or `scrypt` — never MD5, SHA1, or plain SHA256.
+- NEVER use `dangerouslySetInnerHTML`, `eval`-based templating, or unescaped interpolation in server-rendered HTML.
+- ALWAYS pin dependencies with `package-lock.json` and audit with `npm audit` / `snyk` in CI.
+- NEVER ship `console.log` or `debugger` statements to production — use a proper logger like `pino` or `winston`.
+- ALWAYS enforce rate limiting on public endpoints with `express-rate-limit` or an upstream gateway.
+- NEVER log passwords, tokens, session IDs, or PII — redact sensitive fields before logging.
+- ALWAYS handle `unhandledRejection` and `uncaughtException` at the process level and exit cleanly.

package/src/templates/rule-packs/python.md

@@ -0,0 +1,22 @@
+# Python Rule Pack
+
+Curated SpecLock constraints for generic Python projects (security, type hints, hygiene).
+These rules are enforced by SpecLock — do not remove without a migration plan.
+
+## Rules
+
+- NEVER use `eval()`, `exec()`, or `compile()` on user-supplied input — they are remote code execution vectors.
+- NEVER use `pickle.loads`, `shelve`, or `marshal.loads` on untrusted data — use JSON or a schema-validated format.
+- ALWAYS use `subprocess.run` with a list of arguments and `shell=False` — never `shell=True` on user input.
+- NEVER hardcode secrets, API keys, or passwords in source files — read from environment variables or a secrets manager.
+- ALWAYS add type hints to public functions and class methods and verify with `mypy` or `pyright` in CI.
+- NEVER catch bare `except:` — always catch specific exception classes and log the traceback.
+- ALWAYS use context managers (`with` statements) for files, sockets, locks, and database connections.
+- NEVER write SQL with string concatenation or f-strings — use parameterized queries or an ORM.
+- ALWAYS pin dependencies in `requirements.txt` / `pyproject.toml` and audit with `pip-audit` or `safety`.
+- NEVER commit virtual environments, `.env` files, or credentials to version control.
+- ALWAYS validate external input with `pydantic`, `marshmallow`, or explicit type checks before use.
+- NEVER mutate function default arguments — use `None` and assign inside the function body.
+- ALWAYS use `logging` instead of `print` for anything other than CLI output, and configure levels per environment.
+- NEVER use `os.system` — use `subprocess` with explicit argument lists.
+- ALWAYS format code with `black` / `ruff format` and lint with `ruff` / `flake8` in CI.

package/src/templates/rule-packs/rails.md

@@ -0,0 +1,22 @@
+# Ruby on Rails Rule Pack
+
+Curated SpecLock constraints for Ruby on Rails (Strong Params, ActiveRecord, security).
+These rules are enforced by SpecLock — do not remove without a migration plan.
+
+## Rules
+
+- NEVER skip Strong Parameters in controllers — always whitelist with `params.require(...).permit(...)`.
+- NEVER use `find_by_sql`, `where("..#{...}")`, or raw interpolation with user input — use parameterized ActiveRecord queries.
+- ALWAYS use `find_by!` (or `find`) instead of `find_by` when the record is required, so missing records raise 404 cleanly.
+- NEVER store secrets in `config/database.yml` or source files — use Rails encrypted credentials or environment variables.
+- ALWAYS run destructive or multi-step migrations inside transactions and provide a `down` method.
+- NEVER bypass CSRF protection except in `ActionController::API` controllers — keep `protect_from_forgery` on for HTML forms.
+- ALWAYS validate models with appropriate validators (`presence`, `uniqueness`, `length`, `format`) at the model layer, not just the form.
+- NEVER use `eval`, `instance_eval`, or `send` with user-supplied strings — they open arbitrary code execution.
+- ALWAYS prefer safe navigation (`&.`) over `try` — it is faster and fails loudly on typos.
+- NEVER ship code without tests for critical paths (auth, payments, data mutation) — enforce coverage in CI.
+- NEVER use `Marshal.load`, `YAML.load` (without `safe_load`), or `Oj.load` on untrusted data — use safe loaders.
+- ALWAYS set `force_ssl = true` in production and configure secure, HTTP-only cookies.
+- NEVER log request parameters containing passwords, tokens, or credit card data — add them to `filter_parameters`.
+- ALWAYS authorize actions with Pundit/CanCanCan — never rely on "hidden" routes for access control.
+- NEVER use `update_all` or `delete_all` without an explicit scope — they bypass callbacks and validations.

package/src/templates/rule-packs/react.md

@@ -0,0 +1,22 @@
+# React Rule Pack
+
+Curated SpecLock constraints for generic React projects (hooks, state, components).
+These rules are enforced by SpecLock — do not remove without a migration plan.
+
+## Rules
+
+- NEVER mutate state directly — always use the setter returned by `useState` or reducers from `useReducer`.
+- NEVER call hooks conditionally or inside loops — hooks must run in the same order on every render.
+- ALWAYS include every reactive dependency in `useEffect`, `useMemo`, and `useCallback` dependency arrays.
+- NEVER use array indexes as `key` props for dynamic lists — use a stable unique id.
+- ALWAYS wrap expensive computations in `useMemo` and stable callbacks in `useCallback` only when profiling proves the need.
+- NEVER fetch data inside render — use `useEffect`, a data-fetching library (React Query, SWR), or a framework loader.
+- ALWAYS handle loading, error, and empty states explicitly in every async UI path.
+- NEVER leak event listeners, timers, or subscriptions — always return a cleanup function from `useEffect`.
+- ALWAYS prefer composition over inheritance — use hooks and component composition instead of class hierarchies.
+- NEVER use `dangerouslySetInnerHTML` without sanitizing input first with DOMPurify or equivalent.
+- ALWAYS type props and state with TypeScript (or `prop-types` for JS projects) and enable `strict` mode.
+- NEVER store derived state in `useState` — compute it during render so it stays in sync.
+- ALWAYS lift state to the lowest common ancestor that needs it — avoid global state for local concerns.
+- NEVER ship `console.log` or `debugger` statements to production builds.
+- ALWAYS wrap route-level components in error boundaries so one crash does not blank the whole app.