npm - speclock - Versions diffs - 5.5.5 → 5.5.6 - Mend

speclock 5.5.5 → 5.5.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/package.json +1 -1
package/src/cli/index.js +77 -11
package/src/core/compliance.js +1 -1
package/src/core/pre-commit-semantic.js +102 -2
package/src/dashboard/index.html +2 -2
package/src/mcp/http-server.js +1 -1
package/src/mcp/server.js +1 -1

package/package.json CHANGED Viewed

@@ -2,7 +2,7 @@
   "name": "speclock",
-  "version": "5.5.5",
+  "version": "5.5.6",
   "mcpName": "io.github.sgroy10/speclock",

package/src/cli/index.js CHANGED Viewed

@@ -1,7 +1,7 @@
 import fs from "fs";
 import path from "path";
 import { fileURLToPath } from "url";
-import { getStagedDiff, parseDiff } from "../core/pre-commit-semantic.js";
+import { getStagedDiff, parseDiff, shouldSkipForSemanticAudit } from "../core/pre-commit-semantic.js";
 import {
   ensureInit,
   setGoal,
@@ -286,7 +286,7 @@ export function initFromRulePack(root, framework) {
 function printHelp() {
   console.log(`
-SpecLock v5.5.5 — Your AI has rules. SpecLock makes them unbreakable.
+SpecLock v5.5.6 — Your AI has rules. SpecLock makes them unbreakable.
 Developed by Sandeep Roy (github.com/sgroy10)
 Usage: speclock <command> [options]
@@ -1243,6 +1243,10 @@ Tip: Run "speclock sync --all" to push constraints to Cursor, Claude, Copilot, W
   // --- AUDIT-SEMANTIC (v2.5) ---
   if (cmd === "audit-semantic") {
     const flags = parseFlags(args);
+    const verbose =
+      flags.verbose === true ||
+      process.env.SPECLOCK_VERBOSE === "1" ||
+      process.env.SPECLOCK_VERBOSE === "true";
     const result = semanticAudit(root);
     // --- Commit-message + diff-content semantic check ---
@@ -1269,9 +1273,15 @@ Tip: Run "speclock sync --all" to push constraints to Cursor, Claude, Copilot, W
         } catch { /* ignore */ }
       }
-      // 2. Collect added lines from the staged diff.
+      // 2. Collect added lines from the staged diff, skipping SpecLock-internal
+      //    files (see shouldSkipForSemanticAudit). Those files' contents literally
+      //    restate the locks, so scanning their added lines produces 100%
+      //    false-positive matches for every lock in the brain.
       const diffText = getStagedDiff(root);
-      const fileChanges = diffText ? parseDiff(diffText) : [];
+      const allParsedChanges = diffText ? parseDiff(diffText) : [];
+      const fileChanges = allParsedChanges.filter(
+        (fc) => !shouldSkipForSemanticAudit(fc.file, root)
+      );
       const addedSnippets = [];
       for (const fc of fileChanges) {
         for (const line of fc.addedLines) {
@@ -1354,15 +1364,40 @@ Tip: Run "speclock sync --all" to push constraints to Cursor, Claude, Copilot, W
       process.env.SPECLOCK_STRICT === "true" ||
       result.blocked;
+    // --- Three-tier output filter (v5.5.6) ---
+    // Investor audit: walls of LOW-confidence matches are user-hostile.
+    // Only HIGH and MEDIUM print by default. LOW rolls up into a one-liner.
+    // --verbose / SPECLOCK_VERBOSE=1 shows everything.
+    const OUTPUT_MIN_CONFIDENCE = 40;  // below this = "LOW", hidden by default
+    const MAX_VISIBLE_VIOLATIONS = 10; // hard cap on printed items
+    const allViolations = result.violations || [];
+    const highViolations = allViolations.filter((v) => (v.confidence || 0) >= 70);
+    const mediumViolations = allViolations.filter(
+      (v) => (v.confidence || 0) >= OUTPUT_MIN_CONFIDENCE && (v.confidence || 0) < 70
+    );
+    const lowViolations = allViolations.filter(
+      (v) => (v.confidence || 0) < OUTPUT_MIN_CONFIDENCE
+    );
+    // What actually gets printed
+    const visibleViolations = verbose
+      ? allViolations
+      : [...highViolations, ...mediumViolations];
     console.log(`\nSemantic Pre-Commit Audit`);
     console.log("=".repeat(50));
     console.log(`Mode: ${result.mode} | Threshold: ${result.threshold}%`);
-    console.log(`Files analyzed: ${result.filesChecked}`);
+    const filesLine = result.filesSkipped
+      ? `Files analyzed: ${result.filesChecked} (${result.filesSkipped} skipped)`
+      : `Files analyzed: ${result.filesChecked}`;
+    console.log(filesLine);
     console.log(`Active locks: ${result.activeLocks}`);
-    console.log(`Violations: ${result.violations.length}`);
-    if (result.violations.length > 0) {
+    if (visibleViolations.length > 0) {
       console.log("");
-      for (const v of result.violations) {
+      const toPrint = visibleViolations.slice(0, MAX_VISIBLE_VIOLATIONS);
+      for (const v of toPrint) {
         console.log(`  [${v.level}] ${v.file} (confidence: ${v.confidence}%)`);
         console.log(`    Lock: "${v.lockText}"`);
         console.log(`    Reason: ${v.reason}`);
@@ -1370,17 +1405,48 @@ Tip: Run "speclock sync --all" to push constraints to Cursor, Claude, Copilot, W
           console.log(`    Changes: +${v.addedLines} / -${v.removedLines} lines`);
         }
       }
+      const hiddenByCap = visibleViolations.length - toPrint.length;
+      if (hiddenByCap > 0) {
+        console.log(`  ... + ${hiddenByCap} more (output capped at ${MAX_VISIBLE_VIOLATIONS})`);
+      }
+    }
+    // LOW-confidence rollup
+    if (!verbose && lowViolations.length > 0) {
+      console.log(
+        `  + ${lowViolations.length} low-confidence match(es) hidden (use --verbose or SPECLOCK_VERBOSE=1 to see)`
+      );
+    }
+    // --- New summary line ---
+    console.log("");
+    let summaryLine;
+    if (highViolations.length === 0 && mediumViolations.length === 0) {
+      summaryLine = `[OK] ${result.filesChecked} file(s) checked, no concerns.`;
+    } else if (highViolations.length > 0) {
+      summaryLine = `[!] ${highViolations.length} HIGH-confidence concern(s) — review before merging.`;
+    } else {
+      summaryLine = `[i] ${mediumViolations.length} medium-confidence note(s) (informational).`;
+    }
+    console.log(summaryLine);
+    // Preserve the machine-readable status message for any callers that grep for it
+    if (result.blocked) {
+      console.log(
+        `BLOCKED: ${highViolations.length} high-confidence violation(s) — hard enforcement active.`
+      );
     }
-    console.log(`\n${result.message}`);
-    if (result.violations.length > 0 && !strict) {
+    if (highViolations.length > 0 && !strict) {
       console.log("\nWarning mode active — commit allowed. To enforce hard blocks, run:");
       console.log("  speclock audit-semantic --strict");
       console.log("  SPECLOCK_STRICT=1 git commit ...");
       console.log("  speclock enforce hard   (persistent, project-wide)");
     }
-    process.exit(strict && result.violations.length > 0 ? 1 : 0);
+    // Blocking decision is still driven by the engine's 70% threshold, so
+    // only HIGH-confidence matches can ever cause a non-zero exit.
+    process.exit(strict && highViolations.length > 0 ? 1 : 0);
   }
   // --- AUTH (v3.0) ---

package/src/core/compliance.js CHANGED Viewed

@@ -9,7 +9,7 @@
 import { readBrain, readEvents } from "./storage.js";
 import { verifyAuditChain } from "./audit.js";
-const VERSION = "5.5.5";
+const VERSION = "5.5.6";
 // PHI-related keywords for HIPAA filtering
 const PHI_KEYWORDS = [

package/src/core/pre-commit-semantic.js CHANGED Viewed

@@ -16,6 +16,7 @@ import { analyzeConflict } from "./semantics.js";
 import { getEnforcementConfig } from "./enforcer.js";
 const GUARD_TAG = "SPECLOCK-GUARD";
+const SPECLOCK_AUTOGEN_MARKER = "SpecLock";
 const MAX_LINES_PER_FILE = 500;
 const BINARY_EXTENSIONS = new Set([
   "png", "jpg", "jpeg", "gif", "bmp", "ico", "svg", "webp",
@@ -27,6 +28,98 @@ const BINARY_EXTENSIONS = new Set([
   "lock", "map",
 ]);
+// Files / dirs that SpecLock itself auto-creates during `protect` or that
+// are just noise for semantic analysis. These are ALWAYS skipped from the
+// diff-level semantic audit because matching against them produces nothing
+// but false positives (e.g. rules files describe the same concepts the
+// locks describe, so they always "conflict" with themselves).
+const ALWAYS_SKIP_EXACT = new Set([
+  ".cursor/rules/speclock.mdc",
+  ".windsurf/rules/speclock.md",
+  ".aider.conf.yml",
+  ".mcp.json",
+  "package-lock.json",
+  "yarn.lock",
+  "pnpm-lock.yaml",
+  "Cargo.lock",
+  "poetry.lock",
+  "Gemfile.lock",
+  "composer.lock",
+]);
+// Directory prefixes that are always skipped.
+const ALWAYS_SKIP_DIR_PREFIXES = [
+  ".speclock/",
+  "node_modules/",
+  "dist/",
+  "build/",
+  ".next/",
+  ".nuxt/",
+  "__pycache__/",
+  ".venv/",
+  "venv/",
+  ".cache/",
+  "coverage/",
+  ".turbo/",
+];
+// Files that are skipped ONLY if their content carries the SpecLock
+// auto-generated marker (so hand-written AGENTS.md etc. still get audited).
+// CLAUDE.md is included because `speclock protect` seeds it with the active
+// locks — on the initial commit after protect, the file literally IS the
+// locks, so every semantic check would produce a false positive.
+const CONDITIONAL_SKIP_IF_AUTOGEN = new Set([
+  "AGENTS.md",
+  "GEMINI.md",
+  "CLAUDE.md",
+  ".github/copilot-instructions.md",
+]);
+/**
+ * Normalize a path to forward slashes for comparison.
+ */
+function normalizePath(p) {
+  return (p || "").replace(/\\/g, "/");
+}
+/**
+ * Decide whether a file should be skipped by the semantic pre-commit audit.
+ * This is the single source of truth for "is this a SpecLock internal file
+ * or generated noise we should not audit".
+ *
+ * @param {string} file - repo-relative path
+ * @param {string} root - repo root (to check content of conditional files)
+ * @returns {boolean} true if the file should be skipped
+ */
+export function shouldSkipForSemanticAudit(file, root) {
+  const norm = normalizePath(file);
+  // 1. Binary extensions
+  const ext = path.extname(norm).slice(1).toLowerCase();
+  if (BINARY_EXTENSIONS.has(ext)) return true;
+  // 2. Exact path matches (lockfiles, auto-generated rules files, .mcp.json)
+  if (ALWAYS_SKIP_EXACT.has(norm)) return true;
+  // 3. Directory prefix matches
+  for (const prefix of ALWAYS_SKIP_DIR_PREFIXES) {
+    if (norm === prefix.slice(0, -1) || norm.startsWith(prefix)) return true;
+  }
+  // 4. Conditionally-skipped files (only if they carry the auto-gen marker)
+  if (CONDITIONAL_SKIP_IF_AUTOGEN.has(norm)) {
+    try {
+      const fullPath = path.join(root, file);
+      if (fs.existsSync(fullPath)) {
+        const content = fs.readFileSync(fullPath, "utf-8");
+        if (content.includes(SPECLOCK_AUTOGEN_MARKER)) return true;
+      }
+    } catch { /* ignore read errors */ }
+  }
+  return false;
+}
 /**
  * Parse a unified diff into per-file change blocks.
  * Returns array of { file, addedLines, removedLines, hunks }.
@@ -191,8 +284,14 @@ export function semanticAudit(root) {
     };
   }
-  // Parse diff into per-file changes
-  const fileChanges = parseDiff(diff);
+  // Parse diff into per-file changes, then drop SpecLock-internal / generated
+  // files so we don't flood the user with false positives from files that
+  // SpecLock itself creates or manages.
+  const allFileChanges = parseDiff(diff);
+  const fileChanges = allFileChanges.filter(
+    (fc) => !shouldSkipForSemanticAudit(fc.file, root)
+  );
+  const skippedCount = allFileChanges.length - fileChanges.length;
   const violations = [];
   for (const fc of fileChanges) {
@@ -276,6 +375,7 @@ export function semanticAudit(root) {
     blocked,
     violations: uniqueViolations,
     filesChecked: fileChanges.length,
+    filesSkipped: skippedCount,
     activeLocks: activeLocks.length,
     mode: config.mode,
     threshold: config.blockThreshold,

package/src/dashboard/index.html CHANGED Viewed

@@ -89,7 +89,7 @@
 <div class="header">
   <div>
     <h1><span>SpecLock</span> Dashboard</h1>
-    <div class="meta">v5.5.5 &mdash; Your AI has rules. SpecLock makes them unbreakable.</div>
+    <div class="meta">v5.5.6 &mdash; Your AI has rules. SpecLock makes them unbreakable.</div>
   </div>
   <div style="display:flex;align-items:center;gap:12px;">
     <span id="health-badge" class="status-badge healthy">Loading...</span>
@@ -182,7 +182,7 @@
 </div>
 <div style="text-align:center;padding:24px;color:var(--muted);font-size:12px;">
-  SpecLock v5.5.5 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
+  SpecLock v5.5.6 &mdash; Developed by Sandeep Roy &mdash; <a href="https://github.com/sgroy10/speclock" style="color:var(--accent)">GitHub</a>
 </div>
 <script>

package/src/mcp/http-server.js CHANGED Viewed

@@ -113,7 +113,7 @@ import { fileURLToPath } from "url";
 import _path from "path";
 const PROJECT_ROOT = process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
-const VERSION = "5.5.5";
+const VERSION = "5.5.6";
 const AUTHOR = "Sandeep Roy";
 const START_TIME = Date.now();

package/src/mcp/server.js CHANGED Viewed

@@ -126,7 +126,7 @@ const PROJECT_ROOT =
   args.project || process.env.SPECLOCK_PROJECT_ROOT || process.cwd();
 // --- MCP Server ---
-const VERSION = "5.5.5";
+const VERSION = "5.5.6";
 const AUTHOR = "Sandeep Roy";
 const server = new McpServer(