npm - specvector - Versions diffs - 0.3.1 → 0.3.3 - Mend

specvector 0.3.1 → 0.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "specvector",
-  "version": "0.3.1",
+  "version": "0.3.3",
   "description": "Context-aware AI code review using Model Context Protocol (MCP)",
   "type": "module",
   "main": "src/index.ts",

package/src/config/index.ts CHANGED Viewed

@@ -280,19 +280,19 @@ export function getStrictnessModifier(strictness: SpecVectorConfig["strictness"]
   switch (strictness) {
     case "strict":
       return `Be VERY strict. Flag any potential issue, no matter how minor.
-Focus on: security vulnerabilities, performance issues, error handling, edge cases.
+Focus on: security vulnerabilities, logic errors, boundary conditions, data flow issues, performance problems, error handling, edge cases.
 Do not approve code that could be improved.`;
     case "lenient":
       return `Be lenient and focus only on critical issues.
-Only flag: bugs that would cause runtime errors, security vulnerabilities, obvious mistakes.
-Skip: style issues, minor improvements, suggestions.
+Only flag: bugs that would cause runtime errors, logic errors causing crashes or data corruption, security vulnerabilities, obvious mistakes.
+Skip: style issues, minor improvements, suggestions, theoretical problems.
 Approve unless there are blocking issues.`;
     case "normal":
     default:
       return `Use balanced judgement. Flag important issues but don't be nitpicky.
-Focus on: bugs, security, performance, maintainability.
-Skip: purely stylistic preferences.`;
+Focus on: logic errors that would cause real bugs in production, security, performance, maintainability.
+Skip: purely stylistic preferences, theoretical issues you haven't verified.`;
   }
 }

package/src/index.ts CHANGED Viewed

@@ -9,6 +9,7 @@ import { postPRComment } from "./github/comment";
 import { parseDiff, getDiffSummary } from "./review/diff-parser";
 import { formatReviewComment, formatReviewSummary } from "./review/formatter";
 import { runReview } from "./review/engine";
+import { redactError } from "./utils/redact";
 const VERSION = "0.1.0";
@@ -132,7 +133,6 @@ async function handleReview(args: string[]): Promise<void> {
     displayAndPostReview(mockReview, prNumber, dryRun);
   } else {
     console.log("🤖 Running AI review...");
-    console.log("   (this may take 15-30 seconds)");
     console.log("");
     // Get branch name for Linear context
@@ -242,6 +242,6 @@ function generateMockReview(filesReviewed: number): import("./types/review").Rev
 // Run the CLI
 main().catch((error) => {
-  console.error("Fatal error:", error);
+  console.error("Fatal error:", redactError(error));
   process.exit(1);
 });

package/src/mcp/mcp-client.ts CHANGED Viewed

@@ -17,6 +17,7 @@ import type {
   MCPToolsListResult,
   MCPToolCallResult,
 } from "./types";
+import { redactSecrets, buildSafeEnv } from "../utils/redact";
 // ============================================================================
 // Constants
@@ -73,7 +74,7 @@ export async function createMCPClient(
   let proc: Subprocess;
   try {
     proc = spawn([config.command, ...config.args], {
-      env: { ...process.env, ...config.env },
+      env: buildSafeEnv(config.env as Record<string, string> | undefined),
       stdin: "pipe",
       stdout: "pipe",
       stderr: "pipe",
@@ -351,7 +352,7 @@ function startReadingStderr(state: MCPClientState): void {
         const text = decoder.decode(value, { stream: true });
         // Log stderr for debugging (could be made configurable)
         if (text.trim()) {
-          console.error(`[MCP:${state.config.name}] ${text.trim()}`);
+          console.error(`[MCP:${state.config.name}] ${redactSecrets(text.trim())}`);
         }
       }
     } catch {

package/src/review/engine.ts CHANGED Viewed

@@ -172,7 +172,7 @@ export async function runReview(
 /**
  * System prompt for the code review agent.
  */
-const REVIEW_SYSTEM_PROMPT = `You are a pragmatic code reviewer. Your job is to catch REAL problems, not nitpick.
+export const REVIEW_SYSTEM_PROMPT = `You are a pragmatic code reviewer. Your job is to catch REAL problems, not nitpick.
 ## Tools Available
 - read_file: Read source files to understand context
@@ -181,21 +181,43 @@ const REVIEW_SYSTEM_PROMPT = `You are a pragmatic code reviewer. Your job is to
 - get_outline: Get functions/classes in a file (fast overview)
 - find_symbol: Find where a function or class is defined
+## Tool Use Strategy
+Before flagging any issue, you MUST verify your understanding:
+1. **Read the full file** for any function being changed — don't judge from diff alone
+2. **Use find_symbol** to trace how changed functions are called by other code
+3. **Use grep** to find other usages of modified functions or variables
+4. **Only flag an issue if you have verified it** by reading the surrounding context
 ## What to Look For (in priority order)
 1. **CRITICAL**: Security vulnerabilities, data loss, crashes
 2. **HIGH**: Bugs that WILL break functionality in production
 3. **MEDIUM**: Significant code quality issues (not style nits)
+## Business Logic Patterns to Detect
+Focus on real logic errors that cause incorrect behavior:
+- **Off-by-one errors**: Wrong boundary conditions, < vs <=, array index issues
+- **Null/undefined handling**: Missing null checks on values that can be null
+- **Race conditions**: Shared state without synchronization, async ordering bugs
+- **Incorrect boolean logic**: Inverted conditions, wrong operator (AND vs OR)
+- **Missing error paths**: Happy-path-only code that ignores failure cases in data flows
+- **Wrong operator**: Using = instead of ==, + instead of -, incorrect comparisons
+- **State management bugs**: Mutating shared state, stale closures, incorrect resets
+- **Type coercion issues**: Implicit conversions causing unexpected behavior
 ## What NOT to Flag
 - Style preferences or "I would do it differently"
 - Theoretical performance issues without evidence
 - Missing edge case tests for working code
 - "Could be refactored" suggestions
 - Code that works but isn't perfect
+- Naming convention preferences
+- Comment formatting or missing comments
+- Import ordering or grouping
 ## Key Principle
 Most PRs should have 0-2 findings. If you're finding 5+ issues, you're being too picky.
 Only flag issues you'd actually block a PR for in a real code review.
+Verify every finding with tool use before reporting it.
 ## Response Format
 SUMMARY: [1-2 sentences - is this code ready to merge?]
@@ -228,15 +250,15 @@ ${diff.length > 15000 ? "\n(diff truncated, use tools to read full files if need
 ## Instructions
 1. First, understand what the changes are doing
-2. Use tools to explore related code if needed (find usages, read implementations)
-3. Identify any issues with the changes
+2. Use tools to explore related code — read full files, trace call chains, check usages
+3. For each potential issue, verify it by reading surrounding context before flagging
 4. Provide your review in the specified format`;
 }
 /**
  * Parse the agent's response into structured findings.
  */
-function parseReviewResponse(response: string, diffSummary: string, contextSources: ContextSource[] = []): ReviewResult {
+export function parseReviewResponse(response: string, diffSummary: string, contextSources: ContextSource[] = []): ReviewResult {
   const findings: ReviewFinding[] = [];
   // Extract summary

package/src/utils/redact.ts ADDED Viewed

@@ -0,0 +1,125 @@
+/**
+ * Secret redaction utilities.
+ *
+ * Prevents API keys, tokens, and other sensitive values from appearing
+ * in logs, error messages, or PR comments.
+ *
+ * Story 7.4: Security Enforcement (NFR4, NFR5)
+ */
+/**
+ * Environment variable names that contain secrets.
+ * Values from these variables will be redacted from any output.
+ */
+const SECRET_ENV_VARS = [
+  "OPENROUTER_API_KEY",
+  "LINEAR_API_TOKEN",
+  "LINEAR_API_KEY",
+  "GITHUB_TOKEN",
+  "GH_TOKEN",
+] as const;
+/**
+ * Environment variable names that are safe to pass to MCP subprocesses.
+ * Only these variables (plus explicitly provided config.env) are forwarded.
+ */
+export const MCP_SAFE_ENV_VARS = [
+  "PATH",
+  "HOME",
+  "USER",
+  "SHELL",
+  "TERM",
+  "LANG",
+  "LC_ALL",
+  "NODE_ENV",
+  "TMPDIR",
+  "XDG_RUNTIME_DIR",
+  // Node/Bun runtime
+  "NODE_PATH",
+  "BUN_INSTALL",
+  // npm/npx needs these to find packages
+  "npm_config_prefix",
+  "npm_config_cache",
+  "NVM_DIR",
+  "NVM_BIN",
+  "VOLTA_HOME",
+] as const;
+/**
+ * Redact known secret values from a string.
+ *
+ * Scans the string for any values that match current environment variable
+ * secrets and replaces them with "[REDACTED]".
+ *
+ * @param text - The string to redact secrets from
+ * @returns The redacted string
+ */
+export function redactSecrets(text: string): string {
+  let redacted = text;
+  for (const envVar of SECRET_ENV_VARS) {
+    const value = process.env[envVar];
+    if (value && value.length >= 4) {
+      // Replace all occurrences of the secret value
+      redacted = redacted.replaceAll(value, "[REDACTED]");
+    }
+  }
+  return redacted;
+}
+/**
+ * Safely stringify an error, redacting any secrets.
+ *
+ * Handles unknown error types (Error, string, object, etc.)
+ * and ensures no secret values leak through error messages.
+ *
+ * @param error - The error to stringify
+ * @returns A safe, redacted error string
+ */
+export function redactError(error: unknown): string {
+  let message: string;
+  if (error instanceof Error) {
+    // Only use message, not stack (stack can contain env var values)
+    message = error.message;
+  } else if (typeof error === "string") {
+    message = error;
+  } else {
+    try {
+      message = JSON.stringify(error) ?? String(error);
+    } catch {
+      message = String(error);
+    }
+  }
+  return redactSecrets(message);
+}
+/**
+ * Build a filtered environment for MCP subprocesses.
+ *
+ * Only includes safe, non-secret environment variables from process.env,
+ * merged with any explicitly provided config env vars.
+ *
+ * @param configEnv - Additional env vars from MCP config (may include tokens intentionally)
+ * @returns A filtered environment object
+ */
+export function buildSafeEnv(configEnv?: Record<string, string>): Record<string, string> {
+  const safeEnv: Record<string, string> = {};
+  // Only copy allowed env vars from process.env
+  for (const key of MCP_SAFE_ENV_VARS) {
+    const value = process.env[key];
+    if (value !== undefined) {
+      safeEnv[key] = value;
+    }
+  }
+  // Merge explicitly provided config env (these are intentional, e.g., LINEAR_API_KEY)
+  if (configEnv) {
+    Object.assign(safeEnv, configEnv);
+  }
+  return safeEnv;
+}