claude-mpm 5.4.21__py3-none-any.whl → 5.4.59__py3-none-any.whl

claude_mpm/services/socketio/server/core.py

@@ -32,7 +32,6 @@ except ImportError:
 # Import VersionService for dynamic version retrieval
 import contextlib
 
-import claude_mpm
 from claude_mpm.services.version_service import VersionService
 
 from ....core.constants import SystemLimits, TimeoutConfig
@@ -277,9 +276,16 @@ class SocketIOServerCore:
                 # Extract event data from payload (handles both direct and wrapped formats)
                 # ConnectionManagerService sends: {"namespace": "...", "event": "...", "data": {...}}
                 # Direct hook events may send data directly
-                if "data" in payload and isinstance(payload.get("data"), dict):
+                # CRITICAL: Check if payload has the expected event structure (type, subtype, timestamp)
+                # If it does, use it directly. Only extract 'data' field if it's a wrapper object.
+                if "type" in payload and "subtype" in payload:
+                    # Payload is already in normalized format, use it directly
+                    event_data = payload
+                elif "data" in payload and isinstance(payload.get("data"), dict):
+                    # Payload is a wrapper with 'data' field (from ConnectionManagerService)
                     event_data = payload["data"]
                 else:
+                    # Fallback: use entire payload
                     event_data = payload
 
                 # Log receipt with more detail
@@ -409,9 +415,23 @@ class SocketIOServerCore:
                             self.event_buffer.append(event_data)
                             self.stats["events_buffered"] = len(self.event_buffer)
 
-                        # Add to main server's event history
-                        if hasattr(self.main_server, "event_history"):
+                        # Add to main server's event history UNCONDITIONALLY
+                        # WHY: event_history is always initialized in SocketIOServer.__init__
+                        # This ensures events persist for new clients who connect later
+                        if self.main_server and hasattr(
+                            self.main_server, "event_history"
+                        ):
                             self.main_server.event_history.append(event_data)
+                            self.logger.debug(
+                                f"Added to history (total: {len(self.main_server.event_history)})"
+                            )
+                        else:
+                            # CRITICAL: Log warning if event_history is not available
+                            # This indicates a configuration or initialization problem
+                            self.logger.warning(
+                                "event_history not initialized on main_server! "
+                                "Events will not persist for new clients."
+                            )
 
                         # Use the broadcaster's sio to emit (it's the same as self.sio)
                         # This ensures the event goes through the proper channels
@@ -445,6 +465,21 @@ class SocketIOServerCore:
                             self.event_buffer.append(event_data)
                             self.stats["events_buffered"] = len(self.event_buffer)
 
+                        # Add to main server's event history (fallback path)
+                        # WHY: Ensure events persist even when broadcaster is unavailable
+                        if self.main_server and hasattr(
+                            self.main_server, "event_history"
+                        ):
+                            self.main_server.event_history.append(event_data)
+                            self.logger.debug(
+                                f"Added to history via fallback (total: {len(self.main_server.event_history)})"
+                            )
+                        else:
+                            self.logger.warning(
+                                "event_history not initialized on main_server (fallback path)! "
+                                "Events will not persist for new clients."
+                            )
+
                 # Return 204 No Content for success
                 self.logger.debug(f"✅ HTTP event processed successfully: {event_type}")
                 return web.Response(status=204)
@@ -504,7 +539,7 @@ class SocketIOServerCore:
             from pathlib import Path
 
             try:
-                working_dir = Path.cwd()
+                working_dir = str(Path.cwd())
                 home_dir = str(Path.home())
 
                 return web.json_response(
@@ -594,6 +629,169 @@ class SocketIOServerCore:
         self.app.router.add_get("/api/file/read", file_read_handler)
         self.logger.info("✅ File reading API registered at /api/file/read")
 
+        # Add files listing endpoint for file browser
+        async def files_list_handler(request):
+            """Handle GET /api/files for listing files in working directory."""
+
+            try:
+                # Get working directory from query params or use current directory
+                working_dir = request.query.get("path", str(Path.cwd()))
+                abs_working_dir = Path(working_dir).resolve().expanduser()
+
+                # Security check - ensure directory is accessible
+                if not abs_working_dir.exists():
+                    return web.json_response(
+                        {"error": "Directory not found"}, status=404
+                    )
+
+                if not abs_working_dir.is_dir():
+                    return web.json_response(
+                        {"error": "Path is not a directory"}, status=400
+                    )
+
+                # Collect files and directories
+                files = []
+                directories = []
+
+                # Common patterns to exclude
+                exclude_patterns = {
+                    ".git",
+                    ".venv",
+                    "venv",
+                    "node_modules",
+                    "__pycache__",
+                    ".pytest_cache",
+                    ".mypy_cache",
+                    "dist",
+                    "build",
+                    ".next",
+                    "coverage",
+                    ".coverage",
+                    ".tox",
+                    ".eggs",
+                    "*.egg-info",
+                }
+
+                for entry in abs_working_dir.iterdir():
+                    # Skip hidden files and excluded patterns
+                    if entry.name.startswith("."):
+                        # Allow .py, .ts, .md, etc. files but skip directories like .git
+                        if entry.is_dir():
+                            continue
+
+                    # Skip excluded directories
+                    if entry.name in exclude_patterns:
+                        continue
+
+                    try:
+                        stat_info = entry.stat()
+                        entry_data = {
+                            "name": entry.name,
+                            "path": str(entry),
+                            "type": "directory" if entry.is_dir() else "file",
+                            "size": stat_info.st_size if entry.is_file() else 0,
+                            "modified": stat_info.st_mtime,
+                        }
+
+                        if entry.is_dir():
+                            directories.append(entry_data)
+                        else:
+                            # Add file extension for syntax highlighting
+                            entry_data["extension"] = entry.suffix.lower()
+                            files.append(entry_data)
+                    except (PermissionError, OSError):
+                        # Skip files we can't access
+                        continue
+
+                # Sort directories and files alphabetically
+                directories.sort(key=lambda x: x["name"].lower())
+                files.sort(key=lambda x: x["name"].lower())
+
+                return web.json_response(
+                    {
+                        "success": True,
+                        "path": str(abs_working_dir),
+                        "directories": directories,
+                        "files": files,
+                        "total_files": len(files),
+                        "total_directories": len(directories),
+                    }
+                )
+
+            except Exception as e:
+                self.logger.error(f"Error listing files: {e}")
+                return web.json_response({"error": str(e)}, status=500)
+
+        self.app.router.add_get("/api/files", files_list_handler)
+        self.logger.info("✅ Files listing API registered at /api/files")
+
+        # Add git history endpoint
+        async def git_history_handler(request):
+            """Handle POST /api/git-history for getting file git history."""
+            import subprocess
+
+            try:
+                # Parse JSON body
+                data = await request.json()
+                file_path = data.get("path", "")
+                limit = data.get("limit", 10)
+
+                if not file_path:
+                    return web.json_response(
+                        {"success": False, "error": "No path provided", "commits": []},
+                        status=400,
+                    )
+
+                abs_path = Path(Path(file_path).resolve().expanduser())
+
+                if not Path(abs_path).exists():
+                    return web.json_response(
+                        {"success": False, "error": "File not found", "commits": []},
+                        status=404,
+                    )
+
+                # Get git log for file
+                result = subprocess.run(
+                    [
+                        "git",
+                        "log",
+                        f"-{limit}",
+                        "--pretty=format:%H|%an|%ar|%s",
+                        "--",
+                        abs_path,
+                    ],
+                    check=False,
+                    capture_output=True,
+                    text=True,
+                    cwd=Path(abs_path).parent,
+                )
+
+                commits = []
+                if result.returncode == 0 and result.stdout:
+                    for line in result.stdout.strip().split("\n"):
+                        if line:
+                            parts = line.split("|", 3)
+                            if len(parts) == 4:
+                                commits.append(
+                                    {
+                                        "hash": parts[0][:7],  # Short hash
+                                        "author": parts[1],
+                                        "date": parts[2],
+                                        "message": parts[3],
+                                    }
+                                )
+
+                return web.json_response({"success": True, "commits": commits})
+
+            except Exception as e:
+                self.logger.error(f"Error getting git history: {e}")
+                return web.json_response(
+                    {"success": False, "error": str(e), "commits": []}, status=500
+                )
+
+        self.app.router.add_post("/api/git-history", git_history_handler)
+        self.logger.info("✅ Git history API registered at /api/git-history")
+
     def _setup_directory_api(self):
         """Setup simple directory listing API.
 
@@ -611,7 +809,7 @@ class SocketIOServerCore:
             self.logger.error(f"Failed to setup directory API: {e}")
 
     def _setup_static_files(self):
-        """Setup static file serving for the dashboard."""
+        """Setup static file serving for the Svelte dashboard."""
         try:
             # Add debug logging for deployment context
             try:
@@ -624,65 +822,43 @@ class SocketIOServerCore:
             except Exception as e:
                 self.logger.debug(f"Could not detect deployment context: {e}")
 
-            self.dashboard_path = self._find_static_path()
+            # Find Svelte build directory
+            svelte_build_path = self._find_static_path()
 
-            if self.dashboard_path and self.dashboard_path.exists():
-                self.logger.info(f"✅ Dashboard found at: {self.dashboard_path}")
+            if svelte_build_path and svelte_build_path.exists():
+                self.logger.info(f"✅ Svelte dashboard found at: {svelte_build_path}")
+                self.dashboard_path = svelte_build_path
 
-                # Serve index.html at root
+                # Serve Svelte index.html at root
                 async def index_handler(request):
-                    index_file = self.dashboard_path / "index.html"
+                    index_file = svelte_build_path / "index.html"
                     if index_file.exists():
-                        self.logger.debug(f"Serving dashboard index from: {index_file}")
+                        self.logger.debug(
+                            f"Serving Svelte dashboard from: {index_file}"
+                        )
                         return web.FileResponse(index_file)
-                    self.logger.warning(
-                        f"Dashboard index.html not found at: {index_file}"
-                    )
+                    self.logger.warning(f"Svelte index.html not found at: {index_file}")
                     return web.Response(text="Dashboard not available", status=404)
 
                 self.app.router.add_get("/", index_handler)
 
-                # Serve the actual dashboard template at /dashboard
-                async def dashboard_handler(request):
-                    dashboard_template = (
-                        self.dashboard_path.parent / "templates" / "index.html"
-                    )
-                    if dashboard_template.exists():
-                        self.logger.debug(
-                            f"Serving dashboard template from: {dashboard_template}"
-                        )
-                        return web.FileResponse(dashboard_template)
-                    # Fallback to the main index if template doesn't exist
-                    self.logger.warning(
-                        f"Dashboard template not found at: {dashboard_template}, falling back to index"
+                # Serve Svelte app assets at /_app/ (needed for SvelteKit builds)
+                svelte_app_path = svelte_build_path / "_app"
+                if svelte_app_path.exists():
+                    self.app.router.add_static(
+                        "/_app/", svelte_app_path, name="svelte_app"
                     )
-                    return await index_handler(request)
-
-                self.app.router.add_get("/dashboard", dashboard_handler)
-
-                # Serve simple code view template at /code-simple
-                async def code_simple_handler(request):
-                    code_simple_template = (
-                        self.dashboard_path.parent / "templates" / "code_simple.html"
+                    self.logger.info(
+                        f"✅ Svelte dashboard available at http://{self.host}:{self.port}/ (build: {svelte_build_path})"
                     )
-                    if code_simple_template.exists():
-                        self.logger.debug(
-                            f"Serving code simple template from: {code_simple_template}"
-                        )
-                        return web.FileResponse(code_simple_template)
-                    # Return error if template doesn't exist
+                else:
                     self.logger.warning(
-                        f"Code simple template not found at: {code_simple_template}"
-                    )
-                    return web.Response(
-                        text="Simple code view not available", status=404
+                        f"⚠️  Svelte _app directory not found at: {svelte_app_path}"
                     )
 
-                self.app.router.add_get("/code-simple", code_simple_handler)
-
-                # Serve version.json from dashboard directory
+                # Serve version.json from Svelte build directory
                 async def version_handler(request):
-                    version_file = self.dashboard_path / "version.json"
+                    version_file = svelte_build_path / "version.json"
                     if version_file.exists():
                         self.logger.debug(f"Serving version.json from: {version_file}")
                         return web.FileResponse(version_file)
@@ -698,55 +874,10 @@ class SocketIOServerCore:
 
                 self.app.router.add_get("/version.json", version_handler)
 
-                # Serve static assets (CSS, JS) from the dashboard static directory
-                # Use package-relative path (works for both dev and installed package)
-                package_root = Path(claude_mpm.__file__).parent
-                dashboard_static_path = package_root / "dashboard" / "static"
-                if dashboard_static_path.exists():
-                    self.app.router.add_static(
-                        "/static/", dashboard_static_path, name="dashboard_static"
-                    )
-                    self.logger.info(
-                        f"✅ Static assets available at: {dashboard_static_path}"
-                    )
-                else:
-                    self.logger.warning(
-                        f"⚠️  Static assets directory not found at: {dashboard_static_path}"
-                    )
-
-                # Serve Svelte dashboard build
-                svelte_build_path = (
-                    package_root / "dashboard" / "static" / "svelte-build"
-                )
-                if svelte_build_path.exists():
-                    # Serve Svelte dashboard at /svelte route
-                    async def svelte_handler(request):
-                        svelte_index = svelte_build_path / "index.html"
-                        if svelte_index.exists():
-                            self.logger.debug(
-                                f"Serving Svelte dashboard from: {svelte_index}"
-                            )
-                            return web.FileResponse(svelte_index)
-                        return web.Response(
-                            text="Svelte dashboard not available", status=404
-                        )
-
-                    self.app.router.add_get("/svelte", svelte_handler)
-
-                    # Serve Svelte app assets at /_app/ (needed for SvelteKit builds)
-                    svelte_app_path = svelte_build_path / "_app"
-                    if svelte_app_path.exists():
-                        self.app.router.add_static(
-                            "/_app/", svelte_app_path, name="svelte_app"
-                        )
-                        self.logger.info(
-                            f"✅ Svelte dashboard available at /svelte (build: {svelte_build_path})"
-                        )
-                else:
-                    self.logger.debug(f"Svelte build not found at: {svelte_build_path}")
-
             else:
-                self.logger.warning("⚠️  No dashboard found, serving fallback response")
+                self.logger.warning(
+                    "⚠️  Svelte dashboard not found, serving fallback response"
+                )
 
                 # Fallback handler
                 async def fallback_handler(request):
@@ -773,10 +904,10 @@ class SocketIOServerCore:
             self.app.router.add_get("/", error_handler)
 
     def _find_static_path(self):
-        """Find the static files directory using multiple approaches.
+        """Find the Svelte build directory using multiple approaches.
 
-        WHY: The static files location varies depending on how the application
-        is installed and run. We try multiple common locations to find them.
+        WHY: The dashboard is now pure Svelte, located at dashboard/static/svelte-build/.
+        We search for this specific structure across different deployment contexts.
         """
         # Get deployment-context-aware paths
         try:
@@ -797,43 +928,45 @@ class SocketIOServerCore:
             package_root = None
             project_root = get_project_root()
 
-        # Try multiple possible locations for static files and dashboard
+        # Try multiple possible locations for Svelte build directory
         possible_paths = [
             # Package-based paths (for pipx and pip installations)
-            package_root / "dashboard" / "templates" if package_root else None,
-            package_root / "services" / "socketio" / "static" if package_root else None,
-            package_root / "static" if package_root else None,
+            package_root / "dashboard" / "static" / "svelte-build"
+            if package_root
+            else None,
             # Project-based paths (for development)
-            project_root / "src" / "claude_mpm" / "dashboard" / "templates",
-            project_root / "dashboard" / "templates",
-            project_root / "src" / "claude_mpm" / "services" / "static",
-            project_root / "src" / "claude_mpm" / "services" / "socketio" / "static",
-            project_root / "static",
-            project_root / "src" / "static",
+            project_root
+            / "src"
+            / "claude_mpm"
+            / "dashboard"
+            / "static"
+            / "svelte-build",
+            project_root / "dashboard" / "static" / "svelte-build",
             # Package installation locations (fallback)
-            Path(__file__).parent.parent / "static",
-            Path(__file__).parent / "static",
+            Path(__file__).parent.parent.parent
+            / "dashboard"
+            / "static"
+            / "svelte-build",
             # Scripts directory (for standalone installations)
-            get_scripts_dir() / "static",
-            get_scripts_dir() / "socketio" / "static",
+            get_scripts_dir() / "dashboard" / "static" / "svelte-build",
             # Current working directory
-            Path.cwd() / "static",
-            Path.cwd() / "socketio" / "static",
+            Path.cwd() / "src" / "claude_mpm" / "dashboard" / "static" / "svelte-build",
+            Path.cwd() / "dashboard" / "static" / "svelte-build",
         ]
 
         # Filter out None values
         possible_paths = [p for p in possible_paths if p is not None]
         self.logger.debug(
-            f"Searching {len(possible_paths)} possible static file locations"
+            f"Searching {len(possible_paths)} possible Svelte build locations"
         )
 
         for path in possible_paths:
-            self.logger.debug(f"Checking for static files at: {path}")
+            self.logger.debug(f"Checking for Svelte build at: {path}")
             try:
                 if path.exists() and path.is_dir():
-                    # Check if it contains expected files
+                    # Check if it contains expected Svelte build files
                     if (path / "index.html").exists():
-                        self.logger.info(f"✅ Found static files at: {path}")
+                        self.logger.info(f"✅ Found Svelte build at: {path}")
                         return path
                     self.logger.debug(f"Directory exists but no index.html: {path}")
                 else:
@@ -842,7 +975,7 @@ class SocketIOServerCore:
                 self.logger.debug(f"Error checking path {path}: {e}")
 
         self.logger.warning(
-            "⚠️  Static files not found - dashboard will not be available"
+            "⚠️  Svelte build not found - dashboard will not be available"
         )
         self.logger.debug(f"Searched paths: {[str(p) for p in possible_paths]}")
         return None
@@ -918,9 +1051,15 @@ class SocketIOServerCore:
                     },
                 }
 
-                # Add to event history if main server is available
+                # Add to event history UNCONDITIONALLY
+                # WHY: Heartbeat events should persist for new clients too
                 if self.main_server and hasattr(self.main_server, "event_history"):
                     self.main_server.event_history.append(heartbeat_data)
+                    self.logger.debug(
+                        f"Heartbeat added to history (total: {len(self.main_server.event_history)})"
+                    )
+                else:
+                    self.logger.warning("event_history not initialized for heartbeat!")
 
                 # Emit heartbeat to all connected clients (already using new schema)
                 await self.sio.emit("system_event", heartbeat_data)

claude_mpm/skills/bundled/security-scanning.md

@@ -81,6 +81,36 @@ API_KEY = "sk-1234567890abcdef"  # In code!  # pragma: allowlist secret
 
 # ✅ Safe: Use environment variables
 API_KEY = os.getenv("API_KEY")
+
+# ❌ CRITICAL: MCP config files with API keys
+# NEVER commit these files:
+# - .mcp-vector-search/config.json (OpenRouter API keys)
+# - .mcp/config.json (MCP server credentials)
+# - openrouter.json, anthropic-config.json
+# - credentials.json, secrets.json, api-keys.json
+
+# ✅ Safe: Verify .gitignore before committing
+# Check file is ignored: git check-ignore <file_path>
+# Check file not tracked: git ls-files <file_path>
+```
+
+**MCP Secret File Patterns (High Risk):**
+```bash
+# Files that commonly contain API keys:
+.mcp-vector-search/config.json     # OpenRouter, OpenAI keys
+.mcp/config.json                    # MCP server credentials
+**/mcp-config.json
+openrouter.json
+anthropic-config.json
+openai-config.json
+credentials.json
+secrets.json
+api-keys.json
+
+# ALWAYS add to .gitignore:
+echo ".mcp-vector-search/" >> .gitignore
+echo "credentials.json" >> .gitignore
+echo "secrets.json" >> .gitignore
 ```
 
 ### 4. XML External Entities (XXE)
@@ -178,6 +208,88 @@ if failed_login_count > 5:
     alert_security_team()
 ```
 
+## Secret Detection and Prevention
+
+### Pre-commit Hooks with detect-secrets
+```bash
+# Install detect-secrets
+pip install detect-secrets
+
+# Create baseline of existing secrets
+detect-secrets scan > .secrets.baseline
+
+# Install pre-commit hooks
+pip install pre-commit
+pre-commit install
+
+# Add to .pre-commit-config.yaml:
+# - repo: https://github.com/Yelp/detect-secrets
+#   rev: v1.5.0
+#   hooks:
+#     - id: detect-secrets
+#       args: ['--baseline', '.secrets.baseline']
+
+# Scan for new secrets
+detect-secrets scan --baseline .secrets.baseline
+
+# Audit baseline (mark false positives)
+detect-secrets audit .secrets.baseline
+```
+
+### Manual Secret Scanning
+```bash
+# Check if file is ignored by git
+git check-ignore .mcp-vector-search/config.json
+# Exit code 0 = ignored (safe)
+# Exit code 1 = NOT ignored (DANGER!)
+
+# Check if file is tracked by git
+git ls-files .mcp-vector-search/config.json
+# Output present = tracked (CRITICAL - remove immediately!)
+# No output = not tracked (safe if also in .gitignore)
+
+# Search git history for committed secrets
+git log --all --full-history -- .mcp-vector-search/config.json
+
+# Remove file from git history (if accidentally committed)
+git filter-branch --force --index-filter \
+  'git rm --cached --ignore-unmatch .mcp-vector-search/config.json' \
+  --prune-empty --tag-name-filter cat -- --all
+```
+
+### Incident Response: Exposed API Key
+If you've committed an API key to git:
+
+1. **IMMEDIATELY rotate the exposed credential**
+   - OpenRouter: https://openrouter.ai/settings/keys
+   - Anthropic: https://console.anthropic.com/settings/keys
+   - OpenAI: https://platform.openai.com/api-keys
+
+2. **Remove from git history**
+   ```bash
+   # Using git-filter-repo (recommended)
+   git filter-repo --path .mcp-vector-search/config.json --invert-paths
+
+   # Force push to remote (WARNING: destructive)
+   git push origin --force --all
+   git push origin --force --tags
+   ```
+
+3. **Add to .gitignore** (if not already there)
+   ```bash
+   echo ".mcp-vector-search/" >> .gitignore
+   git add .gitignore
+   git commit -m "chore: add MCP config to gitignore"
+   ```
+
+4. **Verify cleanup**
+   ```bash
+   git log --all --full-history -- .mcp-vector-search/config.json
+   # Should show no results
+   ```
+
+5. **Notify stakeholders** if the key had production access
+
 ## Security Scanning Tools
 
 ### Python