@agentmemory/agentmemory 0.8.1 → 0.8.5

package/dist/{src-Df36IFVL.mjs → src-BuDB8dPq.mjs}

@@ -1,11 +1,13 @@
+import { a as jaccardSimilarity, i as generateId, n as STREAM, r as fingerprintId, t as KV } from "./cli.mjs";
+import { a as getEnvVar, c as isGraphExtractionEnabled, d as loadEmbeddingConfig, f as loadFallbackConfig, i as getConsolidationDecayDays, l as loadClaudeBridgeConfig, m as loadTeamConfig, n as VERSION, p as loadSnapshotConfig, r as detectEmbeddingProvider, s as isConsolidationEnabled, t as getVisibleTools, u as loadConfig } from "./tools-registry-B9EXJvIf.mjs";
 import { execFile } from "node:child_process";
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
-import { dirname, join, resolve } from "node:path";
+import { dirname, join, resolve, sep } from "node:path";
 import { fileURLToPath } from "node:url";
-import { getContext, init } from "iii-sdk";
 import { homedir } from "node:os";
-import Anthropic from "@anthropic-ai/sdk";
 import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";
+import { getContext, init } from "iii-sdk";
+import Anthropic from "@anthropic-ai/sdk";
 import { z } from "zod";
 import { promisify } from "node:util";
 import { lookup } from "node:dns/promises";
@@ -13,163 +15,6 @@ import { isIP } from "node:net";
 import { mkdir, writeFile } from "node:fs/promises";
 import { createServer } from "node:http";
 
-//#region src/config.ts
-function safeParseInt(value, fallback) {
-	if (!value) return fallback;
-	const parsed = parseInt(value, 10);
-	return Number.isNaN(parsed) ? fallback : parsed;
-}
-const DATA_DIR = join(homedir(), ".agentmemory");
-const ENV_FILE = join(DATA_DIR, ".env");
-function loadEnvFile() {
-	if (!existsSync(ENV_FILE)) return {};
-	const content = readFileSync(ENV_FILE, "utf-8");
-	const vars = {};
-	for (const line of content.split("\n")) {
-		const trimmed = line.trim();
-		if (!trimmed || trimmed.startsWith("#")) continue;
-		const eqIdx = trimmed.indexOf("=");
-		if (eqIdx === -1) continue;
-		const key = trimmed.slice(0, eqIdx).trim();
-		let val = trimmed.slice(eqIdx + 1).trim();
-		if (val.startsWith("\"") && val.endsWith("\"") || val.startsWith("'") && val.endsWith("'")) val = val.slice(1, -1);
-		vars[key] = val;
-	}
-	return vars;
-}
-function detectProvider(env) {
-	const maxTokens = parseInt(env["MAX_TOKENS"] || "4096", 10);
-	if (env["MINIMAX_API_KEY"]) return {
-		provider: "minimax",
-		model: env["MINIMAX_MODEL"] || "MiniMax-M2.7",
-		maxTokens
-	};
-	if (env["ANTHROPIC_API_KEY"]) return {
-		provider: "anthropic",
-		model: env["ANTHROPIC_MODEL"] || "claude-sonnet-4-20250514",
-		maxTokens,
-		baseURL: env["ANTHROPIC_BASE_URL"]
-	};
-	if (env["GEMINI_API_KEY"]) return {
-		provider: "gemini",
-		model: env["GEMINI_MODEL"] || "gemini-2.0-flash",
-		maxTokens
-	};
-	if (env["OPENROUTER_API_KEY"]) return {
-		provider: "openrouter",
-		model: env["OPENROUTER_MODEL"] || "anthropic/claude-sonnet-4-20250514",
-		maxTokens
-	};
-	return {
-		provider: "agent-sdk",
-		model: "claude-sonnet-4-20250514",
-		maxTokens: 4096
-	};
-}
-function loadConfig() {
-	const env = getMergedEnv();
-	const provider = detectProvider(env);
-	return {
-		engineUrl: env["III_ENGINE_URL"] || "ws://localhost:49134",
-		restPort: parseInt(env["III_REST_PORT"] || "3111", 10) || 3111,
-		streamsPort: parseInt(env["III_STREAMS_PORT"] || "3112", 10) || 3112,
-		provider,
-		tokenBudget: safeParseInt(env["TOKEN_BUDGET"], 2e3),
-		maxObservationsPerSession: safeParseInt(env["MAX_OBS_PER_SESSION"], 500),
-		compressionModel: provider.model,
-		dataDir: DATA_DIR
-	};
-}
-function getMergedEnv(overrides) {
-	return {
-		...loadEnvFile(),
-		...process.env,
-		...overrides
-	};
-}
-function getEnvVar(key) {
-	return getMergedEnv()[key];
-}
-function loadEmbeddingConfig() {
-	const env = getMergedEnv();
-	let bm25Weight = parseFloat(env["BM25_WEIGHT"] || "0.4");
-	let vectorWeight = parseFloat(env["VECTOR_WEIGHT"] || "0.6");
-	bm25Weight = isNaN(bm25Weight) || bm25Weight < 0 ? .4 : Math.min(bm25Weight, 1);
-	vectorWeight = isNaN(vectorWeight) || vectorWeight < 0 ? .6 : Math.min(vectorWeight, 1);
-	return {
-		provider: env["EMBEDDING_PROVIDER"] || void 0,
-		bm25Weight,
-		vectorWeight
-	};
-}
-function detectEmbeddingProvider(env) {
-	const source = env ?? getMergedEnv();
-	const forced = source["EMBEDDING_PROVIDER"];
-	if (forced) return forced;
-	if (source["GEMINI_API_KEY"]) return "gemini";
-	if (source["OPENAI_API_KEY"]) return "openai";
-	if (source["VOYAGE_API_KEY"]) return "voyage";
-	if (source["COHERE_API_KEY"]) return "cohere";
-	if (source["OPENROUTER_API_KEY"]) return "openrouter";
-	return null;
-}
-function loadClaudeBridgeConfig() {
-	const env = getMergedEnv();
-	const enabled = env["CLAUDE_MEMORY_BRIDGE"] === "true";
-	const projectPath = env["CLAUDE_PROJECT_PATH"] || "";
-	const lineBudget = safeParseInt(env["CLAUDE_MEMORY_LINE_BUDGET"], 200);
-	let memoryFilePath = "";
-	if (enabled && projectPath) {
-		const safePath = projectPath.replace(/[/\\]/g, "-").replace(/^-/, "");
-		memoryFilePath = join(homedir(), ".claude", "projects", safePath, "memory", "MEMORY.md");
-	}
-	return {
-		enabled,
-		projectPath,
-		memoryFilePath,
-		lineBudget
-	};
-}
-function loadTeamConfig() {
-	const env = getMergedEnv();
-	const teamId = env["TEAM_ID"];
-	const userId = env["USER_ID"];
-	if (!teamId || !userId) return null;
-	return {
-		teamId,
-		userId,
-		mode: env["TEAM_MODE"] === "shared" ? "shared" : "private"
-	};
-}
-function loadSnapshotConfig() {
-	const env = getMergedEnv();
-	return {
-		enabled: env["SNAPSHOT_ENABLED"] === "true",
-		interval: safeParseInt(env["SNAPSHOT_INTERVAL"], 3600),
-		dir: env["SNAPSHOT_DIR"] || join(homedir(), ".agentmemory", "snapshots")
-	};
-}
-function isGraphExtractionEnabled() {
-	return getMergedEnv()["GRAPH_EXTRACTION_ENABLED"] === "true";
-}
-function isConsolidationEnabled() {
-	return getMergedEnv()["CONSOLIDATION_ENABLED"] === "true";
-}
-function getConsolidationDecayDays() {
-	return safeParseInt(getMergedEnv()["CONSOLIDATION_DECAY_DAYS"], 30);
-}
-const VALID_PROVIDERS = new Set([
-	"anthropic",
-	"gemini",
-	"openrouter",
-	"agent-sdk",
-	"minimax"
-]);
-function loadFallbackConfig() {
-	return { providers: (getMergedEnv()["FALLBACK_PROVIDERS"] || "").split(",").map((p) => p.trim()).filter((p) => Boolean(p) && VALID_PROVIDERS.has(p)) };
-}
-
-//#endregion
 //#region src/providers/agent-sdk.ts
 var AgentSDKProvider = class {
 	name = "agent-sdk";
@@ -861,69 +706,6 @@ var VectorIndex = class VectorIndex {
 	}
 };
 
-//#endregion
-//#region src/state/schema.ts
-const KV = {
-	sessions: "mem:sessions",
-	observations: (sessionId) => `mem:obs:${sessionId}`,
-	memories: "mem:memories",
-	summaries: "mem:summaries",
-	config: "mem:config",
-	metrics: "mem:metrics",
-	health: "mem:health",
-	embeddings: (obsId) => `mem:emb:${obsId}`,
-	bm25Index: "mem:index:bm25",
-	relations: "mem:relations",
-	profiles: "mem:profiles",
-	claudeBridge: "mem:claude-bridge",
-	graphNodes: "mem:graph:nodes",
-	graphEdges: "mem:graph:edges",
-	semantic: "mem:semantic",
-	procedural: "mem:procedural",
-	teamShared: (teamId) => `mem:team:${teamId}:shared`,
-	teamUsers: (teamId, userId) => `mem:team:${teamId}:users:${userId}`,
-	teamProfile: (teamId) => `mem:team:${teamId}:profile`,
-	audit: "mem:audit",
-	actions: "mem:actions",
-	actionEdges: "mem:action-edges",
-	leases: "mem:leases",
-	routines: "mem:routines",
-	routineRuns: "mem:routine-runs",
-	signals: "mem:signals",
-	checkpoints: "mem:checkpoints",
-	mesh: "mem:mesh",
-	sketches: "mem:sketches",
-	facets: "mem:facets",
-	sentinels: "mem:sentinels",
-	crystals: "mem:crystals",
-	lessons: "mem:lessons",
-	insights: "mem:insights",
-	graphEdgeHistory: "mem:graph:edge-history",
-	enrichedChunks: (sessionId) => `mem:enriched:${sessionId}`,
-	latentEmbeddings: (obsId) => `mem:latent:${obsId}`,
-	retentionScores: "mem:retention"
-};
-const STREAM = {
-	name: "mem-live",
-	group: (sessionId) => sessionId,
-	viewerGroup: "viewer"
-};
-function generateId(prefix) {
-	return `${prefix}_${Date.now().toString(36)}_${crypto.randomUUID().replace(/-/g, "").slice(0, 12)}`;
-}
-function fingerprintId(prefix, content) {
-	return `${prefix}_${createHash("sha256").update(content).digest("hex").slice(0, 16)}`;
-}
-function jaccardSimilarity(a, b) {
-	const setA = new Set(a.split(/\s+/).filter((t) => t.length > 2));
-	const setB = new Set(b.split(/\s+/).filter((t) => t.length > 2));
-	if (setA.size === 0 && setB.size === 0) return 1;
-	if (setA.size === 0 || setB.size === 0) return 0;
-	let intersection = 0;
-	for (const word of setA) if (setB.has(word)) intersection++;
-	return intersection / (setA.size + setB.size - intersection);
-}
-
 //#endregion
 //#region src/functions/graph-retrieval.ts
 function buildGraphContext(path) {
@@ -1950,9 +1732,11 @@ var IndexPersistence = class {
 const PRIVATE_TAG_RE = /<private>[\s\S]*?<\/private>/gi;
 const SECRET_PATTERN_SOURCES = [
 	/(?:api[_-]?key|secret|token|password|credential|auth)[\s]*[=:]\s*["']?[A-Za-z0-9_\-/.+]{20,}["']?/gi,
-	/(?:sk|pk|rk|ak)-[A-Za-z0-9]{20,}/g,
+	/Bearer\s+[A-Za-z0-9._\-+/=]{20,}/gi,
+	/sk-proj-[A-Za-z0-9\-_]{20,}/g,
+	/(?:sk|pk|rk|ak)-[A-Za-z0-9][A-Za-z0-9\-_]{19,}/g,
 	/sk-ant-[A-Za-z0-9\-_]{20,}/g,
-	/ghp_[A-Za-z0-9]{36}/g,
+	/gh[pus]_[A-Za-z0-9]{36,}/g,
 	/github_pat_[A-Za-z0-9_]{22,}/g,
 	/xoxb-[A-Za-z0-9\-]+/g,
 	/AKIA[0-9A-Z]{16}/g,
@@ -2153,6 +1937,77 @@ function getXmlChildren(xml, parentTag, childTag) {
 	return items;
 }
 
+//#endregion
+//#region src/functions/access-tracker.ts
+const RECENT_CAP = 20;
+function emptyAccessLog(memoryId) {
+	return {
+		memoryId,
+		count: 0,
+		lastAt: "",
+		recent: []
+	};
+}
+function normalizeAccessLog(raw) {
+	const r = raw ?? {};
+	const rawCount = typeof r.count === "number" && Number.isFinite(r.count) ? r.count : 0;
+	const count = Math.max(0, Math.floor(rawCount));
+	const rawRecent = Array.isArray(r.recent) ? r.recent.filter((x) => typeof x === "number" && Number.isFinite(x)) : [];
+	const recent = rawRecent.length > RECENT_CAP ? rawRecent.slice(-RECENT_CAP) : rawRecent;
+	return {
+		memoryId: typeof r.memoryId === "string" ? r.memoryId : "",
+		count: Math.max(count, recent.length),
+		lastAt: typeof r.lastAt === "string" ? r.lastAt : "",
+		recent
+	};
+}
+async function getAccessLog(kv, memoryId) {
+	try {
+		const raw = await kv.get(KV.accessLog, memoryId);
+		if (!raw) return emptyAccessLog(memoryId);
+		const normalized = normalizeAccessLog(raw);
+		if (!normalized.memoryId) normalized.memoryId = memoryId;
+		return normalized;
+	} catch {
+		return emptyAccessLog(memoryId);
+	}
+}
+async function recordAccess(kv, memoryId, timestampMs) {
+	if (!memoryId) return;
+	const ts = timestampMs ?? Date.now();
+	try {
+		await withKeyedLock(`mem:access:${memoryId}`, async () => {
+			const existing = await getAccessLog(kv, memoryId);
+			existing.count += 1;
+			existing.lastAt = new Date(ts).toISOString();
+			existing.recent.push(ts);
+			if (existing.recent.length > RECENT_CAP) existing.recent = existing.recent.slice(-RECENT_CAP);
+			await kv.set(KV.accessLog, memoryId, existing);
+		});
+	} catch (err) {
+		try {
+			getContext().logger.warn("recordAccess failed", {
+				memoryId,
+				error: err instanceof Error ? err.message : String(err)
+			});
+		} catch {}
+	}
+}
+async function recordAccessBatch(kv, memoryIds, timestampMs) {
+	if (!memoryIds || memoryIds.length === 0) return;
+	const ts = timestampMs ?? Date.now();
+	const unique = Array.from(new Set(memoryIds.filter(Boolean)));
+	await Promise.allSettled(unique.map((id) => recordAccess(kv, id, ts)));
+}
+async function deleteAccessLog(kv, memoryId) {
+	if (!memoryId) return;
+	try {
+		await withKeyedLock(`mem:access:${memoryId}`, async () => {
+			await kv.delete(KV.accessLog, memoryId);
+		});
+	} catch {}
+}
+
 //#endregion
 //#region src/functions/search.ts
 let index = null;
@@ -2239,6 +2094,7 @@ function registerSearchFunction(sdk, kv) {
 				sessionId: candidates[i].sessionId
 			});
 		}
+		recordAccessBatch(kv, enriched.map((r) => r.observation.id));
 		ctx.logger.info("Search completed", {
 			query,
 			results: enriched.length,
@@ -2634,19 +2490,22 @@ function registerContextFunction(sdk, kv, tokenBudget) {
 			const i = sessionsNeedingObs[j];
 			const important = obsResults[j].filter((o) => o.title && o.importance >= 5);
 			if (important.length > 0) {
-				const items = important.sort((a, b) => b.importance - a.importance).slice(0, 5).map((o) => `- [${o.type}] ${o.title}: ${o.narrative}`).join("\n");
+				const top = important.sort((a, b) => b.importance - a.importance).slice(0, 5);
+				const items = top.map((o) => `- [${o.type}] ${o.title}: ${o.narrative}`).join("\n");
 				const content = `## Session ${sessions[i].id.slice(0, 8)} (${sessions[i].startedAt})\n${items}`;
 				blocks.push({
 					type: "observation",
 					content,
 					tokens: estimateTokens$1(content),
-					recency: new Date(sessions[i].startedAt).getTime()
+					recency: new Date(sessions[i].startedAt).getTime(),
+					sourceIds: top.map((o) => o.id)
 				});
 			}
 		}
 		blocks.sort((a, b) => b.recency - a.recency);
 		let usedTokens = 0;
 		const selected = [];
+		const accessedIds = [];
 		const header = `<agentmemory-context project="${escapeXmlAttr(data.project)}">`;
 		const footer = `</agentmemory-context>`;
 		usedTokens += estimateTokens$1(header) + estimateTokens$1(footer);
@@ -2654,7 +2513,9 @@ function registerContextFunction(sdk, kv, tokenBudget) {
 			if (usedTokens + block.tokens > budget) break;
 			selected.push(block.content);
 			usedTokens += block.tokens;
+			if (block.sourceIds && block.sourceIds.length > 0) accessedIds.push(...block.sourceIds);
 		}
+		if (accessedIds.length > 0) recordAccessBatch(kv, accessedIds);
 		if (selected.length === 0) {
 			ctx.logger.info("No context available", { project: data.project });
 			return {
@@ -2987,6 +2848,9 @@ function registerFileIndexFunction(sdk, kv) {
 			for (const obs of fh.observations) lines.push(`- [${obs.type}] ${obs.title}: ${obs.narrative}`);
 		}
 		lines.push("</agentmemory-file-context>");
+		const accessedIds = [];
+		for (const fh of results) for (const obs of fh.observations) accessedIds.push(obs.obsId);
+		recordAccessBatch(kv, accessedIds);
 		const context = lines.join("\n");
 		ctx.logger.info("File context generated", {
 			files: data.files.length,
@@ -3299,6 +3163,7 @@ function registerRememberFunction(sdk, kv) {
 		let deleted = 0;
 		if (data.memoryId) {
 			await kv.delete(KV.memories, data.memoryId);
+			await deleteAccessLog(kv, data.memoryId);
 			deleted++;
 		}
 		if (data.sessionId && data.observationIds && data.observationIds.length > 0) for (const obsId of data.observationIds) {
@@ -3390,13 +3255,19 @@ function registerEvictFunction(sdk, kv) {
 				if (now > new Date(mem.forgetAfter).getTime()) {
 					stats.expiredMemories++;
 					evictedMemIds.add(mem.id);
-					if (!dryRun) await kv.delete(KV.memories, mem.id).catch(() => {});
+					if (!dryRun) {
+						await kv.delete(KV.memories, mem.id).catch(() => {});
+						await deleteAccessLog(kv, mem.id);
+					}
 				}
 			}
 			if (!evictedMemIds.has(mem.id) && mem.isLatest === false && mem.createdAt) {
 				if (now - new Date(mem.createdAt).getTime() > cfg.lowImportanceMaxDays * MS_PER_DAY$1) {
 					stats.nonLatestMemories++;
-					if (!dryRun) await kv.delete(KV.memories, mem.id).catch(() => {});
+					if (!dryRun) {
+						await kv.delete(KV.memories, mem.id).catch(() => {});
+						await deleteAccessLog(kv, mem.id);
+					}
 				}
 			}
 		}
@@ -3561,6 +3432,7 @@ function registerRelationsFunction(sdk, kv) {
 			});
 		}
 		result.sort((a, b) => b.confidence - a.confidence);
+		recordAccessBatch(kv, result.map((r) => r.memory.id));
 		ctx.logger.info("Related memories retrieved", {
 			memoryId: data.memoryId,
 			found: result.length
@@ -3632,6 +3504,7 @@ function registerTimelineFunction(sdk, kv) {
 				relativePosition: i - anchorIdx
 			});
 		}
+		recordAccessBatch(kv, entries.map((e) => e.observation.id));
 		ctx.logger.info("Timeline retrieved", {
 			anchor: data.anchor,
 			entries: entries.length
@@ -3682,6 +3555,7 @@ function registerSmartSearchFunction(sdk, kv, searchFn) {
 				observation: obs
 			} : null)));
 			for (const r of results) if (r) expanded.push(r);
+			recordAccessBatch(kv, expanded.map((e) => e.observation.id));
 			const truncated = data.expandIds.length > raw.length;
 			ctx.logger.info("Smart search expanded", {
 				requested: data.expandIds.length,
@@ -3709,6 +3583,7 @@ function registerSmartSearchFunction(sdk, kv, searchFn) {
 			score: r.combinedScore,
 			timestamp: r.observation.timestamp
 		}));
+		recordAccessBatch(kv, compact.map((r) => r.obsId));
 		ctx.logger.info("Smart search compact", {
 			query: data.query,
 			results: compact.length
@@ -3840,7 +3715,10 @@ function registerAutoForgetFunction(sdk, kv) {
 			if (now > new Date(mem.forgetAfter).getTime()) {
 				result.ttlExpired.push(mem.id);
 				deletedIds.add(mem.id);
-				if (!dryRun) await kv.delete(KV.memories, mem.id);
+				if (!dryRun) {
+					await kv.delete(KV.memories, mem.id);
+					await deleteAccessLog(kv, mem.id);
+				}
 			}
 		}
 		const latestMemories = memories.filter((m) => m.isLatest !== false && !deletedIds.has(m.id)).sort((a, b) => new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime()).slice(0, 1e3);
@@ -3907,10 +3785,6 @@ function registerAutoForgetFunction(sdk, kv) {
 	});
 }
 
-//#endregion
-//#region src/version.ts
-const VERSION = "0.8.1";
-
 //#endregion
 //#region src/functions/export-import.ts
 function registerExportImportFunction(sdk, kv) {
@@ -3937,7 +3811,7 @@ function registerExportImportFunction(sdk, kv) {
 		const uniqueProjects = [...new Set(paginatedSessions.map((s) => s.project))];
 		const profileResults = await Promise.all(uniqueProjects.map((project) => kv.get(KV.profiles, project).catch(() => null)));
 		for (const profile of profileResults) if (profile) profiles.push(profile);
-		const [graphNodes, graphEdges, semanticMemories, proceduralMemories, actions, actionEdges, sentinels, sketches, crystals, facets, lessons, insights, routines, signals, checkpoints] = await Promise.all([
+		const [graphNodes, graphEdges, semanticMemories, proceduralMemories, actions, actionEdges, sentinels, sketches, crystals, facets, lessons, insights, routines, signals, checkpoints, accessLogs] = await Promise.all([
 			kv.list(KV.graphNodes).catch(() => []),
 			kv.list(KV.graphEdges).catch(() => []),
 			kv.list(KV.semantic).catch(() => []),
@@ -3952,7 +3826,8 @@ function registerExportImportFunction(sdk, kv) {
 			kv.list(KV.insights).catch(() => []),
 			kv.list(KV.routines).catch(() => []),
 			kv.list(KV.signals).catch(() => []),
-			kv.list(KV.checkpoints).catch(() => [])
+			kv.list(KV.checkpoints).catch(() => []),
+			kv.list(KV.accessLog).catch(() => [])
 		]);
 		const exportData = {
 			version: VERSION,
@@ -3976,7 +3851,8 @@ function registerExportImportFunction(sdk, kv) {
 			insights: insights.length > 0 ? insights : void 0,
 			routines: routines.length > 0 ? routines : void 0,
 			signals: signals.length > 0 ? signals : void 0,
-			checkpoints: checkpoints.length > 0 ? checkpoints : void 0
+			checkpoints: checkpoints.length > 0 ? checkpoints : void 0,
+			accessLogs: accessLogs.length > 0 ? accessLogs : void 0
 		};
 		if (maxSessions !== void 0) exportData.pagination = {
 			offset,
@@ -4016,7 +3892,11 @@ function registerExportImportFunction(sdk, kv) {
 			"0.7.7",
 			"0.7.9",
 			"0.8.0",
-			"0.8.1"
+			"0.8.1",
+			"0.8.2",
+			"0.8.3",
+			"0.8.4",
+			"0.8.5"
 		]).has(importData.version)) return {
 			success: false,
 			error: `Unsupported export version: ${importData.version}`
@@ -4026,6 +3906,7 @@ function registerExportImportFunction(sdk, kv) {
 		const MAX_SUMMARIES = 1e4;
 		const MAX_OBS_PER_SESSION = 5e3;
 		const MAX_TOTAL_OBSERVATIONS = 5e5;
+		const MAX_ACCESS_LOGS = 5e4;
 		if (!Array.isArray(importData.sessions)) return {
 			success: false,
 			error: "sessions must be an array"
@@ -4108,6 +3989,7 @@ function registerExportImportFunction(sdk, kv) {
 			for (const e of await kv.list(KV.graphEdges).catch(() => [])) await kv.delete(KV.graphEdges, e.id);
 			for (const s of await kv.list(KV.semantic).catch(() => [])) await kv.delete(KV.semantic, s.id);
 			for (const p of await kv.list(KV.procedural).catch(() => [])) await kv.delete(KV.procedural, p.id);
+			for (const a of await kv.list(KV.accessLog).catch(() => [])) await kv.delete(KV.accessLog, a.memoryId);
 		}
 		for (const session of importData.sessions) {
 			if (strategy === "skip") {
@@ -4284,6 +4166,28 @@ function registerExportImportFunction(sdk, kv) {
 			}
 			await kv.set(KV.insights, insight.id, insight);
 		}
+		if (importData.accessLogs) {
+			if (!Array.isArray(importData.accessLogs)) return {
+				success: false,
+				error: "accessLogs must be an array"
+			};
+			if (importData.accessLogs.length > MAX_ACCESS_LOGS) return {
+				success: false,
+				error: `Too many access logs (max ${MAX_ACCESS_LOGS})`
+			};
+			const memoryIds = new Set(importData.memories.map((m) => m.id));
+			for (const raw of importData.accessLogs) {
+				const log = normalizeAccessLog(raw);
+				if (!log.memoryId || !memoryIds.has(log.memoryId)) continue;
+				if (strategy === "skip") {
+					if (await kv.get(KV.accessLog, log.memoryId).catch(() => null)) {
+						stats.skipped++;
+						continue;
+					}
+				}
+				await kv.set(KV.accessLog, log.memoryId, log);
+			}
+		}
 		ctx.logger.info("Import complete", {
 			strategy,
 			...stats
@@ -5052,6 +4956,7 @@ function registerGovernanceFunction(sdk, kv) {
 		let deleted = 0;
 		for (const id of data.memoryIds) if (await kv.get(KV.memories, id)) {
 			await kv.delete(KV.memories, id);
+			await deleteAccessLog(kv, id);
 			deleted++;
 		}
 		await recordAudit(kv, "delete", "mem::governance-delete", data.memoryIds, {
@@ -5099,7 +5004,10 @@ function registerGovernanceFunction(sdk, kv) {
 			wouldDelete: candidates.length,
 			ids: candidates.map((m) => m.id)
 		};
-		for (const mem of candidates) await kv.delete(KV.memories, mem.id);
+		for (const mem of candidates) {
+			await kv.delete(KV.memories, mem.id);
+			await deleteAccessLog(kv, mem.id);
+		}
 		await recordAudit(kv, "delete", "mem::governance-bulk", candidates.map((m) => m.id), {
 			filter: data,
 			deleted: candidates.length
@@ -5147,6 +5055,7 @@ function registerSnapshotFunction(sdk, kv, snapshotDir) {
 			const sessions = await kv.list(KV.sessions);
 			const memories = await kv.list(KV.memories);
 			const graphNodes = await kv.list(KV.graphNodes);
+			const accessLogs = await kv.list(KV.accessLog).catch(() => []);
 			const observations = {};
 			for (const session of sessions) {
 				const obs = await kv.list(KV.observations(session.id)).catch(() => []);
@@ -5158,7 +5067,8 @@ function registerSnapshotFunction(sdk, kv, snapshotDir) {
 				sessions,
 				memories,
 				graphNodes,
-				observations
+				observations,
+				accessLogs
 			};
 			writeFileSync(join(snapshotDir, "state.json"), JSON.stringify(state, null, 2), "utf-8");
 			await gitExec(snapshotDir, ["add", "."]);
@@ -5250,6 +5160,7 @@ function registerSnapshotFunction(sdk, kv, snapshotDir) {
 			if (state.memories) for (const memory of state.memories) await kv.set(KV.memories, memory.id, memory);
 			if (state.graphNodes) for (const node of state.graphNodes) await kv.set(KV.graphNodes, node.id, node);
 			if (state.observations) for (const [sessionId, obs] of Object.entries(state.observations)) for (const o of obs) await kv.set(KV.observations(sessionId), o.id, o);
+			if (state.accessLogs) for (const log of state.accessLogs) await kv.set(KV.accessLog, log.memoryId, log);
 			await gitExec(snapshotDir, [
 				"checkout",
 				"HEAD",
@@ -6417,7 +6328,7 @@ async function lwwMergeGraphNodes(kv, items) {
 	}
 	return count;
 }
-function registerMeshFunction(sdk, kv) {
+function registerMeshFunction(sdk, kv, meshAuthToken) {
 	sdk.registerFunction({ id: "mem::mesh-register" }, async (data) => {
 		if (!data.url || !data.name) return {
 			success: false,
@@ -6454,6 +6365,10 @@ function registerMeshFunction(sdk, kv) {
 		};
 	});
 	sdk.registerFunction({ id: "mem::mesh-sync" }, async (data) => {
+		if (!meshAuthToken) return {
+			success: false,
+			error: "mesh sync requires AGENTMEMORY_SECRET"
+		};
 		const direction = data.direction || "both";
 		let peers;
 		if (data.peerId) {
@@ -6489,7 +6404,10 @@ function registerMeshFunction(sdk, kv) {
 					try {
 						const response = await fetch(`${peer.url}/agentmemory/mesh/receive`, {
 							method: "POST",
-							headers: { "Content-Type": "application/json" },
+							headers: {
+								"Content-Type": "application/json",
+								Authorization: `Bearer ${meshAuthToken}`
+							},
 							body: JSON.stringify(pushData),
 							signal: AbortSignal.timeout(3e4),
 							redirect: "error"
@@ -6502,6 +6420,7 @@ function registerMeshFunction(sdk, kv) {
 				}
 				if (direction === "pull" || direction === "both") try {
 					const response = await fetch(`${peer.url}/agentmemory/mesh/export?since=${peer.lastSyncAt || ""}`, {
+						headers: { Authorization: `Bearer ${meshAuthToken}` },
 						signal: AbortSignal.timeout(3e4),
 						redirect: "error"
 					});
@@ -8362,7 +8281,16 @@ function registerLessonsFunctions(sdk, kv) {
 
 //#endregion
 //#region src/functions/obsidian-export.ts
-const DEFAULT_VAULT = join(homedir(), ".agentmemory", "vault");
+const DEFAULT_EXPORT_ROOT = join(homedir(), ".agentmemory");
+function getExportRoot() {
+	return resolve(process.env["AGENTMEMORY_EXPORT_ROOT"] || DEFAULT_EXPORT_ROOT);
+}
+function resolveVaultDir(vaultDir) {
+	const root = getExportRoot();
+	const resolved = resolve(vaultDir || join(root, "vault"));
+	if (resolved === root || resolved.startsWith(root + sep)) return resolved;
+	return null;
+}
 function sanitize(name) {
 	return name.replace(/[<>:"/\\|?*\x00-\x1f]/g, "_").slice(0, 100);
 }
@@ -8475,7 +8403,11 @@ function sessionToMd(s) {
 }
 function registerObsidianExportFunction(sdk, kv) {
 	sdk.registerFunction({ id: "mem::obsidian-export" }, async (data) => {
-		const vaultDir = data.vaultDir || DEFAULT_VAULT;
+		const vaultDir = resolveVaultDir(data.vaultDir);
+		if (!vaultDir) return {
+			success: false,
+			error: `vaultDir must be inside ${getExportRoot()}`
+		};
 		const exportTypes = new Set(data.types || [
 			"memories",
 			"lessons",
@@ -9021,12 +8953,15 @@ function registerWorkingMemoryFunctions(sdk, kv, tokenBudget) {
 			if (Math.abs(strengthDiff) > .2) return strengthDiff;
 			return new Date(b.updatedAt).getTime() - new Date(a.updatedAt).getTime();
 		});
+		const archivalIds = [];
 		for (const mem of active) {
 			const tokens = estimateTokens(mem.content);
 			if (usedTokens + tokens > budget) continue;
 			archivalLines.push(`- [${mem.type}] ${mem.title}: ${mem.content}`);
+			archivalIds.push(mem.id);
 			usedTokens += tokens;
 		}
+		recordAccessBatch(kv, archivalIds);
 		const pagedOut = active.length - archivalLines.length;
 		const sections = [];
 		if (coreLines.length > 0) sections.push(`## Core Memory\n${coreLines.join("\n")}`);
@@ -9780,17 +9715,15 @@ const DEFAULT_DECAY = {
 		cold: .15
 	}
 };
-function computeRetention(salience, createdAt, accessTimestamps, config) {
+function computeReinforcementBoost(accessTimestamps, sigma) {
 	const now = Date.now();
-	const deltaT = (now - new Date(createdAt).getTime()) / (1e3 * 60 * 60 * 24);
-	const temporalDecay = Math.exp(-config.lambda * deltaT);
-	let reinforcementBoost = 0;
+	let boost = 0;
 	for (const tAccess of accessTimestamps) {
+		if (!Number.isFinite(tAccess)) continue;
 		const daysSinceAccess = (now - tAccess) / (1e3 * 60 * 60 * 24);
-		if (daysSinceAccess > 0) reinforcementBoost += 1 / daysSinceAccess;
+		if (daysSinceAccess > 0) boost += 1 / daysSinceAccess;
 	}
-	reinforcementBoost *= config.sigma;
-	return Math.min(1, salience * temporalDecay + reinforcementBoost);
+	return boost * sigma;
 }
 function computeSalience(memory, accessCount) {
 	let baseSalience = .5;
@@ -9816,37 +9749,64 @@ function registerRetentionFunctions(sdk, kv) {
 			...DEFAULT_DECAY,
 			...data.config
 		};
-		const memories = await kv.list(KV.memories);
-		const semanticMems = await kv.list(KV.semantic);
+		const [memories, semanticMems, allLogs] = await Promise.all([
+			kv.list(KV.memories),
+			kv.list(KV.semantic),
+			kv.list(KV.accessLog).catch(() => [])
+		]);
+		const logsById = /* @__PURE__ */ new Map();
+		for (const raw of allLogs) {
+			const log = normalizeAccessLog(raw);
+			if (log.memoryId) logsById.set(log.memoryId, log);
+		}
 		const scores = [];
+		const computeDecay = (createdAt) => Math.exp(-config.lambda * ((Date.now() - new Date(createdAt).getTime()) / (1e3 * 60 * 60 * 24)));
 		for (const mem of memories) {
 			if (!mem.isLatest) continue;
-			const salience = computeSalience(mem, 0);
-			const score = computeRetention(salience, mem.createdAt, [], config);
+			const log = logsById.get(mem.id) ?? emptyAccessLog(mem.id);
+			const salience = computeSalience(mem, log.count);
+			const temporalDecay = computeDecay(mem.createdAt);
+			const reinforcementBoost = computeReinforcementBoost(log.recent, config.sigma);
+			const score = Math.min(1, salience * temporalDecay + reinforcementBoost);
 			const entry = {
 				memoryId: mem.id,
 				score,
 				salience,
-				temporalDecay: Math.exp(-config.lambda * ((Date.now() - new Date(mem.createdAt).getTime()) / (1e3 * 60 * 60 * 24))),
-				reinforcementBoost: 0,
-				lastAccessed: mem.updatedAt,
-				accessCount: 0
+				temporalDecay,
+				reinforcementBoost,
+				lastAccessed: log.lastAt || mem.updatedAt,
+				accessCount: log.count
 			};
 			scores.push(entry);
 			await kv.set(KV.retentionScores, mem.id, entry);
 		}
 		for (const sem of semanticMems) {
-			const accessTimestamps = sem.lastAccessedAt ? [new Date(sem.lastAccessedAt).getTime()] : [];
-			const salience = computeSalience(sem, sem.accessCount);
-			const score = computeRetention(salience, sem.createdAt, accessTimestamps, config);
+			const log = logsById.get(sem.id) ?? emptyAccessLog(sem.id);
+			let accessTimestamps;
+			let effectiveCount;
+			if (log.recent.length > 0 || log.count > 0) {
+				accessTimestamps = log.recent;
+				effectiveCount = log.count;
+			} else if (sem.lastAccessedAt) {
+				const legacyTs = Date.parse(sem.lastAccessedAt);
+				accessTimestamps = Number.isFinite(legacyTs) ? [legacyTs] : [];
+				effectiveCount = sem.accessCount;
+			} else {
+				accessTimestamps = [];
+				effectiveCount = sem.accessCount;
+			}
+			const salience = computeSalience(sem, effectiveCount);
+			const temporalDecay = computeDecay(sem.createdAt);
+			const reinforcementBoost = computeReinforcementBoost(accessTimestamps, config.sigma);
+			const score = Math.min(1, salience * temporalDecay + reinforcementBoost);
 			const entry = {
 				memoryId: sem.id,
 				score,
 				salience,
-				temporalDecay: Math.exp(-config.lambda * ((Date.now() - new Date(sem.createdAt).getTime()) / (1e3 * 60 * 60 * 24))),
-				reinforcementBoost: score - salience * Math.exp(-config.lambda * ((Date.now() - new Date(sem.createdAt).getTime()) / (1e3 * 60 * 60 * 24))),
-				lastAccessed: sem.lastAccessedAt,
-				accessCount: sem.accessCount
+				temporalDecay,
+				reinforcementBoost,
+				lastAccessed: log.lastAt || sem.lastAccessedAt,
+				accessCount: effectiveCount
 			};
 			scores.push(entry);
 			await kv.set(KV.retentionScores, sem.id, entry);
@@ -9890,6 +9850,7 @@ function registerRetentionFunctions(sdk, kv) {
 		for (const candidate of candidates) try {
 			await kv.delete(KV.memories, candidate.memoryId);
 			await kv.delete(KV.retentionScores, candidate.memoryId);
+			await deleteAccessLog(kv, candidate.memoryId);
 			evicted++;
 		} catch {
 			continue;
@@ -10045,14 +10006,57 @@ async function getLatestHealth(kv) {
 //#endregion
 //#region src/auth.ts
 const hmacKey = randomBytes(32);
+const VIEWER_NONCE_PLACEHOLDER = "__AGENTMEMORY_VIEWER_NONCE__";
 function timingSafeCompare(a, b) {
 	return timingSafeEqual(createHmac("sha256", hmacKey).update(a).digest(), createHmac("sha256", hmacKey).update(b).digest());
 }
-const VIEWER_CSP = "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; connect-src 'self' ws://localhost:* wss://localhost:*; img-src 'self'; font-src 'self'";
+function createViewerNonce() {
+	return randomBytes(16).toString("base64url");
+}
+function buildViewerCsp(nonce) {
+	return [
+		"default-src 'none'",
+		"base-uri 'none'",
+		"frame-ancestors 'none'",
+		"object-src 'none'",
+		"form-action 'none'",
+		`script-src 'nonce-${nonce}'`,
+		"script-src-attr 'none'",
+		"style-src 'unsafe-inline'",
+		"connect-src 'self' http://localhost:* http://127.0.0.1:* ws://localhost:* ws://127.0.0.1:* wss://localhost:* wss://127.0.0.1:*",
+		"img-src 'self'",
+		"font-src 'self'"
+	].join("; ");
+}
+
+//#endregion
+//#region src/viewer/document.ts
+function loadViewerTemplate() {
+	const base = dirname(fileURLToPath(import.meta.url));
+	const candidates = [
+		join(base, "..", "src", "viewer", "index.html"),
+		join(base, "..", "viewer", "index.html"),
+		join(base, "viewer", "index.html")
+	];
+	for (const path of candidates) try {
+		return readFileSync(path, "utf-8");
+	} catch {}
+	return null;
+}
+function renderViewerDocument() {
+	const template = loadViewerTemplate();
+	if (!template) return { found: false };
+	const nonce = createViewerNonce();
+	return {
+		found: true,
+		html: template.replaceAll(VIEWER_NONCE_PLACEHOLDER, nonce),
+		csp: buildViewerCsp(nonce)
+	};
+}
 
 //#endregion
 //#region src/triggers/api.ts
-function checkAuth$1(req, secret) {
+function checkAuth(req, secret) {
 	if (!secret) return null;
 	const auth = req.headers?.["authorization"] || req.headers?.["Authorization"];
 	if (typeof auth !== "string" || !timingSafeCompare(auth, `Bearer ${secret}`)) return {
@@ -10061,6 +10065,13 @@ function checkAuth$1(req, secret) {
 	};
 	return null;
 }
+function requireConfiguredSecret(secret, feature) {
+	if (secret) return null;
+	return {
+		status_code: 503,
+		body: { error: `${feature} requires AGENTMEMORY_SECRET` }
+	};
+}
 function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 	sdk.registerFunction({ id: "api::liveness" }, async () => ({
 		status_code: 200,
@@ -10078,7 +10089,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::health" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const health = await getLatestHealth(kv);
 		const functionMetrics = metricsStore ? await metricsStore.getAll() : [];
@@ -10105,7 +10116,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::observe" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 201,
@@ -10121,7 +10132,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::context" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -10137,7 +10148,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::search" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const body = req.body ?? {};
 		if (typeof body.query !== "string" || !body.query.trim()) return {
@@ -10176,7 +10187,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::session::start" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const { sessionId, project, cwd } = req.body;
 		const session = {
@@ -10208,7 +10219,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::session::end" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const session = await kv.get(KV.sessions, req.body.sessionId);
 		if (session) await kv.set(KV.sessions, req.body.sessionId, {
@@ -10230,7 +10241,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::summarize" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -10246,7 +10257,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::sessions" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -10262,7 +10273,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::observations" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const sessionId = req.query_params["sessionId"];
 		if (!sessionId) return {
@@ -10283,7 +10294,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::file-context" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -10299,7 +10310,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::enrich" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.sessionId || typeof req.body.sessionId !== "string" || !Array.isArray(req.body?.files) || req.body.files.length === 0 || !req.body.files.every((f) => typeof f === "string")) return {
 			status_code: 400,
@@ -10323,7 +10334,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::remember" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.content || typeof req.body.content !== "string" || !req.body.content.trim()) return {
 			status_code: 400,
@@ -10343,7 +10354,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::forget" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.sessionId && !req.body?.memoryId) return {
 			status_code: 400,
@@ -10363,7 +10374,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::consolidate" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -10379,7 +10390,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::patterns" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -10395,7 +10406,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::generate-rules" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -10411,7 +10422,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::migrate" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.dbPath || typeof req.body.dbPath !== "string") return {
 			status_code: 400,
@@ -10431,7 +10442,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::evict" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const dryRun = req.query_params?.["dryRun"] === "true" || req.body?.dryRun === true;
 		return {
@@ -10448,7 +10459,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::smart-search" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.query && (!req.body?.expandIds || req.body.expandIds.length === 0)) return {
 			status_code: 400,
@@ -10468,7 +10479,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::timeline" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.anchor) return {
 			status_code: 400,
@@ -10488,7 +10499,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::profile" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const project = req.query_params["project"];
 		if (!project) return {
@@ -10509,7 +10520,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::export" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -10525,7 +10536,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::import" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.exportData) return {
 			status_code: 400,
@@ -10545,7 +10556,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::relations" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.sourceId || !req.body?.targetId || !req.body?.type) return {
 			status_code: 400,
@@ -10565,7 +10576,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::evolve" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.memoryId || !req.body?.newContent) return {
 			status_code: 400,
@@ -10585,7 +10596,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::auto-forget" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const dryRun = req.query_params?.["dryRun"] === "true" || req.body?.dryRun === true;
 		return {
@@ -10602,7 +10613,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::claude-bridge-read" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		try {
 			return {
@@ -10625,7 +10636,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::claude-bridge-sync" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		try {
 			return {
@@ -10648,7 +10659,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::graph-query" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		try {
 			return {
@@ -10671,7 +10682,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::graph-stats" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		try {
 			return {
@@ -10694,7 +10705,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::graph-extract" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!Array.isArray(req.body?.observations) || req.body.observations.length === 0) return {
 			status_code: 400,
@@ -10721,7 +10732,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::consolidate-pipeline" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		try {
 			return {
@@ -10744,7 +10755,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::team-share" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.itemId || !req.body?.itemType) return {
 			status_code: 400,
@@ -10771,7 +10782,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::team-feed" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		try {
 			const limit = parseInt(req.query_params?.["limit"]) || 20;
@@ -10795,7 +10806,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::team-profile" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		try {
 			return {
@@ -10818,7 +10829,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::audit" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -10837,7 +10848,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::governance-delete" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.memoryIds || !Array.isArray(req.body.memoryIds)) return {
 			status_code: 400,
@@ -10857,7 +10868,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::governance-bulk" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -10873,7 +10884,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::snapshots" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		try {
 			return {
@@ -10896,7 +10907,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::snapshot-create" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		try {
 			return {
@@ -10919,7 +10930,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::snapshot-restore" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.commitHash) return {
 			status_code: 400,
@@ -10946,7 +10957,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::memories" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const memories = await kv.list(KV.memories);
 		return {
@@ -10963,7 +10974,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::action-create" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.title) return {
 			status_code: 400,
@@ -10983,7 +10994,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::action-update" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.actionId) return {
 			status_code: 400,
@@ -11003,7 +11014,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::action-list" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -11023,7 +11034,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::action-get" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const actionId = req.query_params?.["actionId"];
 		if (!actionId) return {
@@ -11044,7 +11055,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::action-edge" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.sourceActionId || !req.body?.targetActionId || !req.body?.type) return {
 			status_code: 400,
@@ -11064,7 +11075,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::frontier" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -11084,7 +11095,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::next" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -11103,7 +11114,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::lease-acquire" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.actionId || !req.body?.agentId) return {
 			status_code: 400,
@@ -11123,7 +11134,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::lease-release" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.actionId || !req.body?.agentId) return {
 			status_code: 400,
@@ -11143,7 +11154,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::lease-renew" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.actionId || !req.body?.agentId) return {
 			status_code: 400,
@@ -11163,7 +11174,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::routine-create" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.name) return {
 			status_code: 400,
@@ -11183,7 +11194,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::routine-list" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -11199,7 +11210,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::routine-run" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.routineId) return {
 			status_code: 400,
@@ -11219,7 +11230,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::routine-status" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const runId = req.query_params?.["runId"];
 		if (!runId) return {
@@ -11240,7 +11251,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::signal-send" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.from || !req.body?.content) return {
 			status_code: 400,
@@ -11260,7 +11271,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::signal-read" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const agentId = req.query_params?.["agentId"];
 		if (!agentId) return {
@@ -11286,7 +11297,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::checkpoint-create" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.name) return {
 			status_code: 400,
@@ -11306,7 +11317,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::checkpoint-resolve" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.checkpointId || !req.body?.status) return {
 			status_code: 400,
@@ -11326,7 +11337,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::checkpoint-list" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -11345,7 +11356,9 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::mesh-register" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const secretErr = requireConfiguredSecret(secret, "mesh");
+		if (secretErr) return secretErr;
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.url || !req.body?.name) return {
 			status_code: 400,
@@ -11365,7 +11378,9 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::mesh-list" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const secretErr = requireConfiguredSecret(secret, "mesh");
+		if (secretErr) return secretErr;
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -11381,7 +11396,9 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::mesh-sync" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const secretErr = requireConfiguredSecret(secret, "mesh");
+		if (secretErr) return secretErr;
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -11397,7 +11414,9 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::mesh-receive" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const secretErr = requireConfiguredSecret(secret, "mesh");
+		if (secretErr) return secretErr;
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -11413,7 +11432,9 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::mesh-export" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const secretErr = requireConfiguredSecret(secret, "mesh");
+		if (secretErr) return secretErr;
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const since = req.query_params?.["since"];
 		if (since) {
@@ -11459,7 +11480,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::flow-compress" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		try {
 			return {
@@ -11482,7 +11503,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::branch-detect" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const cwd = req.query_params?.["cwd"] || process.cwd();
 		return {
@@ -11499,7 +11520,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::branch-worktrees" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const cwd = req.query_params?.["cwd"] || process.cwd();
 		return {
@@ -11516,7 +11537,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::branch-sessions" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const cwd = req.query_params?.["cwd"] || process.cwd();
 		return {
@@ -11532,27 +11553,21 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 			http_method: "GET"
 		}
 	});
-	sdk.registerFunction({ id: "api::viewer" }, async () => {
-		const headers = {
-			"Content-Type": "text/html",
-			"Content-Security-Policy": VIEWER_CSP
+	sdk.registerFunction({ id: "api::viewer" }, async (req) => {
+		const denied = checkAuth(req, secret);
+		if (denied) return denied;
+		const rendered = renderViewerDocument();
+		if (rendered.found) return {
+			status_code: 200,
+			headers: {
+				"Content-Type": "text/html",
+				"Content-Security-Policy": rendered.csp
+			},
+			body: rendered.html
 		};
-		const base = dirname(fileURLToPath(import.meta.url));
-		const candidates = [
-			join(base, "..", "viewer", "index.html"),
-			join(base, "..", "src", "viewer", "index.html"),
-			join(base, "viewer", "index.html")
-		];
-		for (const p of candidates) try {
-			return {
-				status_code: 200,
-				headers,
-				body: readFileSync(p, "utf-8")
-			};
-		} catch {}
 		return {
 			status_code: 404,
-			headers,
+			headers: { "Content-Type": "text/html" },
 			body: "<!DOCTYPE html><html><body><h1>agentmemory</h1><p>viewer not found</p></body></html>"
 		};
 	});
@@ -11565,7 +11580,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::sentinel-create" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.name) return {
@@ -11586,7 +11601,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::sentinel-trigger" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.sentinelId) return {
@@ -11607,7 +11622,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::sentinel-check" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		return {
 			status_code: 200,
@@ -11623,7 +11638,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::sentinel-cancel" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.sentinelId) return {
@@ -11644,7 +11659,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::sentinel-list" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const params = req.query_params || {};
 		return {
@@ -11664,7 +11679,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::sketch-create" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.title) return {
@@ -11685,7 +11700,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::sketch-add" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.sketchId || !body?.title) return {
@@ -11706,7 +11721,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::sketch-promote" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.sketchId) return {
@@ -11727,7 +11742,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::sketch-discard" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.sketchId) return {
@@ -11748,7 +11763,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::sketch-list" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const params = req.query_params || {};
 		return {
@@ -11768,7 +11783,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::sketch-gc" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		return {
 			status_code: 200,
@@ -11784,7 +11799,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::crystallize" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.actionIds) return {
@@ -11805,7 +11820,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::crystal-list" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const params = req.query_params || {};
 		return {
@@ -11826,7 +11841,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::auto-crystallize" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		return {
@@ -11843,7 +11858,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::diagnose" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		return {
@@ -11860,7 +11875,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::heal" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		return {
@@ -11877,7 +11892,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::facet-tag" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.targetId || !body?.dimension || !body?.value) return {
@@ -11898,7 +11913,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::facet-untag" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.targetId || !body?.dimension) return {
@@ -11919,7 +11934,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::facet-query" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		return {
@@ -11936,7 +11951,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::facet-get" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const params = req.query_params || {};
 		if (!params.targetId) return {
@@ -11957,7 +11972,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::facet-stats" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const params = req.query_params || {};
 		return {
@@ -11974,7 +11989,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::verify" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.id || typeof body.id !== "string") return {
@@ -11995,7 +12010,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::cascade-update" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.supersededMemoryId || typeof body.supersededMemoryId !== "string") return {
@@ -12016,7 +12031,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::lesson-save" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.content || typeof body.content !== "string") return {
@@ -12046,7 +12061,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::lesson-list" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const params = req.query_params || {};
 		return {
@@ -12068,7 +12083,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::lesson-search" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.query || typeof body.query !== "string") return {
@@ -12089,7 +12104,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::lesson-strengthen" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.lessonId || typeof body.lessonId !== "string") return {
@@ -12110,7 +12125,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::obsidian-export" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body || {};
 		const types = typeof body.types === "string" ? body.types.split(",").map((t) => t.trim()).filter(Boolean) : void 0;
@@ -12131,7 +12146,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::reflect" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body || {};
 		return {
@@ -12151,7 +12166,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::insight-list" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const params = req.query_params || {};
 		return {
@@ -12172,7 +12187,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::insight-search" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.query || typeof body.query !== "string") return {
@@ -12253,925 +12268,6 @@ function registerEventTriggers(sdk, kv) {
 	});
 }
 
-//#endregion
-//#region src/mcp/tools-registry.ts
-const CORE_TOOLS = [
-	{
-		name: "memory_recall",
-		description: "Search past session observations for relevant context. Use when you need to recall what happened in previous sessions, find past decisions, or look up how a file was modified before.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				query: {
-					type: "string",
-					description: "Search query (keywords, file names, concepts)"
-				},
-				limit: {
-					type: "number",
-					description: "Max results to return (default 10)"
-				}
-			},
-			required: ["query"]
-		}
-	},
-	{
-		name: "memory_save",
-		description: "Explicitly save an important insight, decision, or pattern to long-term memory.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				content: {
-					type: "string",
-					description: "The insight or decision to remember"
-				},
-				type: {
-					type: "string",
-					description: "Memory type: pattern, preference, architecture, bug, workflow, or fact"
-				},
-				concepts: {
-					type: "string",
-					description: "Comma-separated key concepts"
-				},
-				files: {
-					type: "string",
-					description: "Comma-separated relevant file paths"
-				}
-			},
-			required: ["content"]
-		}
-	},
-	{
-		name: "memory_file_history",
-		description: "Get past observations about specific files.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				files: {
-					type: "string",
-					description: "Comma-separated file paths"
-				},
-				sessionId: {
-					type: "string",
-					description: "Current session ID to exclude"
-				}
-			},
-			required: ["files"]
-		}
-	},
-	{
-		name: "memory_patterns",
-		description: "Detect recurring patterns across sessions.",
-		inputSchema: {
-			type: "object",
-			properties: { project: {
-				type: "string",
-				description: "Project path to analyze"
-			} }
-		}
-	},
-	{
-		name: "memory_sessions",
-		description: "List recent sessions with their status and observation counts.",
-		inputSchema: {
-			type: "object",
-			properties: {}
-		}
-	},
-	{
-		name: "memory_smart_search",
-		description: "Hybrid semantic+keyword search with progressive disclosure.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				query: {
-					type: "string",
-					description: "Search query"
-				},
-				expandIds: {
-					type: "string",
-					description: "Comma-separated observation IDs to expand"
-				},
-				limit: {
-					type: "number",
-					description: "Max results (default 10)"
-				}
-			},
-			required: ["query"]
-		}
-	},
-	{
-		name: "memory_timeline",
-		description: "Chronological observations around an anchor point.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				anchor: {
-					type: "string",
-					description: "Anchor point: ISO date or keyword"
-				},
-				project: {
-					type: "string",
-					description: "Filter by project path"
-				},
-				before: {
-					type: "number",
-					description: "Observations before anchor (default 5)"
-				},
-				after: {
-					type: "number",
-					description: "Observations after anchor (default 5)"
-				}
-			},
-			required: ["anchor"]
-		}
-	},
-	{
-		name: "memory_profile",
-		description: "User/project profile with top concepts and file patterns.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				project: {
-					type: "string",
-					description: "Project path"
-				},
-				refresh: {
-					type: "string",
-					description: "Set to 'true' to force rebuild"
-				}
-			},
-			required: ["project"]
-		}
-	},
-	{
-		name: "memory_export",
-		description: "Export all memory data as JSON.",
-		inputSchema: {
-			type: "object",
-			properties: {}
-		}
-	},
-	{
-		name: "memory_relations",
-		description: "Query the memory relationship graph.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				memoryId: {
-					type: "string",
-					description: "Memory ID to find relations for"
-				},
-				maxHops: {
-					type: "number",
-					description: "Max traversal depth (default 2)"
-				},
-				minConfidence: {
-					type: "number",
-					description: "Min confidence (0-1, default 0)"
-				}
-			},
-			required: ["memoryId"]
-		}
-	}
-];
-const V040_TOOLS = [
-	{
-		name: "memory_claude_bridge_sync",
-		description: "Sync memory state to/from Claude Code's native MEMORY.md file.",
-		inputSchema: {
-			type: "object",
-			properties: { direction: {
-				type: "string",
-				description: "'read' to import from MEMORY.md, 'write' to export to MEMORY.md"
-			} },
-			required: ["direction"]
-		}
-	},
-	{
-		name: "memory_graph_query",
-		description: "Query the knowledge graph for entities and relationships.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				startNodeId: {
-					type: "string",
-					description: "Starting node ID for traversal"
-				},
-				nodeType: {
-					type: "string",
-					description: "Filter by node type"
-				},
-				maxDepth: {
-					type: "number",
-					description: "Max BFS depth (default 3, max 5)"
-				},
-				query: {
-					type: "string",
-					description: "Search nodes by name"
-				}
-			}
-		}
-	},
-	{
-		name: "memory_consolidate",
-		description: "Run the 4-tier memory consolidation pipeline (working -> episodic -> semantic -> procedural).",
-		inputSchema: {
-			type: "object",
-			properties: { tier: {
-				type: "string",
-				description: "Target tier: episodic, semantic, or procedural"
-			} }
-		}
-	},
-	{
-		name: "memory_team_share",
-		description: "Share a memory or observation with team members.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				itemId: {
-					type: "string",
-					description: "ID of memory or observation to share"
-				},
-				itemType: {
-					type: "string",
-					description: "Type: observation, memory, or pattern"
-				}
-			},
-			required: ["itemId", "itemType"]
-		}
-	},
-	{
-		name: "memory_team_feed",
-		description: "Get recent shared items from all team members.",
-		inputSchema: {
-			type: "object",
-			properties: { limit: {
-				type: "number",
-				description: "Max items (default 20)"
-			} }
-		}
-	},
-	{
-		name: "memory_audit",
-		description: "View the audit trail of memory operations.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				operation: {
-					type: "string",
-					description: "Filter by operation type"
-				},
-				limit: {
-					type: "number",
-					description: "Max entries (default 50)"
-				}
-			}
-		}
-	},
-	{
-		name: "memory_governance_delete",
-		description: "Delete specific memories with audit trail.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				memoryIds: {
-					type: "string",
-					description: "Comma-separated memory IDs to delete"
-				},
-				reason: {
-					type: "string",
-					description: "Reason for deletion"
-				}
-			},
-			required: ["memoryIds"]
-		}
-	},
-	{
-		name: "memory_snapshot_create",
-		description: "Create a git-versioned snapshot of current memory state.",
-		inputSchema: {
-			type: "object",
-			properties: { message: {
-				type: "string",
-				description: "Snapshot description"
-			} }
-		}
-	}
-];
-const V050_TOOLS = [
-	{
-		name: "memory_action_create",
-		description: "Create an actionable work item with typed dependencies. Actions track what agents need to do and how work items relate to each other.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				title: {
-					type: "string",
-					description: "Action title"
-				},
-				description: {
-					type: "string",
-					description: "Detailed description of the work"
-				},
-				priority: {
-					type: "number",
-					description: "Priority 1-10 (10 highest)"
-				},
-				project: {
-					type: "string",
-					description: "Project path"
-				},
-				tags: {
-					type: "string",
-					description: "Comma-separated tags"
-				},
-				parentId: {
-					type: "string",
-					description: "Parent action ID for hierarchical actions"
-				},
-				requires: {
-					type: "string",
-					description: "Comma-separated action IDs that must complete before this"
-				}
-			},
-			required: ["title"]
-		}
-	},
-	{
-		name: "memory_action_update",
-		description: "Update an action's status, priority, or details. Set status to 'done' to complete it and unblock dependent actions.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				actionId: {
-					type: "string",
-					description: "Action ID to update"
-				},
-				status: {
-					type: "string",
-					description: "New status: pending, active, done, blocked, cancelled"
-				},
-				result: {
-					type: "string",
-					description: "Outcome description (when completing)"
-				},
-				priority: {
-					type: "number",
-					description: "New priority 1-10"
-				}
-			},
-			required: ["actionId"]
-		}
-	},
-	{
-		name: "memory_frontier",
-		description: "Get all unblocked actions ranked by priority and urgency. Returns the frontier of actionable work with no unsatisfied dependencies.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				project: {
-					type: "string",
-					description: "Filter by project"
-				},
-				agentId: {
-					type: "string",
-					description: "Agent ID to check lease conflicts"
-				},
-				limit: {
-					type: "number",
-					description: "Max results (default 20)"
-				}
-			}
-		}
-	},
-	{
-		name: "memory_next",
-		description: "Get the single most important next action to work on. Combines dependency resolution, priority, and recency into a score.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				project: {
-					type: "string",
-					description: "Filter by project"
-				},
-				agentId: {
-					type: "string",
-					description: "Current agent ID"
-				}
-			}
-		}
-	},
-	{
-		name: "memory_lease",
-		description: "Acquire, release, or renew an exclusive lease on an action. Prevents multiple agents from working on the same thing.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				actionId: {
-					type: "string",
-					description: "Action ID"
-				},
-				agentId: {
-					type: "string",
-					description: "Agent claiming the action"
-				},
-				operation: {
-					type: "string",
-					description: "acquire, release, or renew"
-				},
-				result: {
-					type: "string",
-					description: "Result when releasing (marks action done)"
-				},
-				ttlMs: {
-					type: "number",
-					description: "Lease duration in ms (default 10min, max 1hr)"
-				}
-			},
-			required: [
-				"actionId",
-				"agentId",
-				"operation"
-			]
-		}
-	},
-	{
-		name: "memory_routine_run",
-		description: "Instantiate a frozen workflow routine, creating actions for each step with proper dependencies.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				routineId: {
-					type: "string",
-					description: "Routine template ID"
-				},
-				project: {
-					type: "string",
-					description: "Project context"
-				},
-				initiatedBy: {
-					type: "string",
-					description: "Agent starting the run"
-				}
-			},
-			required: ["routineId"]
-		}
-	},
-	{
-		name: "memory_signal_send",
-		description: "Send a message to another agent or broadcast. Supports threading, typed messages, and TTL expiration.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				from: {
-					type: "string",
-					description: "Sender agent ID"
-				},
-				to: {
-					type: "string",
-					description: "Recipient agent ID (omit for broadcast)"
-				},
-				content: {
-					type: "string",
-					description: "Message content"
-				},
-				type: {
-					type: "string",
-					description: "Message type: info, request, response, alert, handoff"
-				},
-				replyTo: {
-					type: "string",
-					description: "Signal ID to reply to (auto-threads)"
-				}
-			},
-			required: ["from", "content"]
-		}
-	},
-	{
-		name: "memory_signal_read",
-		description: "Read messages for an agent. Marks delivered messages as read.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				agentId: {
-					type: "string",
-					description: "Agent to read messages for"
-				},
-				unreadOnly: {
-					type: "string",
-					description: "Set to 'true' for unread only"
-				},
-				threadId: {
-					type: "string",
-					description: "Filter by conversation thread"
-				},
-				limit: {
-					type: "number",
-					description: "Max messages (default 50)"
-				}
-			},
-			required: ["agentId"]
-		}
-	},
-	{
-		name: "memory_checkpoint",
-		description: "Create or resolve an external checkpoint (CI result, approval, deploy status) that gates action progress.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				operation: {
-					type: "string",
-					description: "create, resolve, or list"
-				},
-				name: {
-					type: "string",
-					description: "Checkpoint name (for create)"
-				},
-				checkpointId: {
-					type: "string",
-					description: "Checkpoint ID (for resolve)"
-				},
-				status: {
-					type: "string",
-					description: "passed or failed (for resolve)"
-				},
-				type: {
-					type: "string",
-					description: "Checkpoint type: ci, approval, deploy, external, timer"
-				},
-				linkedActionIds: {
-					type: "string",
-					description: "Comma-separated action IDs this checkpoint gates (for create)"
-				}
-			},
-			required: ["operation"]
-		}
-	},
-	{
-		name: "memory_mesh_sync",
-		description: "Sync memories and actions with peer agentmemory instances for multi-agent collaboration.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				peerId: {
-					type: "string",
-					description: "Specific peer ID (omit for all)"
-				},
-				direction: {
-					type: "string",
-					description: "push, pull, or both (default both)"
-				}
-			}
-		}
-	}
-];
-const V051_TOOLS = [
-	{
-		name: "memory_sentinel_create",
-		description: "Create an event-driven sentinel that watches for conditions (webhook, timer, threshold, pattern, approval) and auto-unblocks gated actions when triggered.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				name: {
-					type: "string",
-					description: "Sentinel name"
-				},
-				type: {
-					type: "string",
-					description: "Type: webhook, timer, threshold, pattern, approval, custom"
-				},
-				config: {
-					type: "string",
-					description: "JSON config (timer: {durationMs}, threshold: {metric,operator,value}, pattern: {pattern}, webhook: {path})"
-				},
-				linkedActionIds: {
-					type: "string",
-					description: "Comma-separated action IDs to gate"
-				},
-				expiresInMs: {
-					type: "number",
-					description: "Auto-expire after ms"
-				}
-			},
-			required: ["name", "type"]
-		}
-	},
-	{
-		name: "memory_sentinel_trigger",
-		description: "Externally fire a sentinel, providing an optional result payload. Unblocks any gated actions.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				sentinelId: {
-					type: "string",
-					description: "Sentinel ID to trigger"
-				},
-				result: {
-					type: "string",
-					description: "JSON result payload"
-				}
-			},
-			required: ["sentinelId"]
-		}
-	},
-	{
-		name: "memory_sketch_create",
-		description: "Create an ephemeral action graph for exploratory work. Auto-expires after TTL. Can be promoted to permanent actions or discarded.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				title: {
-					type: "string",
-					description: "Sketch title"
-				},
-				description: {
-					type: "string",
-					description: "What this sketch explores"
-				},
-				expiresInMs: {
-					type: "number",
-					description: "TTL in ms (default 1 hour)"
-				},
-				project: {
-					type: "string",
-					description: "Project context"
-				}
-			},
-			required: ["title"]
-		}
-	},
-	{
-		name: "memory_sketch_promote",
-		description: "Promote a sketch's ephemeral actions to permanent actions. Makes the exploratory work official.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				sketchId: {
-					type: "string",
-					description: "Sketch ID to promote"
-				},
-				project: {
-					type: "string",
-					description: "Override project for promoted actions"
-				}
-			},
-			required: ["sketchId"]
-		}
-	},
-	{
-		name: "memory_crystallize",
-		description: "Compress completed action chains into compact crystal digests using LLM summarization. Extracts narrative, key outcomes, files affected, and lessons.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				actionIds: {
-					type: "string",
-					description: "Comma-separated completed action IDs to crystallize"
-				},
-				project: {
-					type: "string",
-					description: "Project context"
-				},
-				sessionId: {
-					type: "string",
-					description: "Session context"
-				}
-			},
-			required: ["actionIds"]
-		}
-	},
-	{
-		name: "memory_diagnose",
-		description: "Run health checks across all subsystems (actions, leases, sentinels, sketches, signals, sessions, memories, mesh). Identifies stuck, orphaned, and inconsistent state.",
-		inputSchema: {
-			type: "object",
-			properties: { categories: {
-				type: "string",
-				description: "Comma-separated categories to check (default all)"
-			} }
-		}
-	},
-	{
-		name: "memory_heal",
-		description: "Auto-fix all fixable issues found by diagnostics. Unblocks stuck actions, expires stale leases, cleans up orphaned data.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				categories: {
-					type: "string",
-					description: "Comma-separated categories to heal (default all)"
-				},
-				dryRun: {
-					type: "string",
-					description: "Set to 'true' for dry run (report but don't fix)"
-				}
-			}
-		}
-	},
-	{
-		name: "memory_facet_tag",
-		description: "Attach a structured tag (dimension:value) to an action, memory, or observation for multi-dimensional categorization.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				targetId: {
-					type: "string",
-					description: "ID of the target to tag"
-				},
-				targetType: {
-					type: "string",
-					description: "Type: action, memory, or observation"
-				},
-				dimension: {
-					type: "string",
-					description: "Tag dimension (e.g., priority, team, status)"
-				},
-				value: {
-					type: "string",
-					description: "Tag value (e.g., urgent, backend, reviewed)"
-				}
-			},
-			required: [
-				"targetId",
-				"targetType",
-				"dimension",
-				"value"
-			]
-		}
-	},
-	{
-		name: "memory_facet_query",
-		description: "Query targets by facet tags with AND/OR logic. Find all actions tagged priority:urgent AND team:backend.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				matchAll: {
-					type: "string",
-					description: "Comma-separated dimension:value pairs (AND logic)"
-				},
-				matchAny: {
-					type: "string",
-					description: "Comma-separated dimension:value pairs (OR logic)"
-				},
-				targetType: {
-					type: "string",
-					description: "Filter by type: action, memory, or observation"
-				}
-			}
-		}
-	}
-];
-const V061_TOOLS = [{
-	name: "memory_verify",
-	description: "Verify a memory or observation by tracing its citation chain back to source observations and session context. Returns provenance information including confidence scores.",
-	inputSchema: {
-		type: "object",
-		properties: { id: {
-			type: "string",
-			description: "Memory ID or observation ID to verify"
-		} },
-		required: ["id"]
-	}
-}];
-const V070_TOOLS = [
-	{
-		name: "memory_lesson_save",
-		description: "Save a lesson learned from this session. Lessons have confidence scores that strengthen when reinforced and decay when not used. Duplicate content auto-strengthens the existing lesson.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				content: {
-					type: "string",
-					description: "The lesson learned (what worked, what to avoid, when to use X approach)"
-				},
-				context: {
-					type: "string",
-					description: "When/where this lesson applies"
-				},
-				confidence: {
-					type: "number",
-					description: "Initial confidence 0.0-1.0 (default 0.5)"
-				},
-				project: {
-					type: "string",
-					description: "Project this lesson is about"
-				},
-				tags: {
-					type: "string",
-					description: "Comma-separated tags"
-				}
-			},
-			required: ["content"]
-		}
-	},
-	{
-		name: "memory_lesson_recall",
-		description: "Search lessons by query. Returns lessons sorted by confidence and recency. Use to check what the agent has learned before making decisions.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				query: {
-					type: "string",
-					description: "Search query"
-				},
-				project: {
-					type: "string",
-					description: "Filter by project"
-				},
-				minConfidence: {
-					type: "number",
-					description: "Minimum confidence threshold (default 0.1)"
-				},
-				limit: {
-					type: "number",
-					description: "Max results (default 10)"
-				}
-			},
-			required: ["query"]
-		}
-	},
-	{
-		name: "memory_obsidian_export",
-		description: "Export memories, lessons, and crystals as Obsidian-compatible Markdown files with YAML frontmatter and wikilinks for graph view.",
-		inputSchema: {
-			type: "object",
-			properties: {
-				vaultDir: {
-					type: "string",
-					description: "Output directory (default ~/.agentmemory/vault/)"
-				},
-				types: {
-					type: "string",
-					description: "Comma-separated types to export: memories,lessons,crystals,sessions (default all)"
-				}
-			}
-		}
-	}
-];
-const V073_TOOLS = [{
-	name: "memory_reflect",
-	description: "Traverse the knowledge graph, group related memories by concept clusters, and synthesize higher-order insights via LLM. Returns new and reinforced insights.",
-	inputSchema: {
-		type: "object",
-		properties: {
-			project: {
-				type: "string",
-				description: "Filter by project"
-			},
-			maxClusters: {
-				type: "number",
-				description: "Max concept clusters to process (default 10, max 20)"
-			}
-		}
-	}
-}, {
-	name: "memory_insight_list",
-	description: "List synthesized insights — higher-order observations derived from patterns across memories, lessons, and crystals.",
-	inputSchema: {
-		type: "object",
-		properties: {
-			project: {
-				type: "string",
-				description: "Filter by project"
-			},
-			minConfidence: {
-				type: "number",
-				description: "Minimum confidence threshold (default 0)"
-			},
-			limit: {
-				type: "number",
-				description: "Max results (default 50)"
-			}
-		}
-	}
-}];
-const ESSENTIAL_TOOLS = new Set([
-	"memory_save",
-	"memory_recall",
-	"memory_consolidate",
-	"memory_smart_search",
-	"memory_sessions",
-	"memory_diagnose",
-	"memory_lesson_save",
-	"memory_reflect"
-]);
-function getAllTools() {
-	return [
-		...CORE_TOOLS,
-		...V040_TOOLS,
-		...V050_TOOLS,
-		...V051_TOOLS,
-		...V061_TOOLS,
-		...V070_TOOLS,
-		...V073_TOOLS
-	];
-}
-function getVisibleTools() {
-	if ((process.env["AGENTMEMORY_TOOLS"] || "core") === "all") return getAllTools();
-	return getAllTools().filter((t) => ESSENTIAL_TOOLS.has(t.name));
-}
-
 //#endregion
 //#region src/mcp/server.ts
 function registerMcpEndpoints(sdk, kv, secret) {
@@ -14441,11 +13537,6 @@ function readBody(req) {
 		req.on("error", reject);
 	});
 }
-function checkAuth(req, secret) {
-	if (!secret) return true;
-	const auth = req.headers["authorization"] || "";
-	return typeof auth === "string" && timingSafeCompare(auth, `Bearer ${secret}`);
-}
 function startViewerServer(port, _kv, _sdk, secret, restPort) {
 	const resolvedRestPort = restPort ?? port - 2;
 	const server = createServer(async (req, res) => {
@@ -14463,32 +13554,20 @@ function startViewerServer(port, _kv, _sdk, secret, restPort) {
 			return;
 		}
 		if (method === "GET" && (pathname === "/" || pathname === "/viewer" || pathname === "/agentmemory/viewer")) {
-			const base = dirname(fileURLToPath(import.meta.url));
-			const candidates = [
-				join(base, "index.html"),
-				join(base, "viewer", "index.html"),
-				join(base, "..", "viewer", "index.html"),
-				join(base, "..", "src", "viewer", "index.html"),
-				join(base, "..", "dist", "viewer", "index.html")
-			];
-			for (const p of candidates) try {
-				const html = readFileSync(p, "utf-8");
+			const rendered = renderViewerDocument();
+			if (rendered.found) {
 				res.writeHead(200, {
 					"Content-Type": "text/html; charset=utf-8",
-					"Content-Security-Policy": VIEWER_CSP,
+					"Content-Security-Policy": rendered.csp,
 					"Cache-Control": "no-cache"
 				});
-				res.end(html);
+				res.end(rendered.html);
 				return;
-			} catch {}
+			}
 			res.writeHead(404, { "Content-Type": "text/plain" });
 			res.end("viewer not found");
 			return;
 		}
-		if (!checkAuth(req, secret)) {
-			json(res, 401, { error: "unauthorized" }, req);
-			return;
-		}
 		try {
 			await proxyToRestApi(resolvedRestPort, pathname, qs, method, req, res, secret);
 		} catch (err) {
@@ -14746,7 +13825,7 @@ async function main() {
 	registerRoutinesFunction(sdk, kv);
 	registerSignalsFunction(sdk, kv);
 	registerCheckpointsFunction(sdk, kv);
-	registerMeshFunction(sdk, kv);
+	registerMeshFunction(sdk, kv, secret);
 	registerBranchAwareFunction(sdk, kv);
 	registerFlowCompressFunction(sdk, kv, provider);
 	registerSentinelsFunction(sdk, kv);
@@ -14859,4 +13938,4 @@ main().catch((err) => {
 
 //#endregion
 export {  };
-//# sourceMappingURL=src-Df36IFVL.mjs.map
+//# sourceMappingURL=src-BuDB8dPq.mjs.map