@agentmemory/agentmemory 0.8.1 → 0.8.6

package/dist/index.mjs

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import { getContext, init } from "iii-sdk";
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
-import { dirname, join, resolve } from "node:path";
+import { dirname, join, resolve, sep } from "node:path";
 import { homedir } from "node:os";
 import Anthropic from "@anthropic-ai/sdk";
 import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";
@@ -902,7 +902,8 @@ const KV = {
 	graphEdgeHistory: "mem:graph:edge-history",
 	enrichedChunks: (sessionId) => `mem:enriched:${sessionId}`,
 	latentEmbeddings: (obsId) => `mem:latent:${obsId}`,
-	retentionScores: "mem:retention"
+	retentionScores: "mem:retention",
+	accessLog: "mem:access"
 };
 const STREAM = {
 	name: "mem-live",
@@ -1951,9 +1952,11 @@ var IndexPersistence = class {
 const PRIVATE_TAG_RE = /<private>[\s\S]*?<\/private>/gi;
 const SECRET_PATTERN_SOURCES = [
 	/(?:api[_-]?key|secret|token|password|credential|auth)[\s]*[=:]\s*["']?[A-Za-z0-9_\-/.+]{20,}["']?/gi,
-	/(?:sk|pk|rk|ak)-[A-Za-z0-9]{20,}/g,
+	/Bearer\s+[A-Za-z0-9._\-+/=]{20,}/gi,
+	/sk-proj-[A-Za-z0-9\-_]{20,}/g,
+	/(?:sk|pk|rk|ak)-[A-Za-z0-9][A-Za-z0-9\-_]{19,}/g,
 	/sk-ant-[A-Za-z0-9\-_]{20,}/g,
-	/ghp_[A-Za-z0-9]{36}/g,
+	/gh[pus]_[A-Za-z0-9]{36,}/g,
 	/github_pat_[A-Za-z0-9_]{22,}/g,
 	/xoxb-[A-Za-z0-9\-]+/g,
 	/AKIA[0-9A-Z]{16}/g,
@@ -2154,6 +2157,77 @@ function getXmlChildren(xml, parentTag, childTag) {
 	return items;
 }
 
+//#endregion
+//#region src/functions/access-tracker.ts
+const RECENT_CAP = 20;
+function emptyAccessLog(memoryId) {
+	return {
+		memoryId,
+		count: 0,
+		lastAt: "",
+		recent: []
+	};
+}
+function normalizeAccessLog(raw) {
+	const r = raw ?? {};
+	const rawCount = typeof r.count === "number" && Number.isFinite(r.count) ? r.count : 0;
+	const count = Math.max(0, Math.floor(rawCount));
+	const rawRecent = Array.isArray(r.recent) ? r.recent.filter((x) => typeof x === "number" && Number.isFinite(x)) : [];
+	const recent = rawRecent.length > RECENT_CAP ? rawRecent.slice(-RECENT_CAP) : rawRecent;
+	return {
+		memoryId: typeof r.memoryId === "string" ? r.memoryId : "",
+		count: Math.max(count, recent.length),
+		lastAt: typeof r.lastAt === "string" ? r.lastAt : "",
+		recent
+	};
+}
+async function getAccessLog(kv, memoryId) {
+	try {
+		const raw = await kv.get(KV.accessLog, memoryId);
+		if (!raw) return emptyAccessLog(memoryId);
+		const normalized = normalizeAccessLog(raw);
+		if (!normalized.memoryId) normalized.memoryId = memoryId;
+		return normalized;
+	} catch {
+		return emptyAccessLog(memoryId);
+	}
+}
+async function recordAccess(kv, memoryId, timestampMs) {
+	if (!memoryId) return;
+	const ts = timestampMs ?? Date.now();
+	try {
+		await withKeyedLock(`mem:access:${memoryId}`, async () => {
+			const existing = await getAccessLog(kv, memoryId);
+			existing.count += 1;
+			existing.lastAt = new Date(ts).toISOString();
+			existing.recent.push(ts);
+			if (existing.recent.length > RECENT_CAP) existing.recent = existing.recent.slice(-RECENT_CAP);
+			await kv.set(KV.accessLog, memoryId, existing);
+		});
+	} catch (err) {
+		try {
+			getContext().logger.warn("recordAccess failed", {
+				memoryId,
+				error: err instanceof Error ? err.message : String(err)
+			});
+		} catch {}
+	}
+}
+async function recordAccessBatch(kv, memoryIds, timestampMs) {
+	if (!memoryIds || memoryIds.length === 0) return;
+	const ts = timestampMs ?? Date.now();
+	const unique = Array.from(new Set(memoryIds.filter(Boolean)));
+	await Promise.allSettled(unique.map((id) => recordAccess(kv, id, ts)));
+}
+async function deleteAccessLog(kv, memoryId) {
+	if (!memoryId) return;
+	try {
+		await withKeyedLock(`mem:access:${memoryId}`, async () => {
+			await kv.delete(KV.accessLog, memoryId);
+		});
+	} catch {}
+}
+
 //#endregion
 //#region src/functions/search.ts
 let index = null;
@@ -2240,6 +2314,7 @@ function registerSearchFunction(sdk, kv) {
 				sessionId: candidates[i].sessionId
 			});
 		}
+		recordAccessBatch(kv, enriched.map((r) => r.observation.id));
 		ctx.logger.info("Search completed", {
 			query,
 			results: enriched.length,
@@ -2635,19 +2710,22 @@ function registerContextFunction(sdk, kv, tokenBudget) {
 			const i = sessionsNeedingObs[j];
 			const important = obsResults[j].filter((o) => o.title && o.importance >= 5);
 			if (important.length > 0) {
-				const items = important.sort((a, b) => b.importance - a.importance).slice(0, 5).map((o) => `- [${o.type}] ${o.title}: ${o.narrative}`).join("\n");
+				const top = important.sort((a, b) => b.importance - a.importance).slice(0, 5);
+				const items = top.map((o) => `- [${o.type}] ${o.title}: ${o.narrative}`).join("\n");
 				const content = `## Session ${sessions[i].id.slice(0, 8)} (${sessions[i].startedAt})\n${items}`;
 				blocks.push({
 					type: "observation",
 					content,
 					tokens: estimateTokens$1(content),
-					recency: new Date(sessions[i].startedAt).getTime()
+					recency: new Date(sessions[i].startedAt).getTime(),
+					sourceIds: top.map((o) => o.id)
 				});
 			}
 		}
 		blocks.sort((a, b) => b.recency - a.recency);
 		let usedTokens = 0;
 		const selected = [];
+		const accessedIds = [];
 		const header = `<agentmemory-context project="${escapeXmlAttr(data.project)}">`;
 		const footer = `</agentmemory-context>`;
 		usedTokens += estimateTokens$1(header) + estimateTokens$1(footer);
@@ -2655,7 +2733,9 @@ function registerContextFunction(sdk, kv, tokenBudget) {
 			if (usedTokens + block.tokens > budget) break;
 			selected.push(block.content);
 			usedTokens += block.tokens;
+			if (block.sourceIds && block.sourceIds.length > 0) accessedIds.push(...block.sourceIds);
 		}
+		if (accessedIds.length > 0) recordAccessBatch(kv, accessedIds);
 		if (selected.length === 0) {
 			ctx.logger.info("No context available", { project: data.project });
 			return {
@@ -2988,6 +3068,9 @@ function registerFileIndexFunction(sdk, kv) {
 			for (const obs of fh.observations) lines.push(`- [${obs.type}] ${obs.title}: ${obs.narrative}`);
 		}
 		lines.push("</agentmemory-file-context>");
+		const accessedIds = [];
+		for (const fh of results) for (const obs of fh.observations) accessedIds.push(obs.obsId);
+		recordAccessBatch(kv, accessedIds);
 		const context = lines.join("\n");
 		ctx.logger.info("File context generated", {
 			files: data.files.length,
@@ -3300,6 +3383,7 @@ function registerRememberFunction(sdk, kv) {
 		let deleted = 0;
 		if (data.memoryId) {
 			await kv.delete(KV.memories, data.memoryId);
+			await deleteAccessLog(kv, data.memoryId);
 			deleted++;
 		}
 		if (data.sessionId && data.observationIds && data.observationIds.length > 0) for (const obsId of data.observationIds) {
@@ -3391,13 +3475,19 @@ function registerEvictFunction(sdk, kv) {
 				if (now > new Date(mem.forgetAfter).getTime()) {
 					stats.expiredMemories++;
 					evictedMemIds.add(mem.id);
-					if (!dryRun) await kv.delete(KV.memories, mem.id).catch(() => {});
+					if (!dryRun) {
+						await kv.delete(KV.memories, mem.id).catch(() => {});
+						await deleteAccessLog(kv, mem.id);
+					}
 				}
 			}
 			if (!evictedMemIds.has(mem.id) && mem.isLatest === false && mem.createdAt) {
 				if (now - new Date(mem.createdAt).getTime() > cfg.lowImportanceMaxDays * MS_PER_DAY$1) {
 					stats.nonLatestMemories++;
-					if (!dryRun) await kv.delete(KV.memories, mem.id).catch(() => {});
+					if (!dryRun) {
+						await kv.delete(KV.memories, mem.id).catch(() => {});
+						await deleteAccessLog(kv, mem.id);
+					}
 				}
 			}
 		}
@@ -3562,6 +3652,7 @@ function registerRelationsFunction(sdk, kv) {
 			});
 		}
 		result.sort((a, b) => b.confidence - a.confidence);
+		recordAccessBatch(kv, result.map((r) => r.memory.id));
 		ctx.logger.info("Related memories retrieved", {
 			memoryId: data.memoryId,
 			found: result.length
@@ -3633,6 +3724,7 @@ function registerTimelineFunction(sdk, kv) {
 				relativePosition: i - anchorIdx
 			});
 		}
+		recordAccessBatch(kv, entries.map((e) => e.observation.id));
 		ctx.logger.info("Timeline retrieved", {
 			anchor: data.anchor,
 			entries: entries.length
@@ -3683,6 +3775,7 @@ function registerSmartSearchFunction(sdk, kv, searchFn) {
 				observation: obs
 			} : null)));
 			for (const r of results) if (r) expanded.push(r);
+			recordAccessBatch(kv, expanded.map((e) => e.observation.id));
 			const truncated = data.expandIds.length > raw.length;
 			ctx.logger.info("Smart search expanded", {
 				requested: data.expandIds.length,
@@ -3710,6 +3803,7 @@ function registerSmartSearchFunction(sdk, kv, searchFn) {
 			score: r.combinedScore,
 			timestamp: r.observation.timestamp
 		}));
+		recordAccessBatch(kv, compact.map((r) => r.obsId));
 		ctx.logger.info("Smart search compact", {
 			query: data.query,
 			results: compact.length
@@ -3841,7 +3935,10 @@ function registerAutoForgetFunction(sdk, kv) {
 			if (now > new Date(mem.forgetAfter).getTime()) {
 				result.ttlExpired.push(mem.id);
 				deletedIds.add(mem.id);
-				if (!dryRun) await kv.delete(KV.memories, mem.id);
+				if (!dryRun) {
+					await kv.delete(KV.memories, mem.id);
+					await deleteAccessLog(kv, mem.id);
+				}
 			}
 		}
 		const latestMemories = memories.filter((m) => m.isLatest !== false && !deletedIds.has(m.id)).sort((a, b) => new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime()).slice(0, 1e3);
@@ -3910,7 +4007,7 @@ function registerAutoForgetFunction(sdk, kv) {
 
 //#endregion
 //#region src/version.ts
-const VERSION = "0.8.1";
+const VERSION = "0.8.6";
 
 //#endregion
 //#region src/functions/export-import.ts
@@ -3938,7 +4035,7 @@ function registerExportImportFunction(sdk, kv) {
 		const uniqueProjects = [...new Set(paginatedSessions.map((s) => s.project))];
 		const profileResults = await Promise.all(uniqueProjects.map((project) => kv.get(KV.profiles, project).catch(() => null)));
 		for (const profile of profileResults) if (profile) profiles.push(profile);
-		const [graphNodes, graphEdges, semanticMemories, proceduralMemories, actions, actionEdges, sentinels, sketches, crystals, facets, lessons, insights, routines, signals, checkpoints] = await Promise.all([
+		const [graphNodes, graphEdges, semanticMemories, proceduralMemories, actions, actionEdges, sentinels, sketches, crystals, facets, lessons, insights, routines, signals, checkpoints, accessLogs] = await Promise.all([
 			kv.list(KV.graphNodes).catch(() => []),
 			kv.list(KV.graphEdges).catch(() => []),
 			kv.list(KV.semantic).catch(() => []),
@@ -3953,7 +4050,8 @@ function registerExportImportFunction(sdk, kv) {
 			kv.list(KV.insights).catch(() => []),
 			kv.list(KV.routines).catch(() => []),
 			kv.list(KV.signals).catch(() => []),
-			kv.list(KV.checkpoints).catch(() => [])
+			kv.list(KV.checkpoints).catch(() => []),
+			kv.list(KV.accessLog).catch(() => [])
 		]);
 		const exportData = {
 			version: VERSION,
@@ -3977,7 +4075,8 @@ function registerExportImportFunction(sdk, kv) {
 			insights: insights.length > 0 ? insights : void 0,
 			routines: routines.length > 0 ? routines : void 0,
 			signals: signals.length > 0 ? signals : void 0,
-			checkpoints: checkpoints.length > 0 ? checkpoints : void 0
+			checkpoints: checkpoints.length > 0 ? checkpoints : void 0,
+			accessLogs: accessLogs.length > 0 ? accessLogs : void 0
 		};
 		if (maxSessions !== void 0) exportData.pagination = {
 			offset,
@@ -4017,7 +4116,12 @@ function registerExportImportFunction(sdk, kv) {
 			"0.7.7",
 			"0.7.9",
 			"0.8.0",
-			"0.8.1"
+			"0.8.1",
+			"0.8.2",
+			"0.8.3",
+			"0.8.4",
+			"0.8.5",
+			"0.8.6"
 		]).has(importData.version)) return {
 			success: false,
 			error: `Unsupported export version: ${importData.version}`
@@ -4027,6 +4131,7 @@ function registerExportImportFunction(sdk, kv) {
 		const MAX_SUMMARIES = 1e4;
 		const MAX_OBS_PER_SESSION = 5e3;
 		const MAX_TOTAL_OBSERVATIONS = 5e5;
+		const MAX_ACCESS_LOGS = 5e4;
 		if (!Array.isArray(importData.sessions)) return {
 			success: false,
 			error: "sessions must be an array"
@@ -4109,6 +4214,7 @@ function registerExportImportFunction(sdk, kv) {
 			for (const e of await kv.list(KV.graphEdges).catch(() => [])) await kv.delete(KV.graphEdges, e.id);
 			for (const s of await kv.list(KV.semantic).catch(() => [])) await kv.delete(KV.semantic, s.id);
 			for (const p of await kv.list(KV.procedural).catch(() => [])) await kv.delete(KV.procedural, p.id);
+			for (const a of await kv.list(KV.accessLog).catch(() => [])) await kv.delete(KV.accessLog, a.memoryId);
 		}
 		for (const session of importData.sessions) {
 			if (strategy === "skip") {
@@ -4285,6 +4391,28 @@ function registerExportImportFunction(sdk, kv) {
 			}
 			await kv.set(KV.insights, insight.id, insight);
 		}
+		if (importData.accessLogs) {
+			if (!Array.isArray(importData.accessLogs)) return {
+				success: false,
+				error: "accessLogs must be an array"
+			};
+			if (importData.accessLogs.length > MAX_ACCESS_LOGS) return {
+				success: false,
+				error: `Too many access logs (max ${MAX_ACCESS_LOGS})`
+			};
+			const memoryIds = new Set(importData.memories.map((m) => m.id));
+			for (const raw of importData.accessLogs) {
+				const log = normalizeAccessLog(raw);
+				if (!log.memoryId || !memoryIds.has(log.memoryId)) continue;
+				if (strategy === "skip") {
+					if (await kv.get(KV.accessLog, log.memoryId).catch(() => null)) {
+						stats.skipped++;
+						continue;
+					}
+				}
+				await kv.set(KV.accessLog, log.memoryId, log);
+			}
+		}
 		ctx.logger.info("Import complete", {
 			strategy,
 			...stats
@@ -5053,6 +5181,7 @@ function registerGovernanceFunction(sdk, kv) {
 		let deleted = 0;
 		for (const id of data.memoryIds) if (await kv.get(KV.memories, id)) {
 			await kv.delete(KV.memories, id);
+			await deleteAccessLog(kv, id);
 			deleted++;
 		}
 		await recordAudit(kv, "delete", "mem::governance-delete", data.memoryIds, {
@@ -5100,7 +5229,10 @@ function registerGovernanceFunction(sdk, kv) {
 			wouldDelete: candidates.length,
 			ids: candidates.map((m) => m.id)
 		};
-		for (const mem of candidates) await kv.delete(KV.memories, mem.id);
+		for (const mem of candidates) {
+			await kv.delete(KV.memories, mem.id);
+			await deleteAccessLog(kv, mem.id);
+		}
 		await recordAudit(kv, "delete", "mem::governance-bulk", candidates.map((m) => m.id), {
 			filter: data,
 			deleted: candidates.length
@@ -5148,6 +5280,7 @@ function registerSnapshotFunction(sdk, kv, snapshotDir) {
 			const sessions = await kv.list(KV.sessions);
 			const memories = await kv.list(KV.memories);
 			const graphNodes = await kv.list(KV.graphNodes);
+			const accessLogs = await kv.list(KV.accessLog).catch(() => []);
 			const observations = {};
 			for (const session of sessions) {
 				const obs = await kv.list(KV.observations(session.id)).catch(() => []);
@@ -5159,7 +5292,8 @@ function registerSnapshotFunction(sdk, kv, snapshotDir) {
 				sessions,
 				memories,
 				graphNodes,
-				observations
+				observations,
+				accessLogs
 			};
 			writeFileSync(join(snapshotDir, "state.json"), JSON.stringify(state, null, 2), "utf-8");
 			await gitExec(snapshotDir, ["add", "."]);
@@ -5251,6 +5385,7 @@ function registerSnapshotFunction(sdk, kv, snapshotDir) {
 			if (state.memories) for (const memory of state.memories) await kv.set(KV.memories, memory.id, memory);
 			if (state.graphNodes) for (const node of state.graphNodes) await kv.set(KV.graphNodes, node.id, node);
 			if (state.observations) for (const [sessionId, obs] of Object.entries(state.observations)) for (const o of obs) await kv.set(KV.observations(sessionId), o.id, o);
+			if (state.accessLogs) for (const log of state.accessLogs) await kv.set(KV.accessLog, log.memoryId, log);
 			await gitExec(snapshotDir, [
 				"checkout",
 				"HEAD",
@@ -6418,7 +6553,7 @@ async function lwwMergeGraphNodes(kv, items) {
 	}
 	return count;
 }
-function registerMeshFunction(sdk, kv) {
+function registerMeshFunction(sdk, kv, meshAuthToken) {
 	sdk.registerFunction({ id: "mem::mesh-register" }, async (data) => {
 		if (!data.url || !data.name) return {
 			success: false,
@@ -6455,6 +6590,10 @@ function registerMeshFunction(sdk, kv) {
 		};
 	});
 	sdk.registerFunction({ id: "mem::mesh-sync" }, async (data) => {
+		if (!meshAuthToken) return {
+			success: false,
+			error: "mesh sync requires AGENTMEMORY_SECRET"
+		};
 		const direction = data.direction || "both";
 		let peers;
 		if (data.peerId) {
@@ -6490,7 +6629,10 @@ function registerMeshFunction(sdk, kv) {
 					try {
 						const response = await fetch(`${peer.url}/agentmemory/mesh/receive`, {
 							method: "POST",
-							headers: { "Content-Type": "application/json" },
+							headers: {
+								"Content-Type": "application/json",
+								Authorization: `Bearer ${meshAuthToken}`
+							},
 							body: JSON.stringify(pushData),
 							signal: AbortSignal.timeout(3e4),
 							redirect: "error"
@@ -6503,6 +6645,7 @@ function registerMeshFunction(sdk, kv) {
 				}
 				if (direction === "pull" || direction === "both") try {
 					const response = await fetch(`${peer.url}/agentmemory/mesh/export?since=${peer.lastSyncAt || ""}`, {
+						headers: { Authorization: `Bearer ${meshAuthToken}` },
 						signal: AbortSignal.timeout(3e4),
 						redirect: "error"
 					});
@@ -8363,7 +8506,16 @@ function registerLessonsFunctions(sdk, kv) {
 
 //#endregion
 //#region src/functions/obsidian-export.ts
-const DEFAULT_VAULT = join(homedir(), ".agentmemory", "vault");
+const DEFAULT_EXPORT_ROOT = join(homedir(), ".agentmemory");
+function getExportRoot() {
+	return resolve(process.env["AGENTMEMORY_EXPORT_ROOT"] || DEFAULT_EXPORT_ROOT);
+}
+function resolveVaultDir(vaultDir) {
+	const root = getExportRoot();
+	const resolved = resolve(vaultDir || join(root, "vault"));
+	if (resolved === root || resolved.startsWith(root + sep)) return resolved;
+	return null;
+}
 function sanitize(name) {
 	return name.replace(/[<>:"/\\|?*\x00-\x1f]/g, "_").slice(0, 100);
 }
@@ -8476,7 +8628,11 @@ function sessionToMd(s) {
 }
 function registerObsidianExportFunction(sdk, kv) {
 	sdk.registerFunction({ id: "mem::obsidian-export" }, async (data) => {
-		const vaultDir = data.vaultDir || DEFAULT_VAULT;
+		const vaultDir = resolveVaultDir(data.vaultDir);
+		if (!vaultDir) return {
+			success: false,
+			error: `vaultDir must be inside ${getExportRoot()}`
+		};
 		const exportTypes = new Set(data.types || [
 			"memories",
 			"lessons",
@@ -9022,12 +9178,15 @@ function registerWorkingMemoryFunctions(sdk, kv, tokenBudget) {
 			if (Math.abs(strengthDiff) > .2) return strengthDiff;
 			return new Date(b.updatedAt).getTime() - new Date(a.updatedAt).getTime();
 		});
+		const archivalIds = [];
 		for (const mem of active) {
 			const tokens = estimateTokens(mem.content);
 			if (usedTokens + tokens > budget) continue;
 			archivalLines.push(`- [${mem.type}] ${mem.title}: ${mem.content}`);
+			archivalIds.push(mem.id);
 			usedTokens += tokens;
 		}
+		recordAccessBatch(kv, archivalIds);
 		const pagedOut = active.length - archivalLines.length;
 		const sections = [];
 		if (coreLines.length > 0) sections.push(`## Core Memory\n${coreLines.join("\n")}`);
@@ -9781,17 +9940,15 @@ const DEFAULT_DECAY = {
 		cold: .15
 	}
 };
-function computeRetention(salience, createdAt, accessTimestamps, config) {
+function computeReinforcementBoost(accessTimestamps, sigma) {
 	const now = Date.now();
-	const deltaT = (now - new Date(createdAt).getTime()) / (1e3 * 60 * 60 * 24);
-	const temporalDecay = Math.exp(-config.lambda * deltaT);
-	let reinforcementBoost = 0;
+	let boost = 0;
 	for (const tAccess of accessTimestamps) {
+		if (!Number.isFinite(tAccess)) continue;
 		const daysSinceAccess = (now - tAccess) / (1e3 * 60 * 60 * 24);
-		if (daysSinceAccess > 0) reinforcementBoost += 1 / daysSinceAccess;
+		if (daysSinceAccess > 0) boost += 1 / daysSinceAccess;
 	}
-	reinforcementBoost *= config.sigma;
-	return Math.min(1, salience * temporalDecay + reinforcementBoost);
+	return boost * sigma;
 }
 function computeSalience(memory, accessCount) {
 	let baseSalience = .5;
@@ -9817,37 +9974,64 @@ function registerRetentionFunctions(sdk, kv) {
 			...DEFAULT_DECAY,
 			...data.config
 		};
-		const memories = await kv.list(KV.memories);
-		const semanticMems = await kv.list(KV.semantic);
+		const [memories, semanticMems, allLogs] = await Promise.all([
+			kv.list(KV.memories),
+			kv.list(KV.semantic),
+			kv.list(KV.accessLog).catch(() => [])
+		]);
+		const logsById = /* @__PURE__ */ new Map();
+		for (const raw of allLogs) {
+			const log = normalizeAccessLog(raw);
+			if (log.memoryId) logsById.set(log.memoryId, log);
+		}
 		const scores = [];
+		const computeDecay = (createdAt) => Math.exp(-config.lambda * ((Date.now() - new Date(createdAt).getTime()) / (1e3 * 60 * 60 * 24)));
 		for (const mem of memories) {
 			if (!mem.isLatest) continue;
-			const salience = computeSalience(mem, 0);
-			const score = computeRetention(salience, mem.createdAt, [], config);
+			const log = logsById.get(mem.id) ?? emptyAccessLog(mem.id);
+			const salience = computeSalience(mem, log.count);
+			const temporalDecay = computeDecay(mem.createdAt);
+			const reinforcementBoost = computeReinforcementBoost(log.recent, config.sigma);
+			const score = Math.min(1, salience * temporalDecay + reinforcementBoost);
 			const entry = {
 				memoryId: mem.id,
 				score,
 				salience,
-				temporalDecay: Math.exp(-config.lambda * ((Date.now() - new Date(mem.createdAt).getTime()) / (1e3 * 60 * 60 * 24))),
-				reinforcementBoost: 0,
-				lastAccessed: mem.updatedAt,
-				accessCount: 0
+				temporalDecay,
+				reinforcementBoost,
+				lastAccessed: log.lastAt || mem.updatedAt,
+				accessCount: log.count
 			};
 			scores.push(entry);
 			await kv.set(KV.retentionScores, mem.id, entry);
 		}
 		for (const sem of semanticMems) {
-			const accessTimestamps = sem.lastAccessedAt ? [new Date(sem.lastAccessedAt).getTime()] : [];
-			const salience = computeSalience(sem, sem.accessCount);
-			const score = computeRetention(salience, sem.createdAt, accessTimestamps, config);
+			const log = logsById.get(sem.id) ?? emptyAccessLog(sem.id);
+			let accessTimestamps;
+			let effectiveCount;
+			if (log.recent.length > 0 || log.count > 0) {
+				accessTimestamps = log.recent;
+				effectiveCount = log.count;
+			} else if (sem.lastAccessedAt) {
+				const legacyTs = Date.parse(sem.lastAccessedAt);
+				accessTimestamps = Number.isFinite(legacyTs) ? [legacyTs] : [];
+				effectiveCount = sem.accessCount;
+			} else {
+				accessTimestamps = [];
+				effectiveCount = sem.accessCount;
+			}
+			const salience = computeSalience(sem, effectiveCount);
+			const temporalDecay = computeDecay(sem.createdAt);
+			const reinforcementBoost = computeReinforcementBoost(accessTimestamps, config.sigma);
+			const score = Math.min(1, salience * temporalDecay + reinforcementBoost);
 			const entry = {
 				memoryId: sem.id,
 				score,
 				salience,
-				temporalDecay: Math.exp(-config.lambda * ((Date.now() - new Date(sem.createdAt).getTime()) / (1e3 * 60 * 60 * 24))),
-				reinforcementBoost: score - salience * Math.exp(-config.lambda * ((Date.now() - new Date(sem.createdAt).getTime()) / (1e3 * 60 * 60 * 24))),
-				lastAccessed: sem.lastAccessedAt,
-				accessCount: sem.accessCount
+				temporalDecay,
+				reinforcementBoost,
+				lastAccessed: log.lastAt || sem.lastAccessedAt,
+				accessCount: effectiveCount
 			};
 			scores.push(entry);
 			await kv.set(KV.retentionScores, sem.id, entry);
@@ -9891,6 +10075,7 @@ function registerRetentionFunctions(sdk, kv) {
 		for (const candidate of candidates) try {
 			await kv.delete(KV.memories, candidate.memoryId);
 			await kv.delete(KV.retentionScores, candidate.memoryId);
+			await deleteAccessLog(kv, candidate.memoryId);
 			evicted++;
 		} catch {
 			continue;
@@ -10046,14 +10231,57 @@ async function getLatestHealth(kv) {
 //#endregion
 //#region src/auth.ts
 const hmacKey = randomBytes(32);
+const VIEWER_NONCE_PLACEHOLDER = "__AGENTMEMORY_VIEWER_NONCE__";
 function timingSafeCompare(a, b) {
 	return timingSafeEqual(createHmac("sha256", hmacKey).update(a).digest(), createHmac("sha256", hmacKey).update(b).digest());
 }
-const VIEWER_CSP = "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; connect-src 'self' ws://localhost:* wss://localhost:*; img-src 'self'; font-src 'self'";
+function createViewerNonce() {
+	return randomBytes(16).toString("base64url");
+}
+function buildViewerCsp(nonce) {
+	return [
+		"default-src 'none'",
+		"base-uri 'none'",
+		"frame-ancestors 'none'",
+		"object-src 'none'",
+		"form-action 'none'",
+		`script-src 'nonce-${nonce}'`,
+		"script-src-attr 'none'",
+		"style-src 'unsafe-inline'",
+		"connect-src 'self' http://localhost:* http://127.0.0.1:* ws://localhost:* ws://127.0.0.1:* wss://localhost:* wss://127.0.0.1:*",
+		"img-src 'self'",
+		"font-src 'self'"
+	].join("; ");
+}
+
+//#endregion
+//#region src/viewer/document.ts
+function loadViewerTemplate() {
+	const base = dirname(fileURLToPath(import.meta.url));
+	const candidates = [
+		join(base, "..", "src", "viewer", "index.html"),
+		join(base, "..", "viewer", "index.html"),
+		join(base, "viewer", "index.html")
+	];
+	for (const path of candidates) try {
+		return readFileSync(path, "utf-8");
+	} catch {}
+	return null;
+}
+function renderViewerDocument() {
+	const template = loadViewerTemplate();
+	if (!template) return { found: false };
+	const nonce = createViewerNonce();
+	return {
+		found: true,
+		html: template.replaceAll(VIEWER_NONCE_PLACEHOLDER, nonce),
+		csp: buildViewerCsp(nonce)
+	};
+}
 
 //#endregion
 //#region src/triggers/api.ts
-function checkAuth$1(req, secret) {
+function checkAuth(req, secret) {
 	if (!secret) return null;
 	const auth = req.headers?.["authorization"] || req.headers?.["Authorization"];
 	if (typeof auth !== "string" || !timingSafeCompare(auth, `Bearer ${secret}`)) return {
@@ -10062,6 +10290,13 @@ function checkAuth$1(req, secret) {
 	};
 	return null;
 }
+function requireConfiguredSecret(secret, feature) {
+	if (secret) return null;
+	return {
+		status_code: 503,
+		body: { error: `${feature} requires AGENTMEMORY_SECRET` }
+	};
+}
 function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 	sdk.registerFunction({ id: "api::liveness" }, async () => ({
 		status_code: 200,
@@ -10079,7 +10314,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::health" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const health = await getLatestHealth(kv);
 		const functionMetrics = metricsStore ? await metricsStore.getAll() : [];
@@ -10106,7 +10341,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::observe" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 201,
@@ -10122,7 +10357,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::context" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -10138,7 +10373,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::search" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const body = req.body ?? {};
 		if (typeof body.query !== "string" || !body.query.trim()) return {
@@ -10177,7 +10412,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::session::start" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const { sessionId, project, cwd } = req.body;
 		const session = {
@@ -10209,7 +10444,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::session::end" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const session = await kv.get(KV.sessions, req.body.sessionId);
 		if (session) await kv.set(KV.sessions, req.body.sessionId, {
@@ -10231,7 +10466,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::summarize" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -10247,7 +10482,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::sessions" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -10263,7 +10498,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::observations" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const sessionId = req.query_params["sessionId"];
 		if (!sessionId) return {
@@ -10284,7 +10519,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::file-context" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -10300,7 +10535,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::enrich" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.sessionId || typeof req.body.sessionId !== "string" || !Array.isArray(req.body?.files) || req.body.files.length === 0 || !req.body.files.every((f) => typeof f === "string")) return {
 			status_code: 400,
@@ -10324,7 +10559,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::remember" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.content || typeof req.body.content !== "string" || !req.body.content.trim()) return {
 			status_code: 400,
@@ -10344,7 +10579,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::forget" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.sessionId && !req.body?.memoryId) return {
 			status_code: 400,
@@ -10364,7 +10599,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::consolidate" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -10380,7 +10615,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::patterns" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -10396,7 +10631,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::generate-rules" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -10412,7 +10647,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::migrate" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.dbPath || typeof req.body.dbPath !== "string") return {
 			status_code: 400,
@@ -10432,7 +10667,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::evict" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const dryRun = req.query_params?.["dryRun"] === "true" || req.body?.dryRun === true;
 		return {
@@ -10449,7 +10684,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::smart-search" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.query && (!req.body?.expandIds || req.body.expandIds.length === 0)) return {
 			status_code: 400,
@@ -10469,7 +10704,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::timeline" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.anchor) return {
 			status_code: 400,
@@ -10489,7 +10724,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::profile" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const project = req.query_params["project"];
 		if (!project) return {
@@ -10510,7 +10745,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::export" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -10526,7 +10761,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::import" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.exportData) return {
 			status_code: 400,
@@ -10546,7 +10781,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::relations" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.sourceId || !req.body?.targetId || !req.body?.type) return {
 			status_code: 400,
@@ -10566,7 +10801,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::evolve" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.memoryId || !req.body?.newContent) return {
 			status_code: 400,
@@ -10586,7 +10821,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::auto-forget" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const dryRun = req.query_params?.["dryRun"] === "true" || req.body?.dryRun === true;
 		return {
@@ -10603,7 +10838,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::claude-bridge-read" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		try {
 			return {
@@ -10626,7 +10861,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::claude-bridge-sync" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		try {
 			return {
@@ -10649,7 +10884,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::graph-query" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		try {
 			return {
@@ -10672,7 +10907,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::graph-stats" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		try {
 			return {
@@ -10695,7 +10930,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::graph-extract" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!Array.isArray(req.body?.observations) || req.body.observations.length === 0) return {
 			status_code: 400,
@@ -10722,7 +10957,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::consolidate-pipeline" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		try {
 			return {
@@ -10745,7 +10980,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::team-share" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.itemId || !req.body?.itemType) return {
 			status_code: 400,
@@ -10772,7 +11007,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::team-feed" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		try {
 			const limit = parseInt(req.query_params?.["limit"]) || 20;
@@ -10796,7 +11031,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::team-profile" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		try {
 			return {
@@ -10819,7 +11054,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::audit" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -10838,7 +11073,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::governance-delete" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.memoryIds || !Array.isArray(req.body.memoryIds)) return {
 			status_code: 400,
@@ -10858,7 +11093,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::governance-bulk" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -10874,7 +11109,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::snapshots" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		try {
 			return {
@@ -10897,7 +11132,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::snapshot-create" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		try {
 			return {
@@ -10920,7 +11155,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::snapshot-restore" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.commitHash) return {
 			status_code: 400,
@@ -10947,7 +11182,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::memories" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const memories = await kv.list(KV.memories);
 		return {
@@ -10964,7 +11199,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::action-create" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.title) return {
 			status_code: 400,
@@ -10984,7 +11219,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::action-update" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.actionId) return {
 			status_code: 400,
@@ -11004,7 +11239,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::action-list" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -11024,7 +11259,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::action-get" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const actionId = req.query_params?.["actionId"];
 		if (!actionId) return {
@@ -11045,7 +11280,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::action-edge" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.sourceActionId || !req.body?.targetActionId || !req.body?.type) return {
 			status_code: 400,
@@ -11065,7 +11300,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::frontier" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -11085,7 +11320,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::next" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -11104,7 +11339,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::lease-acquire" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.actionId || !req.body?.agentId) return {
 			status_code: 400,
@@ -11124,7 +11359,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::lease-release" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.actionId || !req.body?.agentId) return {
 			status_code: 400,
@@ -11144,7 +11379,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::lease-renew" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.actionId || !req.body?.agentId) return {
 			status_code: 400,
@@ -11164,7 +11399,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::routine-create" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.name) return {
 			status_code: 400,
@@ -11184,7 +11419,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::routine-list" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -11200,7 +11435,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::routine-run" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.routineId) return {
 			status_code: 400,
@@ -11220,7 +11455,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::routine-status" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const runId = req.query_params?.["runId"];
 		if (!runId) return {
@@ -11241,7 +11476,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::signal-send" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.from || !req.body?.content) return {
 			status_code: 400,
@@ -11261,7 +11496,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::signal-read" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const agentId = req.query_params?.["agentId"];
 		if (!agentId) return {
@@ -11287,7 +11522,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::checkpoint-create" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.name) return {
 			status_code: 400,
@@ -11307,7 +11542,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::checkpoint-resolve" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.checkpointId || !req.body?.status) return {
 			status_code: 400,
@@ -11327,7 +11562,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::checkpoint-list" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -11346,7 +11581,9 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::mesh-register" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const secretErr = requireConfiguredSecret(secret, "mesh");
+		if (secretErr) return secretErr;
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		if (!req.body?.url || !req.body?.name) return {
 			status_code: 400,
@@ -11366,7 +11603,9 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::mesh-list" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const secretErr = requireConfiguredSecret(secret, "mesh");
+		if (secretErr) return secretErr;
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -11382,7 +11621,9 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::mesh-sync" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const secretErr = requireConfiguredSecret(secret, "mesh");
+		if (secretErr) return secretErr;
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -11398,7 +11639,9 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::mesh-receive" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const secretErr = requireConfiguredSecret(secret, "mesh");
+		if (secretErr) return secretErr;
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		return {
 			status_code: 200,
@@ -11414,7 +11657,9 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::mesh-export" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const secretErr = requireConfiguredSecret(secret, "mesh");
+		if (secretErr) return secretErr;
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const since = req.query_params?.["since"];
 		if (since) {
@@ -11460,7 +11705,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::flow-compress" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		try {
 			return {
@@ -11483,7 +11728,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::branch-detect" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const cwd = req.query_params?.["cwd"] || process.cwd();
 		return {
@@ -11500,7 +11745,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::branch-worktrees" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const cwd = req.query_params?.["cwd"] || process.cwd();
 		return {
@@ -11517,7 +11762,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::branch-sessions" }, async (req) => {
-		const authErr = checkAuth$1(req, secret);
+		const authErr = checkAuth(req, secret);
 		if (authErr) return authErr;
 		const cwd = req.query_params?.["cwd"] || process.cwd();
 		return {
@@ -11533,27 +11778,21 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 			http_method: "GET"
 		}
 	});
-	sdk.registerFunction({ id: "api::viewer" }, async () => {
-		const headers = {
-			"Content-Type": "text/html",
-			"Content-Security-Policy": VIEWER_CSP
+	sdk.registerFunction({ id: "api::viewer" }, async (req) => {
+		const denied = checkAuth(req, secret);
+		if (denied) return denied;
+		const rendered = renderViewerDocument();
+		if (rendered.found) return {
+			status_code: 200,
+			headers: {
+				"Content-Type": "text/html",
+				"Content-Security-Policy": rendered.csp
+			},
+			body: rendered.html
 		};
-		const base = dirname(fileURLToPath(import.meta.url));
-		const candidates = [
-			join(base, "..", "viewer", "index.html"),
-			join(base, "..", "src", "viewer", "index.html"),
-			join(base, "viewer", "index.html")
-		];
-		for (const p of candidates) try {
-			return {
-				status_code: 200,
-				headers,
-				body: readFileSync(p, "utf-8")
-			};
-		} catch {}
 		return {
 			status_code: 404,
-			headers,
+			headers: { "Content-Type": "text/html" },
 			body: "<!DOCTYPE html><html><body><h1>agentmemory</h1><p>viewer not found</p></body></html>"
 		};
 	});
@@ -11566,7 +11805,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::sentinel-create" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.name) return {
@@ -11587,7 +11826,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::sentinel-trigger" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.sentinelId) return {
@@ -11608,7 +11847,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::sentinel-check" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		return {
 			status_code: 200,
@@ -11624,7 +11863,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::sentinel-cancel" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.sentinelId) return {
@@ -11645,7 +11884,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::sentinel-list" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const params = req.query_params || {};
 		return {
@@ -11665,7 +11904,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::sketch-create" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.title) return {
@@ -11686,7 +11925,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::sketch-add" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.sketchId || !body?.title) return {
@@ -11707,7 +11946,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::sketch-promote" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.sketchId) return {
@@ -11728,7 +11967,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::sketch-discard" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.sketchId) return {
@@ -11749,7 +11988,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::sketch-list" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const params = req.query_params || {};
 		return {
@@ -11769,7 +12008,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::sketch-gc" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		return {
 			status_code: 200,
@@ -11785,7 +12024,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::crystallize" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.actionIds) return {
@@ -11806,7 +12045,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::crystal-list" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const params = req.query_params || {};
 		return {
@@ -11827,7 +12066,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::auto-crystallize" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		return {
@@ -11844,7 +12083,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::diagnose" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		return {
@@ -11861,7 +12100,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::heal" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		return {
@@ -11878,7 +12117,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::facet-tag" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.targetId || !body?.dimension || !body?.value) return {
@@ -11899,7 +12138,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::facet-untag" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.targetId || !body?.dimension) return {
@@ -11920,7 +12159,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::facet-query" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		return {
@@ -11937,7 +12176,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::facet-get" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const params = req.query_params || {};
 		if (!params.targetId) return {
@@ -11958,7 +12197,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::facet-stats" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const params = req.query_params || {};
 		return {
@@ -11975,7 +12214,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::verify" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.id || typeof body.id !== "string") return {
@@ -11996,7 +12235,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::cascade-update" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.supersededMemoryId || typeof body.supersededMemoryId !== "string") return {
@@ -12017,7 +12256,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::lesson-save" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.content || typeof body.content !== "string") return {
@@ -12047,7 +12286,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::lesson-list" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const params = req.query_params || {};
 		return {
@@ -12069,7 +12308,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::lesson-search" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.query || typeof body.query !== "string") return {
@@ -12090,7 +12329,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::lesson-strengthen" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.lessonId || typeof body.lessonId !== "string") return {
@@ -12111,7 +12350,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::obsidian-export" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body || {};
 		const types = typeof body.types === "string" ? body.types.split(",").map((t) => t.trim()).filter(Boolean) : void 0;
@@ -12132,7 +12371,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::reflect" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body || {};
 		return {
@@ -12152,7 +12391,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::insight-list" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const params = req.query_params || {};
 		return {
@@ -12173,7 +12412,7 @@ function registerApiTriggers(sdk, kv, secret, metricsStore, provider) {
 		}
 	});
 	sdk.registerFunction({ id: "api::insight-search" }, async (req) => {
-		const denied = checkAuth$1(req, secret);
+		const denied = checkAuth(req, secret);
 		if (denied) return denied;
 		const body = req.body;
 		if (!body?.query || typeof body.query !== "string") return {
@@ -14442,11 +14681,6 @@ function readBody(req) {
 		req.on("error", reject);
 	});
 }
-function checkAuth(req, secret) {
-	if (!secret) return true;
-	const auth = req.headers["authorization"] || "";
-	return typeof auth === "string" && timingSafeCompare(auth, `Bearer ${secret}`);
-}
 function startViewerServer(port, _kv, _sdk, secret, restPort) {
 	const resolvedRestPort = restPort ?? port - 2;
 	const server = createServer(async (req, res) => {
@@ -14464,32 +14698,20 @@ function startViewerServer(port, _kv, _sdk, secret, restPort) {
 			return;
 		}
 		if (method === "GET" && (pathname === "/" || pathname === "/viewer" || pathname === "/agentmemory/viewer")) {
-			const base = dirname(fileURLToPath(import.meta.url));
-			const candidates = [
-				join(base, "index.html"),
-				join(base, "viewer", "index.html"),
-				join(base, "..", "viewer", "index.html"),
-				join(base, "..", "src", "viewer", "index.html"),
-				join(base, "..", "dist", "viewer", "index.html")
-			];
-			for (const p of candidates) try {
-				const html = readFileSync(p, "utf-8");
+			const rendered = renderViewerDocument();
+			if (rendered.found) {
 				res.writeHead(200, {
 					"Content-Type": "text/html; charset=utf-8",
-					"Content-Security-Policy": VIEWER_CSP,
+					"Content-Security-Policy": rendered.csp,
 					"Cache-Control": "no-cache"
 				});
-				res.end(html);
+				res.end(rendered.html);
 				return;
-			} catch {}
+			}
 			res.writeHead(404, { "Content-Type": "text/plain" });
 			res.end("viewer not found");
 			return;
 		}
-		if (!checkAuth(req, secret)) {
-			json(res, 401, { error: "unauthorized" }, req);
-			return;
-		}
 		try {
 			await proxyToRestApi(resolvedRestPort, pathname, qs, method, req, res, secret);
 		} catch (err) {
@@ -14747,7 +14969,7 @@ async function main() {
 	registerRoutinesFunction(sdk, kv);
 	registerSignalsFunction(sdk, kv);
 	registerCheckpointsFunction(sdk, kv);
-	registerMeshFunction(sdk, kv);
+	registerMeshFunction(sdk, kv, secret);
 	registerBranchAwareFunction(sdk, kv);
 	registerFlowCompressFunction(sdk, kv, provider);
 	registerSentinelsFunction(sdk, kv);