@alaarab/cortex 1.13.3 → 1.13.5

package/mcp/dist/content-learning.js

@@ -192,9 +192,12 @@ export function upsertCanonical(cortexPath, project, memory) {
     const canonicalPath = path.join(resolvedDir, "CANONICAL_MEMORIES.md");
     const today = new Date().toISOString().slice(0, 10);
     const bullet = memory.startsWith("- ") ? memory : `- ${memory}`;
+    let canonicalContent = "";
     withFileLock(canonicalPath, () => {
         if (!fs.existsSync(canonicalPath)) {
-            fs.writeFileSync(canonicalPath, `# ${project} Canonical Memories\n\n## Pinned\n\n${bullet} _(pinned ${today})_\n`);
+            const initial = `# ${project} Canonical Memories\n\n## Pinned\n\n${bullet} _(pinned ${today})_\n`;
+            fs.writeFileSync(canonicalPath, initial);
+            canonicalContent = initial;
         }
         else {
             const existing = fs.readFileSync(canonicalPath, "utf8");
@@ -203,13 +206,17 @@ export function upsertCanonical(cortexPath, project, memory) {
                 const updated = existing.includes("## Pinned")
                     ? existing.replace("## Pinned", `## Pinned\n\n${line}`)
                     : `${existing.trimEnd()}\n\n## Pinned\n\n${line}\n`;
+                const finalContent = updated.endsWith("\n") ? updated : updated + "\n";
                 const tmpPath = canonicalPath + ".tmp";
-                fs.writeFileSync(tmpPath, updated.endsWith("\n") ? updated : updated + "\n");
+                fs.writeFileSync(tmpPath, finalContent);
                 fs.renameSync(tmpPath, canonicalPath);
+                canonicalContent = finalContent;
+            }
+            else {
+                canonicalContent = existing;
             }
         }
     });
-    const canonicalContent = fs.readFileSync(canonicalPath, "utf8");
     const locks = loadCanonicalLocks(cortexPath);
     const lockKey = `${project}/CANONICAL_MEMORIES.md`;
     locks[lockKey] = {
@@ -272,8 +279,11 @@ export function addFindingToFile(cortexPath, project, learning, citationInput, o
         }
         const content = fs.readFileSync(learningsPath, "utf8");
         const legacyHistory = opts?.skipLegacyDedup ? "" : readLegacyHistoryContent(resolvedDir);
-        // When superseding, strip the old finding from history so dedup doesn't block the intentionally similar replacement
-        const historyForDedup = supersedesText
+        // When superseding, strip the old finding from history so dedup doesn't block the intentionally similar replacement.
+        // Skip the strip if new finding is identical to the superseded one (self-supersession should still be blocked by dedup).
+        const isSelfSupersession = supersedesText &&
+            learning.trim().toLowerCase().slice(0, 60) === supersedesText.trim().toLowerCase().slice(0, 60);
+        const historyForDedup = (supersedesText && !isSelfSupersession)
             ? (legacyHistory ? `${content}\n${legacyHistory}` : content)
                 .split("\n")
                 .filter(line => !line.startsWith("- ") || !line.toLowerCase().includes(supersedesText.slice(0, 40).toLowerCase()))

package/mcp/dist/data-access.js

@@ -338,7 +338,7 @@ export function completeBacklogItem(cortexPath, project, match) {
             return forwardErr(parsed);
         const found = findItemByMatch(parsed.data, match);
         if (found.error)
-            return cortexErr(found.error);
+            return cortexErr(found.error, CortexError.AMBIGUOUS_MATCH);
         if (!found.match)
             return cortexErr(`No backlog item matching "${match}" in project "${project}". Check the item text or use its ID (shown in the backlog view).`, CortexError.NOT_FOUND);
         const [item] = parsed.data.items[found.match.section].splice(found.match.index, 1);
@@ -359,7 +359,7 @@ export function updateBacklogItem(cortexPath, project, match, updates) {
             return forwardErr(parsed);
         const found = findItemByMatch(parsed.data, match);
         if (found.error)
-            return cortexErr(found.error);
+            return cortexErr(found.error, CortexError.AMBIGUOUS_MATCH);
         if (!found.match)
             return cortexErr(`No backlog item matching "${match}" in project "${project}". Check the item text or use its ID (shown in the backlog view).`, CortexError.NOT_FOUND);
         const item = parsed.data.items[found.match.section][found.match.index];
@@ -405,7 +405,7 @@ export function pinBacklogItem(cortexPath, project, match) {
             return forwardErr(parsed);
         const found = findItemByMatch(parsed.data, match);
         if (found.error)
-            return cortexErr(found.error);
+            return cortexErr(found.error, CortexError.AMBIGUOUS_MATCH);
         if (!found.match)
             return cortexErr(`No backlog item matching "${match}" in project "${project}". Check the item text or use its ID (shown in the backlog view).`, CortexError.NOT_FOUND);
         const item = parsed.data.items[found.match.section][found.match.index];
@@ -427,7 +427,7 @@ export function unpinBacklogItem(cortexPath, project, match) {
             return forwardErr(parsed);
         const found = findItemByMatch(parsed.data, match);
         if (found.error)
-            return cortexErr(found.error);
+            return cortexErr(found.error, CortexError.AMBIGUOUS_MATCH);
         if (!found.match)
             return cortexErr(`No backlog item matching "${match}" in project "${project}". Check the item text or use its ID (shown in the backlog view).`, CortexError.NOT_FOUND);
         const item = parsed.data.items[found.match.section][found.match.index];

package/mcp/dist/mcp-finding.js

@@ -59,7 +59,9 @@ export function register(server, ctx) {
                                 const lineEnd = content.indexOf("\n", idx);
                                 const insertAt = lineEnd >= 0 ? lineEnd : content.length;
                                 content = content.slice(0, insertAt) + " " + conflicts.annotations.join(" ") + " <!-- conflicts_checked: true -->" + content.slice(insertAt);
-                                fs.writeFileSync(fp, content);
+                                const tmpFp = fp + ".tmp";
+                                fs.writeFileSync(tmpFp, content);
+                                fs.renameSync(tmpFp, fp);
                             }
                         }
                     }
@@ -178,7 +180,8 @@ export function register(server, ctx) {
                     .filter((name) => name && !name.startsWith(".") && name !== "profiles")));
                 const commitMsg = message || `cortex: save ${files.length} file(s) across ${projectNames.length} project(s)`;
                 runCustomHooks(cortexPath, "pre-save");
-                runGit(["add", "-A"]);
+                // Restrict to known cortex file types to avoid staging .env or credential files
+                runGit(["add", "--", "*.md", "*.json", "*.yaml", "*.yml", "*.jsonl", "*.txt"]);
                 runGit(["commit", "-m", commitMsg]);
                 let hasRemote = false;
                 try {

package/mcp/dist/memory-ui.js

@@ -1,5 +1,6 @@
 import * as http from "http";
 import * as crypto from "crypto";
+import { timingSafeEqual } from "crypto";
 import * as fs from "fs";
 import * as path from "path";
 import * as querystring from "querystring";
@@ -35,6 +36,15 @@ function getSubmittedAuthToken(req, url, parsedBody) {
         return bodyAuth;
     return "";
 }
+function authTokensMatch(submitted, authToken) {
+    if (!authToken || !submitted)
+        return false;
+    const submittedBuffer = Buffer.from(submitted);
+    const authTokenBuffer = Buffer.from(authToken);
+    if (submittedBuffer.length !== authTokenBuffer.length)
+        return false;
+    return timingSafeEqual(submittedBuffer, authTokenBuffer);
+}
 function recentUsage(cortexPath) {
     const usage = path.join(cortexPath, ".governance", "memory-usage.log");
     if (!fs.existsSync(usage))
@@ -324,7 +334,7 @@ export function createReviewUiServer(cortexPath, opts) {
         if (req.method === "GET" && url.startsWith("/api/graph")) {
             if (authToken) {
                 const submitted = getSubmittedAuthToken(req, url);
-                if (submitted !== authToken) {
+                if (!authTokensMatch(submitted, authToken)) {
                     res.writeHead(401, { "content-type": "text/plain; charset=utf-8" });
                     res.end("Unauthorized");
                     return;
@@ -356,7 +366,7 @@ export function createReviewUiServer(cortexPath, opts) {
                 const parsed = querystring.parse(body);
                 if (authToken) {
                     const submitted = getSubmittedAuthToken(req, url, parsed);
-                    if (submitted !== authToken) {
+                    if (!authTokensMatch(submitted, authToken)) {
                         res.writeHead(401, { "content-type": "text/plain; charset=utf-8" });
                         res.end("Unauthorized");
                         return;

package/mcp/dist/shared.js

@@ -32,11 +32,6 @@ export function forwardErr(result) {
         return { ok: false, error: result.error, code: result.code };
     return { ok: false, error: "unexpected forward of ok result" };
 }
-// Type guard: returns true when result is a string error (legacy T | string pattern).
-// Useful during migration from T | string to CortexResult<T>.
-export function isCortexError(result) {
-    return typeof result === "string";
-}
 const ERROR_CODES = new Set(Object.values(CortexError));
 // Extract the error code from a legacy error string (e.g. "PROJECT_NOT_FOUND: ...").
 // Returns the code if the string starts with a known CortexError, or undefined.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@alaarab/cortex",
-  "version": "1.13.3",
+  "version": "1.13.5",
   "description": "Long-term memory for AI agents — stored as markdown in a git repo you own.",
   "type": "module",
   "bin": {