@anmol-srv/sigil 0.10.3 → 0.12.0

package/integrations/hermes/README.md

@@ -1,6 +1,6 @@
 # Hermes integration
 
-Sigil ships as a [Hermes Agent](https://hermes.chat) memory provider plugin. The plugin source lives at [`plugin/`](./plugin) — copy that directory into Hermes' plugin tree on whichever machine runs Hermes.
+Sigil ships as a [Hermes Agent](https://hermes.chat) memory provider plugin. The plugin source lives at [`plugin/`](./plugin), copy that directory into Hermes' plugin tree on whichever machine runs Hermes.
 
 ## Quick deploy (manual)
 
@@ -23,7 +23,7 @@ Restart Hermes. Verify with `hermes memory status` (or whatever Hermes' status c
 | Hermes hook | Sigil call | Why |
 |---|---|---|
 | `is_available()` | `which sigil` | Avoid network calls; just check the binary exists. |
-| `initialize(session_id, platform, ...)` | sets namespace = `hermes-<platform>` | Per-platform classification — see plugin/README.md. |
+| `initialize(session_id, platform, ...)` | sets namespace = `hermes-<platform>` | Per-platform classification, see plugin/README.md. |
 | `prefetch(query)` | `sigil search <q> --namespace=hermes-<platform>,default --limit=5 --no-graph` | Fast cross-namespace recall = the shared brain. |
 | `sync_turn(user, assistant)` | `sigil remember --bg "<user>"` in a daemon thread | Non-blocking. Sigil's classifier decides what's worth keeping. |
 | `get_tool_schemas()` | `sigil_search`, `sigil_remember` | Lets the model explicitly drill down or save mid-turn. |
@@ -37,5 +37,5 @@ A `src/lib/clients/hermes.js` module (5th client alongside Claude Code / Cursor
 ## Caveats
 
 - **Sigil CLI must be on `PATH`** on whichever machine runs Hermes. If `which sigil` returns nothing, `is_available()` returns false and Hermes silently falls back to its built-in memory.
-- **`~/.sigil/.env` must be configured** — run `sigil init` on the Hermes host before activating the plugin.
-- **The plugin shells out for every prefetch.** Latency is `sigil search` latency. The plugin keeps this path retrieval-only; if Hermes' per-turn budget is tighter, we could move to in-process via a Python<>Node bridge — out of scope for v0.1.
+- **`~/.sigil/.env` must be configured**, run `sigil init` on the Hermes host before activating the plugin.
+- **The plugin shells out for every prefetch.** Latency is `sigil search` latency. The plugin keeps this path retrieval-only; if Hermes' per-turn budget is tighter, we could move to in-process via a Python<>Node bridge, out of scope for v0.1.

package/integrations/hermes/plugin/README.md

@@ -1,16 +1,16 @@
 # Sigil Memory Provider
 
-Persistent memory for Hermes Agent, backed by [Sigil](https://github.com/anmolsrv/sigil) — a local-first knowledge engine with atomic facts, entity graph, and hybrid retrieval. Same memory store used by Claude Code, Cursor, Codex CLI, and Kiro.
+Persistent memory for Hermes Agent, backed by [Sigil](https://github.com/anmolsrv/sigil), a local-first knowledge engine with atomic facts, entity graph, and hybrid retrieval. Same memory store used by Claude Code, Cursor, Codex CLI, and Kiro.
 
 ## Why this exists
 
-You're running Hermes on a server (e.g. via iMessage / Telegram / Discord gateway) and you also use Claude Code / Cursor / etc. on your laptop. You want **one brain** that all of them share — without copying memories around or rebuilding them per tool.
+You're running Hermes on a server (e.g. via iMessage / Telegram / Discord gateway) and you also use Claude Code / Cursor / etc. on your laptop. You want **one brain** that all of them share, without copying memories around or rebuilding them per tool.
 
 This plugin makes that real: every Hermes turn lands in a Sigil namespace, every laptop turn lands in `default`, and cross-namespace search means anyone can recall anything.
 
 ## Requirements
 
-- Sigil CLI on `PATH` — `npm install -g @anmol-srv/sigil`
+- Sigil CLI on `PATH`: `npm install -g @anmol-srv/sigil`
 - `sigil init` completed once (configures DB, embedder, LLM provider)
 - Postgres reachable from this machine (local install or shared via Tailscale / cloud)
 
@@ -20,7 +20,7 @@ This plugin makes that real: every Hermes turn lands in a Sigil namespace, every
 hermes config set memory.provider sigil
 ```
 
-No additional env vars or config files — Sigil reads its own `~/.sigil/.env`.
+No additional env vars or config files; Sigil reads its own `~/.sigil/.env`.
 
 ## How it classifies sources
 
@@ -51,13 +51,13 @@ sigil namespace list
 | `sigil_search` | Drill-down search across this platform + `default`. The model is told to use this only when the auto-injected context didn't surface what it needed. |
 | `sigil_remember` | Explicit save. The model is told to use this only when the user asks ("remember that...") or a critical fact arrives mid-turn. |
 
-Routine fact capture happens automatically via `sync_turn` — no model action required.
+Routine fact capture happens automatically via `sync_turn`, no model action required.
 
 ## What lives where
 
 | Layer | Where | Owns |
 |---|---|---|
-| This plugin | `~/.hermes/hermes-agent/plugins/memory/sigil/` | The Hermes ABC contract — initialize, prefetch, sync_turn, tool dispatch. Thin subprocess wrapper. |
+| This plugin | `~/.hermes/hermes-agent/plugins/memory/sigil/` | The Hermes ABC contract: initialize, prefetch, sync_turn, tool dispatch. Thin subprocess wrapper. |
 | Sigil CLI | `which sigil` | Hybrid search, fact extraction, AUDM dedup, pod-aware retrieval, embedder calls. |
 | Sigil config | `~/.sigil/.env` | DB connection, embedder choice, LLM provider. Run `sigil init` to reconfigure. |
 | Sigil data | Postgres (`SIGIL_DB_HOST` in `~/.sigil/.env`) | All facts, entities, pods, relations. Shared across machines when they point at the same Postgres. |
@@ -66,7 +66,7 @@ Routine fact capture happens automatically via `sync_turn` — no model action r
 
 Point `SIGIL_DB_HOST` in every machine's `~/.sigil/.env` at the *same* Postgres. Two common topologies:
 
-1. **Server-hosted Postgres** — Postgres on this server; laptop connects over Tailscale.
-2. **Cloud Postgres** — Supabase / Neon / RDS; both machines connect to it.
+1. **Server-hosted Postgres**: Postgres on this server; laptop connects over Tailscale.
+2. **Cloud Postgres**: Supabase / Neon / RDS; both machines connect to it.
 
 Either way: one DB, many writers, every namespace visible from everywhere.

package/knexfile.js

@@ -1,15 +1,36 @@
-import 'dotenv/config';
+import { config as dotenvConfig } from 'dotenv';
+import { existsSync } from 'node:fs';
+import { join, resolve } from 'node:path';
+import { homedir } from 'node:os';
+
+import { buildLocalConnection } from './src/db/drivers/local-postgres.js';
+import { buildUrlConnection } from './src/db/drivers/url.js';
+
+// Env precedence: shell env > project .env > global ~/.sigil/.env.
+// Matches the CLI's loader so `npx knex migrate:latest` Just Works.
+const projectEnv = resolve(process.cwd(), '.env');
+const globalEnv  = join(homedir(), '.sigil', '.env');
+if (existsSync(projectEnv)) dotenvConfig({ path: projectEnv, quiet: true });
+if (existsSync(globalEnv) && globalEnv !== projectEnv) dotenvConfig({ path: globalEnv, quiet: true });
 
 const env = (key, fallback) => process.env[key] ?? fallback;
 
+const url = env('SIGIL_DATABASE_URL', env('DATABASE_URL', ''));
+
+const connection = url
+  ? buildUrlConnection(url)
+  : buildLocalConnection({
+      db: {
+        host: env('SIGIL_DB_HOST', 'localhost'),
+        port: Number(env('SIGIL_DB_PORT', 5432)),
+        database: env('SIGIL_DB_NAME', 'sigil'),
+        user: env('SIGIL_DB_USER', 'sigil_app'),
+        password: env('SIGIL_DB_PASSWORD', ''),
+      },
+    });
+
 export default {
   client: 'pg',
-  connection: {
-    host: env('SIGIL_DB_HOST', 'localhost'),
-    port: Number(env('SIGIL_DB_PORT', 5432)),
-    database: env('SIGIL_DB_NAME', 'sigil'),
-    user: env('SIGIL_DB_USER', 'sigil_app'),
-    password: env('SIGIL_DB_PASSWORD', ''),
-  },
+  connection,
   migrations: { directory: './src/db/migrations' },
 };

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "@anmol-srv/sigil",
-  "version": "0.10.3",
+  "version": "0.12.0",
   "type": "module",
-  "description": "Local-first memory infrastructure for AI coding agents. One brain shared across Claude Code, Codex CLI, Cursor, Kiro, Continue, Cline, Windsurf — any MCP client. Organized in pluggable pods, stored in your own Postgres. No cloud, no telemetry. Auto-captured from Claude Code via hooks; surfaced everywhere else as a 9-tool MCP server.",
+  "description": "Local-first memory infrastructure for AI coding agents. One brain shared across Claude Code, Codex CLI, Cursor, Kiro, Continue, Cline, Windsurf, or any MCP client. Organized in pluggable pods, stored in your own Postgres. No cloud, no telemetry. Auto-captured from Claude Code via hooks; surfaced everywhere else as a 9-tool MCP server.",
   "bin": {
     "sigil": "dist/cli.js"
   },
@@ -16,7 +16,10 @@
     "prepublishOnly": "npm run build",
     "migrate": "knex migrate:latest",
     "migrate:rollback": "knex migrate:rollback",
-    "migrate:make": "knex migrate:make"
+    "migrate:make": "knex migrate:make",
+    "test:reliability": "node test/reliability/run.js",
+    "db:test:up": "docker compose up -d db",
+    "db:test:down": "docker compose down"
   },
   "engines": {
     "node": ">=20.0.0"
@@ -25,6 +28,7 @@
     "dist/",
     "prompts/",
     "src/db/migrations/",
+    "src/gui/web/",
     "integrations/",
     "knexfile.js",
     "LICENSE",
@@ -67,7 +71,7 @@
     "local-first"
   ],
   "author": "Anmol Srivastava",
-  "license": "ISC",
+  "license": "MIT",
   "repository": {
     "type": "git",
     "url": "https://github.com/Anmol-Srv/sigil.git"
@@ -79,9 +83,11 @@
   "dependencies": {
     "@iarna/toml": "^2.2.5",
     "@modelcontextprotocol/sdk": "^1.27.1",
+    "@number0/iroh": "^0.35.0",
     "dotenv": "^17.3.1",
     "knex": "^3.1.0",
-    "pg": "^8.20.0"
+    "pg": "^8.20.0",
+    "ws": "^8.21.0"
   },
   "optionalDependencies": {
     "@anthropic-ai/sdk": "^0.30.0"

package/src/db/migrations/20260601000000_create-device-table.cjs

@@ -0,0 +1,34 @@
+/**
+ * device — devices that have paired with this Sigil cluster.
+ *
+ * Each row represents a remote Sigil install whose owner has been
+ * authorized to read/write this device's memory. `node_id` is the
+ * 64-char hex Ed25519 public key (Iroh NodeID + identity, same value).
+ *
+ * Roles:
+ *   reader  — can call read-side RPC methods only
+ *   writer  — can also remember/forget/ingest
+ *   admin   — can manage other devices (create pairing codes, revoke)
+ *
+ * `namespaces` scopes what this device can read/write. Empty array means
+ * "all namespaces this cluster knows about" (admin default).
+ *
+ * `active=false` is a soft revoke — preserves history of the device for
+ * audit purposes without allowing further calls.
+ */
+exports.up = (knex) =>
+  knex.schema.createTable('device', (t) => {
+    t.increments('id').primary();
+    t.text('node_id').notNullable().unique();
+    t.text('name').notNullable();
+    t.text('role').notNullable().defaultTo('writer'); // reader | writer | admin
+    t.specificType('namespaces', 'text[]').notNullable().defaultTo('{}');
+    t.boolean('active').notNullable().defaultTo(true);
+    t.jsonb('meta').notNullable().defaultTo('{}');
+    t.timestamp('last_seen_at');
+    t.timestamps(false, true);
+
+    t.index(['node_id', 'active'], 'idx_device_lookup');
+  });
+
+exports.down = (knex) => knex.schema.dropTable('device');

package/src/db/migrations/20260601000001_create-pairing-code-table.cjs

@@ -0,0 +1,27 @@
+/**
+ * pairing_code — one-shot, time-limited tokens that authorize a new
+ * device to register itself.
+ *
+ * The plaintext code is shown to the operator (printed by `sigil pair
+ * create`); only its SHA-256 hash is stored. Joining device presents
+ * the plaintext during the pairing handshake.
+ *
+ * `consumed_by_device_id` is set once the code is redeemed; thereafter
+ * the row is kept for audit but cannot be redeemed again.
+ */
+exports.up = (knex) =>
+  knex.schema.createTable('pairing_code', (t) => {
+    t.increments('id').primary();
+    t.text('code_hash').notNullable().unique();
+    t.text('name').notNullable();                     // intended device name, e.g. "laptop-b"
+    t.text('role').notNullable().defaultTo('writer'); // role to assign on redemption
+    t.specificType('namespaces', 'text[]').notNullable().defaultTo('{}');
+    t.timestamp('expires_at').notNullable();
+    t.integer('consumed_by_device_id').references('device.id').onDelete('SET NULL');
+    t.timestamp('consumed_at');
+    t.timestamps(false, true);
+
+    t.index(['expires_at'], 'idx_pairing_code_expiry');
+  });
+
+exports.down = (knex) => knex.schema.dropTable('pairing_code');

package/src/db/migrations/20260601000002_add-fact-provenance.cjs

@@ -0,0 +1,31 @@
+/**
+ * Add cross-device provenance + embedding-shape columns to fact.
+ *
+ *   embedding_model      — the model that produced this fact's vector.
+ *                          Cross-device sync refuses if the master's manifest
+ *                          says a different model is in use.
+ *   embedding_dim        — dimensionality of the vector. Belt-and-braces
+ *                          alongside the model check.
+ *   created_by_device_id — which paired device wrote this fact. NULL means
+ *                          "the local install" (back-compat with rows that
+ *                          existed before this migration).
+ *
+ * The columns are nullable so the migration is backfill-free; new ingests
+ * populate them from the embedder config + the authenticated caller's
+ * device row.
+ */
+exports.up = (knex) =>
+  knex.schema.alterTable('fact', (t) => {
+    t.text('embedding_model');
+    t.integer('embedding_dim');
+    t.integer('created_by_device_id').references('device.id').onDelete('SET NULL');
+    t.index(['created_by_device_id'], 'idx_fact_by_device');
+  });
+
+exports.down = (knex) =>
+  knex.schema.alterTable('fact', (t) => {
+    t.dropIndex(['created_by_device_id'], 'idx_fact_by_device');
+    t.dropColumn('created_by_device_id');
+    t.dropColumn('embedding_dim');
+    t.dropColumn('embedding_model');
+  });

package/src/db/migrations/20260601000003_add-device-revoked-reason.cjs

@@ -0,0 +1,19 @@
+/**
+ * Distinguishes "paused" revokes (a key out for service / on a borrowed
+ * laptop, expected to come back) from "compromised" revokes (terminal —
+ * the keypair leaked and must never authenticate again).
+ *
+ *   'paused'      → device.activate flips active=true (default)
+ *   'compromised' → device.activate refuses; requires re-pairing
+ *
+ * Nullable so existing rows are unaffected.
+ */
+exports.up = (knex) =>
+  knex.schema.alterTable('device', (t) => {
+    t.text('revoked_reason'); // 'paused' | 'compromised' | NULL
+  });
+
+exports.down = (knex) =>
+  knex.schema.alterTable('device', (t) => {
+    t.dropColumn('revoked_reason');
+  });

package/src/db/migrations/20260601000004_create-trace-event-table.cjs

@@ -0,0 +1,35 @@
+/**
+ * trace_event — persisted, queryable causal log of what the daemon did.
+ *
+ * Each row is one top-level operation (a search, an ingest/remember, a
+ * lifecycle sweep). `detail` (jsonb) holds the full structured trace:
+ * for search — the routing decision, matched entity, and every ranked
+ * fact with its similarity / RRF / ACT-R activation (decay) / final
+ * score; for ingest — classify → chunk → extract → per-fact AUDM verdict
+ * (with the similarity that drove it) → entity links.
+ *
+ * The live activity feed still streams over the event bus; this table is
+ * the durable history the GUI's Activity tab reads + filters.
+ */
+exports.up = async (knex) => {
+  await knex.schema.createTable('trace_event', (t) => {
+    t.bigIncrements('id').primary();
+    t.text('uid').notNullable().unique();         // trace-<nanoid>
+    t.text('kind').notNullable();                 // 'search' | 'ingest' | 'lifecycle' | ...
+    t.timestamp('ts', { useTz: true }).notNullable().defaultTo(knex.fn.now());
+    t.integer('duration_ms');
+    t.text('namespace');
+    t.text('summary');                            // one-line human description
+    t.text('device_id');                          // provenance (null = this device)
+    t.text('transport');                          // cli | mcp | gui | iroh | null
+    t.jsonb('detail').notNullable().defaultTo('{}');
+  });
+
+  // Hot path is "latest N, optionally filtered by kind".
+  await knex.schema.alterTable('trace_event', (t) => {
+    t.index(['ts'], 'trace_event_ts_idx');
+    t.index(['kind', 'ts'], 'trace_event_kind_ts_idx');
+  });
+};
+
+exports.down = (knex) => knex.schema.dropTableIfExists('trace_event');

package/src/db/migrations/20260601000005_add-fact-agent-provenance.cjs

@@ -0,0 +1,25 @@
+/**
+ * Add `created_by_agent` provenance to fact.
+ *
+ *   created_by_agent — which agent wrote this fact: 'claude-code', 'codex',
+ *                       'cursor', 'mcp', 'cli', etc. NULL means unknown /
+ *                       pre-migration (back-compat).
+ *
+ * This is PROVENANCE, not SCOPE: it is recorded, surfaced, and filterable,
+ * but never a default retrieval partition. Cross-agent sharing is the product
+ * — Claude must still see what Cursor wrote — so agent never enters the
+ * default WHERE clause. Nullable = backfill-free; new ingests populate it from
+ * the authenticated caller's request-context (AsyncLocalStorage). Mirrors the
+ * created_by_device_id column added in 20260601000002.
+ */
+exports.up = (knex) =>
+  knex.schema.alterTable('fact', (t) => {
+    t.text('created_by_agent');
+    t.index(['created_by_agent'], 'idx_fact_by_agent');
+  });
+
+exports.down = (knex) =>
+  knex.schema.alterTable('fact', (t) => {
+    t.dropIndex(['created_by_agent'], 'idx_fact_by_agent');
+    t.dropColumn('created_by_agent');
+  });

package/src/gui/web/api.js

@@ -0,0 +1,37 @@
+/**
+ * Central RPC client — the one door from the GUI to the daemon. Mirrors the
+ * cohort-live-web axios-wrapper convention: a single place that adds context
+ * and turns a structured daemon error ({code,message,hint}) into a toast.
+ *
+ * Pass { quiet: true } to suppress the auto-toast (e.g. when a caller renders
+ * the error inline). The thrown Error carries .code/.hint for callers.
+ */
+import { toast } from './toast.js';
+
+export async function rpc(method, params = {}, { quiet = false } = {}) {
+  let body;
+  try {
+    const res = await fetch('/api/v1/rpc', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      credentials: 'same-origin',
+      body: JSON.stringify({ method, params }),
+    });
+    body = await res.json();
+  } catch {
+    const e = {
+      code: 'NETWORK',
+      message: 'Could not reach the Sigil daemon.',
+      hint: 'Is it running? Try `sigil daemon status`.',
+    };
+    if (!quiet) toast({ variant: 'error', message: e.message, hint: e.hint, code: e.code });
+    throw Object.assign(new Error(e.message), e);
+  }
+
+  if (!body || body.ok !== true) {
+    const e = body?.error || { code: 'UNKNOWN', message: 'request failed' };
+    if (!quiet) toast({ variant: 'error', message: e.message, hint: e.hint, code: e.code });
+    throw Object.assign(new Error(e.message || 'request failed'), e);
+  }
+  return body.data;
+}