@deeplake/hivemind 0.6.47 → 0.7.4

package/hermes/bundle/commands/auth-login.js

@@ -0,0 +1,1009 @@
+#!/usr/bin/env node
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// dist/src/index-marker-store.js
+var index_marker_store_exports = {};
+__export(index_marker_store_exports, {
+  buildIndexMarkerPath: () => buildIndexMarkerPath,
+  getIndexMarkerDir: () => getIndexMarkerDir,
+  hasFreshIndexMarker: () => hasFreshIndexMarker,
+  writeIndexMarker: () => writeIndexMarker
+});
+import { existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "node:fs";
+import { join as join4 } from "node:path";
+import { tmpdir } from "node:os";
+function getIndexMarkerDir() {
+  return process.env.HIVEMIND_INDEX_MARKER_DIR ?? join4(tmpdir(), "hivemind-deeplake-indexes");
+}
+function buildIndexMarkerPath(workspaceId, orgId, table, suffix) {
+  const markerKey = [workspaceId, orgId, table, suffix].join("__").replace(/[^a-zA-Z0-9_.-]/g, "_");
+  return join4(getIndexMarkerDir(), `${markerKey}.json`);
+}
+function hasFreshIndexMarker(markerPath) {
+  if (!existsSync2(markerPath))
+    return false;
+  try {
+    const raw = JSON.parse(readFileSync3(markerPath, "utf-8"));
+    const updatedAt = raw.updatedAt ? new Date(raw.updatedAt).getTime() : NaN;
+    if (!Number.isFinite(updatedAt) || Date.now() - updatedAt > INDEX_MARKER_TTL_MS)
+      return false;
+    return true;
+  } catch {
+    return false;
+  }
+}
+function writeIndexMarker(markerPath) {
+  mkdirSync2(getIndexMarkerDir(), { recursive: true });
+  writeFileSync2(markerPath, JSON.stringify({ updatedAt: (/* @__PURE__ */ new Date()).toISOString() }), "utf-8");
+}
+var INDEX_MARKER_TTL_MS;
+var init_index_marker_store = __esm({
+  "dist/src/index-marker-store.js"() {
+    "use strict";
+    INDEX_MARKER_TTL_MS = Number(process.env.HIVEMIND_INDEX_MARKER_TTL_MS ?? 6 * 60 * 6e4);
+  }
+});
+
+// dist/src/commands/auth.js
+import { execSync } from "node:child_process";
+
+// dist/src/utils/client-header.js
+var DEEPLAKE_CLIENT_HEADER = "X-Deeplake-Client";
+function deeplakeClientValue() {
+  return "hivemind";
+}
+function deeplakeClientHeader() {
+  return { [DEEPLAKE_CLIENT_HEADER]: deeplakeClientValue() };
+}
+
+// dist/src/commands/auth-creds.js
+import { readFileSync, writeFileSync, mkdirSync, unlinkSync } from "node:fs";
+import { join } from "node:path";
+import { homedir } from "node:os";
+function configDir() {
+  return join(homedir(), ".deeplake");
+}
+function credsPath() {
+  return join(configDir(), "credentials.json");
+}
+function loadCredentials() {
+  try {
+    return JSON.parse(readFileSync(credsPath(), "utf-8"));
+  } catch {
+    return null;
+  }
+}
+function saveCredentials(creds) {
+  mkdirSync(configDir(), { recursive: true, mode: 448 });
+  writeFileSync(credsPath(), JSON.stringify({ ...creds, savedAt: (/* @__PURE__ */ new Date()).toISOString() }, null, 2), { mode: 384 });
+}
+function deleteCredentials() {
+  try {
+    unlinkSync(credsPath());
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// dist/src/commands/auth.js
+var DEFAULT_API_URL = "https://api.deeplake.ai";
+async function apiGet(path, token, apiUrl, orgId) {
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    "Content-Type": "application/json",
+    ...deeplakeClientHeader()
+  };
+  if (orgId)
+    headers["X-Activeloop-Org-Id"] = orgId;
+  const resp = await fetch(`${apiUrl}${path}`, { headers });
+  if (!resp.ok)
+    throw new Error(`API ${resp.status}: ${await resp.text().catch(() => "")}`);
+  return resp.json();
+}
+async function apiPost(path, body, token, apiUrl, orgId) {
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    "Content-Type": "application/json",
+    ...deeplakeClientHeader()
+  };
+  if (orgId)
+    headers["X-Activeloop-Org-Id"] = orgId;
+  const resp = await fetch(`${apiUrl}${path}`, { method: "POST", headers, body: JSON.stringify(body) });
+  if (!resp.ok)
+    throw new Error(`API ${resp.status}: ${await resp.text().catch(() => "")}`);
+  return resp.json();
+}
+async function apiDelete(path, token, apiUrl, orgId) {
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    "Content-Type": "application/json",
+    ...deeplakeClientHeader()
+  };
+  if (orgId)
+    headers["X-Activeloop-Org-Id"] = orgId;
+  const resp = await fetch(`${apiUrl}${path}`, { method: "DELETE", headers });
+  if (!resp.ok)
+    throw new Error(`API ${resp.status}: ${await resp.text().catch(() => "")}`);
+}
+async function requestDeviceCode(apiUrl = DEFAULT_API_URL) {
+  const resp = await fetch(`${apiUrl}/auth/device/code`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json", ...deeplakeClientHeader() }
+  });
+  if (!resp.ok)
+    throw new Error(`Device flow unavailable: HTTP ${resp.status}`);
+  return resp.json();
+}
+async function pollForToken(deviceCode, apiUrl = DEFAULT_API_URL) {
+  const resp = await fetch(`${apiUrl}/auth/device/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json", ...deeplakeClientHeader() },
+    body: JSON.stringify({ device_code: deviceCode })
+  });
+  if (resp.ok)
+    return resp.json();
+  if (resp.status === 400) {
+    const err = await resp.json().catch(() => null);
+    if (err?.error === "authorization_pending" || err?.error === "slow_down")
+      return null;
+    if (err?.error === "expired_token")
+      throw new Error("Device code expired. Try again.");
+    if (err?.error === "access_denied")
+      throw new Error("Authorization denied.");
+  }
+  throw new Error(`Token polling failed: HTTP ${resp.status}`);
+}
+function openBrowser(url) {
+  try {
+    const cmd = process.platform === "darwin" ? `open "${url}"` : process.platform === "win32" ? `start "${url}"` : `xdg-open "${url}" 2>/dev/null`;
+    execSync(cmd, { stdio: "ignore", timeout: 5e3 });
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function deviceFlowLogin(apiUrl = DEFAULT_API_URL) {
+  const code = await requestDeviceCode(apiUrl);
+  const opened = openBrowser(code.verification_uri_complete);
+  const msg = [
+    "\nDeeplake Authentication",
+    "\u2500".repeat(40),
+    `
+Open this URL: ${code.verification_uri_complete}`,
+    `Or visit ${code.verification_uri} and enter code: ${code.user_code}`,
+    opened ? "\nBrowser opened. Waiting for sign in..." : "\nWaiting for sign in..."
+  ].join("\n");
+  process.stderr.write(msg + "\n");
+  const interval = Math.max(code.interval || 5, 5) * 1e3;
+  const deadline = Date.now() + code.expires_in * 1e3;
+  while (Date.now() < deadline) {
+    await new Promise((r) => setTimeout(r, interval));
+    const result = await pollForToken(code.device_code, apiUrl);
+    if (result) {
+      process.stderr.write("\nAuthentication successful!\n");
+      return { token: result.access_token, expiresIn: result.expires_in };
+    }
+  }
+  throw new Error("Device code expired.");
+}
+async function listOrgs(token, apiUrl = DEFAULT_API_URL) {
+  const data = await apiGet("/organizations", token, apiUrl);
+  return Array.isArray(data) ? data : [];
+}
+async function switchOrg(orgId, orgName) {
+  const creds = loadCredentials();
+  if (!creds)
+    throw new Error("Not logged in. Run deeplake login first.");
+  saveCredentials({ ...creds, orgId, orgName });
+}
+async function listWorkspaces(token, apiUrl = DEFAULT_API_URL, orgId) {
+  const raw = await apiGet("/workspaces", token, apiUrl, orgId);
+  const data = raw.data ?? raw;
+  return Array.isArray(data) ? data : [];
+}
+async function switchWorkspace(workspaceId) {
+  const creds = loadCredentials();
+  if (!creds)
+    throw new Error("Not logged in. Run deeplake login first.");
+  saveCredentials({ ...creds, workspaceId });
+}
+async function inviteMember(username, accessMode, token, orgId, apiUrl = DEFAULT_API_URL) {
+  await apiPost(`/organizations/${orgId}/members/invite`, { username, access_mode: accessMode }, token, apiUrl, orgId);
+}
+async function listMembers(token, orgId, apiUrl = DEFAULT_API_URL) {
+  const data = await apiGet(`/organizations/${orgId}/members`, token, apiUrl, orgId);
+  return data.members ?? [];
+}
+async function removeMember(userId, token, orgId, apiUrl = DEFAULT_API_URL) {
+  await apiDelete(`/organizations/${orgId}/members/${userId}`, token, apiUrl, orgId);
+}
+async function login(apiUrl = DEFAULT_API_URL) {
+  const { token: authToken } = await deviceFlowLogin(apiUrl);
+  const user = await apiGet("/me", authToken, apiUrl);
+  const userName = user.name || (user.email ? user.email.split("@")[0] : "unknown");
+  process.stderr.write(`
+Logged in as: ${userName}
+`);
+  const orgs = await listOrgs(authToken, apiUrl);
+  let orgId;
+  let orgName;
+  if (orgs.length === 1) {
+    orgId = orgs[0].id;
+    orgName = orgs[0].name;
+    process.stderr.write(`Organization: ${orgName}
+`);
+  } else {
+    process.stderr.write("\nOrganizations:\n");
+    orgs.forEach((org, i) => process.stderr.write(`  ${i + 1}. ${org.name}
+`));
+    orgId = orgs[0].id;
+    orgName = orgs[0].name;
+    process.stderr.write(`
+Using: ${orgName}
+`);
+  }
+  const tokenName = `deeplake-plugin-${(/* @__PURE__ */ new Date()).toISOString().slice(0, 10)}`;
+  const tokenData = await apiPost("/users/me/tokens", {
+    name: tokenName,
+    duration: 365 * 24 * 3600,
+    organization_id: orgId
+  }, authToken, apiUrl);
+  const apiToken = tokenData.token.token;
+  const creds = {
+    token: apiToken,
+    orgId,
+    orgName,
+    userName,
+    workspaceId: "default",
+    apiUrl,
+    savedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  saveCredentials(creds);
+  return creds;
+}
+
+// dist/src/config.js
+import { readFileSync as readFileSync2, existsSync } from "node:fs";
+import { join as join2 } from "node:path";
+import { homedir as homedir2, userInfo } from "node:os";
+function loadConfig() {
+  const home = homedir2();
+  const credPath = join2(home, ".deeplake", "credentials.json");
+  let creds = null;
+  if (existsSync(credPath)) {
+    try {
+      creds = JSON.parse(readFileSync2(credPath, "utf-8"));
+    } catch {
+      return null;
+    }
+  }
+  const token = process.env.HIVEMIND_TOKEN ?? creds?.token;
+  const orgId = process.env.HIVEMIND_ORG_ID ?? creds?.orgId;
+  if (!token || !orgId)
+    return null;
+  return {
+    token,
+    orgId,
+    orgName: creds?.orgName ?? orgId,
+    userName: creds?.userName || userInfo().username || "unknown",
+    workspaceId: process.env.HIVEMIND_WORKSPACE_ID ?? creds?.workspaceId ?? "default",
+    apiUrl: process.env.HIVEMIND_API_URL ?? creds?.apiUrl ?? "https://api.deeplake.ai",
+    tableName: process.env.HIVEMIND_TABLE ?? "memory",
+    sessionsTableName: process.env.HIVEMIND_SESSIONS_TABLE ?? "sessions",
+    memoryPath: process.env.HIVEMIND_MEMORY_PATH ?? join2(home, ".deeplake", "memory")
+  };
+}
+
+// dist/src/deeplake-api.js
+import { randomUUID } from "node:crypto";
+
+// dist/src/utils/debug.js
+import { appendFileSync } from "node:fs";
+import { join as join3 } from "node:path";
+import { homedir as homedir3 } from "node:os";
+var DEBUG = process.env.HIVEMIND_DEBUG === "1";
+var LOG = join3(homedir3(), ".deeplake", "hook-debug.log");
+function log(tag, msg) {
+  if (!DEBUG)
+    return;
+  appendFileSync(LOG, `${(/* @__PURE__ */ new Date()).toISOString()} [${tag}] ${msg}
+`);
+}
+
+// dist/src/utils/sql.js
+function sqlStr(value) {
+  return value.replace(/\\/g, "\\\\").replace(/'/g, "''").replace(/\0/g, "").replace(/[\x01-\x08\x0b\x0c\x0e-\x1f\x7f]/g, "");
+}
+
+// dist/src/embeddings/columns.js
+var SUMMARY_EMBEDDING_COL = "summary_embedding";
+var MESSAGE_EMBEDDING_COL = "message_embedding";
+
+// dist/src/deeplake-api.js
+var indexMarkerStorePromise = null;
+function getIndexMarkerStore() {
+  if (!indexMarkerStorePromise)
+    indexMarkerStorePromise = Promise.resolve().then(() => (init_index_marker_store(), index_marker_store_exports));
+  return indexMarkerStorePromise;
+}
+var log2 = (msg) => log("sdk", msg);
+function summarizeSql(sql, maxLen = 220) {
+  const compact = sql.replace(/\s+/g, " ").trim();
+  return compact.length > maxLen ? `${compact.slice(0, maxLen)}...` : compact;
+}
+function traceSql(msg) {
+  const traceEnabled = process.env.HIVEMIND_TRACE_SQL === "1" || process.env.HIVEMIND_DEBUG === "1";
+  if (!traceEnabled)
+    return;
+  process.stderr.write(`[deeplake-sql] ${msg}
+`);
+  if (process.env.HIVEMIND_DEBUG === "1")
+    log2(msg);
+}
+var RETRYABLE_CODES = /* @__PURE__ */ new Set([429, 500, 502, 503, 504]);
+var MAX_RETRIES = 3;
+var BASE_DELAY_MS = 500;
+var MAX_CONCURRENCY = 5;
+var QUERY_TIMEOUT_MS = Number(process.env.HIVEMIND_QUERY_TIMEOUT_MS ?? 1e4);
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function isTimeoutError(error) {
+  const name = error instanceof Error ? error.name.toLowerCase() : "";
+  const message = error instanceof Error ? error.message.toLowerCase() : String(error).toLowerCase();
+  return name.includes("timeout") || name === "aborterror" || message.includes("timeout") || message.includes("timed out");
+}
+function isDuplicateIndexError(error) {
+  const message = error instanceof Error ? error.message.toLowerCase() : String(error).toLowerCase();
+  return message.includes("duplicate key value violates unique constraint") || message.includes("pg_class_relname_nsp_index") || message.includes("already exists");
+}
+function isSessionInsertQuery(sql) {
+  return /^\s*insert\s+into\s+"[^"]+"\s*\(\s*id\s*,\s*path\s*,\s*filename\s*,\s*message\s*,/i.test(sql);
+}
+function isTransientHtml403(text) {
+  const body = text.toLowerCase();
+  return body.includes("<html") || body.includes("403 forbidden") || body.includes("cloudflare") || body.includes("nginx");
+}
+var Semaphore = class {
+  max;
+  waiting = [];
+  active = 0;
+  constructor(max) {
+    this.max = max;
+  }
+  async acquire() {
+    if (this.active < this.max) {
+      this.active++;
+      return;
+    }
+    await new Promise((resolve) => this.waiting.push(resolve));
+  }
+  release() {
+    this.active--;
+    const next = this.waiting.shift();
+    if (next) {
+      this.active++;
+      next();
+    }
+  }
+};
+var DeeplakeApi = class {
+  token;
+  apiUrl;
+  orgId;
+  workspaceId;
+  tableName;
+  _pendingRows = [];
+  _sem = new Semaphore(MAX_CONCURRENCY);
+  _tablesCache = null;
+  constructor(token, apiUrl, orgId, workspaceId, tableName) {
+    this.token = token;
+    this.apiUrl = apiUrl;
+    this.orgId = orgId;
+    this.workspaceId = workspaceId;
+    this.tableName = tableName;
+  }
+  /** Execute SQL with retry on transient errors and bounded concurrency. */
+  async query(sql) {
+    const startedAt = Date.now();
+    const summary = summarizeSql(sql);
+    traceSql(`query start: ${summary}`);
+    await this._sem.acquire();
+    try {
+      const rows = await this._queryWithRetry(sql);
+      traceSql(`query ok (${Date.now() - startedAt}ms, rows=${rows.length}): ${summary}`);
+      return rows;
+    } catch (e) {
+      const message = e instanceof Error ? e.message : String(e);
+      traceSql(`query fail (${Date.now() - startedAt}ms): ${summary} :: ${message}`);
+      throw e;
+    } finally {
+      this._sem.release();
+    }
+  }
+  async _queryWithRetry(sql) {
+    let lastError;
+    for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
+      let resp;
+      try {
+        const signal = AbortSignal.timeout(QUERY_TIMEOUT_MS);
+        resp = await fetch(`${this.apiUrl}/workspaces/${this.workspaceId}/tables/query`, {
+          method: "POST",
+          headers: {
+            Authorization: `Bearer ${this.token}`,
+            "Content-Type": "application/json",
+            "X-Activeloop-Org-Id": this.orgId,
+            ...deeplakeClientHeader()
+          },
+          signal,
+          body: JSON.stringify({ query: sql })
+        });
+      } catch (e) {
+        if (isTimeoutError(e)) {
+          lastError = new Error(`Query timeout after ${QUERY_TIMEOUT_MS}ms`);
+          throw lastError;
+        }
+        lastError = e instanceof Error ? e : new Error(String(e));
+        if (attempt < MAX_RETRIES) {
+          const delay = BASE_DELAY_MS * Math.pow(2, attempt) + Math.random() * 200;
+          log2(`query retry ${attempt + 1}/${MAX_RETRIES} (fetch error: ${lastError.message}) in ${delay.toFixed(0)}ms`);
+          await sleep(delay);
+          continue;
+        }
+        throw lastError;
+      }
+      if (resp.ok) {
+        const raw = await resp.json();
+        if (!raw?.rows || !raw?.columns)
+          return [];
+        return raw.rows.map((row) => Object.fromEntries(raw.columns.map((col, i) => [col, row[i]])));
+      }
+      const text = await resp.text().catch(() => "");
+      const retryable403 = isSessionInsertQuery(sql) && (resp.status === 401 || resp.status === 403 && (text.length === 0 || isTransientHtml403(text)));
+      const alreadyExists = resp.status === 500 && isDuplicateIndexError(text);
+      if (!alreadyExists && attempt < MAX_RETRIES && (RETRYABLE_CODES.has(resp.status) || retryable403)) {
+        const delay = BASE_DELAY_MS * Math.pow(2, attempt) + Math.random() * 200;
+        log2(`query retry ${attempt + 1}/${MAX_RETRIES} (${resp.status}) in ${delay.toFixed(0)}ms`);
+        await sleep(delay);
+        continue;
+      }
+      throw new Error(`Query failed: ${resp.status}: ${text.slice(0, 200)}`);
+    }
+    throw lastError ?? new Error("Query failed: max retries exceeded");
+  }
+  // ── Writes ──────────────────────────────────────────────────────────────────
+  /** Queue rows for writing. Call commit() to flush. */
+  appendRows(rows) {
+    this._pendingRows.push(...rows);
+  }
+  /** Flush pending rows via SQL. */
+  async commit() {
+    if (this._pendingRows.length === 0)
+      return;
+    const rows = this._pendingRows;
+    this._pendingRows = [];
+    const CONCURRENCY = 10;
+    for (let i = 0; i < rows.length; i += CONCURRENCY) {
+      const chunk = rows.slice(i, i + CONCURRENCY);
+      await Promise.allSettled(chunk.map((r) => this.upsertRowSql(r)));
+    }
+    log2(`commit: ${rows.length} rows`);
+  }
+  async upsertRowSql(row) {
+    const ts = (/* @__PURE__ */ new Date()).toISOString();
+    const cd = row.creationDate ?? ts;
+    const lud = row.lastUpdateDate ?? ts;
+    const exists = await this.query(`SELECT path FROM "${this.tableName}" WHERE path = '${sqlStr(row.path)}' LIMIT 1`);
+    if (exists.length > 0) {
+      let setClauses = `summary = E'${sqlStr(row.contentText)}', ${SUMMARY_EMBEDDING_COL} = NULL, mime_type = '${sqlStr(row.mimeType)}', size_bytes = ${row.sizeBytes}, last_update_date = '${lud}'`;
+      if (row.project !== void 0)
+        setClauses += `, project = '${sqlStr(row.project)}'`;
+      if (row.description !== void 0)
+        setClauses += `, description = '${sqlStr(row.description)}'`;
+      await this.query(`UPDATE "${this.tableName}" SET ${setClauses} WHERE path = '${sqlStr(row.path)}'`);
+    } else {
+      const id = randomUUID();
+      let cols = `id, path, filename, summary, ${SUMMARY_EMBEDDING_COL}, mime_type, size_bytes, creation_date, last_update_date`;
+      let vals = `'${id}', '${sqlStr(row.path)}', '${sqlStr(row.filename)}', E'${sqlStr(row.contentText)}', NULL, '${sqlStr(row.mimeType)}', ${row.sizeBytes}, '${cd}', '${lud}'`;
+      if (row.project !== void 0) {
+        cols += ", project";
+        vals += `, '${sqlStr(row.project)}'`;
+      }
+      if (row.description !== void 0) {
+        cols += ", description";
+        vals += `, '${sqlStr(row.description)}'`;
+      }
+      await this.query(`INSERT INTO "${this.tableName}" (${cols}) VALUES (${vals})`);
+    }
+  }
+  /** Update specific columns on a row by path. */
+  async updateColumns(path, columns) {
+    const setClauses = Object.entries(columns).map(([col, val]) => typeof val === "number" ? `${col} = ${val}` : `${col} = '${sqlStr(String(val))}'`).join(", ");
+    await this.query(`UPDATE "${this.tableName}" SET ${setClauses} WHERE path = '${sqlStr(path)}'`);
+  }
+  // ── Convenience ─────────────────────────────────────────────────────────────
+  /** Create a BM25 search index on a column. */
+  async createIndex(column) {
+    await this.query(`CREATE INDEX IF NOT EXISTS idx_${sqlStr(column)}_bm25 ON "${this.tableName}" USING deeplake_index ("${column}")`);
+  }
+  buildLookupIndexName(table, suffix) {
+    return `idx_${table}_${suffix}`.replace(/[^a-zA-Z0-9_]/g, "_");
+  }
+  async ensureLookupIndex(table, suffix, columnsSql) {
+    const markers = await getIndexMarkerStore();
+    const markerPath = markers.buildIndexMarkerPath(this.workspaceId, this.orgId, table, suffix);
+    if (markers.hasFreshIndexMarker(markerPath))
+      return;
+    const indexName = this.buildLookupIndexName(table, suffix);
+    try {
+      await this.query(`CREATE INDEX IF NOT EXISTS "${indexName}" ON "${table}" ${columnsSql}`);
+      markers.writeIndexMarker(markerPath);
+    } catch (e) {
+      if (isDuplicateIndexError(e)) {
+        markers.writeIndexMarker(markerPath);
+        return;
+      }
+      log2(`index "${indexName}" skipped: ${e.message}`);
+    }
+  }
+  /**
+   * Ensure a vector column exists on the given table.
+   *
+   * The previous implementation always issued `ALTER TABLE ADD COLUMN IF NOT
+   * EXISTS …` on every SessionStart. On a long-running workspace that's
+   * already migrated, every call returns 500 "Column already exists" — noisy
+   * in the log and a wasted round-trip. Worse, the very first call after the
+   * column is genuinely added triggers Deeplake's post-ALTER `vector::at`
+   * window (~30s) during which subsequent INSERTs fail; minimising the
+   * number of ALTER calls minimises exposure to that window.
+   *
+   * New flow:
+   *   1. Check the local marker file (mirrors ensureLookupIndex). If fresh,
+   *      return — zero network calls.
+   *   2. SELECT 1 FROM information_schema.columns WHERE table_name = T AND
+   *      column_name = C. Read-only, idempotent, can't tickle the post-ALTER
+   *      bug. If the column is present → mark + return.
+   *   3. Only if step 2 says the column is missing, fall back to ALTER ADD
+   *      COLUMN IF NOT EXISTS. Mark on success, also mark if Deeplake reports
+   *      "already exists" (race: another client added it between our SELECT
+   *      and ALTER).
+   *
+   * Marker uses the same dir / TTL as ensureLookupIndex so both schema
+   * caches share an opt-out (HIVEMIND_INDEX_MARKER_DIR) and a TTL knob.
+   */
+  async ensureEmbeddingColumn(table, column) {
+    await this.ensureColumn(table, column, "FLOAT4[]");
+  }
+  /**
+   * Generic marker-gated column migration. Same SELECT-then-ALTER flow as
+   * ensureEmbeddingColumn, parameterized by SQL type so it can patch up any
+   * column that was added to the schema after the table was originally
+   * created. Used today for `summary_embedding`, `message_embedding`, and
+   * the `agent` column (added 2026-04-11) — the latter has no fallback if
+   * a user upgraded over a pre-2026-04-11 table, so every INSERT fails
+   * with `column "agent" does not exist`.
+   */
+  async ensureColumn(table, column, sqlType) {
+    const markers = await getIndexMarkerStore();
+    const markerPath = markers.buildIndexMarkerPath(this.workspaceId, this.orgId, table, `col_${column}`);
+    if (markers.hasFreshIndexMarker(markerPath))
+      return;
+    const colCheck = `SELECT 1 FROM information_schema.columns WHERE table_name = '${sqlStr(table)}' AND column_name = '${sqlStr(column)}' AND table_schema = '${sqlStr(this.workspaceId)}' LIMIT 1`;
+    const rows = await this.query(colCheck);
+    if (rows.length > 0) {
+      markers.writeIndexMarker(markerPath);
+      return;
+    }
+    try {
+      await this.query(`ALTER TABLE "${table}" ADD COLUMN ${column} ${sqlType}`);
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      if (!/already exists/i.test(msg))
+        throw e;
+      const recheck = await this.query(colCheck);
+      if (recheck.length === 0)
+        throw e;
+    }
+    markers.writeIndexMarker(markerPath);
+  }
+  /** List all tables in the workspace (with retry). */
+  async listTables(forceRefresh = false) {
+    if (!forceRefresh && this._tablesCache)
+      return [...this._tablesCache];
+    const { tables, cacheable } = await this._fetchTables();
+    if (cacheable)
+      this._tablesCache = [...tables];
+    return tables;
+  }
+  async _fetchTables() {
+    for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
+      try {
+        const resp = await fetch(`${this.apiUrl}/workspaces/${this.workspaceId}/tables`, {
+          headers: {
+            Authorization: `Bearer ${this.token}`,
+            "X-Activeloop-Org-Id": this.orgId,
+            ...deeplakeClientHeader()
+          }
+        });
+        if (resp.ok) {
+          const data = await resp.json();
+          return {
+            tables: (data.tables ?? []).map((t) => t.table_name),
+            cacheable: true
+          };
+        }
+        if (attempt < MAX_RETRIES && RETRYABLE_CODES.has(resp.status)) {
+          await sleep(BASE_DELAY_MS * Math.pow(2, attempt) + Math.random() * 200);
+          continue;
+        }
+        return { tables: [], cacheable: false };
+      } catch {
+        if (attempt < MAX_RETRIES) {
+          await sleep(BASE_DELAY_MS * Math.pow(2, attempt));
+          continue;
+        }
+        return { tables: [], cacheable: false };
+      }
+    }
+    return { tables: [], cacheable: false };
+  }
+  /**
+   * Run a `CREATE TABLE` with an extra outer retry budget. The base
+   * `query()` already retries 3 times on fetch errors (~3.5s total), but a
+   * failed CREATE is permanent corruption — every subsequent SELECT against
+   * the missing table fails. Wrapping in an outer loop with longer backoff
+   * (2s, 5s, then 10s) gives us ~17s of reach across transient network
+   * blips before giving up. Failures still propagate; getApi() resets its
+   * cache on init failure (openclaw plugin) so the next call retries the
+   * whole init flow.
+   */
+  async createTableWithRetry(sql, label) {
+    const OUTER_BACKOFFS_MS = [2e3, 5e3, 1e4];
+    let lastErr = null;
+    for (let attempt = 0; attempt <= OUTER_BACKOFFS_MS.length; attempt++) {
+      try {
+        await this.query(sql);
+        return;
+      } catch (err) {
+        lastErr = err;
+        const msg = err instanceof Error ? err.message : String(err);
+        log2(`CREATE TABLE "${label}" attempt ${attempt + 1}/${OUTER_BACKOFFS_MS.length + 1} failed: ${msg}`);
+        if (attempt < OUTER_BACKOFFS_MS.length) {
+          await sleep(OUTER_BACKOFFS_MS[attempt]);
+        }
+      }
+    }
+    throw lastErr;
+  }
+  /** Create the memory table if it doesn't already exist. Migrate columns on existing tables. */
+  async ensureTable(name) {
+    const tbl = name ?? this.tableName;
+    const tables = await this.listTables();
+    if (!tables.includes(tbl)) {
+      log2(`table "${tbl}" not found, creating`);
+      await this.createTableWithRetry(`CREATE TABLE IF NOT EXISTS "${tbl}" (id TEXT NOT NULL DEFAULT '', path TEXT NOT NULL DEFAULT '', filename TEXT NOT NULL DEFAULT '', summary TEXT NOT NULL DEFAULT '', summary_embedding FLOAT4[], author TEXT NOT NULL DEFAULT '', mime_type TEXT NOT NULL DEFAULT 'text/plain', size_bytes BIGINT NOT NULL DEFAULT 0, project TEXT NOT NULL DEFAULT '', description TEXT NOT NULL DEFAULT '', agent TEXT NOT NULL DEFAULT '', creation_date TEXT NOT NULL DEFAULT '', last_update_date TEXT NOT NULL DEFAULT '') USING deeplake`, tbl);
+      log2(`table "${tbl}" created`);
+      if (!tables.includes(tbl))
+        this._tablesCache = [...tables, tbl];
+    }
+    await this.ensureEmbeddingColumn(tbl, SUMMARY_EMBEDDING_COL);
+    await this.ensureColumn(tbl, "agent", "TEXT NOT NULL DEFAULT ''");
+  }
+  /** Create the sessions table (uses JSONB for message since every row is a JSON event). */
+  async ensureSessionsTable(name) {
+    const tables = await this.listTables();
+    if (!tables.includes(name)) {
+      log2(`table "${name}" not found, creating`);
+      await this.createTableWithRetry(`CREATE TABLE IF NOT EXISTS "${name}" (id TEXT NOT NULL DEFAULT '', path TEXT NOT NULL DEFAULT '', filename TEXT NOT NULL DEFAULT '', message JSONB, message_embedding FLOAT4[], author TEXT NOT NULL DEFAULT '', mime_type TEXT NOT NULL DEFAULT 'application/json', size_bytes BIGINT NOT NULL DEFAULT 0, project TEXT NOT NULL DEFAULT '', description TEXT NOT NULL DEFAULT '', agent TEXT NOT NULL DEFAULT '', creation_date TEXT NOT NULL DEFAULT '', last_update_date TEXT NOT NULL DEFAULT '') USING deeplake`, name);
+      log2(`table "${name}" created`);
+      if (!tables.includes(name))
+        this._tablesCache = [...tables, name];
+    }
+    await this.ensureEmbeddingColumn(name, MESSAGE_EMBEDDING_COL);
+    await this.ensureColumn(name, "agent", "TEXT NOT NULL DEFAULT ''");
+    await this.ensureLookupIndex(name, "path_creation_date", `("path", "creation_date")`);
+  }
+};
+
+// dist/src/commands/session-prune.js
+import { createInterface } from "node:readline";
+function parseArgs(argv) {
+  let before;
+  let sessionId;
+  let all = false;
+  let yes = false;
+  for (let i = 0; i < argv.length; i++) {
+    const arg = argv[i];
+    if (arg === "--before" && argv[i + 1]) {
+      before = argv[++i];
+    } else if (arg === "--session-id" && argv[i + 1]) {
+      sessionId = argv[++i];
+    } else if (arg === "--all") {
+      all = true;
+    } else if (arg === "--yes" || arg === "-y") {
+      yes = true;
+    }
+  }
+  return { before, sessionId, all, yes };
+}
+function confirm(message) {
+  const rl = createInterface({ input: process.stdin, output: process.stderr });
+  return new Promise((resolve) => {
+    rl.question(`${message} [y/N] `, (answer) => {
+      rl.close();
+      resolve(answer.trim().toLowerCase() === "y");
+    });
+  });
+}
+function extractSessionId(path) {
+  const m = path.match(/\/sessions\/[^/]+\/[^/]+_([^.]+)\.jsonl$/);
+  return m ? m[1] : path.split("/").pop()?.replace(/\.jsonl$/, "") ?? path;
+}
+async function listSessions(api, sessionsTable, author) {
+  const rows = await api.query(`SELECT path, COUNT(*) as cnt, MIN(creation_date) as first_event, MAX(creation_date) as last_event, MAX(project) as project FROM "${sessionsTable}" WHERE author = '${sqlStr(author)}' GROUP BY path ORDER BY first_event DESC`);
+  return rows.map((r) => ({
+    path: String(r.path),
+    rowCount: Number(r.cnt),
+    firstEvent: String(r.first_event),
+    lastEvent: String(r.last_event),
+    project: String(r.project ?? "")
+  }));
+}
+async function deleteSessions(config, sessionPaths) {
+  if (sessionPaths.length === 0)
+    return { sessionsDeleted: 0, summariesDeleted: 0 };
+  const sessionsApi = new DeeplakeApi(config.token, config.apiUrl, config.orgId, config.workspaceId, config.sessionsTableName);
+  const memoryApi = new DeeplakeApi(config.token, config.apiUrl, config.orgId, config.workspaceId, config.tableName);
+  let sessionsDeleted = 0;
+  let summariesDeleted = 0;
+  for (const sessionPath of sessionPaths) {
+    await sessionsApi.query(`DELETE FROM "${config.sessionsTableName}" WHERE path = '${sqlStr(sessionPath)}'`);
+    sessionsDeleted++;
+    const sessionId = extractSessionId(sessionPath);
+    const summaryPath = `/summaries/${config.userName}/${sessionId}.md`;
+    const existing = await memoryApi.query(`SELECT path FROM "${config.tableName}" WHERE path = '${sqlStr(summaryPath)}' LIMIT 1`);
+    if (existing.length > 0) {
+      await memoryApi.query(`DELETE FROM "${config.tableName}" WHERE path = '${sqlStr(summaryPath)}'`);
+      summariesDeleted++;
+    }
+  }
+  return { sessionsDeleted, summariesDeleted };
+}
+async function sessionPrune(argv) {
+  const config = loadConfig();
+  if (!config) {
+    console.error("Not logged in. Run: deeplake login");
+    process.exit(1);
+  }
+  const { before, sessionId, all, yes } = parseArgs(argv);
+  const author = config.userName;
+  const sessionsApi = new DeeplakeApi(config.token, config.apiUrl, config.orgId, config.workspaceId, config.sessionsTableName);
+  const sessions = await listSessions(sessionsApi, config.sessionsTableName, author);
+  if (sessions.length === 0) {
+    console.log(`No sessions found for author "${author}".`);
+    return;
+  }
+  let targets;
+  if (sessionId) {
+    targets = sessions.filter((s) => extractSessionId(s.path) === sessionId);
+    if (targets.length === 0) {
+      console.error(`Session not found: ${sessionId}`);
+      console.error(`
+Your sessions:`);
+      for (const s of sessions.slice(0, 10)) {
+        console.error(`  ${extractSessionId(s.path)}  ${s.firstEvent.slice(0, 10)}  ${s.project}`);
+      }
+      process.exit(1);
+    }
+  } else if (before) {
+    const cutoff = new Date(before);
+    if (isNaN(cutoff.getTime())) {
+      console.error(`Invalid date: ${before}`);
+      process.exit(1);
+    }
+    targets = sessions.filter((s) => new Date(s.lastEvent) < cutoff);
+  } else if (all) {
+    targets = sessions;
+  } else {
+    console.log(`Sessions for "${author}" (${sessions.length} total):
+`);
+    console.log("  Session ID".padEnd(42) + "Date".padEnd(14) + "Events".padEnd(10) + "Project");
+    console.log("  " + "\u2500".repeat(80));
+    for (const s of sessions) {
+      const id = extractSessionId(s.path);
+      const date = s.firstEvent.slice(0, 10);
+      console.log(`  ${id.padEnd(40)}${date.padEnd(14)}${String(s.rowCount).padEnd(10)}${s.project}`);
+    }
+    console.log(`
+To delete, use: --all, --before <date>, or --session-id <id>`);
+    return;
+  }
+  if (targets.length === 0) {
+    console.log("No sessions match the given criteria.");
+    return;
+  }
+  console.log(`Will delete ${targets.length} session(s) for "${author}":
+`);
+  for (const s of targets) {
+    const id = extractSessionId(s.path);
+    console.log(`  ${id}  ${s.firstEvent.slice(0, 10)}  ${s.rowCount} events  ${s.project}`);
+  }
+  console.log();
+  if (!yes) {
+    const ok = await confirm("Proceed with deletion?");
+    if (!ok) {
+      console.log("Aborted.");
+      return;
+    }
+  }
+  const { sessionsDeleted, summariesDeleted } = await deleteSessions(config, targets.map((t) => t.path));
+  console.log(`Deleted ${sessionsDeleted} session(s) and ${summariesDeleted} summary file(s).`);
+}
+
+// dist/src/commands/auth-login.js
+async function runAuthCommand(args) {
+  const cmd = args[0] ?? "whoami";
+  const creds = loadCredentials();
+  const apiUrl = creds?.apiUrl ?? "https://api.deeplake.ai";
+  switch (cmd) {
+    case "login": {
+      await login(apiUrl);
+      break;
+    }
+    case "whoami": {
+      if (!creds) {
+        console.log("Not logged in. Run: node auth-login.js login");
+        break;
+      }
+      console.log(`User org: ${creds.orgName ?? creds.orgId}`);
+      console.log(`Workspace: ${creds.workspaceId ?? "default"}`);
+      console.log(`API: ${creds.apiUrl ?? "https://api.deeplake.ai"}`);
+      break;
+    }
+    case "org": {
+      if (!creds) {
+        console.log("Not logged in.");
+        process.exit(1);
+      }
+      const sub = args[1];
+      if (sub === "list") {
+        const orgs = await listOrgs(creds.token, apiUrl);
+        orgs.forEach((o) => console.log(`${o.id}  ${o.name}`));
+      } else if (sub === "switch") {
+        const target = args[2];
+        if (!target) {
+          console.log("Usage: org switch <org-name-or-id>");
+          process.exit(1);
+        }
+        const orgs = await listOrgs(creds.token, apiUrl);
+        const match = orgs.find((o) => o.id === target || o.name.toLowerCase() === target.toLowerCase());
+        if (!match) {
+          console.log(`Org not found: ${target}`);
+          process.exit(1);
+        }
+        await switchOrg(match.id, match.name);
+        console.log(`Switched to org: ${match.name}`);
+      } else {
+        console.log("Usage: org list | org switch <name-or-id>");
+      }
+      break;
+    }
+    case "workspaces": {
+      if (!creds) {
+        console.log("Not logged in.");
+        process.exit(1);
+      }
+      const ws = await listWorkspaces(creds.token, apiUrl, creds.orgId);
+      ws.forEach((w) => console.log(`${w.id}  ${w.name}`));
+      break;
+    }
+    case "workspace": {
+      if (!creds) {
+        console.log("Not logged in.");
+        process.exit(1);
+      }
+      const wsId = args[1];
+      if (!wsId) {
+        console.log("Usage: workspace <id>");
+        process.exit(1);
+      }
+      await switchWorkspace(wsId);
+      console.log(`Switched to workspace: ${wsId}`);
+      break;
+    }
+    case "invite": {
+      if (!creds) {
+        console.log("Not logged in.");
+        process.exit(1);
+      }
+      const email = args[1];
+      const mode = args[2]?.toUpperCase() ?? "WRITE";
+      if (!email) {
+        console.log("Usage: invite <email> [ADMIN|WRITE|READ]");
+        process.exit(1);
+      }
+      await inviteMember(email, mode, creds.token, creds.orgId, apiUrl);
+      console.log(`Invited ${email} with ${mode} access`);
+      break;
+    }
+    case "members": {
+      if (!creds) {
+        console.log("Not logged in.");
+        process.exit(1);
+      }
+      const members = await listMembers(creds.token, creds.orgId, apiUrl);
+      members.forEach((m) => console.log(`${m.role.padEnd(8)} ${m.email ?? m.name}`));
+      break;
+    }
+    case "remove": {
+      if (!creds) {
+        console.log("Not logged in.");
+        process.exit(1);
+      }
+      const userId = args[1];
+      if (!userId) {
+        console.log("Usage: remove <user-id>");
+        process.exit(1);
+      }
+      await removeMember(userId, creds.token, creds.orgId, apiUrl);
+      console.log(`Removed user ${userId}`);
+      break;
+    }
+    case "sessions": {
+      const sub = args[1];
+      if (sub === "prune") {
+        await sessionPrune(args.slice(2));
+      } else {
+        console.log("Usage: sessions prune [--all | --before <date> | --session-id <id>] [--yes]");
+      }
+      break;
+    }
+    case "autoupdate": {
+      if (!creds) {
+        console.log("Not logged in.");
+        process.exit(1);
+      }
+      const val = args[1]?.toLowerCase();
+      if (val === "on" || val === "true") {
+        saveCredentials({ ...creds, autoupdate: true });
+        console.log("Autoupdate enabled. Plugin will update automatically on session start.");
+      } else if (val === "off" || val === "false") {
+        saveCredentials({ ...creds, autoupdate: false });
+        console.log("Autoupdate disabled. You'll see a notice when updates are available.");
+      } else {
+        const current = creds.autoupdate !== false ? "on" : "off";
+        console.log(`Autoupdate is currently: ${current}`);
+        console.log("Usage: autoupdate [on|off]");
+      }
+      break;
+    }
+    case "logout": {
+      if (deleteCredentials()) {
+        console.log("Logged out. Credentials removed.");
+      } else {
+        console.log("Not logged in.");
+      }
+      break;
+    }
+    default:
+      console.log("Commands: login, logout, whoami, org list, org switch, workspaces, workspace, sessions prune, invite, members, remove, autoupdate");
+  }
+}
+if (process.argv[1] && process.argv[1].endsWith("auth-login.js")) {
+  runAuthCommand(process.argv.slice(2)).catch((e) => {
+    console.error(e.message);
+    process.exit(1);
+  });
+}
+export {
+  runAuthCommand
+};