@deeplake/hivemind 0.7.51 → 0.7.53

package/.claude-plugin/marketplace.json

@@ -6,18 +6,18 @@
   },
   "metadata": {
     "description": "Cloud-backed persistent shared memory for AI agents powered by Deeplake",
-    "version": "0.7.51"
+    "version": "0.7.53"
   },
   "plugins": [
     {
       "name": "hivemind",
       "description": "Persistent shared memory powered by Deeplake — captures all session activity and provides cross-session, cross-agent memory search",
-      "version": "0.7.51",
+      "version": "0.7.53",
       "source": {
         "source": "git-subdir",
         "url": "https://github.com/activeloopai/hivemind.git",
         "path": "claude-code",
-        "sha": "c0c861150a00e85bc4fd21120ae2a331417468d0"
+        "sha": "2f9768a8c9ed54952bdc272261f2a527f5482fe2"
       },
       "homepage": "https://github.com/activeloopai/hivemind"
     }

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "hivemind",
   "description": "Cloud-backed persistent memory powered by Deeplake — read, write, and share memory across Claude Code sessions and agents",
-  "version": "0.7.51",
+  "version": "0.7.53",
   "author": {
     "name": "Activeloop",
     "url": "https://deeplake.ai"

package/bundle/cli.js

@@ -4270,7 +4270,14 @@ async function switchOrg(orgId, orgName) {
   const creds = loadCredentials();
   if (!creds)
     throw new Error("Not logged in. Run deeplake login first.");
-  saveCredentials({ ...creds, orgId, orgName });
+  const apiUrl = creds.apiUrl ?? DEFAULT_API_URL;
+  const tokenName = `deeplake-plugin-switch-${Date.now()}`;
+  const tokenData = await apiPost("/users/me/tokens", {
+    name: tokenName,
+    duration: 365 * 24 * 3600,
+    organization_id: orgId
+  }, creds.token, apiUrl);
+  saveCredentials({ ...creds, orgId, orgName, token: tokenData.token.token });
 }
 async function listWorkspaces(token, apiUrl = DEFAULT_API_URL, orgId) {
   const raw = await apiGet("/workspaces", token, apiUrl, orgId);
@@ -9665,7 +9672,45 @@ function writeLocalManifest(m, path = LOCAL_MANIFEST_PATH) {
   mkdirSync21(dirname15(path), { recursive: true });
   writeFileSync24(path, JSON.stringify(m, null, 2));
 }
+function countLocalManifestEntries(path = LOCAL_MANIFEST_PATH) {
+  const m = readLocalManifest(path);
+  return Array.isArray(m?.entries) ? m.entries.length : 0;
+}
 var LATEST_RUN_WINDOW_MS = 5 * 60 * 1e3;
+function getLatestInsightEntry(path = LOCAL_MANIFEST_PATH) {
+  const m = readLocalManifest(path);
+  if (!m || !Array.isArray(m.entries))
+    return null;
+  let newestTs = Number.NEGATIVE_INFINITY;
+  for (const e of m.entries) {
+    if (!e)
+      continue;
+    const ts = Date.parse(e.created_at ?? "");
+    if (Number.isFinite(ts) && ts > newestTs)
+      newestTs = ts;
+  }
+  if (!Number.isFinite(newestTs))
+    return null;
+  let best = null;
+  let bestTs = Number.NEGATIVE_INFINITY;
+  let bestIsPrimary = false;
+  for (const e of m.entries) {
+    if (!e || typeof e.insight !== "string" || e.insight.trim().length === 0)
+      continue;
+    const ts = Date.parse(e.created_at ?? "");
+    if (!Number.isFinite(ts))
+      continue;
+    if (newestTs - ts > LATEST_RUN_WINDOW_MS)
+      continue;
+    const isPrimary = e.primary === true;
+    if (!best || isPrimary && !bestIsPrimary || isPrimary === bestIsPrimary && ts > bestTs) {
+      best = e;
+      bestTs = ts;
+      bestIsPrimary = isPrimary;
+    }
+  }
+  return best;
+}
 
 // dist/src/commands/mine-local.js
 import { unlinkSync as unlinkSync12 } from "node:fs";
@@ -10012,18 +10057,24 @@ async function runMineLocalImpl(args) {
   const force = takeBoolFlag(work, "--force");
   const dryRun = takeBoolFlag(work, "--dry-run");
   const nRaw = takeFlagValue(work, "--n");
+  const onlyAgent = takeFlagValue(work, "--only");
   if (loadManifest2() && !force) {
     console.error(`Local skills have already been mined on this machine.`);
     console.error(`Manifest: ${MANIFEST_PATH}`);
     console.error(`Pass --force to re-mine.`);
     process.exit(1);
   }
-  const installs = detectInstalledAgents();
-  if (installs.length === 0) {
+  const installsAll = detectInstalledAgents();
+  if (installsAll.length === 0) {
     console.error(`No agent session directories detected. Run a session first.`);
     process.exit(1);
   }
-  console.log(`Detected installed agents: ${installs.map((i) => i.agent).join(", ")}`);
+  const installs = onlyAgent ? installsAll.filter((i) => i.agent === onlyAgent) : installsAll;
+  if (installs.length === 0) {
+    console.error(`No '${onlyAgent}' session directory detected. Skipping mine-local.`);
+    process.exit(1);
+  }
+  console.log(`Detected installed agents: ${installs.map((i) => i.agent).join(", ")}${onlyAgent ? ` (filtered to ${onlyAgent})` : ""}`);
   const host = detectHostAgent();
   const fallback = installs[0].agent;
   const gateAgent = gateAgentFor(host, fallback, installs);
@@ -11461,7 +11512,7 @@ async function runUpdate(opts = {}) {
   }
   log(`Update available: ${current} \u2192 ${latest}`);
   const detected = opts.installKindOverride ?? detectInstallKind();
-  const spawn3 = opts.spawn ?? defaultSpawn;
+  const spawn5 = opts.spawn ?? defaultSpawn;
   switch (detected.kind) {
     case "npm-global": {
       if (opts.dryRun) {
@@ -11476,7 +11527,7 @@ async function runUpdate(opts = {}) {
       try {
         log(`Upgrading via npm\u2026`);
         try {
-          spawn3("npm", ["install", "-g", `${PKG_NAME}@latest`]);
+          spawn5("npm", ["install", "-g", `${PKG_NAME}@latest`]);
         } catch (e) {
           warn(`npm install failed: ${e.message}`);
           warn(`Try running it manually: npm install -g ${PKG_NAME}@latest`);
@@ -11485,7 +11536,7 @@ async function runUpdate(opts = {}) {
         log(``);
         log(`Refreshing agent bundles\u2026`);
         try {
-          spawn3("hivemind", ["install", "--skip-auth"]);
+          spawn5("hivemind", ["install", "--skip-auth"]);
         } catch (e) {
           warn(`Agent refresh failed: ${e.message}`);
           warn(`Run manually: hivemind install`);
@@ -11536,6 +11587,325 @@ async function runUpdate(opts = {}) {
   }
 }
 
+// dist/src/cli/install-scan.js
+import { spawn as spawn4 } from "node:child_process";
+import { existsSync as existsSync39, readFileSync as readFileSync35, readdirSync as readdirSync9, unlinkSync as unlinkSync14 } from "node:fs";
+import { homedir as homedir26 } from "node:os";
+import { join as join49 } from "node:path";
+
+// dist/src/skillify/advisor.js
+import { spawn as spawn3 } from "node:child_process";
+import { existsSync as existsSync38 } from "node:fs";
+var ADVISOR_TIMEOUT_MS = 6e4;
+var MAX_CANDIDATES = 20;
+function buildAdvisorPrompt(candidates) {
+  const lines = [
+    "You are reviewing skill candidates extracted from a user's coding sessions.",
+    "Pick the ONE candidate whose `insight` field is most useful to show the user as a",
+    "concrete finding from their past work. Reply on EXACTLY ONE LINE.",
+    "",
+    "GOOD insights are:",
+    "  - Concrete and counted (cite specific numbers, file names, durations)",
+    '  - About a real coding mistake or pattern the USER made (in 2nd person \u2014 "You did X")',
+    "  - Actionable: the user can change behavior based on knowing this",
+    "",
+    "BAD insights (REJECT these) are:",
+    '  - Meta-commentary about why the skill was saved ("User explicitly requested...")',
+    "  - Vague / generic engineering platitudes the user already knows",
+    "  - About someone other than the user (a teammate, a third party)",
+    '  - Hypothetical ("could lead to...", "might cause...") rather than observed',
+    "",
+    "Output format \u2014 STRICT, one line only:",
+    "  PICK: <number 1-N>",
+    "OR",
+    "  REJECT_ALL: <short reason why every candidate failed>",
+    "",
+    "Candidates:"
+  ];
+  for (const [i, c] of candidates.entries()) {
+    lines.push(`${i + 1}. name=${c.skill_name}  insight=${JSON.stringify((c.insight ?? "").slice(0, 400))}`);
+  }
+  return lines.join("\n");
+}
+function parseAdvisorOutput(raw, candidates) {
+  const cleaned = raw.trim();
+  const pickMatch = cleaned.match(/PICK:\s*(\d+)/i);
+  if (pickMatch) {
+    const idx = parseInt(pickMatch[1], 10) - 1;
+    if (idx >= 0 && idx < candidates.length) {
+      return {
+        pickedSkillName: candidates[idx].skill_name,
+        reason: cleaned,
+        rawOutput: raw
+      };
+    }
+  }
+  const rejectMatch = cleaned.match(/REJECT_ALL:\s*(.+)/i);
+  if (rejectMatch) {
+    return { pickedSkillName: null, reason: rejectMatch[1].trim(), rawOutput: raw };
+  }
+  return { pickedSkillName: null, reason: `unparseable advisor output: ${cleaned.slice(0, 120)}`, rawOutput: raw };
+}
+function runAdvisorGate(prompt, claudeBin) {
+  return new Promise((resolve6, reject) => {
+    const child = spawn3(claudeBin, [
+      "-p",
+      "--no-session-persistence",
+      "--model",
+      "sonnet",
+      "--permission-mode",
+      "bypassPermissions"
+    ], {
+      stdio: ["pipe", "pipe", "pipe"],
+      env: { ...process.env, HIVEMIND_WIKI_WORKER: "1", HIVEMIND_CAPTURE: "false" }
+    });
+    let stdout = "";
+    let stderr = "";
+    let settled = false;
+    const finish = (err, out) => {
+      if (settled)
+        return;
+      settled = true;
+      if (err)
+        reject(err);
+      else
+        resolve6(out);
+    };
+    const timer = setTimeout(() => {
+      try {
+        child.kill("SIGKILL");
+      } catch {
+      }
+      finish(new Error(`advisor timed out after ${ADVISOR_TIMEOUT_MS}ms`), "");
+    }, ADVISOR_TIMEOUT_MS);
+    child.stdout.on("data", (b) => {
+      stdout += b.toString("utf-8");
+    });
+    child.stderr.on("data", (b) => {
+      stderr += b.toString("utf-8");
+    });
+    child.on("error", (e) => {
+      clearTimeout(timer);
+      finish(e, "");
+    });
+    child.on("close", (code) => {
+      clearTimeout(timer);
+      if (code !== 0) {
+        finish(new Error(`advisor CLI exit ${code}; stderr=${stderr.slice(0, 200)}`), "");
+      } else {
+        finish(null, stdout);
+      }
+    });
+    child.stdin.on("error", (e) => {
+      clearTimeout(timer);
+      finish(e, "");
+    });
+    child.stdin.end(prompt);
+  });
+}
+async function runAdvisor(manifestPath3 = LOCAL_MANIFEST_PATH) {
+  const m = readLocalManifest(manifestPath3);
+  if (!m || !Array.isArray(m.entries))
+    return null;
+  const insightBearing = m.entries.filter((e) => e && typeof e.insight === "string" && e.insight.trim().length > 0);
+  if (insightBearing.length === 0)
+    return null;
+  if (insightBearing.length === 1) {
+    insightBearing[0].primary = true;
+    writeLocalManifest(m, manifestPath3);
+    return {
+      pickedSkillName: insightBearing[0].skill_name,
+      reason: "trivial pick (single candidate)",
+      rawOutput: ""
+    };
+  }
+  const claudeBin = findAgentBin("claude_code");
+  if (!claudeBin || !existsSync38(claudeBin)) {
+    return null;
+  }
+  const ranked = [...insightBearing].sort((a, b) => (b.created_at ?? "").localeCompare(a.created_at ?? "")).slice(0, MAX_CANDIDATES);
+  const prompt = buildAdvisorPrompt(ranked);
+  let raw;
+  try {
+    raw = await runAdvisorGate(prompt, claudeBin);
+  } catch (err) {
+    return {
+      pickedSkillName: null,
+      reason: `advisor invocation failed: ${err.message}`,
+      rawOutput: ""
+    };
+  }
+  const result = parseAdvisorOutput(raw, ranked);
+  if (result.pickedSkillName) {
+    for (const e of m.entries) {
+      if (e && e.primary === true)
+        delete e.primary;
+    }
+    for (const e of m.entries) {
+      if (e && e.skill_name === result.pickedSkillName) {
+        e.primary = true;
+        break;
+      }
+    }
+    writeLocalManifest(m, manifestPath3);
+  }
+  return result;
+}
+
+// dist/src/cli/install-scan.js
+function claudeProjectsDir() {
+  return join49(homedir26(), ".claude", "projects");
+}
+function manifestPath2() {
+  return join49(homedir26(), ".claude", "hivemind", "local-mined.json");
+}
+var SCAN_TIMEOUT_MS = 3e5;
+var INSTALL_SCAN_SESSION_COUNT = 10;
+function manifestIsTrulyEmpty() {
+  const p = manifestPath2();
+  if (!existsSync39(p))
+    return false;
+  try {
+    const m = JSON.parse(readFileSync35(p, "utf-8"));
+    return Array.isArray(m.entries) && m.entries.length === 0;
+  } catch {
+    return false;
+  }
+}
+function hasLocalClaudeSessions() {
+  const projectsDir = claudeProjectsDir();
+  if (!existsSync39(projectsDir))
+    return false;
+  let subdirs;
+  try {
+    subdirs = readdirSync9(projectsDir);
+  } catch {
+    return false;
+  }
+  for (const sub of subdirs) {
+    let files;
+    try {
+      files = readdirSync9(join49(projectsDir, sub));
+    } catch {
+      continue;
+    }
+    if (files.some((f) => f.endsWith(".jsonl")))
+      return true;
+  }
+  return false;
+}
+function canOfferInstallScan() {
+  const bin = findAgentBin("claude_code");
+  if (!bin || !existsSync39(bin))
+    return false;
+  if (!hasLocalClaudeSessions())
+    return false;
+  if (existsSync39(manifestPath2()))
+    return false;
+  return true;
+}
+function unlinkManifestIfCorrupt() {
+  const p = manifestPath2();
+  if (!existsSync39(p))
+    return;
+  if (readLocalManifest(p) === null) {
+    try {
+      unlinkSync14(p);
+    } catch {
+    }
+  }
+}
+function runInstallScan() {
+  return new Promise((resolve6) => {
+    const cliPath = process.argv[1];
+    if (!cliPath || !existsSync39(cliPath)) {
+      resolve6({ insight: null, skillsCount: 0 });
+      return;
+    }
+    const child = spawn4(process.execPath, [
+      cliPath,
+      "skillify",
+      "mine-local",
+      "--n",
+      String(INSTALL_SCAN_SESSION_COUNT),
+      // The install copy advertises a "Claude Code" scan, so filter
+      // the mine-local picker to claude_code sessions. Without this,
+      // mine-local walks every installed agent (Codex, Cursor,
+      // Hermes, pi) and could surface an insight from a Codex
+      // session despite what we promised — codex PR #198 P2.
+      "--only",
+      "claude_code"
+    ], {
+      stdio: ["ignore", "ignore", "ignore"],
+      // HIVEMIND_CAPTURE=false: the spawned mine-local would otherwise
+      // try to capture its own activity, which is a no-op without
+      // credentials but spams the log. Keep it quiet.
+      env: { ...process.env, HIVEMIND_CAPTURE: "false" }
+    });
+    let settled = false;
+    const finish = (result) => {
+      if (settled)
+        return;
+      settled = true;
+      resolve6(result);
+    };
+    const timer = setTimeout(() => {
+      try {
+        child.kill("SIGKILL");
+      } catch {
+      }
+      unlinkManifestIfCorrupt();
+      finish({ insight: null, skillsCount: 0 });
+    }, SCAN_TIMEOUT_MS);
+    child.on("close", async (code) => {
+      clearTimeout(timer);
+      if (code !== 0) {
+        unlinkManifestIfCorrupt();
+        finish({ insight: null, skillsCount: 0 });
+        return;
+      }
+      let advisorResult = null;
+      try {
+        advisorResult = await runAdvisor();
+      } catch {
+      }
+      const advisorRejected = advisorResult !== null && advisorResult.pickedSkillName === null;
+      let entry = null;
+      if (!advisorRejected) {
+        try {
+          entry = getLatestInsightEntry();
+        } catch {
+        }
+      }
+      let skillsCount = 0;
+      try {
+        skillsCount = countLocalManifestEntries();
+      } catch {
+      }
+      if (!entry && manifestIsTrulyEmpty()) {
+        try {
+          unlinkSync14(manifestPath2());
+        } catch {
+        }
+        skillsCount = 0;
+      }
+      finish({ insight: entry, skillsCount });
+    });
+    child.on("error", () => {
+      clearTimeout(timer);
+      unlinkManifestIfCorrupt();
+      finish({ insight: null, skillsCount: 0 });
+    });
+  });
+}
+function formatScanResult(entry) {
+  const rawInsight = (entry.insight ?? "").replace(/\s+/g, " ").trim();
+  const insight = rawInsight.length > 280 ? rawInsight.slice(0, 277).replace(/\s\S*$/, "") + "\u2026" : rawInsight;
+  return `\u2713 Found a pattern in your past sessions:
+   \u{1F4CC} ${insight}
+   \u2728 Skill \`${entry.skill_name}\` ready to catch it next time`;
+}
+
 // dist/src/cli/index.js
 var AUTH_SUBCOMMANDS = /* @__PURE__ */ new Set([
   "whoami",
@@ -11717,14 +12087,44 @@ async function runAuthGate(args) {
     log("Or run `hivemind login` after install.");
     return;
   }
+  let foundInsight = null;
+  if (canOfferInstallScan()) {
+    log("");
+    log("\u{1F41D} Want me to scan your recent Claude Code sessions for repeatable mistakes?");
+    log("Takes 2-4 minutes. Scans 10 sessions in parallel using your Claude Code subscription.");
+    log("");
+    const scanOk = await confirm("Scan now?", true);
+    if (scanOk) {
+      log("");
+      log("Scanning your 10 most-recent sessions (up to 5 min). Be patient \u2014 haiku is running in the background.");
+      const { insight, skillsCount } = await runInstallScan();
+      log("");
+      if (insight && insight.insight && insight.insight.trim().length > 0) {
+        log(formatScanResult(insight));
+        foundInsight = { skill_name: insight.skill_name };
+      } else if (skillsCount > 0) {
+        log(`Mined ${skillsCount} skill${skillsCount === 1 ? "" : "s"} locally \u2014 they'll be available in your next claude session.`);
+        log("(No banner-quality insight to surface here \u2014 the gate is conservative on what gets the top-line.)");
+      } else {
+        log("No repeatable patterns found in this scan. (That's OK \u2014 the gate is conservative.)");
+      }
+    }
+  }
   log("");
-  log("\u{1F41D} One more step to unlock Hivemind");
-  log("");
-  log("To enable shared memory and auto-learning across your agents,");
-  log("we need to sign you in. Your traces will be securely stored in");
-  log("your private Hivemind, so all your agents can recall them.");
-  log("");
-  log("You can later connect your own cloud storage like S3/GCS/Azure Blob.");
+  if (foundInsight) {
+    log("\u{1F41D} Sign in to keep this skill across machines and share it with your team.");
+    log("");
+    log(`Without sign-in, \`${foundInsight.skill_name}\` lives only on this machine and`);
+    log("won't follow you to a new laptop or be shared with teammates who'd benefit.");
+  } else {
+    log("\u{1F41D} One more step to unlock Hivemind");
+    log("");
+    log("To enable shared memory and auto-learning across your agents,");
+    log("we need to sign you in. Your traces will be securely stored in");
+    log("your private Hivemind, so all your agents can recall them.");
+    log("");
+    log("You can later connect your own cloud storage like S3/GCS/Azure Blob.");
+  }
   log("");
   const yes = await confirm("Sign in now?", true);
   let signedIn = false;

package/codex/bundle/commands/auth-login.js

@@ -259,7 +259,14 @@ async function switchOrg(orgId, orgName) {
   const creds = loadCredentials();
   if (!creds)
     throw new Error("Not logged in. Run deeplake login first.");
-  saveCredentials({ ...creds, orgId, orgName });
+  const apiUrl = creds.apiUrl ?? DEFAULT_API_URL;
+  const tokenName = `deeplake-plugin-switch-${Date.now()}`;
+  const tokenData = await apiPost("/users/me/tokens", {
+    name: tokenName,
+    duration: 365 * 24 * 3600,
+    organization_id: orgId
+  }, creds.token, apiUrl);
+  saveCredentials({ ...creds, orgId, orgName, token: tokenData.token.token });
 }
 async function listWorkspaces(token, apiUrl = DEFAULT_API_URL, orgId) {
   const raw = await apiGet("/workspaces", token, apiUrl, orgId);

package/codex/bundle/session-start.js

@@ -92,6 +92,65 @@ function loadCredentials() {
     return null;
   }
 }
+function saveCredentials(creds) {
+  mkdirSync2(configDir(), { recursive: true, mode: 448 });
+  writeFileSync2(credsPath(), JSON.stringify({ ...creds, savedAt: (/* @__PURE__ */ new Date()).toISOString() }, null, 2), { mode: 384 });
+}
+
+// dist/src/commands/auth.js
+var DEFAULT_API_URL = "https://api.deeplake.ai";
+function decodeJwtPayload(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3)
+      return null;
+    let payload = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+    while (payload.length % 4)
+      payload += "=";
+    return JSON.parse(Buffer.from(payload, "base64").toString("utf8"));
+  } catch {
+    return null;
+  }
+}
+async function apiPost(path, body, token, apiUrl, orgId) {
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    "Content-Type": "application/json",
+    ...deeplakeClientHeader()
+  };
+  if (orgId)
+    headers["X-Activeloop-Org-Id"] = orgId;
+  const resp = await fetch(`${apiUrl}${path}`, { method: "POST", headers, body: JSON.stringify(body) });
+  if (!resp.ok)
+    throw new Error(`API ${resp.status}: ${await resp.text().catch(() => "")}`);
+  return resp.json();
+}
+async function healDriftedOrgToken(creds, log6 = () => {
+}) {
+  if (!creds.token || !creds.orgId)
+    return creds;
+  const payload = decodeJwtPayload(creds.token);
+  const claimOrg = payload && typeof payload.org_id === "string" ? payload.org_id : void 0;
+  if (!claimOrg || claimOrg === creds.orgId)
+    return creds;
+  log6(`token org drift detected: jwt.org_id=${claimOrg} creds.orgId=${creds.orgId} \u2014 re-minting`);
+  try {
+    const apiUrl = creds.apiUrl ?? DEFAULT_API_URL;
+    const tokenName = `deeplake-plugin-heal-${Date.now()}`;
+    const tokenData = await apiPost("/users/me/tokens", {
+      name: tokenName,
+      duration: 365 * 24 * 3600,
+      organization_id: creds.orgId
+    }, creds.token, apiUrl);
+    const healed = { ...creds, token: tokenData.token.token };
+    saveCredentials(healed);
+    log6(`token re-minted for org=${creds.orgId}`);
+    return healed;
+  } catch (err) {
+    log6(`token re-mint failed (continuing with stale token): ${err.message}`);
+    return creds;
+  }
+}
 
 // dist/src/utils/stdin.js
 function readStdin() {
@@ -1827,13 +1886,14 @@ async function main() {
   if (process.env.HIVEMIND_WIKI_WORKER === "1")
     return;
   const input = await readStdin();
-  const creds = loadCredentials();
+  let creds = loadCredentials();
   if (!creds?.token) {
     log5("no credentials found \u2014 run auth login to authenticate");
     const auto = maybeAutoMineLocal();
     log5(`auto-mine: ${auto.triggered ? "triggered (background)" : `skipped (${auto.reason})`}`);
   } else {
     log5(`credentials loaded: org=${creds.orgName ?? creds.orgId}`);
+    creds = await healDriftedOrgToken(creds, log5);
   }
   if (creds?.token) {
     const setupScript = join17(__bundleDir, "session-start-setup.js");

package/cursor/bundle/commands/auth-login.js

@@ -259,7 +259,14 @@ async function switchOrg(orgId, orgName) {
   const creds = loadCredentials();
   if (!creds)
     throw new Error("Not logged in. Run deeplake login first.");
-  saveCredentials({ ...creds, orgId, orgName });
+  const apiUrl = creds.apiUrl ?? DEFAULT_API_URL;
+  const tokenName = `deeplake-plugin-switch-${Date.now()}`;
+  const tokenData = await apiPost("/users/me/tokens", {
+    name: tokenName,
+    duration: 365 * 24 * 3600,
+    organization_id: orgId
+  }, creds.token, apiUrl);
+  saveCredentials({ ...creds, orgId, orgName, token: tokenData.token.token });
 }
 async function listWorkspaces(token, apiUrl = DEFAULT_API_URL, orgId) {
   const raw = await apiGet("/workspaces", token, apiUrl, orgId);

package/cursor/bundle/session-start.js

@@ -91,6 +91,65 @@ function loadCredentials() {
     return null;
   }
 }
+function saveCredentials(creds) {
+  mkdirSync2(configDir(), { recursive: true, mode: 448 });
+  writeFileSync2(credsPath(), JSON.stringify({ ...creds, savedAt: (/* @__PURE__ */ new Date()).toISOString() }, null, 2), { mode: 384 });
+}
+
+// dist/src/commands/auth.js
+var DEFAULT_API_URL = "https://api.deeplake.ai";
+function decodeJwtPayload(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3)
+      return null;
+    let payload = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+    while (payload.length % 4)
+      payload += "=";
+    return JSON.parse(Buffer.from(payload, "base64").toString("utf8"));
+  } catch {
+    return null;
+  }
+}
+async function apiPost(path, body, token, apiUrl, orgId) {
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    "Content-Type": "application/json",
+    ...deeplakeClientHeader()
+  };
+  if (orgId)
+    headers["X-Activeloop-Org-Id"] = orgId;
+  const resp = await fetch(`${apiUrl}${path}`, { method: "POST", headers, body: JSON.stringify(body) });
+  if (!resp.ok)
+    throw new Error(`API ${resp.status}: ${await resp.text().catch(() => "")}`);
+  return resp.json();
+}
+async function healDriftedOrgToken(creds, log7 = () => {
+}) {
+  if (!creds.token || !creds.orgId)
+    return creds;
+  const payload = decodeJwtPayload(creds.token);
+  const claimOrg = payload && typeof payload.org_id === "string" ? payload.org_id : void 0;
+  if (!claimOrg || claimOrg === creds.orgId)
+    return creds;
+  log7(`token org drift detected: jwt.org_id=${claimOrg} creds.orgId=${creds.orgId} \u2014 re-minting`);
+  try {
+    const apiUrl = creds.apiUrl ?? DEFAULT_API_URL;
+    const tokenName = `deeplake-plugin-heal-${Date.now()}`;
+    const tokenData = await apiPost("/users/me/tokens", {
+      name: tokenName,
+      duration: 365 * 24 * 3600,
+      organization_id: creds.orgId
+    }, creds.token, apiUrl);
+    const healed = { ...creds, token: tokenData.token.token };
+    saveCredentials(healed);
+    log7(`token re-minted for org=${creds.orgId}`);
+    return healed;
+  } catch (err) {
+    log7(`token re-mint failed (continuing with stale token): ${err.message}`);
+    return creds;
+  }
+}
 
 // dist/src/config.js
 import { readFileSync as readFileSync3, existsSync } from "node:fs";
@@ -2156,13 +2215,14 @@ async function main() {
   const input = await readStdin();
   const sessionId = resolveSessionId(input);
   const cwd = resolveCwd(input);
-  const creds = loadCredentials();
+  let creds = loadCredentials();
   if (!creds?.token) {
     log6("no credentials found");
     const auto = maybeAutoMineLocal();
     log6(`auto-mine: ${auto.triggered ? "triggered (background)" : `skipped (${auto.reason})`}`);
   } else {
     log6(`credentials loaded: org=${creds.orgName ?? creds.orgId}`);
+    creds = await healDriftedOrgToken(creds, log6);
   }
   await autoUpdate(creds, { agent: "cursor" });
   const current = getInstalledVersion(__bundleDir, ".claude-plugin");

package/hermes/bundle/commands/auth-login.js

@@ -259,7 +259,14 @@ async function switchOrg(orgId, orgName) {
   const creds = loadCredentials();
   if (!creds)
     throw new Error("Not logged in. Run deeplake login first.");
-  saveCredentials({ ...creds, orgId, orgName });
+  const apiUrl = creds.apiUrl ?? DEFAULT_API_URL;
+  const tokenName = `deeplake-plugin-switch-${Date.now()}`;
+  const tokenData = await apiPost("/users/me/tokens", {
+    name: tokenName,
+    duration: 365 * 24 * 3600,
+    organization_id: orgId
+  }, creds.token, apiUrl);
+  saveCredentials({ ...creds, orgId, orgName, token: tokenData.token.token });
 }
 async function listWorkspaces(token, apiUrl = DEFAULT_API_URL, orgId) {
   const raw = await apiGet("/workspaces", token, apiUrl, orgId);

package/hermes/bundle/session-start.js

@@ -90,6 +90,65 @@ function loadCredentials() {
     return null;
   }
 }
+function saveCredentials(creds) {
+  mkdirSync2(configDir(), { recursive: true, mode: 448 });
+  writeFileSync2(credsPath(), JSON.stringify({ ...creds, savedAt: (/* @__PURE__ */ new Date()).toISOString() }, null, 2), { mode: 384 });
+}
+
+// dist/src/commands/auth.js
+var DEFAULT_API_URL = "https://api.deeplake.ai";
+function decodeJwtPayload(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3)
+      return null;
+    let payload = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+    while (payload.length % 4)
+      payload += "=";
+    return JSON.parse(Buffer.from(payload, "base64").toString("utf8"));
+  } catch {
+    return null;
+  }
+}
+async function apiPost(path, body, token, apiUrl, orgId) {
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    "Content-Type": "application/json",
+    ...deeplakeClientHeader()
+  };
+  if (orgId)
+    headers["X-Activeloop-Org-Id"] = orgId;
+  const resp = await fetch(`${apiUrl}${path}`, { method: "POST", headers, body: JSON.stringify(body) });
+  if (!resp.ok)
+    throw new Error(`API ${resp.status}: ${await resp.text().catch(() => "")}`);
+  return resp.json();
+}
+async function healDriftedOrgToken(creds, log7 = () => {
+}) {
+  if (!creds.token || !creds.orgId)
+    return creds;
+  const payload = decodeJwtPayload(creds.token);
+  const claimOrg = payload && typeof payload.org_id === "string" ? payload.org_id : void 0;
+  if (!claimOrg || claimOrg === creds.orgId)
+    return creds;
+  log7(`token org drift detected: jwt.org_id=${claimOrg} creds.orgId=${creds.orgId} \u2014 re-minting`);
+  try {
+    const apiUrl = creds.apiUrl ?? DEFAULT_API_URL;
+    const tokenName = `deeplake-plugin-heal-${Date.now()}`;
+    const tokenData = await apiPost("/users/me/tokens", {
+      name: tokenName,
+      duration: 365 * 24 * 3600,
+      organization_id: creds.orgId
+    }, creds.token, apiUrl);
+    const healed = { ...creds, token: tokenData.token.token };
+    saveCredentials(healed);
+    log7(`token re-minted for org=${creds.orgId}`);
+    return healed;
+  } catch (err) {
+    log7(`token re-mint failed (continuing with stale token): ${err.message}`);
+    return creds;
+  }
+}
 
 // dist/src/config.js
 import { readFileSync as readFileSync3, existsSync } from "node:fs";
@@ -2146,10 +2205,12 @@ async function main() {
   const input = await readStdin();
   const sessionId = input.session_id ?? `hermes-${Date.now()}`;
   const cwd = input.cwd ?? process.cwd();
-  const creds = loadCredentials();
+  let creds = loadCredentials();
   const captureEnabled = process.env.HIVEMIND_CAPTURE !== "false";
   if (!creds?.token) {
     maybeAutoMineLocal();
+  } else {
+    creds = await healDriftedOrgToken(creds, log6);
   }
   await autoUpdate(creds, { agent: "hermes" });
   const current = getInstalledVersion(__bundleDir, ".claude-plugin");

package/openclaw/dist/index.js

@@ -52,6 +52,17 @@ function hivemindInstallIDHeader() {
 
 // src/commands/auth.ts
 var DEFAULT_API_URL = "https://api.deeplake.ai";
+function decodeJwtPayload(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    let payload = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+    while (payload.length % 4) payload += "=";
+    return JSON.parse(Buffer.from(payload, "base64").toString("utf8"));
+  } catch {
+    return null;
+  }
+}
 async function apiGet(path, token, apiUrl, orgId) {
   const headers = {
     Authorization: `Bearer ${token}`,
@@ -63,6 +74,17 @@ async function apiGet(path, token, apiUrl, orgId) {
   if (!resp.ok) throw new Error(`API ${resp.status}: ${await resp.text().catch(() => "")}`);
   return resp.json();
 }
+async function apiPost(path, body, token, apiUrl, orgId) {
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    "Content-Type": "application/json",
+    ...deeplakeClientHeader()
+  };
+  if (orgId) headers["X-Activeloop-Org-Id"] = orgId;
+  const resp = await fetch(`${apiUrl}${path}`, { method: "POST", headers, body: JSON.stringify(body) });
+  if (!resp.ok) throw new Error(`API ${resp.status}: ${await resp.text().catch(() => "")}`);
+  return resp.json();
+}
 async function requestDeviceCode(apiUrl = DEFAULT_API_URL) {
   const resp = await fetch(`${apiUrl}/auth/device/code`, {
     method: "POST",
@@ -101,7 +123,38 @@ async function listOrgs(token, apiUrl = DEFAULT_API_URL) {
 async function switchOrg(orgId, orgName) {
   const creds = loadCredentials();
   if (!creds) throw new Error("Not logged in. Run deeplake login first.");
-  saveCredentials({ ...creds, orgId, orgName });
+  const apiUrl = creds.apiUrl ?? DEFAULT_API_URL;
+  const tokenName = `deeplake-plugin-switch-${Date.now()}`;
+  const tokenData = await apiPost("/users/me/tokens", {
+    name: tokenName,
+    duration: 365 * 24 * 3600,
+    organization_id: orgId
+  }, creds.token, apiUrl);
+  saveCredentials({ ...creds, orgId, orgName, token: tokenData.token.token });
+}
+async function healDriftedOrgToken(creds, log4 = () => {
+}) {
+  if (!creds.token || !creds.orgId) return creds;
+  const payload = decodeJwtPayload(creds.token);
+  const claimOrg = payload && typeof payload.org_id === "string" ? payload.org_id : void 0;
+  if (!claimOrg || claimOrg === creds.orgId) return creds;
+  log4(`token org drift detected: jwt.org_id=${claimOrg} creds.orgId=${creds.orgId} \u2014 re-minting`);
+  try {
+    const apiUrl = creds.apiUrl ?? DEFAULT_API_URL;
+    const tokenName = `deeplake-plugin-heal-${Date.now()}`;
+    const tokenData = await apiPost("/users/me/tokens", {
+      name: tokenName,
+      duration: 365 * 24 * 3600,
+      organization_id: creds.orgId
+    }, creds.token, apiUrl);
+    const healed = { ...creds, token: tokenData.token.token };
+    saveCredentials(healed);
+    log4(`token re-minted for org=${creds.orgId}`);
+    return healed;
+  } catch (err) {
+    log4(`token re-mint failed (continuing with stale token): ${err.message}`);
+    return creds;
+  }
 }
 async function listWorkspaces(token, apiUrl = DEFAULT_API_URL, orgId) {
   const raw = await apiGet("/workspaces", token, apiUrl, orgId);
@@ -1727,7 +1780,7 @@ function extractLatestVersion(body) {
   return typeof v === "string" && v.length > 0 ? v : null;
 }
 function getInstalledVersion() {
-  return "0.7.51".length > 0 ? "0.7.51" : null;
+  return "0.7.53".length > 0 ? "0.7.53" : null;
 }
 function isNewer(latest, current) {
   const parse = (v) => v.replace(/-.*$/, "").split(".").map(Number);
@@ -1752,6 +1805,7 @@ async function checkForUpdate(logger) {
 }
 var authPending = false;
 var authUrl = null;
+var driftHealPromise = null;
 var pendingUpdate = null;
 var justAuthenticated = false;
 async function requestAuth() {
@@ -2010,6 +2064,16 @@ function normalizeVirtualPath(p) {
 }
 async function getApi() {
   if (api) return api;
+  if (!driftHealPromise) {
+    driftHealPromise = (async () => {
+      try {
+        const creds = await loadCredentials2();
+        if (creds?.token) await healDriftedOrgToken(creds);
+      } catch {
+      }
+    })();
+  }
+  await driftHealPromise;
   const config = await loadConfig();
   if (!config) {
     if (!authPending) await requestAuth();

package/openclaw/openclaw.plugin.json

@@ -54,5 +54,5 @@
       }
     }
   },
-  "version": "0.7.51"
+  "version": "0.7.53"
 }

package/openclaw/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hivemind",
-  "version": "0.7.51",
+  "version": "0.7.53",
   "type": "module",
   "description": "Hivemind — cloud-backed persistent shared memory for AI agents, powered by DeepLake",
   "license": "Apache-2.0",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@deeplake/hivemind",
-  "version": "0.7.51",
+  "version": "0.7.53",
   "description": "Cloud-backed persistent shared memory for AI agents powered by Deeplake",
   "type": "module",
   "repository": {

package/pi/extension-source/hivemind.ts

@@ -93,6 +93,52 @@ function loadCreds(): Creds | null {
   }
 }
 
+// Inline copies of decodeJwtPayload + healDriftedOrgToken (the shared helpers
+// live in src/commands/auth.ts, but pi extensions ship as raw .ts with no
+// shared-module imports — kept in lockstep with that file).
+function decodeJwtPayloadInline(token: string): Record<string, unknown> | null {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    let payload = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+    while (payload.length % 4) payload += "=";
+    return JSON.parse(Buffer.from(payload, "base64").toString("utf8"));
+  } catch { return null; }
+}
+
+async function healDriftedOrgTokenInline(creds: Creds): Promise<Creds> {
+  if (!creds.token || !creds.orgId) return creds;
+  const payload = decodeJwtPayloadInline(creds.token);
+  const claimOrg = payload && typeof payload.org_id === "string" ? payload.org_id : undefined;
+  if (!claimOrg || claimOrg === creds.orgId) return creds;
+  logHm(`session_start: token org drift detected: jwt.org_id=${claimOrg} creds.orgId=${creds.orgId} — re-minting`);
+  try {
+    const resp = await fetch(`${creds.apiUrl}/users/me/tokens`, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${creds.token}`, "Content-Type": "application/json" },
+      body: JSON.stringify({
+        name: `deeplake-plugin-heal-${Date.now()}`,
+        duration: 365 * 24 * 3600,
+        organization_id: creds.orgId,
+      }),
+    });
+    if (!resp.ok) throw new Error(`API ${resp.status}: ${(await resp.text().catch(() => "")).slice(0, 200)}`);
+    const data = await resp.json() as { token: { token: string } };
+    const newToken = data.token.token;
+    // Read + merge + write the WHOLE creds file so we don't drop fields pi
+    // doesn't model (e.g. savedAt). Atomic via writeFileSync with mode 0o600.
+    const path = join(homedir(), ".deeplake", "credentials.json");
+    const raw = JSON.parse(readFileSync(path, "utf-8"));
+    raw.token = newToken;
+    writeFileSync(path, JSON.stringify(raw, null, 2), { mode: 0o600 });
+    logHm(`session_start: token re-minted for org=${creds.orgId}`);
+    return { ...creds, token: newToken };
+  } catch (e: any) {
+    logHm(`session_start: token re-mint failed (continuing with stale token): ${e?.message ?? e}`);
+    return creds;
+  }
+}
+
 const MEMORY_TABLE = process.env.HIVEMIND_TABLE ?? "memory";
 const SESSIONS_TABLE = process.env.HIVEMIND_SESSIONS_TABLE ?? "sessions";
 
@@ -1076,11 +1122,12 @@ export default function hivemindExtension(pi: ExtensionAPI): void {
 
   pi.on("session_start", async (_event: any, _ctx: any) => {
     logHm(`session_start: fired (capture=${captureEnabled}, embed=${process.env.HIVEMIND_EMBEDDINGS !== "false"}, table=${SESSIONS_TABLE})`);
-    const creds = loadCreds();
+    let creds = loadCreds();
     if (!creds) {
       logHm(`session_start: no credentials at ~/.deeplake/credentials.json — capture disabled this session`);
     } else {
       logHm(`session_start: creds org=${creds.orgName ?? creds.orgId} ws=${creds.workspaceId}`);
+      creds = await healDriftedOrgTokenInline(creds);
     }
 
     // Centralized autoupdate: shells out to `hivemind update` (npm-based,