@deeplake/hivemind 0.7.52 → 0.7.53

package/.claude-plugin/marketplace.json

@@ -6,18 +6,18 @@
   },
   "metadata": {
     "description": "Cloud-backed persistent shared memory for AI agents powered by Deeplake",
-    "version": "0.7.52"
+    "version": "0.7.53"
   },
   "plugins": [
     {
       "name": "hivemind",
       "description": "Persistent shared memory powered by Deeplake — captures all session activity and provides cross-session, cross-agent memory search",
-      "version": "0.7.52",
+      "version": "0.7.53",
       "source": {
         "source": "git-subdir",
         "url": "https://github.com/activeloopai/hivemind.git",
         "path": "claude-code",
-        "sha": "f8a757482c192ad29790eb63a1be9d07c5633f18"
+        "sha": "2f9768a8c9ed54952bdc272261f2a527f5482fe2"
       },
       "homepage": "https://github.com/activeloopai/hivemind"
     }

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "hivemind",
   "description": "Cloud-backed persistent memory powered by Deeplake — read, write, and share memory across Claude Code sessions and agents",
-  "version": "0.7.52",
+  "version": "0.7.53",
   "author": {
     "name": "Activeloop",
     "url": "https://deeplake.ai"

package/bundle/cli.js

@@ -4270,7 +4270,14 @@ async function switchOrg(orgId, orgName) {
   const creds = loadCredentials();
   if (!creds)
     throw new Error("Not logged in. Run deeplake login first.");
-  saveCredentials({ ...creds, orgId, orgName });
+  const apiUrl = creds.apiUrl ?? DEFAULT_API_URL;
+  const tokenName = `deeplake-plugin-switch-${Date.now()}`;
+  const tokenData = await apiPost("/users/me/tokens", {
+    name: tokenName,
+    duration: 365 * 24 * 3600,
+    organization_id: orgId
+  }, creds.token, apiUrl);
+  saveCredentials({ ...creds, orgId, orgName, token: tokenData.token.token });
 }
 async function listWorkspaces(token, apiUrl = DEFAULT_API_URL, orgId) {
   const raw = await apiGet("/workspaces", token, apiUrl, orgId);

package/codex/bundle/commands/auth-login.js

@@ -259,7 +259,14 @@ async function switchOrg(orgId, orgName) {
   const creds = loadCredentials();
   if (!creds)
     throw new Error("Not logged in. Run deeplake login first.");
-  saveCredentials({ ...creds, orgId, orgName });
+  const apiUrl = creds.apiUrl ?? DEFAULT_API_URL;
+  const tokenName = `deeplake-plugin-switch-${Date.now()}`;
+  const tokenData = await apiPost("/users/me/tokens", {
+    name: tokenName,
+    duration: 365 * 24 * 3600,
+    organization_id: orgId
+  }, creds.token, apiUrl);
+  saveCredentials({ ...creds, orgId, orgName, token: tokenData.token.token });
 }
 async function listWorkspaces(token, apiUrl = DEFAULT_API_URL, orgId) {
   const raw = await apiGet("/workspaces", token, apiUrl, orgId);

package/codex/bundle/session-start.js

@@ -92,6 +92,65 @@ function loadCredentials() {
     return null;
   }
 }
+function saveCredentials(creds) {
+  mkdirSync2(configDir(), { recursive: true, mode: 448 });
+  writeFileSync2(credsPath(), JSON.stringify({ ...creds, savedAt: (/* @__PURE__ */ new Date()).toISOString() }, null, 2), { mode: 384 });
+}
+
+// dist/src/commands/auth.js
+var DEFAULT_API_URL = "https://api.deeplake.ai";
+function decodeJwtPayload(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3)
+      return null;
+    let payload = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+    while (payload.length % 4)
+      payload += "=";
+    return JSON.parse(Buffer.from(payload, "base64").toString("utf8"));
+  } catch {
+    return null;
+  }
+}
+async function apiPost(path, body, token, apiUrl, orgId) {
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    "Content-Type": "application/json",
+    ...deeplakeClientHeader()
+  };
+  if (orgId)
+    headers["X-Activeloop-Org-Id"] = orgId;
+  const resp = await fetch(`${apiUrl}${path}`, { method: "POST", headers, body: JSON.stringify(body) });
+  if (!resp.ok)
+    throw new Error(`API ${resp.status}: ${await resp.text().catch(() => "")}`);
+  return resp.json();
+}
+async function healDriftedOrgToken(creds, log6 = () => {
+}) {
+  if (!creds.token || !creds.orgId)
+    return creds;
+  const payload = decodeJwtPayload(creds.token);
+  const claimOrg = payload && typeof payload.org_id === "string" ? payload.org_id : void 0;
+  if (!claimOrg || claimOrg === creds.orgId)
+    return creds;
+  log6(`token org drift detected: jwt.org_id=${claimOrg} creds.orgId=${creds.orgId} \u2014 re-minting`);
+  try {
+    const apiUrl = creds.apiUrl ?? DEFAULT_API_URL;
+    const tokenName = `deeplake-plugin-heal-${Date.now()}`;
+    const tokenData = await apiPost("/users/me/tokens", {
+      name: tokenName,
+      duration: 365 * 24 * 3600,
+      organization_id: creds.orgId
+    }, creds.token, apiUrl);
+    const healed = { ...creds, token: tokenData.token.token };
+    saveCredentials(healed);
+    log6(`token re-minted for org=${creds.orgId}`);
+    return healed;
+  } catch (err) {
+    log6(`token re-mint failed (continuing with stale token): ${err.message}`);
+    return creds;
+  }
+}
 
 // dist/src/utils/stdin.js
 function readStdin() {
@@ -1827,13 +1886,14 @@ async function main() {
   if (process.env.HIVEMIND_WIKI_WORKER === "1")
     return;
   const input = await readStdin();
-  const creds = loadCredentials();
+  let creds = loadCredentials();
   if (!creds?.token) {
     log5("no credentials found \u2014 run auth login to authenticate");
     const auto = maybeAutoMineLocal();
     log5(`auto-mine: ${auto.triggered ? "triggered (background)" : `skipped (${auto.reason})`}`);
   } else {
     log5(`credentials loaded: org=${creds.orgName ?? creds.orgId}`);
+    creds = await healDriftedOrgToken(creds, log5);
   }
   if (creds?.token) {
     const setupScript = join17(__bundleDir, "session-start-setup.js");

package/cursor/bundle/commands/auth-login.js

@@ -259,7 +259,14 @@ async function switchOrg(orgId, orgName) {
   const creds = loadCredentials();
   if (!creds)
     throw new Error("Not logged in. Run deeplake login first.");
-  saveCredentials({ ...creds, orgId, orgName });
+  const apiUrl = creds.apiUrl ?? DEFAULT_API_URL;
+  const tokenName = `deeplake-plugin-switch-${Date.now()}`;
+  const tokenData = await apiPost("/users/me/tokens", {
+    name: tokenName,
+    duration: 365 * 24 * 3600,
+    organization_id: orgId
+  }, creds.token, apiUrl);
+  saveCredentials({ ...creds, orgId, orgName, token: tokenData.token.token });
 }
 async function listWorkspaces(token, apiUrl = DEFAULT_API_URL, orgId) {
   const raw = await apiGet("/workspaces", token, apiUrl, orgId);

package/cursor/bundle/session-start.js

@@ -91,6 +91,65 @@ function loadCredentials() {
     return null;
   }
 }
+function saveCredentials(creds) {
+  mkdirSync2(configDir(), { recursive: true, mode: 448 });
+  writeFileSync2(credsPath(), JSON.stringify({ ...creds, savedAt: (/* @__PURE__ */ new Date()).toISOString() }, null, 2), { mode: 384 });
+}
+
+// dist/src/commands/auth.js
+var DEFAULT_API_URL = "https://api.deeplake.ai";
+function decodeJwtPayload(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3)
+      return null;
+    let payload = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+    while (payload.length % 4)
+      payload += "=";
+    return JSON.parse(Buffer.from(payload, "base64").toString("utf8"));
+  } catch {
+    return null;
+  }
+}
+async function apiPost(path, body, token, apiUrl, orgId) {
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    "Content-Type": "application/json",
+    ...deeplakeClientHeader()
+  };
+  if (orgId)
+    headers["X-Activeloop-Org-Id"] = orgId;
+  const resp = await fetch(`${apiUrl}${path}`, { method: "POST", headers, body: JSON.stringify(body) });
+  if (!resp.ok)
+    throw new Error(`API ${resp.status}: ${await resp.text().catch(() => "")}`);
+  return resp.json();
+}
+async function healDriftedOrgToken(creds, log7 = () => {
+}) {
+  if (!creds.token || !creds.orgId)
+    return creds;
+  const payload = decodeJwtPayload(creds.token);
+  const claimOrg = payload && typeof payload.org_id === "string" ? payload.org_id : void 0;
+  if (!claimOrg || claimOrg === creds.orgId)
+    return creds;
+  log7(`token org drift detected: jwt.org_id=${claimOrg} creds.orgId=${creds.orgId} \u2014 re-minting`);
+  try {
+    const apiUrl = creds.apiUrl ?? DEFAULT_API_URL;
+    const tokenName = `deeplake-plugin-heal-${Date.now()}`;
+    const tokenData = await apiPost("/users/me/tokens", {
+      name: tokenName,
+      duration: 365 * 24 * 3600,
+      organization_id: creds.orgId
+    }, creds.token, apiUrl);
+    const healed = { ...creds, token: tokenData.token.token };
+    saveCredentials(healed);
+    log7(`token re-minted for org=${creds.orgId}`);
+    return healed;
+  } catch (err) {
+    log7(`token re-mint failed (continuing with stale token): ${err.message}`);
+    return creds;
+  }
+}
 
 // dist/src/config.js
 import { readFileSync as readFileSync3, existsSync } from "node:fs";
@@ -2156,13 +2215,14 @@ async function main() {
   const input = await readStdin();
   const sessionId = resolveSessionId(input);
   const cwd = resolveCwd(input);
-  const creds = loadCredentials();
+  let creds = loadCredentials();
   if (!creds?.token) {
     log6("no credentials found");
     const auto = maybeAutoMineLocal();
     log6(`auto-mine: ${auto.triggered ? "triggered (background)" : `skipped (${auto.reason})`}`);
   } else {
     log6(`credentials loaded: org=${creds.orgName ?? creds.orgId}`);
+    creds = await healDriftedOrgToken(creds, log6);
   }
   await autoUpdate(creds, { agent: "cursor" });
   const current = getInstalledVersion(__bundleDir, ".claude-plugin");

package/hermes/bundle/commands/auth-login.js

@@ -259,7 +259,14 @@ async function switchOrg(orgId, orgName) {
   const creds = loadCredentials();
   if (!creds)
     throw new Error("Not logged in. Run deeplake login first.");
-  saveCredentials({ ...creds, orgId, orgName });
+  const apiUrl = creds.apiUrl ?? DEFAULT_API_URL;
+  const tokenName = `deeplake-plugin-switch-${Date.now()}`;
+  const tokenData = await apiPost("/users/me/tokens", {
+    name: tokenName,
+    duration: 365 * 24 * 3600,
+    organization_id: orgId
+  }, creds.token, apiUrl);
+  saveCredentials({ ...creds, orgId, orgName, token: tokenData.token.token });
 }
 async function listWorkspaces(token, apiUrl = DEFAULT_API_URL, orgId) {
   const raw = await apiGet("/workspaces", token, apiUrl, orgId);

package/hermes/bundle/session-start.js

@@ -90,6 +90,65 @@ function loadCredentials() {
     return null;
   }
 }
+function saveCredentials(creds) {
+  mkdirSync2(configDir(), { recursive: true, mode: 448 });
+  writeFileSync2(credsPath(), JSON.stringify({ ...creds, savedAt: (/* @__PURE__ */ new Date()).toISOString() }, null, 2), { mode: 384 });
+}
+
+// dist/src/commands/auth.js
+var DEFAULT_API_URL = "https://api.deeplake.ai";
+function decodeJwtPayload(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3)
+      return null;
+    let payload = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+    while (payload.length % 4)
+      payload += "=";
+    return JSON.parse(Buffer.from(payload, "base64").toString("utf8"));
+  } catch {
+    return null;
+  }
+}
+async function apiPost(path, body, token, apiUrl, orgId) {
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    "Content-Type": "application/json",
+    ...deeplakeClientHeader()
+  };
+  if (orgId)
+    headers["X-Activeloop-Org-Id"] = orgId;
+  const resp = await fetch(`${apiUrl}${path}`, { method: "POST", headers, body: JSON.stringify(body) });
+  if (!resp.ok)
+    throw new Error(`API ${resp.status}: ${await resp.text().catch(() => "")}`);
+  return resp.json();
+}
+async function healDriftedOrgToken(creds, log7 = () => {
+}) {
+  if (!creds.token || !creds.orgId)
+    return creds;
+  const payload = decodeJwtPayload(creds.token);
+  const claimOrg = payload && typeof payload.org_id === "string" ? payload.org_id : void 0;
+  if (!claimOrg || claimOrg === creds.orgId)
+    return creds;
+  log7(`token org drift detected: jwt.org_id=${claimOrg} creds.orgId=${creds.orgId} \u2014 re-minting`);
+  try {
+    const apiUrl = creds.apiUrl ?? DEFAULT_API_URL;
+    const tokenName = `deeplake-plugin-heal-${Date.now()}`;
+    const tokenData = await apiPost("/users/me/tokens", {
+      name: tokenName,
+      duration: 365 * 24 * 3600,
+      organization_id: creds.orgId
+    }, creds.token, apiUrl);
+    const healed = { ...creds, token: tokenData.token.token };
+    saveCredentials(healed);
+    log7(`token re-minted for org=${creds.orgId}`);
+    return healed;
+  } catch (err) {
+    log7(`token re-mint failed (continuing with stale token): ${err.message}`);
+    return creds;
+  }
+}
 
 // dist/src/config.js
 import { readFileSync as readFileSync3, existsSync } from "node:fs";
@@ -2146,10 +2205,12 @@ async function main() {
   const input = await readStdin();
   const sessionId = input.session_id ?? `hermes-${Date.now()}`;
   const cwd = input.cwd ?? process.cwd();
-  const creds = loadCredentials();
+  let creds = loadCredentials();
   const captureEnabled = process.env.HIVEMIND_CAPTURE !== "false";
   if (!creds?.token) {
     maybeAutoMineLocal();
+  } else {
+    creds = await healDriftedOrgToken(creds, log6);
   }
   await autoUpdate(creds, { agent: "hermes" });
   const current = getInstalledVersion(__bundleDir, ".claude-plugin");

package/openclaw/dist/index.js

@@ -52,6 +52,17 @@ function hivemindInstallIDHeader() {
 
 // src/commands/auth.ts
 var DEFAULT_API_URL = "https://api.deeplake.ai";
+function decodeJwtPayload(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    let payload = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+    while (payload.length % 4) payload += "=";
+    return JSON.parse(Buffer.from(payload, "base64").toString("utf8"));
+  } catch {
+    return null;
+  }
+}
 async function apiGet(path, token, apiUrl, orgId) {
   const headers = {
     Authorization: `Bearer ${token}`,
@@ -63,6 +74,17 @@ async function apiGet(path, token, apiUrl, orgId) {
   if (!resp.ok) throw new Error(`API ${resp.status}: ${await resp.text().catch(() => "")}`);
   return resp.json();
 }
+async function apiPost(path, body, token, apiUrl, orgId) {
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    "Content-Type": "application/json",
+    ...deeplakeClientHeader()
+  };
+  if (orgId) headers["X-Activeloop-Org-Id"] = orgId;
+  const resp = await fetch(`${apiUrl}${path}`, { method: "POST", headers, body: JSON.stringify(body) });
+  if (!resp.ok) throw new Error(`API ${resp.status}: ${await resp.text().catch(() => "")}`);
+  return resp.json();
+}
 async function requestDeviceCode(apiUrl = DEFAULT_API_URL) {
   const resp = await fetch(`${apiUrl}/auth/device/code`, {
     method: "POST",
@@ -101,7 +123,38 @@ async function listOrgs(token, apiUrl = DEFAULT_API_URL) {
 async function switchOrg(orgId, orgName) {
   const creds = loadCredentials();
   if (!creds) throw new Error("Not logged in. Run deeplake login first.");
-  saveCredentials({ ...creds, orgId, orgName });
+  const apiUrl = creds.apiUrl ?? DEFAULT_API_URL;
+  const tokenName = `deeplake-plugin-switch-${Date.now()}`;
+  const tokenData = await apiPost("/users/me/tokens", {
+    name: tokenName,
+    duration: 365 * 24 * 3600,
+    organization_id: orgId
+  }, creds.token, apiUrl);
+  saveCredentials({ ...creds, orgId, orgName, token: tokenData.token.token });
+}
+async function healDriftedOrgToken(creds, log4 = () => {
+}) {
+  if (!creds.token || !creds.orgId) return creds;
+  const payload = decodeJwtPayload(creds.token);
+  const claimOrg = payload && typeof payload.org_id === "string" ? payload.org_id : void 0;
+  if (!claimOrg || claimOrg === creds.orgId) return creds;
+  log4(`token org drift detected: jwt.org_id=${claimOrg} creds.orgId=${creds.orgId} \u2014 re-minting`);
+  try {
+    const apiUrl = creds.apiUrl ?? DEFAULT_API_URL;
+    const tokenName = `deeplake-plugin-heal-${Date.now()}`;
+    const tokenData = await apiPost("/users/me/tokens", {
+      name: tokenName,
+      duration: 365 * 24 * 3600,
+      organization_id: creds.orgId
+    }, creds.token, apiUrl);
+    const healed = { ...creds, token: tokenData.token.token };
+    saveCredentials(healed);
+    log4(`token re-minted for org=${creds.orgId}`);
+    return healed;
+  } catch (err) {
+    log4(`token re-mint failed (continuing with stale token): ${err.message}`);
+    return creds;
+  }
 }
 async function listWorkspaces(token, apiUrl = DEFAULT_API_URL, orgId) {
   const raw = await apiGet("/workspaces", token, apiUrl, orgId);
@@ -1727,7 +1780,7 @@ function extractLatestVersion(body) {
   return typeof v === "string" && v.length > 0 ? v : null;
 }
 function getInstalledVersion() {
-  return "0.7.52".length > 0 ? "0.7.52" : null;
+  return "0.7.53".length > 0 ? "0.7.53" : null;
 }
 function isNewer(latest, current) {
   const parse = (v) => v.replace(/-.*$/, "").split(".").map(Number);
@@ -1752,6 +1805,7 @@ async function checkForUpdate(logger) {
 }
 var authPending = false;
 var authUrl = null;
+var driftHealPromise = null;
 var pendingUpdate = null;
 var justAuthenticated = false;
 async function requestAuth() {
@@ -2010,6 +2064,16 @@ function normalizeVirtualPath(p) {
 }
 async function getApi() {
   if (api) return api;
+  if (!driftHealPromise) {
+    driftHealPromise = (async () => {
+      try {
+        const creds = await loadCredentials2();
+        if (creds?.token) await healDriftedOrgToken(creds);
+      } catch {
+      }
+    })();
+  }
+  await driftHealPromise;
   const config = await loadConfig();
   if (!config) {
     if (!authPending) await requestAuth();

package/openclaw/openclaw.plugin.json

@@ -54,5 +54,5 @@
       }
     }
   },
-  "version": "0.7.52"
+  "version": "0.7.53"
 }

package/openclaw/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hivemind",
-  "version": "0.7.52",
+  "version": "0.7.53",
   "type": "module",
   "description": "Hivemind — cloud-backed persistent shared memory for AI agents, powered by DeepLake",
   "license": "Apache-2.0",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@deeplake/hivemind",
-  "version": "0.7.52",
+  "version": "0.7.53",
   "description": "Cloud-backed persistent shared memory for AI agents powered by Deeplake",
   "type": "module",
   "repository": {

package/pi/extension-source/hivemind.ts

@@ -93,6 +93,52 @@ function loadCreds(): Creds | null {
   }
 }
 
+// Inline copies of decodeJwtPayload + healDriftedOrgToken (the shared helpers
+// live in src/commands/auth.ts, but pi extensions ship as raw .ts with no
+// shared-module imports — kept in lockstep with that file).
+function decodeJwtPayloadInline(token: string): Record<string, unknown> | null {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    let payload = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+    while (payload.length % 4) payload += "=";
+    return JSON.parse(Buffer.from(payload, "base64").toString("utf8"));
+  } catch { return null; }
+}
+
+async function healDriftedOrgTokenInline(creds: Creds): Promise<Creds> {
+  if (!creds.token || !creds.orgId) return creds;
+  const payload = decodeJwtPayloadInline(creds.token);
+  const claimOrg = payload && typeof payload.org_id === "string" ? payload.org_id : undefined;
+  if (!claimOrg || claimOrg === creds.orgId) return creds;
+  logHm(`session_start: token org drift detected: jwt.org_id=${claimOrg} creds.orgId=${creds.orgId} — re-minting`);
+  try {
+    const resp = await fetch(`${creds.apiUrl}/users/me/tokens`, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${creds.token}`, "Content-Type": "application/json" },
+      body: JSON.stringify({
+        name: `deeplake-plugin-heal-${Date.now()}`,
+        duration: 365 * 24 * 3600,
+        organization_id: creds.orgId,
+      }),
+    });
+    if (!resp.ok) throw new Error(`API ${resp.status}: ${(await resp.text().catch(() => "")).slice(0, 200)}`);
+    const data = await resp.json() as { token: { token: string } };
+    const newToken = data.token.token;
+    // Read + merge + write the WHOLE creds file so we don't drop fields pi
+    // doesn't model (e.g. savedAt). Atomic via writeFileSync with mode 0o600.
+    const path = join(homedir(), ".deeplake", "credentials.json");
+    const raw = JSON.parse(readFileSync(path, "utf-8"));
+    raw.token = newToken;
+    writeFileSync(path, JSON.stringify(raw, null, 2), { mode: 0o600 });
+    logHm(`session_start: token re-minted for org=${creds.orgId}`);
+    return { ...creds, token: newToken };
+  } catch (e: any) {
+    logHm(`session_start: token re-mint failed (continuing with stale token): ${e?.message ?? e}`);
+    return creds;
+  }
+}
+
 const MEMORY_TABLE = process.env.HIVEMIND_TABLE ?? "memory";
 const SESSIONS_TABLE = process.env.HIVEMIND_SESSIONS_TABLE ?? "sessions";
 
@@ -1076,11 +1122,12 @@ export default function hivemindExtension(pi: ExtensionAPI): void {
 
   pi.on("session_start", async (_event: any, _ctx: any) => {
     logHm(`session_start: fired (capture=${captureEnabled}, embed=${process.env.HIVEMIND_EMBEDDINGS !== "false"}, table=${SESSIONS_TABLE})`);
-    const creds = loadCreds();
+    let creds = loadCreds();
     if (!creds) {
       logHm(`session_start: no credentials at ~/.deeplake/credentials.json — capture disabled this session`);
     } else {
       logHm(`session_start: creds org=${creds.orgName ?? creds.orgId} ws=${creds.workspaceId}`);
+      creds = await healDriftedOrgTokenInline(creds);
     }
 
     // Centralized autoupdate: shells out to `hivemind update` (npm-based,