@dinasor/mnemo-cli 0.0.1

package/scripts/memory/installer/templates/autonomy/schema.py

@@ -0,0 +1,150 @@
+#!/usr/bin/env python3
+"""
+schema.py - Mnemo typed memory schema v2.
+Initializes and migrates the vector DB with full typed memory unit tables.
+Used by all autonomy modules to get a DB connection with guaranteed schema.
+"""
+import sqlite3
+import os
+from pathlib import Path
+
+import sqlite_vec
+
+SCHEMA_VERSION = 2
+EMBED_DIM = int(os.getenv("MNEMO_EMBED_DIM", "1536"))
+
+
+def _memory_root() -> Path:
+    override = os.getenv("MNEMO_MEMORY_ROOT", "").strip()
+    if override:
+        return Path(override).expanduser().resolve()
+
+    cwd = Path.cwd().resolve()
+    for root in (cwd, *cwd.parents):
+        for rel in ((".mnemo", "memory"), (".cursor", "memory")):
+            candidate = root.joinpath(*rel)
+            if candidate.exists():
+                return candidate
+    return cwd / ".mnemo" / "memory"
+
+
+def _db_path() -> Path:
+    db_override = os.getenv("MNEMO_DB_PATH", "").strip()
+    if db_override:
+        return Path(db_override).expanduser().resolve()
+    return _memory_root() / "mnemo_vector.sqlite"
+
+
+def get_db(db_path: Path | None = None, timeout: float = 30.0) -> sqlite3.Connection:
+    """Return a connected, migrated DB."""
+    if db_path is None:
+        db_path = _db_path()
+    db_path.parent.mkdir(parents=True, exist_ok=True)
+    db = sqlite3.connect(str(db_path), timeout=timeout)
+    db.row_factory = sqlite3.Row
+    db.execute("PRAGMA journal_mode=WAL")
+    db.execute("PRAGMA foreign_keys=ON")
+    db.execute("PRAGMA busy_timeout=10000")
+    db.enable_load_extension(True)
+    sqlite_vec.load(db)
+    _migrate(db)
+    return db
+
+
+def _migrate(db: sqlite3.Connection) -> None:
+    db.execute("CREATE TABLE IF NOT EXISTS schema_info (key TEXT PRIMARY KEY, value TEXT)")
+    row = db.execute("SELECT value FROM schema_info WHERE key='version'").fetchone()
+    ver = int(row["value"]) if row else 0
+
+    if ver < 1:
+        db.execute("DROP TABLE IF EXISTS file_meta")
+        db.execute("DROP TABLE IF EXISTS vec_memory")
+        db.execute("""
+            CREATE TABLE file_meta (
+                path        TEXT PRIMARY KEY,
+                hash        TEXT NOT NULL,
+                chunk_count INTEGER DEFAULT 0,
+                updated_at  REAL DEFAULT (unixepoch('now'))
+            )
+        """)
+        db.execute(f"""
+            CREATE VIRTUAL TABLE vec_memory USING vec0(
+                embedding float[{EMBED_DIM}] distance_metric=cosine,
+                +ref_path TEXT,
+                +content TEXT,
+                +source_file TEXT
+            )
+        """)
+
+    if ver < 2:
+        db.execute("""
+            CREATE TABLE IF NOT EXISTS memory_units (
+                unit_id      TEXT PRIMARY KEY,
+                source_ref   TEXT NOT NULL UNIQUE,
+                memory_type  TEXT NOT NULL DEFAULT 'semantic',
+                authority    REAL NOT NULL DEFAULT 0.5,
+                time_scope   TEXT NOT NULL DEFAULT 'time-bound',
+                sensitivity  TEXT NOT NULL DEFAULT 'public',
+                entity_tags  TEXT NOT NULL DEFAULT '[]',
+                content_hash TEXT NOT NULL,
+                created_at   REAL DEFAULT (unixepoch('now')),
+                updated_at   REAL DEFAULT (unixepoch('now'))
+            )
+        """)
+        db.execute("""
+            CREATE TABLE IF NOT EXISTS facts (
+                fact_id        TEXT PRIMARY KEY,
+                canonical_fact TEXT NOT NULL,
+                status         TEXT NOT NULL DEFAULT 'active',
+                confidence     REAL NOT NULL DEFAULT 1.0,
+                source_ref     TEXT NOT NULL,
+                created_at     REAL DEFAULT (unixepoch('now')),
+                updated_at     REAL DEFAULT (unixepoch('now'))
+            )
+        """)
+        db.execute("""
+            CREATE TABLE IF NOT EXISTS lifecycle_events (
+                event_id   TEXT PRIMARY KEY,
+                unit_id    TEXT NOT NULL,
+                operation  TEXT NOT NULL CHECK (operation IN ('ADD','UPDATE','DEPRECATE','NOOP')),
+                old_status TEXT,
+                new_status TEXT,
+                reason     TEXT,
+                ts         REAL DEFAULT (unixepoch('now'))
+            )
+        """)
+        db.execute("""
+            CREATE TABLE IF NOT EXISTS entities (
+                entity_id   TEXT PRIMARY KEY,
+                entity_name TEXT NOT NULL,
+                entity_type TEXT NOT NULL DEFAULT 'general',
+                confidence  REAL NOT NULL DEFAULT 1.0,
+                created_at  REAL DEFAULT (unixepoch('now'))
+            )
+        """)
+        db.execute("""
+            CREATE TABLE IF NOT EXISTS entity_aliases (
+                alias_id    TEXT PRIMARY KEY,
+                entity_id   TEXT NOT NULL REFERENCES entities(entity_id),
+                alias_text  TEXT NOT NULL,
+                confidence  REAL NOT NULL DEFAULT 1.0,
+                UNIQUE(alias_text)
+            )
+        """)
+        db.execute("""
+            CREATE TABLE IF NOT EXISTS autonomy_state (
+                key   TEXT PRIMARY KEY,
+                value TEXT,
+                updated_at REAL DEFAULT (unixepoch('now'))
+            )
+        """)
+        db.execute(
+            "INSERT OR REPLACE INTO schema_info(key, value) VALUES ('version', ?)",
+            (str(SCHEMA_VERSION),),
+        )
+        db.commit()
+
+
+def get_schema_version(db: sqlite3.Connection) -> int:
+    row = db.execute("SELECT value FROM schema_info WHERE key='version'").fetchone()
+    return int(row["value"]) if row else 0

package/scripts/memory/installer/templates/autonomy/vault_policy.py

@@ -0,0 +1,205 @@
+#!/usr/bin/env python3
+"""
+vault_policy.py - Vault lane and sensitivity enforcement for Mnemo.
+
+Handles:
+  - Marking files/units as secret/vault (sensitivity classification)
+  - Automatic redaction before context pack delivery
+  - Policy config loading from policies.yaml
+  - Autonomous redaction pipeline (no human required)
+"""
+import re
+import sqlite3
+import os
+import yaml
+from pathlib import Path
+from typing import Optional
+
+from autonomy.schema import get_db
+
+
+def _resolve_memory_root() -> Path:
+    override = os.getenv("MNEMO_MEMORY_ROOT", "").strip()
+    if override:
+        return Path(override).expanduser().resolve()
+
+    cwd = Path.cwd().resolve()
+    for root in (cwd, *cwd.parents):
+        for rel in ((".mnemo", "memory"), (".cursor", "memory")):
+            candidate = root.joinpath(*rel)
+            if candidate.exists():
+                return candidate
+    return cwd / ".mnemo" / "memory"
+
+
+DEFAULT_POLICY_PATH = _resolve_memory_root() / ".autonomy" / "policies.yaml"
+_POLICY_CACHE: dict | None = None
+
+# Built-in secret patterns (supplemented by policies.yaml)
+_BUILTIN_SECRET_PATTERNS = [
+    r"(?i)(api[_-]?key|secret[_-]?key|password|token|auth[_-]?token)\s*[:=]\s*\S+",
+    r"(?i)bearer\s+[a-zA-Z0-9._-]{20,}",
+    r"[a-zA-Z0-9]{32,}",  # Long API keys (conservative - only in vault paths)
+]
+
+REDACTION_PLACEHOLDER = "[REDACTED]"
+
+
+def load_policy(policy_path: Path = DEFAULT_POLICY_PATH) -> dict:
+    """Load vault policy from YAML file, with fallback to defaults."""
+    global _POLICY_CACHE
+    if _POLICY_CACHE is not None:
+        return _POLICY_CACHE
+
+    defaults = {
+        "sensitivity_paths": {
+            "secret": [".mnemo/memory/vault/", ".cursor/memory/vault/", ".env", "*.secret.*"],
+            "internal": [".mnemo/memory/active-context.md", ".cursor/memory/active-context.md"],
+        },
+        "redaction_patterns": [],
+        "allow_internal_for_roles": ["agent", "autonomous"],
+        "max_sensitivity_in_context": "internal",
+    }
+
+    if not policy_path.exists():
+        _POLICY_CACHE = defaults
+        return defaults
+
+    try:
+        with open(policy_path, "r", encoding="utf-8") as f:
+            loaded = yaml.safe_load(f) or {}
+        merged = {**defaults, **loaded}
+        _POLICY_CACHE = merged
+        return merged
+    except Exception:
+        _POLICY_CACHE = defaults
+        return defaults
+
+
+def invalidate_policy_cache() -> None:
+    global _POLICY_CACHE
+    _POLICY_CACHE = None
+
+
+def classify_sensitivity(path_str: str, policy: dict | None = None) -> str:
+    """Return 'public', 'internal', or 'secret' for a given file path."""
+    if policy is None:
+        policy = load_policy()
+
+    p_lower = path_str.lower().replace("\\", "/")
+    patterns = policy.get("sensitivity_paths", {})
+
+    for label in ("secret", "internal", "public"):
+        for pattern in patterns.get(label, []):
+            pat_lower = pattern.lower().replace("\\", "/")
+            if pat_lower.endswith("/") and pat_lower in p_lower:
+                return label
+            if pat_lower.startswith("*.") and p_lower.endswith(pat_lower[1:]):
+                return label
+            if pat_lower in p_lower:
+                return label
+
+    # Built-in vault detection
+    if "/vault/" in p_lower:
+        return "secret"
+    if ".secret." in p_lower or "secret." in p_lower:
+        return "secret"
+
+    return "public"
+
+
+def redact_content(content: str, sensitivity: str, policy: dict | None = None) -> str:
+    """
+    Redact sensitive patterns from content.
+    For 'secret' sensitivity: apply all redaction patterns.
+    For 'internal': apply only external-facing redaction.
+    """
+    if sensitivity == "public":
+        return content
+
+    if policy is None:
+        policy = load_policy()
+
+    result = content
+    patterns_to_apply = list(_BUILTIN_SECRET_PATTERNS)
+    extra = policy.get("redaction_patterns", [])
+    if isinstance(extra, list):
+        patterns_to_apply.extend(extra)
+
+    for pat in patterns_to_apply:
+        try:
+            result = re.sub(pat, REDACTION_PLACEHOLDER, result)
+        except re.error:
+            pass
+
+    return result
+
+
+class VaultPolicy:
+    def __init__(
+        self,
+        db: Optional[sqlite3.Connection] = None,
+        policy_path: Path = DEFAULT_POLICY_PATH,
+    ):
+        self.db = db or get_db()
+        self.policy = load_policy(policy_path)
+
+    def classify_and_persist(self, source_ref: str) -> str:
+        """Classify sensitivity and update DB record."""
+        sensitivity = classify_sensitivity(source_ref, self.policy)
+        self.db.execute(
+            "UPDATE memory_units SET sensitivity=?, updated_at=unixepoch('now') WHERE source_ref=?",
+            (sensitivity, source_ref),
+        )
+        self.db.commit()
+        return sensitivity
+
+    def bulk_reclassify(self) -> dict[str, int]:
+        """Reclassify all memory units. Returns {sensitivity: count}."""
+        rows = self.db.execute("SELECT unit_id, source_ref FROM memory_units").fetchall()
+        counts: dict[str, int] = {"public": 0, "internal": 0, "secret": 0}
+
+        for row in rows:
+            sensitivity = classify_sensitivity(row["source_ref"], self.policy)
+            self.db.execute(
+                "UPDATE memory_units SET sensitivity=?, updated_at=unixepoch('now') WHERE unit_id=?",
+                (sensitivity, row["unit_id"]),
+            )
+            counts[sensitivity] = counts.get(sensitivity, 0) + 1
+
+        self.db.commit()
+        return counts
+
+    def is_authorized(self, sensitivity: str, role: str = "agent") -> bool:
+        """Return True if the given role is authorized to see this sensitivity level."""
+        max_level = self.policy.get("max_sensitivity_in_context", "internal")
+        allowed_roles = self.policy.get("allow_internal_for_roles", [])
+
+        if sensitivity == "public":
+            return True
+        if sensitivity == "secret":
+            return False
+        if sensitivity == "internal":
+            return role in allowed_roles
+
+        return False
+
+    def apply_redaction(self, content: str, sensitivity: str) -> str:
+        """Apply content redaction based on sensitivity level."""
+        return redact_content(content, sensitivity, self.policy)
+
+    def audit_report(self) -> dict:
+        """Return audit summary of sensitivity distribution."""
+        rows = self.db.execute(
+            "SELECT sensitivity, COUNT(*) as cnt FROM memory_units GROUP BY sensitivity"
+        ).fetchall()
+        report = {r["sensitivity"]: r["cnt"] for r in rows}
+
+        # Check for units with secret content in non-vault paths
+        leaked = self.db.execute(
+            "SELECT COUNT(*) FROM memory_units WHERE sensitivity='secret' AND source_ref NOT LIKE '%vault%'"
+        ).fetchone()[0]
+        if leaked:
+            report["_warning_potential_leaks"] = leaked
+
+        return report

package/scripts/memory/installer/templates/build-memory-sqlite.py

@@ -0,0 +1,111 @@
+#!/usr/bin/env python3
+"""Build SQLite FTS5 index from memory JSON indexes."""
+import argparse
+import json
+import sqlite3
+from pathlib import Path
+
+
+def read_text(p: Path) -> str:
+    return p.read_text(encoding="utf-8-sig", errors="replace")
+
+
+def resolve_memory_dir(repo: Path) -> Path:
+    candidates = [
+        repo / ".mnemo" / "memory",
+        repo / ".cursor" / "memory",
+    ]
+    for candidate in candidates:
+        if candidate.exists():
+            return candidate
+    return candidates[0]
+
+
+def main():
+    ap = argparse.ArgumentParser()
+    ap.add_argument("--repo", required=True)
+    args = ap.parse_args()
+
+    repo = Path(args.repo)
+    mem = resolve_memory_dir(repo)
+    out_db = mem / "memory.sqlite"
+
+    lessons_index = mem / "lessons-index.json"
+    journal_index = mem / "journal-index.json"
+
+    lessons = []
+    if lessons_index.exists():
+        t = read_text(lessons_index).strip()
+        if t:
+            lessons = json.loads(t)
+            if not isinstance(lessons, list):
+                lessons = [lessons] if lessons else []
+
+    journal = []
+    if journal_index.exists():
+        t = read_text(journal_index).strip()
+        if t:
+            journal = json.loads(t)
+            if not isinstance(journal, list):
+                journal = [journal] if journal else []
+
+    if out_db.exists():
+        out_db.unlink()
+
+    con = sqlite3.connect(str(out_db))
+    cur = con.cursor()
+    cur.execute("CREATE VIRTUAL TABLE memory_fts USING fts5(kind, id, date, tags, title, content, path);")
+
+    for kind, fid, path in [
+        ("hot_rules", "HOT", mem / "hot-rules.md"),
+        ("active", "ACTIVE", mem / "active-context.md"),
+        ("memo", "MEMO", mem / "memo.md"),
+    ]:
+        if path.exists():
+            cur.execute(
+                "INSERT INTO memory_fts(kind,id,date,tags,title,content,path) VALUES (?,?,?,?,?,?,?)",
+                (kind, fid, None, "", path.name, read_text(path), str(path)),
+            )
+
+    lessons_dir = mem / "lessons"
+    for l in lessons:
+        lid = l.get("Id")
+        title = l.get("Title", "")
+        tags = " ".join(l.get("Tags") or [])
+        date = l.get("Introduced")
+        file = l.get("File", "")
+        path = lessons_dir / file if file else (mem / "lessons.md")
+        content = read_text(path) if path.exists() else f"{title}\nRule: {l.get('Rule', '')}"
+        cur.execute(
+            "INSERT INTO memory_fts(kind,id,date,tags,title,content,path) VALUES (?,?,?,?,?,?,?)",
+            ("lesson", lid, date, tags, title, content, str(path)),
+        )
+
+    for e in journal:
+        tags = " ".join(e.get("Tags") or [])
+        files = e.get("Files") or []
+        if isinstance(files, dict):
+            files = []
+        content = f"{e.get('Title', '')}\nFiles: {', '.join(files)}"
+        path = mem / "journal" / (e.get("MonthFile") or "")
+        cur.execute(
+            "INSERT INTO memory_fts(kind,id,date,tags,title,content,path) VALUES (?,?,?,?,?,?,?)",
+            ("journal", None, e.get("Date"), tags, e.get("Title"), content, str(path)),
+        )
+
+    digests = mem / "digests"
+    if digests.exists():
+        for p in digests.glob("*.digest.md"):
+            cur.execute(
+                "INSERT INTO memory_fts(kind,id,date,tags,title,content,path) VALUES (?,?,?,?,?,?,?)",
+                ("digest", None, None, "", p.name, read_text(p), str(p)),
+            )
+
+    con.commit()
+    con.close()
+    print(f"Built: {out_db}")
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

package/scripts/memory/installer/templates/clear-active.ps1

@@ -0,0 +1,55 @@
+<#
+clear-active.ps1
+Resets active-context.md to blank template.
+#>
+
+Set-StrictMode -Version Latest
+$ErrorActionPreference = "Stop"
+
+if ($PSScriptRoot) {
+  $RepoRoot = (Resolve-Path (Join-Path $PSScriptRoot "..\..")).Path
+} else {
+  $RepoRoot = (Get-Location).Path
+}
+
+function Resolve-MnemoMemoryDir([string]$Root) {
+  $candidates = @(
+    (Join-Path $Root ".mnemo\memory"),
+    (Join-Path $Root ".cursor\memory")
+  )
+  foreach ($candidate in $candidates) {
+    if (Test-Path -LiteralPath $candidate) { return $candidate }
+  }
+  return $candidates[0]
+}
+
+$ActivePath = Join-Path (Resolve-MnemoMemoryDir -Root $RepoRoot) "active-context.md"
+
+$Template = @"
+# Active Context (Session Scratchpad)
+
+Priority: this overrides older journal history *for this session only*.
+
+CLEAR this file when the task is done:
+- Run ``scripts/memory/clear-active.ps1``
+
+## Current Goal
+-
+
+## Files in Focus
+-
+
+## Findings / Decisions
+-
+
+## Temporary Constraints
+-
+
+## Blockers
+-
+"@
+
+$enc = New-Object System.Text.UTF8Encoding($false)
+[System.IO.File]::WriteAllText($ActivePath, ($Template -replace "`r?`n", "`r`n"), $enc)
+
+Write-Host "Cleared: $ActivePath" -ForegroundColor Green

package/scripts/memory/installer/templates/customization.md

@@ -0,0 +1,84 @@
+# Mnemo Memory Customization Prompt (paste into an AI)
+
+You are an AI coding agent. Your task is to **customize the Mnemo memory system** created by running `memory.ps1` in the root of THIS repository.
+
+## Non-negotiable rules
+
+- **Do not lose legacy memory.** If you find an older memory system (e.g. `Archive/`, `.cursor_old/`, `docs/memory/`, etc.), copy it into:
+  - `.cursor/memory/legacy/<source-name>/`
+- **Do not overwrite** the new Mnemo structure unless explicitly required. Prefer merge + preserve.
+- Keep the always-read layer token-safe:
+  - `.cursor/memory/hot-rules.md` stays ~20 lines (hard invariants only).
+  - `.cursor/memory/memo.md` is "current truth", not history (move history into journals).
+- Mnemo authority order (highest → lowest):
+  - Lessons > active-context > memo > journal.
+
+## Deliverable (what you must produce)
+
+1) Project-customized memory in `.cursor/memory/` (memo + index + regression checklist updated).
+2) Legacy memory preserved in `.cursor/memory/legacy/...`.
+3) Lint passes for the memory system.
+
+## Required steps
+
+### 1) Inventory this repo
+
+- Identify the project type, main entrypoints, key modules, build/test commands, and "hot" folders.
+
+### 2) Update `.cursor/memory/memo.md` (project truth)
+
+Fill it with high-signal bullets:
+- Ownership map (which folder/module owns what)
+- Invariants/constraints (forbidden APIs, timing constraints, state ownership rules)
+- Load order requirements (if relevant)
+- Integration points (plugins, external systems)
+
+Keep it short; no journaling here.
+
+### 3) Update `.cursor/memory/index.md` (orientation)
+
+- Add a "Hotspots" section listing the most bug-prone or most-edited files/dirs.
+- Add a short "If you only remember one thing" section (max 3 bullets).
+
+### 4) Update `.cursor/memory/regression-checklist.md`
+
+Make it match this repo's reality:
+- Build/test commands
+- Runtime/manual checks
+- Areas that commonly regress
+
+### 5) Import legacy journals
+
+- Merge/copy legacy monthly journals into `.cursor/memory/journal/YYYY-MM.md`
+- Ensure each date header appears once per month (`## YYYY-MM-DD`)
+
+### 6) Convert legacy lessons into atomic lessons (if needed)
+
+If legacy has a single `lessons.md`:
+- Convert it into individual files:
+  - `.cursor/memory/lessons/L-001-*.md`, `L-002-*.md`, ...
+- Each lesson must have valid YAML frontmatter required by the linter.
+- If you introduce new tags, add them to `.cursor/memory/tag-vocabulary.md`.
+
+### 7) Rules cleanup (recommended)
+
+If `.cursor/rules/` contains duplicated always-apply rules:
+- Merge into a single rule file (keep it readable with headings).
+- Remove duplicates to avoid conflicting instructions.
+
+### 8) Rebuild indexes + lint
+
+Run:
+
+```powershell
+powershell -ExecutionPolicy Bypass -File scripts/memory/rebuild-memory-index.ps1
+powershell -ExecutionPolicy Bypass -File scripts/memory/lint-memory.ps1
+```
+
+Fix any lint errors you introduced.
+
+## Final response format
+
+- What you changed (files + why)
+- Where legacy memory is preserved
+- Lint result (pass/fail + any warnings)