@equilateral_ai/mindmeld 3.5.3 → 4.0.1

package/hooks/session-start.js

@@ -101,6 +101,80 @@ async function detectGitRemote() {
   }
 }
 
+/**
+ * Detect git HEAD SHA and branch for project identity (Spec §6.5)
+ * @returns {Promise<{commitSha: string|null, gitBranch: string|null}>}
+ */
+async function detectGitMetadata() {
+  const { execSync } = require('child_process');
+  const opts = { cwd: process.cwd(), encoding: 'utf-8', timeout: 2000, stdio: ['pipe', 'pipe', 'pipe'] };
+  let commitSha = null;
+  let gitBranch = null;
+  try {
+    commitSha = execSync('git rev-parse HEAD', opts).trim() || null;
+  } catch (_) { /* not a git repo */ }
+  try {
+    gitBranch = execSync('git branch --show-current', opts).trim() || null;
+  } catch (_) { /* detached HEAD or not a git repo */ }
+  return { commitSha, gitBranch };
+}
+
+/**
+ * Read Claude Code memory files for drift detection (Spec §5.2)
+ * Reads MEMORY.md index + all referenced .md files from the project memory dir
+ * @returns {Promise<string|null>} Concatenated memory content or null
+ */
+async function readClaudeMemory() {
+  const os = require('os');
+  const encodedCwd = process.cwd().replace(/\//g, '-');
+  const memoryDir = path.join(os.homedir(), '.claude', 'projects', encodedCwd, 'memory');
+
+  try {
+    await fs.access(memoryDir);
+  } catch (_) {
+    return null;
+  }
+
+  try {
+    const files = await fs.readdir(memoryDir);
+    const mdFiles = files.filter(f => f.endsWith('.md'));
+    if (mdFiles.length === 0) return null;
+
+    const contents = [];
+    // Read MEMORY.md first if it exists (it's the index)
+    if (mdFiles.includes('MEMORY.md')) {
+      const content = await fs.readFile(path.join(memoryDir, 'MEMORY.md'), 'utf-8');
+      contents.push(`--- MEMORY.md ---\n${content}`);
+    }
+    for (const file of mdFiles) {
+      if (file === 'MEMORY.md') continue;
+      try {
+        const content = await fs.readFile(path.join(memoryDir, file), 'utf-8');
+        contents.push(`--- ${file} ---\n${content}`);
+      } catch (_) { /* skip unreadable files */ }
+    }
+    return contents.join('\n\n');
+  } catch (err) {
+    console.error('[MindMeld] Memory read failed (non-fatal):', err.message);
+    return null;
+  }
+}
+
+/**
+ * Read CLAUDE.md files for drift detection
+ * Reads project-level CLAUDE.md and any parent CLAUDE.md files
+ * @returns {Promise<string|null>} Concatenated CLAUDE.md content or null
+ */
+async function readClaudeMd() {
+  try {
+    const claudeMdPath = path.join(process.cwd(), 'CLAUDE.md');
+    const content = await fs.readFile(claudeMdPath, 'utf-8');
+    return content || null;
+  } catch (_) {
+    return null;
+  }
+}
+
 /**
  * Get project name from git remote URL or directory name
  * @param {string|null} gitRemote - Git remote URL
@@ -628,6 +702,81 @@ async function fetchRelevantStandardsFromAPI(apiUrl, authToken, characteristics,
   });
 }
 
+/**
+ * Call mindmeld_init_session via JSON-RPC to get banded injection (Band A/B/C).
+ * This converges the hook injection path with the MCP tool path — one deterministic
+ * banded output regardless of whether the MCP tool also fires during the session.
+ */
+async function callBandedInitSession(apiUrl, authToken, params) {
+  if (!authToken) {
+    throw new Error('No auth token available');
+  }
+
+  const https = require('https');
+  const url = require('url');
+
+  const jsonRpcPayload = JSON.stringify({
+    jsonrpc: '2.0',
+    id: 1,
+    method: 'tools/call',
+    params: {
+      name: 'mindmeld_init_session',
+      arguments: params
+    }
+  });
+
+  const parsedUrl = url.parse(`${apiUrl}/api/mcp/mindmeld`);
+
+  const options = {
+    hostname: parsedUrl.hostname,
+    port: parsedUrl.port || 443,
+    path: parsedUrl.path,
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'Authorization': `Bearer ${authToken}`,
+      'Content-Length': Buffer.byteLength(jsonRpcPayload)
+    },
+    timeout: 8000
+  };
+
+  return new Promise((resolve, reject) => {
+    const req = https.request(options, (res) => {
+      let data = '';
+      res.on('data', chunk => { data += chunk; });
+      res.on('end', () => {
+        try {
+          const rpcResponse = JSON.parse(data);
+          if (rpcResponse.error) {
+            const err = new Error(rpcResponse.error.message || 'JSON-RPC error');
+            err.statusCode = res.statusCode;
+            reject(err);
+            return;
+          }
+          const content = rpcResponse.result?.content;
+          if (!content || !content[0] || content[0].type !== 'text') {
+            reject(new Error('Unexpected init_session response shape'));
+            return;
+          }
+          const initResult = JSON.parse(content[0].text);
+          resolve(initResult);
+        } catch (e) {
+          reject(new Error('Invalid banded init_session response'));
+        }
+      });
+    });
+
+    req.on('error', reject);
+    req.on('timeout', () => {
+      req.destroy();
+      reject(new Error('Banded init_session timeout'));
+    });
+
+    req.write(jsonRpcPayload);
+    req.end();
+  });
+}
+
 /**
  * Fetch weekly splash data from API
  * Returns splash summary with stats, or null if already acknowledged
@@ -744,11 +893,14 @@ async function injectContext() {
     }
 
     // 1. Parallel local reads (no network, no DB)
-    const [fingerprintConfig, authToken, apiConfig, preferences] = await Promise.all([
+    const [fingerprintConfig, authToken, apiConfig, preferences, gitMetadata, memoryContent, claudeMdContent] = await Promise.all([
       loadFingerprintConfig(),
       loadAuthToken(),
       loadApiConfig(),
-      loadStandardsPreferences()
+      loadStandardsPreferences(),
+      detectGitMetadata(),
+      readClaudeMemory(),
+      readClaudeMd()
     ]);
 
     // 2. Initialize MindmeldClient (used for project detection, session tracking, team context)
@@ -795,7 +947,9 @@ async function injectContext() {
         companyId: context.companyId,
         userEmail: context.userEmail,
         startedAt: new Date().toISOString(),
-        transcriptPath: transcriptPath
+        transcriptPath: transcriptPath,
+        commitSha: gitMetadata.commitSha,
+        gitBranch: gitMetadata.gitBranch,
       };
       const mindmeldDir = path.join(process.cwd(), '.mindmeld');
       await fs.mkdir(mindmeldDir, { recursive: true });
@@ -842,89 +996,66 @@ async function injectContext() {
       console.error(`[MindMeld] Watcher spawn failed (non-fatal): ${err.message}`);
     }
 
-    // 4. Detect project characteristics locally (file system only, no DB)
-    const characteristics = await mindmeld.relevanceDetector.detectProjectCharacteristics();
+    // 4. Banded injection path (converged with MCP init_session)
+    // Band B content gated on resolved companyId — null scope would mis-match snapshots
+    const bandBGated = !!context.companyId;
+    const initParams = {
+      project_path: process.cwd(),
+      commit_sha: gitMetadata.commitSha || undefined,
+      git_branch: gitMetadata.gitBranch || undefined,
+      git_root: gitMetadata.gitRoot || undefined,
+      memory_content: bandBGated ? (memoryContent || undefined) : undefined,
+      claude_md_content: bandBGated ? (claudeMdContent || undefined) : undefined
+    };
 
-    // 5. Parallel API calls: standards + team context + splash
-    const [standardsResult, projectContextResult, splashResult] = await Promise.allSettled([
-      fetchRelevantStandardsFromAPI(apiConfig.apiUrl, authToken, characteristics, context.projectId, preferences),
-      mindmeld.loadProjectContext(context.projectId),
+    const [bandedResult, splashResult] = await Promise.allSettled([
+      callBandedInitSession(apiConfig.apiUrl, authToken, initParams),
       fetchSplashData(apiConfig.apiUrl, authToken)
     ]);
 
-    // 6. Resolve standards: API → file-based fallback (only for network errors, not subscription blocks)
-    let relevantStandards = [];
-    if (standardsResult.status === 'fulfilled' && standardsResult.value.length > 0) {
-      relevantStandards = standardsResult.value;
-      console.error(`[MindMeld] ${relevantStandards.length} standards from API`);
-    } else if (standardsResult.status === 'rejected' &&
-               standardsResult.reason.message.includes('subscription required')) {
-      // Subscription enforcement — do NOT fall through to file-based injection
-      console.error('[MindMeld] Active subscription required. Subscribe at app.mindmeld.dev');
-      return '';
-    } else if (standardsResult.status === 'rejected' &&
-               (standardsResult.reason.statusCode === 401 || standardsResult.reason.message === 'Unauthorized')) {
-      // Auth token expired or invalid — trigger re-auth and use file-based fallback
-      console.error('[MindMeld] Auth token expired. Triggering re-authentication...');
-      spawnBackgroundLogin();
-      const categories = mindmeld.relevanceDetector.mapCharacteristicsToCategories(characteristics);
-      relevantStandards = await mindmeld.relevanceDetector.loadStandardsFromFiles(categories, characteristics);
-      console.error(`[MindMeld] ${relevantStandards.length} standards from file fallback (scored)`);
-    } else {
-      if (standardsResult.status === 'rejected') {
-        console.error(`[MindMeld] API fallback: ${standardsResult.reason.message}`);
-      }
-      const categories = mindmeld.relevanceDetector.mapCharacteristicsToCategories(characteristics);
-      relevantStandards = await mindmeld.relevanceDetector.loadStandardsFromFiles(categories, characteristics);
-      console.error(`[MindMeld] ${relevantStandards.length} standards from file fallback (scored)`);
-    }
-
-    // 7. Filter by project preferences
-    if (preferences) {
-      relevantStandards = filterStandardsByPreferences(relevantStandards, preferences);
-      console.error(`[MindMeld] Filtered to ${relevantStandards.length} standards by preferences`);
-    }
-
-    // Take top 10 most relevant after filtering
-    relevantStandards = relevantStandards.slice(0, 10);
-
-    // 8. Record standards shown (fire-and-forget, non-blocking)
-    mindmeld.recordStandardsShown(sessionId, relevantStandards, context.projectId, context.userEmail);
-
-    // 9. Resolve team context from parallel API call
-    const projectContext = projectContextResult.status === 'fulfilled' ? projectContextResult.value : null;
-    const teamPatterns = projectContext && projectContext.patterns
-      ? projectContext.patterns.filter(p => p.confidence > 0.7)
-      : [];
-    const recentLearning = projectContext && projectContext.recentLearning
-      ? projectContext.recentLearning
-      : [];
-
-    // 10. Resolve splash data
     const splashData = splashResult.status === 'fulfilled' ? splashResult.value : null;
-
-    // Auto-acknowledge splash (fire-and-forget) so it doesn't show again this week
-    if (splashData && splashData.show_splash && splashData.summary) {
+    if (splashData?.show_splash && splashData?.summary) {
       acknowledgeSplash(apiConfig.apiUrl, authToken, splashData.summary.week_start);
     }
 
-    // 11. Build context injection with fingerprint
-    const injection = formatContextInjection({
-      project: context.projectName,
-      sessionId: sessionId,
-      collaborators: context.collaborators,
-      relevantStandards: relevantStandards,
-      teamPatterns: teamPatterns,
-      recentLearning: recentLearning,
-      fingerprint: fingerprintConfig,
-      splash: splashData
-    });
+    // 6. Resolve injection: banded → flat fallback
+    let injection;
+    if (bandedResult.status === 'fulfilled' && bandedResult.value.formatted_injection) {
+      const initResponse = bandedResult.value;
+      const summary = initResponse.injection_summary || {};
+      console.error(`[MindMeld] Banded injection: A=${summary.band_a_tokens || 0}t B=${summary.band_b_tokens || 0}t C=${summary.band_c_tokens || 0}t / ${summary.budget_tokens || 400}t budget`);
+
+      injection = formatConvergedInjection({
+        bandedMarkdown: initResponse.formatted_injection,
+        collaborators: context.collaborators,
+        splash: splashData
+      });
 
-    // 12. Cache condensed context for subagent injection
-    try {
-      await cacheSubagentContext(relevantStandards, teamPatterns, context.projectName);
-    } catch (cacheError) {
-      console.error('[MindMeld] Subagent context cache failed (non-fatal):', cacheError.message);
+      try {
+        const standardsForCache = (initResponse.injected_rules || []).map(r => ({
+          pattern_id: r.rule_id, element: r.standard, rule: r.text,
+          maturity: r.maturity, relevance_score: r.relevance_score
+        }));
+        await cacheSubagentContext(standardsForCache, [], context.projectName);
+      } catch (cacheError) {
+        console.error('[MindMeld] Subagent context cache failed (non-fatal):', cacheError.message);
+      }
+    } else {
+      const bandedError = bandedResult.status === 'rejected' ? bandedResult.reason : null;
+      if (bandedError) {
+        if (bandedError.message.includes('subscription required')) {
+          console.error('[MindMeld] Active subscription required. Subscribe at app.mindmeld.dev');
+          return '';
+        }
+        if (bandedError.statusCode === 401 || bandedError.message === 'Unauthorized') {
+          console.error('[MindMeld] Auth token expired. Triggering re-authentication...');
+          spawnBackgroundLogin();
+        }
+        console.error(`[MindMeld] API unavailable: ${bandedError.message}`);
+      } else {
+        console.error('[MindMeld] API returned empty injection');
+      }
+      injection = '<!-- MindMeld: API unavailable — this session is proceeding without governance injection. Standards were not loaded. -->';
     }
 
     const elapsed = Date.now() - startTime;
@@ -933,9 +1064,8 @@ async function injectContext() {
     return injection;
 
   } catch (error) {
-    // Graceful degradation - never block Claude Code session
     console.error('[MindMeld] Hook error (non-fatal):', error.message);
-    return '';
+    return '<!-- MindMeld: hook error — this session is proceeding without governance injection. Standards were not loaded. -->';
   }
 }
 
@@ -956,6 +1086,27 @@ async function checkMindmeldConfiguration() {
   }
 }
 
+/**
+ * Validate that a standard has enough content to be useful when injected.
+ * Mirrors StandardsIngestion.isViableStandard() for the output path.
+ */
+function isViableForInjection(standard) {
+  const el = (standard.element || '').trim();
+  const rl = (standard.rule || '').trim();
+
+  if (!el || !rl) return false;
+  if (/^(USE|ALWAYS|NEVER|PREFER|AVOID|DO|DON'T|SET|ADD|RUN|CALL)$/i.test(el)) return false;
+  if (/^(Standard Pattern|Core Principle)$/i.test(el) && rl.length < 30) return false;
+  if (/^(ALWAYS|NEVER|USE|PREFER|AVOID)[:\s]*$/i.test(rl)) return false;
+  if (rl.length < 15) return false;
+
+  // Word-count guard: element must have >=2 words or be a compound term (>=8 chars)
+  const wordCount = el.split(/[\s.]+/).filter(w => w.length > 0).length;
+  if (wordCount < 2 && el.length < 8) return false;
+
+  return true;
+}
+
 /**
  * Cache condensed context for subagent injection
  * Subagents don't get session-start hooks, so we cache the essentials
@@ -975,25 +1126,55 @@ async function cacheSubagentContext(standards, teamPatterns, projectName) {
   sections.push('Follow these standards when writing or modifying code:');
   sections.push('');
 
-  // Include standards as compact rules (no examples/anti-patterns to save tokens)
+  let injectedCount = 0;
+  let skippedCount = 0;
+
   if (standards && standards.length > 0) {
     for (const s of standards) {
-      sections.push(`- **${s.element}** [${s.category}]: ${s.rule}`);
+      if (!isViableForInjection(s)) {
+        skippedCount++;
+        continue;
+      }
+
+      const maturity = s.maturity_tier || s.maturity || 'validated';
+      const prefix = maturity === 'reinforced' ? '[MUST]' :
+                     maturity === 'enforced' ? '[MUST]' :
+                     maturity === 'solidified' ? '[SHOULD]' : '[CONSIDER]';
+
+      sections.push(`### ${prefix} ${s.element}`);
+      sections.push(`**Category**: ${s.category}`);
+      sections.push(`**Rule**: ${s.rule}`);
+
+      // Include first anti-pattern if available — high signal-to-token ratio
+      if (s.anti_patterns && s.anti_patterns.length > 0) {
+        const ap = s.anti_patterns[0];
+        const desc = typeof ap === 'string' ? ap : (ap.description || '');
+        if (desc) {
+          sections.push(`**Avoid**: ${desc}`);
+        }
+      }
+
+      sections.push('');
+      injectedCount++;
     }
-    sections.push('');
   }
 
-  // Include team patterns as compact rules
+  // Include team patterns with validation
   if (teamPatterns && teamPatterns.length > 0) {
     sections.push('## Team Patterns');
     for (const p of teamPatterns) {
+      if (!isViableForInjection(p)) {
+        skippedCount++;
+        continue;
+      }
       sections.push(`- **${p.element}** (${(p.correlation * 100).toFixed(0)}% correlation): ${p.rule}`);
+      injectedCount++;
     }
     sections.push('');
   }
 
   await fs.writeFile(cachePath, sections.join('\n'));
-  console.error(`[MindMeld] Cached subagent context (${sections.length} lines)`);
+  console.error(`[MindMeld] Cached subagent context (${injectedCount} standards, ${skippedCount} skipped as non-viable)`);
 }
 
 /**
@@ -1011,7 +1192,53 @@ function getMaturityPrefix(maturityTier) {
 }
 
 /**
- * Format context injection for Claude Code
+ * Wrap banded init_session output with hook-only sections (splash, team).
+ * The banded markdown is self-contained (header, copyright, bands A/B/C, footer).
+ * Hook-only content is inserted between the copyright block and the first band heading.
+ */
+function formatConvergedInjection({ bandedMarkdown, collaborators, splash }) {
+  const extraSections = [];
+
+  if (splash && splash.show_splash) {
+    if (splash.is_greenfield && splash.tips && splash.tips.length > 0) {
+      extraSections.push('## Getting Started with MindMeld');
+      for (const tip of splash.tips) extraSections.push(`- ${tip}`);
+      extraSections.push('');
+    } else if (splash.summary) {
+      const s = splash.summary;
+      const formatDate = (dateStr) => {
+        const d = new Date(dateStr + 'T00:00:00Z');
+        return d.toLocaleDateString('en-US', { month: 'short', day: 'numeric', timeZone: 'UTC' });
+      };
+      const hours = Math.floor(s.total_duration_minutes / 60);
+      const mins = s.total_duration_minutes % 60;
+      const duration = hours > 0 ? `${hours}h ${mins}m` : `${mins}m`;
+      extraSections.push(`## Weekly Recap (${formatDate(s.week_start)} - ${formatDate(s.week_end)})`);
+      extraSections.push(`${s.sessions_count} sessions | ${duration} total | ${s.active_projects} project${s.active_projects !== 1 ? 's' : ''}`);
+      extraSections.push(`${s.standards_injected} standards injected, ${s.standards_followed} followed, ${s.violations_detected} violation${s.violations_detected !== 1 ? 's' : ''}`);
+      if (s.patterns_harvested > 0) extraSections.push(`${s.patterns_harvested} patterns harvested`);
+      extraSections.push('');
+    }
+  }
+
+  if (collaborators && collaborators.length > 0) {
+    extraSections.push('## Team');
+    extraSections.push(collaborators.map(c => `- ${c.name} (${c.email})`).join('\n'));
+    extraSections.push('');
+  }
+
+  if (extraSections.length === 0) return bandedMarkdown;
+
+  const firstBandHeading = bandedMarkdown.indexOf('\n## ');
+  if (firstBandHeading === -1) return bandedMarkdown;
+
+  return bandedMarkdown.slice(0, firstBandHeading + 1) +
+    extraSections.join('\n') + '\n' +
+    bandedMarkdown.slice(firstBandHeading + 1);
+}
+
+/**
+ * Format flat context injection for Claude Code (fallback when banded path unavailable)
  * @param {object} data - Context data to inject
  * @param {object} data.fingerprint - Fingerprint config {userId, companyId, tier}
  */

package/package.json

@@ -1,21 +1,22 @@
 {
   "name": "@equilateral_ai/mindmeld",
-  "version": "3.5.3",
+  "version": "4.0.1",
   "description": "Intelligent standards injection for AI coding sessions - context-aware, self-documenting, scales to large codebases",
   "main": "src/index.js",
   "bin": {
-    "mindmeld": "./scripts/init-project.js"
+    "mindmeld": "scripts/init-project.js"
   },
   "files": [
-    "src/",
+    "src/index.js",
+    "src/core/AuthManager.js",
+    "src/core/PatternValidator.js",
+    "src/core/LLMPatternDetector.js",
+    "src/client/dbShim.js",
+    "src/handlers/helpers/dbOperations.js",
+    "src/utils/piiMask.js",
     "hooks/",
     "scripts/init-project.js",
     "scripts/auth-login.js",
-    "scripts/inject.js",
-    "scripts/harvest.js",
-    "scripts/repo-analyzer.js",
-    "scripts/mcp-bridge.js",
-    "scripts/standards.js",
     "README.md"
   ],
   "publishConfig": {
@@ -44,7 +45,9 @@
     "test:benchmark": "node scripts/test-claude-hooks.js --benchmark",
     "test:smoke": "jest --selectProjects smoke --testTimeout=15000",
     "test:e2e": "cd e2e && npx playwright test",
-    "test:e2e:admin": "cd frontend/admin && npx playwright test"
+    "test:e2e:admin": "cd frontend/admin && npx playwright test",
+    "prepack": "mkdir -p src/handlers/helpers && cp src/client/dbShim.js src/handlers/helpers/dbOperations.js",
+    "postpack": "git checkout -- src/handlers/helpers/dbOperations.js"
   },
   "claudeCode": {
     "hooks": {
@@ -80,14 +83,17 @@
   },
   "homepage": "https://mindmeld.dev",
   "dependencies": {
-    "@aws-sdk/client-bedrock-runtime": "^3.460.0",
-    "@aws-sdk/client-ses": "^3.985.0",
-    "js-yaml": "^4.1.1",
-    "pg": "^8.18.0"
+    "js-yaml": "^4.1.1"
+  },
+  "optionalDependencies": {
+    "@aws-sdk/client-bedrock-runtime": "^3.460.0"
   },
   "devDependencies": {
     "@aws-sdk/client-s3": "^3.460.0",
-    "jest": "^29.7.0"
+    "@aws-sdk/client-ses": "^3.985.0",
+    "dotenv": "^17.4.2",
+    "jest": "^29.7.0",
+    "pg": "^8.18.0"
   },
   "engines": {
     "node": ">=18.0.0"

package/scripts/init-project.js

@@ -702,14 +702,9 @@ if (args.command === 'init') {
       process.exit(1);
     });
 } else if (args.command === 'inject') {
-  const { inject, showInjectHelp } = require('./inject');
-  if (args.help) { showInjectHelp(); process.exit(0); }
-  inject({ format: args.format, path: args.projectPath })
-    .then(() => process.exit(0))
-    .catch(error => {
-      console.error('\n❌ Error:', error.message);
-      process.exit(1);
-    });
+  console.error('The inject subcommand has been removed in v4.0.0.');
+  console.error('Standards injection is now handled automatically by the session-start hook via the MindMeld API.');
+  process.exit(1);
 } else if (args.command === 'harvest') {
   const { harvest, showHarvestHelp } = require('./harvest');
   if (args.help) { showHarvestHelp(); process.exit(0); }
@@ -741,8 +736,9 @@ if (args.command === 'init') {
       process.exit(1);
     });
 } else if (args.command === 'standards') {
-  // Delegate to standards.js
-  require('./standards');
+  console.error('The standards subcommand has been removed in v4.0.0.');
+  console.error('Configure standards at https://app.mindmeld.dev');
+  process.exit(1);
 } else if (args.command === 'open') {
   openWebApp(args.projectPath || 'dashboard')
     .then(() => process.exit(0))
@@ -751,19 +747,9 @@ if (args.command === 'init') {
       process.exit(1);
     });
 } else if (args.command === 'mcp') {
-  const { startBridge, resolveToken, showMcpHelp } = require('./mcp-bridge');
-  if (args.help) { showMcpHelp(); process.exit(0); }
-  const token = resolveToken(args.token);
-  if (!token) {
-    console.error('\nMindMeld MCP bridge requires an API token.\n');
-    console.error('Set one of:');
-    console.error('  1. MINDMELD_TOKEN environment variable');
-    console.error('  2. --token CLI argument');
-    console.error('  3. Save to ~/.mindmeld/api-token\n');
-    console.error('Create a token at: https://app.mindmeld.dev/api-tokens\n');
-    process.exit(1);
-  }
-  startBridge(token);
+  console.error('The mcp subcommand has been removed in v4.0.0.');
+  console.error('Use the MindMeld MCP server directly via Claude Code settings.');
+  process.exit(1);
 } else {
   console.error(`Unknown command: ${args.command}`);
   console.error('Run "mindmeld --help" for usage.');

package/src/client/dbShim.js

@@ -0,0 +1,16 @@
+/**
+ * Database operations shim for NPM client package.
+ * Core modules import dbOperations at the top level, but hooks never
+ * execute DB queries — they communicate via HTTP to the MindMeld API.
+ * This shim satisfies the require() without shipping pg or connection logic.
+ */
+
+async function executeQuery() {
+    throw new Error('Database operations are not available in the client package. Use the MindMeld API instead.');
+}
+
+function getPool() {
+    return null;
+}
+
+module.exports = { executeQuery, getPool };

package/src/core/AuthManager.js

@@ -32,6 +32,7 @@ class AuthManager {
                 region: options.cognitoRegion || 'us-east-2'
             },
             callbackPorts: options.callbackPorts || [9876, 9877, 9878, 9879, 9880],
+            // AEGIS review: path is config-driven (homedir + hardcoded), not HTTP user input — no traversal risk
             authFile: options.authFile || path.join(os.homedir(), '.mindmeld', 'auth.json')
         };
     }
@@ -58,8 +59,8 @@ class AuthManager {
      */
     async saveAuth(auth) {
         const dir = path.dirname(this.config.authFile);
-        await fsPromises.mkdir(dir, { recursive: true });
-        await fsPromises.writeFile(this.config.authFile, JSON.stringify(auth, null, 2));
+        await fsPromises.mkdir(dir, { recursive: true, mode: 0o700 });
+        await fsPromises.writeFile(this.config.authFile, JSON.stringify(auth, null, 2), { mode: 0o600 });
     }
 
     /**