@esparkman/pensieve 0.1.0

package/README.md

@@ -0,0 +1,238 @@
+# Pensieve
+
+A persistent memory MCP server for Claude Code that remembers decisions, preferences, and context across conversation boundaries.
+
+> *"I use the Pensieve. One simply siphons the excess thoughts from one's mind, pours them into the basin, and examines them at one's leisure."* — Albus Dumbledore
+
+## Problem
+
+When Claude Code conversations are compacted or cleared:
+- Agent "forgets" discovered patterns, decisions, and understanding
+- User re-explains the same context repeatedly
+- Agent may hallucinate or contradict previous decisions
+- Momentum lost every few hours of deep work
+
+## Solution
+
+Pensieve provides persistent storage via SQLite that Claude can access through native tool calls:
+- `pensieve_remember` — Save decisions, preferences, discoveries, entities
+- `pensieve_recall` — Query the knowledge base
+- `pensieve_session_start` — Load context at conversation start
+- `pensieve_session_end` — Persist learnings before ending
+
+## Installation
+
+### Option 1: Clone and Build (Recommended)
+
+```bash
+# Clone the repository
+git clone https://github.com/esparkman/pensieve.git ~/Development/pensieve
+cd ~/Development/pensieve
+
+# Install dependencies and build
+npm install
+npm run build
+
+# Add to Claude Code
+claude mcp add pensieve node ~/Development/pensieve/dist/index.js
+```
+
+### Option 2: npx (Coming Soon)
+
+Once published to npm:
+
+```bash
+claude mcp add pensieve npx @esparkman/pensieve
+```
+
+### Option 3: Docker
+
+```bash
+# Clone the repository
+git clone https://github.com/esparkman/pensieve.git
+cd pensieve
+
+# Build the Docker image
+docker build -t pensieve .
+
+# Add to Claude Code (mount your project for local database)
+claude mcp add pensieve docker run -i --rm \
+  -v "$PWD/.pensieve:/app/.pensieve" \
+  -v "$HOME/.claude-pensieve:/root/.claude-pensieve" \
+  pensieve
+```
+
+**Note:** The Docker approach mounts two volumes:
+- `$PWD/.pensieve` — Project-local database (if in a git repo)
+- `$HOME/.claude-pensieve` — Global fallback database
+
+### Verify Installation
+
+After installing, restart Claude Code and check that Pensieve is loaded:
+
+```bash
+# In a new Claude Code session, the tools should be available:
+# pensieve_status, pensieve_remember, pensieve_recall, etc.
+```
+
+## Usage
+
+After installing, Claude Code will have access to these tools:
+
+### Start a session
+
+At the beginning of each conversation, Claude should call:
+
+```
+pensieve_session_start()
+```
+
+This loads the last session's summary, work in progress, key decisions, and preferences.
+
+### Remember things
+
+```
+pensieve_remember({
+  type: "decision",
+  topic: "authentication",
+  decision: "Use Devise with magic links",
+  rationale: "Passwordless is more secure and user-friendly"
+})
+
+pensieve_remember({
+  type: "preference",
+  category: "testing",
+  key: "approach",
+  value: "system tests for UI flows"
+})
+
+pensieve_remember({
+  type: "entity",
+  name: "Customer",
+  description: "End user who places orders",
+  relationships: '{"belongs_to": ["Tenant"], "has_many": ["Orders"]}'
+})
+
+pensieve_remember({
+  type: "discovery",
+  category: "component",
+  name: "ButtonComponent",
+  location: "app/components/base/button_component.rb",
+  description: "Primary button component with variants"
+})
+```
+
+### Recall things
+
+```
+pensieve_recall({ query: "authentication" })
+pensieve_recall({ type: "preferences" })
+pensieve_recall({ type: "entities" })
+pensieve_recall({ type: "session" })
+pensieve_recall({ type: "questions" })
+```
+
+### End a session
+
+Before ending a conversation:
+
+```
+pensieve_session_end({
+  summary: "Completed invoice list component with filtering",
+  work_in_progress: "Invoice detail view partially designed",
+  next_steps: "Complete detail view, add PDF export",
+  key_files: ["app/components/invoices/invoice_list_component.rb"],
+  tags: ["invoices", "ui"]
+})
+```
+
+## Database Location
+
+Pensieve stores data in SQLite:
+
+- **Project-local** (if `.git` or `.pensieve` exists): `.pensieve/memory.sqlite`
+- **Global** (fallback): `~/.claude-pensieve/memory.sqlite`
+
+This means each project gets its own memory, but you also have a global memory for general preferences.
+
+### Environment Variable Override
+
+Set `PENSIEVE_DB_PATH` to explicitly specify the database location:
+
+```bash
+PENSIEVE_DB_PATH=/custom/path/memory.sqlite claude mcp add pensieve ...
+```
+
+## Security
+
+### Secrets Detection
+
+Pensieve automatically detects and **refuses to store** potential secrets including:
+- API keys (AWS, GitHub, Stripe, etc.)
+- Database connection strings with passwords
+- Bearer tokens and private keys
+- Credit card numbers and SSNs
+
+If a secret is detected, the data is NOT saved and a warning is displayed.
+
+### Storage Limits
+
+To prevent unbounded growth:
+- **Decisions**: Max 1,000 (oldest auto-pruned)
+- **Discoveries**: Max 500 (oldest auto-pruned)
+- **Sessions**: Older than 90 days auto-deleted
+- **Field length**: Max 10KB per field (truncated with warning)
+
+### Data Storage
+
+Data is stored in plaintext SQLite. Do NOT store:
+- Passwords or API keys
+- Personal identifying information
+- Financial credentials
+- Any sensitive secrets
+
+The database is local-only and never transmitted over the network.
+
+## Tools Reference
+
+| Tool | Purpose |
+|------|---------|
+| `pensieve_remember` | Save decisions, preferences, discoveries, entities, or questions |
+| `pensieve_recall` | Query the knowledge base |
+| `pensieve_session_start` | Start a session and load prior context |
+| `pensieve_session_end` | End a session and save a summary |
+| `pensieve_resolve_question` | Mark an open question as resolved |
+| `pensieve_status` | Get database location and counts |
+
+## Data Types
+
+### Decisions
+Important choices with rationale. Searchable by topic.
+
+### Preferences
+User conventions (coding style, testing approach, naming patterns).
+
+### Discoveries
+Things found in the codebase (components, patterns, helpers).
+
+### Entities
+Domain model understanding (models, relationships, attributes).
+
+### Sessions
+Summaries of work sessions for continuity.
+
+### Open Questions
+Unresolved blockers or questions to address.
+
+## Development
+
+```bash
+cd ~/Development/pensieve
+npm install
+npm run dev    # Run with tsx for development
+npm run build  # Build TypeScript
+```
+
+## License
+
+MIT

package/dist/__tests__/database.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/database.test.js

@@ -0,0 +1,210 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { MemoryDatabase, LIMITS } from '../database.js';
+import { existsSync, rmSync, mkdirSync } from 'fs';
+import { join } from 'path';
+import { tmpdir } from 'os';
+describe('Database: Limits Configuration', () => {
+    it('exports expected limit values', () => {
+        expect(LIMITS.MAX_DECISIONS).toBe(1000);
+        expect(LIMITS.MAX_DISCOVERIES).toBe(500);
+        expect(LIMITS.MAX_ENTITIES).toBe(200);
+        expect(LIMITS.MAX_QUESTIONS).toBe(100);
+        expect(LIMITS.MAX_SESSIONS).toBe(100);
+        expect(LIMITS.SESSION_RETENTION_DAYS).toBe(90);
+        expect(LIMITS.MAX_FIELD_LENGTH).toBe(10000);
+    });
+});
+describe('Database: Field Truncation', () => {
+    let db;
+    let testDir;
+    beforeEach(() => {
+        // Create a temporary directory for tests
+        testDir = join(tmpdir(), `pensieve-test-${Date.now()}`);
+        mkdirSync(testDir, { recursive: true });
+        mkdirSync(join(testDir, '.pensieve'), { recursive: true });
+        db = new MemoryDatabase(testDir);
+    });
+    afterEach(() => {
+        db.close();
+        // Clean up test directory
+        if (existsSync(testDir)) {
+            rmSync(testDir, { recursive: true, force: true });
+        }
+    });
+    it('stores normal-length fields without modification', () => {
+        const decision = {
+            topic: 'test topic',
+            decision: 'A reasonable length decision',
+            rationale: 'Some rationale here',
+        };
+        db.addDecision(decision);
+        const results = db.searchDecisions('test topic');
+        expect(results).toHaveLength(1);
+        expect(results[0].topic).toBe('test topic');
+        expect(results[0].decision).toBe('A reasonable length decision');
+        expect(results[0].rationale).toBe('Some rationale here');
+    });
+    it('truncates fields that exceed MAX_FIELD_LENGTH', () => {
+        // Create a string that exceeds the limit
+        const longString = 'x'.repeat(LIMITS.MAX_FIELD_LENGTH + 1000);
+        const decision = {
+            topic: 'long field test',
+            decision: longString,
+            rationale: 'short',
+        };
+        db.addDecision(decision);
+        const results = db.searchDecisions('long field test');
+        expect(results).toHaveLength(1);
+        expect(results[0].decision.length).toBeLessThanOrEqual(LIMITS.MAX_FIELD_LENGTH + 20); // +20 for "... [truncated]"
+        expect(results[0].decision).toContain('... [truncated]');
+    });
+    it('truncates multiple long fields in the same record', () => {
+        const longTopic = 't'.repeat(LIMITS.MAX_FIELD_LENGTH + 500);
+        const longDecision = 'd'.repeat(LIMITS.MAX_FIELD_LENGTH + 500);
+        const longRationale = 'r'.repeat(LIMITS.MAX_FIELD_LENGTH + 500);
+        db.addDecision({
+            topic: longTopic,
+            decision: longDecision,
+            rationale: longRationale,
+        });
+        const results = db.getRecentDecisions(1);
+        expect(results).toHaveLength(1);
+        expect(results[0].topic).toContain('... [truncated]');
+        expect(results[0].decision).toContain('... [truncated]');
+        expect(results[0].rationale).toContain('... [truncated]');
+    });
+    it('handles null and undefined fields gracefully', () => {
+        const discovery = {
+            category: 'component',
+            name: 'TestComponent',
+            // location, description, metadata are undefined
+        };
+        const id = db.addDiscovery(discovery);
+        expect(id).toBeGreaterThan(0);
+        const results = db.searchDiscoveries('TestComponent');
+        expect(results).toHaveLength(1);
+        expect(results[0].location).toBeNull();
+        expect(results[0].description).toBeNull();
+    });
+    it('truncates discovery metadata when too long', () => {
+        const longMetadata = JSON.stringify({ data: 'x'.repeat(LIMITS.MAX_FIELD_LENGTH) });
+        db.addDiscovery({
+            category: 'pattern',
+            name: 'LongMetadata',
+            metadata: longMetadata,
+        });
+        const results = db.searchDiscoveries('LongMetadata');
+        expect(results).toHaveLength(1);
+        expect(results[0].metadata).toContain('... [truncated]');
+    });
+    it('truncates entity fields when too long', () => {
+        const longDescription = 'd'.repeat(LIMITS.MAX_FIELD_LENGTH + 100);
+        db.upsertEntity({
+            name: 'LongEntity',
+            description: longDescription,
+        });
+        const entity = db.getEntity('LongEntity');
+        expect(entity).toBeDefined();
+        expect(entity.description).toContain('... [truncated]');
+    });
+    it('truncates preference values when too long', () => {
+        const longValue = 'v'.repeat(LIMITS.MAX_FIELD_LENGTH + 100);
+        db.setPreference({
+            category: 'testing',
+            key: 'long_pref',
+            value: longValue,
+        });
+        const pref = db.getPreference('testing', 'long_pref');
+        expect(pref).toBeDefined();
+        expect(pref.value).toContain('... [truncated]');
+    });
+    it('truncates session summary when too long', () => {
+        const longSummary = 's'.repeat(LIMITS.MAX_FIELD_LENGTH + 100);
+        const sessionId = db.startSession();
+        db.endSession(sessionId, longSummary);
+        const session = db.getLastSession();
+        expect(session).toBeDefined();
+        expect(session.summary).toContain('... [truncated]');
+    });
+    it('truncates question fields when too long', () => {
+        const longQuestion = 'q'.repeat(LIMITS.MAX_FIELD_LENGTH + 100);
+        const longContext = 'c'.repeat(LIMITS.MAX_FIELD_LENGTH + 100);
+        db.addQuestion(longQuestion, longContext);
+        const questions = db.getOpenQuestions();
+        expect(questions).toHaveLength(1);
+        expect(questions[0].question).toContain('... [truncated]');
+        expect(questions[0].context).toContain('... [truncated]');
+    });
+});
+describe('Database: Storage Limits and Pruning', () => {
+    let db;
+    let testDir;
+    beforeEach(() => {
+        testDir = join(tmpdir(), `pensieve-test-${Date.now()}`);
+        mkdirSync(testDir, { recursive: true });
+        mkdirSync(join(testDir, '.pensieve'), { recursive: true });
+        db = new MemoryDatabase(testDir);
+    });
+    afterEach(() => {
+        db.close();
+        if (existsSync(testDir)) {
+            rmSync(testDir, { recursive: true, force: true });
+        }
+    });
+    it('maintains decision count at or below MAX_DECISIONS', () => {
+        // Add more decisions than the limit allows
+        // Note: This is a slow test, so we'll just test the mechanism with a smaller set
+        const testLimit = 10;
+        for (let i = 0; i < testLimit + 5; i++) {
+            db.addDecision({
+                topic: `topic-${i}`,
+                decision: `decision-${i}`,
+            });
+        }
+        // The actual pruning happens based on LIMITS.MAX_DECISIONS (1000)
+        // Since we only added 15, all should be present
+        const decisions = db.getRecentDecisions(100);
+        expect(decisions.length).toBe(testLimit + 5);
+    });
+    it('handles empty database gracefully', () => {
+        // Just verify no errors on empty db
+        expect(db.getRecentDecisions(10)).toEqual([]);
+        expect(db.getAllPreferences()).toEqual([]);
+        expect(db.getAllEntities()).toEqual([]);
+        expect(db.getOpenQuestions()).toEqual([]);
+        expect(db.getLastSession()).toBeUndefined();
+    });
+    it('search returns results across multiple fields', () => {
+        db.addDecision({
+            topic: 'authentication',
+            decision: 'Use Devise',
+            rationale: 'Well maintained gem',
+        });
+        db.addDecision({
+            topic: 'database',
+            decision: 'Use PostgreSQL for authentication data',
+            rationale: 'ACID compliance',
+        });
+        const results = db.searchDecisions('authentication');
+        expect(results.length).toBeGreaterThanOrEqual(2);
+    });
+});
+describe('Database: Path Resolution', () => {
+    it('uses PENSIEVE_DB_PATH environment variable when set', () => {
+        const testPath = join(tmpdir(), `pensieve-env-test-${Date.now()}`);
+        mkdirSync(testPath, { recursive: true });
+        const customDbPath = join(testPath, 'custom.sqlite');
+        process.env.PENSIEVE_DB_PATH = customDbPath;
+        try {
+            const db = new MemoryDatabase();
+            db.addDecision({ topic: 'test', decision: 'test' });
+            // Verify the database was created at the custom path
+            expect(existsSync(customDbPath)).toBe(true);
+            db.close();
+        }
+        finally {
+            delete process.env.PENSIEVE_DB_PATH;
+            rmSync(testPath, { recursive: true, force: true });
+        }
+    });
+});

package/dist/__tests__/security.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/security.test.js

@@ -0,0 +1,216 @@
+import { describe, it, expect } from 'vitest';
+import { detectSecrets, checkFieldsForSecrets, formatSecretWarning } from '../security.js';
+describe('Security: Secrets Detection', () => {
+    describe('AWS Keys', () => {
+        it('detects AWS Access Key ID', () => {
+            const result = detectSecrets('My key is AKIAIOSFODNN7EXAMPLE');
+            expect(result.containsSecret).toBe(true);
+            expect(result.warnings.some(w => w.includes('AWS'))).toBe(true);
+        });
+        it('detects AWS Access Key ID in context', () => {
+            const result = detectSecrets('aws_access_key_id = AKIAIOSFODNN7EXAMPLE');
+            expect(result.containsSecret).toBe(true);
+        });
+        it('detects potential AWS Secret Key (40 char base64-like)', () => {
+            const result = detectSecrets('secret: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY');
+            expect(result.containsSecret).toBe(true);
+        });
+    });
+    describe('GitHub Tokens', () => {
+        it('detects GitHub Personal Access Token (classic)', () => {
+            const result = detectSecrets('token: ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789');
+            expect(result.containsSecret).toBe(true);
+            expect(result.warnings.some(w => w.includes('GitHub'))).toBe(true);
+        });
+        it('detects GitHub Fine-grained PAT', () => {
+            const result = detectSecrets('GITHUB_TOKEN=github_pat_11ABCDEFG_abcdefghijklmnopqrstuvwxyz');
+            expect(result.containsSecret).toBe(true);
+            expect(result.warnings.some(w => w.includes('GitHub'))).toBe(true);
+        });
+        it('detects GitHub OAuth Token', () => {
+            const result = detectSecrets('oauth: gho_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789');
+            expect(result.containsSecret).toBe(true);
+            expect(result.warnings.some(w => w.includes('GitHub'))).toBe(true);
+        });
+    });
+    describe('Stripe Keys', () => {
+        // Build test keys dynamically to avoid GitHub secret scanning
+        const stripePrefix = 'sk_';
+        const liveKey = stripePrefix + 'live_51ABCdefGHIjklMNOpqrSTUvwxyz';
+        const testKey = stripePrefix + 'test_51ABCdefGHIjklMNOpqrSTUvwxyz';
+        it('detects Stripe live secret key', () => {
+            const result = detectSecrets(`STRIPE_SECRET_KEY=${liveKey}`);
+            expect(result.containsSecret).toBe(true);
+            expect(result.warnings.some(w => w.includes('Stripe'))).toBe(true);
+        });
+        it('detects Stripe test secret key', () => {
+            const result = detectSecrets(`stripe_key: ${testKey}`);
+            expect(result.containsSecret).toBe(true);
+            expect(result.warnings.some(w => w.includes('Stripe'))).toBe(true);
+        });
+    });
+    describe('Database Connection Strings', () => {
+        it('detects PostgreSQL connection string with password', () => {
+            const result = detectSecrets('DATABASE_URL=postgres://user:secretpassword@localhost:5432/mydb');
+            expect(result.containsSecret).toBe(true);
+            expect(result.warnings.some(w => w.includes('PostgreSQL'))).toBe(true);
+        });
+        it('detects PostgreSQL connection string (postgresql://)', () => {
+            const result = detectSecrets('postgresql://admin:p@ssw0rd@db.example.com/production');
+            expect(result.containsSecret).toBe(true);
+        });
+        it('detects MySQL connection string with password', () => {
+            const result = detectSecrets('mysql://root:supersecret@mysql.example.com:3306/app');
+            expect(result.containsSecret).toBe(true);
+            expect(result.warnings.some(w => w.includes('MySQL'))).toBe(true);
+        });
+        it('detects MongoDB connection string with password', () => {
+            const result = detectSecrets('mongodb://user:pass123@cluster.mongodb.net/db');
+            expect(result.containsSecret).toBe(true);
+            expect(result.warnings.some(w => w.includes('MongoDB'))).toBe(true);
+        });
+        it('detects MongoDB+srv connection string', () => {
+            const result = detectSecrets('mongodb+srv://admin:secret@cluster0.abc123.mongodb.net/mydb');
+            expect(result.containsSecret).toBe(true);
+        });
+    });
+    describe('Bearer Tokens', () => {
+        it('detects bearer token in Authorization header format', () => {
+            const result = detectSecrets('Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWI');
+            expect(result.containsSecret).toBe(true);
+            expect(result.warnings.some(w => w.includes('Bearer'))).toBe(true);
+        });
+        it('detects bearer token inline', () => {
+            const result = detectSecrets('Use bearer abc123def456ghi789jkl012mno345');
+            expect(result.containsSecret).toBe(true);
+        });
+    });
+    describe('Private Keys', () => {
+        it('detects RSA private key header', () => {
+            const result = detectSecrets('-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQ');
+            expect(result.containsSecret).toBe(true);
+            expect(result.warnings.some(w => w.includes('Private key'))).toBe(true);
+        });
+        it('detects generic private key header', () => {
+            const result = detectSecrets('-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMG');
+            expect(result.containsSecret).toBe(true);
+        });
+        it('detects OpenSSH private key header', () => {
+            const result = detectSecrets('-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1r');
+            expect(result.containsSecret).toBe(true);
+            expect(result.warnings.some(w => w.includes('SSH'))).toBe(true);
+        });
+    });
+    describe('Generic Secrets', () => {
+        it('detects password assignments', () => {
+            const result = detectSecrets('password = "mySuperSecretPass123"');
+            expect(result.containsSecret).toBe(true);
+            expect(result.warnings.some(w => w.includes('Password'))).toBe(true);
+        });
+        it('detects password with colon separator', () => {
+            const result = detectSecrets('password: verysecretpassword');
+            expect(result.containsSecret).toBe(true);
+        });
+        it('detects secret/token assignments', () => {
+            const result = detectSecrets('api_secret = "abcdef1234567890abcdef"');
+            expect(result.containsSecret).toBe(true);
+        });
+        it('detects API key patterns', () => {
+            const result = detectSecrets('My api_key is abc123def456ghi789jkl');
+            expect(result.containsSecret).toBe(true);
+            expect(result.warnings.some(w => w.includes('API key'))).toBe(true);
+        });
+    });
+    describe('Credit Card Numbers', () => {
+        it('detects Visa card number', () => {
+            const result = detectSecrets('Card: 4111111111111111');
+            expect(result.containsSecret).toBe(true);
+            expect(result.warnings.some(w => w.includes('Credit card'))).toBe(true);
+        });
+        it('detects Mastercard number', () => {
+            const result = detectSecrets('Payment with 5500000000000004');
+            expect(result.containsSecret).toBe(true);
+        });
+        it('detects American Express number', () => {
+            const result = detectSecrets('Amex: 378282246310005');
+            expect(result.containsSecret).toBe(true);
+        });
+    });
+    describe('Social Security Numbers', () => {
+        it('detects SSN format (XXX-XX-XXXX)', () => {
+            const result = detectSecrets('SSN: 123-45-6789');
+            expect(result.containsSecret).toBe(true);
+            expect(result.warnings.some(w => w.includes('Social Security'))).toBe(true);
+        });
+    });
+    describe('Safe Content (No False Positives)', () => {
+        it('does not flag normal text', () => {
+            const result = detectSecrets('We decided to use PostgreSQL for the database');
+            expect(result.containsSecret).toBe(false);
+        });
+        it('does not flag code patterns', () => {
+            const result = detectSecrets('function getUser(id: string) { return users[id]; }');
+            expect(result.containsSecret).toBe(false);
+        });
+        it('does not flag short strings', () => {
+            const result = detectSecrets('key = "abc"');
+            expect(result.containsSecret).toBe(false);
+        });
+        it('does not flag file paths', () => {
+            const result = detectSecrets('Located at /app/components/user_component.rb');
+            expect(result.containsSecret).toBe(false);
+        });
+        it('does not flag database connection without password', () => {
+            const result = detectSecrets('postgres://localhost:5432/mydb');
+            expect(result.containsSecret).toBe(false);
+        });
+        it('does not flag UUIDs', () => {
+            const result = detectSecrets('id: 550e8400-e29b-41d4-a716-446655440000');
+            expect(result.containsSecret).toBe(false);
+        });
+    });
+});
+describe('Security: checkFieldsForSecrets', () => {
+    // Build test key dynamically to avoid GitHub secret scanning
+    const stripeKey = 'sk_' + 'live_51ABCdefGHIjklMNOpqrSTUvwxyz';
+    it('checks multiple fields and reports which field contains secret', () => {
+        const result = checkFieldsForSecrets({
+            topic: 'authentication',
+            decision: `Use API key: ${stripeKey}`,
+            rationale: 'It works well',
+        });
+        expect(result.containsSecret).toBe(true);
+        expect(result.warnings.some(w => w.includes('decision'))).toBe(true);
+    });
+    it('returns no warnings for safe content', () => {
+        const result = checkFieldsForSecrets({
+            topic: 'database',
+            decision: 'Use PostgreSQL',
+            rationale: 'Better for our use case',
+        });
+        expect(result.containsSecret).toBe(false);
+        expect(result.warnings).toHaveLength(0);
+    });
+    it('handles undefined and null values', () => {
+        const result = checkFieldsForSecrets({
+            topic: 'test',
+            decision: undefined,
+            rationale: undefined,
+        });
+        expect(result.containsSecret).toBe(false);
+    });
+});
+describe('Security: formatSecretWarning', () => {
+    it('formats warning message with detected secrets', () => {
+        const result = detectSecrets('password: secret123456');
+        const message = formatSecretWarning(result);
+        expect(message).toContain('SECURITY WARNING');
+        expect(message).toContain('NOT saved');
+        expect(message).toContain('Password');
+    });
+    it('returns empty string for safe content', () => {
+        const result = detectSecrets('normal text here');
+        const message = formatSecretWarning(result);
+        expect(message).toBe('');
+    });
+});