@frontmcp/plugin-remember 0.0.1 → 0.7.1

package/index.js

@@ -0,0 +1,1316 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var __decorateClass = (decorators, target, key, kind) => {
+  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc(target, key) : target;
+  for (var i = decorators.length - 1, decorator; i >= 0; i--)
+    if (decorator = decorators[i])
+      result = (kind ? decorator(target, key, result) : decorator(result)) || result;
+  if (kind && result) __defProp(target, key, result);
+  return result;
+};
+var __publicField = (obj, key, value) => __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
+
+// plugins/plugin-remember/src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  ForgetTool: () => ForgetTool,
+  ListMemoriesTool: () => ListMemoriesTool,
+  RecallTool: () => RecallTool,
+  RememberAccessor: () => RememberAccessor,
+  RememberAccessorToken: () => RememberAccessorToken,
+  RememberConfigToken: () => RememberConfigToken,
+  RememberMemoryProvider: () => RememberMemoryProvider,
+  RememberPlugin: () => RememberPlugin,
+  RememberRedisProvider: () => RememberRedisProvider,
+  RememberStoreToken: () => RememberStoreToken,
+  RememberThisTool: () => RememberThisTool,
+  RememberVercelKvProvider: () => RememberVercelKvProvider,
+  brand: () => brand,
+  default: () => RememberPlugin,
+  getRemember: () => getRemember,
+  tryGetRemember: () => tryGetRemember
+});
+module.exports = __toCommonJS(index_exports);
+
+// plugins/plugin-remember/src/remember.plugin.ts
+var import_sdk5 = require("@frontmcp/sdk");
+
+// plugins/plugin-remember/src/remember.symbols.ts
+var RememberStoreToken = /* @__PURE__ */ Symbol(
+  "plugin:remember:store"
+);
+var RememberConfigToken = /* @__PURE__ */ Symbol(
+  "plugin:remember:config"
+);
+var RememberAccessorToken = /* @__PURE__ */ Symbol(
+  "plugin:remember:accessor"
+);
+
+// plugins/plugin-remember/src/providers/remember-memory.provider.ts
+var import_sdk = require("@frontmcp/sdk");
+var MAX_TIMEOUT_MS = 2 ** 31 - 1;
+var RememberMemoryProvider = class {
+  memory = /* @__PURE__ */ new Map();
+  sweeper;
+  constructor(sweepIntervalSeconds = 60) {
+    this.sweeper = setInterval(() => this.sweep(), sweepIntervalSeconds * 1e3);
+    this.sweeper.unref?.();
+  }
+  /**
+   * Store a value with optional TTL.
+   * Always JSON-serializes the value for consistent storage/retrieval.
+   */
+  async setValue(key, value, ttlSeconds) {
+    const strValue = JSON.stringify(value);
+    const existing = this.memory.get(key);
+    if (existing?.timeout) clearTimeout(existing.timeout);
+    const entry = { value: strValue };
+    if (ttlSeconds && ttlSeconds > 0) {
+      const ttlMs = ttlSeconds * 1e3;
+      entry.expiresAt = Date.now() + ttlMs;
+      if (ttlMs <= MAX_TIMEOUT_MS) {
+        entry.timeout = setTimeout(() => {
+          const e = this.memory.get(key);
+          if (e && e.expiresAt && e.expiresAt <= Date.now()) {
+            this.memory.delete(key);
+          }
+        }, ttlMs);
+        entry.timeout.unref?.();
+      }
+    }
+    this.memory.set(key, entry);
+  }
+  /**
+   * Retrieve a value by key.
+   * JSON-parses the stored value to match the setValue serialization.
+   */
+  async getValue(key, defaultValue) {
+    const entry = this.memory.get(key);
+    if (!entry) return defaultValue;
+    if (this.isExpired(entry)) {
+      await this.delete(key);
+      return defaultValue;
+    }
+    try {
+      return JSON.parse(entry.value);
+    } catch {
+      return entry.value;
+    }
+  }
+  /**
+   * Delete a key.
+   */
+  async delete(key) {
+    const entry = this.memory.get(key);
+    if (entry?.timeout) clearTimeout(entry.timeout);
+    this.memory.delete(key);
+  }
+  /**
+   * Check if a key exists (and is not expired).
+   */
+  async exists(key) {
+    const entry = this.memory.get(key);
+    if (!entry) return false;
+    if (this.isExpired(entry)) {
+      await this.delete(key);
+      return false;
+    }
+    return true;
+  }
+  /**
+   * List keys matching a glob-style pattern.
+   * Supports * and ? wildcards.
+   */
+  async keys(pattern) {
+    const result = [];
+    const regex = pattern ? this.patternToRegex(pattern) : null;
+    const expiredKeys = [];
+    for (const [key, entry] of this.memory) {
+      if (this.isExpired(entry)) {
+        expiredKeys.push(key);
+      }
+    }
+    for (const key of expiredKeys) {
+      await this.delete(key);
+    }
+    for (const [key, entry] of this.memory) {
+      if (this.isExpired(entry)) {
+        continue;
+      }
+      if (regex && !regex.test(key)) {
+        continue;
+      }
+      result.push(key);
+    }
+    return result;
+  }
+  /**
+   * Gracefully close the provider.
+   */
+  async close() {
+    if (this.sweeper) clearInterval(this.sweeper);
+    for (const [, entry] of this.memory) {
+      if (entry.timeout) clearTimeout(entry.timeout);
+    }
+    this.memory.clear();
+  }
+  // ─────────────────────────────────────────────────────────────────────────────
+  // Private Methods
+  // ─────────────────────────────────────────────────────────────────────────────
+  isExpired(entry) {
+    return entry.expiresAt !== void 0 && entry.expiresAt <= Date.now();
+  }
+  /**
+   * Periodically remove expired keys to keep memory tidy.
+   */
+  sweep() {
+    const now = Date.now();
+    for (const [key, entry] of this.memory) {
+      if (entry.expiresAt !== void 0 && entry.expiresAt <= now) {
+        if (entry.timeout) clearTimeout(entry.timeout);
+        this.memory.delete(key);
+      }
+    }
+  }
+  /**
+   * Convert a glob-style pattern to a RegExp.
+   * * matches any sequence of characters
+   * ? matches any single character
+   *
+   * Includes ReDoS protection: validates pattern length and wildcard count.
+   */
+  patternToRegex(pattern) {
+    if (pattern.length > RememberMemoryProvider.MAX_PATTERN_LENGTH) {
+      throw new Error(`Pattern too long: ${pattern.length} chars (max ${RememberMemoryProvider.MAX_PATTERN_LENGTH})`);
+    }
+    const wildcardCount = (pattern.match(/[*?]/g) || []).length;
+    if (wildcardCount > RememberMemoryProvider.MAX_WILDCARDS) {
+      throw new Error(`Too many wildcards in pattern: ${wildcardCount} (max ${RememberMemoryProvider.MAX_WILDCARDS})`);
+    }
+    const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
+    return new RegExp(`^${escaped}$`);
+  }
+};
+// ReDoS protection constants
+// Pattern length allows for long prefixes (e.g., remember:session:{uuid}:user:*)
+__publicField(RememberMemoryProvider, "MAX_PATTERN_LENGTH", 500);
+__publicField(RememberMemoryProvider, "MAX_WILDCARDS", 20);
+RememberMemoryProvider = __decorateClass([
+  (0, import_sdk.Provider)({
+    name: "provider:remember:memory",
+    description: "In-memory storage provider for RememberPlugin",
+    scope: import_sdk.ProviderScope.GLOBAL
+  })
+], RememberMemoryProvider);
+
+// plugins/plugin-remember/src/providers/remember-redis.provider.ts
+var import_ioredis = __toESM(require("ioredis"));
+var import_sdk2 = require("@frontmcp/sdk");
+var RememberRedisProvider = class {
+  client;
+  /**
+   * Prefix prepended to all Redis keys.
+   * Include any separator (e.g., "myapp:" or "user:123:") as part of the prefix.
+   */
+  keyPrefix;
+  /** True if this provider created the client (and should close it), false if externally provided */
+  ownsClient;
+  constructor(options) {
+    this.keyPrefix = options.keyPrefix ?? "";
+    if (options.type === "redis-client") {
+      this.client = options.client;
+      this.ownsClient = false;
+      return;
+    }
+    this.ownsClient = true;
+    this.client = new import_ioredis.default({
+      lazyConnect: false,
+      maxRetriesPerRequest: 3,
+      ...options.config
+    });
+    this.client.on("connect", () => {
+      if (process.env["DEBUG"] === "true") {
+        console.log("[RememberPlugin:Redis] Connected");
+      }
+    });
+    this.client.on("error", (err) => {
+      console.error("[RememberPlugin:Redis] Error:", err.message);
+    });
+  }
+  /**
+   * Store a value with optional TTL.
+   *
+   * @param key - The key to store under
+   * @param value - The value to store (must not be undefined)
+   * @param ttlSeconds - Optional TTL in seconds (must be positive integer if provided)
+   * @throws Error if value is undefined or ttlSeconds is invalid
+   */
+  async setValue(key, value, ttlSeconds) {
+    if (value === void 0) {
+      throw new Error("Cannot store undefined value. Use null or delete the key instead.");
+    }
+    if (ttlSeconds !== void 0) {
+      if (typeof ttlSeconds !== "number" || !Number.isFinite(ttlSeconds)) {
+        throw new Error(`Invalid TTL: expected a number, got ${typeof ttlSeconds}`);
+      }
+      if (ttlSeconds <= 0) {
+        throw new Error(`Invalid TTL: must be positive, got ${ttlSeconds}`);
+      }
+      if (!Number.isInteger(ttlSeconds)) {
+        throw new Error(`Invalid TTL: must be an integer, got ${ttlSeconds}`);
+      }
+    }
+    const fullKey = this.keyPrefix + key;
+    const strValue = typeof value === "string" ? value : JSON.stringify(value);
+    if (ttlSeconds !== void 0 && ttlSeconds > 0) {
+      await this.client.set(fullKey, strValue, "EX", ttlSeconds);
+    } else {
+      await this.client.set(fullKey, strValue);
+    }
+  }
+  /**
+   * Retrieve a value by key.
+   *
+   * Returns the parsed JSON value if successful, or `defaultValue` if:
+   * - The key does not exist
+   * - The stored value is not valid JSON (malformed or legacy data)
+   *
+   * @param key - The key to retrieve
+   * @param defaultValue - Value to return if key doesn't exist or parsing fails
+   * @returns The parsed value as T, or defaultValue/undefined
+   */
+  async getValue(key, defaultValue) {
+    const fullKey = this.keyPrefix + key;
+    const raw = await this.client.get(fullKey);
+    if (raw === null) return defaultValue;
+    try {
+      return JSON.parse(raw);
+    } catch {
+      return defaultValue;
+    }
+  }
+  /**
+   * Delete a key.
+   */
+  async delete(key) {
+    const fullKey = this.keyPrefix + key;
+    await this.client.del(fullKey);
+  }
+  /**
+   * Check if a key exists.
+   */
+  async exists(key) {
+    const fullKey = this.keyPrefix + key;
+    return await this.client.exists(fullKey) === 1;
+  }
+  /**
+   * List keys matching a pattern.
+   * Uses Redis SCAN for efficient iteration.
+   */
+  async keys(pattern) {
+    const searchPattern = this.keyPrefix + (pattern ?? "*");
+    const result = [];
+    let cursor = "0";
+    do {
+      const [nextCursor, keys] = await this.client.scan(cursor, "MATCH", searchPattern, "COUNT", 100);
+      cursor = nextCursor;
+      for (const key of keys) {
+        result.push(key.slice(this.keyPrefix.length));
+      }
+    } while (cursor !== "0");
+    return result;
+  }
+  /**
+   * Gracefully close the Redis connection.
+   * Only closes if this provider owns the client (created it internally).
+   * Externally-provided clients are left open for the caller to manage.
+   */
+  async close() {
+    if (this.ownsClient) {
+      await this.client.quit();
+    }
+  }
+};
+RememberRedisProvider = __decorateClass([
+  (0, import_sdk2.Provider)({
+    name: "provider:remember:redis",
+    description: "Redis-based storage provider for RememberPlugin",
+    scope: import_sdk2.ProviderScope.GLOBAL
+  })
+], RememberRedisProvider);
+
+// plugins/plugin-remember/src/providers/remember-vercel-kv.provider.ts
+var import_sdk3 = require("@frontmcp/sdk");
+var RememberVercelKvProvider = class {
+  kv;
+  keyPrefix;
+  defaultTTL;
+  constructor(options = {}) {
+    const vercelKv = require("@vercel/kv");
+    const hasUrl = options.url !== void 0;
+    const hasToken = options.token !== void 0;
+    if (hasUrl !== hasToken) {
+      throw new Error(
+        `RememberVercelKvProvider: Both 'url' and 'token' must be provided together, or neither. Received: url=${hasUrl ? "provided" : "missing"}, token=${hasToken ? "provided" : "missing"}`
+      );
+    }
+    if (options.url && options.token) {
+      this.kv = vercelKv.createClient({
+        url: options.url,
+        token: options.token
+      });
+    } else {
+      this.kv = vercelKv.kv;
+    }
+    this.keyPrefix = options.keyPrefix ?? "remember:";
+    this.defaultTTL = options.defaultTTL;
+  }
+  prefixKey(key) {
+    return `${this.keyPrefix}${key}`;
+  }
+  /**
+   * Store a value with optional TTL.
+   */
+  async setValue(key, value, ttlSeconds) {
+    const fullKey = this.prefixKey(key);
+    const strValue = typeof value === "string" ? value : JSON.stringify(value);
+    const ttl = ttlSeconds ?? this.defaultTTL;
+    if (ttl && ttl > 0) {
+      await this.kv.set(fullKey, strValue, { ex: ttl });
+    } else {
+      await this.kv.set(fullKey, strValue);
+    }
+  }
+  /**
+   * Retrieve a value by key.
+   */
+  async getValue(key, defaultValue) {
+    const fullKey = this.prefixKey(key);
+    const raw = await this.kv.get(fullKey);
+    if (raw === null || raw === void 0) return defaultValue;
+    if (typeof raw === "string") {
+      try {
+        return JSON.parse(raw);
+      } catch {
+        return raw;
+      }
+    }
+    return raw;
+  }
+  /**
+   * Delete a key.
+   */
+  async delete(key) {
+    const fullKey = this.prefixKey(key);
+    await this.kv.del(fullKey);
+  }
+  /**
+   * Check if a key exists.
+   */
+  async exists(key) {
+    const fullKey = this.prefixKey(key);
+    return await this.kv.exists(fullKey) === 1;
+  }
+  /**
+   * List keys matching a pattern.
+   * Uses SCAN for efficient iteration.
+   */
+  async keys(pattern) {
+    const searchPattern = this.prefixKey(pattern ?? "*");
+    const result = [];
+    try {
+      let cursor = 0;
+      do {
+        const [nextCursor, keys] = await this.kv.scan(cursor, {
+          match: searchPattern,
+          count: 100
+        });
+        cursor = nextCursor;
+        for (const key of keys) {
+          result.push(key.slice(this.keyPrefix.length));
+        }
+      } while (cursor !== 0);
+    } catch {
+      try {
+        const keys = await this.kv.keys(searchPattern);
+        for (const key of keys) {
+          result.push(key.slice(this.keyPrefix.length));
+        }
+      } catch {
+        console.warn("[RememberPlugin:VercelKV] keys() operation not supported");
+      }
+    }
+    return result;
+  }
+  /**
+   * Gracefully close the provider.
+   * No-op for Vercel KV as it uses stateless REST API.
+   */
+  async close() {
+  }
+};
+RememberVercelKvProvider = __decorateClass([
+  (0, import_sdk3.Provider)({
+    name: "provider:remember:vercel-kv",
+    description: "Vercel KV-based storage provider for RememberPlugin",
+    scope: import_sdk3.ProviderScope.GLOBAL
+  })
+], RememberVercelKvProvider);
+
+// plugins/plugin-remember/src/providers/remember-accessor.provider.ts
+var import_sdk4 = require("@frontmcp/sdk");
+
+// plugins/plugin-remember/src/remember.crypto.ts
+var import_utils2 = require("@frontmcp/utils");
+
+// plugins/plugin-remember/src/remember.secret-persistence.ts
+var path = __toESM(require("path"));
+var import_zod = require("zod");
+var import_utils = require("@frontmcp/utils");
+var DEFAULT_SECRET_FILE_PATH = ".frontmcp/remember-secret.json";
+var SECRET_BYTES = 32;
+var rememberSecretDataSchema = import_zod.z.object({
+  secret: import_zod.z.string().min(32),
+  // base64url of 32 bytes is ~43 chars
+  createdAt: import_zod.z.number().positive().int(),
+  version: import_zod.z.literal(1)
+});
+function validateSecretData(data) {
+  const result = rememberSecretDataSchema.safeParse(data);
+  if (!result.success) {
+    return { valid: false, error: result.error.issues[0]?.message ?? "Invalid secret structure" };
+  }
+  const parsed = result.data;
+  const now = Date.now();
+  if (parsed.createdAt > now + 6e4) {
+    return { valid: false, error: "createdAt is in the future" };
+  }
+  const hundredYearsMs = 100 * 365 * 24 * 60 * 60 * 1e3;
+  if (parsed.createdAt < now - hundredYearsMs) {
+    return { valid: false, error: "createdAt is too old" };
+  }
+  return { valid: true };
+}
+function isSecretPersistenceEnabled(options) {
+  const isProduction = process.env["NODE_ENV"] === "production";
+  if (isProduction) {
+    return options?.forceEnable === true;
+  }
+  return true;
+}
+function resolveSecretPath(options) {
+  const secretPath = options?.secretPath ?? DEFAULT_SECRET_FILE_PATH;
+  if (path.isAbsolute(secretPath)) {
+    return secretPath;
+  }
+  return path.resolve(process.cwd(), secretPath);
+}
+async function loadRememberSecret(options) {
+  if (!isSecretPersistenceEnabled(options)) {
+    return null;
+  }
+  const secretPath = resolveSecretPath(options);
+  try {
+    const content = await (0, import_utils.readFile)(secretPath, "utf8");
+    const data = JSON.parse(content);
+    const validation = validateSecretData(data);
+    if (!validation.valid) {
+      console.warn(
+        `[RememberSecretPersistence] Invalid secret file format at ${secretPath}: ${validation.error}, will regenerate`
+      );
+      return null;
+    }
+    return data;
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      return null;
+    }
+    console.warn(`[RememberSecretPersistence] Failed to load secret from ${secretPath}: ${error.message}`);
+    return null;
+  }
+}
+async function saveRememberSecret(secretData, options) {
+  if (!isSecretPersistenceEnabled(options)) {
+    return true;
+  }
+  const secretPath = resolveSecretPath(options);
+  const dir = path.dirname(secretPath);
+  const tempPath = `${secretPath}.tmp.${Date.now()}.${(0, import_utils.base64urlEncode)((0, import_utils.randomBytes)(8))}`;
+  try {
+    await (0, import_utils.mkdir)(dir, { recursive: true, mode: 448 });
+    const content = JSON.stringify(secretData, null, 2);
+    await (0, import_utils.writeFile)(tempPath, content, { mode: 384 });
+    await (0, import_utils.rename)(tempPath, secretPath);
+    return true;
+  } catch (error) {
+    console.error(`[RememberSecretPersistence] Failed to save secret to ${secretPath}: ${error.message}`);
+    try {
+      await (0, import_utils.unlink)(tempPath);
+    } catch {
+    }
+    return false;
+  }
+}
+var cachedSecret = null;
+var secretGenerationPromise = null;
+function generateSecret() {
+  return (0, import_utils.base64urlEncode)((0, import_utils.randomBytes)(SECRET_BYTES));
+}
+async function getOrCreatePersistedSecret(options) {
+  if (cachedSecret) {
+    return cachedSecret;
+  }
+  if (secretGenerationPromise) {
+    return secretGenerationPromise;
+  }
+  secretGenerationPromise = (async () => {
+    try {
+      const loaded = await loadRememberSecret(options);
+      if (loaded) {
+        cachedSecret = loaded.secret;
+        return cachedSecret;
+      }
+      const newSecret = generateSecret();
+      const secretData = {
+        secret: newSecret,
+        createdAt: Date.now(),
+        version: 1
+      };
+      if (isSecretPersistenceEnabled(options)) {
+        await saveRememberSecret(secretData, options);
+      }
+      cachedSecret = newSecret;
+      return cachedSecret;
+    } finally {
+      secretGenerationPromise = null;
+    }
+  })();
+  return secretGenerationPromise;
+}
+
+// plugins/plugin-remember/src/remember.crypto.ts
+async function getBaseSecret() {
+  const envSecret = process.env["REMEMBER_SECRET"] || process.env["MCP_MEMORY_SECRET"] || process.env["MCP_SESSION_SECRET"];
+  if (envSecret) {
+    return envSecret;
+  }
+  return getOrCreatePersistedSecret();
+}
+var textEncoder = new TextEncoder();
+async function deriveEncryptionKey(source) {
+  const salt = textEncoder.encode("remember-plugin-v1");
+  let ikm;
+  let context;
+  switch (source.type) {
+    case "session":
+      ikm = source.sessionId;
+      context = `remember:session:${source.sessionId}`;
+      break;
+    case "tool":
+      ikm = source.sessionId;
+      context = `remember:tool:${source.toolName}:${source.sessionId}`;
+      break;
+    case "user":
+      ikm = await getBaseSecret() + source.userId;
+      context = `remember:user:${source.userId}`;
+      break;
+    case "global":
+      ikm = await getBaseSecret();
+      context = "remember:global";
+      break;
+    case "custom":
+      ikm = source.key;
+      context = `remember:custom:${source.key}`;
+      break;
+  }
+  const ikmBytes = textEncoder.encode(ikm);
+  const info = textEncoder.encode(context);
+  return (0, import_utils2.hkdfSha256)(ikmBytes, salt, info, 32);
+}
+function getKeySourceForScope(scope, context) {
+  switch (scope) {
+    case "session":
+      return { type: "session", sessionId: context.sessionId };
+    case "user":
+      return { type: "user", userId: context.userId ?? "anonymous" };
+    case "tool":
+      return {
+        type: "tool",
+        toolName: context.toolName ?? "unknown",
+        sessionId: context.sessionId
+      };
+    case "global":
+      return { type: "global" };
+  }
+}
+var textDecoder = new TextDecoder();
+async function encryptValue(data, keySource) {
+  const key = await deriveEncryptionKey(keySource);
+  const plaintext = textEncoder.encode(JSON.stringify(data));
+  const iv = (0, import_utils2.randomBytes)(12);
+  const { ciphertext, tag } = (0, import_utils2.encryptAesGcm)(key, plaintext, iv);
+  return {
+    alg: "A256GCM",
+    iv: (0, import_utils2.base64urlEncode)(iv),
+    tag: (0, import_utils2.base64urlEncode)(tag),
+    data: (0, import_utils2.base64urlEncode)(ciphertext)
+  };
+}
+async function decryptValue(blob, keySource) {
+  try {
+    const key = await deriveEncryptionKey(keySource);
+    const iv = (0, import_utils2.base64urlDecode)(blob.iv);
+    const tag = (0, import_utils2.base64urlDecode)(blob.tag);
+    const ciphertext = (0, import_utils2.base64urlDecode)(blob.data);
+    const decrypted = (0, import_utils2.decryptAesGcm)(key, ciphertext, iv, tag);
+    return JSON.parse(textDecoder.decode(decrypted));
+  } catch {
+    return null;
+  }
+}
+function serializeBlob(blob) {
+  return JSON.stringify(blob);
+}
+function deserializeBlob(str) {
+  try {
+    const parsed = JSON.parse(str);
+    if (parsed && typeof parsed === "object" && parsed.alg === "A256GCM" && typeof parsed.iv === "string" && typeof parsed.tag === "string" && typeof parsed.data === "string") {
+      return parsed;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+async function encryptAndSerialize(data, keySource) {
+  const blob = await encryptValue(data, keySource);
+  return serializeBlob(blob);
+}
+async function deserializeAndDecrypt(str, keySource) {
+  const blob = deserializeBlob(str);
+  if (!blob) return null;
+  return decryptValue(blob, keySource);
+}
+
+// plugins/plugin-remember/src/providers/remember-accessor.provider.ts
+var RememberAccessor = class {
+  store;
+  ctx;
+  config;
+  keyPrefix;
+  encryptionEnabled;
+  constructor(store, ctx, config) {
+    this.store = store;
+    this.ctx = ctx;
+    this.config = config;
+    this.keyPrefix = config.keyPrefix ?? "remember:";
+    this.encryptionEnabled = config.encryption?.enabled !== false;
+  }
+  // ─────────────────────────────────────────────────────────────────────────────
+  // Public API
+  // ─────────────────────────────────────────────────────────────────────────────
+  /**
+   * Store a value in memory.
+   *
+   * @param key - The key to store under
+   * @param value - The value to store (any JSON-serializable data)
+   * @param options - Storage options (scope, ttl, brand, metadata)
+   */
+  async set(key, value, options = {}) {
+    const scope = options.scope ?? "session";
+    const storageKey = this.buildStorageKey(key, scope);
+    const entry = {
+      value,
+      brand: options.brand,
+      createdAt: Date.now(),
+      updatedAt: Date.now(),
+      expiresAt: options.ttl ? Date.now() + options.ttl * 1e3 : void 0,
+      metadata: options.metadata
+    };
+    const serialized = this.encryptionEnabled ? await encryptAndSerialize(entry, this.getKeySource(scope)) : JSON.stringify(entry);
+    await this.store.setValue(storageKey, serialized, options.ttl);
+  }
+  /**
+   * Retrieve a value from memory.
+   *
+   * @param key - The key to retrieve
+   * @param options - Retrieval options (scope, defaultValue)
+   * @returns The stored value or defaultValue if not found
+   */
+  async get(key, options = {}) {
+    const scope = options.scope ?? "session";
+    const storageKey = this.buildStorageKey(key, scope);
+    const raw = await this.store.getValue(storageKey);
+    if (!raw) return options.defaultValue;
+    const entry = this.encryptionEnabled ? await deserializeAndDecrypt(raw, this.getKeySource(scope)) : this.parseEntry(raw);
+    if (!entry) return options.defaultValue;
+    if (entry.expiresAt && Date.now() > entry.expiresAt) {
+      await this.forget(key, { scope });
+      return options.defaultValue;
+    }
+    return entry.value;
+  }
+  /**
+   * Get the full entry including metadata.
+   *
+   * @param key - The key to retrieve
+   * @param options - Retrieval options (scope)
+   * @returns The full entry or undefined if not found
+   */
+  async getEntry(key, options = {}) {
+    const scope = options.scope ?? "session";
+    const storageKey = this.buildStorageKey(key, scope);
+    const raw = await this.store.getValue(storageKey);
+    if (!raw) return void 0;
+    const entry = this.encryptionEnabled ? await deserializeAndDecrypt(raw, this.getKeySource(scope)) : this.parseEntry(raw);
+    if (!entry) return void 0;
+    if (entry.expiresAt && Date.now() > entry.expiresAt) {
+      await this.forget(key, { scope });
+      return void 0;
+    }
+    return entry;
+  }
+  /**
+   * Forget (delete) a value from memory.
+   *
+   * @param key - The key to forget
+   * @param options - Options (scope)
+   */
+  async forget(key, options = {}) {
+    const scope = options.scope ?? "session";
+    const storageKey = this.buildStorageKey(key, scope);
+    await this.store.delete(storageKey);
+  }
+  /**
+   * Check if a key is remembered (exists and not expired).
+   *
+   * @param key - The key to check
+   * @param options - Options (scope)
+   * @returns true if the key exists
+   */
+  async knows(key, options = {}) {
+    const scope = options.scope ?? "session";
+    const storageKey = this.buildStorageKey(key, scope);
+    return this.store.exists(storageKey);
+  }
+  /**
+   * List all remembered keys for a scope.
+   *
+   * @param options - Options (scope, pattern)
+   * @returns Array of keys (without the scope prefix)
+   */
+  async list(options = {}) {
+    const scope = options.scope ?? "session";
+    const scopePrefix = this.buildScopePrefix(scope);
+    const fullPattern = scopePrefix + (options.pattern ?? "*");
+    const keys = await this.store.keys(fullPattern);
+    return keys.map((k) => k.slice(scopePrefix.length));
+  }
+  /**
+   * Update an existing entry's value while preserving metadata.
+   *
+   * @param key - The key to update
+   * @param value - The new value
+   * @param options - Options (scope, ttl)
+   */
+  async update(key, value, options = {}) {
+    const scope = options.scope ?? "session";
+    const existing = await this.getEntry(key, { scope });
+    if (!existing) return false;
+    const entry = {
+      ...existing,
+      value,
+      updatedAt: Date.now(),
+      expiresAt: options.ttl ? Date.now() + options.ttl * 1e3 : existing.expiresAt
+    };
+    const storageKey = this.buildStorageKey(key, scope);
+    const serialized = this.encryptionEnabled ? await encryptAndSerialize(entry, this.getKeySource(scope)) : JSON.stringify(entry);
+    await this.store.setValue(storageKey, serialized, options.ttl);
+    return true;
+  }
+  // ─────────────────────────────────────────────────────────────────────────────
+  // Convenience Methods
+  // ─────────────────────────────────────────────────────────────────────────────
+  /**
+   * Get the session ID from context.
+   */
+  get sessionId() {
+    return this.ctx.sessionId;
+  }
+  /**
+   * Get the user ID from context (if available).
+   */
+  get userId() {
+    const authInfo = this.ctx.authInfo;
+    return authInfo?.extra?.["userId"] ?? authInfo?.extra?.["sub"] ?? authInfo?.clientId ?? void 0;
+  }
+  // ─────────────────────────────────────────────────────────────────────────────
+  // Private Methods
+  // ─────────────────────────────────────────────────────────────────────────────
+  /**
+   * Build the full storage key including scope prefix.
+   */
+  buildStorageKey(key, scope) {
+    return this.buildScopePrefix(scope) + key;
+  }
+  /**
+   * Build the scope-specific prefix.
+   */
+  buildScopePrefix(scope) {
+    switch (scope) {
+      case "session":
+        return `${this.keyPrefix}session:${this.ctx.sessionId}:`;
+      case "user":
+        return `${this.keyPrefix}user:${this.userId ?? "anonymous"}:`;
+      case "tool": {
+        const toolName = this.ctx.flow?.name ?? "unknown";
+        return `${this.keyPrefix}tool:${toolName}:${this.ctx.sessionId}:`;
+      }
+      case "global":
+        return `${this.keyPrefix}global:`;
+    }
+  }
+  /**
+   * Get the encryption key source for a scope.
+   */
+  getKeySource(scope) {
+    return getKeySourceForScope(scope, {
+      sessionId: this.ctx.sessionId,
+      userId: this.userId,
+      toolName: this.ctx.flow?.name
+    });
+  }
+  /**
+   * Parse a JSON entry (when encryption is disabled).
+   */
+  parseEntry(raw) {
+    try {
+      return JSON.parse(raw);
+    } catch {
+      return null;
+    }
+  }
+};
+RememberAccessor = __decorateClass([
+  (0, import_sdk4.Provider)({
+    name: "provider:remember:accessor",
+    description: "Context-scoped accessor for RememberPlugin storage",
+    scope: import_sdk4.ProviderScope.CONTEXT
+  })
+], RememberAccessor);
+function createRememberAccessor(store, ctx, config) {
+  return new RememberAccessor(store, ctx, config);
+}
+
+// plugins/plugin-remember/src/remember.plugin.ts
+var RememberPlugin = class extends import_sdk5.DynamicPlugin {
+  options;
+  constructor(options = {}) {
+    super();
+    this.options = {
+      ...RememberPlugin.defaultOptions,
+      ...options
+    };
+  }
+};
+__publicField(RememberPlugin, "defaultOptions", {
+  type: "memory",
+  keyPrefix: "remember:",
+  encryption: { enabled: true }
+});
+/**
+ * Dynamic providers based on plugin options.
+ */
+__publicField(RememberPlugin, "dynamicProviders", (options) => {
+  const providers = [];
+  const config = {
+    ...RememberPlugin.defaultOptions,
+    ...options
+  };
+  switch (config.type) {
+    case "global-store":
+      providers.push({
+        name: "remember:store:global",
+        provide: RememberStoreToken,
+        inject: () => [import_sdk5.FrontMcpConfig],
+        useFactory: (frontmcpConfig) => {
+          const storeConfig = (0, import_sdk5.getGlobalStoreConfig)("RememberPlugin", frontmcpConfig);
+          if ((0, import_sdk5.isVercelKvProvider)(storeConfig)) {
+            return new RememberVercelKvProvider({
+              url: storeConfig.url,
+              token: storeConfig.token,
+              keyPrefix: config.keyPrefix,
+              defaultTTL: config.defaultTTL
+            });
+          }
+          return new RememberRedisProvider({
+            type: "redis",
+            config: {
+              host: storeConfig.host ?? "localhost",
+              port: storeConfig.port ?? 6379,
+              password: storeConfig.password,
+              db: storeConfig.db
+            },
+            keyPrefix: config.keyPrefix,
+            defaultTTL: config.defaultTTL
+          });
+        }
+      });
+      break;
+    case "redis":
+      if ("config" in config && config.config) {
+        providers.push({
+          name: "remember:store:redis",
+          provide: RememberStoreToken,
+          useValue: new RememberRedisProvider({
+            type: "redis",
+            config: config.config,
+            keyPrefix: config.keyPrefix,
+            defaultTTL: config.defaultTTL
+          })
+        });
+      }
+      break;
+    case "redis-client":
+      if ("client" in config && config.client) {
+        providers.push({
+          name: "remember:store:redis-client",
+          provide: RememberStoreToken,
+          useValue: new RememberRedisProvider({
+            type: "redis-client",
+            client: config.client,
+            keyPrefix: config.keyPrefix,
+            defaultTTL: config.defaultTTL
+          })
+        });
+      }
+      break;
+    case "vercel-kv":
+      providers.push({
+        name: "remember:store:vercel-kv",
+        provide: RememberStoreToken,
+        useValue: new RememberVercelKvProvider({
+          url: "url" in config ? config.url : void 0,
+          token: "token" in config ? config.token : void 0,
+          keyPrefix: config.keyPrefix,
+          defaultTTL: config.defaultTTL
+        })
+      });
+      break;
+    case "memory":
+    default:
+      providers.push({
+        name: "remember:store:memory",
+        provide: RememberStoreToken,
+        useValue: new RememberMemoryProvider()
+      });
+      break;
+  }
+  providers.push({
+    name: "remember:config",
+    provide: RememberConfigToken,
+    useValue: config
+  });
+  providers.push({
+    name: "remember:accessor",
+    provide: RememberAccessorToken,
+    scope: import_sdk5.ProviderScope.CONTEXT,
+    inject: () => [RememberStoreToken, import_sdk5.FRONTMCP_CONTEXT, RememberConfigToken],
+    useFactory: (store, ctx, cfg) => createRememberAccessor(store, ctx, cfg)
+  });
+  return providers;
+});
+RememberPlugin = __decorateClass([
+  (0, import_sdk5.Plugin)({
+    name: "remember",
+    description: "Help your LLM remember things across sessions",
+    providers: [
+      // Default in-memory provider (overridden by dynamicProviders if configured)
+      {
+        name: "remember:store:memory",
+        provide: RememberStoreToken,
+        useValue: new RememberMemoryProvider()
+      }
+    ],
+    // Context extensions - SDK handles runtime installation
+    // TypeScript types are declared in remember.context-extension.ts
+    contextExtensions: [
+      {
+        property: "remember",
+        token: RememberAccessorToken,
+        errorMessage: "RememberPlugin is not installed. Add RememberPlugin.init() to your plugins array."
+      }
+    ]
+  })
+], RememberPlugin);
+
+// plugins/plugin-remember/src/remember.types.ts
+var import_zod2 = require("zod");
+var rememberScopeSchema = import_zod2.z.enum(["session", "user", "tool", "global"]);
+function brand(data, _brand) {
+  return data;
+}
+var rememberEntrySchema = import_zod2.z.object({
+  value: import_zod2.z.unknown(),
+  brand: import_zod2.z.enum(["approval", "preference", "cache", "state", "conversation", "custom"]).optional(),
+  createdAt: import_zod2.z.number(),
+  updatedAt: import_zod2.z.number(),
+  expiresAt: import_zod2.z.number().optional(),
+  metadata: import_zod2.z.record(import_zod2.z.string(), import_zod2.z.unknown()).optional()
+});
+
+// plugins/plugin-remember/src/tools/remember-this.tool.ts
+var import_sdk6 = require("@frontmcp/sdk");
+var import_zod3 = require("zod");
+var rememberThisInputSchema = import_zod3.z.object({
+  key: import_zod3.z.string().min(1).describe('What to call this memory (e.g., "user_preference", "last_action")'),
+  value: import_zod3.z.unknown().describe("The value to remember (any JSON-serializable data)"),
+  scope: import_zod3.z.enum(["session", "user", "tool", "global"]).optional().describe(
+    "How long to remember: session (until disconnect), user (forever), tool (for this tool), global (shared)"
+  ),
+  ttl: import_zod3.z.number().positive().optional().describe("Forget after this many seconds"),
+  brand: import_zod3.z.enum(["preference", "cache", "state", "conversation", "custom"]).optional().describe("Type hint for the stored value")
+});
+var rememberThisOutputSchema = import_zod3.z.object({
+  success: import_zod3.z.boolean(),
+  key: import_zod3.z.string(),
+  scope: import_zod3.z.string(),
+  expiresAt: import_zod3.z.number().optional()
+});
+var RememberThisTool = class extends import_sdk6.ToolContext {
+  async execute(input) {
+    const remember = this.get(RememberAccessorToken);
+    const config = this.get(RememberConfigToken);
+    const scope = input.scope ?? "session";
+    const allowedScopes = config.tools?.allowedScopes ?? ["session", "user", "tool", "global"];
+    if (!allowedScopes.includes(scope)) {
+      throw this.fail(new Error(`Scope '${scope}' is not allowed. Allowed scopes: ${allowedScopes.join(", ")}`));
+    }
+    await remember.set(input.key, input.value, {
+      scope,
+      ttl: input.ttl,
+      brand: input.brand
+    });
+    const expiresAt = input.ttl ? Date.now() + input.ttl * 1e3 : void 0;
+    return {
+      success: true,
+      key: input.key,
+      scope,
+      expiresAt
+    };
+  }
+};
+RememberThisTool = __decorateClass([
+  (0, import_sdk6.Tool)({
+    name: "remember_this",
+    description: "Remember something for later. Store a value that can be recalled in future conversations. Use this when the user asks you to remember preferences, settings, or any information they want to persist.",
+    inputSchema: rememberThisInputSchema,
+    outputSchema: rememberThisOutputSchema,
+    annotations: {
+      readOnlyHint: false
+    }
+  })
+], RememberThisTool);
+
+// plugins/plugin-remember/src/tools/recall.tool.ts
+var import_sdk7 = require("@frontmcp/sdk");
+var import_zod4 = require("zod");
+var recallInputSchema = {
+  key: import_zod4.z.string().min(1).describe("What memory to recall"),
+  scope: import_zod4.z.enum(["session", "user", "tool", "global"]).optional().describe("Which scope to look in (default: session)")
+};
+var recallOutputSchema = import_zod4.z.object({
+  found: import_zod4.z.boolean(),
+  key: import_zod4.z.string(),
+  value: import_zod4.z.unknown().optional(),
+  scope: import_zod4.z.string(),
+  createdAt: import_zod4.z.number().optional(),
+  expiresAt: import_zod4.z.number().optional()
+});
+var RecallTool = class extends import_sdk7.ToolContext {
+  async execute(input) {
+    const remember = this.get(RememberAccessorToken);
+    const config = this.get(RememberConfigToken);
+    const scope = input.scope ?? "session";
+    const allowedScopes = config.tools?.allowedScopes ?? ["session", "user", "tool", "global"];
+    if (!allowedScopes.includes(scope)) {
+      this.fail(new Error(`Scope '${scope}' is not allowed. Allowed scopes: ${allowedScopes.join(", ")}`));
+    }
+    const entry = await remember.getEntry(input.key, { scope });
+    if (!entry) {
+      return {
+        found: false,
+        key: input.key,
+        scope
+      };
+    }
+    return {
+      found: true,
+      key: input.key,
+      value: entry.value,
+      scope,
+      createdAt: entry.createdAt,
+      expiresAt: entry.expiresAt
+    };
+  }
+};
+RecallTool = __decorateClass([
+  (0, import_sdk7.Tool)({
+    name: "recall",
+    description: "Recall something that was previously remembered. Use this to retrieve stored preferences, settings, or any information that was saved with remember_this.",
+    inputSchema: recallInputSchema,
+    outputSchema: recallOutputSchema,
+    annotations: {
+      readOnlyHint: true
+    }
+  })
+], RecallTool);
+
+// plugins/plugin-remember/src/tools/forget.tool.ts
+var import_sdk8 = require("@frontmcp/sdk");
+var import_zod5 = require("zod");
+var forgetInputSchema = import_zod5.z.object({
+  key: import_zod5.z.string().min(1).describe("What memory to forget"),
+  scope: import_zod5.z.enum(["session", "user", "tool", "global"]).optional().describe("Which scope to forget from (default: session)")
+});
+var forgetOutputSchema = import_zod5.z.object({
+  success: import_zod5.z.boolean(),
+  key: import_zod5.z.string(),
+  scope: import_zod5.z.string(),
+  existed: import_zod5.z.boolean()
+});
+var ForgetTool = class extends import_sdk8.ToolContext {
+  async execute(input) {
+    const remember = this.get(RememberAccessorToken);
+    const config = this.get(RememberConfigToken);
+    const scope = input.scope ?? "session";
+    const allowedScopes = config.tools?.allowedScopes ?? ["session", "user", "tool", "global"];
+    if (!allowedScopes.includes(scope)) {
+      throw this.fail(new Error(`Scope '${scope}' is not allowed. Allowed scopes: ${allowedScopes.join(", ")}`));
+    }
+    const existed = await remember.knows(input.key, { scope });
+    await remember.forget(input.key, { scope });
+    return {
+      success: true,
+      key: input.key,
+      scope,
+      existed
+    };
+  }
+};
+ForgetTool = __decorateClass([
+  (0, import_sdk8.Tool)({
+    name: "forget",
+    description: "Forget a previously remembered value. Use this when the user wants to delete stored preferences or information.",
+    inputSchema: forgetInputSchema,
+    outputSchema: forgetOutputSchema,
+    annotations: {
+      readOnlyHint: false
+    }
+  })
+], ForgetTool);
+
+// plugins/plugin-remember/src/tools/list-memories.tool.ts
+var import_sdk9 = require("@frontmcp/sdk");
+var import_zod6 = require("zod");
+var listMemoriesInputSchema = import_zod6.z.object({
+  scope: import_zod6.z.enum(["session", "user", "tool", "global"]).optional().describe("Which scope to list from (default: session)"),
+  pattern: import_zod6.z.string().optional().describe('Pattern to filter keys (e.g., "user_*")'),
+  limit: import_zod6.z.number().positive().max(100).optional().describe("Maximum number of keys to return (default: 50)")
+});
+var listMemoriesOutputSchema = import_zod6.z.object({
+  keys: import_zod6.z.array(import_zod6.z.string()),
+  scope: import_zod6.z.string(),
+  count: import_zod6.z.number(),
+  truncated: import_zod6.z.boolean()
+});
+var ListMemoriesTool = class extends import_sdk9.ToolContext {
+  async execute(input) {
+    const remember = this.get(RememberAccessorToken);
+    const config = this.get(RememberConfigToken);
+    const scope = input.scope ?? "session";
+    const allowedScopes = config.tools?.allowedScopes ?? ["session", "user", "tool", "global"];
+    if (!allowedScopes.includes(scope)) {
+      throw this.fail(new Error(`Scope '${scope}' is not allowed. Allowed scopes: ${allowedScopes.join(", ")}`));
+    }
+    const limit = input.limit ?? 50;
+    let keys = await remember.list({ scope, pattern: input.pattern });
+    const truncated = keys.length > limit;
+    if (truncated) {
+      keys = keys.slice(0, limit);
+    }
+    return {
+      keys,
+      scope,
+      count: keys.length,
+      truncated
+    };
+  }
+};
+ListMemoriesTool = __decorateClass([
+  (0, import_sdk9.Tool)({
+    name: "list_memories",
+    description: "List all remembered keys in a scope. Use this to see what memories are stored for the current session or user.",
+    inputSchema: listMemoriesInputSchema,
+    outputSchema: listMemoriesOutputSchema,
+    annotations: {
+      readOnlyHint: true
+    }
+  })
+], ListMemoriesTool);
+
+// plugins/plugin-remember/src/remember.context-extension.ts
+function getRemember(ctx) {
+  return ctx.get(RememberAccessorToken);
+}
+function tryGetRemember(ctx) {
+  if (typeof ctx.tryGet === "function") {
+    return ctx.tryGet(RememberAccessorToken);
+  }
+  return void 0;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ForgetTool,
+  ListMemoriesTool,
+  RecallTool,
+  RememberAccessor,
+  RememberAccessorToken,
+  RememberConfigToken,
+  RememberMemoryProvider,
+  RememberPlugin,
+  RememberRedisProvider,
+  RememberStoreToken,
+  RememberThisTool,
+  RememberVercelKvProvider,
+  brand,
+  getRemember,
+  tryGetRemember
+});