@ijfw/memory-server 1.4.1 → 1.4.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ijfw/memory-server",
-  "version": "1.4.1",
+  "version": "1.4.4",
   "description": "Cross-platform persistent memory server for IJFW. 10 MCP tools (memory + admin/update). Works with 13 MCP-using platforms (Claude Code, Codex, Gemini CLI, Cursor, Windsurf, Copilot, Hermes, Wayland, OpenCode, QwenCode, Cline, KimiCode, OpenClaw) plus Aider via rules-only tier.",
   "author": "Sean Donahoe",
   "license": "MIT",

package/src/active-extension-writer.js

@@ -7,24 +7,40 @@
  *   - installExtension when opts.activate is set
  */
 
-import { readFile, writeFile, unlink, mkdir } from 'node:fs/promises';
+import { readFile, writeFile, unlink, mkdir, readdir, stat } from 'node:fs/promises';
 import { join, dirname } from 'node:path';
 import { homedir } from 'node:os';
 import { randomBytes } from 'node:crypto';
 
+import { resetExtensionQuotas } from './extension-quota-tracker.js';
+
 const STATE_PATH_REL = ['.ijfw', 'state', 'active-extension.json'];
 
+// B18 — stale last-seen-by-<ide>.json files older than this get cleaned on read.
+const LAST_SEEN_STALE_MS = 30 * 24 * 60 * 60 * 1000;
+
+// Valid IDE id pattern (matches ide-detect.js). Keep in sync.
+const IDE_ID_PATTERN = /^[a-z0-9-]+$/;
+
 function statePath(home) {
   return join(home || homedir(), ...STATE_PATH_REL);
 }
 
+function lastSeenPath(home, ideId) {
+  return join(home || homedir(), '.ijfw', 'state', `last-seen-by-${ideId}.json`);
+}
+
+function stateDir(home) {
+  return join(home || homedir(), '.ijfw', 'state');
+}
+
 /**
  * Write the active-extension state file from a manifest + scope.
  * Validates required fields before write. Atomic write via tmp+rename.
  *
  * @param {{ name: string, permissions: { reads: string[], writes: string[] } }} manifest
  * @param {'project'|'org'|'user'} scope
- * @param {{ homeDir?: string }} [opts]
+ * @param {{ homeDir?: string, ideId?: string|null }} [opts]
  * @returns {Promise<{ ok: boolean, path?: string, error?: string }>}
  */
 export async function writeActiveExtension(manifest, scope, opts = {}) {
@@ -42,12 +58,48 @@ export async function writeActiveExtension(manifest, scope, opts = {}) {
   }
   const reads = Array.isArray(manifest.permissions.reads) ? manifest.permissions.reads : [];
   const writes = Array.isArray(manifest.permissions.writes) ? manifest.permissions.writes : [];
+  const activatedAt = new Date().toISOString();
+  // B18: stamp activated_by_ide + activated_by_pid when ideId is provided.
+  // Caller (CLI) is responsible for calling detectIde() and threading the
+  // value in. When opts.ideId is null/undefined, fields are omitted (so the
+  // file stays back-compatible with v1.4.1 readers).
+  const ideId = (typeof opts.ideId === 'string' && IDE_ID_PATTERN.test(opts.ideId))
+    ? opts.ideId
+    : null;
   const out = {
     name: manifest.name,
     scope,
     permissions: { reads, writes },
-    activated_at: new Date().toISOString(),
+    activated_at: activatedAt,
   };
+  if (ideId) {
+    out.activated_by_ide = ideId;
+    out.activated_by_pid = process.pid;
+  }
+  // R12-H-01: persist manifest.quotas so the tier-2 hook
+  // (extension-permission-check.mjs) can enforce quotas on Edit/Write/Bash
+  // dispatch. Without this the tier-2 hook reads `active.quotas` as undefined
+  // and silently bypasses the v1.4.3 quota gate that the server-side
+  // gatePermissionAndQuota path enforces. Schema (extension-manifest-schema.js):
+  // optional object whose values are positive integers — currently
+  // max_files_written / max_bytes_written / max_wall_clock_ms (forward-compat:
+  // unknown dimensions are kept as-is — schema rejects unknowns at install).
+  if (
+    manifest.quotas !== undefined &&
+    manifest.quotas !== null &&
+    typeof manifest.quotas === 'object' &&
+    !Array.isArray(manifest.quotas)
+  ) {
+    const cleanQuotas = {};
+    let copied = 0;
+    for (const [k, v] of Object.entries(manifest.quotas)) {
+      if (typeof v === 'number' && Number.isFinite(v) && Number.isInteger(v) && v > 0) {
+        cleanQuotas[k] = v;
+        copied++;
+      }
+    }
+    if (copied > 0) out.quotas = cleanQuotas;
+  }
   const home = opts && opts.homeDir ? opts.homeDir : (process.env.HOME || homedir());
   const path = statePath(home);
   await mkdir(dirname(path), { recursive: true });
@@ -55,6 +107,14 @@ export async function writeActiveExtension(manifest, scope, opts = {}) {
   await writeFile(tmp, JSON.stringify(out, null, 2) + '\n', 'utf8');
   const { rename } = await import('node:fs/promises');
   await rename(tmp, path);
+  // B16/SEC-M-02: reset quota counters on activate; stamp activated_at so
+  // wall_clock_ms can be computed against this activation window.
+  try {
+    await resetExtensionQuotas(manifest.name, { homeDir: home, activated_at: activatedAt });
+  } catch {
+    // Quota reset failure must not block activation. Counters will self-heal
+    // on next deactivate or the next activate of the same name.
+  }
   return { ok: true, path };
 }
 
@@ -66,11 +126,38 @@ export async function writeActiveExtension(manifest, scope, opts = {}) {
  */
 export async function clearActiveExtension(opts = {}) {
   const home = opts && opts.homeDir ? opts.homeDir : (process.env.HOME || homedir());
+  // B16/SEC-M-02: read the active extension name BEFORE unlinking so we can
+  // clear its quota counters. Best-effort: if the file is missing or
+  // malformed, deactivate still succeeds.
+  let extName = null;
+  try {
+    const raw = await readFile(statePath(home), 'utf8');
+    const parsed = JSON.parse(raw);
+    if (parsed && typeof parsed === 'object' && typeof parsed.name === 'string') {
+      extName = parsed.name;
+    }
+  } catch {
+    // ignore — extName stays null
+  }
   try {
     await unlink(statePath(home));
+    if (extName) {
+      try {
+        await resetExtensionQuotas(extName, { homeDir: home });
+      } catch {
+        // best-effort
+      }
+    }
     return { ok: true, removed: true };
   } catch (err) {
-    if (err && err.code === 'ENOENT') return { ok: true, removed: false };
+    if (err && err.code === 'ENOENT') {
+      if (extName) {
+        try {
+          await resetExtensionQuotas(extName, { homeDir: home });
+        } catch { /* best-effort */ }
+      }
+      return { ok: true, removed: false };
+    }
     return { ok: false, removed: false };
   }
 }
@@ -140,3 +227,196 @@ export async function findInstalledManifest(name, projectRoot, opts = {}) {
 
   return { ok: true, manifest: winner.manifest, scope: winner.scope, path: winner.path };
 }
+
+// ============================================================================
+// B18 — Cross-IDE Conflict Detection
+// ============================================================================
+
+/**
+ * Write the current IDE's last-seen marker. Best-effort: never throws.
+ * Atomic via tmp+rename.
+ *
+ * @param {string} ideId
+ * @param {{ homeDir?: string }} [opts]
+ */
+async function writeLastSeen(ideId, opts = {}) {
+  if (!ideId || typeof ideId !== 'string' || !IDE_ID_PATTERN.test(ideId)) return;
+  if (ideId === 'unknown') return;
+  const home = opts && opts.homeDir ? opts.homeDir : (process.env.HOME || homedir());
+  const path = lastSeenPath(home, ideId);
+  try {
+    await mkdir(dirname(path), { recursive: true });
+    const body = JSON.stringify({ ide: ideId, last_seen_at: new Date().toISOString() }, null, 2) + '\n';
+    const tmp = `${path}.tmp.${randomBytes(4).toString('hex')}`;
+    await writeFile(tmp, body, 'utf8');
+    const { rename } = await import('node:fs/promises');
+    await rename(tmp, path);
+  } catch {
+    // best-effort
+  }
+}
+
+/**
+ * Read another IDE's last-seen marker. Returns null on any read error or
+ * missing file.
+ *
+ * @param {string} ideId
+ * @param {{ homeDir?: string }} [opts]
+ * @returns {Promise<{ ide: string, last_seen_at: string }|null>}
+ */
+async function readLastSeen(ideId, opts = {}) {
+  if (!ideId || !IDE_ID_PATTERN.test(ideId)) return null;
+  const home = opts && opts.homeDir ? opts.homeDir : (process.env.HOME || homedir());
+  try {
+    const raw = await readFile(lastSeenPath(home, ideId), 'utf8');
+    const parsed = JSON.parse(raw);
+    if (!parsed || typeof parsed !== 'object') return null;
+    if (typeof parsed.last_seen_at !== 'string') return null;
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Scan ~/.ijfw/state/ for last-seen-by-<ide>.json files older than 30 days
+ * and unlink them. Best-effort: never throws. Returns the number removed.
+ *
+ * @param {{ homeDir?: string, now?: number }} [opts]
+ * @returns {Promise<number>}
+ */
+async function cleanupStaleLastSeen(opts = {}) {
+  const home = opts && opts.homeDir ? opts.homeDir : (process.env.HOME || homedir());
+  const now = typeof opts.now === 'number' ? opts.now : Date.now();
+  let removed = 0;
+  let entries;
+  try {
+    entries = await readdir(stateDir(home));
+  } catch {
+    return 0;
+  }
+  for (const entry of entries) {
+    if (!entry.startsWith('last-seen-by-') || !entry.endsWith('.json')) continue;
+    const full = join(stateDir(home), entry);
+    try {
+      const st = await stat(full);
+      if (now - st.mtimeMs > LAST_SEEN_STALE_MS) {
+        await unlink(full);
+        removed++;
+      }
+    } catch {
+      // best-effort
+    }
+  }
+  return removed;
+}
+
+/**
+ * Detect divergence between the IDE that wrote active.json and the current IDE.
+ *
+ * Semantics:
+ *   - active.json missing OR no activated_by_ide field (pre-v1.4.3) → not divergent
+ *   - active.activated_by_ide === current_ide → not divergent
+ *   - active.activated_by_ide !== current_ide AND current_ide has a last-seen
+ *     file AND active.activated_at is OLDER than current_ide's last_seen_at →
+ *     divergent (this IDE was here before; a different IDE has since taken over
+ *     stale state)
+ *   - otherwise → not divergent (legitimate cross-IDE hand-off)
+ *
+ * Side effects:
+ *   - writes current_ide's last-seen marker
+ *   - cleans up stale last-seen files (>30 days)
+ *
+ * @param {{ homeDir?: string, currentIde?: string, now?: number }} [opts]
+ * @returns {Promise<{ divergent: boolean, last_writer: string|null, current_ide: string, age_seconds: number|null, reason?: string }>}
+ */
+export async function detectCrossIdeDivergence(opts = {}) {
+  const home = opts && opts.homeDir ? opts.homeDir : (process.env.HOME || homedir());
+  const now = typeof opts.now === 'number' ? opts.now : Date.now();
+  // Lazy import to avoid a hard module dependency cycle in test scaffolds.
+  let currentIde = opts.currentIde;
+  if (!currentIde) {
+    try {
+      const { detectIde } = await import('./ide-detect.js');
+      currentIde = detectIde();
+    } catch {
+      currentIde = 'unknown';
+    }
+  }
+
+  // Best-effort stale cleanup on every divergence check.
+  await cleanupStaleLastSeen({ homeDir: home, now });
+
+  // Read active.json. Missing or unreadable → not divergent.
+  let active;
+  try {
+    const raw = await readFile(statePath(home), 'utf8');
+    active = JSON.parse(raw);
+  } catch {
+    return { divergent: false, last_writer: null, current_ide: currentIde, age_seconds: null, reason: 'no active extension' };
+  }
+
+  // Pre-v1.4.3 active.json — silently no-divergence.
+  if (!active || typeof active !== 'object' || typeof active.activated_by_ide !== 'string') {
+    return { divergent: false, last_writer: null, current_ide: currentIde, age_seconds: null, reason: 'pre-v1.4.3 active.json' };
+  }
+
+  const lastWriter = active.activated_by_ide;
+  const activatedAtMs = typeof active.activated_at === 'string' ? Date.parse(active.activated_at) : NaN;
+  const ageSeconds = Number.isFinite(activatedAtMs) ? Math.max(0, Math.floor((now - activatedAtMs) / 1000)) : null;
+
+  // CRITICAL ORDERING: read prior last-seen BEFORE overwriting it. Otherwise
+  // the divergence comparison degrades to "now vs activated_at" which is
+  // always non-divergent.
+  let priorSeen = null;
+  if (lastWriter !== currentIde && currentIde !== 'unknown') {
+    priorSeen = await readLastSeen(currentIde, { homeDir: home });
+  }
+
+  // Now write our own last-seen marker (best-effort; we ARE the current IDE).
+  if (currentIde !== 'unknown') {
+    await writeLastSeen(currentIde, { homeDir: home });
+  }
+
+  if (lastWriter === currentIde) {
+    return { divergent: false, last_writer: lastWriter, current_ide: currentIde, age_seconds: ageSeconds, reason: 'same ide' };
+  }
+
+  // If current_ide is 'unknown', divergence detection is disabled.
+  if (currentIde === 'unknown') {
+    return { divergent: false, last_writer: lastWriter, current_ide: currentIde, age_seconds: ageSeconds, reason: 'detection disabled' };
+  }
+
+  if (!priorSeen) {
+    // Current IDE has no prior history → legitimate first-time hand-off.
+    return { divergent: false, last_writer: lastWriter, current_ide: currentIde, age_seconds: ageSeconds, reason: 'first-time current ide' };
+  }
+  const seenMs = Date.parse(priorSeen.last_seen_at);
+  if (!Number.isFinite(seenMs) || !Number.isFinite(activatedAtMs)) {
+    return { divergent: false, last_writer: lastWriter, current_ide: currentIde, age_seconds: ageSeconds, reason: 'unparseable timestamps' };
+  }
+
+  // Design rule (per B18 spec):
+  //   divergent iff active.activated_by_ide != currentIde
+  //                AND active.activated_at < currentIde.last_seen
+  //
+  // Reading: the slot says some other IDE wrote it, but the current IDE has
+  // a more recent last-seen — i.e., the current IDE has been touching state
+  // more recently than the write, yet a different IDE's name is on it. Stale
+  // cross-IDE state divergence.
+  if (activatedAtMs < seenMs) {
+    return { divergent: true, last_writer: lastWriter, current_ide: currentIde, age_seconds: ageSeconds, reason: 'stale active.json: current ide last-seen is more recent than active.activated_at' };
+  }
+
+  // active was written AFTER current ide's last_seen — legitimate hand-off
+  // (another IDE took over while current was away).
+  return { divergent: false, last_writer: lastWriter, current_ide: currentIde, age_seconds: ageSeconds, reason: 'legitimate handoff: foreign ide wrote after current ide was last here' };
+}
+
+// Internal helpers exported for tests only.
+export const __testing = Object.freeze({
+  writeLastSeen,
+  readLastSeen,
+  cleanupStaleLastSeen,
+  LAST_SEEN_STALE_MS,
+});

package/src/cross-orchestrator.js

@@ -15,8 +15,10 @@
 
 import { spawn } from 'node:child_process';
 import * as readline from 'node:readline';
-import { pickAuditors, isReachable } from './audit-roster.js';
-import { loadSwarmConfig } from './swarm-config.js';
+import { readdirSync, mkdirSync, writeFileSync, existsSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { pickAuditors, isReachable, ROSTER } from './audit-roster.js';
+import { loadSwarmConfig, DEFAULT_AUDITORS } from './swarm-config.js';
 import { buildRequest, parseResponse, mergeResponses, checkBudget } from './cross-dispatcher.js';
 import { writeReceipt, readReceipts } from './receipts.js';
 import { runViaApi } from './api-client.js';
@@ -381,6 +383,158 @@ function countItems(p) {
   return 0;
 }
 
+// ---------------------------------------------------------------------------
+// phase-e-auto helpers (v1.4.4 N10)
+// ---------------------------------------------------------------------------
+
+// Resolve the next CROSS-AUDIT-r<N>.md path under .planning/<phase>/.
+// Scans for existing r<N> files and increments the highest N found.
+function resolveAuditOutputPath(projectDir, phase) {
+  const planningDir = join(projectDir, '.planning', phase);
+  let maxN = 0;
+  if (existsSync(planningDir)) {
+    try {
+      const files = readdirSync(planningDir);
+      for (const f of files) {
+        const m = f.match(/^CROSS-AUDIT-r(\d+)\.md$/);
+        if (m) {
+          const n = parseInt(m[1], 10);
+          if (n > maxN) maxN = n;
+        }
+      }
+    } catch { /* non-fatal */ }
+  }
+  return join(planningDir, `CROSS-AUDIT-r${maxN + 1}.md`);
+}
+
+// Classify a merged audit result into PASS / CONDITIONAL / FAIL.
+// HIGH severity finding → FAIL; any finding → CONDITIONAL; none → PASS.
+function classifyVerdict(items) {
+  if (!Array.isArray(items) || items.length === 0) return 'PASS';
+  const hasHigh = items.some(item => {
+    const sev = (item.severity || item.level || '').toString().toUpperCase();
+    return sev === 'HIGH' || sev === 'CRITICAL';
+  });
+  return hasHigh ? 'FAIL' : 'CONDITIONAL';
+}
+
+// Pick the auditor roster for phase-e-auto from swarm.json (or defaults).
+// Filters to entries that are reachable (CLI or API); missing CLI AND no
+// apiFallback → skipped with a NOTE entry in the return value.
+function resolvePhaseEAuditors(swarmConfig, env) {
+  const requestedIds = (Array.isArray(swarmConfig.auditors) && swarmConfig.auditors.length > 0)
+    ? swarmConfig.auditors
+    : [...DEFAULT_AUDITORS];
+
+  const picks = [];
+  const skipped = [];
+
+  for (const id of requestedIds) {
+    const entry = ROSTER.find(e => e.id === id);
+    if (!entry) {
+      skipped.push({ id, reason: 'not in roster' });
+      continue;
+    }
+    const reach = isReachable(id, env);
+    if (!reach.any) {
+      // CLI missing AND no apiFallback (or key not set) → skip with NOTE
+      skipped.push({ id, reason: 'CLI missing and no apiFallback configured' });
+      continue;
+    }
+    // Annotate API-only picks
+    const pick = (!reach.cli && reach.api) ? { ...entry, preferredSource: 'api' } : { ...entry };
+    picks.push(pick);
+  }
+
+  return { picks, skipped };
+}
+
+// Run the phase-e-auto branch.  Does NOT use process.exit / uxGate / budget
+// guard — it is a programmatic call from the orchestrator, not a CLI call.
+async function runPhaseEAuto({ projectDir, phase, target, env, quiet }) {
+  const swarmConfig = loadSwarmConfig(projectDir);
+  const { picks, skipped } = resolvePhaseEAuditors(swarmConfig, env);
+
+  const notes = skipped.map(s => `NOTE: skipped auditor '${s.id}' — ${s.reason}`);
+
+  if (!quiet && notes.length > 0) {
+    process.stderr.write(notes.join('\n') + '\n');
+  }
+
+  if (picks.length === 0) {
+    const outputPath = resolveAuditOutputPath(projectDir, phase);
+    const content = `# Cross-Audit Phase E\n\nNo auditors available.\n\n${notes.map(n => `- ${n}`).join('\n')}\n`;
+    const dir = dirname(outputPath);
+    if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+    writeFileSync(outputPath, content, 'utf8');
+    return { verdict: 'CONDITIONAL', findings: [], outputPath, notes };
+  }
+
+  const auditTarget = target || 'HEAD~1..HEAD';
+  const resolvedTimeoutSec = null;
+
+  const requests = picks.map(pick => ({
+    pick,
+    payload: buildRequest('audit', auditTarget, pick.id, 'general', null),
+  }));
+
+  const tasks = requests.map(({ pick, payload }) => () =>
+    fireExternal(pick, payload, timeoutForPick(pick, resolvedTimeoutSec), env)
+  );
+  const rawResults = await fanOut(tasks, 3);
+
+  const auditorResults = rawResults.map((raw, i) => {
+    const pick = picks[i];
+    if (raw === null) {
+      return { status: 'failed', parsed: { items: [], prose: `[${pick.id}: spawn failed]` } };
+    }
+    const { stdout, exitCode, status: rawStatus } = raw;
+    if (rawStatus === 'timeout') return { status: 'timeout', parsed: { items: [], prose: `[${pick.id}: timeout]` } };
+    if (rawStatus === 'failed') return { status: 'failed', parsed: { items: [], prose: `[${pick.id}: failed]` } };
+    if (rawStatus === 'aborted') return { status: 'aborted', parsed: { items: [], prose: `[${pick.id}: aborted]` } };
+    if (rawStatus === 'fallback-used') {
+      const p = parseResponse('audit', stdout);
+      return { status: 'fallback-used', parsed: p };
+    }
+    if (exitCode !== 0) return { status: 'failed', parsed: { items: [], prose: `[${pick.id}: exited ${exitCode}]` } };
+    const p = parseResponse('audit', stdout);
+    return { status: 'ok', parsed: p };
+  });
+
+  const parsed = auditorResults.map(r => r.parsed);
+  const merged = mergeResponses('audit', parsed);
+  const items = Array.isArray(merged) ? merged : [];
+  const verdict = classifyVerdict(items);
+
+  // Write synthesis to .planning/<phase>/CROSS-AUDIT-r<N>.md
+  const outputPath = resolveAuditOutputPath(projectDir, phase);
+  const dir = dirname(outputPath);
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+
+  const auditorSummary = picks.map((p, i) => `- ${p.id}: ${auditorResults[i].status}`).join('\n');
+  const findingsSection = items.length > 0
+    ? items.map(item => `- [${(item.severity || item.level || 'INFO').toUpperCase()}] ${item.text || item.description || JSON.stringify(item)}`).join('\n')
+    : '_(none)_';
+  const content = [
+    `# Cross-Audit Phase E — ${phase}`,
+    '',
+    `**Verdict:** ${verdict}`,
+    `**Auditors:** ${picks.map(p => p.id).join(', ')}`,
+    '',
+    '## Auditor Status',
+    auditorSummary,
+    '',
+    '## Findings',
+    findingsSection,
+    '',
+    ...(notes.length > 0 ? ['## Notes', ...notes, ''] : []),
+  ].join('\n');
+
+  writeFileSync(outputPath, content, 'utf8');
+
+  return { verdict, findings: items, outputPath, notes };
+}
+
 export async function runCrossOp({
   mode,
   target,
@@ -400,6 +554,14 @@ export async function runCrossOp({
   runStamp   = runStamp   ?? new Date().toISOString();
   env        = env        ?? process.env;
 
+  // v1.4.4 N10: phase-e-auto branch — programmatic orchestrator call.
+  // Reads .ijfw/swarm.json for auditor roster; graceful CLI-missing skip;
+  // writes .planning/<phase>/CROSS-AUDIT-r<N>.md; returns {verdict, findings, outputPath}.
+  if (mode === 'phase-e-auto') {
+    const phase = target || 'current';
+    return runPhaseEAuto({ projectDir, phase, target, env, quiet });
+  }
+
   const start = Date.now();
 
   // Shared abort controller for this run -- used by minResponsesFanOut to kill stragglers.