@llamaventures/cli 1.3.0 → 1.4.0

package/AGENT_BRIEFING.md

@@ -139,7 +139,6 @@ Tools available:
 - `timeline` / `post`
 - `mentions_list`
 - `pitch_start` / `pitch_send_message` / `pitch_upload_file` / `pitch_status` / `pitch_finalize` — public intake (no Llama token needed; for founders / EAs / external agents)
-- `llama_api` — escape hatch for any endpoint not yet wrapped (path must start `/api/`)
 
 You can also fetch this exact briefing as an MCP prompt named `agent_briefing`.
 

package/README.md

@@ -342,9 +342,8 @@ llama pitch upload ./deck.pdf
 llama pitch                       # interactive REPL
 ```
 
-Server-enforced caps (same as the web flow): 5 sessions/IP/day,
-3 sessions/email/day, 30 min idle timeout, 100 messages/session,
-1 M tokens/session.
+Server-enforced rate limits apply (per-IP, per-email, per-session). If you
+hit a limit, the CLI surfaces the server's response message.
 
 This is genuine **agent-to-agent**: your AI helps you tell the story, our
 intake agent extracts the structured fields and produces the verdict.

package/bin/llama-mcp.mjs

@@ -364,9 +364,8 @@ server.registerTool(
 // founder's agent talks to ours, structured intake gets captured, and a
 // 12-dimension verdict is returned.
 //
-// Anti-abuse caps are server-enforced (5 sessions/IP/day, 3/email/day,
-// 30min idle, 100 msg cap, 1M token cap, global daily cap). The MCP tools
-// surface those rejections as text back to the agent.
+// Anti-abuse rate limits are server-enforced. The MCP tools surface
+// any server-side rejections as text back to the agent.
 
 function asTextResult(text, isError = false) {
   return {
@@ -383,8 +382,8 @@ server.registerTool(
       "when a founder (the user) wants to pitch their company to Llama. " +
       "Requires their name + email. Returns a session_id; the conversation " +
       "is then maintained via pitch_send_message until the agent finalizes. " +
-      "Caps (server-enforced): 5 sessions/IP/day, 3 sessions/email/day, " +
-      "30min idle timeout. No Llama Command token needed.",
+      "Server-enforced rate limits apply (per-IP, per-email, per-session). " +
+      "No Llama Command token needed.",
     inputSchema: {
       name: z.string().describe("the founder's full name (max 100 chars)"),
       email: z.string().describe("the founder's email (deliverable, not a disposable domain)"),
@@ -447,8 +446,9 @@ server.registerTool(
     description:
       "Attach a file (deck, one-pager, deck PDF, screenshot, etc.) to the " +
       "active pitch session. Server allows pdf / pptx / ppt / docx / doc / " +
-      "xlsx / xls / png / jpg / webp / heic / heif / txt / md, max 50 MB, " +
-      "10 files per session. Returns a drive_file_id; the intake agent will " +
+      "xlsx / xls / png / jpg / webp / heic / heif / txt / md, with " +
+      "server-enforced size and per-session count limits. " +
+      "Returns a drive_file_id; the intake agent will " +
       "pick the file up via list_uploaded_files / read_uploaded_file on its " +
       "next turn (so call pitch_send_message with a one-line note like " +
       "'I just uploaded our pitch deck' so the agent knows to look).",
@@ -493,7 +493,7 @@ server.registerTool(
       "server-side intake agent to finalize — the agent decides that on its " +
       "own once the pitch is sufficient. Use this for cleanup after a session " +
       "ends, or to abandon a session early. The server-side session will " +
-      "naturally expire after 30min of idle.",
+      "naturally expire after the server's idle timeout.",
     inputSchema: {},
   },
   async () => {
@@ -505,7 +505,7 @@ server.registerTool(
           {
             cleared: before.active,
             previous_session: before.active ? before : null,
-            note: "Local pitch session state cleared. Server-side session may still be active for ~30min until idle timeout.",
+            note: "Local pitch session state cleared. Server-side session may still be active until its idle timeout.",
           },
           null,
           2
@@ -517,6 +517,92 @@ server.registerTool(
   }
 );
 
+// ============================================================
+// Memo — long-form HTML investment memo (the Memo tab in the UI)
+// ============================================================
+
+server.registerTool(
+  "memo_show",
+  {
+    description:
+      "Fetch the current memo for a deal. Returns the envelope: memo " +
+      "(html, version, source, updated_by, updated_at), mode " +
+      "('composed' = server-generated, 'override' = hand-written), and " +
+      "inflight (if a server-side regeneration is in progress). html " +
+      "can be 50-100KB — be deliberate about including it in your reply.",
+    inputSchema: {
+      dealId: z.string().describe("deal uuid"),
+    },
+  },
+  async ({ dealId }) =>
+    callApi("GET", `/api/deals/${encodeURIComponent(dealId)}/memo`)
+);
+
+server.registerTool(
+  "memo_regenerate",
+  {
+    description:
+      "Trigger server-side regeneration of the deal memo. Synchronous: " +
+      "returns the final result (version, model, duration_ms, degraded) " +
+      "once the composer finishes. Typical duration 2-3 minutes. Use " +
+      "tier='opus' for high-stakes deals (higher cost, deeper analysis).",
+    inputSchema: {
+      dealId: z.string().describe("deal uuid"),
+      tier: z
+        .enum(["sonnet", "opus"])
+        .optional()
+        .describe("LLM tier (default: sonnet)"),
+    },
+  },
+  async ({ dealId, tier }) =>
+    callApi("POST", `/api/deals/${encodeURIComponent(dealId)}/memo`, {
+      action: "regenerate",
+      stream: false,
+      model: tier ?? "sonnet",
+    })
+);
+
+server.registerTool(
+  "memo_save",
+  {
+    description:
+      "Save hand-written HTML as a manual override for a deal's memo. " +
+      "Manual overrides take precedence over auto-composed memos on " +
+      "read. Pass the full HTML document including <!DOCTYPE html>, " +
+      "<style>, and <body> — it's rendered as-is in a sandboxed iframe.",
+    inputSchema: {
+      dealId: z.string().describe("deal uuid"),
+      html: z
+        .string()
+        .describe("full HTML document"),
+    },
+  },
+  async ({ dealId, html }) =>
+    callApi("PUT", `/api/deals/${encodeURIComponent(dealId)}/memo`, { html })
+);
+
+server.registerTool(
+  "memo_reset",
+  {
+    description:
+      "Reset memo state. Default drops only the manual override row " +
+      "(next read falls back to the auto-composed version, if any). " +
+      "Pass scope='all' to drop every version for the deal — destructive, " +
+      "use sparingly.",
+    inputSchema: {
+      dealId: z.string().describe("deal uuid"),
+      scope: z
+        .enum(["override_only", "all"])
+        .optional()
+        .describe("default: override_only"),
+    },
+  },
+  async ({ dealId, scope }) =>
+    callApi("DELETE", `/api/deals/${encodeURIComponent(dealId)}/memo`, {
+      scope: scope ?? "override_only",
+    })
+);
+
 // ============================================================
 // Prompts
 // ============================================================

package/bin/llama.mjs

@@ -242,7 +242,7 @@ Skill corrections (persona-owner pushback — read by persona-watcher):
   llama skill-correction add <skill-slug> "<correction text>" [--deal <uuid>] [--block <blockId>]
   llama skill-correction delete <id>
   Server enforces persona owner OR system admin on POST/DELETE; GET is open.
-  External personas (owner_email=null, e.g. virtual-liu-yi) are admin-only for write.
+  External personas (owner_email=null) are admin-only for write.
 
 Mentions / Inbox:
   llama mentions                                       # default: my unresolved cues
@@ -256,6 +256,12 @@ Wiki:
   llama wiki read <slug>
   llama wiki save <slug> --title "..." --content "..." --sources "url1;url2" [--type company] [--related "A;B"]
 
+Memo (long-form HTML investment memo — Memo tab in the UI):
+  llama memo show <dealId> [--out <path>] [--json]          # default: html → stdout (pipeable to file / browser)
+  llama memo regenerate <dealId> [--opus]                    # streams panel progress to stderr; result version → stdout
+  llama memo save <dealId> --file <path>                     # paste a hand-written HTML as manual override
+  llama memo reset <dealId> [--all]                          # default drops manual override; --all drops every version
+
 Admin (system admin only — server returns 403 for non-admin tokens):
   llama admin auth-events  [--kind X] [--actor email] [--subject email] [--since 24h|7d|30d|<ISO>] [--limit 100]
   llama admin deal-events  [--kind X] [--actor email] [--deal <uuid>] [--since 24h] [--limit 100]
@@ -318,9 +324,9 @@ Inspect / clean up:
   llama pitch status         # session id, idle minutes, finalized?
   llama pitch end            # clear local session state
 
-Caps (server-enforced):
-  5 sessions per IP per day, 3 per email per day, 60min idle timeout,
-  100 messages per session, 1M tokens per session.
+Caps:
+  Server-enforced per-IP / per-email / per-session rate limits apply.
+  The CLI surfaces server messages if a limit is hit.
 
 Environment:
   LLAMA_API_URL              override base URL (dev: http://localhost:3000)
@@ -411,7 +417,7 @@ Environment:
       cleared: !!had,
       session_file: EXTERNAL_SESSION_FILE,
       note: had
-        ? "Local session state cleared. Server-side session may still be active until idle timeout (60min)."
+        ? "Local session state cleared. Server-side session may still be active until idle timeout."
         : "No local session was active.",
     });
     return;
@@ -1588,6 +1594,198 @@ https://command.llamaventures.vc/settings/tokens, run
     );
   }
 
+  // ----- Memo (long-form HTML investment memo) -----
+  // The Memo tab in the deal page renders HTML stored in deal_memos.
+  // Two sources of memo content:
+  //   - composed: generated by the server-side memo composer on demand
+  //   - manual:   a hand-written HTML you paste in
+  // Manual always beats composed on read; reset to drop the manual row
+  // and fall back to the composed one.
+  if (area === "memo") {
+    const sub = action;
+
+    // show — fetch the current memo. Default: print HTML to stdout
+    // (pipeable to file or browser). --out writes to a path. --json
+    // returns the full envelope (memo + mode + inflight info).
+    if (sub === "show") {
+      const dealId = rest[0];
+      if (!dealId) {
+        throw new Error("Usage: llama memo show <dealId> [--out <path>] [--json]");
+      }
+      const { flags } = parseFlags(rest.slice(1));
+      const data = await request(
+        "GET",
+        `/api/deals/${encodeURIComponent(dealId)}/memo`
+      );
+      if (flags.json) {
+        print(data);
+        return;
+      }
+      const html = data?.memo?.html;
+      if (!html) {
+        if (data?.requires_compose) {
+          throw new Error(
+            "No memo for this deal yet — run `llama memo regenerate <dealId>` to compose one."
+          );
+        }
+        throw new Error("Memo response missing html field.");
+      }
+      if (flags.out) {
+        const { writeFileSync } = await import("fs");
+        writeFileSync(String(flags.out), html);
+        console.error(`Wrote ${html.length} bytes → ${flags.out}`);
+        return;
+      }
+      // Stdout — supports `llama memo show <id> > memo.html` and piping
+      // to e.g. `open -f -a Safari` for quick preview.
+      process.stdout.write(html);
+      return;
+    }
+
+    // regenerate — kick off the server-side composer. Streams panel
+    // progress events to stderr so you can see live status; prints
+    // final summary JSON (version, model, duration) to stdout.
+    if (sub === "regenerate") {
+      const dealId = rest[0];
+      if (!dealId) {
+        throw new Error("Usage: llama memo regenerate <dealId> [--opus]");
+      }
+      const { flags } = parseFlags(rest.slice(1));
+      const tier = flags.opus ? "opus" : "sonnet";
+      const authHeaders = await getAuthHeaders();
+      if (Object.keys(authHeaders).length === 0) {
+        throw new Error(
+          "Not authenticated. Run `gcloud auth login` or `llama token set <llc_...>` first."
+        );
+      }
+      const res = await fetch(
+        `${getBaseUrl()}/api/deals/${encodeURIComponent(dealId)}/memo`,
+        {
+          method: "POST",
+          headers: { "Content-Type": "application/json", ...authHeaders },
+          body: JSON.stringify({
+            action: "regenerate",
+            stream: true,
+            model: tier,
+          }),
+        }
+      );
+      if (!res.ok || !res.body) {
+        const text = await res.text().catch(() => "");
+        throw new Error(`HTTP ${res.status}: ${text.slice(0, 300)}`);
+      }
+
+      const reader = res.body.getReader();
+      const decoder = new TextDecoder();
+      let buffer = "";
+      let doneEvent = null;
+      const startedAt = Date.now();
+      const progress = { done: 0, total: 12, placeholders: 0, retries: 0 };
+
+      while (true) {
+        const { value, done: streamDone } = await reader.read();
+        if (streamDone) break;
+        buffer += decoder.decode(value, { stream: true });
+        let idx;
+        while ((idx = buffer.indexOf("\n\n")) !== -1) {
+          const frame = buffer.slice(0, idx);
+          buffer = buffer.slice(idx + 2);
+          const dataLine = frame.split("\n").find((l) => l.startsWith("data:"));
+          if (!dataLine) continue;
+          let event;
+          try {
+            event = JSON.parse(dataLine.replace(/^data:\s?/, ""));
+          } catch {
+            continue;
+          }
+          const elapsed = ((Date.now() - startedAt) / 1000).toFixed(1);
+          const phase = event.phase || "?";
+          if (phase === "panel_done") {
+            progress.done = event.panels_completed ?? progress.done + 1;
+            progress.total = event.panels_total ?? progress.total;
+            if (event.status === "placeholder") progress.placeholders += 1;
+            if (event.status === "retry-recovered") progress.retries += 1;
+            const mark =
+              event.status === "ok"
+                ? "✓"
+                : event.status === "retry-recovered"
+                  ? "↻"
+                  : "⚠";
+            console.error(
+              `${elapsed}s  ${mark} ${event.panel} [${progress.done}/${progress.total}]`
+            );
+          } else if (phase === "anchor_done") {
+            console.error(
+              `${elapsed}s  anchor → ${event.verdict_label || event.verdict}`
+            );
+          } else if (phase === "assembling") {
+            console.error(`${elapsed}s  assembling…`);
+          } else if (phase === "done") {
+            doneEvent = event;
+          } else if (phase === "error") {
+            throw new Error(`Memo composer error: ${event.error}`);
+          }
+        }
+      }
+
+      if (!doneEvent) {
+        throw new Error("Stream ended without 'done' event.");
+      }
+      print({
+        ok: true,
+        version: doneEvent.version,
+        degraded: doneEvent.degraded,
+        model: doneEvent.model,
+        duration_ms: doneEvent.duration_ms,
+        placeholders: progress.placeholders,
+        retries: progress.retries,
+      });
+      return;
+    }
+
+    // save — upload hand-written HTML as a manual override.
+    if (sub === "save") {
+      const { flags } = parseFlags(rest);
+      const dealId = rest[0];
+      if (!dealId || !flags.file) {
+        throw new Error("Usage: llama memo save <dealId> --file <path>");
+      }
+      const { readFileSync } = await import("fs");
+      const html = readFileSync(String(flags.file), "utf-8");
+      if (!html.trim()) throw new Error(`File ${flags.file} is empty.`);
+      print(
+        await request(
+          "PUT",
+          `/api/deals/${encodeURIComponent(dealId)}/memo`,
+          { html }
+        )
+      );
+      return;
+    }
+
+    // reset — default drops only the manual override (next read returns
+    // the composed row, if any); --all drops every version for this deal.
+    if (sub === "reset") {
+      const dealId = rest[0];
+      if (!dealId) {
+        throw new Error("Usage: llama memo reset <dealId> [--all]");
+      }
+      const { flags } = parseFlags(rest.slice(1));
+      print(
+        await request(
+          "DELETE",
+          `/api/deals/${encodeURIComponent(dealId)}/memo`,
+          { scope: flags.all ? "all" : "override_only" }
+        )
+      );
+      return;
+    }
+
+    throw new Error(
+      `Unknown memo subcommand "${sub || ""}". Use: show / regenerate / save / reset.`
+    );
+  }
+
   usage();
   process.exitCode = 1;
 }

package/lib/external.mjs

@@ -18,14 +18,11 @@ import { getBaseUrl } from "./client.mjs";
 const SESSION_DIR = path.join(os.homedir(), ".llama");
 const SESSION_FILE = path.join(SESSION_DIR, "external-session.json");
 
-// Server-side proof-of-work prefix. Must agree with
-// llama-command/src/lib/external-pow-client.ts. ~65k iterations average on
-// commodity hardware (~50–500ms in node).
+// Server-side proof-of-work prefix. Server-validated; tune in tandem
+// with the server policy if changed.
 const POW_DIFFICULTY_PREFIX = "0000";
 
-// Server requires ts_rendered to be at least 3s old (anti-replay). We
-// backdate by 4s when computing PoW so the request lands inside the
-// validity window without waiting.
+// Backdate offset for the rendered-at timestamp passed to the server.
 const POW_BACKDATE_MS = 4_000;
 
 // ============================================================
@@ -360,13 +357,13 @@ export async function uploadExternalFile(filePath) {
 
   if (!res.ok) {
     if (res.status === 413) {
-      throw new Error("File too large (max 50 MB).");
+      throw new Error("File too large.");
     }
     if (res.status === 415) {
       throw new Error(`MIME type "${mimetype}" not in server allowlist.`);
     }
     if (res.status === 429) {
-      throw new Error("Upload cap reached (10 files per session).");
+      throw new Error("Upload cap reached.");
     }
     if (res.status === 401 || res.status === 403) {
       throw new Error(

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@llamaventures/cli",
-  "version": "1.3.0",
-  "description": "Llama Ventures CLI + MCP server. Internal team tool for command.llamaventures.vc.",
+  "version": "1.4.0",
+  "description": "CLI + MCP server for the Llama Ventures investment workbench (command.llamaventures.vc).",
   "type": "module",
   "bin": {
     "llama": "bin/llama.mjs",