@llamaventures/cli 1.3.1 → 1.4.2

package/bin/llama-mcp.mjs

@@ -40,6 +40,34 @@ async function callApi(method, path, body) {
   }
 }
 
+// Append a block to a deal brief. The /blocks route only accepts atomic
+// full-array PUTs (no POST), so we GET current blocks, prepend the new
+// one (matches UI default since 2026-05-03), and PUT the merged array.
+// Server stamps identity meta on PUT; we don't send any.
+async function addBriefBlock(dealId, block) {
+  try {
+    const id = globalThis.crypto.randomUUID();
+    const cur = await request("GET", `/api/deals/${encodeURIComponent(dealId)}/blocks`);
+    const existing = Array.isArray(cur?.blocks) ? cur.blocks : [];
+    const result = await request(
+      "PUT",
+      `/api/deals/${encodeURIComponent(dealId)}/blocks`,
+      { blocks: [{ id, ...block }, ...existing] }
+    );
+    const text = JSON.stringify(
+      { ok: result?.ok ?? true, id, count: result?.count ?? existing.length + 1 },
+      null,
+      2
+    );
+    return { content: [{ type: "text", text }] };
+  } catch (err) {
+    return {
+      content: [{ type: "text", text: `Error: ${err?.message ?? String(err)}` }],
+      isError: true,
+    };
+  }
+}
+
 const server = new McpServer({
   name: "llama-mcp",
   version: PKG_VERSION,
@@ -202,7 +230,7 @@ server.registerTool(
   "brief_add_text",
   {
     description:
-      "Append a markdown text block to a deal brief. Supports markdown + mermaid diagrams.",
+      "Prepend a markdown text block to a deal brief. Supports markdown + mermaid diagrams.",
     inputSchema: {
       dealId: z.string(),
       heading: z.string().optional().describe("optional block heading"),
@@ -210,18 +238,14 @@ server.registerTool(
     },
   },
   async ({ dealId, heading, body }) =>
-    callApi("POST", `/api/deals/${encodeURIComponent(dealId)}/blocks`, {
-      type: "text",
-      heading,
-      body,
-    })
+    addBriefBlock(dealId, { type: "text", heading: heading ?? "", body })
 );
 
 server.registerTool(
   "brief_add_link",
   {
     description:
-      "Append a link block to a deal brief. Server fetches og:image + title via /api/link-preview.",
+      "Prepend a link block to a deal brief. Server fetches og:image + title via /api/link-preview.",
     inputSchema: {
       dealId: z.string(),
       url: z.string(),
@@ -229,18 +253,14 @@ server.registerTool(
     },
   },
   async ({ dealId, url, label }) =>
-    callApi("POST", `/api/deals/${encodeURIComponent(dealId)}/blocks`, {
-      type: "link",
-      url,
-      label,
-    })
+    addBriefBlock(dealId, { type: "link", url, label: label ?? "" })
 );
 
 server.registerTool(
   "brief_add_callout",
   {
     description:
-      "Append a callout block to a deal brief. Use for emphasized insights or warnings.",
+      "Prepend a callout block to a deal brief. Use for emphasized insights or warnings.",
     inputSchema: {
       dealId: z.string(),
       tone: z.string().describe("insight | warning | info | success"),
@@ -249,12 +269,7 @@ server.registerTool(
     },
   },
   async ({ dealId, tone, heading, body }) =>
-    callApi("POST", `/api/deals/${encodeURIComponent(dealId)}/blocks`, {
-      type: "callout",
-      tone,
-      heading,
-      body,
-    })
+    addBriefBlock(dealId, { type: "callout", tone, heading: heading ?? "", body })
 );
 
 // ============================================================
@@ -279,15 +294,23 @@ server.registerTool(
   {
     description:
       "Create or update a wiki page. Content should be markdown with attribution " +
-      "blocks (**[Name · YYYY-MM-DD · source · fact|opinion]**) for traceability.",
+      "blocks (**[Name · YYYY-MM-DD · source · fact|opinion]**) for traceability. " +
+      "`sources` is a separate citation list (URLs, doc names, or meeting references) " +
+      "— at least one is required; URLs embedded inside `content` do not count.",
     inputSchema: {
       slug: z.string().describe("kebab-case slug"),
       title: z.string(),
       content: z.string().describe("markdown content"),
+      sources: z
+        .array(z.string())
+        .min(1)
+        .describe(
+          "citation list — URLs, doc names, or meeting references. At least one required."
+        ),
     },
   },
-  async ({ slug, title, content }) =>
-    callApi("POST", "/api/wiki/save", { slug, title, content })
+  async ({ slug, title, content, sources }) =>
+    callApi("POST", "/api/wiki/save", { slug, title, content, sources })
 );
 
 // ============================================================
@@ -517,6 +540,92 @@ server.registerTool(
   }
 );
 
+// ============================================================
+// Memo — long-form HTML investment memo (the Memo tab in the UI)
+// ============================================================
+
+server.registerTool(
+  "memo_show",
+  {
+    description:
+      "Fetch the current memo for a deal. Returns the envelope: memo " +
+      "(html, version, source, updated_by, updated_at), mode " +
+      "('composed' = server-generated, 'override' = hand-written), and " +
+      "inflight (if a server-side regeneration is in progress). html " +
+      "can be 50-100KB — be deliberate about including it in your reply.",
+    inputSchema: {
+      dealId: z.string().describe("deal uuid"),
+    },
+  },
+  async ({ dealId }) =>
+    callApi("GET", `/api/deals/${encodeURIComponent(dealId)}/memo`)
+);
+
+server.registerTool(
+  "memo_regenerate",
+  {
+    description:
+      "Trigger server-side regeneration of the deal memo. Synchronous: " +
+      "returns the final result (version, model, duration_ms, degraded) " +
+      "once the composer finishes. Typical duration 2-3 minutes. Use " +
+      "tier='opus' for high-stakes deals (higher cost, deeper analysis).",
+    inputSchema: {
+      dealId: z.string().describe("deal uuid"),
+      tier: z
+        .enum(["sonnet", "opus"])
+        .optional()
+        .describe("LLM tier (default: sonnet)"),
+    },
+  },
+  async ({ dealId, tier }) =>
+    callApi("POST", `/api/deals/${encodeURIComponent(dealId)}/memo`, {
+      action: "regenerate",
+      stream: false,
+      model: tier ?? "sonnet",
+    })
+);
+
+server.registerTool(
+  "memo_save",
+  {
+    description:
+      "Save hand-written HTML as a manual override for a deal's memo. " +
+      "Manual overrides take precedence over auto-composed memos on " +
+      "read. Pass the full HTML document including <!DOCTYPE html>, " +
+      "<style>, and <body> — it's rendered as-is in a sandboxed iframe.",
+    inputSchema: {
+      dealId: z.string().describe("deal uuid"),
+      html: z
+        .string()
+        .describe("full HTML document"),
+    },
+  },
+  async ({ dealId, html }) =>
+    callApi("PUT", `/api/deals/${encodeURIComponent(dealId)}/memo`, { html })
+);
+
+server.registerTool(
+  "memo_reset",
+  {
+    description:
+      "Reset memo state. Default drops only the manual override row " +
+      "(next read falls back to the auto-composed version, if any). " +
+      "Pass scope='all' to drop every version for the deal — destructive, " +
+      "use sparingly.",
+    inputSchema: {
+      dealId: z.string().describe("deal uuid"),
+      scope: z
+        .enum(["override_only", "all"])
+        .optional()
+        .describe("default: override_only"),
+    },
+  },
+  async ({ dealId, scope }) =>
+    callApi("DELETE", `/api/deals/${encodeURIComponent(dealId)}/memo`, {
+      scope: scope ?? "override_only",
+    })
+);
+
 // ============================================================
 // Prompts
 // ============================================================

package/bin/llama.mjs

@@ -256,6 +256,12 @@ Wiki:
   llama wiki read <slug>
   llama wiki save <slug> --title "..." --content "..." --sources "url1;url2" [--type company] [--related "A;B"]
 
+Memo (long-form HTML investment memo — Memo tab in the UI):
+  llama memo show <dealId> [--out <path>] [--json]          # default: html → stdout (pipeable to file / browser)
+  llama memo regenerate <dealId> [--opus]                    # streams panel progress to stderr; result version → stdout
+  llama memo save <dealId> --file <path>                     # paste a hand-written HTML as manual override
+  llama memo reset <dealId> [--all]                          # default drops manual override; --all drops every version
+
 Admin (system admin only — server returns 403 for non-admin tokens):
   llama admin auth-events  [--kind X] [--actor email] [--subject email] [--since 24h|7d|30d|<ISO>] [--limit 100]
   llama admin deal-events  [--kind X] [--actor email] [--deal <uuid>] [--since 24h] [--limit 100]
@@ -1588,6 +1594,198 @@ https://command.llamaventures.vc/settings/tokens, run
     );
   }
 
+  // ----- Memo (long-form HTML investment memo) -----
+  // The Memo tab in the deal page renders HTML stored in deal_memos.
+  // Two sources of memo content:
+  //   - composed: generated by the server-side memo composer on demand
+  //   - manual:   a hand-written HTML you paste in
+  // Manual always beats composed on read; reset to drop the manual row
+  // and fall back to the composed one.
+  if (area === "memo") {
+    const sub = action;
+
+    // show — fetch the current memo. Default: print HTML to stdout
+    // (pipeable to file or browser). --out writes to a path. --json
+    // returns the full envelope (memo + mode + inflight info).
+    if (sub === "show") {
+      const dealId = rest[0];
+      if (!dealId) {
+        throw new Error("Usage: llama memo show <dealId> [--out <path>] [--json]");
+      }
+      const { flags } = parseFlags(rest.slice(1));
+      const data = await request(
+        "GET",
+        `/api/deals/${encodeURIComponent(dealId)}/memo`
+      );
+      if (flags.json) {
+        print(data);
+        return;
+      }
+      const html = data?.memo?.html;
+      if (!html) {
+        if (data?.requires_compose) {
+          throw new Error(
+            "No memo for this deal yet — run `llama memo regenerate <dealId>` to compose one."
+          );
+        }
+        throw new Error("Memo response missing html field.");
+      }
+      if (flags.out) {
+        const { writeFileSync } = await import("fs");
+        writeFileSync(String(flags.out), html);
+        console.error(`Wrote ${html.length} bytes → ${flags.out}`);
+        return;
+      }
+      // Stdout — supports `llama memo show <id> > memo.html` and piping
+      // to e.g. `open -f -a Safari` for quick preview.
+      process.stdout.write(html);
+      return;
+    }
+
+    // regenerate — kick off the server-side composer. Streams panel
+    // progress events to stderr so you can see live status; prints
+    // final summary JSON (version, model, duration) to stdout.
+    if (sub === "regenerate") {
+      const dealId = rest[0];
+      if (!dealId) {
+        throw new Error("Usage: llama memo regenerate <dealId> [--opus]");
+      }
+      const { flags } = parseFlags(rest.slice(1));
+      const tier = flags.opus ? "opus" : "sonnet";
+      const authHeaders = await getAuthHeaders();
+      if (Object.keys(authHeaders).length === 0) {
+        throw new Error(
+          "Not authenticated. Run `gcloud auth login` or `llama token set <llc_...>` first."
+        );
+      }
+      const res = await fetch(
+        `${getBaseUrl()}/api/deals/${encodeURIComponent(dealId)}/memo`,
+        {
+          method: "POST",
+          headers: { "Content-Type": "application/json", ...authHeaders },
+          body: JSON.stringify({
+            action: "regenerate",
+            stream: true,
+            model: tier,
+          }),
+        }
+      );
+      if (!res.ok || !res.body) {
+        const text = await res.text().catch(() => "");
+        throw new Error(`HTTP ${res.status}: ${text.slice(0, 300)}`);
+      }
+
+      const reader = res.body.getReader();
+      const decoder = new TextDecoder();
+      let buffer = "";
+      let doneEvent = null;
+      const startedAt = Date.now();
+      const progress = { done: 0, total: 12, placeholders: 0, retries: 0 };
+
+      while (true) {
+        const { value, done: streamDone } = await reader.read();
+        if (streamDone) break;
+        buffer += decoder.decode(value, { stream: true });
+        let idx;
+        while ((idx = buffer.indexOf("\n\n")) !== -1) {
+          const frame = buffer.slice(0, idx);
+          buffer = buffer.slice(idx + 2);
+          const dataLine = frame.split("\n").find((l) => l.startsWith("data:"));
+          if (!dataLine) continue;
+          let event;
+          try {
+            event = JSON.parse(dataLine.replace(/^data:\s?/, ""));
+          } catch {
+            continue;
+          }
+          const elapsed = ((Date.now() - startedAt) / 1000).toFixed(1);
+          const phase = event.phase || "?";
+          if (phase === "panel_done") {
+            progress.done = event.panels_completed ?? progress.done + 1;
+            progress.total = event.panels_total ?? progress.total;
+            if (event.status === "placeholder") progress.placeholders += 1;
+            if (event.status === "retry-recovered") progress.retries += 1;
+            const mark =
+              event.status === "ok"
+                ? "✓"
+                : event.status === "retry-recovered"
+                  ? "↻"
+                  : "⚠";
+            console.error(
+              `${elapsed}s  ${mark} ${event.panel} [${progress.done}/${progress.total}]`
+            );
+          } else if (phase === "anchor_done") {
+            console.error(
+              `${elapsed}s  anchor → ${event.verdict_label || event.verdict}`
+            );
+          } else if (phase === "assembling") {
+            console.error(`${elapsed}s  assembling…`);
+          } else if (phase === "done") {
+            doneEvent = event;
+          } else if (phase === "error") {
+            throw new Error(`Memo composer error: ${event.error}`);
+          }
+        }
+      }
+
+      if (!doneEvent) {
+        throw new Error("Stream ended without 'done' event.");
+      }
+      print({
+        ok: true,
+        version: doneEvent.version,
+        degraded: doneEvent.degraded,
+        model: doneEvent.model,
+        duration_ms: doneEvent.duration_ms,
+        placeholders: progress.placeholders,
+        retries: progress.retries,
+      });
+      return;
+    }
+
+    // save — upload hand-written HTML as a manual override.
+    if (sub === "save") {
+      const { flags } = parseFlags(rest);
+      const dealId = rest[0];
+      if (!dealId || !flags.file) {
+        throw new Error("Usage: llama memo save <dealId> --file <path>");
+      }
+      const { readFileSync } = await import("fs");
+      const html = readFileSync(String(flags.file), "utf-8");
+      if (!html.trim()) throw new Error(`File ${flags.file} is empty.`);
+      print(
+        await request(
+          "PUT",
+          `/api/deals/${encodeURIComponent(dealId)}/memo`,
+          { html }
+        )
+      );
+      return;
+    }
+
+    // reset — default drops only the manual override (next read returns
+    // the composed row, if any); --all drops every version for this deal.
+    if (sub === "reset") {
+      const dealId = rest[0];
+      if (!dealId) {
+        throw new Error("Usage: llama memo reset <dealId> [--all]");
+      }
+      const { flags } = parseFlags(rest.slice(1));
+      print(
+        await request(
+          "DELETE",
+          `/api/deals/${encodeURIComponent(dealId)}/memo`,
+          { scope: flags.all ? "all" : "override_only" }
+        )
+      );
+      return;
+    }
+
+    throw new Error(
+      `Unknown memo subcommand "${sub || ""}". Use: show / regenerate / save / reset.`
+    );
+  }
+
   usage();
   process.exitCode = 1;
 }

package/lib/external.mjs

@@ -317,6 +317,40 @@ function guessMimeType(filename) {
   return ALLOWED_MIME_BY_EXT[ext] || "application/octet-stream";
 }
 
+// Paths the upload helper refuses to read. The intent is "user must point
+// at a real, intentional document" — symlinks and well-known config
+// directories are rejected so an automated caller cannot ferry an
+// unintended file into the upload by handing over a misleading path.
+const DISALLOWED_PATH_PREFIXES = [
+  ".ssh",
+  ".llama",
+  ".aws",
+  ".config/gcloud",
+  ".gnupg",
+  ".kube",
+  ".docker",
+];
+
+function assertSafeUploadPath(filePath) {
+  const lstat = fs.lstatSync(filePath);
+  if (lstat.isSymbolicLink()) {
+    throw new Error(
+      "Upload path is a symbolic link; pass the real file path instead."
+    );
+  }
+  if (!lstat.isFile()) {
+    throw new Error("Upload path is not a regular file.");
+  }
+  const resolved = fs.realpathSync(filePath);
+  const home = os.homedir();
+  for (const prefix of DISALLOWED_PATH_PREFIXES) {
+    const denied = path.join(home, prefix);
+    if (resolved === denied || resolved.startsWith(denied + path.sep)) {
+      throw new Error("Upload path is not allowed.");
+    }
+  }
+}
+
 export async function uploadExternalFile(filePath) {
   const session = readExternalSession();
   if (!session) {
@@ -329,6 +363,8 @@ export async function uploadExternalFile(filePath) {
     throw new Error(`File not found: ${filePath}`);
   }
 
+  assertSafeUploadPath(filePath);
+
   const fileData = fs.readFileSync(filePath);
   const filename = path.basename(filePath);
   const mimetype = guessMimeType(filename);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@llamaventures/cli",
-  "version": "1.3.1",
+  "version": "1.4.2",
   "description": "CLI + MCP server for the Llama Ventures investment workbench (command.llamaventures.vc).",
   "type": "module",
   "bin": {