@meetless/mla 0.1.4

package/dist/lib/open-url.js

@@ -0,0 +1,33 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.openUrl = openUrl;
+const child_process_1 = require("child_process");
+const defaultRunner = (cmd, args) => {
+    const r = (0, child_process_1.spawnSync)(cmd, args, { stdio: "ignore" });
+    return { error: r.error ?? undefined, status: r.status };
+};
+function launcherFor(platform, url) {
+    if (platform === "darwin")
+        return { cmd: "open", args: [url] };
+    if (platform === "win32")
+        return { cmd: "cmd", args: ["/c", "start", "", url] };
+    return { cmd: "xdg-open", args: [url] };
+}
+function openUrl(url, opts = {}) {
+    // Hand the OS launcher only vetted http(s) URLs. The Console URL is the only thing
+    // we ever open; rejecting everything else keeps a malformed config or a crafted
+    // path from reaching the shell.
+    if (!/^https?:\/\/\S+$/i.test(url)) {
+        return { ok: false, error: `refusing to open a non-http(s) URL: ${url}` };
+    }
+    const platform = opts.platform ?? process.platform;
+    const run = opts.run ?? defaultRunner;
+    const { cmd, args } = launcherFor(platform, url);
+    const r = run(cmd, args);
+    if (r.error)
+        return { ok: false, error: r.error.message };
+    if (typeof r.status === "number" && r.status !== 0) {
+        return { ok: false, error: `${cmd} exited ${r.status}` };
+    }
+    return { ok: true };
+}

package/dist/lib/orphan-guard.js

@@ -0,0 +1,70 @@
+"use strict";
+// Reaping guard for the long-lived `mla mcp` process tree (notes/20260622-mla-
+// mcp-process-leak-findings-and-fix.md, Tier 1). Shared by BOTH levels:
+//   - the worker (runMcp), which blocks on stdin EOF, and
+//   - the supervisor (runMcpSupervisor), which blocks on `await spawnChild`.
+//
+// The worker's MCP server blocks on stdin EOF (server.onclose in @meetless/mcp's
+// runStdioServer) as its ONLY exit path. So if the client dies WITHOUT closing
+// the stdin pipe (force-quit, crash, or a SIGTERM aimed at a parent in the
+// spawn chain that does not cascade), the worker is orphaned, reparented to
+// launchd (pid 1), and blocks on a stdin whose EOF will never arrive. The
+// supervisor has the mirror-image problem: if ITS parent dies but the worker
+// underneath it stays alive (so the worker's ppid is the still-running
+// supervisor, NOT 1, and the worker's own watchdog never fires), the supervisor
+// sits forever in `await spawnChild`. That orphaned-supervisor case was in fact
+// the MAJORITY of the measured leak (148 supervisors vs 61 workers), so the
+// watchdog has to live at every level, not just the leaf.
+//
+// Two backstops:
+//   1. SIGTERM/SIGINT/SIGHUP handlers: a direct signal tears the process down
+//      cleanly instead of being ignored while it waits. They run onTerminate
+//      first (the supervisor uses this to SIGTERM its in-flight worker so the
+//      whole tree collapses) and exit with signalExitCode.
+//   2. A parent-death watchdog: poll process.ppid; once it is 1 the original
+//      parent (client or supervisor) is gone, so run onTerminate and exit 0.
+//      macOS and Linux reparent orphans to pid 1, which makes this a reliable
+//      orphan signal. The timer is unref'd so it never, by itself, keeps the
+//      process alive (a unref'd timer does not hold the event loop open, so the
+//      clean disconnect/await path still ends the process exactly on time).
+//
+// Everything is injectable so the guard's behaviour is unit-tested without
+// registering real process listeners or wall-clock timers in the jest runner.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ORPHAN_POLL_MS = void 0;
+exports.installOrphanGuard = installOrphanGuard;
+exports.ORPHAN_POLL_MS = 5000;
+// The signals a terminal/editor or an OS shutdown sends to ask a process to
+// stop. Without these handlers Node's defaults still terminate on SIGTERM/SIGINT
+// in many cases, but an installed handler guarantees a clean, deterministic
+// teardown (run onTerminate, then exit with our chosen code) and covers SIGHUP,
+// which a closing terminal session delivers.
+const GUARD_SIGNALS = ["SIGTERM", "SIGINT", "SIGHUP"];
+// Install a level's death backstops. Call once, right before the long-lived
+// wait (the worker's serve loop, or the supervisor's spawn loop). Idempotency is
+// the caller's concern: in production each is invoked once per process, and the
+// unit tests inject a no-op.
+function installOrphanGuard(deps = {}) {
+    const on = deps.on ?? ((signal, handler) => void process.on(signal, handler));
+    const exit = deps.exit ?? ((code) => process.exit(code));
+    const getPpid = deps.getPpid ?? (() => process.ppid);
+    const setIntervalFn = deps.setIntervalFn ?? ((fn, ms) => setInterval(fn, ms));
+    const pollMs = deps.pollMs ?? exports.ORPHAN_POLL_MS;
+    const onTerminate = deps.onTerminate ?? (() => { });
+    const signalExitCode = deps.signalExitCode ?? 0;
+    for (const signal of GUARD_SIGNALS) {
+        on(signal, () => {
+            onTerminate();
+            exit(signalExitCode);
+        });
+    }
+    const timer = setIntervalFn(() => {
+        if (getPpid() === 1) {
+            onTerminate();
+            exit(0);
+        }
+    }, pollMs);
+    // Never let the watchdog itself hold the process open; the server's stdin
+    // pipe / the spawn await is the thing that should keep it alive, not this poll.
+    timer.unref();
+}

package/dist/lib/packaged.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isPackagedBinary = isPackagedBinary;
+// Runtime detection of the pkg-compiled standalone binary.
+//
+// `mla` ships two ways: a @yao-pkg/pkg-compiled single-file binary (curl|sh and
+// Homebrew) and a source/npm install on a real Node. The binary embeds its files
+// in a V8 snapshot rooted at /snapshot, and @yao-pkg/pkg sets `process.pkg` in
+// the packaged process. That snapshot has NO ESM dynamic-import callback, so any
+// true runtime import() of an ESM-only module fails with "A dynamic import
+// callback was not specified". `mla mcp` is exactly such a path (it
+// dynamic-imports the ESM-only @meetless/mcp), so the dispatcher uses this to
+// refuse cleanly in the binary rather than crash cryptically.
+//
+// From a source/npm install `process.pkg` is undefined and __dirname is a real
+// path, so this returns false and every code path behaves exactly as before.
+function isPackagedBinary() {
+    if (process.pkg != null)
+        return true;
+    return typeof __dirname === "string" && __dirname.startsWith("/snapshot");
+}

package/dist/lib/reconcile-sessions.js

@@ -0,0 +1,171 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.planSessionReconcile = planSessionReconcile;
+exports.projectDirForRepoPath = projectDirForRepoPath;
+exports.makeTranscriptStatusResolver = makeTranscriptStatusResolver;
+exports.executeSessionReconcile = executeSessionReconcile;
+const fs = __importStar(require("fs"));
+const os = __importStar(require("os"));
+const path = __importStar(require("path"));
+// Pure decision core. Walks the captured sessions and partitions them into
+// "archive" (provably-deleted transcript) and "skip" (everything else, with the
+// reason). Order-preserving so the human/JSON output is stable.
+function planSessionReconcile(sessions, transcriptStatus) {
+    const plan = { toArchive: [], skipped: [] };
+    for (const s of sessions) {
+        const id = s.externalSessionId;
+        // The gates are ordered cheapest/safest first so the skip reason is the most
+        // specific true statement about why this session was left alone.
+        if (s.adapter !== "claude_code") {
+            plan.skipped.push({ sessionId: id, reason: "not-claude-code" });
+            continue;
+        }
+        if (s.archivedAt != null) {
+            plan.skipped.push({ sessionId: id, reason: "already-archived" });
+            continue;
+        }
+        if (s.liveness === "LIVE") {
+            plan.skipped.push({ sessionId: id, reason: "live" });
+            continue;
+        }
+        const status = transcriptStatus(id, s.repoPath);
+        if (status === "deleted") {
+            plan.toArchive.push(id);
+        }
+        else if (status === "present") {
+            plan.skipped.push({ sessionId: id, reason: "transcript-present" });
+        }
+        else {
+            plan.skipped.push({ sessionId: id, reason: "transcript-unknown" });
+        }
+    }
+    return plan;
+}
+// Claude Code names a project dir by collapsing the cwd's path separators (and
+// dots) to '-'. Verified empirically against the live ~/.claude/projects:
+//   /Users/alice/projects/acme/web
+//     -> -Users-alice-projects-acme-web
+//   /private/tmp/ml-q6-pg-rV03lX -> -private-tmp-ml-q6-pg-rV03lX
+// We only use this to PROVE the project still exists on this machine; if our
+// encoding ever diverges from Claude Code's the dir simply will not be found, so
+// the session resolves to "unknown" (skip) rather than a false "deleted".
+function projectDirForRepoPath(repoPath) {
+    return repoPath.replace(/[/.]/g, "-");
+}
+// Build the default disk-backed resolver. Performs ONE upfront scan of every
+// project dir under projectsRoot, recording the set of session ids that have a
+// `<id>.jsonl` transcript ANYWHERE (an encoding-independent presence check: even
+// if the server's repoPath disagrees with the real project dir, a transcript that
+// exists is still found and the session is reported present, never archived).
+//
+// A session is "deleted" ONLY when it is absent from that global set AND the
+// project dir derived from its repoPath still exists on disk (proof we are on the
+// capture host and that project is real here). Otherwise it is "unknown".
+function makeTranscriptStatusResolver(deps = {}) {
+    const projectsRoot = deps.projectsRoot ?? path.join(os.homedir(), ".claude", "projects");
+    const present = new Set();
+    let rootEntries = [];
+    try {
+        rootEntries = fs.readdirSync(projectsRoot);
+    }
+    catch {
+        rootEntries = [];
+    }
+    for (const entry of rootEntries) {
+        const dir = path.join(projectsRoot, entry);
+        let isDir = false;
+        try {
+            isDir = fs.statSync(dir).isDirectory();
+        }
+        catch {
+            isDir = false;
+        }
+        if (!isDir)
+            continue;
+        let files = [];
+        try {
+            files = fs.readdirSync(dir);
+        }
+        catch {
+            files = [];
+        }
+        for (const f of files) {
+            if (f.endsWith(".jsonl"))
+                present.add(f.slice(0, -".jsonl".length));
+        }
+    }
+    const dirExists = (dir) => {
+        try {
+            return fs.statSync(dir).isDirectory();
+        }
+        catch {
+            return false;
+        }
+    };
+    return (sessionId, repoPath) => {
+        if (present.has(sessionId))
+            return "present";
+        const rp = (repoPath || "").trim();
+        if (!rp)
+            return "unknown";
+        const projectDir = path.join(projectsRoot, projectDirForRepoPath(rp));
+        return dirExists(projectDir) ? "deleted" : "unknown";
+    };
+}
+// Orchestrate one reconcile sweep: fetch the captured sessions, plan which have a
+// provably-deleted transcript, and (unless dry-run) archive exactly those. Archive
+// is fail-SOFT per session: a single failure is recorded in `failed` and the sweep
+// continues, because hiding one stale session must never depend on hiding another.
+// Under dry-run the plan is computed and returned but `archive` is never called, so
+// `--dry-run` is a faithful, side-effect-free preview of what a real run would do.
+async function executeSessionReconcile(deps, opts) {
+    const sessions = await deps.listSessions();
+    const plan = planSessionReconcile(sessions, deps.resolver);
+    const archived = [];
+    const failed = [];
+    if (!opts.dryRun) {
+        for (const id of plan.toArchive) {
+            try {
+                await deps.archive(id);
+                archived.push(id);
+            }
+            catch (e) {
+                failed.push({ sessionId: id, error: e.message });
+            }
+        }
+    }
+    return { plan, archived, failed, dryRun: opts.dryRun };
+}

package/dist/lib/redactor.js

@@ -0,0 +1,89 @@
+"use strict";
+// Shared secret redactor for the mla CLI. Mirror of
+// intel/app/observability/redaction.py and apps/control/src/core/services/redactor.ts.
+// Principle 7 of notes/20260528-mla-logging-and-tracing-proposal.md:
+// exactly one redactor, applied at the three places an operator can see
+// captured content. Cross-plane parity is locked by a shared fixture test
+// (tools/meetless-agent/test/lib/redactor-parity.spec.ts).
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.REDACTED = void 0;
+exports.redact = redact;
+exports.redactPayload = redactPayload;
+exports.REDACTED = "[REDACTED]";
+// Order matters: env_assignment runs first so KEY=value pairs are redacted
+// whole, not just the value half. Token literals come second for cases
+// without an = sign. High-entropy heuristic runs last to catch generic
+// session tokens that the prefix matchers miss.
+const PATTERNS = [
+    [
+        "env_assignment",
+        /\b([A-Z][A-Z0-9_]*_(?:TOKEN|KEY|SECRET|PASSWORD|PWD|API[_-]?KEY|ACCESS[_-]?KEY)|SECRET_[A-Z0-9_]+|PASSWORD|PASSWD|AWS_(?:ACCESS|SECRET)_(?:ACCESS_)?KEY(?:_ID)?|GH_TOKEN|GITHUB_TOKEN|OPENAI_API_KEY|ANTHROPIC_API_KEY)\s*[:=]\s*('[^']*'|"[^"]*"|\S+)/gim,
+    ],
+    ["bearer", /\b(Bearer|Basic)\s+[A-Za-z0-9._\-+/=]+/gi],
+    [
+        "provider_token",
+        /\b(sk-(?:proj-|ant-)?[A-Za-z0-9_\-]{16,}|ghp_[A-Za-z0-9]{20,}|gho_[A-Za-z0-9]{20,}|ghs_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,}|xox[baprs]-[A-Za-z0-9\-]{10,}|AKIA[0-9A-Z]{16}|ASIA[0-9A-Z]{16}|AIza[0-9A-Za-z_\-]{35}|hf_[A-Za-z0-9]{20,}|lf_(?:sk|pk)_[A-Za-z0-9]{20,})\b/g,
+    ],
+    ["cookie", /(Set-)?Cookie:\s*[^\r\n]+/gi],
+    [
+        "pem_key",
+        /-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----[\s\S]*?-----END (?:[A-Z ]+ )?PRIVATE KEY-----/g,
+    ],
+];
+const ENTROPY_TOKEN = /\b[A-Za-z0-9_\-+/=]{32,}\b/g;
+function shannonEntropy(s) {
+    if (!s)
+        return 0;
+    const counts = {};
+    for (const ch of s)
+        counts[ch] = (counts[ch] ?? 0) + 1;
+    const n = s.length;
+    let h = 0;
+    for (const c of Object.values(counts)) {
+        const p = c / n;
+        h -= p * Math.log2(p);
+    }
+    return h;
+}
+function looksHighEntropy(token) {
+    if (token.length < 32)
+        return false;
+    let lower = false, upper = false, digit = false, sep = false;
+    for (const ch of token) {
+        if (ch >= "a" && ch <= "z")
+            lower = true;
+        else if (ch >= "A" && ch <= "Z")
+            upper = true;
+        else if (ch >= "0" && ch <= "9")
+            digit = true;
+        else if ("_-+/=".includes(ch))
+            sep = true;
+    }
+    const classes = [lower, upper, digit, sep].filter(Boolean).length;
+    if (classes < 2)
+        return false;
+    return shannonEntropy(token) >= 3.5;
+}
+function redact(text) {
+    if (text === null || text === undefined || text === "")
+        return text;
+    let out = text;
+    for (const [, pat] of PATTERNS)
+        out = out.replace(pat, exports.REDACTED);
+    out = out.replace(ENTROPY_TOKEN, (m) => (looksHighEntropy(m) ? exports.REDACTED : m));
+    return out;
+}
+function redactPayload(value) {
+    if (typeof value === "string")
+        return redact(value);
+    if (Array.isArray(value))
+        return value.map((v) => redactPayload(v));
+    if (value !== null && typeof value === "object") {
+        const out = {};
+        for (const [k, v] of Object.entries(value)) {
+            out[k] = redactPayload(v);
+        }
+        return out;
+    }
+    return value;
+}

package/dist/lib/relationship-candidate-query.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildPendingCandidateQuery = buildPendingCandidateQuery;
+// The single query-string builder for control's relationship-candidate list route
+// (GET /internal/v1/relationship-candidates). Shared by the kb review listing
+// (cursor pagination) and the kb forget cascade so neither command module imports
+// the other. Pins the default review view: PENDING_REVIEW + LIVE.
+function buildPendingCandidateQuery(workspaceId, doc, limit, cursor) {
+    const qs = new URLSearchParams();
+    qs.set("workspaceId", workspaceId);
+    qs.set("statusId", "PENDING_REVIEW");
+    qs.set("posture", "LIVE");
+    qs.set("limit", String(limit));
+    if (doc) {
+        // `--doc note:foo.md` is an exact artifactId; a bare `foo.md` is a notePath the
+        // route resolves to a basename server-side (relationship-candidate.dto.ts).
+        if (doc.includes(":"))
+            qs.set("artifactId", doc);
+        else
+            qs.set("notePath", doc);
+    }
+    if (cursor) {
+        qs.set("cursorId", cursor.id);
+        qs.set("cursorCreatedAt", cursor.createdAt);
+    }
+    return qs.toString();
+}