@meetless/mla 0.1.5 → 0.1.6

package/dist/build-info.json

@@ -1,9 +1,9 @@
 {
-  "version": "0.1.5",
-  "sha": "a984add",
+  "version": "0.1.6",
+  "sha": "5434c09",
   "branch": "HEAD",
   "dirty": false,
-  "builtAt": "2026-06-27T18:44:27.928Z",
+  "builtAt": "2026-06-27T19:14:26.079Z",
   "sentryDsn": "",
   "updatePublicKey": ""
 }

package/dist/cli.js

@@ -65,6 +65,7 @@ const internal_evidence_hooks_1 = require("./commands/internal-evidence-hooks");
 const internal_steer_sync_1 = require("./commands/internal-steer-sync");
 const internal_capture_decisions_1 = require("./commands/internal-capture-decisions");
 const internal_pretool_observe_1 = require("./commands/internal-pretool-observe");
+const internal_redact_capture_1 = require("./commands/internal-redact-capture");
 const internal_turn_recap_1 = require("./commands/internal-turn-recap");
 const internal_refresh_1 = require("./commands/internal-refresh");
 const internal_session_nudge_1 = require("./commands/internal-session-nudge");
@@ -73,11 +74,13 @@ const upgrade_apply_1 = require("./lib/upgrade-apply");
 const wire_1 = require("./lib/wire");
 const scan_context_1 = require("./commands/scan-context");
 const kb_1 = require("./commands/kb");
+const agent_memory_1 = require("./commands/agent-memory");
 const enrich_1 = require("./commands/enrich");
 const graph_1 = require("./commands/graph");
 const summary_1 = require("./commands/summary");
 const label_1 = require("./commands/label");
 const stats_1 = require("./commands/stats");
+const pilot_1 = require("./commands/pilot");
 const turn_1 = require("./commands/turn");
 const ask_1 = require("./commands/ask");
 const session_1 = require("./commands/session");
@@ -95,7 +98,7 @@ const rules_1 = require("./commands/rules");
 // Commands:
 //   mla init [flags]
 //   mla rewire [flags]
-//   mla activate [--name <name>] [--note <text>] [--here|--create|--repair] [--bootstrap <fast|agentic|full>]
+//   mla activate [--name <name>] [--note <text>] [--here|--create|--repair] [--bootstrap <fast|agentic>]
 //   mla deactivate [--yes] [--from-root|--marker <path>]
 //   mla mute | mla unmute
 //   mla review [--plain] [--no-flush]
@@ -154,11 +157,12 @@ usage:
   mla activate --repair
                     (re-check the existing binding's membership + connectivity;
                      never mints a new id)
-  mla activate --bootstrap <fast|agentic|full>
+  mla activate --bootstrap <fast|agentic>
                     (bootstrap tier for the activation preview: fast (default) shows
-                     the deterministic review bundle; agentic ALSO emits a deep-read
-                     scout mission to hand a coding agent; full adds the temporal
-                     legacy-note graph (not built yet, falls back to agentic))
+                     the deterministic review bundle. agentic is DEPRECATED: it still
+                     emits a static deep-read scout mission, but the consolidated
+                     agent-driven onboarding is /mla onboard. The old full tier was
+                     removed; --bootstrap full now errors with a migration note.)
   mla deactivate [--yes] [--from-root|--marker <path>]
                     (REMOVE this folder's workspace binding: deletes the nearest
                      .meetless.json. Confirms first (--yes to skip); from a subdir
@@ -260,6 +264,11 @@ usage:
                     (usefulness-first dashboard from local events.jsonl: evidence
                      followthrough, contradictions caught, coverage gaps. default
                      window 30d. \`evidence\` is the focused adoption join below.)
+  mla pilot <feedback|report|export|sample-check> ...
+                    (pilot value signal: record one explicit verdict at a natural
+                     point (feedback), score the four hypotheses (report), dump the
+                     raw pilot subset (export), or consult the 1-in-N injection
+                     sampling gate (sample-check). Local events.jsonl; no dashboard.)
   mla turn [N] [--session <sid>] [--json]
                     (per-turn assist recap: did mla run this turn and did it help?
                      no N recaps the latest completed turn of the current session;
@@ -488,6 +497,14 @@ async function dispatch(argv) {
             return (0, ask_1.runAsk)(argv.slice(1));
         case "kb":
             return (0, kb_1.runKb)(argv.slice(1));
+        // `mla agent-memory <enable|disable|status|scan|report>`: operator surface for
+        // the agent-memory capture pipeline (notes/20260626-agent-memory-auto-capture-
+        // proposal.md). Phase 1 is DRY-RUN ONLY: `scan` observes/classifies/secret-scans
+        // project-type Claude auto-memory files and records metadata-only decisions
+        // locally; it uploads nothing. Live ingestion is blocked upstream by the missing
+        // cross-revision claim-grain idempotency and is intentionally not wired.
+        case "agent-memory":
+            return (0, agent_memory_1.runAgentMemory)(argv.slice(1));
         // `mla enrich`: agent-orchestrated onboarding enrichment. `enrich plan` scans the
         // repo into an immutable run record + prints the plan the agent reads; `enrich
         // ingest` validates + persists the scouts' candidates born PENDING. The agent
@@ -508,6 +525,13 @@ async function dispatch(argv) {
             return (0, label_1.runLabel)(argv.slice(1));
         case "stats":
             return (0, stats_1.runStats)(argv.slice(1));
+        // `mla pilot` is the pilot value-signal surface (memo §6 Phase 3): record one
+        // explicit human verdict at a natural point (`feedback`), fold local events into
+        // the four hypotheses (`report`), dump the raw pilot subset (`export`), or consult
+        // the deterministic occasional-injection sampling gate (`sample-check`). No
+        // dashboard, no server -- it reads/writes the same local events.jsonl.
+        case "pilot":
+            return (0, pilot_1.runPilot)(argv.slice(1));
         // `mla turn [N]` is the per-turn analog of `mla stats`; `mla stats --turn`
         // routes to the SAME runTurn handler (one implementation, two entry points).
         case "turn":
@@ -572,6 +596,8 @@ async function dispatch(argv) {
                 return (0, internal_capture_decisions_1.runCaptureDecisions)(rest);
             if (sub === "pretool-observe")
                 return (0, internal_pretool_observe_1.runInternalPretoolObserve)(rest);
+            if (sub === "redact-capture")
+                return (0, internal_redact_capture_1.runInternalRedactCapture)(rest);
             if (sub === "turn-recap")
                 return (0, internal_turn_recap_1.runInternalTurnRecap)(rest);
             if (sub === "refresh")

package/dist/commands/activate.js

@@ -37,7 +37,8 @@ exports.renderActivationCard = void 0;
 exports.parseActivateArgs = parseActivateArgs;
 exports.resolveBootstrapTier = resolveBootstrapTier;
 exports.bootstrapTierEmitsMission = bootstrapTierEmitsMission;
-exports.bootstrapTierIsDeepNotYet = bootstrapTierIsDeepNotYet;
+exports.bootstrapTierIsDeprecated = bootstrapTierIsDeprecated;
+exports.agenticDeprecationNote = agenticDeprecationNote;
 exports.writeActivationMarker = writeActivationMarker;
 exports.clearDeactivateSentinel = clearDeactivateSentinel;
 exports.removeStaleGitignoreEntry = removeStaleGitignoreEntry;
@@ -59,7 +60,7 @@ Object.defineProperty(exports, "renderActivationCard", { enumerable: true, get:
 const scout_mission_1 = require("../lib/scanner/scout-mission");
 const scan_context_1 = require("./scan-context");
 const workspace_1 = require("../lib/workspace");
-const BOOTSTRAP_TIERS = ["fast", "agentic", "full"];
+const BOOTSTRAP_TIERS = ["fast", "agentic"];
 const VALUE_FLAGS = new Set(["--name", "--note", "--bootstrap"]);
 const BOOLEAN_FLAGS = new Set(["--here", "--create", "--repair"]);
 function parseActivateArgs(argv) {
@@ -76,6 +77,15 @@ function parseActivateArgs(argv) {
             else if (a === "--note")
                 out.note = v;
             else if (a === "--bootstrap") {
+                // The removed `full` tier gets a migration message, never a silent fallback
+                // to a shallower tier (Phase 2: "never silently fall back from a named-but-
+                // unbuilt tier").
+                if (v === "full") {
+                    throw new Error("The `full` bootstrap tier was removed: its temporal legacy-note graph was " +
+                        "never built. The deep, agent-driven read now lives in `/mla onboard` " +
+                        "(two read-only scouts; candidates land born PENDING for you to review). " +
+                        "Use `--bootstrap fast` (default) or run `/mla onboard` inside a session.");
+                }
                 if (!BOOTSTRAP_TIERS.includes(v)) {
                     throw new Error(`Invalid value for --bootstrap: ${v}. Supported tiers: ${BOOTSTRAP_TIERS.join(", ")}.`);
                 }
@@ -103,17 +113,27 @@ function parseActivateArgs(argv) {
 function resolveBootstrapTier(flags) {
     return flags.bootstrap ?? "fast";
 }
-// Whether a tier emits the agentic scout mission after the review bundle. Only the
-// deterministic `fast` tier stays silent; `agentic` and `full` both invite the
-// deep read.
+// Whether a tier emits the static scout mission after the review bundle. Only the
+// deterministic `fast` tier stays silent; the deprecated `agentic` tier still emits
+// the deep-read mission for back-compat.
 function bootstrapTierEmitsMission(tier) {
     return tier !== "fast";
 }
-// Whether a tier asks for the deep temporal scan that is not built in this lane
-// yet. Only `full` does; the activation tail uses this to print an honest "not yet,
-// running agentic instead" note rather than silently under-delivering.
-function bootstrapTierIsDeepNotYet(tier) {
-    return tier === "full";
+// Whether a tier is deprecated. `agentic` is kept working but steered toward the
+// consolidated `/mla onboard` flow; the activation tail prints the steer below it.
+function bootstrapTierIsDeprecated(tier) {
+    return tier === "agentic";
+}
+// Pure steer printed above the static `agentic` mission, pointing at the consolidated
+// `/mla onboard` flow. Exported so the writing-style + content guards can assert it
+// without driving the whole activation tail.
+function agenticDeprecationNote() {
+    return [
+        "`--bootstrap agentic` is deprecated. The richer, agent-driven onboarding is",
+        "`/mla onboard`: two read-only scouts read your docs and git history and surface",
+        "candidates born PENDING for you to review (the static mission below is a copy/paste",
+        "fallback for shells without a Claude Code session).",
+    ].join("\n");
 }
 // Pure marker writer (no console output). Writes a `.meetless.json` into `cwd`
 // unless one already exists and `force` is not set. Returns whether a NEW marker
@@ -481,6 +501,9 @@ function onboardRecommendation(opts) {
         "  history. They surface constraints, decisions, conventions, boundaries, and",
         "  deprecations as candidates born PENDING for you to review; nothing is accepted",
         "  automatically. You can run it now or any time later.",
+        "  First run only: the scout agents were just installed, and Claude Code loads",
+        "  agents at session start. If `/mla onboard` reports a scout agent is not found,",
+        "  restart Claude Code (or open a new session) and run it again.",
     ].join("\n");
 }
 // Shared tail for the provision/bind paths: clear any per-session OFF sentinel,
@@ -508,18 +531,16 @@ function finishActivate(cwd, tier, recommendOnboard = false) {
             const result = (0, scan_context_1.rescanAndCache)({ cwd, workspaceId: scanWorkspaceId });
             console.log("");
             console.log((0, bootstrap_summary_1.renderBootstrapSummary)(result));
-            // Deeper tiers invite the agentic scout to read the messy Tier-2 docs the
-            // deterministic pass could only count. `full` additionally asks for the
-            // temporal legacy-note graph, which is the canonical agent's lane and not
-            // built here, so we say so plainly and fall back to the agentic mission.
+            // The deprecated `agentic` tier still prints the static scout mission for the
+            // messy Tier-2 docs the deterministic pass could only count, but steers the
+            // operator to the consolidated `/mla onboard` flow first (Phase 2).
             if (bootstrapTierEmitsMission(tier)) {
-                if (bootstrapTierIsDeepNotYet(tier)) {
+                if (bootstrapTierIsDeprecated(tier)) {
                     console.log("");
-                    console.log("The `full` tier (temporal legacy-note graph) is not built yet; it depends on the");
-                    console.log("coordination graph. Running the agentic tier below, the deepest available now.");
+                    console.log(agenticDeprecationNote());
                 }
                 console.log("");
-                console.log("Agentic scout mission (hand this to a coding agent):");
+                console.log("Static scout mission (hand this to a coding agent):");
                 console.log("");
                 console.log((0, scout_mission_1.renderManualScoutMission)(result));
             }

package/dist/commands/agent-memory.js

@@ -0,0 +1,333 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runAgentMemory = runAgentMemory;
+// src/commands/agent-memory.ts
+//
+// `mla agent-memory <enable|disable|status|scan|push|report>`: the operator
+// surface for the agent-memory capture pipeline
+// (notes/20260626-agent-memory-auto-capture-proposal.md).
+//
+// `scan` is the Phase 1 DRY-RUN: it observes, classifies, secret-scans
+// (observe-only: signals are recorded, nothing is blocked), and records
+// metadata-only decisions locally; it uploads NOTHING.
+//
+// `push` is the Phase 2A LIVE pass: it uploads changed project-type memory
+// revisions to the governed KB (born PENDING, non-grounding), withholding any
+// file carrying a known credential format (SECRET-1). It is DEFAULT OFF behind
+// MEETLESS_AGENT_MEMORY_LIVE and refuses without --yes. The same collector also
+// runs (gated identically) from the Stop auto-index worker. Phase 2A keeps
+// claim extraction OFF; Phase 2B turns it on and is what the missing
+// cross-revision claim-grain idempotency (DERIVED-IDEMPOTENCY-1) gates.
+//
+// Consent (CONSENT-1) is explicit and per-directory: `enable` shows the resolved
+// directory, the target workspace, and exactly what capture does, and refuses to
+// persist a binding without `--yes`.
+const node_fs_1 = require("node:fs");
+const agent_memory_1 = require("../lib/scanner/agent-memory");
+const workspace_1 = require("../lib/workspace");
+const binding_1 = require("../lib/agent-memory-capture/binding");
+const collector_1 = require("../lib/agent-memory-capture/collector");
+const live_collector_1 = require("../lib/agent-memory-capture/live-collector");
+const ledger_1 = require("../lib/agent-memory-capture/ledger");
+const live_ledger_1 = require("../lib/agent-memory-capture/live-ledger");
+const report_1 = require("../lib/agent-memory-capture/report");
+function parseArgs(argv) {
+    const out = { sub: null, dir: null, workspace: null, yes: false, json: false };
+    for (let i = 0; i < argv.length; i++) {
+        const a = argv[i];
+        if (a === "--dir") {
+            out.dir = argv[++i] ?? null;
+            continue;
+        }
+        if (a === "--workspace") {
+            out.workspace = argv[++i] ?? null;
+            continue;
+        }
+        if (a === "--yes" || a === "-y") {
+            out.yes = true;
+            continue;
+        }
+        if (a === "--json") {
+            out.json = true;
+            continue;
+        }
+        if (a.startsWith("-")) {
+            throw new Error(`Unknown flag: ${a}`);
+        }
+        if (out.sub === null) {
+            out.sub = a;
+            continue;
+        }
+        throw new Error(`Unexpected argument: ${a}`);
+    }
+    return out;
+}
+function nowIso() {
+    return new Date().toISOString();
+}
+// Resolve the directory to operate on: --dir override, else the Claude
+// auto-memory dir for the current project cwd.
+function resolveDir(dir) {
+    return dir && dir.trim() ? dir.trim() : (0, agent_memory_1.agentMemoryDir)(process.cwd());
+}
+const CONSENT_LINES = [
+    "This enables LOCAL DRY-RUN capture only (Phase 1).",
+    "mla will observe project-type memory files in this directory, hash and",
+    "secret-scan them, and record metadata-only decisions to a local log.",
+    "Nothing is uploaded in this phase.",
+    "",
+    "Secret patterns are recorded as observations only here; they do not block",
+    "anything, because nothing leaves the machine. Pre-upload credential",
+    "blocking arrives with remote capture (Phase 2B), not in this phase.",
+    "Raw memory notes never ground any agent answer.",
+];
+function runEnable(args) {
+    const dir = resolveDir(args.dir);
+    let workspaceId;
+    if (args.workspace && args.workspace.trim()) {
+        workspaceId = args.workspace.trim();
+    }
+    else {
+        try {
+            workspaceId = (0, workspace_1.resolveWorkspaceContext)().workspaceId;
+        }
+        catch {
+            console.error("No activated workspace found. Run this inside an activated repo or pass --workspace <id>.");
+            return 2;
+        }
+    }
+    const canonical = (0, binding_1.canonicalizeDir)(dir);
+    if (!canonical) {
+        console.error(`Memory directory does not resolve: ${dir}`);
+        console.error("Pass an existing directory with --dir, or activate Claude memory first.");
+        return 2;
+    }
+    if (!args.yes) {
+        console.log(`Directory: ${canonical}`);
+        console.log(`Workspace: ${workspaceId}`);
+        console.log("");
+        for (const l of CONSENT_LINES)
+            console.log(l);
+        console.log("");
+        console.log("Re-run with --yes to consent and enable dry-run capture.");
+        return 0;
+    }
+    const outcome = (0, binding_1.enableBinding)(canonical, workspaceId, nowIso());
+    if (!outcome.ok) {
+        if (outcome.reason === "workspace-conflict") {
+            console.error(`This directory is already bound to workspace ${outcome.conflictWorkspaceId}. ` +
+                "One memory directory binds exactly one workspace (MEMORY-WORKSPACE-1). " +
+                "Disable the existing binding first.");
+            return 2;
+        }
+        console.error(`Memory directory does not resolve: ${dir}`);
+        return 2;
+    }
+    const b = outcome.binding;
+    console.log(`${outcome.reactivated ? "Reactivated" : "Enabled"} dry-run capture for ${b.memoryDir}`);
+    console.log(`Binding: ${b.bindingId} -> workspace ${b.workspaceId}`);
+    console.log("Run `mla agent-memory scan` to record a dry-run pass (uploads nothing).");
+    return 0;
+}
+function runDisable(args) {
+    const dir = resolveDir(args.dir);
+    const canonical = (0, binding_1.canonicalizeDir)(dir) ?? dir;
+    const b = (0, binding_1.disableBinding)(canonical);
+    if (!b) {
+        console.error(`No capture binding found for ${canonical}`);
+        return 1;
+    }
+    console.log(`Disabled capture for ${b.memoryDir} (binding ${b.bindingId} preserved).`);
+    return 0;
+}
+// Derive the live ledger's counts for one binding: how many paths the SERVER has
+// acked (uploaded), how many are currently WITHHELD by the credential denylist
+// (blocked), and the total tracked. The live ledger stores acks/blocks, not
+// outcomes, so these are computed from the entry shape.
+function liveLedgerCounts(bindingId) {
+    const entries = Object.values((0, live_ledger_1.readLiveLedger)(bindingId).entries);
+    let uploaded = 0;
+    let blocked = 0;
+    for (const e of entries) {
+        if (e.lastUploadedHash)
+            uploaded++;
+        if (e.blockedHash)
+            blocked++;
+    }
+    return { tracked: entries.length, uploaded, blocked };
+}
+function runStatus(args) {
+    const bindings = (0, binding_1.listBindings)();
+    if (args.json) {
+        const rows = bindings.map((b) => ({
+            ...b,
+            ledgerEntries: Object.keys((0, ledger_1.readLedger)(b.bindingId).entries).length,
+            live: liveLedgerCounts(b.bindingId),
+        }));
+        console.log(JSON.stringify({ liveCaptureEnabled: (0, live_collector_1.liveCaptureEnabled)(), bindings: rows }, null, 2));
+        return 0;
+    }
+    if (bindings.length === 0) {
+        console.log("No agent-memory capture bindings. Run `mla agent-memory enable` to create one.");
+        return 0;
+    }
+    console.log(`Live capture: ${(0, live_collector_1.liveCaptureEnabled)() ? "ENABLED" : "off (default)"}`);
+    for (const b of bindings) {
+        const entries = Object.keys((0, ledger_1.readLedger)(b.bindingId).entries).length;
+        const live = liveLedgerCounts(b.bindingId);
+        console.log(`${b.enabled ? "[enabled] " : "[disabled]"} ${b.memoryDir}`);
+        console.log(`  binding   ${b.bindingId}`);
+        console.log(`  workspace ${b.workspaceId}`);
+        console.log(`  consented ${b.consentedAt}`);
+        console.log(`  tracked   ${entries} file(s) in dry-run ledger`);
+        console.log(`  live      ${live.tracked} tracked, ${live.uploaded} uploaded, ${live.blocked} blocked`);
+    }
+    return 0;
+}
+function tally(records) {
+    const t = {};
+    for (const r of records)
+        t[r.decision] = (t[r.decision] ?? 0) + 1;
+    return t;
+}
+function runScan(args) {
+    const results = (0, collector_1.runDryRunCollector)({ nowIso: nowIso() });
+    if (args.json) {
+        console.log(JSON.stringify({ results }, null, 2));
+        return 0;
+    }
+    if (results.length === 0) {
+        console.log("No enabled bindings. Run `mla agent-memory enable` first.");
+        return 0;
+    }
+    for (const r of results) {
+        if (!r.locked) {
+            console.log(`${r.bindingId}: skipped (another collector holds the lock)`);
+            continue;
+        }
+        const s = r.summary;
+        if (!s) {
+            console.log(`${r.bindingId}: no summary`);
+            continue;
+        }
+        const t = tally(s.records);
+        const parts = Object.entries(t).map(([k, v]) => `${k}=${v}`).join(" ");
+        console.log(`${s.memoryDir} [scan ${s.scanComplete ? "complete" : "PARTIAL"}] ${parts || "(no files)"}`);
+        console.log(`  appended ${r.appended} actionable decision(s) to the dry-run log`);
+    }
+    return 0;
+}
+function liveTally(records) {
+    const t = {};
+    for (const r of records)
+        t[r.outcome] = (t[r.outcome] ?? 0) + 1;
+    return t;
+}
+// `push`: the Phase 2A LIVE upload pass. DEFAULT OFF (MEETLESS_AGENT_MEMORY_LIVE)
+// and refuses without --yes. Shares the exact collector + gates the Stop worker
+// uses, so a manual push and an automatic Stop pass behave identically.
+async function runPush(args) {
+    if (!(0, live_collector_1.liveCaptureEnabled)()) {
+        console.error("Live agent-memory capture is OFF (the default).");
+        console.error("");
+        console.error("When enabled, this uploads changed project-type memory revisions to the");
+        console.error("governed KB as born-PENDING sources. They never ground any agent answer");
+        console.error("until a human accepts a derived claim. A pre-upload credential denylist");
+        console.error("withholds any file carrying a known credential format.");
+        console.error("");
+        console.error("To enable, set MEETLESS_AGENT_MEMORY_LIVE=1 and re-run with --yes:");
+        console.error("  MEETLESS_AGENT_MEMORY_LIVE=1 mla agent-memory push --yes");
+        return 0;
+    }
+    if (!args.yes) {
+        console.log("Live capture is ENABLED.");
+        console.log("This will UPLOAD changed project-type memory files from every enabled binding");
+        console.log("to the governed KB (born PENDING, non-grounding). Files carrying a known");
+        console.log("credential format are withheld. Re-run with --yes to upload.");
+        return 0;
+    }
+    const results = await (0, live_collector_1.runLiveCollector)({ nowIso: nowIso() });
+    if (args.json) {
+        console.log(JSON.stringify({ results }, null, 2));
+        return 0;
+    }
+    if (results.length === 0) {
+        console.log("No live upload performed (no enabled bindings, or no resolvable actor identity).");
+        return 0;
+    }
+    for (const r of results) {
+        if (!r.locked) {
+            console.log(`${r.bindingId}: skipped (another collector holds the lock)`);
+            continue;
+        }
+        const s = r.summary;
+        if (!s) {
+            console.log(`${r.bindingId}: no summary`);
+            continue;
+        }
+        const t = liveTally(s.records);
+        const parts = Object.entries(t)
+            .map(([k, v]) => `${k}=${v}`)
+            .join(" ");
+        console.log(`${s.memoryDir} [scan ${s.scanComplete ? "complete" : "PARTIAL"}] ${parts || "(no files)"}`);
+        console.log(`  appended ${r.appended} actionable outcome(s) to the live log`);
+    }
+    return 0;
+}
+function runReport(args) {
+    const dir = resolveDir(args.dir);
+    if (!(0, node_fs_1.existsSync)(dir) || !(0, node_fs_1.statSync)(dir).isDirectory()) {
+        console.error(`Not a directory: ${dir}`);
+        return 2;
+    }
+    const report = (0, report_1.analyzeCorpus)(dir);
+    if (args.json) {
+        console.log(JSON.stringify(report, null, 2));
+        return 0;
+    }
+    console.log(`Corpus: ${report.memoryDir}`);
+    console.log(`Total .md files: ${report.totalMdFiles}`);
+    console.log(`By type: ${JSON.stringify(report.byType)}`);
+    console.log(`Size bytes: min=${report.sizeBytes.min} median=${report.sizeBytes.median} ` +
+        `p90=${report.sizeBytes.p90} max=${report.sizeBytes.max}`);
+    console.log(`Project files with a secret signal (observe-only): ${report.secretSignalFiles.length}`);
+    for (const b of report.secretSignalFiles) {
+        console.log(`  ${b.file}: ${b.ruleIds.join(", ")}`);
+    }
+    console.log(`Phase 2B credential-denylist probe (known fixtures caught): ${report.credentialProbePass ? "PASS" : "FAIL"}`);
+    if (report.credentialProbeMisses.length > 0) {
+        console.log(`  UNDETECTED known credential token(s) in: ${report.credentialProbeMisses.join(", ")}`);
+    }
+    console.log("");
+    console.log("Manual gates (not auto-measured):");
+    for (const g of report.manualGates)
+        console.log(`  - ${g}`);
+    return 0;
+}
+async function runAgentMemory(argv) {
+    let args;
+    try {
+        args = parseArgs(argv);
+    }
+    catch (e) {
+        console.error(e.message);
+        return 2;
+    }
+    switch (args.sub) {
+        case "enable":
+            return runEnable(args);
+        case "disable":
+            return runDisable(args);
+        case "status":
+            return runStatus(args);
+        case "scan":
+            return runScan(args);
+        case "push":
+            return runPush(args);
+        case "report":
+            return runReport(args);
+        default:
+            console.error("Usage: mla agent-memory <enable|disable|status|scan|push|report> [--dir <path>] [--workspace <id>] [--yes] [--json]");
+            return 2;
+    }
+}