@mem-weave/server 0.2.0

package/dist/providers/llm/openai.js

@@ -0,0 +1,45 @@
+import { z } from 'zod';
+const OpenaiConfigSchema = z.object({
+    baseUrl: z.string().url().default('https://api.openai.com/v1'),
+    apiKey: z.string(),
+    model: z.string().default('gpt-4o-mini'),
+    temperature: z.number().min(0).max(2).default(0.2),
+    maxTokens: z.number().int().positive().default(2048)
+});
+export class OpenaiLlmProvider {
+    config;
+    constructor(raw) {
+        this.config = OpenaiConfigSchema.parse(raw);
+    }
+    async call(systemPrompt, userPrompt) {
+        try {
+            const url = `${this.config.baseUrl.replace(/\/+$/, '')}/chat/completions`;
+            const res = await fetch(url, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                    'Authorization': `Bearer ${this.config.apiKey}`
+                },
+                body: JSON.stringify({
+                    model: this.config.model,
+                    messages: [
+                        { role: 'system', content: systemPrompt },
+                        { role: 'user', content: userPrompt }
+                    ],
+                    temperature: this.config.temperature,
+                    max_tokens: this.config.maxTokens
+                }),
+                signal: AbortSignal.timeout(30000)
+            });
+            if (!res.ok) {
+                const text = await res.text().catch(() => '');
+                throw new Error(`LLM API error ${res.status}: ${text.slice(0, 200)}`);
+            }
+            const json = await res.json();
+            return json.choices?.[0]?.message?.content ?? '';
+        }
+        catch (err) {
+            throw new Error('LLM request failed: ' + (err instanceof Error ? err.message : String(err)));
+        }
+    }
+}

package/dist/rest/routes/consolidation.js

@@ -0,0 +1,62 @@
+import { z } from 'zod';
+import { openDatabase } from '../../db/database.js';
+import { ConsolidationRunRepo } from '../../db/repositories/consolidation-run-repo.js';
+import { runConsolidation } from '../../workers/consolidator.js';
+import { randomUUID } from 'node:crypto';
+const TENANT_DEFAULT = 'tenant_default';
+const ListQuerySchema = z.object({
+    limit: z.coerce.number().int().min(1).max(200).default(20)
+});
+const IdParamSchema = z.object({ id: z.string().min(1) });
+const TriggerBodySchema = z.object({
+    dryRun: z.boolean().optional()
+}).default({});
+export function registerConsolidationRoute(app, dbPath) {
+    const runRepo = new ConsolidationRunRepo(openDatabase(dbPath));
+    app.get('/api/v1/consolidate/runs', async (request, reply) => {
+        const query = ListQuerySchema.parse(request.query);
+        const list = runRepo.listRecent(TENANT_DEFAULT, query.limit);
+        return reply.code(200).send({ runs: list, total: list.length });
+    });
+    app.get('/api/v1/consolidate/runs/:id', async (request, reply) => {
+        const { id } = IdParamSchema.parse(request.params);
+        const run = runRepo.getById(TENANT_DEFAULT, id);
+        if (!run) {
+            return reply.code(404).send({
+                error: { code: 'CONSOLIDATION_RUN_NOT_FOUND', message: `Run ${id} not found` }
+            });
+        }
+        return reply.code(200).send({ run });
+    });
+    app.post('/api/v1/consolidate', async (request, reply) => {
+        const body = TriggerBodySchema.parse(request.body ?? {});
+        const dryRun = body.dryRun ?? false;
+        const db = openDatabase(dbPath);
+        try {
+            const startedAt = Date.now();
+            const result = runConsolidation(db, TENANT_DEFAULT, { dryRun });
+            const endedAt = Date.now();
+            // Persist a run record so the UI can list it. (dryRun runs are also
+            // recorded so the UI can show "what would have happened".)
+            const id = randomUUID();
+            const runRepo2 = new ConsolidationRunRepo(db);
+            runRepo2.record({
+                tenantId: TENANT_DEFAULT,
+                startedAt,
+                endedAt,
+                promoted: result.promotedIds,
+                evicted: result.evictedIds,
+                merged: result.mergedPairs,
+                edgesCreated: 0,
+                contradictionFound: 0,
+                dryRun,
+                summary: result.summary
+            });
+            const run = runRepo2.getById(TENANT_DEFAULT, id);
+            return reply.code(200).send({ run });
+        }
+        finally {
+            db.close();
+        }
+    });
+}

package/dist/rest/routes/devices.js

@@ -0,0 +1,47 @@
+import { randomBytes } from 'node:crypto';
+import { z } from 'zod';
+import { openDatabase } from '../../db/database.js';
+import { DeviceRepo } from '../../db/repositories/device-repo.js';
+import { hashApiKey } from '../../server/auth.js';
+const TENANT_DEFAULT = 'tenant_default';
+const CreateBodySchema = z.object({
+    name: z.string().min(1).max(80),
+    type: z.enum(['opencode', 'cursor', 'claude_code', 'rest'])
+});
+const IdParamSchema = z.object({ id: z.string().min(1) });
+export function registerDevicesRoute(app, dbPath) {
+    const deviceRepo = new DeviceRepo(openDatabase(dbPath));
+    app.get('/api/v1/devices', async (_request, reply) => {
+        const list = deviceRepo.list(TENANT_DEFAULT);
+        return reply.code(200).send({ devices: list, total: list.length });
+    });
+    app.post('/api/v1/devices', async (request, reply) => {
+        const body = CreateBodySchema.parse(request.body);
+        // Generate a random 32-byte hex key (256 bits). The plain key is
+        // returned to the caller EXACTLY ONCE; only the SHA-256 hash is stored.
+        const apiKey = randomBytes(32).toString('hex');
+        const apiKeyHash = hashApiKey(apiKey, 'sha256');
+        const device = deviceRepo.create({
+            tenantId: TENANT_DEFAULT,
+            name: body.name,
+            type: body.type,
+            apiKeyHash
+        });
+        return reply.code(201).send({
+            device,
+            apiKey, // <-- returned only on creation
+            notice: 'This is the only time the API key will be shown. Store it securely.'
+        });
+    });
+    app.delete('/api/v1/devices/:id', async (request, reply) => {
+        const { id } = IdParamSchema.parse(request.params);
+        const existing = deviceRepo.getById(TENANT_DEFAULT, id);
+        if (!existing) {
+            return reply.code(404).send({
+                error: { code: 'DEVICE_NOT_FOUND', message: `Device ${id} not found` }
+            });
+        }
+        deviceRepo.delete(id);
+        return reply.code(200).send({ ok: true, deviceId: id });
+    });
+}

package/dist/rest/routes/injection.js

@@ -0,0 +1,76 @@
+import { z } from 'zod';
+import { openDatabase } from '../../db/database.js';
+import { searchMemories } from '../../retrieval/search-engine.js';
+import { buildStablePack, buildDeltaPack, createContentHash } from '../../injection/bundler.js';
+import { formatMemoriesAsXml } from '../../injection/formatter.js';
+const TENANT_DEFAULT = 'tenant_default';
+const InjectRequestSchema = z.object({
+    sessionId: z.string().min(1),
+    phase: z.enum(['session_start', 'prompt_delta', 'file_pack', 'failure_delta']),
+    query: z.string().optional(),
+    files: z.array(z.string()).optional(),
+    alreadyInjected: z.array(z.string()).optional()
+});
+export function registerInjectionRoute(app, dbPath) {
+    app.post('/api/v1/inject', async (request, reply) => {
+        const input = InjectRequestSchema.parse(request.body);
+        const db = openDatabase(dbPath);
+        try {
+            const alreadyInjected = new Set(input.alreadyInjected ?? []);
+            let result;
+            let contextMemories = [];
+            if (input.phase === 'session_start') {
+                // Stable pack: top long/medium memories
+                const stableRows = db.prepare(`
+          SELECT id, type, tier, title, summary, strength, importance
+          FROM memories
+          WHERE tenant_id = ? AND deleted_at IS NULL
+            AND (tier = 'long' OR (tier = 'medium' AND strength >= 0.4))
+            AND access_count >= 1
+          ORDER BY tier ASC, strength * importance DESC
+          LIMIT 50
+        `).all(TENANT_DEFAULT);
+                result = buildStablePack(stableRows, { budget: 1200 });
+                contextMemories = stableRows.filter(m => result.memoryIds.includes(m.id));
+            }
+            else {
+                // Delta pack: search for relevant memories
+                if (!input.query && (!input.files || input.files.length === 0)) {
+                    // Nothing to search for, return empty bundle
+                    result = { memoryIds: [], contentHash: createContentHash(input.phase, []), estimatedTokens: 0 };
+                }
+                else {
+                    const search = await searchMemories(db, TENANT_DEFAULT, {
+                        query: input.query ?? input.files?.join(' ') ?? '',
+                        limit: 10
+                    });
+                    const candidates = search.results.map(r => ({
+                        id: r.candidate.memory.id,
+                        type: r.candidate.memory.type,
+                        tier: r.candidate.memory.tier,
+                        title: r.candidate.memory.title,
+                        summary: r.candidate.memory.summary,
+                        strength: r.candidate.memory.strength,
+                        importance: r.candidate.memory.importance
+                    }));
+                    result = buildDeltaPack(candidates, { alreadyInjected, budget: 800 });
+                    contextMemories = candidates.filter(m => result.memoryIds.includes(m.id));
+                }
+            }
+            const contextXml = formatMemoriesAsXml(input.phase, contextMemories);
+            const bundleId = `${input.sessionId}:${input.phase}:${result.contentHash}`;
+            const body = {
+                bundleId,
+                phase: input.phase,
+                memoryIds: result.memoryIds,
+                contentHash: result.contentHash,
+                estimatedTokens: result.estimatedTokens,
+                contextXml
+            };
+            return reply.code(200).send(body);
+        }
+        finally {
+            db.close();
+        }
+    });
+}

package/dist/rest/routes/memories.js

@@ -0,0 +1,349 @@
+import { z } from 'zod';
+import { openDatabase } from '../../db/database.js';
+import { MemoryRepo } from '../../db/repositories/memory-repo.js';
+import { EdgeRepo } from '../../db/repositories/edge-repo.js';
+import { AccessLogRepo } from '../../db/repositories/access-log-repo.js';
+import { searchMemories } from '../../retrieval/search-engine.js';
+import { EdgeTypeSchema } from '../../core/types.js';
+import { RateLimiter } from '../../server/rate-limiter.js';
+const TENANT_DEFAULT = 'tenant_default';
+/**
+ * Per-tenant rate limiter for memory_write endpoints. The bucket is keyed
+ * by the API key (per device) so a misbehaving client cannot exhaust
+ * the bucket for an honest one. Defaults: 30 writes/minute burst, 2/sec
+ * sustained. Tuned for the "one memory per conversational turn" pattern;
+ * an LLM calling memory_save on every tool use fits comfortably.
+ */
+const writeLimiter = new RateLimiter({
+    capacity: 30,
+    refillPerSecond: 2
+});
+const ListQuerySchema = z.object({
+    limit: z.coerce.number().int().min(1).max(100).default(20),
+    offset: z.coerce.number().int().min(0).default(0),
+    type: z.string().optional(),
+    tier: z.string().optional()
+});
+const SearchBodySchema = z.object({
+    query: z.string().default(''),
+    limit: z.number().int().min(1).max(50).optional(),
+    scope: z.object({
+        project: z.string().optional(),
+        domain: z.string().optional(),
+        topic: z.string().optional()
+    }).optional(),
+    types: z.array(z.string()).optional(),
+    mode: z.enum(['compact', 'full']).optional()
+});
+const UpdateBodySchema = z.object({
+    title: z.string().min(1).max(120).optional(),
+    content: z.string().min(1).optional(),
+    summary: z.string().min(1).max(500).optional(),
+    importance: z.number().int().min(1).max(10).optional(),
+    confidence: z.number().min(0).max(1).optional()
+});
+const GraphQuerySchema = z.object({
+    depth: z.coerce.number().int().min(1).max(3).default(1),
+    edgeTypes: z.string().optional(),
+    direction: z.enum(['in', 'out', 'both']).default('both'),
+    limit: z.coerce.number().int().min(1).max(200).default(50)
+});
+const AccessLogsQuerySchema = z.object({
+    limit: z.coerce.number().int().min(1).max(200).default(50)
+});
+export function registerMemoriesRoute(app, dbPath) {
+    const memoryRepo = new MemoryRepo(openDatabase(dbPath));
+    const edgeRepo = new EdgeRepo(openDatabase(dbPath));
+    const accessLogRepo = new AccessLogRepo(openDatabase(dbPath));
+    // GET /api/v1/memories — list
+    app.get('/api/v1/memories', async (request, reply) => {
+        const query = ListQuerySchema.parse(request.query);
+        const db = openDatabase(dbPath);
+        try {
+            let sql = 'SELECT * FROM memories WHERE tenant_id = ? AND deleted_at IS NULL';
+            const params = [TENANT_DEFAULT];
+            if (query.type) {
+                sql += ' AND type = ?';
+                params.push(query.type);
+            }
+            if (query.tier) {
+                sql += ' AND tier = ?';
+                params.push(query.tier);
+            }
+            const countSql = sql.replace('SELECT *', 'SELECT COUNT(*) as cnt');
+            const total = db.prepare(countSql).get(...params).cnt;
+            sql += ' ORDER BY created_at DESC, rowid DESC LIMIT ? OFFSET ?';
+            params.push(query.limit, query.offset);
+            const rows = db.prepare(sql).all(...params);
+            const memories = rows.map((row) => memoryRepo.getById(TENANT_DEFAULT, row.id));
+            return reply.code(200).send({ memories, total, limit: query.limit, offset: query.offset });
+        }
+        finally {
+            db.close();
+        }
+    });
+    // POST /api/v1/memories — create (was in http.ts originally, kept here for cohesion)
+    app.post('/api/v1/memories', async (request, reply) => {
+        // Rate-limit by the authenticated device. Pre-bucket — even if Zod
+        // validation fails, the request counts against the limit, since a
+        // flood of invalid writes is still a flood.
+        const apiKey = request.headers['x-api-key'] ?? 'anonymous';
+        const limitResult = writeLimiter.consume(apiKey);
+        if (!limitResult.allowed) {
+            return reply
+                .code(429)
+                .header('Retry-After', String(limitResult.retryAfterSec))
+                .send({
+                error: {
+                    code: 'RATE_LIMITED',
+                    message: `Too many writes. Retry after ${limitResult.retryAfterSec}s.`
+                }
+            });
+        }
+        const { CreateMemoryInputSchema } = await import('../../core/types.js');
+        const input = CreateMemoryInputSchema.parse({
+            ...request.body,
+            tenantId: TENANT_DEFAULT
+        });
+        try {
+            const memory = memoryRepo.create(input);
+            return reply.code(201).send({
+                memoryId: memory.id,
+                type: memory.type,
+                tier: memory.tier,
+                title: memory.title,
+                summary: memory.summary,
+                createdEdges: []
+            });
+        }
+        catch (err) {
+            // UUID v4 collision is astronomically unlikely, but a PRIMARY KEY
+            // constraint failure is recoverable: re-throw as a clean 500 with
+            // a hint, not the raw SQLite error.
+            const msg = err.message ?? '';
+            if (msg.includes('UNIQUE') || msg.includes('PRIMARY KEY')) {
+                return reply.code(500).send({
+                    error: {
+                        code: 'ID_COLLISION',
+                        message: 'Failed to generate a unique memory id. Please retry.'
+                    }
+                });
+            }
+            throw err;
+        }
+    });
+    // POST /api/v1/memories/search
+    app.post('/api/v1/memories/search', async (request, reply) => {
+        const body = SearchBodySchema.parse(request.body);
+        const db = openDatabase(dbPath);
+        try {
+            const search = await searchMemories(db, TENANT_DEFAULT, {
+                query: body.query,
+                limit: body.limit ?? 8,
+                scope: body.scope,
+                types: body.types
+            });
+            const mode = body.mode ?? 'compact';
+            const results = search.results.map((r) => {
+                const base = {
+                    memoryId: r.candidate.memory.id,
+                    type: r.candidate.memory.type,
+                    tier: r.candidate.memory.tier,
+                    title: r.candidate.memory.title,
+                    summary: r.candidate.memory.summary,
+                    finalScore: r.finalScore,
+                    sources: Array.from(r.candidate.sources)
+                };
+                if (mode === 'full') {
+                    return {
+                        ...base,
+                        content: r.candidate.memory.content,
+                        importance: r.candidate.memory.importance,
+                        confidence: r.candidate.memory.confidence,
+                        strength: r.candidate.memory.strength,
+                        scopes: r.candidate.memory.scopes
+                    };
+                }
+                return base;
+            });
+            return reply.code(200).send({ results, totalCandidates: search.totalCandidates });
+        }
+        finally {
+            db.close();
+        }
+    });
+    // GET /api/v1/memories/:id
+    app.get('/api/v1/memories/:id', async (request, reply) => {
+        const params = z.object({ id: z.string().min(1) }).parse(request.params);
+        const memory = memoryRepo.getById(TENANT_DEFAULT, params.id);
+        if (!memory) {
+            return reply.code(404).send({
+                error: { code: 'MEMORY_NOT_FOUND', message: `Memory ${params.id} not found` }
+            });
+        }
+        return memory;
+    });
+    // PATCH /api/v1/memories/:id
+    app.patch('/api/v1/memories/:id', async (request, reply) => {
+        const params = z.object({ id: z.string().min(1) }).parse(request.params);
+        const body = UpdateBodySchema.parse(request.body);
+        const db = openDatabase(dbPath);
+        try {
+            const existing = memoryRepo.getById(TENANT_DEFAULT, params.id);
+            if (!existing) {
+                return reply.code(404).send({
+                    error: { code: 'MEMORY_NOT_FOUND', message: `Memory ${params.id} not found` }
+                });
+            }
+            const updates = [];
+            const values = [];
+            if (body.title !== undefined) {
+                updates.push('title = ?');
+                values.push(body.title);
+            }
+            if (body.content !== undefined) {
+                updates.push('content = ?');
+                values.push(body.content);
+            }
+            if (body.summary !== undefined) {
+                updates.push('summary = ?');
+                values.push(body.summary);
+            }
+            if (body.importance !== undefined) {
+                updates.push('importance = ?');
+                values.push(body.importance);
+            }
+            if (body.confidence !== undefined) {
+                updates.push('confidence = ?');
+                values.push(body.confidence);
+            }
+            if (updates.length === 0) {
+                return reply.code(200).send(existing);
+            }
+            updates.push('updated_at = ?');
+            values.push(Date.now());
+            values.push(TENANT_DEFAULT, params.id);
+            db.prepare(`
+        UPDATE memories SET ${updates.join(', ')}
+        WHERE tenant_id = ? AND id = ? AND deleted_at IS NULL
+      `).run(...values);
+            const updated = memoryRepo.getById(TENANT_DEFAULT, params.id);
+            return reply.code(200).send(updated);
+        }
+        finally {
+            db.close();
+        }
+    });
+    // DELETE /api/v1/memories/:id — soft delete
+    app.delete('/api/v1/memories/:id', async (request, reply) => {
+        const params = z.object({ id: z.string().min(1) }).parse(request.params);
+        const db = openDatabase(dbPath);
+        try {
+            const existing = memoryRepo.getById(TENANT_DEFAULT, params.id);
+            if (!existing) {
+                return reply.code(404).send({
+                    error: { code: 'MEMORY_NOT_FOUND', message: `Memory ${params.id} not found` }
+                });
+            }
+            const now = Date.now();
+            db.prepare(`
+        UPDATE memories SET deleted_at = ?, eviction_reason = ?
+        WHERE tenant_id = ? AND id = ?
+      `).run(now, 'manual_delete', TENANT_DEFAULT, params.id);
+            return reply.code(200).send({ ok: true, memoryId: params.id, deletedAt: now });
+        }
+        finally {
+            db.close();
+        }
+    });
+    // GET /api/v1/memories/:id/graph
+    app.get('/api/v1/memories/:id/graph', async (request, reply) => {
+        const params = z.object({ id: z.string().min(1) }).parse(request.params);
+        const query = GraphQuerySchema.parse(request.query);
+        const memory = memoryRepo.getById(TENANT_DEFAULT, params.id);
+        if (!memory) {
+            return reply.code(404).send({
+                error: { code: 'MEMORY_NOT_FOUND', message: `Memory ${params.id} not found` }
+            });
+        }
+        // Parse and validate edge types against EdgeTypeSchema
+        const edgeTypes = query.edgeTypes
+            ? query.edgeTypes.split(',').map((s) => s.trim()).filter(Boolean).flatMap((s) => {
+                const r = EdgeTypeSchema.safeParse(s);
+                return r.success ? [r.data] : [];
+            })
+            : undefined;
+        const db = openDatabase(dbPath);
+        try {
+            const allNeighbors = [];
+            const neighbors = edgeRepo.getNeighbors(TENANT_DEFAULT, params.id, query.direction, edgeTypes);
+            allNeighbors.push(...neighbors);
+            const seenNeighborIds = new Set([params.id]);
+            let frontier = neighbors.map((n) => n.neighborId);
+            for (let depth = 1; depth < query.depth && frontier.length > 0; depth++) {
+                const nextFrontier = [];
+                for (const nid of frontier) {
+                    if (seenNeighborIds.has(nid))
+                        continue;
+                    seenNeighborIds.add(nid);
+                    const next = edgeRepo.getNeighbors(TENANT_DEFAULT, nid, query.direction, edgeTypes);
+                    allNeighbors.push(...next);
+                    for (const n of next) {
+                        if (!seenNeighborIds.has(n.neighborId))
+                            nextFrontier.push(n.neighborId);
+                    }
+                }
+                frontier = nextFrontier;
+            }
+            // Build nodes
+            const nodeIds = new Set([params.id]);
+            for (const n of allNeighbors)
+                nodeIds.add(n.neighborId);
+            const nodes = Array.from(nodeIds).slice(0, query.limit).map((id) => {
+                const m = memoryRepo.getById(TENANT_DEFAULT, id);
+                return m ? {
+                    id: m.id,
+                    type: m.type,
+                    tier: m.tier,
+                    title: m.title,
+                    summary: m.summary
+                } : null;
+            }).filter(Boolean);
+            // Build edges (dedupe by edgeId)
+            const seenEdgeIds = new Set();
+            const edges = allNeighbors
+                .filter((n) => nodeIds.has(n.neighborId))
+                .filter((n) => {
+                if (seenEdgeIds.has(n.edgeId))
+                    return false;
+                seenEdgeIds.add(n.edgeId);
+                return true;
+            })
+                .map((n) => ({
+                id: n.edgeId,
+                fromMemoryId: n.direction === 'out' ? params.id : n.neighborId,
+                toMemoryId: n.direction === 'out' ? n.neighborId : params.id,
+                type: n.type,
+                strength: n.strength,
+                reason: n.reason
+            }));
+            return reply.code(200).send({ nodes, edges });
+        }
+        finally {
+            db.close();
+        }
+    });
+    // GET /api/v1/memories/:id/access-logs
+    app.get('/api/v1/memories/:id/access-logs', async (request, reply) => {
+        const params = z.object({ id: z.string().min(1) }).parse(request.params);
+        const query = AccessLogsQuerySchema.parse(request.query);
+        const memory = memoryRepo.getById(TENANT_DEFAULT, params.id);
+        if (!memory) {
+            return reply.code(404).send({
+                error: { code: 'MEMORY_NOT_FOUND', message: `Memory ${params.id} not found` }
+            });
+        }
+        const logs = accessLogRepo.listForMemory(TENANT_DEFAULT, params.id, query.limit);
+        return reply.code(200).send({ logs, total: logs.length });
+    });
+}

package/dist/rest/routes/observations.js

@@ -0,0 +1,29 @@
+import { z } from 'zod';
+import { openDatabase } from '../../db/database.js';
+import { ObservationRepo } from '../../db/repositories/observation-repo.js';
+const TENANT_DEFAULT = 'tenant_default';
+const ListQuerySchema = z.object({
+    limit: z.coerce.number().int().min(1).max(200).default(20),
+    unprocessedOnly: z.coerce.boolean().default(false)
+});
+const IdParamSchema = z.object({ id: z.string().min(1) });
+export function registerObservationsRoute(app, dbPath) {
+    const obsRepo = new ObservationRepo(openDatabase(dbPath));
+    app.get('/api/v1/observations', async (request, reply) => {
+        const query = ListQuerySchema.parse(request.query);
+        const list = query.unprocessedOnly
+            ? obsRepo.listUnprocessed(TENANT_DEFAULT, query.limit)
+            : obsRepo.listUnprocessed(TENANT_DEFAULT, query.limit); // v1: same path; v1.1 will add a "list all" method
+        return reply.code(200).send({ observations: list, total: list.length });
+    });
+    app.get('/api/v1/observations/:id', async (request, reply) => {
+        const { id } = IdParamSchema.parse(request.params);
+        const obs = obsRepo.getById(TENANT_DEFAULT, id);
+        if (!obs) {
+            return reply.code(404).send({
+                error: { code: 'OBSERVATION_NOT_FOUND', message: `Observation ${id} not found` }
+            });
+        }
+        return reply.code(200).send(obs);
+    });
+}

package/dist/rest/routes/sessions.js

@@ -0,0 +1,37 @@
+import { z } from 'zod';
+import { openDatabase } from '../../db/database.js';
+import { SessionRepo } from '../../db/repositories/session-repo.js';
+const TENANT_DEFAULT = 'tenant_default';
+const ListQuerySchema = z.object({
+    limit: z.coerce.number().int().min(1).max(200).default(20)
+});
+const IdParamSchema = z.object({ id: z.string().min(1) });
+export function registerSessionsRoute(app, dbPath) {
+    const sessionRepo = new SessionRepo(openDatabase(dbPath));
+    app.get('/api/v1/sessions', async (request, reply) => {
+        const query = ListQuerySchema.parse(request.query);
+        const list = sessionRepo.listRecent(TENANT_DEFAULT, query.limit);
+        return reply.code(200).send({ sessions: list, total: list.length });
+    });
+    app.get('/api/v1/sessions/:id', async (request, reply) => {
+        const { id } = IdParamSchema.parse(request.params);
+        const session = sessionRepo.getById(TENANT_DEFAULT, id);
+        if (!session) {
+            return reply.code(404).send({
+                error: { code: 'SESSION_NOT_FOUND', message: `Session ${id} not found` }
+            });
+        }
+        return reply.code(200).send(session);
+    });
+    app.get('/api/v1/sessions/:id/memories', async (request, reply) => {
+        const { id } = IdParamSchema.parse(request.params);
+        const session = sessionRepo.getById(TENANT_DEFAULT, id);
+        if (!session) {
+            return reply.code(404).send({
+                error: { code: 'SESSION_NOT_FOUND', message: `Session ${id} not found` }
+            });
+        }
+        const memories = sessionRepo.listMemories(TENANT_DEFAULT, id);
+        return reply.code(200).send({ memories, total: memories.length });
+    });
+}

package/dist/rest/routes/settings.js

@@ -0,0 +1,25 @@
+import { expandPath, loadConfig } from '../../core/config.js';
+/**
+ * GET /api/v1/settings — returns the loaded config with secrets masked.
+ * The UI uses this to display "read-only" configuration in the Settings page.
+ */
+export function registerSettingsRoute(app, configPath) {
+    app.get('/api/v1/settings', async (_request, reply) => {
+        const config = loadConfig(configPath);
+        // Mask secrets
+        const maskIfString = (v) => (v ? '***' : v);
+        return reply.code(200).send({
+            server: config.server,
+            storage: { ...config.storage, path: expandPath(config.storage.path) },
+            auth: {
+                ...config.auth,
+                deviceApiKey: maskIfString(config.auth.deviceApiKey)
+            },
+            embedding: { ...config.embedding, apiKey: maskIfString(config.embedding.apiKey) },
+            llm: { ...config.llm, apiKey: maskIfString(config.llm.apiKey) },
+            consolidation: config.consolidation,
+            injection: config.injection,
+            search: config.search
+        });
+    });
+}