@mnemonik/shared 1.0.0 → 5.75.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,39 @@
1
+ /**
2
+ * Hook dispatcher HTTP timeout budgets + AbortSignal helper.
3
+ *
4
+ * Single source of truth for the timeouts used by the three host-side
5
+ * hook dispatcher packages (`@mnemonik/claude-code-hooks`,
6
+ * `@mnemonik/codex-hooks`, `@mnemonik/cursor-hooks`). Before the
7
+ * 2026-05-16 audit Finding #7 cross-cutting cleanup, each package
8
+ * declared its own copy of these constants and a near-identical
9
+ * `withTimeout` helper — coordinating a budget change required three
10
+ * synchronised edits with no enforcement that the values matched.
11
+ *
12
+ * Surface is intentionally minimal: small constants + a single helper
13
+ * function. No fetch wrappers here — request shaping stays per-package
14
+ * because each host expresses its hook payloads differently.
15
+ */
16
+ /** Snapshot / file-context / policy-reminder / injections fetch budget. Critical-path. */
17
+ export declare const FETCH_TIMEOUT_MS = 2000;
18
+ /** Telemetry fan-out budget. Drop the metric rather than hold the user. */
19
+ export declare const TELEMETRY_TIMEOUT_MS = 500;
20
+ /** PostToolUse / track-ide-edit budget. Faster than FETCH because it's fire-and-forget. */
21
+ export declare const POST_TOOL_TIMEOUT_MS = 1500;
22
+ /** beforeMCPExecution gate budget. Same as FETCH today; documented separately so it can move independently. */
23
+ export declare const MCP_PRECHECK_TIMEOUT_MS = 2000;
24
+ /**
25
+ * Spawn an `AbortController` tied to a timeout. Returns the signal plus a
26
+ * `cleanup` function the caller MUST invoke (in `finally`) to clear the
27
+ * timer when the request finishes naturally — otherwise the timer leaks
28
+ * for the timeout duration.
29
+ *
30
+ * Identical signature to the inlined `withTimeout` that each hook package
31
+ * used before this consolidation; call sites swap their local import for
32
+ * `import { withHookTimeout } from '@mnemonik/shared'` and nothing else
33
+ * changes.
34
+ */
35
+ export declare function withHookTimeout(ms: number): {
36
+ signal: AbortSignal;
37
+ cleanup: () => void;
38
+ };
39
+ //# sourceMappingURL=hookTimeouts.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"hookTimeouts.d.ts","sourceRoot":"","sources":["../src/hookTimeouts.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,0FAA0F;AAC1F,eAAO,MAAM,gBAAgB,OAAO,CAAC;AAErC,2EAA2E;AAC3E,eAAO,MAAM,oBAAoB,MAAM,CAAC;AAExC,2FAA2F;AAC3F,eAAO,MAAM,oBAAoB,OAAO,CAAC;AAEzC,+GAA+G;AAC/G,eAAO,MAAM,uBAAuB,OAAO,CAAC;AAE5C;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,EAAE,EAAE,MAAM,GAAG;IAAE,MAAM,EAAE,WAAW,CAAC;IAAC,OAAO,EAAE,MAAM,IAAI,CAAA;CAAE,CAIxF"}
@@ -0,0 +1,40 @@
1
+ /**
2
+ * Hook dispatcher HTTP timeout budgets + AbortSignal helper.
3
+ *
4
+ * Single source of truth for the timeouts used by the three host-side
5
+ * hook dispatcher packages (`@mnemonik/claude-code-hooks`,
6
+ * `@mnemonik/codex-hooks`, `@mnemonik/cursor-hooks`). Before the
7
+ * 2026-05-16 audit Finding #7 cross-cutting cleanup, each package
8
+ * declared its own copy of these constants and a near-identical
9
+ * `withTimeout` helper — coordinating a budget change required three
10
+ * synchronised edits with no enforcement that the values matched.
11
+ *
12
+ * Surface is intentionally minimal: small constants + a single helper
13
+ * function. No fetch wrappers here — request shaping stays per-package
14
+ * because each host expresses its hook payloads differently.
15
+ */
16
+ /** Snapshot / file-context / policy-reminder / injections fetch budget. Critical-path. */
17
+ export const FETCH_TIMEOUT_MS = 2000;
18
+ /** Telemetry fan-out budget. Drop the metric rather than hold the user. */
19
+ export const TELEMETRY_TIMEOUT_MS = 500;
20
+ /** PostToolUse / track-ide-edit budget. Faster than FETCH because it's fire-and-forget. */
21
+ export const POST_TOOL_TIMEOUT_MS = 1500;
22
+ /** beforeMCPExecution gate budget. Same as FETCH today; documented separately so it can move independently. */
23
+ export const MCP_PRECHECK_TIMEOUT_MS = 2000;
24
+ /**
25
+ * Spawn an `AbortController` tied to a timeout. Returns the signal plus a
26
+ * `cleanup` function the caller MUST invoke (in `finally`) to clear the
27
+ * timer when the request finishes naturally — otherwise the timer leaks
28
+ * for the timeout duration.
29
+ *
30
+ * Identical signature to the inlined `withTimeout` that each hook package
31
+ * used before this consolidation; call sites swap their local import for
32
+ * `import { withHookTimeout } from '@mnemonik/shared'` and nothing else
33
+ * changes.
34
+ */
35
+ export function withHookTimeout(ms) {
36
+ const ac = new AbortController();
37
+ const timer = setTimeout(() => ac.abort(), ms);
38
+ return { signal: ac.signal, cleanup: () => clearTimeout(timer) };
39
+ }
40
+ //# sourceMappingURL=hookTimeouts.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"hookTimeouts.js","sourceRoot":"","sources":["../src/hookTimeouts.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,0FAA0F;AAC1F,MAAM,CAAC,MAAM,gBAAgB,GAAG,IAAI,CAAC;AAErC,2EAA2E;AAC3E,MAAM,CAAC,MAAM,oBAAoB,GAAG,GAAG,CAAC;AAExC,2FAA2F;AAC3F,MAAM,CAAC,MAAM,oBAAoB,GAAG,IAAI,CAAC;AAEzC,+GAA+G;AAC/G,MAAM,CAAC,MAAM,uBAAuB,GAAG,IAAI,CAAC;AAE5C;;;;;;;;;;GAUG;AACH,MAAM,UAAU,eAAe,CAAC,EAAU;IACxC,MAAM,EAAE,GAAG,IAAI,eAAe,EAAE,CAAC;IACjC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;IAC/C,OAAO,EAAE,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;AACnE,CAAC"}
package/dist/index.d.ts CHANGED
@@ -6,6 +6,8 @@
6
6
  */
7
7
  export { MCP_INSTRUCTIONS, MCP_INSTRUCTIONS_RAW, getMcpInstructions } from './instructions.js';
8
8
  export { USAGE_GUIDE } from './usageGuide.js';
9
- export { CodeScanner, type CodeChunk, type ScanOptions } from './codeScanner.js';
9
+ export { CodeScanner, AUTHORITY_FILE_MATCHERS, type CodeChunk, type ScanOptions, } from './codeScanner.js';
10
10
  export { FileSystemReader, getFileSystemReader, type ScanFilesResult, type ChangedFilesResult, type FileData, } from './FileSystemReader.js';
11
+ export { SECRET_PATTERNS, SECRET_REDACTION_PLACEHOLDER, scrubSecrets } from './secretPatterns.js';
12
+ export { FETCH_TIMEOUT_MS, TELEMETRY_TIMEOUT_MS, POST_TOOL_TIMEOUT_MS, MCP_PRECHECK_TIMEOUT_MS, withHookTimeout, } from './hookTimeouts.js';
11
13
  //# sourceMappingURL=index.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC/F,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,KAAK,SAAS,EAAE,KAAK,WAAW,EAAE,MAAM,kBAAkB,CAAC;AACjF,OAAO,EACL,gBAAgB,EAChB,mBAAmB,EACnB,KAAK,eAAe,EACpB,KAAK,kBAAkB,EACvB,KAAK,QAAQ,GACd,MAAM,uBAAuB,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC/F,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EACL,WAAW,EACX,uBAAuB,EACvB,KAAK,SAAS,EACd,KAAK,WAAW,GACjB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,gBAAgB,EAChB,mBAAmB,EACnB,KAAK,eAAe,EACpB,KAAK,kBAAkB,EACvB,KAAK,QAAQ,GACd,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,eAAe,EAAE,4BAA4B,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAClG,OAAO,EACL,gBAAgB,EAChB,oBAAoB,EACpB,oBAAoB,EACpB,uBAAuB,EACvB,eAAe,GAChB,MAAM,mBAAmB,CAAC"}
package/dist/index.js CHANGED
@@ -6,6 +6,8 @@
6
6
  */
7
7
  export { MCP_INSTRUCTIONS, MCP_INSTRUCTIONS_RAW, getMcpInstructions } from './instructions.js';
8
8
  export { USAGE_GUIDE } from './usageGuide.js';
9
- export { CodeScanner } from './codeScanner.js';
9
+ export { CodeScanner, AUTHORITY_FILE_MATCHERS, } from './codeScanner.js';
10
10
  export { FileSystemReader, getFileSystemReader, } from './FileSystemReader.js';
11
+ export { SECRET_PATTERNS, SECRET_REDACTION_PLACEHOLDER, scrubSecrets } from './secretPatterns.js';
12
+ export { FETCH_TIMEOUT_MS, TELEMETRY_TIMEOUT_MS, POST_TOOL_TIMEOUT_MS, MCP_PRECHECK_TIMEOUT_MS, withHookTimeout, } from './hookTimeouts.js';
11
13
  //# sourceMappingURL=index.js.map
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC/F,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAoC,MAAM,kBAAkB,CAAC;AACjF,OAAO,EACL,gBAAgB,EAChB,mBAAmB,GAIpB,MAAM,uBAAuB,CAAC"}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC/F,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EACL,WAAW,EACX,uBAAuB,GAGxB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,gBAAgB,EAChB,mBAAmB,GAIpB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,eAAe,EAAE,4BAA4B,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAClG,OAAO,EACL,gBAAgB,EAChB,oBAAoB,EACpB,oBAAoB,EACpB,uBAAuB,EACvB,eAAe,GAChB,MAAM,mBAAmB,CAAC"}
@@ -4,28 +4,47 @@
4
4
  * This is the SINGLE SOURCE OF TRUTH for MCP instructions.
5
5
  * Shared instruction content imported by the server.
6
6
  *
7
- * Version: 2.92
8
- * Updated: 2026-02-24
7
+ * Version: 2.98
8
+ * Updated: 2026-05-27
9
9
  *
10
- * v2.93: Code mode permanent all memory operations via memory_tools sandbox.
10
+ * v2.98 Doc truth contracts are the normal drift surface. linkedDocs and
11
+ * doc_code_couplings remain legacy diagnostics only; docs drift
12
+ * defaults to truth findings and legacy:true is explicit debug.
13
+ * v2.97 — Dropped legacy doc-coupling action guidance. Coupling rows are
14
+ * not truth findings (plan §1).
15
+ * v2.96 — Replace conditional memory_discover guidance with structural fix:
16
+ * bootstrap now includes _methodCatalog (discoverMemoryTools({})) so
17
+ * agents have the memory_tools calling convention from turn one.
18
+ * Instruction updated to reference _methodCatalog directly.
19
+ * v2.95 — Drop `augments` from JIT directive verdict list per plan §5 default
20
+ * (augments downgrades to ambient via the parallel recall gate, not
21
+ * the directive lane). See jit-knowledge-injector.md §5 decision note.
22
+ * v2.94 — Add JIT directive teaching (docs/development/jit-knowledge-injector.md §2.3).
23
+ *
24
+ * Code mode permanent — all memory operations via memory_tools sandbox.
11
25
  * memory_add, file_context etc. are now mnemonik.* methods, not standalone tools.
12
26
  *
13
- * v2.92: Zero-cooperation rewrite. Context auto-loads if session_bootstrap is skipped.
27
+ * Zero-cooperation rewrite. Context auto-loads if session_bootstrap is skipped.
14
28
  * Session summaries are auto-saved if agent doesn't call mnemonik.memory_add().
15
29
  * Instructions drastically simplified — the server handles the workflow now.
16
30
  *
17
- * v2.80: Token-optimised rewrite (superseded by v2.92).
31
+ * Token-optimised rewrite (superseded by later instruction rewrites).
18
32
  */
19
33
  /**
20
34
  * Get MCP instructions, respecting MNEMONIK_INSTRUCTIONS_ENABLED env var.
21
35
  * Set MNEMONIK_INSTRUCTIONS_ENABLED=false to disable for testing.
36
+ *
37
+ * Reads env through globalThis so this package compiles cleanly without
38
+ * `@types/node` (shared package's tsconfig doesn't include it, which made
39
+ * IDEs flag `process` as an unknown global even though the workspace
40
+ * tsc resolution found it).
22
41
  */
23
42
  export declare function getMcpInstructions(): string;
24
43
  /**
25
44
  * Raw instructions content (always returns the content, ignores env var).
26
45
  * Use getMcpInstructions() for production code.
27
46
  */
28
- export declare const MCP_INSTRUCTIONS_RAW = "You have Mnemonik, a persistent memory system for this project.\n\nFirst call, every session: session_bootstrap. Read the mnemonik skill (from available_skills) for the full workflow.\nAfter bootstrap: execute _directive.message actions immediately (scanner daemon check is mandatory).\n\nProactively call memory_search before starting new work \u2014 avoids rediscovering known patterns and contradicting past decisions.\nProactively call file_context before editing any file \u2014 loads past bugs, decisions, and gotchas for that file.\nProactively call checkpoint after making changes or decisions worth keeping \u2014 your context is ephemeral and checkpoint is the only way decisions survive across sessions and context compaction. Do not wait for the user to say \"done\" or \"thanks\".\n\nWhen mnemonik.file_context({ filePaths, cwd }) returns linkedDocs with driftStatus 'stale', update docs then call mnemonik.docs({ action: 'resolve', docPath, cwd }).\n\nSkip: formatting-only, trivial one-line, mechanical refactors, git ops, tests.\nSave: architectural decisions, bug root causes, user preferences, discovered patterns, multi-file changes.";
47
+ export declare const MCP_INSTRUCTIONS_RAW = "You have Mnemonik, a persistent memory system for this project.\n\nFirst call, every session: session_bootstrap. Read the mnemonik skill (from available_skills) for the full workflow.\nAfter bootstrap: execute _directive.message actions immediately (scanner daemon check is mandatory).\n\nThe bootstrap response includes _methodCatalog \u2014 the full list of mnemonik methods and the memory_tools calling convention. Read it before making any memory_tools calls. Use memory_discover({ method }) for the full schema and a copy-pasteable example of a specific method or action.\nProactively call memory_search before starting new work \u2014 avoids rediscovering known patterns and contradicting past decisions.\nProactively call file_context before editing any file \u2014 loads past bugs, decisions, and gotchas for that file.\nProactively call checkpoint after making changes or decisions worth keeping \u2014 your context is ephemeral and checkpoint is the only way decisions survive across sessions and context compaction. Do not wait for the user to say \"done\" or \"thanks\".\n\nDocumentation drift uses explicit doc-truth contracts. Treat _docDrift/docTruthFindings as actionable only when each finding includes a concrete assertion, named authority, observed mismatch, and agentAction='update_doc'. _docHealth, linkedDocs, stale-coupling counts, and docs({ action: 'drift', legacy: true }) are diagnostics only, not instructions to edit or resolve docs.\n\nAmbient envelopes contain background memories surfaced because they may be relevant to your current turn. Treat them as information, not directive. Weight them lower than your own reasoning unless they directly answer the question. They are advisory recall, not authoritative evidence.\n\nDirective envelopes with signal=\"jit_required\" are different from ambient. They surface memories that the server has classified as contradicting or materially refining the answer you were about to give to the current prompt. Each memory carries a verdict (contradicts | refines) and a one-line reason. Treat these as authoritative for the current response \u2014 comply with the surfaced fact unless it is clearly outdated or wrong. Do not silently route around them. If you disagree with a surfaced memory, say so explicitly and explain why; do not just ignore it.\n\nSkip: formatting-only, trivial one-line, mechanical refactors, git ops, tests.\nSave: architectural decisions, bug root causes, user preferences, discovered patterns, multi-file changes.";
29
48
  /**
30
49
  * Default export for convenience.
31
50
  * Note: This respects the MNEMONIK_INSTRUCTIONS_ENABLED env var.
@@ -1 +1 @@
1
- {"version":3,"file":"instructions.d.ts","sourceRoot":"","sources":["../src/instructions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAgBH;;;GAGG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,CAK3C;AAED;;;GAGG;AACH,eAAO,MAAM,oBAAoB,qoCAAuB,CAAC;AAEzD;;;GAGG;AACH,eAAO,MAAM,gBAAgB,QAAuB,CAAC"}
1
+ {"version":3,"file":"instructions.d.ts","sourceRoot":"","sources":["../src/instructions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAqBH;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,CAO3C;AAED;;;GAGG;AACH,eAAO,MAAM,oBAAoB,q9EAAuB,CAAC;AAEzD;;;GAGG;AACH,eAAO,MAAM,gBAAgB,QAAuB,CAAC"}
@@ -4,37 +4,63 @@
4
4
  * This is the SINGLE SOURCE OF TRUTH for MCP instructions.
5
5
  * Shared instruction content imported by the server.
6
6
  *
7
- * Version: 2.92
8
- * Updated: 2026-02-24
7
+ * Version: 2.98
8
+ * Updated: 2026-05-27
9
9
  *
10
- * v2.93: Code mode permanent all memory operations via memory_tools sandbox.
10
+ * v2.98 Doc truth contracts are the normal drift surface. linkedDocs and
11
+ * doc_code_couplings remain legacy diagnostics only; docs drift
12
+ * defaults to truth findings and legacy:true is explicit debug.
13
+ * v2.97 — Dropped legacy doc-coupling action guidance. Coupling rows are
14
+ * not truth findings (plan §1).
15
+ * v2.96 — Replace conditional memory_discover guidance with structural fix:
16
+ * bootstrap now includes _methodCatalog (discoverMemoryTools({})) so
17
+ * agents have the memory_tools calling convention from turn one.
18
+ * Instruction updated to reference _methodCatalog directly.
19
+ * v2.95 — Drop `augments` from JIT directive verdict list per plan §5 default
20
+ * (augments downgrades to ambient via the parallel recall gate, not
21
+ * the directive lane). See jit-knowledge-injector.md §5 decision note.
22
+ * v2.94 — Add JIT directive teaching (docs/development/jit-knowledge-injector.md §2.3).
23
+ *
24
+ * Code mode permanent — all memory operations via memory_tools sandbox.
11
25
  * memory_add, file_context etc. are now mnemonik.* methods, not standalone tools.
12
26
  *
13
- * v2.92: Zero-cooperation rewrite. Context auto-loads if session_bootstrap is skipped.
27
+ * Zero-cooperation rewrite. Context auto-loads if session_bootstrap is skipped.
14
28
  * Session summaries are auto-saved if agent doesn't call mnemonik.memory_add().
15
29
  * Instructions drastically simplified — the server handles the workflow now.
16
30
  *
17
- * v2.80: Token-optimised rewrite (superseded by v2.92).
31
+ * Token-optimised rewrite (superseded by later instruction rewrites).
18
32
  */
19
33
  const INSTRUCTIONS_CONTENT = `You have Mnemonik, a persistent memory system for this project.
20
34
 
21
35
  First call, every session: session_bootstrap. Read the mnemonik skill (from available_skills) for the full workflow.
22
36
  After bootstrap: execute _directive.message actions immediately (scanner daemon check is mandatory).
23
37
 
38
+ The bootstrap response includes _methodCatalog — the full list of mnemonik methods and the memory_tools calling convention. Read it before making any memory_tools calls. Use memory_discover({ method }) for the full schema and a copy-pasteable example of a specific method or action.
24
39
  Proactively call memory_search before starting new work — avoids rediscovering known patterns and contradicting past decisions.
25
40
  Proactively call file_context before editing any file — loads past bugs, decisions, and gotchas for that file.
26
41
  Proactively call checkpoint after making changes or decisions worth keeping — your context is ephemeral and checkpoint is the only way decisions survive across sessions and context compaction. Do not wait for the user to say "done" or "thanks".
27
42
 
28
- When mnemonik.file_context({ filePaths, cwd }) returns linkedDocs with driftStatus 'stale', update docs then call mnemonik.docs({ action: 'resolve', docPath, cwd }).
43
+ Documentation drift uses explicit doc-truth contracts. Treat _docDrift/docTruthFindings as actionable only when each finding includes a concrete assertion, named authority, observed mismatch, and agentAction='update_doc'. _docHealth, linkedDocs, stale-coupling counts, and docs({ action: 'drift', legacy: true }) are diagnostics only, not instructions to edit or resolve docs.
44
+
45
+ Ambient envelopes contain background memories surfaced because they may be relevant to your current turn. Treat them as information, not directive. Weight them lower than your own reasoning unless they directly answer the question. They are advisory recall, not authoritative evidence.
46
+
47
+ Directive envelopes with signal="jit_required" are different from ambient. They surface memories that the server has classified as contradicting or materially refining the answer you were about to give to the current prompt. Each memory carries a verdict (contradicts | refines) and a one-line reason. Treat these as authoritative for the current response — comply with the surfaced fact unless it is clearly outdated or wrong. Do not silently route around them. If you disagree with a surfaced memory, say so explicitly and explain why; do not just ignore it.
29
48
 
30
49
  Skip: formatting-only, trivial one-line, mechanical refactors, git ops, tests.
31
50
  Save: architectural decisions, bug root causes, user preferences, discovered patterns, multi-file changes.`;
32
51
  /**
33
52
  * Get MCP instructions, respecting MNEMONIK_INSTRUCTIONS_ENABLED env var.
34
53
  * Set MNEMONIK_INSTRUCTIONS_ENABLED=false to disable for testing.
54
+ *
55
+ * Reads env through globalThis so this package compiles cleanly without
56
+ * `@types/node` (shared package's tsconfig doesn't include it, which made
57
+ * IDEs flag `process` as an unknown global even though the workspace
58
+ * tsc resolution found it).
35
59
  */
36
60
  export function getMcpInstructions() {
37
- if (typeof process !== 'undefined' && process.env?.MNEMONIK_INSTRUCTIONS_ENABLED === 'false') {
61
+ const env = globalThis.process
62
+ ?.env;
63
+ if (env?.MNEMONIK_INSTRUCTIONS_ENABLED === 'false') {
38
64
  return '';
39
65
  }
40
66
  return INSTRUCTIONS_CONTENT;
@@ -1 +1 @@
1
- {"version":3,"file":"instructions.js","sourceRoot":"","sources":["../src/instructions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,MAAM,oBAAoB,GAAG;;;;;;;;;;;;2GAY8E,CAAC;AAE5G;;;GAGG;AACH,MAAM,UAAU,kBAAkB;IAChC,IAAI,OAAO,OAAO,KAAK,WAAW,IAAI,OAAO,CAAC,GAAG,EAAE,6BAA6B,KAAK,OAAO,EAAE,CAAC;QAC7F,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,oBAAoB,CAAC;AAC9B,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,oBAAoB,CAAC;AAEzD;;;GAGG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,kBAAkB,EAAE,CAAC"}
1
+ {"version":3,"file":"instructions.js","sourceRoot":"","sources":["../src/instructions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAEH,MAAM,oBAAoB,GAAG;;;;;;;;;;;;;;;;;2GAiB8E,CAAC;AAE5G;;;;;;;;GAQG;AACH,MAAM,UAAU,kBAAkB;IAChC,MAAM,GAAG,GAAI,UAAyE,CAAC,OAAO;QAC5F,EAAE,GAAG,CAAC;IACR,IAAI,GAAG,EAAE,6BAA6B,KAAK,OAAO,EAAE,CAAC;QACnD,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,oBAAoB,CAAC;AAC9B,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,oBAAoB,CAAC;AAEzD;;;GAGG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,kBAAkB,EAAE,CAAC"}
@@ -0,0 +1,36 @@
1
+ /**
2
+ * Single source of truth for secret-redaction patterns.
3
+ *
4
+ * Used by:
5
+ * - packages/shared CodeScanner — scrubs chunk content before computing
6
+ * contentHash, so daemon ships scrubbed content (correct hash for
7
+ * server-side cache dedup).
8
+ * - server /api/v1/scan/push handler — re-applies scrub as defense in
9
+ * depth (idempotent — already-scrubbed content stays the same), so
10
+ * older daemons or compromised daemons can't leak secrets through us.
11
+ * - server GitMiner — scrubs commit messages before storing as memories.
12
+ *
13
+ * Patterns target high-confidence credential shapes:
14
+ * 1. key=value style: api_key, secret, token, password, credential, auth
15
+ * 2. Stripe-style sk_live_/pk_test_ keys
16
+ * 3. GitHub personal access tokens (ghp_ prefix, exact 36 chars)
17
+ * 4. GitLab personal access tokens (glpat- prefix, 20+ chars)
18
+ * 5. PEM-style private key headers
19
+ *
20
+ * False-positive cost: a few legitimate strings get replaced with the
21
+ * placeholder. False-negative cost: a credential ships to the server and
22
+ * gets stored in a memory. The patterns are deliberately tight (require
23
+ * specific prefixes, length minimums) to keep the false-positive rate low
24
+ * while catching the common credential leak vectors.
25
+ */
26
+ export declare const SECRET_REDACTION_PLACEHOLDER = "[REDACTED]";
27
+ export declare const SECRET_PATTERNS: ReadonlyArray<RegExp>;
28
+ /**
29
+ * Replace recognized secret shapes in `text` with the redaction
30
+ * placeholder. Returns the input unchanged when no patterns match.
31
+ *
32
+ * Idempotent: scrubbing already-scrubbed text returns the same text
33
+ * (the placeholder itself doesn't match any pattern).
34
+ */
35
+ export declare function scrubSecrets(text: string): string;
36
+ //# sourceMappingURL=secretPatterns.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"secretPatterns.d.ts","sourceRoot":"","sources":["../src/secretPatterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,eAAO,MAAM,4BAA4B,eAAe,CAAC;AAEzD,eAAO,MAAM,eAAe,EAAE,aAAa,CAAC,MAAM,CAYjD,CAAC;AAEF;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAOjD"}
@@ -0,0 +1,56 @@
1
+ /**
2
+ * Single source of truth for secret-redaction patterns.
3
+ *
4
+ * Used by:
5
+ * - packages/shared CodeScanner — scrubs chunk content before computing
6
+ * contentHash, so daemon ships scrubbed content (correct hash for
7
+ * server-side cache dedup).
8
+ * - server /api/v1/scan/push handler — re-applies scrub as defense in
9
+ * depth (idempotent — already-scrubbed content stays the same), so
10
+ * older daemons or compromised daemons can't leak secrets through us.
11
+ * - server GitMiner — scrubs commit messages before storing as memories.
12
+ *
13
+ * Patterns target high-confidence credential shapes:
14
+ * 1. key=value style: api_key, secret, token, password, credential, auth
15
+ * 2. Stripe-style sk_live_/pk_test_ keys
16
+ * 3. GitHub personal access tokens (ghp_ prefix, exact 36 chars)
17
+ * 4. GitLab personal access tokens (glpat- prefix, 20+ chars)
18
+ * 5. PEM-style private key headers
19
+ *
20
+ * False-positive cost: a few legitimate strings get replaced with the
21
+ * placeholder. False-negative cost: a credential ships to the server and
22
+ * gets stored in a memory. The patterns are deliberately tight (require
23
+ * specific prefixes, length minimums) to keep the false-positive rate low
24
+ * while catching the common credential leak vectors.
25
+ */
26
+ export const SECRET_REDACTION_PLACEHOLDER = '[REDACTED]';
27
+ export const SECRET_PATTERNS = [
28
+ /(?:api[_-]?key|secret|token|password|credential|auth)\s*[:=]\s*\S+/gi,
29
+ // Stripe-shape: (sk|pk)_(live|test)_<24+ alphanumerics>. Catches modern
30
+ // Stripe keys whose body is split by an environment underscore that
31
+ // breaks the contiguous-alphanum pattern below. Required `live|test`
32
+ // literal prevents false-positives on snake_case identifiers like
33
+ // pkg_install_helper_function_xyz_abc_def.
34
+ /(?:sk|pk)_(?:live|test)_[a-zA-Z0-9]{24,}/g,
35
+ /(?:sk|pk)[-_][a-zA-Z0-9]{20,}/g,
36
+ /ghp_[a-zA-Z0-9]{36}/g,
37
+ /glpat-[a-zA-Z0-9-]{20,}/g,
38
+ /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g,
39
+ ];
40
+ /**
41
+ * Replace recognized secret shapes in `text` with the redaction
42
+ * placeholder. Returns the input unchanged when no patterns match.
43
+ *
44
+ * Idempotent: scrubbing already-scrubbed text returns the same text
45
+ * (the placeholder itself doesn't match any pattern).
46
+ */
47
+ export function scrubSecrets(text) {
48
+ if (!text)
49
+ return text;
50
+ let result = text;
51
+ for (const pattern of SECRET_PATTERNS) {
52
+ result = result.replace(pattern, SECRET_REDACTION_PLACEHOLDER);
53
+ }
54
+ return result;
55
+ }
56
+ //# sourceMappingURL=secretPatterns.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"secretPatterns.js","sourceRoot":"","sources":["../src/secretPatterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,MAAM,CAAC,MAAM,4BAA4B,GAAG,YAAY,CAAC;AAEzD,MAAM,CAAC,MAAM,eAAe,GAA0B;IACpD,sEAAsE;IACtE,wEAAwE;IACxE,oEAAoE;IACpE,qEAAqE;IACrE,kEAAkE;IAClE,2CAA2C;IAC3C,2CAA2C;IAC3C,gCAAgC;IAChC,sBAAsB;IACtB,0BAA0B;IAC1B,yDAAyD;CAC1D,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAAC,IAAY;IACvC,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,IAAI,MAAM,GAAG,IAAI,CAAC;IAClB,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;QACtC,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,4BAA4B,CAAC,CAAC;IACjE,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}
@@ -4,11 +4,12 @@
4
4
  * This is the SINGLE SOURCE OF TRUTH for the usage guide.
5
5
  * Shared usage guide content imported by the server.
6
6
  *
7
- * Version: 2.80
8
- * Updated: 2026-02-20 - Aligned with instructions/rules/skill v2.80
7
+ * Version: 2.82
8
+ * Updated: 2026-05-27 - Doc-truth-contract-rebuild: teach authority-backed
9
+ * truth findings and keep legacy coupling drift diagnostic only.
9
10
  *
10
11
  * This guide focuses on HOW to use Mnemonik effectively, not WHAT tools exist.
11
12
  * Tool schemas already tell agents what's available - they need the workflow.
12
13
  */
13
- export declare const USAGE_GUIDE = "# Mnemonik Workflow Guide (v2.80)\n\n## Workflow\n\nsession_bootstrap \u2192 memory_search \u2192 file_context \u2192 [work] \u2192 memory_add \u2192 memory_state\n\n## Tool Selection by Stage\n\n### Session start\n- session_bootstrap: loads context, policies, pending tasks (call once, first thing)\n- memory_search: search by task domain; set workflowContext (feature_implementation, debugging, exploration, policy_review)\n- projects: resolve project IDs if context unclear\n- policy: review safety rules\n\n### Before editing files\n- file_context: fetch memories for the file \u2014 call for EVERY file you edit\n- memory_search: second search scoped to file/module if needed\n- docs(action: 'links'): check doc couplings for the file\n\n### During implementation\n- memory_get: retrieve specific memory by id\n- memory_update: refine memory created this session\n- memory_info: query history, provenance, confidence breakdown, links, graph\n- assist: get tool guidance if uncertain\n\n### After significant work\n- memory_add: save decisions, outcomes, patterns, bug root causes\n- memory_state: reinforce (memory helped), supersede (replace outdated), deprecate, penalize, dispute\n- tasks: mark tasks in progress or complete\n- docs(action: 'drift'): check for stale documentation after code changes\n- docs(action: 'resolve'): mark stale docs as fixed after updating them\n\n### Diagnostics\n- doctor: when tool calls fail or behavior is inconsistent\n- scanner: refresh embeddings, trigger scans, check drift\n\n## Skip conditions\n\nSkip memory tools for: formatting-only edits, trivial one-line changes, mechanical refactors, git operations, running tests.\n\n## Completion gate\n\nNever tell the user significant work is done without calling memory_add first in the same response. Changes made + responding next = completion. \"Progress updates\" count.\n\n## Memory search tips\n\n- Query should include task intent + key entities\n- Set workflowContext when you know the phase\n- Use currentFile to boost file-linked memories\n- Use filterOnly:true only for narrow filters (no embedding, requires >=1 filter)\n\n## Proactive heuristics\n\n- Long sessions: re-run memory_search after switching topics\n- Conflicting info: use memory_state to supersede/dispute\n- High-impact changes: save memory immediately after verification\n- When file_context returns linkedDocs with driftStatus 'stale': update docs then docs(action: 'resolve')\n\n## Anti-fade (every ~10 tool calls)\n\nCheck: (1) memory_search before work? (2) file_context before edit? (3) memory_add after completing? No session_bootstrap? Call it now.\n";
14
+ export declare const USAGE_GUIDE = "# Mnemonik Workflow Guide (v2.82)\n\n## Workflow\n\nsession_bootstrap \u2192 memory_search \u2192 file_context \u2192 [work] \u2192 memory_add \u2192 memory_state\n\n## Tool Selection by Stage\n\n### Session start\n- session_bootstrap: loads context, policies, pending tasks (call once, first thing)\n- memory_search: search by task domain; set workflowContext (feature_implementation, debugging, exploration, policy_review)\n- projects: resolve project IDs if context unclear\n- policy: review safety rules\n\n### Before editing files\n- file_context: fetch memories for the file \u2014 call for EVERY file you edit\n- memory_search: second search scoped to file/module if needed\n- mnemonik.docs({ action: 'links' }): check doc couplings for the file\n\n### During implementation\n- memory_get: retrieve specific memory by id\n- memory_update: refine memory created this session\n- memory_info: query history, provenance, confidence breakdown, links, graph\n- assist: get tool guidance if uncertain\n\n### After significant work\n- memory_add: save decisions, outcomes, patterns, bug root causes\n- memory_state: reinforce (memory helped), supersede (replace outdated), deprecate, penalize, dispute\n- tasks: mark tasks in progress or complete\n- mnemonik.docs({ action: 'status' }): view doc-truth health (legacy coupling counts are diagnostic only \u2014 do not act on them as drift)\n\n### Diagnostics\n- doctor: when tool calls fail or behavior is inconsistent\n- scanner: refresh embeddings, trigger scans, check drift\n\n## Skip conditions\n\nSkip memory tools for: formatting-only edits, trivial one-line changes, mechanical refactors, git operations, running tests.\n\n## Completion gate\n\nNever tell the user significant work is done without calling memory_add first in the same response. Changes made + responding next = completion. \"Progress updates\" count.\n\n## Memory search tips\n\n- Query should include task intent + key entities\n- Set workflowContext when you know the phase\n- Use currentFile to boost file-linked memories\n- Use filterOnly:true only for narrow filters (no embedding, requires >=1 filter)\n\n## Proactive heuristics\n\n- Long sessions: re-run memory_search after switching topics\n- Conflicting info: use memory_state to supersede/dispute\n- High-impact changes: save memory immediately after verification\n- Act on docTruthFindings/_docDrift only when the finding has authority, observed mismatch, and agentAction='update_doc'; linkedDocs and stale-coupling counts are legacy diagnostics\n\n## Anti-fade (every ~10 tool calls)\n\nCheck: (1) memory_search before work? (2) file_context before edit? (3) memory_add after completing? No session_bootstrap? Call it now.\n";
14
15
  //# sourceMappingURL=usageGuide.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"usageGuide.d.ts","sourceRoot":"","sources":["../src/usageGuide.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,eAAO,MAAM,WAAW,wkFA6DvB,CAAC"}
1
+ {"version":3,"file":"usageGuide.d.ts","sourceRoot":"","sources":["../src/usageGuide.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,eAAO,MAAM,WAAW,2pFA4DvB,CAAC"}
@@ -4,13 +4,14 @@
4
4
  * This is the SINGLE SOURCE OF TRUTH for the usage guide.
5
5
  * Shared usage guide content imported by the server.
6
6
  *
7
- * Version: 2.80
8
- * Updated: 2026-02-20 - Aligned with instructions/rules/skill v2.80
7
+ * Version: 2.82
8
+ * Updated: 2026-05-27 - Doc-truth-contract-rebuild: teach authority-backed
9
+ * truth findings and keep legacy coupling drift diagnostic only.
9
10
  *
10
11
  * This guide focuses on HOW to use Mnemonik effectively, not WHAT tools exist.
11
12
  * Tool schemas already tell agents what's available - they need the workflow.
12
13
  */
13
- export const USAGE_GUIDE = `# Mnemonik Workflow Guide (v2.80)
14
+ export const USAGE_GUIDE = `# Mnemonik Workflow Guide (v2.82)
14
15
 
15
16
  ## Workflow
16
17
 
@@ -27,7 +28,7 @@ session_bootstrap → memory_search → file_context → [work] → memory_add
27
28
  ### Before editing files
28
29
  - file_context: fetch memories for the file — call for EVERY file you edit
29
30
  - memory_search: second search scoped to file/module if needed
30
- - docs(action: 'links'): check doc couplings for the file
31
+ - mnemonik.docs({ action: 'links' }): check doc couplings for the file
31
32
 
32
33
  ### During implementation
33
34
  - memory_get: retrieve specific memory by id
@@ -39,8 +40,7 @@ session_bootstrap → memory_search → file_context → [work] → memory_add
39
40
  - memory_add: save decisions, outcomes, patterns, bug root causes
40
41
  - memory_state: reinforce (memory helped), supersede (replace outdated), deprecate, penalize, dispute
41
42
  - tasks: mark tasks in progress or complete
42
- - docs(action: 'drift'): check for stale documentation after code changes
43
- - docs(action: 'resolve'): mark stale docs as fixed after updating them
43
+ - mnemonik.docs({ action: 'status' }): view doc-truth health (legacy coupling counts are diagnostic only — do not act on them as drift)
44
44
 
45
45
  ### Diagnostics
46
46
  - doctor: when tool calls fail or behavior is inconsistent
@@ -66,7 +66,7 @@ Never tell the user significant work is done without calling memory_add first in
66
66
  - Long sessions: re-run memory_search after switching topics
67
67
  - Conflicting info: use memory_state to supersede/dispute
68
68
  - High-impact changes: save memory immediately after verification
69
- - When file_context returns linkedDocs with driftStatus 'stale': update docs then docs(action: 'resolve')
69
+ - Act on docTruthFindings/_docDrift only when the finding has authority, observed mismatch, and agentAction='update_doc'; linkedDocs and stale-coupling counts are legacy diagnostics
70
70
 
71
71
  ## Anti-fade (every ~10 tool calls)
72
72
 
@@ -1 +1 @@
1
- {"version":3,"file":"usageGuide.js","sourceRoot":"","sources":["../src/usageGuide.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,MAAM,CAAC,MAAM,WAAW,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA6D1B,CAAC"}
1
+ {"version":3,"file":"usageGuide.js","sourceRoot":"","sources":["../src/usageGuide.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,MAAM,CAAC,MAAM,WAAW,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA4D1B,CAAC"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@mnemonik/shared",
3
- "version": "1.0.0",
3
+ "version": "5.75.3",
4
4
  "description": "Shared constants and utilities for Mnemonik packages",
5
5
  "type": "module",
6
6
  "main": "dist/index.js",