@pleri/olam-cli 0.1.204 → 0.1.206

package/dist/mcp-server.js

@@ -15051,11 +15051,12 @@ function mergeHomeSettingsJson(filePath, options) {
         return { status: "already-present", message: `hook already present at ${filePath}` };
       }
     } else {
+      const filteredArr = options.ensureHook.staleSentinelPrefix ? dropStaleHooks(stageArr, options.ensureHook.staleSentinelPrefix, sentinel) : stageArr;
       settings = {
         ...settings,
         hooks: {
           ...settings.hooks,
-          [stage]: [...stageArr, entry]
+          [stage]: [...filteredArr, entry]
         }
       };
       changed = true;
@@ -15089,6 +15090,24 @@ function readSettings(filePath) {
     return {};
   return JSON.parse(raw);
 }
+function dropStaleHooks(matchers, stalePrefix, currentSentinel) {
+  const out = [];
+  for (const matcher of matchers) {
+    const allCmds = [];
+    if (typeof matcher.command === "string")
+      allCmds.push(matcher.command);
+    if (Array.isArray(matcher.hooks)) {
+      for (const h of matcher.hooks) {
+        if (typeof h.command === "string")
+          allCmds.push(h.command);
+      }
+    }
+    const isStale = allCmds.some((c) => c.includes(stalePrefix)) && !allCmds.some((c) => c.includes(currentSentinel));
+    if (!isStale)
+      out.push(matcher);
+  }
+  return out;
+}
 function isHookSentinelPresent(matchers, sentinel) {
   for (const matcher of matchers) {
     if (typeof matcher?.command === "string" && matcher.command.includes(sentinel)) {
@@ -48697,7 +48716,7 @@ import * as path44 from "node:path";
 import * as os27 from "node:os";
 
 // ../core/dist/kg/hook-template.js
-var KG_HOOK_SENTINEL = "kg-service-v2-classifier-hook";
+var KG_HOOK_SENTINEL = "kg-service-v3-classifier-hook";
 function defaultUrl(flavor) {
   if (flavor === "host")
     return "http://127.0.0.1:9997/classify";
@@ -48711,10 +48730,20 @@ function buildHookCommand(opts) {
   const emitContext = `python3 -c 'import json,sys,os
 try:
   d=json.loads(sys.stdin.read())
-  if d.get("route") and d["route"] != "grep":
+  route=d.get("route","")
+  if route:
+    if route in ("kg","both"):
+      label=d.get("top_match") or d.get("reason","")
+      layer=d.get("layer","?")
+      nodes=d.get("nodes_matched",0)
+      saved=(d.get("savings") or {}).get("saved_tokens_est",0)
+      saved_k=round(saved/1000)
+      sys.stderr.write(f"\\x1b[32m\\u29bf\\u29bf\\x1b[0m  KG hit \\u2713 {label} \\u2192  L{layer}/{route} \\u00b7 {nodes} nodes \\u00b7 \\x1b[32m~{saved_k}k tokens saved\\x1b[0m\\n")
+    else:
+      sys.stderr.write("\\U0001f50d Grep used\\n")
+  if route and route != "grep":
     label=d.get("top_match") or d.get("reason","")
     layer=d.get("layer","?")
-    route=d["route"]
     nodes=d.get("nodes_matched",0)
     saved=(d.get("savings") or {}).get("saved_tokens_est",0)
     saved_k=round(saved/1000)
@@ -48725,7 +48754,6 @@ try:
     rel=any(k in ql for k in ("call","caller","import","uses","used","reference","who "))
     g="olam kg mirror graph \\"" + sym + "\\" --workspace <ws>"
     hint=g + (" --relates" if rel else "") + "  (where X is defined; add --relates for what calls/imports it; --repo <name> to browse a repo)"
-    sys.stderr.write(f"\\x1b[32m\\u2713 KG hit\\x1b[0m  \\"{q}\\"  \\u2192  L{layer}/{route} \\u00b7 {nodes} nodes \\u00b7 ~{saved_k}k tokens saved\\n")
     print(json.dumps({"hookSpecificOutput":{"hookEventName":"PreToolUse","additionalContext":f"[kg-classifier L{layer}|{route}] {label[:140]}\\n\\u21b3 graph: {hint}"}}))
 except Exception: pass' 2>/dev/null`;
   const isCloud = opts.flavor === "cloud-sandbox";
@@ -48734,7 +48762,7 @@ except Exception: pass' 2>/dev/null`;
   const cloudGuard = isCloud ? `if [ -z "\${OLAM_KG_PROXY_URL:-}" ] || [ -z "\${OLAM_KG_PROXY_BEARER:-}" ]; then exit 0; fi; ` : "";
   const wsField = isCloud ? `,\\"workspace\\":\\"\${OLAM_KG_PROXY_WORKSPACE:-}\\"` : "";
   const curlPost = `RESP=$(curl -s --max-time 1 -X POST -H 'Content-Type: application/json' ${authHeader2} -d "{\\"q\\":\\"$(echo \\"$CMD\\" | head -c 200 | tr '\\"' ' ')\\"${wsField}}" ${resolvedUrl} 2>/dev/null)`;
-  const hostRemoteFallback = opts.flavor === "host" ? `; if [ -z "$RESP" ] && [ -r "$HOME/.olam/kg-proxy-url" ] && [ -r "$HOME/.olam/kg-proxy-bearer" ]; then RESP=$(curl -s --max-time 2 -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer $(cat "$HOME/.olam/kg-proxy-bearer")" -d "{\\"q\\":\\"$(echo \\"$CMD\\" | head -c 200 | tr '\\"' ' ')\\"}" "$(cat "$HOME/.olam/kg-proxy-url")/v1/classify" 2>/dev/null); fi` : "";
+  const hostRemoteFallback = opts.flavor === "host" ? `; if [ -z "$RESP" ] && [ -r "$HOME/.olam/kg-proxy-url" ] && [ -r "$HOME/.olam/kg-proxy-bearer" ]; then KG_ORIGIN=$(sed 's|\\(https*://[^/]*\\).*|\\1|' "$HOME/.olam/kg-proxy-url" 2>/dev/null); RESP=$(curl -s --max-time 3 -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer $(cat "$HOME/.olam/kg-proxy-bearer")" -d "{\\"q\\":\\"$(echo \\"$CMD\\" | head -c 200 | tr '\\"' ' ')\\"}" "$KG_ORIGIN/v1/classify" 2>/dev/null); fi` : "";
   return [
     `KG_SENTINEL=${KG_HOOK_SENTINEL}`,
     `CMD=$(${extractCmd})`,

package/hermes-bundle/version.json

@@ -1,4 +1,4 @@
 {
-  "bundledAt": "2026-06-02T05:18:01.119Z",
+  "bundledAt": "2026-06-02T12:45:34.001Z",
   "kgFirstSha": "29a9ccce1b115d049e375c4a90eb5cf7c123e610e2d0590270a4db2cdbc64a28"
 }

package/host-cp/k8s/manifests/50-deployment.yaml

@@ -118,7 +118,7 @@ spec:
         # k3d), started by `olam upgrade` Step 0.7 — not inside this Pod.
       containers:
         - name: olam-host-cp
-          image: ghcr.io/pleri/olam-host-cp@sha256:a92c2849bdacd77c1a5dec59c45377af9fd4c76b10da98482e4cd4d59ca7cb33
+          image: ghcr.io/pleri/olam-host-cp@sha256:f11d34247171fba77439e3877ba8b781b857d1eb3f1c983bac2621dd7a254fef
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/auth-service/50-deployment.yaml

@@ -70,7 +70,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-auth-service
-          image: ghcr.io/pleri/olam-auth@sha256:b8165709ae12fe6b84a6e61cf935715af75a141835b7e452f5b80c1d98ced062
+          image: ghcr.io/pleri/olam-auth@sha256:10879610c8930d06e2201171ca98249da756461fbbca7540face7593de3f2516
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/kg-service/50-deployment.yaml

@@ -61,7 +61,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-kg-service
-          image: ghcr.io/pleri/olam-kg-service@sha256:e1f3c74e5b8f7e22b1b093ababd16fba59dd973040fa1d7040c81858a3382c66
+          image: ghcr.io/pleri/olam-kg-service@sha256:4fc5f7257d2fa8e11c07e5436a68edd0353c0d503739b9e90f7736e5b336a8fa
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/mcp-auth-service/50-deployment.yaml

@@ -68,7 +68,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-mcp-auth-service
-          image: ghcr.io/pleri/olam-mcp-auth@sha256:0322f58514626ff0c45ced3a7711d03d5bd2d2ec158de46a396531920a15c49b
+          image: ghcr.io/pleri/olam-mcp-auth@sha256:0780d597d7eb7d124eb998cf8e56649e375a594e4181ddb181f8b1cb2d443701
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/memory-service/50-deployment.yaml

@@ -70,7 +70,7 @@ spec:
           # bootstrap-placeholder comment + run `npm run refresh:manifest-digests`
           # once ghcr.io/pleri/olam-memory-service has a real published digest.
           # bootstrap-placeholder: pre-publish; refresh after first release
-          image: ghcr.io/pleri/olam-memory-service@sha256:a9ede246fc89ad7c47c938400f544f677e92e8f6a3addf49e585f0f314b2c133
+          image: ghcr.io/pleri/olam-memory-service@sha256:4b2742280eb0437e3865e603d1d148e28408a1ec8aa4a7dd2c726cd3d31ee8dd
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/src/server.mjs

@@ -2241,6 +2241,35 @@ const server = http.createServer(instrumentHandler('host-cp', async (req, res) =
           ...(burstKgWorkspace ? { kgWorkspace: burstKgWorkspace } : {}),
           ...(burstHostCpUrl ? { hostCpUrl: burstHostCpUrl } : {}),
           ...(burstChunksSinkUrl ? { chunksSinkUrl: burstChunksSinkUrl } : {}),
+          // attachments → runner materializes operator-pasted file/image bytes
+          // from R2 into /workspace/<sid>/.attachments (plan-chat-spa-attachments
+          // Phase A, #1614). The runner reads body.attachments; sandbox-dispatch-client
+          // forwards it on the plan-DO path, so cloud-burst must too — else a
+          // sandbox dispatch carrying attachments silently runs without the files
+          // (drift parity with sandbox-dispatch-client — same class as #1605/#1622).
+          ...(Array.isArray(parsedBody.attachments) && parsedBody.attachments.length > 0 ? { attachments: parsedBody.attachments } : {}),
+          // Agent-capability fields the runner /spawn handler reads and
+          // sandbox-dispatch-client (cell #4) already forwards. The cloud-burst
+          // path (cell #2) builds an explicit spawnBody, so it must forward them
+          // too or a local-mode→sandbox dispatch carrying any of these silently
+          // loses the capability (same drift class as submodules/attachments).
+          // Body-supplied (the cell #2 SPA send is the only source on this path);
+          // absent → spread to nothing, so today's bare {prompt,session_id,world_id}
+          // burst is byte-for-byte unchanged.
+          //   skillSources → runner lays the operator's /100x chain into ~/.claude.
+          //   mcpServers   → runner writes ~/.claude.json so the agent has MCP tools.
+          //   interactive  → runner launches a tmux REPL instead of headless -p.
+          //   operatorSub  → in-container poster stamps chunks with the owner sub
+          //                  (runner reads body.operatorSub ?? body.operator_sub;
+          //                  forwarding the camelCase alias satisfies both reads —
+          //                  operator_sub is a documented EXCLUSIONS alias).
+          //   chunksSinkBearer → per-dispatch chunk-sink auth (NEVER logged); runner
+          //                  prefers it over its deploy-time env.CHUNKS_INGEST_BEARER.
+          ...(Array.isArray(parsedBody.skillSources) && parsedBody.skillSources.length > 0 ? { skillSources: parsedBody.skillSources } : {}),
+          ...(parsedBody.mcpServers && typeof parsedBody.mcpServers === 'object' && Object.keys(parsedBody.mcpServers).length > 0 ? { mcpServers: parsedBody.mcpServers } : {}),
+          ...(parsedBody.interactive ? { interactive: true } : {}),
+          ...(parsedBody.operatorSub ? { operatorSub: parsedBody.operatorSub } : {}),
+          ...(parsedBody.chunksSinkBearer ? { chunksSinkBearer: parsedBody.chunksSinkBearer } : {}),
           idempotencyKey,
           ...safeOptions,
         };
@@ -4064,7 +4093,7 @@ const _spaCacheByKey = new Map();
 // audit FAIL. Keep it as the canonical HN/WP-array parity source until
 // that audit is repointed at worldFetch.ts directly (follow-up).
 // eslint-disable-next-line no-unused-vars -- retained as HN/WP parity-audit source
-const BOOTSTRAP_SCRIPT = `<script>(function(){function ck(){var m=document.cookie.match(/olam_host_cp_token=([^;]+)/);return m?m[1]:'';}function sw(t){document.cookie='olam_host_cp_token='+t+'; path=/; samesite=strict';}try{var x=new XMLHttpRequest();x.open('GET','/api/bootstrap',false);x.send();if(x.status===200){var d=JSON.parse(x.responseText);sw(d.token);}}catch(e){console.error('[host-cp bootstrap]',e);}var reloading=false;function recover(){if(reloading)return;try{var x=new XMLHttpRequest();x.open('GET','/api/bootstrap',false);x.send();if(x.status===200){var d=JSON.parse(x.responseText);if(d.token&&ck()!==d.token){reloading=true;sw(d.token);console.warn('[host-cp auth recover] token rotated; reloading');location.reload();}}}catch(e){console.error('[host-cp auth recover]',e);}}var HN=['/api/bootstrap','/api/worlds','/api/projects','/api/workspaces','/api/workspaces/match','/api/repos','/api/runbooks','/api/auth','/api/host-stream','/api/plan-chat','/api/plan/agent-runtime','/health'];var WP=['/api/','/session/','/hooks/','/dispatch','/lanes','/codex/','/review/'];function sr(p){if(typeof p!=='string')return false;if(p.startsWith('/api/world/'))return false;for(var i=0;i<HN.length;i++){var n=HN[i];if(p===n||p.startsWith(n+'?')||p.startsWith(n+'/'))return false;}for(var j=0;j<WP.length;j++){var w=WP[j];if(p===w||p===w.replace(/\\/$/,'')||p.startsWith(w)||p.startsWith(w.replace(/\\/$/,'')+'?')||p.startsWith(w.replace(/\\/$/,'')+'/'))return true;}return false;}function wid(){var p=location.pathname;var m=p.match(/^\\/(world|inbox|session)\\/([^/?#]+)/);if(m)return m[2];if(/^\\/(?:worlds?|workspaces?|world|sandbox|session|inbox|plan|design|repos|runbooks|assets|api|health|favicon)($|\\/|\\?)/.test(p))return null;var r=p.match(/^\\/([a-z][a-z0-9-]+)(?:\\/|$|\\?)/);return r?r[1]:null;}function rw(p){var w=wid();return w?'/api/world/'+w+p:p;}var of=window.fetch.bind(window);window.fetch=function(input,init){var pr;if(typeof input==='string'&&sr(input))pr=of(rw(input),init);else if(input&&typeof input.url==='string'&&sr(input.url))pr=of(new Request(rw(input.url),input),init);else pr=of(input,init);return pr.then(function(res){if(res&&res.status===401)recover();return res;});};var OE=window.EventSource;if(OE){window.EventSource=function(u,i){var s=u;if(typeof s==='string'&&sr(s))s=rw(s);var es=new OE(s,i);es.addEventListener('error',function(){if(es.readyState===OE.CLOSED)recover();});return es;};window.EventSource.prototype=OE.prototype;window.EventSource.CONNECTING=OE.CONNECTING;window.EventSource.OPEN=OE.OPEN;window.EventSource.CLOSED=OE.CLOSED;}})();</script>`;
+const BOOTSTRAP_SCRIPT = `<script>(function(){function ck(){var m=document.cookie.match(/olam_host_cp_token=([^;]+)/);return m?m[1]:'';}function sw(t){document.cookie='olam_host_cp_token='+t+'; path=/; samesite=strict';}try{var x=new XMLHttpRequest();x.open('GET','/api/bootstrap',false);x.send();if(x.status===200){var d=JSON.parse(x.responseText);sw(d.token);}}catch(e){console.error('[host-cp bootstrap]',e);}var reloading=false;function recover(){if(reloading)return;try{var x=new XMLHttpRequest();x.open('GET','/api/bootstrap',false);x.send();if(x.status===200){var d=JSON.parse(x.responseText);if(d.token&&ck()!==d.token){reloading=true;sw(d.token);console.warn('[host-cp auth recover] token rotated; reloading');location.reload();}}}catch(e){console.error('[host-cp auth recover]',e);}}var HN=['/api/bootstrap','/api/whoami','/api/worlds','/api/projects','/api/chats','/api/workspaces','/api/workspaces/match','/api/repos','/api/runbooks','/api/auth','/api/host-stream','/api/plan-chat','/api/plan/agent-runtime','/health'];var WP=['/api/','/session/','/hooks/','/dispatch','/lanes','/codex/','/review/'];function sr(p){if(typeof p!=='string')return false;if(p.startsWith('/api/world/'))return false;for(var i=0;i<HN.length;i++){var n=HN[i];if(p===n||p.startsWith(n+'?')||p.startsWith(n+'/'))return false;}for(var j=0;j<WP.length;j++){var w=WP[j];if(p===w||p===w.replace(/\\/$/,'')||p.startsWith(w)||p.startsWith(w.replace(/\\/$/,'')+'?')||p.startsWith(w.replace(/\\/$/,'')+'/'))return true;}return false;}function wid(){var p=location.pathname;var m=p.match(/^\\/(world|inbox|session)\\/([^/?#]+)/);if(m)return m[2];if(/^\\/(?:worlds?|workspaces?|world|sandbox|session|inbox|plan|design|repos|runbooks|assets|api|health|favicon)($|\\/|\\?)/.test(p))return null;var r=p.match(/^\\/([a-z][a-z0-9-]+)(?:\\/|$|\\?)/);return r?r[1]:null;}function rw(p){var w=wid();return w?'/api/world/'+w+p:p;}var of=window.fetch.bind(window);window.fetch=function(input,init){var pr;if(typeof input==='string'&&sr(input))pr=of(rw(input),init);else if(input&&typeof input.url==='string'&&sr(input.url))pr=of(new Request(rw(input.url),input),init);else pr=of(input,init);return pr.then(function(res){if(res&&res.status===401)recover();return res;});};var OE=window.EventSource;if(OE){window.EventSource=function(u,i){var s=u;if(typeof s==='string'&&sr(s))s=rw(s);var es=new OE(s,i);es.addEventListener('error',function(){if(es.readyState===OE.CLOSED)recover();});return es;};window.EventSource.prototype=OE.prototype;window.EventSource.CONNECTING=OE.CONNECTING;window.EventSource.OPEN=OE.OPEN;window.EventSource.CLOSED=OE.CLOSED;}})();</script>`;
 
 /**
  * Build the plan-chat bearer injection script. Reads

package/memory-hooks/agentmemory-classify-queue.mjs

@@ -0,0 +1,363 @@
+#!/usr/bin/env node
+/**
+ * agentmemory-classify-queue.mjs
+ *
+ * PostToolUse hook for Claude Code — captures every PostToolUse event
+ * as a queue candidate at `~/.olam/agentmemory-queue/<ts>-<rand>.jsonl`
+ * for later batch-classification by Phase B2's background classifier.
+ *
+ * Hot-path SLO: p99 dump latency < 100ms (Phase A plan P1 row).
+ * Fail-open: any error exits 0 with no stdout — never blocks the tool loop.
+ *
+ * Pipeline:
+ *   1. Read JSON event from stdin (Claude Code hook protocol).
+ *   2. Per-tool capture (closes B1 CP3 ADV-B1-002 + ADV-B1-003): each
+ *      tool_name has an explicit extraction function instead of generic
+ *      shape-probing. Write/NotebookEdit DO NOT capture file body
+ *      (only `wrote <path> (<N> bytes)`) — avoids leaking .env /
+ *      credentials / id_rsa file writes into the queue. Edit/MultiEdit
+ *      capture OLD/NEW strings so substantive changes reach B2.
+ *   3. Strip secrets from the captured text BEFORE writing to disk
+ *      (12 patterns; see SECRET_PATTERNS). Includes quoted env-var
+ *      values, AWS access keys, Slack tokens, Stripe keys, JWTs,
+ *      private-key armor, DB URLs with creds, and context-anchored
+ *      hex64 bearer tokens. Closes plan OQ12 + B1 CP3 ADV-B1-001 +
+ *      ADV-B1-004.
+ *   4. Cap queue depth at 50 (force-flush trigger) / 80 (hard drop).
+ *      Closes OQ10.
+ *   5. Atomic write via tmp + rename. 8-byte rand suffix (2^64 space;
+ *      birthday-paradox-free at any realistic capture rate). Closes
+ *      B1 CP3 ADV-B1-005.
+ *
+ * Candidate schema (B1.1 — closes ADV-B1-006):
+ *   { ts, tool_name, cwd, session_id, captured_text, queue_pressure }
+ *
+ * Install (operator runs manually):
+ *   $ cp packages/memory-service/hooks/agentmemory-classify-queue.mjs \
+ *        ~/.claude/scripts/hooks/agentmemory-classify-queue.mjs
+ *   $ jq '.hooks.PostToolUse += [{"command": "~/.claude/scripts/hooks/agentmemory-classify-queue.mjs"}]' \
+ *        ~/.claude/settings.json > ~/.claude/settings.json.new
+ *   $ mv ~/.claude/settings.json.new ~/.claude/settings.json
+ *   (Phase B3 will ship `olam memory classifier install-hook` to
+ *   automate this.)
+ *
+ * Plan reference:
+ *   docs/plans/agentmemory-classifier-and-regret/phase-b-tasks.md B1
+ *   OQ10 (queue depth cap), OQ12 (secret stripper before enqueue)
+ *   B1 CP3 ADV-B1-001..006 (B1.1 follow-up)
+ */
+
+import {
+  existsSync,
+  mkdirSync,
+  readdirSync,
+  readFileSync,
+  realpathSync,
+  renameSync,
+  writeFileSync,
+} from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { randomBytes } from 'node:crypto';
+import { fileURLToPath } from 'node:url';
+
+/** Max bytes of captured text persisted per candidate. Keeps queue files small. */
+export const MAX_CAPTURED_CHARS = 4000;
+
+/** Queue depth at which `main()` triggers a force-flush of the oldest 20 entries. */
+export const QUEUE_FORCE_FLUSH_THRESHOLD = 50;
+
+/** Queue depth at which `main()` drops the new event entirely (warn-log only). */
+export const QUEUE_DROP_THRESHOLD = 80;
+
+/**
+ * Random bytes appended to each queue filename. 8 bytes = 2^64 space;
+ * birthday-paradox-free at any realistic capture rate (collision
+ * probability < 1e-12 even at 100M events). Was 4 bytes in B1 (~1.6%
+ * collision at 360K events/hour bursts — silently lost a candidate per
+ * collision per ADV-B1-005).
+ */
+const RAND_BYTES = 8;
+
+/**
+ * Vetted secret patterns. Each pattern matches a specific secret shape;
+ * matches are redacted with `<REDACTED:<pattern-name>>` so the queue
+ * file stays parseable and the redaction is observable in audits.
+ *
+ * Pattern set covers (closes ADV-B1-001 quoted-env-var bypass + adds
+ * coverage for shapes B1's initial 6-pattern set missed):
+ *   env-var-assign        — `KEY=value`, `KEY='value'`, `KEY="value"`,
+ *                            `"KEY":"value"` JSON-stringified form.
+ *                            Permissive key matcher (any uppercase
+ *                            identifier ending in SECRET|KEY|TOKEN|
+ *                            PASSWORD|PASS|BEARER|AUTH|CREDS|CREDENTIALS)
+ *                            so STRIPE_SECRET_KEY, CUSTOM_API_TOKEN,
+ *                            etc. all fire.
+ *   bearer                — `Bearer <token>` Authorization headers.
+ *   sk-prefix             — Anthropic/OpenAI keys.
+ *   gh-pat                — GitHub personal access tokens.
+ *   slack-token           — `xoxa|xoxb|xoxp|xoxr|xoxs|xoxo-...`
+ *   aws-access-key-id     — `AKIA[A-Z0-9]{16}` access key IDs.
+ *   stripe-key            — `sk_live_...` / `sk_test_...`.
+ *   jwt                   — 3-segment base64url tokens.
+ *   hex64-bearer          — 64-hex tokens ONLY when adjacent to
+ *                            bearer|token|secret|key context word.
+ *                            (Was unanchored in B1; false-fired on
+ *                            container digests / sha256sum output per
+ *                            ADV-B1-004.)
+ *   private-key-armor     — PEM/OpenSSH key headers.
+ *   db-url-with-creds     — `postgres|mysql|mongodb|redis://user:pw@host`.
+ */
+export const SECRET_PATTERNS = [
+  {
+    name: 'env-var-assign',
+    re: /\b[A-Z][A-Z0-9_]*(?:SECRET|KEY|TOKEN|PASSWORD|PASS|BEARER|AUTH|CREDS|CREDENTIALS)[A-Z0-9_]*\s*[:=]\s*(?:"[^"\n]+"|'[^'\n]+'|[^\s"',;\n]+)/g,
+  },
+  {
+    // Same shape but inside JSON-string keys: `"FOO_KEY":"value"`.
+    // env-var-assign catches the unquoted KEY case; this rule catches
+    // the JSON-stringified key case where the key itself is wrapped in
+    // double-quotes.
+    name: 'env-var-assign',
+    re: /"[A-Z][A-Z0-9_]*(?:SECRET|KEY|TOKEN|PASSWORD|PASS|BEARER|AUTH|CREDS|CREDENTIALS)[A-Z0-9_]*"\s*:\s*"[^"\n]+"/g,
+  },
+  { name: 'bearer', re: /\bBearer\s+[A-Za-z0-9._-]{16,}/g },
+  { name: 'sk-prefix', re: /\bsk-[A-Za-z0-9_-]{20,}/g },
+  { name: 'gh-pat', re: /\bghp_[A-Za-z0-9]{30,}/g },
+  { name: 'slack-token', re: /\bxox[abopsr]-[A-Za-z0-9-]{10,}/g },
+  { name: 'aws-access-key-id', re: /\bAKIA[A-Z0-9]{16}\b/g },
+  { name: 'stripe-key', re: /\bsk_(?:live|test)_[A-Za-z0-9]{20,}/g },
+  { name: 'jwt', re: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g },
+  { name: 'hex64-bearer', re: /\b(?:bearer|token|secret|key)[\s:=]+[a-f0-9]{64}\b/gi },
+  { name: 'private-key-armor', re: /-----BEGIN [A-Z ]+PRIVATE KEY-----/g },
+  { name: 'db-url-with-creds', re: /\b(?:postgres|postgresql|mysql|mongodb|redis):\/\/[^:@\s'"]+:[^@\s'"]+@[^\s'"]+/g },
+];
+
+/** Resolved queue directory path under `~/.olam/agentmemory-queue/`. */
+export function queueDir() {
+  return join(homedir(), '.olam', 'agentmemory-queue');
+}
+
+/**
+ * Strip all configured secret patterns from `text`. Returns the
+ * redacted text. Idempotent — running twice doesn't re-redact.
+ */
+export function stripSecrets(text) {
+  if (typeof text !== 'string' || text.length === 0) return text;
+  let out = text;
+  for (const { name, re } of SECRET_PATTERNS) {
+    const pattern = new RegExp(re.source, re.flags);
+    out = out.replace(pattern, `<REDACTED:${name}>`);
+  }
+  return out;
+}
+
+/** Ensure the queue directory exists (idempotent). */
+export function ensureQueueDir(dir = queueDir()) {
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true });
+  }
+}
+
+/** Count `.jsonl` files in the queue dir (excludes the `.warn.log`). */
+export function queueDepth(dir = queueDir()) {
+  if (!existsSync(dir)) return 0;
+  return readdirSync(dir).filter((n) => n.endsWith('.jsonl')).length;
+}
+
+/**
+ * Atomic queue-file write. Writes to a tmp path then renames into place
+ * so a partial JSONL never ends up in the queue dir. Uses 8-byte rand
+ * to eliminate collision class (ADV-B1-005).
+ */
+export function writeCandidate(candidate, dir = queueDir()) {
+  ensureQueueDir(dir);
+  const ts = candidate.ts ?? Date.now();
+  const rand = randomBytes(RAND_BYTES).toString('hex');
+  const final = join(dir, `${ts}-${rand}.jsonl`);
+  const tmp = final + '.tmp';
+  writeFileSync(tmp, JSON.stringify(candidate) + '\n', 'utf-8');
+  renameSync(tmp, final);
+  return final;
+}
+
+/** Append a structured warning to the queue dir's `.warn.log` (fail-open). */
+export function warnLog(message, dir = queueDir()) {
+  try {
+    ensureQueueDir(dir);
+    const line = JSON.stringify({ ts: Date.now(), level: 'warn', message }) + '\n';
+    writeFileSync(join(dir, '.warn.log'), line, { flag: 'a' });
+  } catch {
+    // Fail-open: warn-log failure is non-fatal.
+  }
+}
+
+/**
+ * Build a candidate payload from a Claude Code PostToolUse event. The
+ * captured text is per-tool (see {@link extractCapturedText}); secrets
+ * are stripped before this candidate ever touches disk.
+ *
+ * Schema (B1.1):
+ *   ts             unix ms timestamp
+ *   tool_name      from event.tool_name
+ *   cwd            from event.cwd
+ *   session_id     from event.session_id (B2 needs this for chain
+ *                  reconstruction — was missing in B1, would have
+ *                  forever-orphaned every pre-fix candidate)
+ *   captured_text  per-tool extraction, secret-stripped, truncated
+ *   queue_pressure depth at capture time (B2 observability)
+ */
+export function buildCandidate(event, depth = 0, now = Date.now()) {
+  const rawText = extractCapturedText(event);
+  const stripped = stripSecrets(rawText);
+  const truncated = stripped.length > MAX_CAPTURED_CHARS
+    ? stripped.slice(0, MAX_CAPTURED_CHARS)
+    : stripped;
+  return {
+    ts: now,
+    tool_name: event?.tool_name ?? null,
+    cwd: event?.cwd ?? null,
+    session_id: event?.session_id ?? null,
+    captured_text: truncated,
+    queue_pressure: depth,
+  };
+}
+
+/**
+ * Per-tool capture map. Each tool_name has an explicit extraction
+ * function — generic shape-probing would leak file bodies for Write
+ * (per ADV-B1-002) and miss substantive edits for Edit/MultiEdit
+ * (per ADV-B1-003). The explicit map closes both classes.
+ *
+ * Write / NotebookEdit: capture ONLY `wrote <path> (<N> bytes)` — never
+ *   the file body. Operator writing ~/.env or ~/.aws/credentials gets
+ *   the metadata in the queue, not the secret content.
+ * Edit / MultiEdit: capture OLD + NEW strings (substantive change).
+ *   stripSecrets runs over the serialized form, so secret-bearing
+ *   edits are still redacted.
+ * Read: capture `read <path>` + first 2KB of content. Same Write
+ *   reasoning would apply but Read explicitly returns content the
+ *   agent will reason over — withholding it makes classification
+ *   useless.
+ * Bash: capture command + stdout.
+ * Generic fallback: tool_response.content / .text.
+ */
+export function extractCapturedText(event) {
+  if (!event || typeof event !== 'object') return '';
+  const toolName = event.tool_name;
+  const ti = event.tool_input ?? event.toolInput ?? null;
+  const tr = event.tool_response ?? event.toolResponse ?? null;
+
+  if (toolName === 'Bash') {
+    const command = ti?.command ?? '';
+    const stdout = readContentField(tr) ?? '';
+    return command ? (stdout ? `$ ${command}\n${stdout}` : `$ ${command}`) : (stdout ?? '');
+  }
+
+  if (toolName === 'Write' || toolName === 'NotebookEdit') {
+    const filePath = ti?.file_path ?? ti?.notebook_path ?? '<unknown>';
+    const content = ti?.content ?? ti?.new_source ?? '';
+    const len = typeof content === 'string' ? content.length : 0;
+    return `wrote ${filePath} (${len} bytes)`;
+  }
+
+  if (toolName === 'Edit') {
+    const filePath = ti?.file_path ?? '<unknown>';
+    const oldStr = ti?.old_string ?? '';
+    const newStr = ti?.new_string ?? '';
+    return `edit ${filePath}\nOLD:\n${oldStr}\nNEW:\n${newStr}`;
+  }
+
+  if (toolName === 'MultiEdit') {
+    const filePath = ti?.file_path ?? '<unknown>';
+    const edits = Array.isArray(ti?.edits) ? ti.edits : [];
+    const parts = edits.map((e, i) => `[${i}] OLD:\n${e?.old_string ?? ''}\nNEW:\n${e?.new_string ?? ''}`);
+    return `multi-edit ${filePath}\n${parts.join('\n---\n')}`;
+  }
+
+  if (toolName === 'Read') {
+    const filePath = ti?.file_path ?? '<unknown>';
+    const content = readContentField(tr) ?? '';
+    const truncated = content.length > MAX_CAPTURED_CHARS / 2
+      ? content.slice(0, MAX_CAPTURED_CHARS / 2)
+      : content;
+    return `read ${filePath}\n${truncated}`;
+  }
+
+  // Generic fallback: tool_response content/text or tool_input content.
+  const fromResponse = readContentField(tr);
+  if (typeof fromResponse === 'string' && fromResponse.length > 0) return fromResponse;
+  if (ti && typeof ti === 'object') {
+    if (typeof ti.content === 'string') return ti.content;
+    if (typeof ti.command === 'string') return ti.command;
+  }
+  return '';
+}
+
+/**
+ * Read a content payload from a tool_response-shaped object. Handles:
+ *   - string (return as-is)
+ *   - { content: [{text}, ...] } MCP-style array (concat text blocks)
+ *   - { text: string }
+ *   - { content: string }
+ */
+function readContentField(obj) {
+  if (!obj) return null;
+  if (typeof obj === 'string') return obj;
+  if (Array.isArray(obj.content)) {
+    return obj.content
+      .map((c) => (typeof c?.text === 'string' ? c.text : ''))
+      .join('\n');
+  }
+  if (typeof obj.text === 'string') return obj.text;
+  if (typeof obj.content === 'string') return obj.content;
+  return null;
+}
+
+async function main() {
+  let event = {};
+  try {
+    event = JSON.parse(readFileSync(0, 'utf-8'));
+  } catch {
+    return; // unparseable stdin → fail-open
+  }
+
+  const dir = queueDir();
+  ensureQueueDir(dir);
+  const depth = queueDepth(dir);
+
+  if (depth >= QUEUE_DROP_THRESHOLD) {
+    warnLog(`queue depth ${depth} >= drop threshold ${QUEUE_DROP_THRESHOLD}; dropping event tool_name=${event?.tool_name ?? '?'}`, dir);
+    return;
+  }
+
+  const candidate = buildCandidate(event, depth);
+  writeCandidate(candidate, dir);
+
+  if (depth >= QUEUE_FORCE_FLUSH_THRESHOLD) {
+    // Phase B2 will own the force-flush trigger via an out-of-band
+    // signal (touching a sentinel file the launchd timer watches).
+    // For B1 ship we just warn — the next scheduled flush picks it up.
+    warnLog(`queue depth ${depth} >= force-flush threshold ${QUEUE_FORCE_FLUSH_THRESHOLD}; awaiting B2 timer`, dir);
+  }
+}
+
+// Run main only when invoked directly (allows test files to import the
+// pure functions above without firing the hook side-effects). Compare
+// REAL paths (not raw argv vs file://) so the hook still fires when
+// resolved through a symlink — toolbox sync mounts these scripts via
+// $HOME/.claude/scripts/agentmemory-classifier/ which is a symlink to the
+// canonical atlas-toolbox path. Pre-fix, the raw-string compare missed
+// the symlink and main() never ran.
+function isDirectInvocation() {
+  try {
+    const argvPath = process.argv[1] ? realpathSync(process.argv[1]) : '';
+    const metaPath = realpathSync(fileURLToPath(import.meta.url));
+    return argvPath === metaPath;
+  } catch {
+    return false;
+  }
+}
+if (isDirectInvocation()) {
+  main().catch(() => process.exit(0));
+}