@pleri/olam-cli 0.1.209 → 0.1.210

package/dist/mcp-server.js

@@ -16387,16 +16387,25 @@ function settingsBackupDir() {
     return override;
   return path27.join(os12.homedir(), ".olam", "state", "settings-backups");
 }
+function entryKey(entry) {
+  const cmds = commandsInEntry(entry);
+  const cmdKey = cmds.length > 0 ? cmds[0] : "";
+  return `${entry.matcher ?? ""}\0${cmdKey}`;
+}
 function dedupeByMatcher(entries) {
   const map2 = /* @__PURE__ */ new Map();
   for (const e of entries) {
-    const cmds = commandsInEntry(e);
-    const cmdKey = cmds.length > 0 ? cmds[0] : "";
-    const key = `${e.matcher ?? ""}\0${cmdKey}`;
-    map2.set(key, e);
+    map2.set(entryKey(e), e);
   }
   return [...map2.values()];
 }
+function reclaimLegacyDuplicates(preserved, olamFinal) {
+  if (olamFinal.length === 0)
+    return { kept: preserved, reclaimedCount: 0 };
+  const olamKeys = new Set(olamFinal.map(entryKey));
+  const kept = preserved.filter((e) => !olamKeys.has(entryKey(e)));
+  return { kept, reclaimedCount: preserved.length - kept.length };
+}
 function commandsInEntry(entry) {
   const cmds = [];
   const direct = entry["command"];
@@ -16497,6 +16506,7 @@ function mergeSettings(input) {
   ]);
   let hooksAdded = 0;
   let dualWriteDeduped = 0;
+  let legacyReclaimed = 0;
   const dualWriteDroppedCommands = [];
   for (const cat of categories) {
     const existing = Array.isArray(existingHooks[cat]) ? existingHooks[cat] : [];
@@ -16506,7 +16516,9 @@ function mergeSettings(input) {
     const { kept: olamFinal, droppedCount, droppedCommands } = applyDualWriteDedup(olamDeduped, preserved);
     dualWriteDeduped += droppedCount;
     dualWriteDroppedCommands.push(...droppedCommands);
-    mergedHooks[cat] = [...preserved, ...olamFinal];
+    const { kept: preservedFinal, reclaimedCount } = reclaimLegacyDuplicates(preserved, olamFinal);
+    legacyReclaimed += reclaimedCount;
+    mergedHooks[cat] = [...preservedFinal, ...olamFinal];
     hooksAdded += olamFinal.length;
   }
   const permSet = /* @__PURE__ */ new Set();
@@ -16536,7 +16548,14 @@ function mergeSettings(input) {
   const tmp = `${settingsPath}.tmp-${process.pid}`;
   fs29.writeFileSync(tmp, JSON.stringify(next, null, 2) + "\n", { mode: 420 });
   fs29.renameSync(tmp, settingsPath);
-  return { backupPath, hooksAdded, permissionsCount: permSet.size, dualWriteDeduped, dualWriteDroppedCommands };
+  return {
+    backupPath,
+    hooksAdded,
+    permissionsCount: permSet.size,
+    dualWriteDeduped,
+    dualWriteDroppedCommands,
+    legacyReclaimed
+  };
 }
 var OLAM_SKILLS_MARKER, BACKUP_RETENTION, DUAL_WRITE_DEDUP_RULES;
 var init_settings_merger = __esm({
@@ -49076,7 +49095,10 @@ import * as path46 from "node:path";
 import * as os23 from "node:os";
 
 // ../core/dist/kg/hook-template.js
-var KG_HOOK_SENTINEL = "kg-service-v3-classifier-hook";
+var KG_HOOK_SENTINEL = "kg-service-v4-classifier-hook";
+var KG_HOOK_SENTINEL_PREFIX = "kg-service-v";
+var KG_HOOK_PROMPT_SENTINEL = "kg-service-prompt-v4-classifier-hook";
+var KG_HOOK_PROMPT_SENTINEL_PREFIX = "kg-service-prompt-v";
 function defaultUrl(flavor) {
   if (flavor === "host")
     return "http://127.0.0.1:9997/classify";
@@ -49084,6 +49106,33 @@ function defaultUrl(flavor) {
     return "http://host.docker.internal:9997/classify";
   return "";
 }
+var TERM_EXTRACT_PY = `python3 -c 'import sys
+cmd=sys.stdin.read().strip()
+toks=cmd.split()
+TOOLS=("grep","rg","ripgrep","find","fd","ack","ag")
+DIRS=("src","lib","app","test","spec","packages")
+QUOTES=chr(34)+chr(39)+chr(96)
+i=0
+if toks and toks[0]=="git" and len(toks)>1 and toks[1]=="grep": i=2
+elif toks and toks[0] in TOOLS: i=1
+term=""
+for t in toks[i:]:
+  if t.startswith("-"): continue
+  s=t.strip(QUOTES)
+  if not s: continue
+  if "/" in s or s.endswith("/") or s in DIRS or s in (".",".."): continue
+  term=s; break
+print(term if term else cmd)' 2>/dev/null`;
+var PROMPT_TERM_EXTRACT_PY = `python3 -c 'import sys,re
+p=sys.stdin.read().strip()
+Q=chr(34); B=chr(96); A=chr(39)
+pats=[B+"([^"+B+"]{3,})"+B, Q+"([^"+Q+"]{3,})"+Q, A+"([^"+A+"]{3,})"+A, "\\\\b[A-Za-z_$][\\\\w$]*(?:\\\\.[A-Za-z_$][\\\\w$]*)+\\\\b", "\\\\b[a-zA-Z_$][\\\\w$]*[A-Z][\\\\w$]*\\\\b", "\\\\b[a-z_][a-z0-9_]*_[a-z0-9_]+\\\\b"]
+term=""
+for pat in pats:
+  m=re.search(pat,p)
+  if m:
+    term=(m.group(1) if m.groups() else m.group(0)).strip(); break
+print(term if term else p)' 2>/dev/null`;
 function buildHookCommand(opts) {
   const url3 = opts.url ?? defaultUrl(opts.flavor);
   const extractCmd = `python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('tool_input',d).get('command',''))" 2>/dev/null`;
@@ -49091,20 +49140,26 @@ function buildHookCommand(opts) {
 try:
   d=json.loads(sys.stdin.read())
   route=d.get("route","")
+  qnodes=[]
+  try:
+    qd=json.loads(os.environ.get("KG_QUERY_NODES","") or "{}")
+    if isinstance(qd,dict) and qd.get("ok") and isinstance(qd.get("nodes"),list):
+      qnodes=qd["nodes"]
+  except Exception: qnodes=[]
+  real_n=len(qnodes)
   if route:
     if route in ("kg","both"):
       label=d.get("top_match") or d.get("reason","")
       layer=d.get("layer","?")
-      nodes=d.get("nodes_matched",0)
+      nodes=real_n if real_n else d.get("nodes_matched",0)
       saved=(d.get("savings") or {}).get("saved_tokens_est",0)
       saved_k=round(saved/1000)
       sys.stderr.write(f"\\x1b[32m\\u29bf\\u29bf\\x1b[0m  KG hit \\u2713 {label} \\u2192  L{layer}/{route} \\u00b7 {nodes} nodes \\u00b7 \\x1b[32m~{saved_k}k tokens saved\\x1b[0m\\n")
-    else:
+    elif route=="grep":
       sys.stderr.write("\\U0001f50d Grep used\\n")
-  if route and route != "grep":
+  if route in ("kg","both"):
     label=d.get("top_match") or d.get("reason","")
     layer=d.get("layer","?")
-    nodes=d.get("nodes_matched",0)
     saved=(d.get("savings") or {}).get("saved_tokens_est",0)
     saved_k=round(saved/1000)
     q=os.environ.get("KG_QUERY","")[:60]
@@ -49114,20 +49169,44 @@ try:
     rel=any(k in ql for k in ("call","caller","import","uses","used","reference","who "))
     g="olam kg mirror graph \\"" + sym + "\\" --workspace <ws>"
     hint=g + (" --relates" if rel else "") + "  (where X is defined; add --relates for what calls/imports it; --repo <name> to browse a repo)"
-    print(json.dumps({"hookSpecificOutput":{"hookEventName":"PreToolUse","additionalContext":f"[kg-classifier L{layer}|{route}] {label[:140]}\\n\\u21b3 graph: {hint}"}}))
+    if qnodes:
+      lines=[]
+      for n in qnodes[:5]:
+        s=str(n.get("symbol") or n.get("label") or "?")
+        f=str(n.get("file") or "")
+        loc=str(n.get("loc") or "")
+        lines.append(f"  {s}  {f}:{loc}" if loc else f"  {s}  {f}")
+      body="[kg-classifier L"+str(layer)+"|"+route+"] "+label[:140]+"\\n\\u21b3 nodes ("+str(real_n)+"):\\n"+"\\n".join(lines)+"\\n\\u21b3 graph: "+hint
+    else:
+      body="[kg-classifier L"+str(layer)+"|"+route+"] "+label[:140]+"\\n\\u21b3 graph: "+hint
+    print(json.dumps({"hookSpecificOutput":{"hookEventName":"PreToolUse","additionalContext":body}}))
 except Exception: pass' 2>/dev/null`;
   const isCloud = opts.flavor === "cloud-sandbox";
   const resolvedUrl = isCloud ? '"${OLAM_KG_PROXY_URL:-}/v1/classify"' : url3;
   const authHeader2 = isCloud ? `-H "Authorization: Bearer \${OLAM_KG_PROXY_BEARER:-}"` : "";
   const cloudGuard = isCloud ? `if [ -z "\${OLAM_KG_PROXY_URL:-}" ] || [ -z "\${OLAM_KG_PROXY_BEARER:-}" ]; then exit 0; fi; ` : "";
-  const wsField = isCloud ? `,\\"workspace\\":\\"\${OLAM_KG_PROXY_WORKSPACE:-}\\"` : "";
-  const curlPost = `RESP=$(curl -s --max-time 1 -X POST -H 'Content-Type: application/json' ${authHeader2} -d "{\\"q\\":\\"$(echo \\"$CMD\\" | head -c 200 | tr '\\"' ' ')\\"${wsField}}" ${resolvedUrl} 2>/dev/null)`;
-  const hostRemoteFallback = opts.flavor === "host" ? `; if [ -z "$RESP" ] && [ -r "$HOME/.olam/kg-proxy-url" ] && [ -r "$HOME/.olam/kg-proxy-bearer" ]; then KG_ORIGIN=$(sed 's|\\(https*://[^/]*\\).*|\\1|' "$HOME/.olam/kg-proxy-url" 2>/dev/null); RESP=$(curl -s --max-time 3 -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer $(cat "$HOME/.olam/kg-proxy-bearer")" -d "{\\"q\\":\\"$(echo \\"$CMD\\" | head -c 200 | tr '\\"' ' ')\\"}" "$KG_ORIGIN/v1/classify" 2>/dev/null); fi` : "";
+  const isHostOrWorld = opts.flavor === "host" || opts.flavor === "world";
+  const wsResolve = isHostOrWorld ? `KG_WS="\${OLAM_KG_WORKSPACE:-$(cat "\${OLAM_HOME:-$HOME/.olam}/kg-default-workspace" 2>/dev/null || echo atlas-one)}"; ` : "";
+  const wsField = isCloud ? `,\\"workspace\\":\\"\${OLAM_KG_PROXY_WORKSPACE:-}\\"` : `,\\"workspace\\":\\"$KG_WS\\"`;
+  const termExtract = TERM_EXTRACT_PY;
+  const qTermLocal = `$(echo \\"$KG_TERM\\" | head -c 200 | tr '\\"' ' ')`;
+  const setTerm = `KG_TERM=$(echo "$CMD" | ${termExtract}); `;
+  const curlPost = `${wsResolve}${setTerm}RESP=$(curl -s --max-time 1 -X POST -H 'Content-Type: application/json' ${authHeader2} -d "{\\"q\\":\\"${qTermLocal}\\"${wsField}}" ${resolvedUrl} 2>/dev/null)`;
+  const hostRemoteFallback = opts.flavor === "host" ? `; if [ -r "$HOME/.olam/kg-proxy-url" ] && [ -r "$HOME/.olam/kg-proxy-bearer" ]; then KG_ORIGIN=$(sed 's|\\(https*://[^/]*\\).*|\\1|' "$HOME/.olam/kg-proxy-url" 2>/dev/null); if [ -z "$RESP" ]; then RESP=$(curl -s --max-time 3 -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer $(cat "$HOME/.olam/kg-proxy-bearer")" -d "{\\"q\\":\\"${qTermLocal}\\"${wsField}}" "$KG_ORIGIN/v1/classify" 2>/dev/null); fi; fi` : "";
+  const routeIsKg = `echo "$RESP" | grep -Eq '"route"[[:space:]]*:[[:space:]]*"(kg|both)"'`;
+  const queryBody = `-d "{\\"q\\":\\"${qTermLocal}\\",\\"limit\\":5${wsField}}"`;
+  let queryFollowup = "";
+  if (opts.flavor === "host") {
+    queryFollowup = `; KG_QUERY_NODES=""; if [ -n "$RESP" ] && ${routeIsKg} && [ -n "$KG_ORIGIN" ] && [ -r "$HOME/.olam/kg-proxy-bearer" ]; then KG_QUERY_NODES=$(curl -s --max-time 3 -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer $(cat "$HOME/.olam/kg-proxy-bearer")" ${queryBody} "$KG_ORIGIN/v1/query" 2>/dev/null); fi`;
+  } else if (isCloud) {
+    queryFollowup = `; KG_QUERY_NODES=""; if [ -n "$RESP" ] && ${routeIsKg}; then KG_QUERY_NODES=$(curl -s --max-time 3 -X POST -H 'Content-Type: application/json' ${authHeader2} ${queryBody} "\${OLAM_KG_PROXY_URL:-}/v1/query" 2>/dev/null); fi`;
+  }
+  const emitLine = `export KG_QUERY="$(echo \\"$CMD\\" | head -c 60 | tr '\\"' ' ')"; export KG_QUERY_NODES="\${KG_QUERY_NODES:-}"; echo "$RESP" | ${emitContext}`;
   return [
     `KG_SENTINEL=${KG_HOOK_SENTINEL}`,
     `CMD=$(${extractCmd})`,
-    `case "$CMD" in grep\\ *|grep|git\\ grep\\ *|rg\\ *|ripgrep\\ *|find\\ *|fd\\ *|ack\\ *|ag\\ *) ${cloudGuard}${curlPost}${hostRemoteFallback}`,
-    `KG_QUERY="$(echo \\"$CMD\\" | head -c 60 | tr '\\"' ' ')" echo "$RESP" | ${emitContext}`,
+    `case "$CMD" in grep\\ *|grep|git\\ grep\\ *|rg\\ *|ripgrep\\ *|find\\ *|fd\\ *|ack\\ *|ag\\ *) ${cloudGuard}${curlPost}${hostRemoteFallback}${queryFollowup}`,
+    emitLine,
     `;; esac`
   ].join("; ");
 }
@@ -49142,6 +49221,77 @@ function buildHookMatcherEntry(opts) {
     ]
   };
 }
+function buildPromptHookCommand(opts) {
+  const url3 = opts.url ?? defaultUrl(opts.flavor);
+  const isCloud = opts.flavor === "cloud-sandbox";
+  const isHostOrWorld = opts.flavor === "host" || opts.flavor === "world";
+  const extractCmd = `python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('prompt',''))" 2>/dev/null`;
+  const resolvedUrl = isCloud ? '"${OLAM_KG_PROXY_URL:-}/v1/classify"' : url3;
+  const authHeader2 = isCloud ? `-H "Authorization: Bearer \${OLAM_KG_PROXY_BEARER:-}"` : "";
+  const cloudGuard = isCloud ? `if [ -z "\${OLAM_KG_PROXY_URL:-}" ] || [ -z "\${OLAM_KG_PROXY_BEARER:-}" ]; then exit 0; fi; ` : "";
+  const wsResolve = isHostOrWorld ? `KG_WS="\${OLAM_KG_WORKSPACE:-$(cat "\${OLAM_HOME:-$HOME/.olam}/kg-default-workspace" 2>/dev/null || echo atlas-one)}"; ` : "";
+  const wsField = isCloud ? `,\\"workspace\\":\\"\${OLAM_KG_PROXY_WORKSPACE:-}\\"` : `,\\"workspace\\":\\"$KG_WS\\"`;
+  const classifyPost = `${wsResolve}RESP=$(curl -s --max-time 1 -X POST -H 'Content-Type: application/json' ${authHeader2} -d "{\\"q\\":\\"$(echo \\"$PROMPT\\" | head -c 200 | tr '\\"' ' ')\\"${wsField}}" ${resolvedUrl} 2>/dev/null)`;
+  const hostRemoteFallback = opts.flavor === "host" ? `; if [ -r "$HOME/.olam/kg-proxy-url" ] && [ -r "$HOME/.olam/kg-proxy-bearer" ]; then KG_ORIGIN=$(sed 's|\\(https*://[^/]*\\).*|\\1|' "$HOME/.olam/kg-proxy-url" 2>/dev/null); if [ -z "$RESP" ]; then RESP=$(curl -s --max-time 3 -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer $(cat "$HOME/.olam/kg-proxy-bearer")" -d "{\\"q\\":\\"$(echo \\"$PROMPT\\" | head -c 200 | tr '\\"' ' ')\\"${wsField}}" "$KG_ORIGIN/v1/classify" 2>/dev/null); fi; fi` : "";
+  const setTerm = `KG_TERM=$(echo "$PROMPT" | ${PROMPT_TERM_EXTRACT_PY}); `;
+  const qTerm = `$(echo \\"$KG_TERM\\" | head -c 200 | tr '\\"' ' ')`;
+  const routeIsKg = `echo "$RESP" | grep -Eq '"route"[[:space:]]*:[[:space:]]*"(kg|both)"'`;
+  const queryBody = `-d "{\\"q\\":\\"${qTerm}\\",\\"limit\\":5${wsField}}"`;
+  let queryFollowup = "";
+  if (opts.flavor === "host") {
+    queryFollowup = `; KG_QUERY_NODES=""; if [ -n "$RESP" ] && ${routeIsKg} && [ -n "$KG_ORIGIN" ] && [ -r "$HOME/.olam/kg-proxy-bearer" ]; then ${setTerm}KG_QUERY_NODES=$(curl -s --max-time 3 -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer $(cat "$HOME/.olam/kg-proxy-bearer")" ${queryBody} "$KG_ORIGIN/v1/query" 2>/dev/null); fi`;
+  } else if (isCloud) {
+    queryFollowup = `; KG_QUERY_NODES=""; if [ -n "$RESP" ] && ${routeIsKg}; then ${setTerm}KG_QUERY_NODES=$(curl -s --max-time 3 -X POST -H 'Content-Type: application/json' ${authHeader2} ${queryBody} "\${OLAM_KG_PROXY_URL:-}/v1/query" 2>/dev/null); fi`;
+  }
+  const emitContext = `python3 -c 'import json,sys,os
+try:
+  d=json.loads(sys.stdin.read())
+  route=d.get("route","")
+  if route not in ("kg","both"): sys.exit(0)
+  qnodes=[]
+  try:
+    qd=json.loads(os.environ.get("KG_QUERY_NODES","") or "{}")
+    if isinstance(qd,dict) and qd.get("ok") and isinstance(qd.get("nodes"),list):
+      qnodes=qd["nodes"]
+  except Exception: qnodes=[]
+  layer=d.get("layer","?")
+  cands=d.get("candidate_symbols") or []
+  sym=(cands[0] if cands else "") or "<symbol>"
+  q=os.environ.get("KG_QUERY","")[:60]
+  ql=q.lower()
+  rel=any(k in ql for k in ("call","caller","import","uses","used","reference","who "))
+  g="olam kg mirror graph \\"" + sym + "\\" --workspace <ws>"
+  hint=g + (" --relates" if rel else "") + "  (where X is defined; add --relates for what calls/imports it; --repo <name> to browse a repo)"
+  if qnodes:
+    lines=[]
+    for n in qnodes[:5]:
+      s=str(n.get("symbol") or n.get("label") or "?")
+      f=str(n.get("file") or "")
+      loc=str(n.get("loc") or "")
+      lines.append(f"  {s}  {f}:{loc}" if loc else f"  {s}  {f}")
+    body="[kg L"+str(layer)+"|"+route+"] this looks symbol-shaped \u2014 the KG already has:\\n\\u21b3 nodes ("+str(len(qnodes))+"):\\n"+"\\n".join(lines)+"\\n\\u21b3 graph: "+hint
+  else:
+    body="[kg L"+str(layer)+"|"+route+"] this looks symbol-shaped \u2014 prefer the KG over grep.\\n\\u21b3 graph: "+hint
+  print(json.dumps({"hookSpecificOutput":{"hookEventName":"UserPromptSubmit","additionalContext":body}}))
+except Exception: pass' 2>/dev/null`;
+  const emitLine = `export KG_QUERY="$(echo \\"$PROMPT\\" | head -c 60 | tr '\\"' ' ')"; export KG_QUERY_NODES="\${KG_QUERY_NODES:-}"; echo "$RESP" | ${emitContext}`;
+  return [
+    `KG_SENTINEL=${KG_HOOK_PROMPT_SENTINEL}`,
+    `PROMPT=$(${extractCmd})`,
+    // No search-tool gate: classify every non-empty prompt. Empty prompt → no-op.
+    `if [ -n "$PROMPT" ]; then ${cloudGuard}${classifyPost}${hostRemoteFallback}${queryFollowup}; ${emitLine}; fi`
+  ].join("; ");
+}
+function buildPromptHookMatcherEntry(opts) {
+  return {
+    hooks: [
+      {
+        type: "command",
+        command: buildPromptHookCommand(opts)
+      }
+    ]
+  };
+}
 
 // ../skill-runtime/dist/skills/kg-install-hook.js
 init_v3();
@@ -49190,9 +49340,18 @@ function register31(server, _ctx, _initError) {
         ensureHook: {
           stage: "PreToolUse",
           sentinel: KG_HOOK_SENTINEL,
+          staleSentinelPrefix: KG_HOOK_SENTINEL_PREFIX,
           entry: buildHookMatcherEntry({ flavor: "host" })
         }
       });
+      mergeHomeSettingsJson(filePath, {
+        ensureHook: {
+          stage: "UserPromptSubmit",
+          sentinel: KG_HOOK_PROMPT_SENTINEL,
+          staleSentinelPrefix: KG_HOOK_PROMPT_SENTINEL_PREFIX,
+          entry: buildPromptHookMatcherEntry({ flavor: "host" })
+        }
+      });
       if (result.status === "already-present" && backupPath) {
         try {
           fs47.unlinkSync(backupPath);
@@ -49266,13 +49425,13 @@ function settingsPathFor3(scope, projectPath) {
   const root = projectPath ?? process.cwd();
   return path47.join(root, ".claude", "settings.json");
 }
-function dropSentinel(matchers) {
+function dropSentinel(matchers, sentinelPrefix) {
   let changed = false;
   const out = [];
   for (const matcher of matchers) {
     const innerHooks = matcher.hooks ?? [];
     const keptInner = innerHooks.filter((h) => {
-      if (typeof h.command === "string" && h.command.includes(KG_HOOK_SENTINEL)) {
+      if (typeof h.command === "string" && h.command.includes(sentinelPrefix)) {
         changed = true;
         return false;
       }
@@ -49308,13 +49467,16 @@ function register32(server, _ctx, _initError) {
       const raw = fs48.readFileSync(filePath, "utf-8");
       const settings = raw.trim() ? JSON.parse(raw) : {};
       const preToolUse = settings.hooks?.PreToolUse;
-      if (!Array.isArray(preToolUse) || preToolUse.length === 0) {
+      const promptSubmit = settings.hooks?.UserPromptSubmit;
+      const hasPre = Array.isArray(preToolUse) && preToolUse.length > 0;
+      const hasPrompt = Array.isArray(promptSubmit) && promptSubmit.length > 0;
+      if (!hasPre && !hasPrompt) {
         return {
           content: [
             {
               type: "text",
               text: JSON.stringify(
-                { ok: true, status: "no-hooks", filePath, message: "no PreToolUse hooks present" },
+                { ok: true, status: "no-hooks", filePath, message: "no kg hooks present" },
                 null,
                 2
               )
@@ -49322,8 +49484,9 @@ function register32(server, _ctx, _initError) {
           ]
         };
       }
-      const { matchers, changed } = dropSentinel(preToolUse);
-      if (!changed) {
+      const preResult = hasPre ? dropSentinel(preToolUse, KG_HOOK_SENTINEL_PREFIX) : { matchers: [], changed: false };
+      const promptResult = hasPrompt ? dropSentinel(promptSubmit, KG_HOOK_PROMPT_SENTINEL_PREFIX) : { matchers: [], changed: false };
+      if (!preResult.changed && !promptResult.changed) {
         return {
           content: [
             {
@@ -49343,15 +49506,13 @@ function register32(server, _ctx, _initError) {
         fs48.copyFileSync(filePath, backupPath);
       } catch {
       }
-      const next = {
-        ...settings,
-        hooks: { ...settings.hooks, PreToolUse: matchers }
-      };
-      if (matchers.length === 0) {
-        const otherStages = Object.keys(next.hooks ?? {}).filter((k) => k !== "PreToolUse");
-        if (otherStages.length === 0) delete next.hooks;
-        else delete next.hooks.PreToolUse;
-      }
+      const nextHooks = { ...settings.hooks };
+      if (hasPre) nextHooks.PreToolUse = preResult.matchers;
+      if (hasPrompt) nextHooks.UserPromptSubmit = promptResult.matchers;
+      if (hasPre && preResult.matchers.length === 0) delete nextHooks.PreToolUse;
+      if (hasPrompt && promptResult.matchers.length === 0) delete nextHooks.UserPromptSubmit;
+      const next = { ...settings, hooks: nextHooks };
+      if (Object.keys(nextHooks).length === 0) delete next.hooks;
       fs48.writeFileSync(filePath, JSON.stringify(next, null, 2) + "\n");
       return {
         content: [

package/hermes-bundle/version.json

@@ -1,4 +1,4 @@
 {
-  "bundledAt": "2026-06-03T05:18:35.489Z",
+  "bundledAt": "2026-06-03T07:06:37.421Z",
   "kgFirstSha": "29a9ccce1b115d049e375c4a90eb5cf7c123e610e2d0590270a4db2cdbc64a28"
 }

package/host-cp/k8s/manifests/50-deployment.yaml

@@ -118,7 +118,7 @@ spec:
         # k3d), started by `olam upgrade` Step 0.7 — not inside this Pod.
       containers:
         - name: olam-host-cp
-          image: ghcr.io/pleri/olam-host-cp@sha256:90d17380f48eb37c26d9050105d0ebc037e71a610ffd02998aa2f05a8a31caba
+          image: ghcr.io/pleri/olam-host-cp@sha256:5d8726cbe667359e64d2abe53150c80c870a2d71960c2f41833a3c8719abee12
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/auth-service/50-deployment.yaml

@@ -70,7 +70,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-auth-service
-          image: ghcr.io/pleri/olam-auth@sha256:95167696ea6e6146df66a325193283d4418b07c77540c17e1b33a5aa15b12092
+          image: ghcr.io/pleri/olam-auth@sha256:90c00c3d75cc697539a0d6663fdf30d67fac787171ff1c53a3c1fa1755fcecb3
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/kg-service/50-deployment.yaml

@@ -61,7 +61,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-kg-service
-          image: ghcr.io/pleri/olam-kg-service@sha256:8d2b10b56dc5db06470d86f8097fc14c2e0f4b03a5a9a15817673f858ed3a0db
+          image: ghcr.io/pleri/olam-kg-service@sha256:829de080754fe0728b0c0368b6083a6679baff33745dd81c68fadc4ccea7bf7d
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/mcp-auth-service/50-deployment.yaml

@@ -68,7 +68,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-mcp-auth-service
-          image: ghcr.io/pleri/olam-mcp-auth@sha256:1b0aa93ed9e3bf517715b02542fca075265f01cc1d73320bfe60a8cad700d1df
+          image: ghcr.io/pleri/olam-mcp-auth@sha256:c7041e093e23acdad36eb2a611e66e925061b79e41a5b8a3be28bba57d6624c5
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/memory-service/50-deployment.yaml

@@ -70,7 +70,7 @@ spec:
           # bootstrap-placeholder comment + run `npm run refresh:manifest-digests`
           # once ghcr.io/pleri/olam-memory-service has a real published digest.
           # bootstrap-placeholder: pre-publish; refresh after first release
-          image: ghcr.io/pleri/olam-memory-service@sha256:b3f650cd4ad766d7d221896db03ac4110f80dd106cbb16bad4ca9c3a66642520
+          image: ghcr.io/pleri/olam-memory-service@sha256:2b40d835b807fa49316a9db0215ee4ac6b36e2403c8170cfb4a70067115ad292
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/src/server.mjs

@@ -237,6 +237,13 @@ const OLAM_SANDBOX_RUNNER_TOKEN = process.env.OLAM_SANDBOX_RUNNER_TOKEN ?? '';
 // Basic auth to plan-DO; defaults to Basic auth with operator/<SHOWCASE_PW>.
 const OLAM_OPSIDE_LONGPOLL = process.env.OLAM_OPSIDE_LONGPOLL === '1';
 const OLAM_CLOUD_URL = process.env.OLAM_CLOUD_URL ?? '';
+// Chunk sink: the Neon ingest worker is the PROVEN path (runner → ingest →
+// Neon → Electric → SPA). The legacy default (OLAM_CLOUD_URL = plan-DO) buffers
+// chunks in DO SQLite and only reaches Neon if plan-DO's HOST_CP_URL is set —
+// which it is not in cloud mode, so SPA chunk-render silently breaks. Prefer
+// CHUNKS_INGEST_URL when set; fall back to OLAM_CLOUD_URL for back-compat.
+const CHUNKS_INGEST_URL = process.env.CHUNKS_INGEST_URL ?? '';
+const CHUNKS_INGEST_BEARER = process.env.CHUNKS_INGEST_BEARER ?? '';
 const OLAM_SHOWCASE_PASSWORD = process.env.OLAM_SHOWCASE_PASSWORD ?? '';
 // Build the Basic auth header from OLAM_SHOWCASE_PASSWORD when not
 // explicitly overridden. Showcase Basic auth is the v1 mechanism (Decision #7).
@@ -2218,7 +2225,8 @@ const server = http.createServer(instrumentHandler('host-cp', async (req, res) =
           (typeof parsedBody.workspace === 'string' && parsedBody.workspace.length > 0 ? parsedBody.workspace : '') ||
           hostKgWorkspace;
         const burstHostCpUrl = parsedBody.hostCpUrl || readRemoteHostCpUrl();
-        const burstChunksSinkUrl = parsedBody.chunksSinkUrl || OLAM_CLOUD_URL;
+        const burstChunksSinkUrl = parsedBody.chunksSinkUrl || CHUNKS_INGEST_URL || OLAM_CLOUD_URL;
+        const burstChunksSinkBearer = parsedBody.chunksSinkBearer || CHUNKS_INGEST_BEARER || '';
         // Always generate a fresh idempotency key — prevents double-spawn on
         // retried requests (mirrors the cloud-dispatch handler's A3.2 contract).
         const idempotencyKey = crypto.randomUUID();
@@ -2241,6 +2249,7 @@ const server = http.createServer(instrumentHandler('host-cp', async (req, res) =
           ...(burstKgWorkspace ? { kgWorkspace: burstKgWorkspace } : {}),
           ...(burstHostCpUrl ? { hostCpUrl: burstHostCpUrl } : {}),
           ...(burstChunksSinkUrl ? { chunksSinkUrl: burstChunksSinkUrl } : {}),
+          ...(burstChunksSinkBearer ? { chunksSinkBearer: burstChunksSinkBearer } : {}),
           // attachments → runner materializes operator-pasted file/image bytes
           // from R2 into /workspace/<sid>/.attachments (plan-chat-spa-attachments
           // Phase A, #1614). The runner reads body.attachments; sandbox-dispatch-client
@@ -3267,10 +3276,14 @@ const server = http.createServer(instrumentHandler('host-cp', async (req, res) =
       // operator is watching (live SPA reasoning). body value wins if present.
       const remoteHostCpUrl = readRemoteHostCpUrl();
       if (remoteHostCpUrl && !parsed.hostCpUrl) enrichedObj = { ...(enrichedObj ?? parsed), hostCpUrl: remoteHostCpUrl };
-      // Host-cp-independent chunk sink: forward the public plan-DO URL so the
-      // runner posts chunks straight to plan-DO /v1/chunks → Neon → Electric →
-      // SPA (no host-cp in the chunk path). OLAM_CLOUD_URL is plan-DO's URL.
-      if (OLAM_CLOUD_URL && !parsed.chunksSinkUrl) enrichedObj = { ...(enrichedObj ?? parsed), chunksSinkUrl: OLAM_CLOUD_URL };
+      // Host-cp-independent chunk sink: the runner posts chunks to
+      // <chunksSinkUrl>/v1/chunks. Prefer the Neon ingest worker (proven path:
+      // runner → ingest → Neon → Electric → SPA); the legacy OLAM_CLOUD_URL
+      // (plan-DO) only buffers in DO SQLite and never reaches Neon in cloud
+      // mode. body value wins. Pair the sink with its bearer when defaulting.
+      const defaultChunkSink = CHUNKS_INGEST_URL || OLAM_CLOUD_URL;
+      if (defaultChunkSink && !parsed.chunksSinkUrl) enrichedObj = { ...(enrichedObj ?? parsed), chunksSinkUrl: defaultChunkSink };
+      if (CHUNKS_INGEST_BEARER && !parsed.chunksSinkBearer) enrichedObj = { ...(enrichedObj ?? parsed), chunksSinkBearer: CHUNKS_INGEST_BEARER };
       // Always inject idempotencyKey into the body so plan-DO forwards it to the
       // runner even when the Idempotency-Key header is not propagated.
       enrichedObj = { ...(enrichedObj ?? parsed), idempotencyKey };

package/memory-hooks/agent-memory-gate.mjs

@@ -0,0 +1,103 @@
+/**
+ * agent-memory-gate.mjs — dependency-free ESM gate helper for hooks.
+ *
+ * Re-implements the SAME tri-state opt-in contract as
+ * packages/core/src/memory/gate.ts inline. Hooks are standalone .mjs/.js files
+ * distributed to operators' ~/.claude/scripts/hooks/ and cannot import
+ * @olam/core at runtime — this module is imported by the agentmemory hooks.
+ *
+ * # Modes — KEEP IN SYNC WITH gate.ts
+ *
+ *   off       — no recall, no capture (default).
+ *   readonly  — recall allowed; capture (write) NOT. Human-driven dev.
+ *   editor    — recall AND capture allowed. Fully agentic dev.
+ *
+ * # Precedence (fail-closed)
+ *
+ *   1. env OLAM_AGENT_MEMORY — AUTHORITATIVE when set + non-empty
+ *      (trimmed, case-insensitive):
+ *        'readonly' → readonly · 'editor' → editor
+ *        '1'|'true'|'on' → readonly  (legacy "on" → least-privilege)
+ *        any other value → off
+ *   2. flag file at $OLAM_HOME/agent-memory-enabled (or ~/.olam/…) when env unset:
+ *        'readonly' → readonly · 'editor' → editor
+ *        'true'|'1' → readonly  (legacy enable wrote TRUE)
+ *        anything else / absent / read error → off
+ *   3. default → off
+ *
+ * FAIL-CLOSED: any error → off. Legacy truthy values resolve to READONLY, never
+ * EDITOR — write access must be opted into explicitly.
+ *
+ * Two implementations, one contract. If you change this logic, update
+ * packages/core/src/memory/gate.ts to match (and vice-versa).
+ */
+
+import { readFileSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+
+/** @typedef {'off' | 'readonly' | 'editor'} AgentMemoryMode */
+
+const ENV_MODE = new Map([
+  ['readonly', 'readonly'],
+  ['editor', 'editor'],
+  ['1', 'readonly'],
+  ['true', 'readonly'],
+  ['on', 'readonly'],
+]);
+const FILE_MODE = new Map([
+  ['readonly', 'readonly'],
+  ['editor', 'editor'],
+  ['true', 'readonly'],
+  ['1', 'readonly'],
+]);
+
+/**
+ * Resolve the agent-memory-enabled flag file path.
+ * Mirrors agentMemoryEnabledPath() from @olam/core/src/paths/olam-paths.ts.
+ * Re-reads process.env on every call (direnv-safe).
+ */
+function agentMemoryEnabledPath() {
+  const fromEnv = process.env['OLAM_HOME'];
+  const olamHome = (fromEnv && fromEnv.length > 0) ? fromEnv : join(homedir(), '.olam');
+  return join(olamHome, 'agent-memory-enabled');
+}
+
+/**
+ * Resolve the agent-memory access mode. Synchronous. Never throws — any I/O
+ * error or unrecognised value → 'off' (fail-closed).
+ *
+ * @returns {AgentMemoryMode}
+ */
+export function agentMemoryMode() {
+  const envVal = process.env['OLAM_AGENT_MEMORY'];
+  if (envVal !== undefined && envVal.length > 0) {
+    return ENV_MODE.get(envVal.trim().toLowerCase()) ?? 'off';
+  }
+
+  try {
+    const raw = readFileSync(agentMemoryEnabledPath(), 'utf8').trim().toLowerCase();
+    return FILE_MODE.get(raw) ?? 'off';
+  } catch {
+    return 'off';
+  }
+}
+
+/**
+ * Returns true iff agent-memory RECALL should run (readonly or editor).
+ * Compatibility shim for existing read-path call sites.
+ *
+ * @returns {boolean}
+ */
+export function isAgentMemoryEnabled() {
+  return agentMemoryMode() !== 'off';
+}
+
+/**
+ * Returns true iff agent-memory CAPTURE (write) is permitted — editor only.
+ *
+ * @returns {boolean}
+ */
+export function canWriteAgentMemory() {
+  return agentMemoryMode() === 'editor';
+}

package/memory-hooks/agentmemory-save.mjs

@@ -33,6 +33,7 @@
  */
 
 import { readFileSync } from 'node:fs';
+import { canWriteAgentMemory } from './agent-memory-gate.mjs';
 
 const DEFAULT_URL = 'https://atlas-agent-memory.atlas-kitchen.workers.dev';
 const MEMORY_PATH_RE = /\/\.claude\/projects\/.*\/memory\/.*\.md$/;
@@ -93,6 +94,9 @@ async function main() {
   const filePath = payload?.tool_input?.file_path ?? '';
   if (toolName !== 'Write' || !MEMORY_PATH_RE.test(filePath)) return;
 
+  // Capture is gated to EDITOR mode. off/readonly never write to the store.
+  if (!canWriteAgentMemory()) return;
+
   const bearer = (process.env['OLAM_AGENT_MEMORY_BEARER'] ?? '').trim();
   if (!bearer) return;
 

package/memory-hooks/agentmemory-session-recall.js

@@ -43,21 +43,24 @@ const path = require('path');
 // ---------------------------------------------------------------------------
 // Opt-in gate — inline re-implementation of agent-memory-gate.mjs contract
 // (CJS cannot import ESM at the top level; inline ensures same fail-closed
-// semantics without a dynamic import or a build step).
+// semantics without a dynamic import or a build step). This is a RECALL path,
+// so it gates on mode !== off (readonly OR editor); legacy truthy → readonly.
 // ---------------------------------------------------------------------------
-const _GATE_TRUTHY_ENV = new Set(['1', 'true', 'on']);
-const _GATE_TRUTHY_FILE = new Set(['true', '1']);
+// Values that enable RECALL (env, then file). Capture (editor-only) is gated
+// separately in agentmemory-save.mjs via canWriteAgentMemory().
+const _GATE_ENABLED_ENV = new Set(['readonly', 'editor', '1', 'true', 'on']);
+const _GATE_ENABLED_FILE = new Set(['readonly', 'editor', 'true', '1']);
 function _isAgentMemoryEnabled() {
   const envVal = process.env['OLAM_AGENT_MEMORY'];
   if (envVal !== undefined && envVal.length > 0) {
-    return _GATE_TRUTHY_ENV.has(envVal.trim().toLowerCase());
+    return _GATE_ENABLED_ENV.has(envVal.trim().toLowerCase());
   }
   try {
     const fromEnv = process.env['OLAM_HOME'];
     const olamHome = (fromEnv && fromEnv.length > 0) ? fromEnv : path.join(os.homedir(), '.olam');
     const flagPath = path.join(olamHome, 'agent-memory-enabled');
     const raw = fs.readFileSync(flagPath, 'utf8').trim().toLowerCase();
-    return _GATE_TRUTHY_FILE.has(raw);
+    return _GATE_ENABLED_FILE.has(raw);
   } catch {
     return false;
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pleri/olam-cli",
-  "version": "0.1.209",
+  "version": "0.1.210",
   "type": "module",
   "bin": {
     "olam": "./bin/olam.cjs"