@plur-ai/cli 0.9.9 → 0.9.10

package/dist/commands/hook-inject.js

@@ -3,30 +3,165 @@ import {
 } from "./chunk-O6WTH7H7.js";
 
 // src/commands/hook-inject.ts
-import { existsSync, writeFileSync, readFileSync, mkdirSync, readSync, statSync } from "fs";
-import { join } from "path";
-import { tmpdir } from "os";
+import { existsSync, writeFileSync, readFileSync, appendFileSync, mkdirSync, readSync, statSync } from "fs";
+import { dirname, join, resolve } from "path";
+import { tmpdir, homedir } from "os";
 import { randomUUID } from "crypto";
+var MAX_REMOTE_TASK_CHARS = 1e3;
+var MAX_REMOTE_RESPONSE_BYTES = 128 * 1024;
+var REMOTE_TIMEOUT_MS = 1500;
+var REMOTE_INJECT_LOG_DIR = join(homedir(), ".plur", "logs");
+function remoteInjectLogPath() {
+  return join(REMOTE_INJECT_LOG_DIR, `remote-inject-${(/* @__PURE__ */ new Date()).toISOString().slice(0, 10)}.jsonl`);
+}
+function logRemoteAttempt(entry) {
+  try {
+    mkdirSync(REMOTE_INJECT_LOG_DIR, { recursive: true });
+    appendFileSync(remoteInjectLogPath(), JSON.stringify(entry) + "\n");
+  } catch {
+  }
+}
 var REMINDER_INTERVAL_MS = 10 * 60 * 1e3;
+function findProjectConfigPath(startDir = process.cwd()) {
+  const home = resolve(homedir());
+  let dir = resolve(startDir);
+  const MAX_DEPTH = 12;
+  for (let depth = 0; depth < MAX_DEPTH; depth++) {
+    if (dir !== home) {
+      const candidate = join(dir, ".plur.yaml");
+      if (existsSync(candidate)) return candidate;
+    }
+    if (existsSync(join(dir, ".git"))) return null;
+    if (dir === home || dir === "/" || dir === ".") return null;
+    const parent = dirname(dir);
+    if (parent === dir) return null;
+    dir = parent;
+  }
+  return null;
+}
+function unquoteYamlValue(v) {
+  return v.replace(/^(['"])(.*)\1$/, "$2");
+}
 function readProjectConfig() {
-  const configPath = join(process.cwd(), ".plur.yaml");
-  if (!existsSync(configPath)) return {};
+  const configPath = findProjectConfigPath();
+  if (!configPath) return {};
   try {
-    const content = readFileSync(configPath, "utf8");
+    const content = readFileSync(configPath, "utf8").replace(/^/, "");
     const config = {};
-    for (const line of content.split("\n")) {
+    let inListKey = null;
+    let listAcc = [];
+    const finishList = () => {
+      if (inListKey === "remote_scopes") {
+        config.remote_scopes = listAcc;
+      }
+      inListKey = null;
+      listAcc = [];
+    };
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.replace(/\r$/, "");
       const trimmed = line.trim();
       if (trimmed.startsWith("#") || !trimmed) continue;
-      const [key, ...rest] = trimmed.split(":");
-      const value = rest.join(":").trim();
-      if (key === "domain") config.domain = value;
-      if (key === "scope") config.scope = value;
+      if (inListKey === "remote_scopes" && trimmed.startsWith("-")) {
+        listAcc.push(unquoteYamlValue(trimmed.slice(1).trim()));
+        continue;
+      }
+      if (inListKey) finishList();
+      const colonIdx = trimmed.indexOf(":");
+      if (colonIdx < 0) continue;
+      const key = trimmed.slice(0, colonIdx).trim();
+      const value = unquoteYamlValue(trimmed.slice(colonIdx + 1).trim());
+      switch (key) {
+        case "domain":
+          config.domain = value;
+          break;
+        case "scope":
+          config.scope = value;
+          break;
+        case "remote_url":
+          config.remote_url = value;
+          break;
+        case "remote_token":
+          config.remote_token = value;
+          break;
+        case "remote_scopes":
+          if (value === "" || value === "|" || value === ">") {
+            inListKey = "remote_scopes";
+            listAcc = [];
+          } else {
+            config.remote_scopes = value.split(",").map((s) => unquoteYamlValue(s.trim())).filter(Boolean);
+          }
+          break;
+      }
     }
+    finishList();
     return config;
   } catch {
     return {};
   }
 }
+async function tryRemoteInject(config, task) {
+  if (!config.remote_url || !config.remote_token) return null;
+  const startTs = Date.now();
+  let base;
+  try {
+    base = new URL(config.remote_url).origin;
+  } catch {
+    logRemoteAttempt({ ts: (/* @__PURE__ */ new Date()).toISOString(), url: config.remote_url ?? "?", outcome: "bad_response", ms: 0, detail: "invalid URL" });
+    return null;
+  }
+  const url = `${base}/api/v1/inject`;
+  const truncatedTask = task.length > MAX_REMOTE_TASK_CHARS ? task.slice(0, MAX_REMOTE_TASK_CHARS) : task;
+  const body = { task: truncatedTask };
+  if (config.remote_scopes && config.remote_scopes.length > 0) {
+    body.scopes = config.remote_scopes;
+  }
+  const ctrl = new AbortController();
+  const t = setTimeout(() => ctrl.abort(), REMOTE_TIMEOUT_MS);
+  try {
+    const r = await fetch(url, {
+      method: "POST",
+      signal: ctrl.signal,
+      headers: {
+        "authorization": `Bearer ${config.remote_token}`,
+        "content-type": "application/json"
+      },
+      body: JSON.stringify(body)
+    });
+    if (!r.ok) {
+      logRemoteAttempt({ ts: (/* @__PURE__ */ new Date()).toISOString(), url, outcome: "http_error", ms: Date.now() - startTs, http: r.status });
+      return null;
+    }
+    const contentLength = r.headers.get("content-length");
+    if (contentLength && parseInt(contentLength, 10) > MAX_REMOTE_RESPONSE_BYTES) {
+      logRemoteAttempt({ ts: (/* @__PURE__ */ new Date()).toISOString(), url, outcome: "oversize", ms: Date.now() - startTs, http: r.status, detail: `content-length=${contentLength}` });
+      return null;
+    }
+    const data = await r.json();
+    if (typeof data.text !== "string" || !data.text.trim()) {
+      logRemoteAttempt({ ts: (/* @__PURE__ */ new Date()).toISOString(), url, outcome: "bad_response", ms: Date.now() - startTs, http: r.status, detail: "empty or non-string text field" });
+      return null;
+    }
+    const count = typeof data.count === "number" ? data.count : 0;
+    logRemoteAttempt({ ts: (/* @__PURE__ */ new Date()).toISOString(), url, outcome: "ok", ms: Date.now() - startTs, http: r.status, engrams: count });
+    return {
+      text: data.text,
+      count,
+      injectedIds: Array.isArray(data.injected_ids) ? data.injected_ids : []
+    };
+  } catch (err) {
+    const isAbort = err instanceof Error && err.name === "AbortError";
+    logRemoteAttempt({
+      ts: (/* @__PURE__ */ new Date()).toISOString(),
+      url,
+      outcome: isAbort ? "timeout" : "network_error",
+      ms: Date.now() - startTs,
+      detail: err instanceof Error ? err.message.slice(0, 120) : void 0
+    });
+    return null;
+  } finally {
+    clearTimeout(t);
+  }
+}
 function sessionDir() {
   const dir = join(tmpdir(), "plur-sessions");
   mkdirSync(dir, { recursive: true });
@@ -177,25 +312,36 @@ ${parts2.join("\n")}` };
   const injectOpts = projectConfig.scope ? { scope: projectConfig.scope } : void 0;
   let context = null;
   let count = 0;
-  try {
-    const result = await plur.injectHybrid(task, injectOpts);
-    if (result.count > 0) {
-      const parts2 = [];
-      if (result.directives) parts2.push(result.directives);
-      if (result.constraints) parts2.push(result.constraints);
-      if (result.consider) parts2.push(result.consider);
-      context = parts2.join("\n");
-      count = result.count;
+  let remoteUsed = false;
+  if (projectConfig.remote_url && projectConfig.remote_token) {
+    const remote = await tryRemoteInject(projectConfig, task);
+    if (remote && remote.count > 0) {
+      context = remote.text;
+      count = remote.count;
+      remoteUsed = true;
     }
-  } catch {
-    const result = plur.inject(task, injectOpts);
-    if (result.count > 0) {
-      const parts2 = [];
-      if (result.directives) parts2.push(result.directives);
-      if (result.constraints) parts2.push(result.constraints);
-      if (result.consider) parts2.push(result.consider);
-      context = parts2.join("\n");
-      count = result.count;
+  }
+  if (!remoteUsed) {
+    try {
+      const result = await plur.injectHybrid(task, injectOpts);
+      if (result.count > 0) {
+        const parts2 = [];
+        if (result.directives) parts2.push(result.directives);
+        if (result.constraints) parts2.push(result.constraints);
+        if (result.consider) parts2.push(result.consider);
+        context = parts2.join("\n");
+        count = result.count;
+      }
+    } catch {
+      const result = plur.inject(task, injectOpts);
+      if (result.count > 0) {
+        const parts2 = [];
+        if (result.directives) parts2.push(result.directives);
+        if (result.constraints) parts2.push(result.constraints);
+        if (result.consider) parts2.push(result.consider);
+        context = parts2.join("\n");
+        count = result.count;
+      }
     }
   }
   const parts = [];
@@ -205,10 +351,11 @@ ${parts2.join("\n")}` };
     sessionId = markerData.sessionId;
   } catch {
   }
+  const sourceLabel = remoteUsed ? " (Enterprise)" : "";
   if (isRehydrate) {
-    parts.push(`[PLUR Memory \u2014 rehydrated after compaction, ${count} engrams]`);
+    parts.push(`[PLUR Memory${sourceLabel} \u2014 rehydrated after compaction, ${count} engrams]`);
   } else {
-    parts.push(`[PLUR Memory \u2014 session started, ${count} engrams injected]`);
+    parts.push(`[PLUR Memory${sourceLabel} \u2014 session started, ${count} engrams injected]`);
     if (sessionId) parts.push(`Session ID: ${sessionId}`);
     if (projectConfig.domain) parts.push(`Project domain: ${projectConfig.domain}`);
     if (projectConfig.scope) parts.push(`Project scope: ${projectConfig.scope} \u2014 use this scope for plur_learn calls`);

package/dist/commands/init-remote.js

@@ -0,0 +1,298 @@
+import {
+  outputText
+} from "./chunk-7U4W4J3G.js";
+
+// src/commands/init-remote.ts
+import { existsSync, readFileSync, writeFileSync, appendFileSync } from "fs";
+import { dirname, join, resolve } from "path";
+import { homedir } from "os";
+var HELP = `plur init-remote \u2014 opt this project into recall from PLUR Enterprise
+
+USAGE
+  plur init-remote --url <enterprise-url> --token <api-key> [--scopes <list>]
+  plur init-remote --verify   Check connectivity against existing .plur.yaml
+
+OPTIONS
+  --url URL           Enterprise base URL, e.g. https://plur.datafund.io
+  --token KEY         API key for authentication
+  --scopes SCOPES     Optional comma-separated scope whitelist
+                      e.g. "org:plur,group:plur/engineering"
+  --no-gitignore      Skip adding .plur.yaml to .gitignore (NOT RECOMMENDED \u2014
+                      the token is sensitive)
+  --verify            Read existing .plur.yaml and test the /api/v1/me
+                      endpoint against the configured remote
+
+WHAT THIS DOES
+  Writes .plur.yaml in the current directory with remote_url, remote_token,
+  and optional remote_scopes fields. The UserPromptSubmit hook will then
+  call \${remote_url}/api/v1/inject for each prompt (before falling back to
+  local PLUR). The hook walks upward from the current working directory to
+  find .plur.yaml, so you can work from any subdirectory.
+
+  WITHOUT this command, projects stay 100% local-only and Enterprise
+  never sees their prompts.
+`;
+function parseArgs(args) {
+  const out = {};
+  const consumeValue = (i, flag) => {
+    const next = args[i + 1];
+    if (next === void 0 || next.startsWith("--")) {
+      return { error: `${flag} requires a value (got ${next === void 0 ? "nothing" : `another flag: ${next}`})` };
+    }
+    return { value: next };
+  };
+  for (let i = 0; i < args.length; i++) {
+    const a = args[i];
+    if (a === "--help" || a === "-h") {
+      out.help = true;
+      continue;
+    }
+    if (a === "--verify") {
+      out.verify = true;
+      continue;
+    }
+    if (a === "--no-gitignore") {
+      out.noGitignore = true;
+      continue;
+    }
+    if (a === "--url" || a === "--token" || a === "--scopes") {
+      const r = consumeValue(i, a);
+      if ("error" in r) return r;
+      i++;
+      if (a === "--url") out.url = r.value;
+      if (a === "--token") out.token = r.value;
+      if (a === "--scopes") out.scopes = r.value.split(",").map((s) => s.trim()).filter(Boolean);
+      continue;
+    }
+  }
+  return out;
+}
+function stripRemoteKeys(content) {
+  const lines = content.split("\n");
+  const out = [];
+  let skippingList = false;
+  const REMOTE_KEY = /^remote_(url|token|scopes)\s*:(.*)$/;
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (skippingList) {
+      if (trimmed === "" || trimmed.startsWith("-")) continue;
+      skippingList = false;
+    }
+    const m = trimmed.match(REMOTE_KEY);
+    if (m) {
+      const key = m[1];
+      const rest = m[2].trim();
+      if (key === "scopes" && (rest === "" || rest === "|" || rest === ">")) {
+        skippingList = true;
+      }
+      continue;
+    }
+    out.push(line);
+  }
+  while (out.length > 0 && out[out.length - 1].trim() === "") out.pop();
+  return out.join("\n");
+}
+function buildConfigBody(existing, url, token, scopes) {
+  const stripped = stripRemoteKeys(existing);
+  const sep = stripped.length > 0 && !stripped.endsWith("\n") ? "\n\n" : stripped.length > 0 ? "\n" : "";
+  const block = [];
+  block.push("# --- PLUR Enterprise remote (opt-in for this project) ---");
+  block.push("# remote_token is sensitive \u2014 keep .plur.yaml in .gitignore.");
+  block.push(`remote_url: ${url}`);
+  block.push(`remote_token: ${token}`);
+  if (scopes && scopes.length > 0) {
+    block.push("remote_scopes:");
+    for (const s of scopes) block.push(`  - ${s}`);
+  }
+  return stripped + sep + block.join("\n") + "\n";
+}
+function ensureGitignore() {
+  const home = resolve(homedir());
+  let dir = resolve(process.cwd());
+  let gitignorePath = null;
+  const MAX_DEPTH = 12;
+  for (let depth = 0; depth < MAX_DEPTH; depth++) {
+    const candidate = join(dir, ".gitignore");
+    if (existsSync(candidate)) {
+      gitignorePath = candidate;
+      break;
+    }
+    if (existsSync(join(dir, ".git"))) break;
+    if (dir === home || dir === "/" || dir === ".") break;
+    const parent = dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  const PATTERN = ".plur.yaml";
+  if (!gitignorePath) {
+    const newPath = join(process.cwd(), ".gitignore");
+    writeFileSync(newPath, `# Added by 'plur init-remote' \u2014 .plur.yaml may hold an API token
+${PATTERN}
+`);
+    return { path: newPath, action: "created" };
+  }
+  const content = readFileSync(gitignorePath, "utf8");
+  const already = content.split("\n").some((l) => l.trim() === PATTERN);
+  if (already) return { path: gitignorePath, action: "already" };
+  const sep = content.endsWith("\n") ? "" : "\n";
+  appendFileSync(gitignorePath, `${sep}# Added by 'plur init-remote' \u2014 .plur.yaml may hold an API token
+${PATTERN}
+`);
+  return { path: gitignorePath, action: "added" };
+}
+function findExistingConfigPath() {
+  const home = resolve(homedir());
+  let dir = resolve(process.cwd());
+  const MAX_DEPTH = 12;
+  for (let depth = 0; depth < MAX_DEPTH; depth++) {
+    if (dir !== home) {
+      const candidate = join(dir, ".plur.yaml");
+      if (existsSync(candidate)) return candidate;
+    }
+    if (existsSync(join(dir, ".git"))) return null;
+    if (dir === home || dir === "/" || dir === ".") return null;
+    const parent = dirname(dir);
+    if (parent === dir) return null;
+    dir = parent;
+  }
+  return null;
+}
+function readRemoteFromConfig(path) {
+  if (!existsSync(path)) return {};
+  const content = readFileSync(path, "utf8");
+  const out = {};
+  for (const line of content.split("\n")) {
+    const trimmed = line.trim();
+    if (trimmed.startsWith("#") || !trimmed) continue;
+    const m = trimmed.match(/^(remote_url|remote_token)\s*:\s*(.+)$/);
+    if (m) {
+      if (m[1] === "remote_url") out.url = m[2].trim();
+      if (m[1] === "remote_token") out.token = m[2].trim();
+    }
+  }
+  return out;
+}
+async function verifyConnectivity(url, token) {
+  let base;
+  try {
+    base = new URL(url).origin;
+  } catch {
+    throw new Error(`Invalid URL: ${url}`);
+  }
+  const probeUrl = `${base}/api/v1/me`;
+  const ctrl = new AbortController();
+  const timer = setTimeout(() => ctrl.abort(), 5e3);
+  try {
+    const r = await fetch(probeUrl, {
+      signal: ctrl.signal,
+      headers: { "authorization": `Bearer ${token}`, "accept": "application/json" }
+    });
+    if (r.status === 401) throw new Error(`401 Unauthorized \u2014 check your API token`);
+    if (r.status === 403) throw new Error(`403 Forbidden \u2014 token lacks /me access`);
+    if (!r.ok) throw new Error(`HTTP ${r.status} from ${probeUrl}`);
+    const data = await r.json();
+    if (!data.username) throw new Error(`Unexpected response shape from ${probeUrl}`);
+    return {
+      username: data.username,
+      org_id: data.org_id ?? "(unknown)",
+      scopes: Array.isArray(data.scopes) ? data.scopes : []
+    };
+  } finally {
+    clearTimeout(timer);
+  }
+}
+async function run(args, flags) {
+  const parsed = parseArgs(args);
+  if ("error" in parsed) {
+    outputText(`Error: ${parsed.error}
+
+${HELP}`, flags);
+    process.exit(1);
+  }
+  const opts = parsed;
+  if (opts.help) {
+    outputText(HELP, flags);
+    return;
+  }
+  const configPath = join(process.cwd(), ".plur.yaml");
+  if (opts.verify) {
+    const verifyPath = findExistingConfigPath() ?? configPath;
+    const cfg = readRemoteFromConfig(verifyPath);
+    if (!cfg.url || !cfg.token) {
+      outputText(`No remote config found (walked upward from ${process.cwd()}). Run \`plur init-remote --url <url> --token <key>\` first.`, flags);
+      process.exit(1);
+    }
+    outputText(`Using config at ${verifyPath}`, flags);
+    try {
+      const me = await verifyConnectivity(cfg.url, cfg.token);
+      outputText(`\u2713 Connected to ${cfg.url} as ${me.username} (org: ${me.org_id})`, flags);
+      outputText(`  readable scopes: ${me.scopes.length === 0 ? "(none)" : me.scopes.join(", ")}`, flags);
+    } catch (err) {
+      outputText(`\u2717 Connection failed: ${err.message}`, flags);
+      process.exit(2);
+    }
+    return;
+  }
+  if (!opts.url || !opts.token) {
+    outputText(`Missing required flags.
+${HELP}`, flags);
+    process.exit(1);
+  }
+  if (/[\n\r\t]/.test(opts.token)) {
+    outputText(`Error: token contains newline/tab characters. Refusing to write a corrupt config.`, flags);
+    process.exit(1);
+  }
+  try {
+    const u = new URL(opts.url);
+    if (u.protocol !== "http:" && u.protocol !== "https:") {
+      outputText(`Error: remote_url must be http:// or https:// (got ${u.protocol})`, flags);
+      process.exit(1);
+    }
+  } catch {
+    outputText(`Error: remote_url is not a valid URL: ${opts.url}`, flags);
+    process.exit(1);
+  }
+  outputText(`Testing connectivity to ${opts.url}...`, flags);
+  try {
+    const me = await verifyConnectivity(opts.url, opts.token);
+    outputText(`\u2713 Authenticated as ${me.username} (org: ${me.org_id})`, flags);
+    outputText(`  readable scopes: ${me.scopes.length === 0 ? "(none)" : me.scopes.join(", ")}`, flags);
+  } catch (err) {
+    outputText(`\u2717 Connection failed: ${err.message}`, flags);
+    outputText(`  Refusing to write a broken config. Fix the URL/token and re-run.`, flags);
+    process.exit(2);
+  }
+  const existing = existsSync(configPath) ? readFileSync(configPath, "utf8") : "";
+  const next = buildConfigBody(existing, opts.url, opts.token, opts.scopes);
+  writeFileSync(configPath, next);
+  outputText(`\u2713 Wrote ${configPath}`, flags);
+  if (opts.scopes && opts.scopes.length > 0) {
+    outputText(`  scope whitelist: ${opts.scopes.join(", ")}`, flags);
+  } else {
+    outputText(`  scope whitelist: (none \u2014 hook will query all readable scopes)`, flags);
+  }
+  if (!opts.noGitignore) {
+    const gi = ensureGitignore();
+    if (gi.action === "added") outputText(`\u2713 Added .plur.yaml to ${gi.path}`, flags);
+    else if (gi.action === "created") outputText(`\u2713 Created ${gi.path} with .plur.yaml entry`, flags);
+    else outputText(`\u2713 ${gi.path} already excludes .plur.yaml`, flags);
+  } else {
+    outputText(`\u26A0 Skipped .gitignore (--no-gitignore). The token in .plur.yaml is sensitive.`, flags);
+  }
+  outputText(`
+Done. The UserPromptSubmit hook will now query ${opts.url} on every prompt`, flags);
+  outputText(`from this directory tree (bounded by the nearest .git). Personal/non-project`, flags);
+  outputText(`sessions (without a .plur.yaml in the path) stay local-only.`, flags);
+  outputText(``, flags);
+  outputText(`\u26A0 Token sensitivity:`, flags);
+  outputText(`  .plur.yaml now contains an API token in plaintext.`, flags);
+  outputText(`  - .gitignore protects against git commits but NOT against cloud sync`, flags);
+  outputText(`    (iCloud Drive, Dropbox, Google Drive). If this project lives in a`, flags);
+  outputText(`    synced folder, the token will leave your machine.`, flags);
+  outputText(`  - Also not protected: \`cp -r\`, \`zip\`, \`rsync\`, archived backups.`, flags);
+  outputText(`  - Consider moving the token to an env var if your project ships with`, flags);
+  outputText(`    others (future: env-var substitution in .plur.yaml).`, flags);
+}
+export {
+  run
+};

package/dist/index.js

@@ -49,7 +49,7 @@ function createPlur(flags2) {
 }
 
 // src/index.ts
-var VERSION = "0.9.9";
+var VERSION = "0.9.10";
 var argv = process.argv.slice(2);
 if (argv.includes("--version") || argv.includes("-v")) {
   console.log(VERSION);
@@ -82,6 +82,7 @@ Commands:
   stores list             List configured stores
   stores add <path>       Add a knowledge store
   init                    Install Claude Code hooks + register plur MCP server
+  init-remote             Opt this project into recall from a PLUR Enterprise server
   doctor                  Diagnose Claude Code / Claude Desktop integration
   audit [--source X]      Audit working memory (claude-code|claw|hermes) for conflicts vs engrams
   hook-inject             (internal) Hook handler for engram injection
@@ -124,6 +125,7 @@ var COMMANDS = {
   stores: "./commands/stores.js",
   migrate: "./commands/migrate.js",
   init: "./commands/init.js",
+  "init-remote": "./commands/init-remote.js",
   doctor: "./commands/doctor.js",
   audit: "./commands/audit.js",
   "hook-inject": "./commands/hook-inject.js",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@plur-ai/cli",
-  "version": "0.9.9",
+  "version": "0.9.10",
   "type": "module",
   "bin": {
     "plur": "dist/index.js"