npm - @prmichaelsen/remember-mcp - Versions diffs - 2.6.1 → 2.6.3 - Mend

@prmichaelsen/remember-mcp 2.6.1 → 2.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/CHANGELOG.md +62 -0
package/agent/progress.yaml +163 -13
package/agent/tasks/task-61-enhance-confirmation-tool-descriptions.md +267 -0
package/agent/tasks/task-62-fix-confirmation-response-storage.md +323 -0
package/agent/tasks/task-63-fix-fetchobjectbyid-missing-properties.md +397 -0
package/dist/server-factory.js +63 -6
package/dist/server.js +63 -6
package/dist/tools/confirm.d.ts +12 -0
package/dist/tools/deny.d.ts +12 -0
package/dist/weaviate/client.d.ts +16 -0
package/package.json +1 -1
package/src/tools/confirm.ts +30 -3
package/src/tools/deny.ts +23 -1
package/src/tools/publish.ts +6 -2
package/src/weaviate/client.ts +47 -0
package/agent/tasks/task-70-draft.md +0 -13

package/CHANGELOG.md CHANGED Viewed

@@ -5,6 +5,68 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [2.6.3] - 2026-02-16
+### 🐛 Fixed
+- **CRITICAL: Fixed Empty Published Memories Bug**
+  - Published memories were empty shells with no content, title, or properties
+  - Root cause: `fetchObjectById()` calls missing `returnProperties` parameter
+  - Fixed in `remember_publish` and `remember_confirm` (executePublishMemory)
+  - All published memories now include complete property data
+### ✨ Added
+- **New Utility Function**: `fetchMemoryWithAllProperties()`
+  - Centralized helper in `src/weaviate/client.ts`
+  - Ensures all memory properties are fetched consistently
+  - Prevents future bugs from missing properties
+  - Includes `ALL_MEMORY_PROPERTIES` constant (20+ properties)
+### 🔧 Improved
+- Enhanced debug logging in publish flow
+  - Added property count verification
+  - Added hasTitle and hasContent checks
+  - Better diagnostics for troubleshooting
+### 🎯 Impact
+- **Fixes**: All published memories since v2.4.0 were empty
+- **Search**: Published memories now searchable (have content)
+- **Discovery**: Space functionality now works as designed
+- **Note**: Existing empty memories need to be re-published
+---
+## [2.6.2] - 2026-02-16
+### 🔒 Security
+- **Enhanced Confirmation Tool Safety Guidelines**
+  - Added critical safety requirements to `remember_confirm` tool description
+  - Added critical safety requirements to `remember_deny` tool description
+  - Added JSDoc comments emphasizing proper confirmation workflow
+  - Prevents agents from bypassing user consent by chaining confirmations
+### 📝 Changed
+- Updated `remember_confirm` description with 5 critical safety requirements
+- Updated `remember_deny` description with 5 critical safety requirements
+- Added ⚠️ visual indicators for safety requirements
+- Added detailed JSDoc comments explaining proper workflow
+### 🎯 Safety Requirements
+Both confirmation tools now explicitly require:
+1. Token received in PREVIOUS tool response
+2. Details presented to user for review
+3. EXPLICIT user confirmation/denial in SEPARATE message
+4. NEVER chain with other tool calls
+5. ALWAYS treat as standalone, deliberate actions
+---
 ## [2.6.1] - 2026-02-16
 ### 🔧 Improved

package/agent/progress.yaml CHANGED Viewed

@@ -2,10 +2,10 @@
 project:
   name: remember-mcp
-  version: 2.5.1
+  version: 2.6.3
   started: 2026-02-11
   status: in_progress
-  current_milestone: M11
+  current_milestone: M12
   last_updated: 2026-02-16
 milestones:
@@ -162,7 +162,26 @@ milestones:
       ✅ No memory duplication across spaces
       ✅ All tests passing with multi-space support
       ✅ Documentation updated with multi-space examples
+  - id: M12
+    name: Comment System (Phase 1)
+    status: in_progress
+    progress: 60%
+    started: 2026-02-16
+    completed: null
+    estimated_weeks: 1
+    tasks_completed: 3
+    tasks_total: 5
+    notes: |
+      ✅ Task 55: Added 3 comment fields to schema (parent_id, thread_root_id, moderation_flags)
+      ✅ Task 56: Updated remember_search_space with include_comments parameter
+      ✅ Task 57: Updated remember_query_space with include_comments parameter
+      📋 Task 58: Add Comment Unit Tests (pending)
+      📋 Task 59: Update Documentation for Comments (pending)
+      ✅ Zero new tools required - reuses existing infrastructure
+      ✅ Backward compatible - comments excluded by default
+      ✅ Released v2.6.0 with comment system foundation
   - id: M7
     name: Trust & Permissions
     status: not_started
@@ -406,11 +425,97 @@ tasks:
         ✅ Context inclusion toggle
         ✅ Integrated into server.ts and server-factory.ts
+  milestone_12:
+    - id: task-55
+      name: Add Comment Fields to Weaviate Schema
+      status: completed
+      file: agent/tasks/task-55-add-comment-fields-to-schema.md
+      estimated_hours: 2
+      completed_date: 2026-02-16
+      notes: |
+        ✅ Added 3 fields to Memory schema: parent_id, thread_root_id, moderation_flags
+        ✅ Added same fields to Memory_public collection
+        ✅ Enables infinite comment nesting
+        ✅ Per-space moderation support
+        ✅ Released in v2.6.0
+    - id: task-56
+      name: Update remember_search_space for Comments
+      status: completed
+      file: agent/tasks/task-56-update-search-space-for-comments.md
+      estimated_hours: 2
+      completed_date: 2026-02-16
+      notes: |
+        ✅ Added include_comments parameter (default: false)
+        ✅ Comments excluded from search by default
+        ✅ Opt-in via include_comments: true
+        ✅ Backward compatible
+        ✅ Released in v2.6.0
+    - id: task-57
+      name: Update remember_query_space for Comments
+      status: completed
+      file: agent/tasks/task-57-update-query-space-for-comments.md
+      estimated_hours: 1
+      completed_date: 2026-02-16
+      notes: |
+        ✅ Added include_comments parameter (default: false)
+        ✅ Same filtering logic as search_space
+        ✅ Backward compatible
+        ✅ Released in v2.6.0
+    - id: task-58
+      name: Add Comment Unit Tests
+      status: not_started
+      file: agent/tasks/task-58-add-comment-unit-tests.md
+      estimated_hours: 3
+      notes: |
+        📋 Pending: Schema tests, filtering tests, edge cases
+        📋 Test infinite nesting support
+        📋 Test moderation flags
+    - id: task-59
+      name: Update Documentation for Comments
+      status: not_started
+      file: agent/tasks/task-59-update-documentation-for-comments.md
+      estimated_hours: 2
+      notes: |
+        📋 Pending: README updates, CHANGELOG entry, examples
+        📋 Document comment creation workflow
+        📋 Add threading examples
+    - id: task-60
+      name: Standardize Structured Logging
+      status: completed
+      file: agent/tasks/task-60-standardize-structured-logging.md
+      estimated_hours: 3
+      completed_date: 2026-02-16
+      notes: |
+        ✅ Replaced 54 console.log/error/warn calls with structured logger
+        ✅ Updated 8 files: confirmation-token.service, publish, confirm, deny, weaviate client/schema/space-schema, firestore init, config
+        ✅ All logs include context objects (service, module, tool names)
+        ✅ Fixed circular dependency in config.ts with dynamic import
+        ✅ Released in v2.6.1
+    - id: task-61
+      name: Enhance Confirmation Tool Safety Guidelines
+      status: completed
+      file: agent/tasks/task-61-enhance-confirmation-tool-descriptions.md
+      estimated_hours: 1
+      completed_date: 2026-02-16
+      notes: |
+        ✅ Enhanced remember_confirm tool description with 5 critical safety requirements
+        ✅ Enhanced remember_deny tool description with same safety guidelines
+        ✅ Added JSDoc comments explaining proper workflow
+        ✅ Prevents agents from bypassing user consent
+        ✅ Visual indicators (⚠️) for critical requirements
+        ✅ Released in v2.6.2
 documentation:
   design_documents: 23
-  milestone_documents: 10
+  milestone_documents: 11
   pattern_documents: 5
-  task_documents: 33
+  task_documents: 61
 progress:
   planning: 100%
@@ -418,6 +523,33 @@ progress:
   overall: 50%
 recent_work:
+  - date: 2026-02-16
+    description: Comment System, Structured Logging, and Safety Guidelines (v2.6.0-v2.6.2)
+    items:
+      - 🎉 M12 STARTED: Comment System (Phase 1) - 60% complete (3/5 tasks)
+      - ✅ Task 55: Added 3 comment fields to Weaviate schema
+      - ✅ parent_id, thread_root_id, moderation_flags fields added
+      - ✅ Enables infinite comment nesting with no depth limit
+      - ✅ Per-space moderation flags support
+      - ✅ Task 56: Updated remember_search_space with include_comments parameter
+      - ✅ Comments excluded by default for clean discovery
+      - ✅ Opt-in via include_comments: true
+      - ✅ Task 57: Updated remember_query_space with include_comments parameter
+      - ✅ Same filtering logic as search_space
+      - ✅ Released v2.6.0 with comment system foundation
+      - ✅ Task 60: Standardized structured logging across 8 files
+      - ✅ Replaced 54 console.log/error/warn calls with logger.info/error/warn/debug
+      - ✅ All logs include context objects (service, module, tool names)
+      - ✅ Fixed circular dependency in config.ts with dynamic import
+      - ✅ Released v2.6.1 with structured logging
+      - ✅ Task 61: Enhanced confirmation tool safety guidelines
+      - ✅ Added 5 critical safety requirements to remember_confirm and remember_deny
+      - ✅ Prevents agents from chaining confirmations without user consent
+      - ✅ Visual indicators (⚠️) and JSDoc comments added
+      - ✅ Released v2.6.2 with safety enhancements
+      - 📋 Next: Complete M12 with Tasks 58-59 (tests + documentation)
+      - 📋 6 commits ready to push to origin
   - date: 2026-02-16
     description: ACP Initialization Complete - Multi-Space Architecture Verified (v2.5.1)
     items:
@@ -743,18 +875,21 @@ recent_work:
       - ✅ Build successful
 next_steps:
-  - Deploy v2.5.1 to Cloud Run and verify multi-space functionality
-  - Test multi-space publishing workflow end-to-end
-  - Test multi-space search across multiple spaces
-  - Verify Firestore request creation with enhanced error handling
-  - Check Cloud Run logs for diagnostic output from ConfirmationTokenService
-  - Consider implementing comment system (v2.6.0) - 3 schema fields only!
+  - Complete Task 58: Add Comment Unit Tests (3 hours)
+  - Complete Task 59: Update Documentation for Comments (2 hours)
+  - Push 6 commits to origin (v2.6.0, v2.6.1, v2.6.2)
+  - Deploy v2.6.2 to Cloud Run
+  - Test comment system end-to-end (create, search, thread fetching)
+  - Test structured logging in Cloud Run logs
+  - Verify confirmation tool safety guidelines in production
+  - Complete M12: Comment System (Phase 1)
   - Start M5: Template System (15 default templates + auto-suggestion)
   - Optional: Create integration tests (Task 6)
   - Optional: Add development documentation (Task 7)
   - Consider M6: Auth & Multi-Tenancy
 notes:
+  - 🚀 Milestone 12 (Comment System Phase 1) IN PROGRESS - 60% complete!
   - 🎉 Milestone 11 (Unified Public Collection) COMPLETED!
   - 🎉 Milestone 10 (Shared Spaces & Confirmation Flow) COMPLETED!
   - 🎉 Milestone 4 (User Preferences) COMPLETED!
@@ -769,6 +904,10 @@ notes:
   - ✅ M4: 2/2 preference tools complete (100% progress)
   - ✅ M10: 10/10 shared space tools complete (100% progress)
   - ✅ M11: 9/9 multi-space architecture tasks complete (100% progress)
+  - 🚀 M12: 3/5 comment system tasks complete (60% progress)
+  - ✅ Comment system foundation implemented (v2.6.0)
+  - ✅ Structured logging standardized (v2.6.1)
+  - ✅ Confirmation tool safety enhanced (v2.6.2)
   - ✅ Complete memory CRUD operations (create, read, update, delete)
   - ✅ Complete relationship CRUD operations (create, read, update, delete)
   - ✅ Advanced search capabilities (hybrid, similarity, RAG queries)
@@ -833,8 +972,10 @@ build_status:
   - ✅ Source maps generated
   - ✅ Type definitions generated (.d.ts files)
   - ✅ Package exports configured for both entry points
-  - ✅ Version 2.0.1 published (patch release - error logging)
-  - ✅ 30 TypeScript source files (added error-handler.ts)
+  - ✅ Version 2.6.2 published (patch release - safety guidelines)
+  - ✅ Version 2.6.1 published (patch release - structured logging)
+  - ✅ Version 2.6.0 published (minor release - comment system)
+  - ✅ 30 TypeScript source files
   - ✅ All 12 tools implemented
   - ✅ Weaviate v3 filter API implemented
   - ✅ Or/And operator validation implemented
@@ -857,6 +998,12 @@ tools_status:
   preference_tools:
     - ✅ remember_set_preference (src/tools/set-preference.ts)
     - ✅ remember_get_preferences (src/tools/get-preferences.ts)
+  space_tools:
+    - ✅ remember_publish (src/tools/publish.ts) - Multi-space support
+    - ✅ remember_confirm (src/tools/confirm.ts) - Enhanced safety guidelines
+    - ✅ remember_deny (src/tools/deny.ts) - Enhanced safety guidelines
+    - ✅ remember_search_space (src/tools/search-space.ts) - Comment filtering
+    - ✅ remember_query_space (src/tools/query-space.ts) - Comment filtering
 implementation_notes:
   - All 12 core tools implemented and integrated
@@ -899,3 +1046,6 @@ task_20_completion:
   releases:
     - v1.0.0: Major release with breaking change (async createServer)
     - v1.0.1: Patch release with Or operator bug fix
+    - v2.6.0: Minor release with comment system foundation
+    - v2.6.1: Patch release with structured logging
+    - v2.6.2: Patch release with confirmation tool safety guidelines

package/agent/tasks/task-61-enhance-confirmation-tool-descriptions.md ADDED Viewed

@@ -0,0 +1,267 @@
+# Task 61: Enhance Confirmation Tool Descriptions with Safety Guidelines
+**Milestone**: M10 (Shared Spaces & Confirmation Flow)
+**Estimated Time**: 1 hour
+**Dependencies**: Tasks 36-38 (Publish, Confirm, Deny tools)
+**Status**: Not Started
+---
+## Objective
+Update the tool descriptions for `remember_confirm` and `remember_deny` to include critical safety guidelines that prevent agents from chaining confirmation actions inappropriately. These guidelines ensure agents follow proper confirmation workflows and obtain explicit user consent before executing sensitive operations.
+---
+## Context
+The current tool descriptions for `remember_confirm` and `remember_deny` don't explicitly warn agents about the critical requirement to obtain user confirmation in a separate interaction. This can lead to agents attempting to chain confirmation calls immediately after receiving a token, bypassing the intended user consent step.
+**Problem**: Agents might do this:
+```typescript
+// ❌ WRONG: Chaining confirm immediately
+const publishResult = await remember_publish({ memory_id: "abc", spaces: ["the_void"] });
+const confirmResult = await remember_confirm({ token: publishResult.token });  // NO USER CONSENT!
+```
+**Correct behavior**: Agents should do this:
+```typescript
+// ✅ CORRECT: Get token, ask user, then confirm in separate message
+const publishResult = await remember_publish({ memory_id: "abc", spaces: ["the_void"] });
+// Agent: "User, do you want to publish this memory to The Void? Token: xyz"
+// [User responds in SEPARATE message: "Yes"]
+// Agent in NEW message:
+const confirmResult = await remember_confirm({ token: publishResult.token });
+```
+---
+## Steps
+### 1. Update remember_confirm Tool Description
+Modify [`src/tools/confirm.ts`](../../src/tools/confirm.ts) tool description:
+**Current**:
+```typescript
+description: 'Confirm and execute a pending action using the token. Works for any action that requires confirmation (publish, delete, etc.).',
+```
+**Updated**:
+```typescript
+description: `Confirm and execute a pending action using the token. Works for any action that requires confirmation (publish, delete, etc.).
+⚠️ CRITICAL SAFETY REQUIREMENTS:
+Before executing this tool, you MUST:
+1. Have received the confirmation token in a PREVIOUS tool response
+2. Have presented the token details to the user for review
+3. Have received EXPLICIT user confirmation in a SEPARATE user message
+4. NEVER chain this tool with other tool calls in the same response
+5. ALWAYS treat confirmations as standalone, deliberate actions
+Violating these requirements bypasses user consent and is a security violation.`,
+```
+### 2. Update remember_deny Tool Description
+Modify [`src/tools/deny.ts`](../../src/tools/deny.ts) tool description:
+**Current**:
+```typescript
+description: 'Deny a pending action. The request will be marked as denied and the token invalidated. Works for any action that requires confirmation.',
+```
+**Updated**:
+```typescript
+description: `Deny a pending action. The request will be marked as denied and the token invalidated. Works for any action that requires confirmation.
+⚠️ CRITICAL SAFETY REQUIREMENTS:
+Before executing this tool, you MUST:
+1. Have received the confirmation token in a PREVIOUS tool response
+2. Have presented the token details to the user for review
+3. Have received EXPLICIT user denial in a SEPARATE user message
+4. NEVER chain this tool with other tool calls in the same response
+5. ALWAYS treat denials as standalone, deliberate actions
+This ensures proper user consent workflow is followed.`,
+```
+### 3. Add Safety Notes to Tool Comments
+Add JSDoc comments above the tool definitions emphasizing the safety requirements:
+```typescript
+/**
+ * Tool definition for remember_confirm
+ *
+ * CRITICAL SAFETY: This tool must ONLY be called after explicit user confirmation
+ * in a separate message. Never chain with other tools or call immediately after
+ * receiving a token. The confirmation workflow requires:
+ *
+ * 1. Agent calls remember_publish (or other confirmable action)
+ * 2. Agent receives token in response
+ * 3. Agent presents details to user and asks for confirmation
+ * 4. User responds in SEPARATE message with explicit yes/no
+ * 5. Agent calls remember_confirm or remember_deny in NEW response
+ *
+ * Chaining confirmations bypasses user consent and violates security model.
+ */
+export const confirmTool: Tool = {
+  // ... tool definition
+};
+```
+### 4. Update Design Document
+Update [`agent/design/publish-tools-confirmation-flow.md`](../../agent/design/publish-tools-confirmation-flow.md) to include these safety guidelines:
+Add a new section:
+```markdown
+## Safety Guidelines for Agents
+### Critical Requirements
+Agents using the confirmation flow MUST follow these rules:
+1. **Separate Messages**: Confirmation must happen in a separate user message
+   - ❌ WRONG: Chain confirm immediately after publish
+   - ✅ CORRECT: Wait for user response, then confirm
+2. **Explicit Consent**: User must explicitly say "yes" or "confirm"
+   - ❌ WRONG: Assume user wants to confirm
+   - ✅ CORRECT: Ask user and wait for explicit response
+3. **No Chaining**: Never call confirm/deny with other tools
+   - ❌ WRONG: `[remember_publish, remember_confirm]` in same response
+   - ✅ CORRECT: `remember_publish` in one response, wait, then `remember_confirm`
+4. **Present Details**: Show user what they're confirming
+   - ❌ WRONG: "Do you want to confirm?"
+   - ✅ CORRECT: "Do you want to publish 'My Memory' to The Void and Dogs spaces?"
+5. **Standalone Actions**: Treat confirmations as deliberate, standalone operations
+   - ❌ WRONG: Confirm as part of larger workflow
+   - ✅ CORRECT: Confirm as dedicated action
+### Example Correct Flow
+\`\`\`
+Agent Message 1:
+  Tool: remember_publish({ memory_id: "abc", spaces: ["the_void"] })
+  Response: { token: "xyz123" }
+  Agent to User: "I'd like to publish your memory 'Hiking Tips' to The Void.
+                  This will make it discoverable by other users.
+                  Do you want to proceed?"
+User Message 2:
+  "Yes, publish it"
+Agent Message 3:
+  Tool: remember_confirm({ token: "xyz123" })
+  Response: { success: true, space_memory_id: "def456" }
+  Agent to User: "Memory published successfully to The Void!"
+\`\`\`
+### Example Incorrect Flow
+\`\`\`
+Agent Message 1:
+  Tool 1: remember_publish({ memory_id: "abc", spaces: ["the_void"] })
+  Tool 2: remember_confirm({ token: "xyz123" })  // ❌ NO USER CONSENT!
+  Agent to User: "Published your memory!"
+\`\`\`
+This bypasses user consent and violates the security model.
+```
+### 5. Test the Updated Descriptions
+Verify the updated descriptions appear correctly:
+```bash
+# Build the project
+npm run build
+# Check that tools are registered with updated descriptions
+# (Manual verification in MCP client or by inspecting tool definitions)
+```
+---
+## Verification
+- [ ] `remember_confirm` tool description includes safety requirements
+- [ ] `remember_deny` tool description includes safety requirements
+- [ ] JSDoc comments added above tool definitions
+- [ ] Design document updated with safety guidelines section
+- [ ] Safety guidelines include examples of correct and incorrect flows
+- [ ] Tool descriptions use ⚠️ emoji for visibility
+- [ ] All 5 critical requirements listed in both tools
+- [ ] TypeScript compiles without errors: `npm run typecheck`
+- [ ] Build successful: `npm run build`
+- [ ] All tests passing: `npm test`
+---
+## Expected Output
+### Updated Tool Descriptions
+Both `remember_confirm` and `remember_deny` will have enhanced descriptions that:
+- Clearly state the 5 critical safety requirements
+- Use visual indicators (⚠️) to draw attention
+- Explain the security implications
+- Provide clear guidance on proper usage
+### Design Document Enhancement
+The publish-tools-confirmation-flow design document will have a new "Safety Guidelines for Agents" section that:
+- Explains the correct confirmation workflow
+- Shows examples of correct and incorrect flows
+- Emphasizes the security model
+- Provides clear dos and don'ts
+---
+## Common Issues and Solutions
+### Issue 1: Tool descriptions too long
+**Symptom**: MCP clients truncate or don't display full description
+**Solution**: Keep critical requirements concise. Use numbered list format for scannability.
+### Issue 2: Agents still chain confirmations
+**Symptom**: Agents call confirm immediately after publish
+**Solution**: This is an agent behavior issue, not a code issue. The enhanced descriptions help, but agent prompts may need adjustment. Consider adding system-level constraints in MCP client configuration.
+### Issue 3: Description formatting issues
+**Symptom**: Line breaks or formatting don't appear correctly in MCP clients
+**Solution**: Use simple text formatting. Avoid complex markdown. Use numbered lists and clear sections.
+---
+## Resources
+- [MCP Tool Schema](https://github.com/modelcontextprotocol/specification): Tool description best practices
+- [Confirmation Flow Design](../../agent/design/publish-tools-confirmation-flow.md): Original design document
+- [Security Best Practices](https://owasp.org/www-community/controls/): General security guidelines
+---
+## Notes
+- **This is a documentation/UX improvement**, not a code behavior change
+- **Agents can still bypass** these guidelines if they choose to - this is guidance, not enforcement
+- **Consider system-level enforcement** in future (e.g., MCP server could reject chained confirms)
+- **Tool descriptions are agent-facing**, not user-facing - they guide agent behavior
+- **Keep descriptions concise** while being comprehensive about safety requirements
+- **Visual indicators** (⚠️, ❌, ✅) help draw attention to critical information
+---
+**Next Task**: Task 62: Add System-Level Confirmation Chaining Prevention (Optional)
+**Related Design Docs**: [publish-tools-confirmation-flow.md](../../agent/design/publish-tools-confirmation-flow.md)
+**Estimated Completion Date**: TBD