@prmichaelsen/remember-mcp 3.19.3 → 4.0.0

package/src/tools/admin-schema-collection.spec.ts

@@ -0,0 +1,167 @@
+/**
+ * Tests for admin schema and collection tools:
+ * - remember_admin_get_weaviate_schema
+ * - remember_admin_list_collections
+ * - remember_admin_collection_stats
+ */
+
+import { handleAdminGetWeaviateSchema } from './admin-get-weaviate-schema.js';
+import { handleAdminListCollections } from './admin-list-collections.js';
+import { handleAdminCollectionStats } from './admin-collection-stats.js';
+
+// Mock the Weaviate client
+const mockGet = jest.fn();
+const mockListAll = jest.fn();
+const mockConfigGet = jest.fn();
+const mockLength = jest.fn();
+
+jest.mock('../weaviate/client.js', () => ({
+  getWeaviateClient: () => ({
+    collections: {
+      get: (name: string) => {
+        mockGet(name);
+        return {
+          config: { get: mockConfigGet },
+          length: mockLength,
+        };
+      },
+      listAll: mockListAll,
+    },
+  }),
+}));
+
+const sampleConfig = {
+  properties: [
+    { name: 'content', dataType: 'text', description: 'Memory content', indexFilterable: true, indexSearchable: true, tokenization: 'word' },
+    { name: 'weight', dataType: 'number', description: 'Significance', indexFilterable: true, indexSearchable: false, tokenization: null },
+  ],
+  vectorizers: [{ name: 'default', type: 'text2vec-openai' }],
+  generative: null,
+  multiTenancy: { enabled: false },
+  replication: { factor: 1 },
+};
+
+describe('remember_admin_get_weaviate_schema', () => {
+  const originalEnv = process.env.ADMIN_USER_IDS;
+
+  beforeEach(() => {
+    process.env.ADMIN_USER_IDS = 'admin_user';
+    jest.clearAllMocks();
+    mockConfigGet.mockResolvedValue(sampleConfig);
+  });
+
+  afterEach(() => {
+    if (originalEnv !== undefined) {
+      process.env.ADMIN_USER_IDS = originalEnv;
+    } else {
+      delete process.env.ADMIN_USER_IDS;
+    }
+  });
+
+  it('returns schema for admin user', async () => {
+    const result = await handleAdminGetWeaviateSchema(
+      { collection_name: 'Memory_users_test' },
+      'admin_user'
+    );
+    const parsed = JSON.parse(result);
+    expect(parsed.collection_name).toBe('Memory_users_test');
+    expect(parsed.properties).toHaveLength(2);
+    expect(parsed.properties[0].name).toBe('content');
+    expect(parsed.properties[1].name).toBe('weight');
+  });
+
+  it('returns permission error for non-admin user', async () => {
+    const result = await handleAdminGetWeaviateSchema(
+      { collection_name: 'Memory_users_test' },
+      'regular_user'
+    );
+    const parsed = JSON.parse(result);
+    expect(parsed.isError).toBe(true);
+    expect(parsed.content[0].text).toContain('Permission denied');
+  });
+});
+
+describe('remember_admin_list_collections', () => {
+  const originalEnv = process.env.ADMIN_USER_IDS;
+
+  beforeEach(() => {
+    process.env.ADMIN_USER_IDS = 'admin_user';
+    jest.clearAllMocks();
+    mockListAll.mockResolvedValue([
+      { name: 'Memory_users_abc123' },
+      { name: 'Memory_users_def456' },
+      { name: 'Memory_spaces_public' },
+      { name: 'Memory_groups_team1' },
+    ]);
+  });
+
+  afterEach(() => {
+    if (originalEnv !== undefined) {
+      process.env.ADMIN_USER_IDS = originalEnv;
+    } else {
+      delete process.env.ADMIN_USER_IDS;
+    }
+  });
+
+  it('lists all collections with type categorization', async () => {
+    const result = await handleAdminListCollections({}, 'admin_user');
+    const parsed = JSON.parse(result);
+    expect(parsed.total).toBe(4);
+    expect(parsed.collections[0]).toEqual({ name: 'Memory_users_abc123', type: 'user' });
+    expect(parsed.collections[2]).toEqual({ name: 'Memory_spaces_public', type: 'space' });
+    expect(parsed.collections[3]).toEqual({ name: 'Memory_groups_team1', type: 'group' });
+  });
+
+  it('filters collections by prefix', async () => {
+    const result = await handleAdminListCollections({ filter: 'Memory_users_' }, 'admin_user');
+    const parsed = JSON.parse(result);
+    expect(parsed.total).toBe(2);
+    expect(parsed.collections.every((c: any) => c.type === 'user')).toBe(true);
+  });
+
+  it('returns permission error for non-admin user', async () => {
+    const result = await handleAdminListCollections({}, 'regular_user');
+    const parsed = JSON.parse(result);
+    expect(parsed.isError).toBe(true);
+  });
+});
+
+describe('remember_admin_collection_stats', () => {
+  const originalEnv = process.env.ADMIN_USER_IDS;
+
+  beforeEach(() => {
+    process.env.ADMIN_USER_IDS = 'admin_user';
+    jest.clearAllMocks();
+    mockConfigGet.mockResolvedValue(sampleConfig);
+    mockLength.mockResolvedValue(42);
+  });
+
+  afterEach(() => {
+    if (originalEnv !== undefined) {
+      process.env.ADMIN_USER_IDS = originalEnv;
+    } else {
+      delete process.env.ADMIN_USER_IDS;
+    }
+  });
+
+  it('returns stats for admin user', async () => {
+    const result = await handleAdminCollectionStats(
+      { collection_name: 'Memory_users_test' },
+      'admin_user'
+    );
+    const parsed = JSON.parse(result);
+    expect(parsed.collection_name).toBe('Memory_users_test');
+    expect(parsed.object_count).toBe(42);
+    expect(parsed.property_count).toBe(2);
+    expect(parsed.properties).toEqual(['content', 'weight']);
+  });
+
+  it('returns permission error for non-admin user', async () => {
+    const result = await handleAdminCollectionStats(
+      { collection_name: 'Memory_users_test' },
+      'regular_user'
+    );
+    const parsed = JSON.parse(result);
+    expect(parsed.isError).toBe(true);
+  });
+});

package/src/tools/admin-search-across-users.ts

@@ -0,0 +1,104 @@
+/**
+ * remember_admin_search_across_users tool
+ * Searches memories across multiple user tenants.
+ */
+
+import { handleToolError } from '../utils/error-handler.js';
+import { createDebugLogger } from '../utils/debug.js';
+import type { AuthContext } from '../types/auth.js';
+import { isAdmin, adminPermissionError } from '../utils/admin.js';
+import { createCoreServices } from '../core-services.js';
+
+export const adminSearchAcrossUsersTool = {
+  name: 'remember_admin_search_across_users',
+  description: `[Admin] Search memories across multiple user tenants.
+
+  Results include which user each memory belongs to.
+  Requires explicit user_id array — no "all users" search.
+  Requires admin access (ADMIN_USER_IDS).`,
+  inputSchema: {
+    type: 'object',
+    properties: {
+      user_ids: {
+        type: 'array',
+        items: { type: 'string' },
+        description: 'User IDs to search across (required, 1 or more)',
+      },
+      query: {
+        type: 'string',
+        description: 'Search query (hybrid search)',
+      },
+      limit: {
+        type: 'number',
+        description: 'Max results across all users. Default: 10',
+      },
+      content_type: {
+        type: 'string',
+        description: 'Optional content type filter',
+      },
+    },
+    required: ['user_ids', 'query'],
+  },
+};
+
+export interface AdminSearchAcrossUsersArgs {
+  user_ids: string[];
+  query: string;
+  limit?: number;
+  content_type?: string;
+}
+
+export async function handleAdminSearchAcrossUsers(
+  args: AdminSearchAcrossUsersArgs,
+  userId: string,
+  _authContext?: AuthContext
+): Promise<string> {
+  const debug = createDebugLogger({ tool: 'remember_admin_search_across_users', userId, operation: 'search across users' });
+  try {
+    if (!isAdmin(userId)) {
+      return JSON.stringify(adminPermissionError());
+    }
+
+    if (!args.user_ids || args.user_ids.length === 0) {
+      return JSON.stringify({ error: 'user_ids array is required and must not be empty' });
+    }
+
+    debug.info('Tool invoked', { user_ids: args.user_ids, query: args.query, limit: args.limit });
+
+    const limit = args.limit ?? 10;
+    const allResults: Array<{ user_id: string; memory: any; score?: number }> = [];
+    const warnings: string[] = [];
+
+    for (const targetUserId of args.user_ids) {
+      try {
+        const services = createCoreServices(targetUserId);
+        const searchResult = await services.memory.search({
+          query: args.query,
+          limit,
+          filters: args.content_type ? { types: [args.content_type as any] } : undefined,
+        });
+
+        for (const memory of searchResult.memories) {
+          allResults.push({
+            user_id: targetUserId,
+            memory,
+          });
+        }
+      } catch (err) {
+        warnings.push(`User ${targetUserId}: ${err instanceof Error ? err.message : String(err)}`);
+      }
+    }
+
+    // Sort by relevance (first results from each user are highest relevance)
+    // and limit to requested total
+    const limited = allResults.slice(0, limit);
+
+    return JSON.stringify({
+      total: limited.length,
+      results: limited,
+      warnings: warnings.length > 0 ? warnings : undefined,
+    }, null, 2);
+  } catch (error) {
+    return handleToolError(error, { toolName: 'remember_admin_search_across_users', userId, operation: 'search across users' });
+  }
+}

package/src/tools/confirm.spec.ts

@@ -0,0 +1,108 @@
+/**
+ * Tests for confirm tool — secret_token passthrough and set_trust_level handling.
+ */
+
+import { handleConfirm } from './confirm.js';
+
+// ─── Mocks ──────────────────────────────────────────────────
+
+jest.mock('../core-services.js', () => ({
+  createCoreServices: jest.fn(),
+}));
+
+jest.mock('../weaviate/client.js', () => ({
+  getWeaviateClient: jest.fn(),
+  getMemoryCollectionName: jest.fn((userId: string) => `Memory_users_${userId}`),
+}));
+
+jest.mock('../utils/debug.js', () => ({
+  createDebugLogger: jest.fn(() => ({
+    info: jest.fn(),
+    debug: jest.fn(),
+    trace: jest.fn(),
+    error: jest.fn(),
+    time: jest.fn((_: string, fn: () => any) => fn()),
+  })),
+}));
+
+jest.mock('../utils/error-handler.js', () => ({
+  handleToolError: jest.fn(),
+}));
+
+import { createCoreServices } from '../core-services.js';
+const mockCreateCoreServices = createCoreServices as jest.MockedFunction<any>;
+
+// ─── Tests ───────────────────────────────────────────────────
+
+describe('confirm tool', () => {
+  let mockConfirm: jest.Mock;
+  let mockValidateToken: jest.Mock;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    mockConfirm = jest.fn();
+    mockValidateToken = jest.fn();
+
+    mockCreateCoreServices.mockReturnValue({
+      space: { confirm: mockConfirm },
+      token: { validateToken: mockValidateToken, confirmRequest: jest.fn() },
+    });
+  });
+
+  it('passes secret_token through to space.confirm when provided', async () => {
+    mockValidateToken.mockResolvedValue({ action: 'publish_memory' });
+    mockConfirm.mockResolvedValue({
+      action: 'publish_memory',
+      success: true,
+      composite_id: 'u1.m1',
+      published_to: ['spaces: public'],
+      space_ids: ['public'],
+      group_ids: [],
+    });
+
+    await handleConfirm({ token: 'tok-1', secret_token: 'sec-abc' }, 'user-1');
+
+    expect(mockConfirm).toHaveBeenCalledWith({ token: 'tok-1', secret_token: 'sec-abc' });
+  });
+
+  it('works without secret_token (backward compatible)', async () => {
+    mockValidateToken.mockResolvedValue({ action: 'publish_memory' });
+    mockConfirm.mockResolvedValue({
+      action: 'publish_memory',
+      success: true,
+      composite_id: 'u1.m1',
+      published_to: ['spaces: public'],
+      space_ids: ['public'],
+      group_ids: [],
+    });
+
+    await handleConfirm({ token: 'tok-1' }, 'user-1');
+
+    expect(mockConfirm).toHaveBeenCalledWith({ token: 'tok-1', secret_token: undefined });
+  });
+
+  it('handles set_trust_level action via memory.confirmSetTrustLevel', async () => {
+    const mockConfirmSetTrustLevel = jest.fn().mockResolvedValue({
+      memory_id: 'mem-1',
+      previous_trust_level: 'normal',
+      new_trust_level: 'core',
+      updated_at: '2026-03-20T00:00:00Z',
+    });
+
+    mockValidateToken.mockResolvedValue({ action: 'set_trust_level' });
+    mockCreateCoreServices.mockReturnValue({
+      space: { confirm: mockConfirm },
+      token: { validateToken: mockValidateToken, confirmRequest: jest.fn() },
+      memory: { confirmSetTrustLevel: mockConfirmSetTrustLevel },
+    });
+
+    const result = JSON.parse(await handleConfirm({ token: 'tok-trust' }, 'user-1') as string);
+
+    expect(result.success).toBe(true);
+    expect(result.memory_id).toBe('mem-1');
+    expect(result.previous_trust_level).toBe('normal');
+    expect(result.new_trust_level).toBe('core');
+    expect(result.message).toBe('Trust level changed from normal to core');
+    expect(mockConfirmSetTrustLevel).toHaveBeenCalledWith('tok-trust');
+  });
+});

package/src/tools/confirm.ts

@@ -53,6 +53,10 @@ Violating these requirements bypasses user consent and is a security violation.`
         type: 'string',
         description: 'The confirmation token from the action tool',
       },
+      secret_token: {
+        type: 'string',
+        description: 'HMAC secret token for guard-protected operations. Only required when confirmation guard is enabled on the server.',
+      },
     },
     required: ['token'],
   },
@@ -60,6 +64,7 @@ Violating these requirements bypasses user consent and is a security violation.`
 
 interface ConfirmArgs {
   token: string;
+  secret_token?: string;
 }
 
 /**
@@ -140,8 +145,26 @@ export async function handleConfirm(
       );
     }
 
+    // Handle set_trust_level via MemoryService
+    if (request.action === 'set_trust_level') {
+      const { memory } = createCoreServices(userId);
+      const result = await memory.confirmSetTrustLevel(args.token);
+      return JSON.stringify(
+        {
+          success: true,
+          memory_id: result.memory_id,
+          previous_trust_level: result.previous_trust_level,
+          new_trust_level: result.new_trust_level,
+          updated_at: result.updated_at,
+          message: `Trust level changed from ${result.previous_trust_level} to ${result.new_trust_level}`,
+        },
+        null,
+        2
+      );
+    }
+
     // Delegate publish/retract/revise to core SpaceService
-    const result = await space.confirm({ token: args.token });
+    const result = await space.confirm({ token: args.token, secret_token: args.secret_token });
 
     // Format response based on action type
     if (result.action === 'retract_memory') {

package/src/tools/create-internal-memory.ts

@@ -29,7 +29,6 @@ export const createInternalMemoryTool = {
       title: { type: 'string', description: 'Optional title' },
       tags: { type: 'array', items: { type: 'string' }, description: 'Additional tags (internal tags added automatically)' },
       weight: { type: 'number', minimum: 0, maximum: 1, description: 'Significance (0-1)' },
-      trust: { type: 'number', minimum: 0, maximum: 1, description: 'Trust level (0-1)' },
       feel_salience: { type: 'number', minimum: 0, maximum: 1 },
       feel_social_weight: { type: 'number', minimum: 0, maximum: 1 },
       feel_narrative_importance: { type: 'number', minimum: 0, maximum: 1 },
@@ -43,7 +42,6 @@ export interface CreateInternalMemoryArgs {
   title?: string;
   tags?: string[];
   weight?: number;
-  trust?: number;
   [key: string]: any;
 }
 
@@ -81,7 +79,6 @@ export async function handleCreateInternalMemory(
       title: args.title,
       type: ctx.type as any,
       weight: args.weight,
-      trust: args.trust,
       tags: mergedTags,
       context_summary: `Internal memory created via MCP (${ctx.type})`,
       ...feelFields,

package/src/tools/create-memory.spec.ts

@@ -114,13 +114,17 @@ describe('updateMemoryTool definition', () => {
     expect(required).not.toContain('group_ids');
   });
 
-  it('has optional content, title, type, weight, trust, tags properties', () => {
+  it('has optional content, title, type, weight, tags properties', () => {
     const props = updateMemoryTool.inputSchema.properties as Record<string, any>;
     expect(props.content).toBeDefined();
     expect(props.title).toBeDefined();
     expect(props.type).toBeDefined();
     expect(props.weight).toBeDefined();
-    expect(props.trust).toBeDefined();
     expect(props.tags).toBeDefined();
   });
+
+  it('does not expose trust in schema', () => {
+    const props = updateMemoryTool.inputSchema.properties as Record<string, any>;
+    expect(props.trust).toBeUndefined();
+  });
 });

package/src/tools/create-memory.ts

@@ -18,7 +18,7 @@ export const createMemoryTool = {
   description: `Create a new memory with optional template.
   
   Memories can store any type of information: notes, events, people, recipes, etc.
-  Each memory has a weight (significance 0-1) and trust level (access control 0-1).
+  Each memory has a weight (significance 0-1). Trust defaults to SECRET (level 5) and can be changed via remember_request_set_trust_level.
   Location and context are automatically captured from the request.
   
   **IMPORTANT - Content vs Summary**:
@@ -56,12 +56,6 @@ export const createMemoryTool = {
         minimum: 0,
         maximum: 1,
       },
-      trust: {
-        type: 'number',
-        description: 'Access control level (0-1, default: 0.25)',
-        minimum: 0,
-        maximum: 1,
-      },
       tags: {
         type: 'array',
         items: { type: 'string' },
@@ -149,7 +143,6 @@ export interface CreateMemoryArgs {
   title?: string;
   type?: ContentType;
   weight?: number;
-  trust?: number;
   tags?: string[];
   references?: string[];
   template_id?: string;
@@ -201,7 +194,6 @@ export async function handleCreateMemory(
       title: args.title,
       type: args.type,
       weight: args.weight,
-      trust: args.trust,
       tags: args.tags,
       references: args.references,
       template_id: args.template_id,

package/src/tools/deny.spec.ts

@@ -0,0 +1,59 @@
+/**
+ * Tests for deny tool — secret_token passthrough.
+ */
+
+import { handleDeny } from './deny.js';
+
+// ─── Mocks ──────────────────────────────────────────────────
+
+jest.mock('../core-services.js', () => ({
+  createCoreServices: jest.fn(),
+}));
+
+jest.mock('../utils/debug.js', () => ({
+  createDebugLogger: jest.fn(() => ({
+    info: jest.fn(),
+    debug: jest.fn(),
+    trace: jest.fn(),
+    error: jest.fn(),
+    time: jest.fn((_: string, fn: () => any) => fn()),
+  })),
+}));
+
+jest.mock('../utils/error-handler.js', () => ({
+  handleToolError: jest.fn(),
+}));
+
+import { createCoreServices } from '../core-services.js';
+const mockCreateCoreServices = createCoreServices as jest.MockedFunction<any>;
+
+// ─── Tests ───────────────────────────────────────────────────
+
+describe('deny tool', () => {
+  let mockDeny: jest.Mock;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    mockDeny = jest.fn();
+
+    mockCreateCoreServices.mockReturnValue({
+      space: { deny: mockDeny },
+    });
+  });
+
+  it('passes secret_token through to space.deny when provided', async () => {
+    mockDeny.mockResolvedValue({ success: true });
+
+    await handleDeny({ token: 'tok-1', secret_token: 'sec-abc' }, 'user-1');
+
+    expect(mockDeny).toHaveBeenCalledWith({ token: 'tok-1', secret_token: 'sec-abc' });
+  });
+
+  it('works without secret_token (backward compatible)', async () => {
+    mockDeny.mockResolvedValue({ success: true });
+
+    await handleDeny({ token: 'tok-1' }, 'user-1');
+
+    expect(mockDeny).toHaveBeenCalledWith({ token: 'tok-1', secret_token: undefined });
+  });
+});

package/src/tools/deny.ts

@@ -45,6 +45,10 @@ This ensures proper user consent workflow is followed.`,
         type: 'string',
         description: 'The confirmation token from the action tool',
       },
+      secret_token: {
+        type: 'string',
+        description: 'HMAC secret token for guard-protected operations. Only required when confirmation guard is enabled on the server.',
+      },
     },
     required: ['token'],
   },
@@ -52,6 +56,7 @@ This ensures proper user consent workflow is followed.`,
 
 interface DenyArgs {
   token: string;
+  secret_token?: string;
 }
 
 /**
@@ -68,7 +73,7 @@ export async function handleDeny(
     debug.trace('Arguments', { args });
 
     const { space } = createCoreServices(userId);
-    const result = await space.deny({ token: args.token });
+    const result = await space.deny({ token: args.token, secret_token: args.secret_token });
 
     return JSON.stringify(
       {

package/src/tools/ghost-config.ts

@@ -29,17 +29,17 @@ export const ghostConfigTool: Tool = {
 Actions:
 - get: View current ghost configuration
 - set: Update ghost settings (enabled, trust defaults, enforcement mode)
-- set_trust: Set a per-user trust level override (0-1)
+- set_trust: Set a per-user trust level override (1-5 integer)
 - remove_trust: Remove a per-user trust override (revert to default)
 - block: Block a user from ghost access entirely
 - unblock: Unblock a previously blocked user
 
-Trust levels control what information your ghost can share:
-- 0.0: Existence only ("A memory exists about this")
-- 0.25: Metadata only (tags, type, dates — no content)
-- 0.5: Summary only (AI-generated summary, no raw content)
-- 0.75: Partial access (content with sensitive fields redacted)
-- 1.0: Full access (all content revealed)
+Trust levels (1-5 integer scale) control what information your ghost can share:
+- 1 (PUBLIC): Full access (all content revealed)
+- 2 (INTERNAL): Partial access (content with sensitive fields redacted)
+- 3 (CONFIDENTIAL): Summary only (AI-generated summary, no raw content)
+- 4 (RESTRICTED): Metadata only (tags, type, dates — no content)
+- 5 (SECRET): Existence only ("A memory exists about this")
 
 Ghost is disabled by default. Enable it to allow others to chat with your AI representation.`,
   inputSchema: {
@@ -60,16 +60,16 @@ Ghost is disabled by default. Enable it to allow others to chat with your AI rep
         description: 'Allow non-friends to chat with ghost (for "set" action)',
       },
       default_friend_trust: {
-        type: 'number',
-        description: 'Default trust level for friends (0-1, for "set" action)',
-        minimum: 0,
-        maximum: 1,
+        type: 'integer',
+        description: 'Default trust level for friends (1-5 integer, for "set" action)',
+        minimum: 1,
+        maximum: 5,
       },
       default_public_trust: {
-        type: 'number',
-        description: 'Default trust level for strangers (0-1, for "set" action)',
-        minimum: 0,
-        maximum: 1,
+        type: 'integer',
+        description: 'Default trust level for strangers (1-5 integer, for "set" action)',
+        minimum: 1,
+        maximum: 5,
       },
       enforcement_mode: {
         type: 'string',
@@ -82,10 +82,10 @@ Ghost is disabled by default. Enable it to allow others to chat with your AI rep
         description: 'Target user ID (for set_trust, remove_trust, block, unblock)',
       },
       trust_level: {
-        type: 'number',
-        description: 'Trust level to assign (0-1, for "set_trust" action)',
-        minimum: 0,
-        maximum: 1,
+        type: 'integer',
+        description: 'Trust level to assign (1-5 integer, for "set_trust" action)',
+        minimum: 1,
+        maximum: 5,
       },
     },
     required: ['action'],

package/src/tools/query-memory.ts

@@ -91,8 +91,10 @@ export const queryMemoryTool = {
             description: 'Minimum weight (0-1)',
           },
           trust_min: {
-            type: 'number',
-            description: 'Minimum trust level (0-1)',
+            type: 'integer',
+            description: 'Minimum trust level (1-5: 1=PUBLIC, 2=INTERNAL, 3=CONFIDENTIAL, 4=RESTRICTED, 5=SECRET)',
+            minimum: 1,
+            maximum: 5,
           },
           date_from: {
             type: 'string',