@rely-ai/caliber 1.19.7 → 1.20.0-dev.1773685589

package/dist/bin.js

@@ -2062,7 +2062,7 @@ Return a JSON object with this exact shape:
 Respond with ONLY the JSON object, no markdown fences or extra text.`;
 var LEARN_SYSTEM_PROMPT = `You are an expert developer experience engineer. You analyze raw tool call events from AI coding sessions to extract reusable operational lessons that will help future LLM sessions work more effectively in this project.
 
-You receive a chronological sequence of tool events from a Claude Code session. Each event includes the tool name, its input, its response, and whether it was a success or failure.
+You receive a chronological sequence of events from a Claude Code session. Most events are tool calls (with tool name, input, response, and success/failure status). Some events are USER_PROMPT events that capture what the user typed \u2014 these are critical for detecting corrections and redirections.
 
 Your job is to find OPERATIONAL patterns \u2014 things that went wrong and how they were fixed, commands that required specific flags or configuration, APIs that needed a particular approach to work. Focus on the WORKFLOW, not the code logic.
 
@@ -2074,6 +2074,7 @@ Look for:
 4. **Project-specific commands**: The correct way to build, test, lint, deploy \u2014 especially if it differs from defaults.
 5. **File/path traps**: Paths that are misleading, files that shouldn't be edited, directories with unexpected structure.
 6. **Configuration quirks**: Settings, flags, or arguments that are required but non-obvious.
+7. **User corrections**: The user explicitly told the AI what's wrong, what to use instead, or what to avoid. Look for phrases like "no, use X instead of Y", "don't touch/edit/modify X", "that's wrong, you need to...", "always/never do X in this project", "stop, that file is...". These are the HIGHEST VALUE signals \u2014 they represent direct human feedback about project-specific requirements. If a user correction contradicts a pattern you'd otherwise extract, the correction wins.
 
 DO NOT extract:
 - Descriptions of what the code does or how features work (e.g. "compression removes comments" or "skeleton extraction creates outlines")
@@ -2084,21 +2085,30 @@ DO NOT extract:
 From these observations, produce:
 
 ### claudeMdLearnedSection
-A markdown section with concise, actionable bullet points. Your output will be written to CALIBER_LEARNINGS.md \u2014 a standalone file that all AI coding agents (Claude Code, Cursor, Codex) reference for project-specific operational patterns. Each bullet should be a concrete instruction that prevents a future mistake or encodes a discovered workaround. Format: what to do (or avoid), and why.
+A markdown section with concise, actionable bullet points. Your output will be written to CALIBER_LEARNINGS.md \u2014 a standalone file that all AI coding agents (Claude Code, Cursor, Codex) reference for project-specific operational patterns.
+
+Each bullet MUST be prefixed with an observation type in bold brackets. Valid types:
+- **[correction]** \u2014 user explicitly told the AI what's wrong or what to do differently (HIGHEST PRIORITY \u2014 always include these)
+- **[gotcha]** \u2014 a trap or edge case that wastes time if you don't know about it
+- **[fix]** \u2014 a specific failure-to-recovery sequence
+- **[pattern]** \u2014 a reusable approach that works in this project
+- **[env]** \u2014 an environment or configuration requirement
+- **[convention]** \u2014 a project-specific rule or naming convention
 
 Good examples:
-- "Run \`npm install\` before \`npm run build\` \u2014 the build assumes deps are installed and gives a misleading error otherwise"
-- "The test database requires \`DATABASE_URL\` to be set \u2014 use \`source .env.test\` first"
-- "Use \`pnpm\` not \`npm\` \u2014 the lockfile is pnpm-lock.yaml and npm creates conflicts"
-- "Do NOT run \`jest\` directly \u2014 always use \`npm run test\` which sets the correct NODE_ENV"
-- "API calls to \`/v2/users\` require the \`X-Api-Version\` header \u2014 without it you get a 404 that looks like the endpoint doesn't exist"
-- "When \`tsup\` build fails with a type error, run \`npx tsc --noEmit\` first to get the real error \u2014 tsup swallows the details"
-- "Files in \`src/generated/\` are auto-generated \u2014 editing them directly will be overwritten on next build"
+- "**[correction]** Files in \`src/generated/\` are auto-generated \u2014 never edit them directly"
+- "**[correction]** Use \`pnpm\` not \`npm\` \u2014 the lockfile is pnpm-lock.yaml and npm creates conflicts"
+- "**[gotcha]** When \`tsup\` build fails with a type error, run \`npx tsc --noEmit\` first to get the real error \u2014 tsup swallows the details"
+- "**[fix]** If \`npm install\` fails with ERESOLVE, use \`--legacy-peer-deps\`"
+- "**[env]** The test database requires \`DATABASE_URL\` to be set \u2014 use \`source .env.test\` first"
+- "**[pattern]** Do NOT run \`jest\` directly \u2014 always use \`npm run test\` which sets the correct NODE_ENV"
+- "**[convention]** API calls to \`/v2/users\` require the \`X-Api-Version\` header \u2014 without it you get a 404 that looks like the endpoint doesn't exist"
 
 Bad examples (do NOT produce these):
 - "The codebase uses TypeScript with strict mode" (describes code, not actionable)
 - "Components follow a pattern of X" (describes architecture, not operational)
 - "The project has a scoring module" (summarizes code structure)
+- Any bullet without a **[type]** prefix
 
 Rules for the learned section:
 - Be additive: keep all existing learned items, add new ones, remove duplicates
@@ -3686,6 +3696,7 @@ var SETTINGS_PATH2 = path13.join(".claude", "settings.json");
 var HOOK_TAILS = [
   { event: "PostToolUse", tail: "learn observe", description: "Caliber: recording tool usage for session learning" },
   { event: "PostToolUseFailure", tail: "learn observe --failure", description: "Caliber: recording tool failure for session learning" },
+  { event: "UserPromptSubmit", tail: "learn observe --prompt", description: "Caliber: recording user prompt for correction detection" },
   { event: "SessionEnd", tail: "learn finalize", description: "Caliber: finalizing session learnings" }
 ];
 function getHookConfigs() {
@@ -3746,6 +3757,7 @@ var CURSOR_HOOKS_PATH = path13.join(".cursor", "hooks.json");
 var CURSOR_HOOK_EVENTS = [
   { event: "postToolUse", tail: "learn observe" },
   { event: "postToolUseFailure", tail: "learn observe --failure" },
+  { event: "userPromptSubmit", tail: "learn observe --prompt" },
   { event: "sessionEnd", tail: "learn finalize" }
 ];
 function readCursorHooks() {
@@ -7649,8 +7661,12 @@ function parseBullets(content) {
   if (current) bullets.push(current);
   return bullets;
 }
+var TYPE_PREFIX_RE = /^\*\*\[[^\]]+\]\*\*\s*/;
 function normalizeBullet(bullet) {
-  return bullet.replace(/^- /, "").replace(/`[^`]*`/g, "").replace(/\s+/g, " ").toLowerCase().trim();
+  return bullet.replace(/^- /, "").replace(TYPE_PREFIX_RE, "").replace(/`[^`]*`/g, "").replace(/\s+/g, " ").toLowerCase().trim();
+}
+function hasTypePrefix(bullet) {
+  return TYPE_PREFIX_RE.test(bullet.replace(/^- /, ""));
 }
 function deduplicateLearnedItems(existing, incoming) {
   const existingBullets = existing ? parseBullets(existing) : [];
@@ -7660,14 +7676,18 @@ function deduplicateLearnedItems(existing, incoming) {
   for (const bullet of incomingBullets) {
     const norm = normalizeBullet(bullet);
     if (!norm) continue;
-    const isDup = merged.some((e) => {
+    const dupIdx = merged.findIndex((e) => {
       const eNorm = normalizeBullet(e);
       const shorter = Math.min(norm.length, eNorm.length);
       const longer = Math.max(norm.length, eNorm.length);
       if (!(eNorm.includes(norm) || norm.includes(eNorm))) return false;
       return shorter / longer > 0.7;
     });
-    if (!isDup) {
+    if (dupIdx !== -1) {
+      if (hasTypePrefix(bullet) && !hasTypePrefix(merged[dupIdx])) {
+        merged[dupIdx] = bullet;
+      }
+    } else {
       merged.push(bullet);
       newItems.push(bullet);
     }
@@ -8137,6 +8157,17 @@ function appendEvent(event) {
     fs30.writeFileSync(filePath, kept.join("\n") + "\n");
   }
 }
+function appendPromptEvent(event) {
+  ensureLearningDir();
+  const filePath = sessionFilePath();
+  fs30.appendFileSync(filePath, JSON.stringify(event) + "\n");
+  const count = getEventCount();
+  if (count > LEARNING_MAX_EVENTS) {
+    const lines = fs30.readFileSync(filePath, "utf-8").split("\n").filter(Boolean);
+    const kept = lines.slice(lines.length - LEARNING_MAX_EVENTS);
+    fs30.writeFileSync(filePath, kept.join("\n") + "\n");
+  }
+}
 function readAllEvents() {
   const filePath = sessionFilePath();
   if (!fs30.existsSync(filePath)) return [];
@@ -8197,14 +8228,6 @@ function acquireFinalizeLock() {
     fs30.writeFileSync(lockPath, String(process.pid), { flag: "wx" });
     return true;
   } catch {
-    try {
-      const stat = fs30.statSync(lockPath);
-      if (Date.now() - stat.mtimeMs >= LOCK_STALE_MS) {
-        fs30.writeFileSync(lockPath, String(process.pid));
-        return true;
-      }
-    } catch {
-    }
     return false;
   }
 }
@@ -8216,17 +8239,64 @@ function releaseFinalizeLock() {
   }
 }
 
+// src/lib/sanitize.ts
+var KNOWN_PREFIX_PATTERNS = [
+  // Anthropic (before generic sk- pattern)
+  [/sk-ant-[A-Za-z0-9_-]{20,}/g, "[REDACTED]"],
+  // AWS access key IDs
+  [/AKIA[0-9A-Z]{16}/g, "[REDACTED]"],
+  // AWS secret keys in assignments
+  [/(?:aws)?_?secret_?(?:access)?_?key\s*[:=]\s*['"]?[A-Za-z0-9/+=]{40}['"]?/gi, "[REDACTED]"],
+  // GitHub tokens (PAT, OAuth, server, app install, fine-grained)
+  [/gh[pousr]_[A-Za-z0-9_]{36,}/g, "[REDACTED]"],
+  [/github_pat_[A-Za-z0-9_]{22,}/g, "[REDACTED]"],
+  // Stripe keys
+  [/[sr]k_(live|test)_[A-Za-z0-9]{20,}/g, "[REDACTED]"],
+  // Slack tokens
+  [/xox[bpsar]-[A-Za-z0-9-]{10,}/g, "[REDACTED]"],
+  // JWTs (3-segment base64url)
+  [/eyJ[A-Za-z0-9_-]{20,}\.eyJ[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}/g, "[REDACTED]"],
+  // OpenAI keys (after sk-ant- to avoid false match)
+  [/sk-[A-Za-z0-9-]{20,}/g, "[REDACTED]"],
+  // Google API keys
+  [/AIza[A-Za-z0-9_-]{35}/g, "[REDACTED]"],
+  // Bearer tokens
+  [/[Bb]earer\s+[A-Za-z0-9_\-.]{20,}/g, "[REDACTED]"],
+  // PEM private keys
+  [/-----BEGIN[A-Z ]+KEY-----[\s\S]+?-----END[A-Z ]+KEY-----/g, "[REDACTED]"]
+];
+var SENSITIVE_ASSIGNMENT = /(?:api[_-]?key|secret[_-]?key|password|token|credential|auth[_-]?token|private[_-]?key)\s*[:=]\s*['"]?([^\s'"]{8,500})['"]?/gi;
+function sanitizeSecrets(text) {
+  let result = text;
+  for (const [pattern, replacement] of KNOWN_PREFIX_PATTERNS) {
+    result = result.replace(pattern, replacement);
+  }
+  result = result.replace(
+    SENSITIVE_ASSIGNMENT,
+    (match, value) => match.replace(value, "[REDACTED]")
+  );
+  return result;
+}
+
 // src/ai/learn.ts
 init_config();
 var MAX_PROMPT_TOKENS = 1e5;
 function formatEventsForPrompt(events) {
   return events.map((e, i) => {
-    const status = e.hook_event_name === "PostToolUseFailure" ? "FAILURE" : "SUCCESS";
-    const inputStr = JSON.stringify(e.tool_input, null, 2);
-    const responseStr = typeof e.tool_response === "object" && "_truncated" in e.tool_response ? String(e.tool_response._truncated) : JSON.stringify(e.tool_response, null, 2);
+    if (e.hook_event_name === "UserPromptSubmit") {
+      const pe = e;
+      return `--- Event ${i + 1} [USER_PROMPT] ---
+Time: ${pe.timestamp}
+User said:
+${pe.prompt_content}`;
+    }
+    const te = e;
+    const status = te.hook_event_name === "PostToolUseFailure" ? "FAILURE" : "SUCCESS";
+    const inputStr = JSON.stringify(te.tool_input, null, 2);
+    const responseStr = typeof te.tool_response === "object" && "_truncated" in te.tool_response ? String(te.tool_response._truncated) : JSON.stringify(te.tool_response, null, 2);
     return `--- Event ${i + 1} [${status}] ---
-Tool: ${e.tool_name}
-Time: ${e.timestamp}
+Tool: ${te.tool_name}
+Time: ${te.timestamp}
 Input:
 ${inputStr}
 Response:
@@ -8298,9 +8368,25 @@ async function learnObserveCommand(options) {
     const raw = await readStdin();
     if (!raw.trim()) return;
     const hookData = JSON.parse(raw);
+    const sessionId = hookData.session_id || hookData.conversation_id || "unknown";
+    if (options.prompt) {
+      const event2 = {
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        session_id: sessionId,
+        hook_event_name: "UserPromptSubmit",
+        prompt_content: sanitizeSecrets(String(hookData.prompt_content || hookData.content || hookData.prompt || "")),
+        cwd: hookData.cwd || process.cwd()
+      };
+      appendPromptEvent(event2);
+      const state2 = readState2();
+      state2.eventCount++;
+      if (!state2.sessionId) state2.sessionId = sessionId;
+      writeState2(state2);
+      return;
+    }
     const event = {
       timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      session_id: hookData.session_id || hookData.conversation_id || "unknown",
+      session_id: sessionId,
       hook_event_name: options.failure ? "PostToolUseFailure" : "PostToolUse",
       tool_name: hookData.tool_name || "unknown",
       tool_input: hookData.tool_input || {},
@@ -8311,7 +8397,7 @@ async function learnObserveCommand(options) {
     appendEvent(event);
     const state = readState2();
     state.eventCount++;
-    if (!state.sessionId) state.sessionId = event.session_id;
+    if (!state.sessionId) state.sessionId = sessionId;
     writeState2(state);
   } catch {
   }
@@ -8530,7 +8616,7 @@ program.command("score").description("Score your current agent config setup (det
 program.command("refresh").description("Update docs based on recent code changes").option("--quiet", "Suppress output (for use in hooks)").option("--dry-run", "Preview changes without writing files").action(tracked("refresh", refreshCommand));
 program.command("hooks").description("Manage auto-refresh hooks (toggle interactively)").option("--install", "Enable all hooks non-interactively").option("--remove", "Disable all hooks non-interactively").action(tracked("hooks", hooksCommand));
 var learn = program.command("learn", { hidden: true }).description("[dev] Session learning \u2014 observe tool usage and extract reusable instructions");
-learn.command("observe").description("Record a tool event from stdin (called by hooks)").option("--failure", "Mark event as a tool failure").action(tracked("learn:observe", learnObserveCommand));
+learn.command("observe").description("Record a tool event from stdin (called by hooks)").option("--failure", "Mark event as a tool failure").option("--prompt", "Record a user prompt event").action(tracked("learn:observe", learnObserveCommand));
 learn.command("finalize").description("Analyze session events and update CALIBER_LEARNINGS.md (called on SessionEnd)").option("--force", "Skip the running-process check (for manual invocation)").action(tracked("learn:finalize", (opts) => learnFinalizeCommand(opts)));
 learn.command("install").description("Install learning hooks into .claude/settings.json").action(tracked("learn:install", learnInstallCommand));
 learn.command("remove").description("Remove learning hooks from .claude/settings.json").action(tracked("learn:remove", learnRemoveCommand));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rely-ai/caliber",
-  "version": "1.19.7",
+  "version": "1.20.0-dev.1773685589",
   "description": "Analyze your codebase and generate optimized AI agent configs (CLAUDE.md, .cursorrules, skills) — no API key needed",
   "type": "module",
   "bin": {