@remnic/core 9.3.614 → 9.3.616

package/src/access-http.ts

@@ -1094,12 +1094,20 @@ export class EngramAccessHttpServer {
         entityRef: body.entityRef,
         ttl: body.ttl,
         sourceReason: body.sourceReason,
+        cwd: body.cwd,
+        projectTag: body.projectTag,
       };
-      const idempotencyStatus = await this.service.peekMemoryStoreIdempotency(request);
-      if (idempotencyStatus === "miss" && request.dryRun !== true) {
-        this.ensureWriteRateLimitAvailable();
-      }
-      const response = await this.service.memoryStore(request);
+      // Rate-limit enforcement is SOLELY authoritative inside memoryStore via
+      // enforceWriteQuota: it runs atomically with the real idempotency-miss
+      // determination (and the real resolved namespace), and is never invoked
+      // for a replay. We deliberately do NOT pre-check here: the write namespace
+      // is resolved from mutable session/git context, so a stale peek could
+      // report "miss" for a request that is actually an idempotent replay in the
+      // now-scoped namespace and hard-reject a safe replay with 429 (#1434 Codex
+      // review). Letting the in-lock hook be the only hard gate avoids that.
+      const response = await this.service.memoryStore(request, {
+        enforceWriteQuota: () => this.ensureWriteRateLimitAvailable(),
+      });
       if (this.shouldCountWriteRateLimit(response as { dryRun?: boolean; idempotencyReplay?: boolean })) {
         this.recordWriteRateLimitHit();
       }
@@ -1123,12 +1131,15 @@ export class EngramAccessHttpServer {
         entityRef: body.entityRef,
         ttl: body.ttl,
         sourceReason: body.sourceReason,
+        cwd: body.cwd,
+        projectTag: body.projectTag,
       };
-      const idempotencyStatus = await this.service.peekSuggestionSubmitIdempotency(request);
-      if (idempotencyStatus === "miss" && request.dryRun !== true) {
-        this.ensureWriteRateLimitAvailable();
-      }
-      const response = await this.service.suggestionSubmit(request);
+      // Quota enforcement is solely authoritative inside suggestionSubmit
+      // (enforceWriteQuota), atomic with the real miss and never on a replay; no
+      // HTTP pre-check, so a stale peek can't 429 a safe replay (#1434 Codex review).
+      const response = await this.service.suggestionSubmit(request, {
+        enforceWriteQuota: () => this.ensureWriteRateLimitAvailable(),
+      });
       if (this.shouldCountWriteRateLimit(response as { dryRun?: boolean; idempotencyReplay?: boolean })) {
         this.recordWriteRateLimitHit();
       }

package/src/access-mcp.test.ts

@@ -262,6 +262,115 @@ test("MCP memory write tools reject malformed arguments before dispatch", async
   }
 });
 
+test("MCP write tools accept and forward client-injected cwd/projectTag (#1434)", async () => {
+  for (const toolName of ["engram.memory_store", "engram.suggestion_submit"]) {
+    let received: Record<string, unknown> | undefined;
+    const service = {
+      ...makeMockService(),
+      memoryStore: async (args: Record<string, unknown>) => {
+        received = args;
+        return {
+          schemaVersion: 1,
+          operation: "memory_store",
+          namespace: "default",
+          dryRun: true,
+          accepted: true,
+          queued: false,
+          status: "validated",
+        };
+      },
+      suggestionSubmit: async (args: Record<string, unknown>) => {
+        received = args;
+        return {
+          schemaVersion: 1,
+          operation: "suggestion_submit",
+          namespace: "default",
+          dryRun: true,
+          accepted: true,
+          queued: false,
+          status: "validated",
+        };
+      },
+    } as unknown as EngramAccessService;
+    const server = new EngramMcpServer(service);
+
+    const response = await server.handleRequest(
+      makeToolRequest(toolName, {
+        content: "valid durable content",
+        category: "fact",
+        dryRun: true,
+        cwd: "/home/dev/project-x",
+        projectTag: "Blend/Supply",
+      }),
+    );
+    const result = (response as Record<string, unknown> & {
+      result?: { isError?: boolean };
+    }).result;
+
+    assert.equal(result?.isError, false, `${toolName} should accept cwd/projectTag`);
+    assert.equal(received?.cwd, "/home/dev/project-x", `${toolName} must forward cwd`);
+    assert.equal(received?.projectTag, "Blend/Supply", `${toolName} must forward projectTag`);
+  }
+});
+
+test("MCP write tools still reject genuinely-unknown keys after the cwd fix (#1434)", async () => {
+  let dispatched = false;
+  const service = {
+    ...makeMockService(),
+    memoryStore: async () => {
+      dispatched = true;
+      return {
+        schemaVersion: 1,
+        operation: "memory_store",
+        namespace: "default",
+        dryRun: true,
+        accepted: true,
+        queued: false,
+        status: "validated",
+      };
+    },
+  } as unknown as EngramAccessService;
+  const server = new EngramMcpServer(service);
+  const response = await server.handleRequest(
+    makeToolRequest("engram.memory_store", {
+      content: "valid durable content",
+      category: "fact",
+      dryRun: true,
+      cwd: "/ok",
+      bogusField: "must still be rejected",
+    }),
+  );
+  const result = (response as Record<string, unknown> & {
+    result?: { isError?: boolean; content?: Array<{ text?: string }> };
+  }).result;
+  assert.equal(result?.isError, true, "unknown keys must still be rejected");
+  assert.equal(dispatched, false, "malformed write must not dispatch");
+});
+
+test("MCP capsule tools tolerate client-injected cwd/projectTag (#1434)", async () => {
+  for (const toolName of [
+    "engram.capsule_list",
+    "engram.capsule_export",
+    "engram.capsule_import",
+  ]) {
+    const service = {
+      ...makeMockService(),
+      capsuleList: async () => ({ capsules: [] }),
+      capsuleExport: async () => ({ exported: true }),
+      capsuleImport: async () => ({ imported: true }),
+    } as unknown as EngramAccessService;
+    const server = new EngramMcpServer(service);
+    const args: Record<string, unknown> = { cwd: "/x", projectTag: "t" };
+    if (toolName === "engram.capsule_export") args.name = "cap-1";
+    if (toolName === "engram.capsule_import") args.archivePath = "/tmp/a.capsule.json.gz";
+    const response = await server.handleRequest(makeToolRequest(toolName, args));
+    const result = (response as Record<string, unknown> & {
+      result?: { isError?: boolean };
+    }).result;
+    assert.equal(result?.isError, false, `${toolName} should tolerate cwd/projectTag`);
+  }
+});
+
 test("MCP session override is injected only into tools that accept sessionKey", async () => {
   let capsuleListArgs: Record<string, unknown> | undefined;
   let observeArgs: Record<string, unknown> | undefined;

package/src/access-mcp.ts

@@ -115,6 +115,8 @@ const STRICT_MCP_SCHEMA_KEYS: Partial<Record<SchemaName, readonly string[]>> = {
     "entityRef",
     "ttl",
     "sourceReason",
+    "cwd",
+    "projectTag",
   ],
   suggestionSubmit: [
     "schemaVersion",
@@ -129,6 +131,8 @@ const STRICT_MCP_SCHEMA_KEYS: Partial<Record<SchemaName, readonly string[]>> = {
     "entityRef",
     "ttl",
     "sourceReason",
+    "cwd",
+    "projectTag",
   ],
   capsuleExport: [
     "name",
@@ -138,9 +142,40 @@ const STRICT_MCP_SCHEMA_KEYS: Partial<Record<SchemaName, readonly string[]>> = {
     "peerIds",
     "includeTranscripts",
     "encrypt",
+    "cwd",
+    "projectTag",
   ],
-  capsuleImport: ["archivePath", "namespace", "mode", "passphrase"],
-  capsuleList: ["namespace"],
+  capsuleImport: ["archivePath", "namespace", "mode", "passphrase", "cwd", "projectTag"],
+  capsuleList: ["namespace", "cwd", "projectTag"],
+};
+
+// Shared JSON-schema fragments for the client-injected git/project context
+// fields (#1434). Declared once to avoid drift across tool definitions.
+// `_SCOPED` is for write tools that resolve a project namespace from these
+// fields; `_IGNORED` is for tools that merely tolerate them for MCP client
+// compatibility (clients like Pi MCPorter auto-inject `cwd` on every call).
+const MCP_GIT_CONTEXT_SCHEMA_PROPS_SCOPED: Record<string, unknown> = {
+  cwd: {
+    type: "string",
+    description:
+      "Optional working directory. When no explicit namespace is given, resolves the project namespace this write is stored in (mirrors recall/observe).",
+  },
+  projectTag: {
+    type: "string",
+    description:
+      "Optional project tag for non-git project scoping. When no explicit namespace is given, routes this write to the tagged project namespace.",
+  },
+};
+const MCP_GIT_CONTEXT_SCHEMA_PROPS_IGNORED: Record<string, unknown> = {
+  cwd: {
+    type: "string",
+    description:
+      "Accepted for MCP client compatibility (git-context auto-injection); ignored by this tool.",
+  },
+  projectTag: {
+    type: "string",
+    description: "Accepted for MCP client compatibility; ignored by this tool.",
+  },
 };
 
 function parseMcpRequest<N extends SchemaName>(
@@ -614,6 +649,7 @@ export class EngramMcpServer {
             },
             includeTranscripts: { type: "boolean" },
             encrypt: { type: "boolean" },
+            ...MCP_GIT_CONTEXT_SCHEMA_PROPS_IGNORED,
           },
           required: ["name"],
           additionalProperties: false,
@@ -639,6 +675,7 @@ export class EngramMcpServer {
               type: "string",
               description: "Passphrase for encrypted capsule archives.",
             },
+            ...MCP_GIT_CONTEXT_SCHEMA_PROPS_IGNORED,
           },
           required: ["archivePath"],
           additionalProperties: false,
@@ -651,6 +688,7 @@ export class EngramMcpServer {
           type: "object",
           properties: {
             namespace: { type: "string" },
+            ...MCP_GIT_CONTEXT_SCHEMA_PROPS_IGNORED,
           },
           additionalProperties: false,
         },
@@ -755,6 +793,7 @@ export class EngramMcpServer {
             entityRef: { type: "string" },
             ttl: { type: "string" },
             sourceReason: { type: "string" },
+            ...MCP_GIT_CONTEXT_SCHEMA_PROPS_SCOPED,
           },
           required: ["content"],
           additionalProperties: false,
@@ -778,6 +817,7 @@ export class EngramMcpServer {
             entityRef: { type: "string" },
             ttl: { type: "string" },
             sourceReason: { type: "string" },
+            ...MCP_GIT_CONTEXT_SCHEMA_PROPS_SCOPED,
           },
           required: ["content"],
           additionalProperties: false,
@@ -2502,6 +2542,8 @@ export class EngramMcpServer {
           entityRef: body.entityRef,
           ttl: body.ttl,
           sourceReason: body.sourceReason,
+          cwd: body.cwd,
+          projectTag: body.projectTag,
         });
       }
       case "engram.suggestion_submit": {
@@ -2520,6 +2562,8 @@ export class EngramMcpServer {
           entityRef: body.entityRef,
           ttl: body.ttl,
           sourceReason: body.sourceReason,
+          cwd: body.cwd,
+          projectTag: body.projectTag,
         });
       }
       case "engram.entity_get":

package/src/access-schema.ts

@@ -243,6 +243,17 @@ export const memoryStoreRequestSchema = z.object({
   entityRef: entityRefSchema,
   ttl: ttlSchema,
   sourceReason: sourceReasonSchema,
+  // Git/project context for project-scoped writes (#1434). When no explicit
+  // `namespace` is given, these route the write to the same project namespace
+  // recall/observe resolve from `cwd`/`projectTag` (issue #569, rule 42). Also
+  // lets MCP clients that auto-inject `cwd` (e.g. Pi MCPorter) call write tools.
+  cwd: z.string().trim().min(1, "cwd must be non-empty when provided").max(2048).optional(),
+  projectTag: z
+    .string()
+    .trim()
+    .min(1, "projectTag must be non-empty when provided")
+    .max(256)
+    .optional(),
 });
 
 export const suggestionSubmitRequestSchema = memoryStoreRequestSchema;