@simonfestl/husky-cli 1.9.2 → 1.10.0

package/dist/commands/auth.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare const authCommand: Command;

package/dist/commands/auth.js

@@ -0,0 +1,262 @@
+import { Command } from "commander";
+import { getConfig } from "./config.js";
+import { getPermissions, clearPermissionsCache, getCacheStatus, hasPermission, canAccessKnowledgeBase } from "../lib/permissions-cache.js";
+const API_KEY_ROLES = [
+    "admin", "supervisor", "worker", "reviewer", "support",
+    "purchasing", "ops", "e2e_agent", "pr_agent"
+];
+async function apiRequest(path, options = {}) {
+    const config = getConfig();
+    if (!config.apiUrl || !config.apiKey) {
+        throw new Error("API not configured. Run: husky config set api-url <url> && husky config set api-key <key>");
+    }
+    const url = new URL(path, config.apiUrl);
+    const res = await fetch(url.toString(), {
+        method: options.method || "GET",
+        headers: {
+            "x-api-key": config.apiKey,
+            "Content-Type": "application/json",
+        },
+        body: options.body ? JSON.stringify(options.body) : undefined,
+    });
+    if (!res.ok) {
+        const error = await res.json().catch(() => ({ error: res.statusText }));
+        throw new Error(error.message || error.error || `HTTP ${res.status}`);
+    }
+    return res.json();
+}
+export const authCommand = new Command("auth")
+    .description("Manage API keys and authentication");
+authCommand
+    .command("keys")
+    .description("List all API keys")
+    .option("--include-revoked", "Include revoked keys")
+    .option("--json", "Output as JSON")
+    .action(async (options) => {
+    try {
+        const query = options.includeRevoked ? "?includeRevoked=true" : "";
+        const data = await apiRequest(`/api/auth/keys${query}`);
+        if (options.json) {
+            console.log(JSON.stringify(data.keys, null, 2));
+            return;
+        }
+        if (data.keys.length === 0) {
+            console.log("No API keys found.");
+            return;
+        }
+        console.log("\nAPI Keys:");
+        console.log("─".repeat(80));
+        for (const key of data.keys) {
+            const status = key.revoked ? "🔴 REVOKED" : "🟢 ACTIVE";
+            const expires = key.expiresAt ? new Date(key.expiresAt).toLocaleDateString() : "Never";
+            const lastUsed = key.lastUsedAt ? new Date(key.lastUsedAt).toLocaleDateString() : "Never";
+            console.log(`${status} ${key.keyPrefix}...  ${key.name}`);
+            console.log(`   Role: ${key.role}  |  Expires: ${expires}  |  Last used: ${lastUsed}`);
+            console.log(`   ID: ${key.id}`);
+            console.log("");
+        }
+    }
+    catch (error) {
+        console.error(`Error: ${error instanceof Error ? error.message : "Unknown error"}`);
+        process.exit(1);
+    }
+});
+authCommand
+    .command("create-key")
+    .description("Create a new API key")
+    .requiredOption("--name <name>", "Human-readable name for the key")
+    .requiredOption("--role <role>", `Role: ${API_KEY_ROLES.join(", ")}`)
+    .option("--scopes <scopes>", "Comma-separated additional scopes")
+    .option("--expires-in-days <days>", "Expiration in days (1-365)")
+    .option("--json", "Output as JSON")
+    .action(async (options) => {
+    try {
+        if (!API_KEY_ROLES.includes(options.role)) {
+            console.error(`Invalid role: ${options.role}`);
+            console.error(`Valid roles: ${API_KEY_ROLES.join(", ")}`);
+            process.exit(1);
+        }
+        const body = {
+            name: options.name,
+            role: options.role,
+        };
+        if (options.scopes) {
+            body.scopes = options.scopes.split(",").map((s) => s.trim());
+        }
+        if (options.expiresInDays) {
+            const days = parseInt(options.expiresInDays, 10);
+            if (isNaN(days) || days < 1 || days > 365) {
+                console.error("--expires-in-days must be between 1 and 365");
+                process.exit(1);
+            }
+            body.expiresInDays = days;
+        }
+        const result = await apiRequest("/api/auth/keys", {
+            method: "POST",
+            body,
+        });
+        if (options.json) {
+            console.log(JSON.stringify(result, null, 2));
+            return;
+        }
+        console.log("\n✅ API Key Created Successfully");
+        console.log("─".repeat(60));
+        console.log(`Name:      ${result.name}`);
+        console.log(`Role:      ${result.role}`);
+        console.log(`Key ID:    ${result.id}`);
+        console.log(`Prefix:    ${result.keyPrefix}`);
+        if (result.expiresAt) {
+            console.log(`Expires:   ${new Date(result.expiresAt).toLocaleDateString()}`);
+        }
+        console.log("");
+        console.log("🔑 API KEY (store securely - shown only once):");
+        console.log("");
+        console.log(`   ${result.plainTextKey}`);
+        console.log("");
+        console.log("⚠️  " + result.warning);
+    }
+    catch (error) {
+        console.error(`Error: ${error instanceof Error ? error.message : "Unknown error"}`);
+        process.exit(1);
+    }
+});
+authCommand
+    .command("revoke-key <id>")
+    .description("Revoke an API key")
+    .option("--json", "Output as JSON")
+    .action(async (id, options) => {
+    try {
+        const result = await apiRequest(`/api/auth/keys/${id}`, { method: "DELETE" });
+        if (options.json) {
+            console.log(JSON.stringify(result, null, 2));
+            return;
+        }
+        console.log(`\n✅ API Key Revoked: ${result.keyPrefix}...`);
+        console.log(`   Revoked at: ${new Date(result.revokedAt).toLocaleString()}`);
+    }
+    catch (error) {
+        console.error(`Error: ${error instanceof Error ? error.message : "Unknown error"}`);
+        process.exit(1);
+    }
+});
+authCommand
+    .command("whoami")
+    .description("Show current authentication info")
+    .option("--json", "Output as JSON")
+    .action(async (options) => {
+    try {
+        const data = await apiRequest("/api/auth/whoami");
+        if (options.json) {
+            console.log(JSON.stringify(data, null, 2));
+            return;
+        }
+        console.log("\n🔐 Authentication Info");
+        console.log("─".repeat(40));
+        console.log(`Role:       ${data.role}`);
+        console.log(`Key ID:     ${data.keyId}`);
+        console.log(`Source:     ${data.source}`);
+        if (data.scopes && data.scopes.length > 0) {
+            console.log(`Scopes:     ${data.scopes.join(", ")}`);
+        }
+        console.log("");
+        console.log("Permissions:");
+        for (const perm of data.permissions) {
+            console.log(`  • ${perm}`);
+        }
+    }
+    catch (error) {
+        console.error(`Error: ${error instanceof Error ? error.message : "Unknown error"}`);
+        process.exit(1);
+    }
+});
+authCommand
+    .command("permissions")
+    .description("Show cached permissions (5-min cache)")
+    .option("--refresh", "Force refresh from API")
+    .option("--json", "Output as JSON")
+    .action(async (options) => {
+    try {
+        if (options.refresh) {
+            clearPermissionsCache();
+        }
+        const perms = await getPermissions();
+        const cacheStatus = getCacheStatus();
+        if (options.json) {
+            console.log(JSON.stringify({
+                ...perms,
+                cache: cacheStatus,
+            }, null, 2));
+            return;
+        }
+        const cacheAge = cacheStatus.age ? Math.round(cacheStatus.age / 1000) : 0;
+        const expiresIn = cacheStatus.expiresIn ? Math.round(cacheStatus.expiresIn / 1000) : 0;
+        console.log("\n🔑 Cached Permissions");
+        console.log("─".repeat(50));
+        console.log(`Role:         ${perms.role}`);
+        console.log(`Cache age:    ${cacheAge}s (expires in ${expiresIn}s)`);
+        console.log("");
+        console.log("Permissions:");
+        for (const perm of perms.permissions) {
+            console.log(`  • ${perm}`);
+        }
+        if (perms.knowledgeBases.length > 0) {
+            console.log("");
+            console.log("Knowledge Bases:");
+            for (const kb of perms.knowledgeBases) {
+                console.log(`  • ${kb}`);
+            }
+        }
+    }
+    catch (error) {
+        console.error(`Error: ${error instanceof Error ? error.message : "Unknown error"}`);
+        process.exit(1);
+    }
+});
+authCommand
+    .command("can <permission>")
+    .description("Check if current key has a specific permission")
+    .option("--json", "Output as JSON")
+    .action(async (permission, options) => {
+    try {
+        const allowed = await hasPermission(permission);
+        if (options.json) {
+            console.log(JSON.stringify({ permission, allowed }));
+            return;
+        }
+        if (allowed) {
+            console.log(`✅ Permission granted: ${permission}`);
+        }
+        else {
+            console.log(`❌ Permission denied: ${permission}`);
+            process.exit(1);
+        }
+    }
+    catch (error) {
+        console.error(`Error: ${error instanceof Error ? error.message : "Unknown error"}`);
+        process.exit(1);
+    }
+});
+authCommand
+    .command("can-access-kb <kb>")
+    .description("Check if current key can access a knowledge base")
+    .option("--json", "Output as JSON")
+    .action(async (kb, options) => {
+    try {
+        const allowed = await canAccessKnowledgeBase(kb);
+        if (options.json) {
+            console.log(JSON.stringify({ knowledgeBase: kb, allowed }));
+            return;
+        }
+        if (allowed) {
+            console.log(`✅ Access granted to KB: ${kb}`);
+        }
+        else {
+            console.log(`❌ Access denied to KB: ${kb}`);
+            process.exit(1);
+        }
+    }
+    catch (error) {
+        console.error(`Error: ${error instanceof Error ? error.message : "Unknown error"}`);
+        process.exit(1);
+    }
+});

package/dist/commands/brain.js

@@ -1,11 +1,32 @@
 import { Command } from "commander";
-import { AgentBrain, AGENT_TYPES, isValidAgentType } from "../lib/biz/agent-brain.js";
+import { AgentBrain, AGENT_TYPES, isValidAgentType, KNOWLEDGE_BASES, isValidKnowledgeBase, KnowledgeBaseBrain, getAccessibleKnowledgeBases, getAgentType } from "../lib/biz/agent-brain.js";
 import { generateSOP, formatSOPAsMarkdown } from "../lib/biz/sop-generator.js";
+import { ApiBrain, shouldUseApi } from "../lib/biz/api-brain.js";
 const DEFAULT_AGENT = process.env.HUSKY_AGENT_ID || 'default';
-function createBrain(agentId, agentType) {
+function toDate(value) {
+    return value instanceof Date ? value : new Date(value);
+}
+function createBrain(agentId, agentType, options) {
+    if (options?.useApi || (shouldUseApi() && options?.kb)) {
+        return new ApiBrain({
+            agentId,
+            agentType: isValidAgentType(agentType) ? agentType : undefined,
+            knowledgeBase: options?.kb,
+        });
+    }
     const validAgentType = isValidAgentType(agentType) ? agentType : undefined;
     return new AgentBrain({ agentId, agentType: validAgentType });
 }
+function createKBBrain(kb, agentType, agentId = DEFAULT_AGENT) {
+    const resolvedAgentType = isValidAgentType(agentType) ? agentType : getAgentType();
+    if (!resolvedAgentType) {
+        throw new Error(`Agent type required for knowledge base access. Set HUSKY_AGENT_TYPE or use --agent-type`);
+    }
+    if (!isValidKnowledgeBase(kb)) {
+        throw new Error(`Invalid knowledge base '${kb}'. Available: ${KNOWLEDGE_BASES.join(', ')}`);
+    }
+    return new KnowledgeBaseBrain(resolvedAgentType, kb, agentId);
+}
 export const brainCommand = new Command("brain")
     .description("Agent memory and knowledge management");
 brainCommand
@@ -14,13 +35,27 @@ brainCommand
     .option("-a, --agent <id>", "Agent ID", DEFAULT_AGENT)
     .option("-t, --tags <tags>", "Comma-separated tags")
     .option("--agent-type <type>", `Agent type for database selection (${AGENT_TYPES.join(", ")})`)
+    .option("--kb <name>", `Knowledge base to use (${KNOWLEDGE_BASES.join(", ")})`)
     .option("--visibility <level>", "Visibility level (private, team, public)", "private")
     .option("--allow-pii", "Skip PII filtering (use only for technical/internal content)")
     .option("--json", "Output as JSON")
     .action(async (content, options) => {
     try {
-        const brain = createBrain(options.agent, options.agentType);
         const tags = options.tags ? options.tags.split(",").map((t) => t.trim()) : [];
+        if (options.kb) {
+            const kbBrain = createKBBrain(options.kb, options.agentType, options.agent);
+            const info = kbBrain.getInfo();
+            console.log(`  Storing in knowledge base: ${info.knowledgeBase} (${info.collectionName})...`);
+            const id = await kbBrain.remember(content, tags);
+            if (options.json) {
+                console.log(JSON.stringify({ success: true, id, knowledgeBase: info.knowledgeBase, collection: info.collectionName }));
+            }
+            else {
+                console.log(`  ✓ Stored in ${info.knowledgeBase}: ${id}`);
+            }
+            return;
+        }
+        const brain = createBrain(options.agent, options.agentType);
         const visibility = options.visibility;
         const dbInfo = brain.getDatabaseInfo();
         if (!["private", "team", "public"].includes(visibility)) {
@@ -48,19 +83,39 @@ brainCommand
     .option("-l, --limit <num>", "Max results", "5")
     .option("-m, --min-score <score>", "Minimum similarity score (0-1)", "0.5")
     .option("--agent-type <type>", `Agent type for database selection (${AGENT_TYPES.join(", ")})`)
+    .option("--kb <name>", `Knowledge base to search (${KNOWLEDGE_BASES.join(", ")})`)
     .option("--shared", "Search shared memories from other agents")
     .option("--public-only", "Search only public memories (requires --shared)")
     .option("--json", "Output as JSON")
     .action(async (query, options) => {
     try {
+        if (options.kb) {
+            const kbBrain = createKBBrain(options.kb, options.agentType, options.agent);
+            const info = kbBrain.getInfo();
+            console.log(`  Searching knowledge base: ${info.knowledgeBase}...`);
+            const results = await kbBrain.recall(query, parseInt(options.limit, 10), parseFloat(options.minScore));
+            if (options.json) {
+                console.log(JSON.stringify({ success: true, query, knowledgeBase: info.knowledgeBase, results }));
+                return;
+            }
+            console.log(`\n  📚 Knowledge Base: ${info.knowledgeBase} (${results.length} found)\n`);
+            if (results.length === 0) {
+                console.log(`  No results found.`);
+                return;
+            }
+            for (const r of results) {
+                const tags = r.memory.tags.length > 0 ? ` [${r.memory.tags.join(", ")}]` : "";
+                console.log(`  [${(r.score * 100).toFixed(1)}%] ${r.memory.content.slice(0, 80)}${tags}`);
+            }
+            console.log("");
+            return;
+        }
         const brain = createBrain(options.agent, options.agentType);
         let results;
         if (options.shared) {
-            // Search shared memories
             results = await brain.recallShared(query, parseInt(options.limit, 10), parseFloat(options.minScore), options.publicOnly);
         }
         else {
-            // Search personal memories
             const dbInfo = brain.getDatabaseInfo();
             console.log(`  Searching memories for: "${query}" (db: ${dbInfo.databaseName})...`);
             results = await brain.recall(query, parseInt(options.limit, 10), parseFloat(options.minScore));
@@ -111,7 +166,7 @@ brainCommand
             return;
         }
         for (const m of memories) {
-            const date = m.createdAt.toLocaleDateString("de-DE");
+            const date = toDate(m.createdAt).toLocaleDateString("de-DE");
             const tags = m.tags.length > 0 ? ` [${m.tags.join(", ")}]` : "";
             console.log(`  ${date} │ ${m.content.slice(0, 60)}...${tags}`);
         }
@@ -398,7 +453,7 @@ brainCommand
         if (toArchive.length > 0) {
             console.log(`\n  Memories:`);
             for (const m of toArchive.slice(0, 10)) {
-                const age = Math.floor((Date.now() - m.createdAt.getTime()) / (1000 * 60 * 60 * 24));
+                const age = Math.floor((Date.now() - toDate(m.createdAt).getTime()) / (1000 * 60 * 60 * 24));
                 console.log(`    ${m.id.slice(0, 8)} │ ${m.content.slice(0, 50)}... (${age}d old, Q: ${m.qualityScore?.toFixed(2)})`);
             }
             if (toArchive.length > 10) {
@@ -483,4 +538,72 @@ brainCommand
         process.exit(1);
     }
 });
+// ============================================================================
+// Knowledge Base Commands
+// ============================================================================
+brainCommand
+    .command("kb-list")
+    .description("List available knowledge bases and your access")
+    .option("--agent-type <type>", `Agent type (${AGENT_TYPES.join(", ")})`)
+    .option("--json", "Output as JSON")
+    .action(async (options) => {
+    try {
+        const agentType = isValidAgentType(options.agentType) ? options.agentType : getAgentType();
+        const accessible = agentType ? getAccessibleKnowledgeBases(agentType) : [];
+        if (options.json) {
+            console.log(JSON.stringify({
+                agentType: agentType || null,
+                knowledgeBases: KNOWLEDGE_BASES,
+                accessible,
+            }));
+            return;
+        }
+        console.log(`\n  📚 Knowledge Bases`);
+        console.log(`  ────────────────────────────────`);
+        console.log(`  Your role: ${agentType || '(not set)'}\n`);
+        for (const kb of KNOWLEDGE_BASES) {
+            const hasAccess = accessible.includes(kb);
+            const icon = hasAccess ? '✓' : '✗';
+            const color = hasAccess ? '' : ' (no access)';
+            console.log(`  ${icon} ${kb}${color}`);
+        }
+        console.log("");
+    }
+    catch (error) {
+        console.error("Error:", error.message);
+        process.exit(1);
+    }
+});
+brainCommand
+    .command("kb-stats <kb>")
+    .description("Show statistics for a knowledge base")
+    .option("--agent-type <type>", `Agent type (${AGENT_TYPES.join(", ")})`)
+    .option("--json", "Output as JSON")
+    .action(async (kb, options) => {
+    try {
+        const kbBrain = createKBBrain(kb, options.agentType);
+        const info = kbBrain.getInfo();
+        const stats = await kbBrain.stats();
+        if (options.json) {
+            console.log(JSON.stringify({ success: true, ...info, ...stats }));
+            return;
+        }
+        console.log(`\n  📚 Knowledge Base: ${info.knowledgeBase}`);
+        console.log(`  ────────────────────────────────`);
+        console.log(`  Collection: ${info.collectionName}`);
+        console.log(`  Total entries: ${stats.count}`);
+        if (Object.keys(stats.tags).length > 0) {
+            console.log(`\n  Tags:`);
+            const sortedTags = Object.entries(stats.tags).sort((a, b) => b[1] - a[1]);
+            for (const [tag, count] of sortedTags.slice(0, 10)) {
+                console.log(`    ${tag}: ${count}`);
+            }
+        }
+        console.log("");
+    }
+    catch (error) {
+        console.error("Error:", error.message);
+        process.exit(1);
+    }
+});
 export default brainCommand;

package/dist/lib/biz/agent-brain.d.ts

@@ -1,5 +1,11 @@
-export declare const AGENT_TYPES: readonly ["support", "claude", "gotess", "supervisor", "worker", "reviewer", "e2e_agent", "pr_agent"];
+export declare const AGENT_TYPES: readonly ["admin", "supervisor", "support", "worker", "reviewer", "e2e_agent", "pr_agent", "purchasing", "ops"];
 export type AgentType = typeof AGENT_TYPES[number];
+export declare const KNOWLEDGE_BASES: readonly ["secondbrain", "supplier-products", "customer-insights", "process-sops"];
+export type KnowledgeBase = typeof KNOWLEDGE_BASES[number];
+export declare const ROLE_KB_ACCESS: Record<AgentType, readonly KnowledgeBase[]>;
+export declare function isValidKnowledgeBase(value: string | undefined): value is KnowledgeBase;
+export declare function canAccessKnowledgeBase(agentType: AgentType | undefined, kb: KnowledgeBase): boolean;
+export declare function getAccessibleKnowledgeBases(agentType: AgentType | undefined): readonly KnowledgeBase[];
 export type MemoryVisibility = 'private' | 'team' | 'public';
 export interface Memory {
     id: string;
@@ -30,6 +36,7 @@ export interface AgentBrainOptions {
     agentId: string;
     agentType?: AgentType;
     projectId?: string;
+    collectionName?: string;
 }
 export declare function isValidAgentType(value: string | undefined): value is AgentType;
 export declare function getAgentType(): AgentType | undefined;
@@ -38,6 +45,7 @@ export declare class AgentBrain {
     private embeddings;
     private agentId;
     private agentType?;
+    private collectionNameOverride?;
     constructor(agentIdOrOptions: string | AgentBrainOptions, projectId?: string);
     getDatabaseInfo(): {
         agentType?: AgentType;
@@ -106,4 +114,24 @@ export declare class AgentBrain {
      */
     purge(retentionDays?: number): Promise<number>;
 }
+export declare class KnowledgeBaseBrain {
+    private brain;
+    private kb;
+    private agentType;
+    constructor(agentType: AgentType, kb: KnowledgeBase, agentId?: string);
+    getCollectionName(): string;
+    remember(content: string, tags?: string[], metadata?: Record<string, unknown>): Promise<string>;
+    recall(query: string, limit?: number, minScore?: number): Promise<RecallResult[]>;
+    list(limit?: number): Promise<Memory[]>;
+    forget(memoryId: string): Promise<void>;
+    stats(): Promise<{
+        count: number;
+        tags: Record<string, number>;
+    }>;
+    getInfo(): {
+        agentType: AgentType;
+        knowledgeBase: KnowledgeBase;
+        collectionName: string;
+    };
+}
 export default AgentBrain;

package/dist/lib/biz/agent-brain.js

@@ -5,7 +5,32 @@ import { randomUUID } from 'crypto';
 import { sanitizeForEmbedding } from './pii-filter.js';
 const DEFAULT_COLLECTION = 'agent-memories';
 const VECTOR_SIZE = 768;
-export const AGENT_TYPES = ['support', 'claude', 'gotess', 'supervisor', 'worker', 'reviewer', 'e2e_agent', 'pr_agent'];
+export const AGENT_TYPES = ['admin', 'supervisor', 'support', 'worker', 'reviewer', 'e2e_agent', 'pr_agent', 'purchasing', 'ops'];
+export const KNOWLEDGE_BASES = ['secondbrain', 'supplier-products', 'customer-insights', 'process-sops'];
+export const ROLE_KB_ACCESS = {
+    admin: ['secondbrain', 'supplier-products', 'customer-insights', 'process-sops'],
+    supervisor: ['secondbrain', 'supplier-products', 'customer-insights', 'process-sops'],
+    support: ['customer-insights', 'supplier-products', 'process-sops'],
+    purchasing: ['supplier-products', 'process-sops'],
+    ops: ['supplier-products', 'process-sops'],
+    worker: [],
+    reviewer: [],
+    e2e_agent: [],
+    pr_agent: [],
+};
+export function isValidKnowledgeBase(value) {
+    return value !== undefined && KNOWLEDGE_BASES.includes(value);
+}
+export function canAccessKnowledgeBase(agentType, kb) {
+    if (!agentType)
+        return false;
+    return ROLE_KB_ACCESS[agentType]?.includes(kb) ?? false;
+}
+export function getAccessibleKnowledgeBases(agentType) {
+    if (!agentType)
+        return [];
+    return ROLE_KB_ACCESS[agentType] ?? [];
+}
 export function isValidAgentType(value) {
     return value !== undefined && AGENT_TYPES.includes(value);
 }
@@ -26,6 +51,7 @@ export class AgentBrain {
     embeddings;
     agentId;
     agentType;
+    collectionNameOverride;
     constructor(agentIdOrOptions, projectId) {
         let options;
         if (typeof agentIdOrOptions === 'string') {
@@ -37,6 +63,7 @@ export class AgentBrain {
         const config = getConfig();
         this.agentId = options.agentId;
         this.agentType = options.agentType || getAgentType();
+        this.collectionNameOverride = options.collectionName;
         this.qdrant = QdrantClient.fromConfig();
         const gcpProject = options.projectId || config.gcpProjectId || process.env.GOOGLE_CLOUD_PROJECT || 'tigerv0';
         this.embeddings = new EmbeddingService({
@@ -53,6 +80,8 @@ export class AgentBrain {
         };
     }
     getCollectionName() {
+        if (this.collectionNameOverride)
+            return this.collectionNameOverride;
         if (!this.agentType)
             return DEFAULT_COLLECTION;
         return `${this.agentType}-memories`;
@@ -516,4 +545,46 @@ export class AgentBrain {
         return toPurge.length;
     }
 }
+export class KnowledgeBaseBrain {
+    brain;
+    kb;
+    agentType;
+    constructor(agentType, kb, agentId = 'default') {
+        if (!canAccessKnowledgeBase(agentType, kb)) {
+            throw new Error(`Access denied to knowledge base '${kb}'`);
+        }
+        this.agentType = agentType;
+        this.kb = kb;
+        this.brain = new AgentBrain({
+            agentId,
+            agentType,
+            collectionName: `${kb}-kb`
+        });
+    }
+    getCollectionName() {
+        return `${this.kb}-kb`;
+    }
+    async remember(content, tags = [], metadata) {
+        return this.brain.remember(content, tags, { ...metadata, knowledgeBase: this.kb, sourceAgent: this.agentType }, 'team', false);
+    }
+    async recall(query, limit = 5, minScore = 0.5) {
+        return this.brain.recall(query, limit, minScore);
+    }
+    async list(limit = 20) {
+        return this.brain.listMemories(limit);
+    }
+    async forget(memoryId) {
+        return this.brain.forget(memoryId);
+    }
+    async stats() {
+        return this.brain.stats();
+    }
+    getInfo() {
+        return {
+            agentType: this.agentType,
+            knowledgeBase: this.kb,
+            collectionName: this.getCollectionName(),
+        };
+    }
+}
 export default AgentBrain;

package/dist/lib/biz/api-brain.d.ts

@@ -0,0 +1,73 @@
+export interface Memory {
+    id: string;
+    agent: string;
+    agentType?: string;
+    content: string;
+    tags: string[];
+    createdAt: string;
+    updatedAt: string;
+    metadata?: Record<string, unknown>;
+    visibility?: string;
+    publishedBy?: string;
+    publishedAt?: string;
+    useCount?: number;
+    endorsements?: number;
+    recallCount?: number;
+    qualityScore?: number;
+    status?: string;
+}
+export interface RecallResult {
+    memory: Memory;
+    score: number;
+}
+export interface BrainStats {
+    count: number;
+    tags: Record<string, number>;
+}
+export declare class ApiBrain {
+    private agentId;
+    private agentType?;
+    private knowledgeBase?;
+    constructor(options: {
+        agentId: string;
+        agentType?: string;
+        knowledgeBase?: string;
+    });
+    private validateKbAccess;
+    remember(content: string, tags?: string[], metadata?: Record<string, unknown>, visibility?: string): Promise<string>;
+    recall(query: string, limit?: number, minScore?: number): Promise<RecallResult[]>;
+    list(limit?: number): Promise<Memory[]>;
+    forget(memoryId: string): Promise<void>;
+    stats(): Promise<BrainStats>;
+    tags(tagList: string[], limit?: number): Promise<Memory[]>;
+    publish(memoryId: string, visibility?: string): Promise<void>;
+    unpublish(memoryId: string): Promise<void>;
+    endorse(memoryId: string): Promise<void>;
+    getDatabaseInfo(): {
+        agentType?: string;
+        databaseName: string;
+        collectionName: string;
+    };
+    listMemories(limit?: number): Promise<Memory[]>;
+    recallByTags(tagList: string[], limit?: number): Promise<Memory[]>;
+    recallShared(query: string, limit?: number, minScore?: number, publicOnly?: boolean): Promise<RecallResult[]>;
+    listShared(limit?: number, publicOnly?: boolean): Promise<Memory[]>;
+    boost(_memoryId: string): Promise<void>;
+    downvote(_memoryId: string): Promise<void>;
+    getQuality(_memoryId: string): Promise<{
+        recallCount: number;
+        boostCount: number;
+        downvoteCount: number;
+        qualityScore: number;
+        status: string;
+    }>;
+    cleanup(_dryRun?: boolean, _threshold?: number, _minAgeDays?: number, _tags?: string[]): Promise<Memory[]>;
+    purge(_retentionDays?: number): Promise<number>;
+    static getInfo(): Promise<{
+        knowledgeBases: string[];
+        accessibleKnowledgeBases: string[];
+        role?: string;
+    }>;
+}
+export declare function shouldUseApi(): boolean;
+export default ApiBrain;

package/dist/lib/biz/api-brain.js

@@ -0,0 +1,196 @@
+import { getConfig } from "../../commands/config.js";
+import { canAccessKnowledgeBase as checkKbAccess } from "../permissions-cache.js";
+async function apiRequest(path, options = {}) {
+    const config = getConfig();
+    if (!config.apiUrl || !config.apiKey) {
+        throw new Error("API not configured. Run: husky config set api-url <url> && husky config set api-key <key>");
+    }
+    const url = new URL(`/api/brain${path}`, config.apiUrl);
+    const res = await fetch(url.toString(), {
+        method: options.method || "POST",
+        headers: {
+            "x-api-key": config.apiKey,
+            "Content-Type": "application/json",
+        },
+        body: options.body ? JSON.stringify(options.body) : undefined,
+    });
+    if (!res.ok) {
+        const error = await res.json().catch(() => ({ error: res.statusText }));
+        if (res.status === 403) {
+            throw new Error(`Access denied: ${error.error || 'Permission denied to this resource'}`);
+        }
+        throw new Error(error.message || error.error || `HTTP ${res.status}`);
+    }
+    return res.json();
+}
+export class ApiBrain {
+    agentId;
+    agentType;
+    knowledgeBase;
+    constructor(options) {
+        this.agentId = options.agentId;
+        this.agentType = options.agentType;
+        this.knowledgeBase = options.knowledgeBase;
+    }
+    async validateKbAccess() {
+        if (!this.knowledgeBase)
+            return;
+        const hasAccess = await checkKbAccess(this.knowledgeBase);
+        if (!hasAccess) {
+            throw new Error(`Access denied to knowledge base '${this.knowledgeBase}'. Check your role permissions.`);
+        }
+    }
+    async remember(content, tags = [], metadata, visibility = "private") {
+        await this.validateKbAccess();
+        const result = await apiRequest("/remember", {
+            body: {
+                content,
+                tags,
+                agentId: this.agentId,
+                agentType: this.agentType,
+                metadata,
+                visibility,
+                knowledgeBase: this.knowledgeBase,
+            },
+        });
+        return result.id;
+    }
+    async recall(query, limit = 5, minScore = 0.5) {
+        await this.validateKbAccess();
+        const result = await apiRequest("/recall", {
+            body: {
+                query,
+                limit,
+                minScore,
+                agentId: this.agentId,
+                agentType: this.agentType,
+                knowledgeBase: this.knowledgeBase,
+            },
+        });
+        return result.results;
+    }
+    async list(limit = 20) {
+        await this.validateKbAccess();
+        const result = await apiRequest("/list", {
+            body: {
+                limit,
+                agentId: this.agentId,
+                agentType: this.agentType,
+                knowledgeBase: this.knowledgeBase,
+            },
+        });
+        return result.memories;
+    }
+    async forget(memoryId) {
+        await apiRequest("/forget", {
+            body: {
+                memoryId,
+                knowledgeBase: this.knowledgeBase,
+            },
+        });
+    }
+    async stats() {
+        const result = await apiRequest("/stats", {
+            body: {
+                agentId: this.agentId,
+                agentType: this.agentType,
+                knowledgeBase: this.knowledgeBase,
+            },
+        });
+        return { count: result.count, tags: result.tags };
+    }
+    async tags(tagList, limit = 10) {
+        const result = await apiRequest("/tags", {
+            body: {
+                tags: tagList,
+                limit,
+                agentId: this.agentId,
+                agentType: this.agentType,
+                knowledgeBase: this.knowledgeBase,
+            },
+        });
+        return result.memories;
+    }
+    async publish(memoryId, visibility = "team") {
+        await apiRequest("/publish", {
+            body: { memoryId, visibility },
+        });
+    }
+    async unpublish(memoryId) {
+        await apiRequest("/unpublish", {
+            body: { memoryId },
+        });
+    }
+    async endorse(memoryId) {
+        await apiRequest("/endorse", {
+            body: { memoryId },
+        });
+    }
+    getDatabaseInfo() {
+        return {
+            agentType: this.agentType,
+            databaseName: `api:${this.knowledgeBase || 'agent-memories'}`,
+            collectionName: this.knowledgeBase ? `${this.knowledgeBase}-kb` : 'agent-memories',
+        };
+    }
+    async listMemories(limit = 20) {
+        return this.list(limit);
+    }
+    async recallByTags(tagList, limit = 10) {
+        const result = await apiRequest("/tags", {
+            body: {
+                tags: tagList,
+                limit,
+                agentId: this.agentId,
+                agentType: this.agentType,
+                knowledgeBase: this.knowledgeBase,
+            },
+        });
+        return result.memories;
+    }
+    async recallShared(query, limit = 5, minScore = 0.5, publicOnly = false) {
+        const result = await apiRequest("/recall-shared", {
+            body: {
+                query,
+                limit,
+                minScore,
+                agentType: this.agentType,
+                visibility: publicOnly ? 'public' : 'team',
+            },
+        });
+        return result.results;
+    }
+    async listShared(limit = 20, publicOnly = false) {
+        const result = await apiRequest("/shared", {
+            body: {
+                limit,
+                agentType: this.agentType,
+                visibility: publicOnly ? 'public' : undefined,
+            },
+        });
+        return result.memories;
+    }
+    async boost(_memoryId) {
+        throw new Error("boost() is not supported via API. Use direct Qdrant access for quality operations.");
+    }
+    async downvote(_memoryId) {
+        throw new Error("downvote() is not supported via API. Use direct Qdrant access for quality operations.");
+    }
+    async getQuality(_memoryId) {
+        throw new Error("getQuality() is not supported via API. Use direct Qdrant access for quality operations.");
+    }
+    async cleanup(_dryRun = true, _threshold = 0.1, _minAgeDays = 90, _tags) {
+        throw new Error("cleanup() is not supported via API. Use direct Qdrant access for admin operations.");
+    }
+    async purge(_retentionDays = 365) {
+        throw new Error("purge() is not supported via API. Use direct Qdrant access for admin operations.");
+    }
+    static async getInfo() {
+        return apiRequest("/info", { method: "GET" });
+    }
+}
+export function shouldUseApi() {
+    const config = getConfig();
+    return Boolean(config.apiUrl && config.apiKey);
+}
+export default ApiBrain;

package/dist/lib/permissions-cache.d.ts

@@ -0,0 +1,18 @@
+interface CachedPermissions {
+    role: string;
+    permissions: string[];
+    knowledgeBases: string[];
+    fetchedAt: number;
+}
+export declare function getPermissions(): Promise<CachedPermissions>;
+export declare function clearPermissionsCache(): void;
+export declare function hasPermission(permission: string): Promise<boolean>;
+export declare function canAccessKnowledgeBase(kb: string): Promise<boolean>;
+export declare function getAccessibleKnowledgeBases(): Promise<string[]>;
+export declare function getCurrentRole(): Promise<string | null>;
+export declare function getCacheStatus(): {
+    cached: boolean;
+    age: number | null;
+    expiresIn: number | null;
+};
+export {};

package/dist/lib/permissions-cache.js

@@ -0,0 +1,104 @@
+import { getConfig } from "../commands/config.js";
+const CACHE_TTL_MS = 5 * 60 * 1000;
+let cache = null;
+let fetchPromise = null;
+async function fetchPermissions() {
+    const config = getConfig();
+    if (!config.apiUrl || !config.apiKey) {
+        throw new Error("API not configured");
+    }
+    const url = new URL("/api/auth/whoami", config.apiUrl);
+    const res = await fetch(url.toString(), {
+        method: "GET",
+        headers: {
+            "x-api-key": config.apiKey,
+            "Content-Type": "application/json",
+        },
+    });
+    if (!res.ok) {
+        const error = await res.json().catch(() => ({ error: res.statusText }));
+        throw new Error(error.message || error.error || `HTTP ${res.status}`);
+    }
+    const data = await res.json();
+    const kbPermissions = data.permissions
+        .filter((p) => p.startsWith("kb:"))
+        .map((p) => p.replace("kb:", ""));
+    return {
+        role: data.role,
+        permissions: data.permissions,
+        knowledgeBases: kbPermissions,
+        fetchedAt: Date.now(),
+    };
+}
+export async function getPermissions() {
+    const now = Date.now();
+    if (cache && now - cache.fetchedAt < CACHE_TTL_MS) {
+        return cache;
+    }
+    if (!fetchPromise) {
+        fetchPromise = fetchPermissions().then(result => {
+            cache = result;
+            fetchPromise = null;
+            return result;
+        }).catch(err => {
+            fetchPromise = null;
+            throw err;
+        });
+    }
+    return fetchPromise;
+}
+export function clearPermissionsCache() {
+    cache = null;
+    fetchPromise = null;
+}
+export async function hasPermission(permission) {
+    try {
+        const perms = await getPermissions();
+        if (perms.permissions.includes("*"))
+            return true;
+        if (perms.permissions.includes(permission))
+            return true;
+        const [scope] = permission.split(":");
+        if (perms.permissions.includes(`${scope}:*`))
+            return true;
+        return false;
+    }
+    catch {
+        return false;
+    }
+}
+export async function canAccessKnowledgeBase(kb) {
+    try {
+        const perms = await getPermissions();
+        return perms.knowledgeBases.includes(kb) || perms.permissions.includes("kb:*");
+    }
+    catch {
+        return false;
+    }
+}
+export async function getAccessibleKnowledgeBases() {
+    try {
+        const perms = await getPermissions();
+        return perms.knowledgeBases;
+    }
+    catch {
+        return [];
+    }
+}
+export async function getCurrentRole() {
+    try {
+        const perms = await getPermissions();
+        return perms.role;
+    }
+    catch {
+        return null;
+    }
+}
+export function getCacheStatus() {
+    if (!cache) {
+        return { cached: false, age: null, expiresIn: null };
+    }
+    const age = Date.now() - cache.fetchedAt;
+    const expiresIn = Math.max(0, CACHE_TTL_MS - age);
+    return { cached: true, age, expiresIn };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@simonfestl/husky-cli",
-  "version": "1.9.2",
+  "version": "1.10.0",
   "description": "CLI for Huskyv0 Task Orchestration with Claude Agent SDK",
   "type": "module",
   "bin": {