@unifiedmemory/cli 1.3.13 → 1.3.15

package/lib/memory-instructions.js

@@ -1,82 +1,76 @@
 // Unique marker to detect if instructions already present
-export const MEMORY_INSTRUCTIONS_MARKER = '<!-- UNIFIEDMEMORY_INSTRUCTIONS_V2 -->';
+export const MEMORY_INSTRUCTIONS_MARKER = '<!-- UNIFIEDMEMORY_INSTRUCTIONS_V3 -->';
 
 export function getMemoryInstructions() {
   return `${MEMORY_INSTRUCTIONS_MARKER}
 
-# UnifiedMemory Integration (REQUIRED)
+# STOP - Read Before ANY Code Task
 
-This project uses UnifiedMemory for persistent knowledge management. The \`unifiedmemory\` MCP server is configured and MUST be used for all relevant queries.
+**MANDATORY**: Call \`search_notes\` BEFORE writing any code. Always. No exceptions.
 
-## Available Tools
+## Pre-Implementation Checklist
 
-The \`unifiedmemory\` MCP server provides these tools (call them like any MCP tool):
+Before ANY coding task, you MUST:
+- [ ] Call \`search_notes\` with relevant keywords
+- [ ] Review results for existing patterns/decisions
+- [ ] Mention what you found (or didn't) in your response
+- [ ] THEN start implementation
 
-| Tool | Purpose | Required Parameters |
-|------|---------|---------------------|
-| \`search_notes\` | **Primary tool** - Search project knowledge base | \`query\` (search text) |
-| \`create_note\` | Record decisions, plans, or completions | \`summary_text\`, \`topic\` |
-| \`list_notes\` | List all notes in current project | None |
-| \`get_note\` | Retrieve a specific note by ID | \`note_id\` |
-| \`list_topics\` | List available topics/categories | None |
-| \`create_topic\` | Create a new topic for organization | \`name\` |
-| \`list_projects\` | List available projects | None |
+---
 
-All tools automatically use the correct project context - no additional configuration needed.
+## WRONG
 
-## MANDATORY: Search Before Implementing
+\`\`\`
+User: "Create a calculator app"
+Assistant: [immediately writes code]  ← NEVER DO THIS
+\`\`\`
 
-**REQUIREMENT**: Before responding to ANY coding task, feature request, or implementation question, you MUST:
+## CORRECT
 
-1. Call the \`search_notes\` tool with the user's query or relevant keywords
-2. Review returned results for prior decisions, patterns, or context
-3. Incorporate relevant findings into your response
-4. Mention what context you found (or didn't find) in your response
+\`\`\`
+User: "Create a calculator app"
+Assistant: [calls search_notes first]
+Assistant: "No relevant patterns found in UnifiedMemory. Proceeding..."
+Assistant: [writes code]
+\`\`\`
 
-### When to Search
+---
 
-You MUST search before:
-- Implementing any feature (search for existing patterns)
-- Fixing any bug (search for related issues)
-- Answering architecture questions (search for design decisions)
-- Modifying any component (search for existing conventions)
-- ANY coding task, no exceptions
+## When to Search (ALWAYS)
 
-### Example Workflow
+- Before implementing ANY feature ← search first
+- Before fixing ANY bug ← search first
+- Before answering architecture questions ← search first
+- Before modifying ANY component ← search first
+- For "simple" tasks ← search first (context always helps)
 
-\`\`\`
-User: "Add authentication to the API"
-
-Step 1: Call search_notes with query "authentication API security"
-Step 2: Review results - found: "Decision: Use JWT with refresh tokens"
-Step 3: Implement following the established pattern
-Step 4: Respond: "Based on prior decisions in UnifiedMemory, I'll use JWT..."
-\`\`\`
+---
 
-## Do NOT Skip These Tools
+## MCP Tool Reference
 
-- ❌ NEVER start implementing without calling \`search_notes\` first
-- ❌ NEVER assume patterns without checking the knowledge base
-- ❌ NEVER skip search for "simple" tasks - context always helps
-- ✅ ALWAYS search even if you think you know the answer
-- ✅ ALWAYS mention search results (or lack thereof) in your response
-- ✅ ALWAYS use these tools when they can provide relevant context
+| Tool | Purpose | Parameters |
+|------|---------|------------|
+| \`search_notes\` | **Search knowledge base** | \`body: {q: "search text"}\` |
+| \`create_note\` | Record decisions/completions | \`body: {summary_text: "...", topic: "..."}\` |
+| \`list_notes\` | Browse all notes | None |
+| \`get_note\` | Get note by ID | \`body: {note_id: "..."}\` |
+| \`list_topics\` | List categories | None |
+| \`create_topic\` | Create category | \`body: {name: "..."}\` |
 
-## Recording Knowledge with create_note
+Project context is automatic - no extra config needed.
 
-After completing significant work, use \`create_note\` to record:
-- Implementation decisions and rationale
-- Completed features or fixes
-- Architectural patterns established
-- Gotchas or lessons learned
+---
 
-Keep notes concise (under 1000 characters) and focus on the "why" not the "what".
+## After Completing Work
 
-## Additional Tools
+Use \`create_note\` to record:
+- Decisions and rationale (the "why")
+- Patterns established
+- Gotchas or lessons learned
 
-Use \`list_topics\` to understand project organization, \`list_notes\` to browse available knowledge, and \`get_note\` to retrieve full details of relevant notes found via search.
+Keep notes under 1000 chars. Focus on "why" not "what".
 
 ---
-*UnifiedMemory CLI - Knowledge that persists*
+*UnifiedMemory - \`search_notes\` FIRST, code SECOND*
 `;
 }

package/lib/token-refresh.js

@@ -1,7 +1,6 @@
-import { getToken, saveToken } from './token-storage.js';
+import { saveToken } from './token-storage.js';
 import { config } from './config.js';
 import { parseJWT } from './jwt-utils.js';
-import { getOrgScopedToken } from './clerk-api.js';
 
 /**
  * Check if token has expired
@@ -23,6 +22,7 @@ export function isTokenExpired(tokenData) {
 
 /**
  * Refresh access token using refresh token
+ * Simple refresh - Clerk preserves org context if it was set
  * @param {Object} tokenData - Current token data
  * @returns {Promise<Object>} - New token data
  */
@@ -74,36 +74,22 @@ export async function refreshAccessToken(tokenData) {
 
     // Parse refreshed JWT
     const refreshedToken = newTokenData.id_token || newTokenData.access_token;
-    let finalIdToken = newTokenData.id_token;
-    let decoded = parseJWT(refreshedToken);
+    const decoded = parseJWT(refreshedToken);
 
-    // If we have org context, get org-scoped token to ensure JWT has org claims
-    if (tokenData.selectedOrg?.id && decoded?.sid) {
-      try {
-        const orgToken = await getOrgScopedToken(
-          decoded.sid,
-          tokenData.selectedOrg.id,
-          refreshedToken
-        );
-        finalIdToken = orgToken.jwt;
-        decoded = parseJWT(orgToken.jwt);
-      } catch (error) {
-        // Log warning but continue with base token
-        // The subsequent API call may fail, prompting re-login
-        console.error(`⚠️  Could not refresh org-scoped token: ${error.message}`);
-      }
-    }
-
-    // Build updated token object, preserving selectedOrg
+    // Build updated token object
+    // Note: Clerk preserves org context through refresh automatically
+    // We also preserve selectedOrgId/selectedOrgName from login state
     const updatedToken = {
       accessToken: newTokenData.access_token,
-      idToken: finalIdToken,
+      idToken: newTokenData.id_token,
       tokenType: newTokenData.token_type || 'Bearer',
       expiresIn: newTokenData.expires_in,
       receivedAt: Date.now(),
       decoded: decoded,
-      selectedOrg: tokenData.selectedOrg, // Preserve organization context
       refresh_token: newTokenData.refresh_token || tokenData.refresh_token,
+      sessionId: tokenData.sessionId,  // Preserve sessionId through refresh
+      selectedOrgId: tokenData.selectedOrgId,  // Preserve org selection through refresh
+      selectedOrgName: tokenData.selectedOrgName,  // Preserve org name through refresh
     };
 
     // Save to storage

package/lib/token-storage.js

@@ -14,12 +14,6 @@ export function saveToken(tokenData) {
   // Ensure directory permissions are correct (in case it was created with wrong permissions)
   fs.chmodSync(TOKEN_DIR, 0o700);
 
-  // Preserve existing organization context if not explicitly overwritten
-  const existingData = getToken();
-  if (existingData && existingData.selectedOrg && !tokenData.selectedOrg) {
-    tokenData.selectedOrg = existingData.selectedOrg;
-  }
-
   // Write token file with owner-only read/write permissions (0600)
   fs.writeFileSync(TOKEN_FILE, JSON.stringify(tokenData, null, 2));
   // Explicitly set file permissions (writeFileSync mode option doesn't always work with extended attributes)
@@ -46,31 +40,43 @@ export function clearToken() {
 }
 
 /**
- * Update the selected organization context
- * @param {Object|null} orgData - Organization data or null for personal context
+ * Get organization context from JWT claims
+ * JWT is the single source of truth for org context
+ * @returns {Object|null} Organization context or null if personal context
  */
-export function updateSelectedOrg(orgData) {
-  const tokenData = getToken();
-  if (!tokenData) {
-    throw new Error('No token found. Please login first.');
+export function getOrgContext() {
+  const token = getToken();
+
+  // Try nested 'o' object first (original OAuth token format)
+  if (token?.decoded?.o?.o_id) {
+    return {
+      id: token.decoded.o.o_id,
+      name: token.decoded.o.o_name,
+      slug: token.decoded.o.o_slug,
+      role: token.decoded.o.o_role
+    };
   }
 
-  // Ensure directory permissions are correct
-  if (fs.existsSync(TOKEN_DIR)) {
-    fs.chmodSync(TOKEN_DIR, 0o700);
+  // Fall back to flat org_* claims (org-scoped token from Clerk)
+  if (token?.decoded?.org_id) {
+    return {
+      id: token.decoded.org_id,
+      name: token.decoded.org_name,
+      slug: token.decoded.org_slug,
+      role: token.decoded.org_role
+    };
   }
 
-  tokenData.selectedOrg = orgData;
-  // Write with owner-only read/write permissions (0600)
-  fs.writeFileSync(TOKEN_FILE, JSON.stringify(tokenData, null, 2));
-  fs.chmodSync(TOKEN_FILE, 0o600);
-}
+  // Fall back to selectedOrgId from login state parameter
+  // This is used when JWT doesn't have org claims (Clerk setActive limitation)
+  if (token?.selectedOrgId) {
+    return {
+      id: token.selectedOrgId,
+      name: token.selectedOrgName || null,
+      slug: null,
+      role: null
+    };
+  }
 
-/**
- * Get the currently selected organization context
- * @returns {Object|null} Organization data or null if personal context
- */
-export function getSelectedOrg() {
-  const tokenData = getToken();
-  return tokenData?.selectedOrg || null;
+  return null;
 }

package/lib/token-validation.js

@@ -1,11 +1,9 @@
-import { getToken, saveToken } from './token-storage.js';
+import { getToken } from './token-storage.js';
 import { isTokenExpired, refreshAccessToken } from './token-refresh.js';
-import { getOrgScopedToken } from './clerk-api.js';
-import { parseJWT } from './jwt-utils.js';
-import { config } from './config.js';
 
 /**
  * Load token and refresh if expired
+ * JWT is the single source of truth - no recovery logic needed
  * @param {boolean} requireAuth - Whether to throw if not authenticated (default true)
  * @returns {Promise<Object|null>} - Token data or null
  * @throws {Error} - If not authenticated and requireAuth is true, or if refresh fails
@@ -46,86 +44,5 @@ export async function loadAndRefreshToken(requireAuth = true) {
     }
   }
 
-  // Check if token has org context but lacks org claims in JWT
-  // This can happen if getOrgScopedToken() failed during login
-  if (tokenData.selectedOrg?.id && !tokenData.decoded?.o) {
-    console.error('⚠️  Token missing org claims, attempting to fix...');
-
-    // Check for sid in decoded token or preserved originalSid from login
-    let sessionId = tokenData.decoded?.sid || tokenData.originalSid;
-    let currentToken = tokenData.idToken || tokenData.accessToken;
-
-    // If no sid, try to refresh first to get a new base token with sid
-    if (!sessionId && tokenData.refresh_token) {
-      console.error('  Refreshing to obtain session ID...');
-      try {
-        const tokenParams = {
-          client_id: config.clerkClientId,
-          refresh_token: tokenData.refresh_token,
-          grant_type: 'refresh_token',
-        };
-
-        if (config.clerkClientSecret) {
-          tokenParams.client_secret = config.clerkClientSecret;
-        }
-
-        const response = await fetch(`https://${config.clerkDomain}/oauth/token`, {
-          method: 'POST',
-          headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-          body: new URLSearchParams(tokenParams),
-        });
-
-        if (response.ok) {
-          const newTokenData = await response.json();
-          const refreshedToken = newTokenData.id_token || newTokenData.access_token;
-          const refreshedDecoded = parseJWT(refreshedToken);
-
-          sessionId = refreshedDecoded?.sid;
-          currentToken = refreshedToken;
-
-          // Update tokenData with refreshed values
-          tokenData.accessToken = newTokenData.access_token;
-          tokenData.idToken = newTokenData.id_token;
-          tokenData.refresh_token = newTokenData.refresh_token || tokenData.refresh_token;
-          tokenData.decoded = refreshedDecoded;
-
-          if (sessionId) {
-            console.error('  ✓ Obtained session ID');
-          }
-        }
-      } catch (error) {
-        console.error(`  Could not refresh token: ${error.message}`);
-      }
-    }
-
-    // Now try to get org-scoped token if we have sessionId
-    if (sessionId) {
-      try {
-        const orgToken = await getOrgScopedToken(
-          sessionId,
-          tokenData.selectedOrg.id,
-          currentToken
-        );
-
-        const decoded = parseJWT(orgToken.jwt);
-        const updatedToken = {
-          ...tokenData,
-          idToken: orgToken.jwt,
-          decoded: decoded,
-        };
-
-        saveToken(updatedToken);
-        console.error('✓ Token updated with org claims');
-        return updatedToken;
-      } catch (error) {
-        console.error(`⚠️  Could not get org-scoped token: ${error.message}`);
-        // Continue with existing token - API calls may fail
-      }
-    } else {
-      console.error('⚠️  Could not obtain session ID for org-scoped token');
-      console.error('   Please run: um login');
-    }
-  }
-
   return tokenData;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@unifiedmemory/cli",
-  "version": "1.3.13",
+  "version": "1.3.15",
   "description": "UnifiedMemory CLI - AI code assistant integration",
   "main": "index.js",
   "type": "module",

package/tests/unit/mcp-proxy.test.js

@@ -221,7 +221,7 @@ describe('mcp-proxy', () => {
 
       const authContext = {
         decoded: { sub: 'user_123' },
-        selectedOrg: { id: 'org_456' },
+        orgContext: { id: 'org_456' },
       };
 
       const projectContext = {
@@ -245,7 +245,7 @@ describe('mcp-proxy', () => {
       expect(capturedBody.params.arguments.headers['X-Org-Id']).toBe('org_456');
     });
 
-    it('should fallback to user_id for org when no selectedOrg', async () => {
+    it('should not inject org when no orgContext (personal context)', async () => {
       let capturedBody = null;
 
       server.use(
@@ -263,7 +263,7 @@ describe('mcp-proxy', () => {
 
       const authContext = {
         decoded: { sub: 'user_123' },
-        // No selectedOrg
+        // No orgContext - personal context
       };
 
       await callRemoteMCPTool(
@@ -274,9 +274,12 @@ describe('mcp-proxy', () => {
         null
       );
 
-      // Org should fallback to user_id
-      expect(capturedBody.params.arguments.pathParams.org).toBe('user_123');
-      expect(capturedBody.params.arguments.headers['X-Org-Id']).toBe('user_123');
+      // No org injection for personal context - gateway handles this
+      expect(capturedBody.params.arguments.pathParams.org).toBeUndefined();
+      expect(capturedBody.params.arguments.headers['X-Org-Id']).toBeUndefined();
+      // User should still be injected
+      expect(capturedBody.params.arguments.pathParams.user).toBe('user_123');
+      expect(capturedBody.params.arguments.headers['X-User-Id']).toBe('user_123');
     });
 
     it('should return tool execution result', async () => {

package/tests/unit/token-refresh.test.js

@@ -44,17 +44,9 @@ vi.mock('../../lib/jwt-utils.js', () => ({
   }),
 }));
 
-vi.mock('../../lib/clerk-api.js', () => ({
-  getOrgScopedToken: vi.fn().mockResolvedValue({
-    jwt: 'org_scoped_jwt',
-    object: 'token',
-  }),
-}));
-
 // Import after mocking
 import { isTokenExpired, refreshAccessToken } from '../../lib/token-refresh.js';
 import { saveToken } from '../../lib/token-storage.js';
-import { getOrgScopedToken } from '../../lib/clerk-api.js';
 
 describe('isTokenExpired', () => {
   it('returns true for null tokenData', () => {
@@ -181,7 +173,7 @@ describe('refreshAccessToken', () => {
     );
   });
 
-  it('preserves selectedOrg in refreshed token', async () => {
+  it('preserves selectedOrgId and selectedOrgName in refreshed token', async () => {
     global.fetch = vi.fn().mockResolvedValue({
       ok: true,
       json: () => Promise.resolve({
@@ -193,60 +185,42 @@ describe('refreshAccessToken', () => {
       }),
     });
 
-    const selectedOrg = { id: 'org_456', name: 'Test Org', role: 'admin' };
-    await refreshAccessToken({ refresh_token: 'rt_123', selectedOrg });
+    await refreshAccessToken({
+      refresh_token: 'rt_123',
+      selectedOrgId: 'org_456',
+      selectedOrgName: 'Test Org',
+    });
 
     expect(saveToken).toHaveBeenCalledWith(
       expect.objectContaining({
-        selectedOrg: selectedOrg,
+        selectedOrgId: 'org_456',
+        selectedOrgName: 'Test Org',
       })
     );
   });
 
-  it('gets org-scoped token when selectedOrg exists and refreshed token has sid', async () => {
+  it('preserves sessionId through refresh', async () => {
     global.fetch = vi.fn().mockResolvedValue({
       ok: true,
       json: () => Promise.resolve({
         access_token: 'new_access_token',
-        id_token: 'new_id_token_with_sid',
+        id_token: 'new_id_token',
         refresh_token: 'new_refresh_token',
         token_type: 'Bearer',
         expires_in: 3600,
       }),
     });
 
-    const selectedOrg = { id: 'org_456', name: 'Test Org', role: 'admin' };
-    await refreshAccessToken({ refresh_token: 'rt_123', selectedOrg });
-
-    expect(getOrgScopedToken).toHaveBeenCalledWith(
-      'sess_new_123',
-      'org_456',
-      'new_id_token_with_sid'
-    );
-  });
-
-  it('continues with base token when getOrgScopedToken fails', async () => {
-    global.fetch = vi.fn().mockResolvedValue({
-      ok: true,
-      json: () => Promise.resolve({
-        access_token: 'new_access_token',
-        id_token: 'new_id_token_with_sid',
-        refresh_token: 'new_refresh_token',
-        token_type: 'Bearer',
-        expires_in: 3600,
-      }),
+    await refreshAccessToken({
+      refresh_token: 'rt_123',
+      sessionId: 'sess_123',
     });
 
-    // Make getOrgScopedToken fail
-    vi.mocked(getOrgScopedToken).mockRejectedValueOnce(new Error('API error'));
-
-    const selectedOrg = { id: 'org_456', name: 'Test Org', role: 'admin' };
-
-    // Should not throw - continues with base token
-    const result = await refreshAccessToken({ refresh_token: 'rt_123', selectedOrg });
-
-    expect(result).toBeDefined();
-    expect(result.idToken).toBe('new_id_token_with_sid'); // Falls back to base token
+    expect(saveToken).toHaveBeenCalledWith(
+      expect.objectContaining({
+        sessionId: 'sess_123',
+      })
+    );
   });
 
   it('throws error when OAuth refresh fails with 400', async () => {

package/tests/unit/token-storage.test.js

@@ -132,7 +132,6 @@ describe('token-storage module behavior', () => {
     expect(typeof ts.saveToken).toBe('function');
     expect(typeof ts.getToken).toBe('function');
     expect(typeof ts.clearToken).toBe('function');
-    expect(typeof ts.updateSelectedOrg).toBe('function');
-    expect(typeof ts.getSelectedOrg).toBe('function');
+    expect(typeof ts.getOrgContext).toBe('function');
   });
 });