@vedtechsolutions/engram-mcp 1.0.19 → 1.0.21

package/dist/{chunk-OY2XHPUF.js → chunk-O3ZP4K3T.js}

@@ -11178,14 +11178,17 @@ function inferRole(nodeType, filePath, analysis) {
 
 // src/engines/curator.ts
 import { existsSync as existsSync5, readFileSync as readFileSync4, writeFileSync, realpathSync as realpathSync2, lstatSync as lstatSync2, renameSync } from "fs";
-import { join as join5, dirname as dirname3 } from "path";
+import { join as join5, dirname as dirname3, resolve as resolve3 } from "path";
 import { homedir as homedir3 } from "os";
 var logger14 = createLogger("curator");
 var lastBridgeWriteTime = 0;
 function discoverMemoryDir(cwd) {
   const envDir = process.env.CLAUDE_MEMORY_DIR;
-  if (envDir && existsSync5(envDir)) {
-    return envDir;
+  if (envDir && envDir.startsWith("/") && !envDir.includes("\0") && envDir.length < 1e3) {
+    const resolvedEnv = resolve3(envDir);
+    if (resolvedEnv === resolve3(resolvedEnv) && existsSync5(resolvedEnv)) {
+      return resolvedEnv;
+    }
   }
   const home = homedir3();
   const projectsBase = join5(home, ".claude", "projects");
@@ -12672,4 +12675,4 @@ export {
   composeProjectUnderstanding,
   formatMentalModelInjection
 };
-//# sourceMappingURL=chunk-OY2XHPUF.js.map
+//# sourceMappingURL=chunk-O3ZP4K3T.js.map

package/dist/hook.js

@@ -174,10 +174,10 @@ import {
   updateReasoningChain,
   updateSelfModelFromSession,
   updateTask
-} from "./chunk-OY2XHPUF.js";
+} from "./chunk-O3ZP4K3T.js";
 
 // src/hook.ts
-import { readFileSync, writeFileSync, existsSync, renameSync, statSync, readdirSync, unlinkSync, appendFileSync, openSync, readSync, closeSync } from "fs";
+import { readFileSync, writeFileSync, existsSync, renameSync, statSync, readdirSync, unlinkSync, openSync, readSync, closeSync } from "fs";
 import { join, basename, resolve } from "path";
 import { homedir } from "os";
 
@@ -2886,15 +2886,39 @@ function readStdin() {
       return;
     }
     let data = "";
+    const MAX_STDIN_BYTES = 10 * 1024 * 1024;
     process.stdin.setEncoding("utf-8");
     process.stdin.on("data", (chunk) => {
       data += chunk;
+      if (data.length > MAX_STDIN_BYTES) {
+        data = data.slice(0, MAX_STDIN_BYTES);
+        process.stdin.destroy();
+        resolve2(data);
+      }
     });
     process.stdin.on("end", () => resolve2(data));
     process.stdin.on("error", () => resolve2(""));
     setTimeout(() => resolve2(data), 2e3);
   });
 }
+function validateTranscriptPath(p) {
+  if (!p || typeof p !== "string") return null;
+  const resolved = resolve(p);
+  const allowed = join(homedir(), ".claude", "projects");
+  if (!resolved.startsWith(allowed + "/") || !resolved.endsWith(".jsonl")) return null;
+  return resolved;
+}
+function validateSessionId(sid) {
+  if (!sid || typeof sid !== "string") return null;
+  if (!/^[a-zA-Z0-9_-]{1,100}$/.test(sid)) return null;
+  return sid;
+}
+function validateCwd(cwd) {
+  if (!cwd || typeof cwd !== "string") return null;
+  if (!cwd.startsWith("/")) return null;
+  if (cwd.includes("\0") || cwd.length > 1e3) return null;
+  return cwd;
+}
 function distillLesson(context) {
   const parts = [];
   if (context.errors && context.errors.length > 0 && context.fix) {
@@ -3226,13 +3250,29 @@ function sanitizeCognitiveState(state) {
   const cog = state.cognitive_state;
   if (!cog) return;
   const placeholders = ["X", "X.", "Y", "Y.", "Z", "Z."];
-  if (cog.current_approach && placeholders.includes(cog.current_approach)) {
+  const templatePatterns = [
+    /^X[\.\s]/,
+    // Starts with X. or X<space>
+    /^Approach:\s*X/i,
+    // "Approach: X..."
+    /Hypothesis:\s*[XYZ][\.\s]/,
+    // Contains "Hypothesis: X."
+    /Discovery:\s*[XYZ][\.\s]/,
+    // Contains "Discovery: Z."
+    /^[XYZ]\.\s+(?:Hypothesis|Discovery|Approach):/i
+    // "X. Hypothesis: Y..."
+  ];
+  const isPlaceholderValue = (val) => {
+    if (placeholders.includes(val)) return true;
+    return templatePatterns.some((p) => p.test(val));
+  };
+  if (cog.current_approach && isPlaceholderValue(cog.current_approach)) {
     cog.current_approach = null;
   }
-  if (cog.active_hypothesis && placeholders.includes(cog.active_hypothesis)) {
+  if (cog.active_hypothesis && isPlaceholderValue(cog.active_hypothesis)) {
     cog.active_hypothesis = null;
   }
-  if (cog.recent_discovery && placeholders.includes(cog.recent_discovery)) {
+  if (cog.recent_discovery && isPlaceholderValue(cog.recent_discovery)) {
     cog.recent_discovery = null;
   }
   if (cog.active_hypothesis && cog.active_hypothesis.startsWith("/")) {
@@ -3261,11 +3301,35 @@ function sanitizeCognitiveState(state) {
       }
     }
   }
+  if (cog.recent_discovery && cog.recent_discovery.length < 15 && !cog.recent_discovery.includes(" ")) {
+    cog.recent_discovery = null;
+  }
+  if (cog.recent_discovery && /^that\s/i.test(cog.recent_discovery) && cog.recent_discovery.length < 40) {
+    cog.recent_discovery = null;
+  }
   if (state.active_task && state.active_task.startsWith("<")) {
     state.active_task = null;
   }
+  if (state.active_task) {
+    const conversationalPatterns = [
+      /^i have another/i,
+      /^just letting you/i,
+      /^just a quick/i,
+      /^now tell me/i,
+      /^do another final/i,
+      /^reviewing$/i
+      // Generic tool-inferred task, not specific
+    ];
+    if (conversationalPatterns.some((p) => p.test(state.active_task))) {
+      state.active_task = null;
+    }
+  }
   if (!state.active_task || state.active_task === "unknown task") {
-    const editedFiles = state.recent_actions.filter((a) => a.tool === "Edit" || a.tool === "Write").map((a) => a.target.split(/[/\\]/).pop() ?? a.target);
+    const editedFiles = state.recent_actions.filter((a) => a.tool === "Edit" || a.tool === "Write").map((a) => {
+      const arrowIdx = a.target.indexOf(" \u2192");
+      const path = arrowIdx > 0 ? a.target.slice(0, arrowIdx) : a.target;
+      return path.split(/[/\\]/).pop() ?? path;
+    });
     const uniqueFiles = [...new Set(editedFiles)].slice(-5);
     if (uniqueFiles.length > 0) {
       if (cog.current_approach && cog.current_approach.length >= 10) {
@@ -3275,6 +3339,16 @@ function sanitizeCognitiveState(state) {
       }
     }
   }
+  if (state.session_files.length > 0) {
+    state.session_files = state.session_files.filter((f) => {
+      if (f.length < 3 || f.length > 500) return false;
+      if (!f.includes("/") && !f.includes("\\")) return false;
+      if (f.includes("/../") || f.startsWith("../")) return false;
+      if (/^\/?\d+\.\d+/.test(f)) return false;
+      if (f === "/root/.ssh" || f.includes("/etc/cron")) return false;
+      return true;
+    });
+  }
 }
 function deleteSessionState() {
   const watcherPath = getWatcherPath(activeSessionId);
@@ -3346,6 +3420,12 @@ function writeSessionHandoff(state, narrative) {
     reasoning_trail: reasoningTrail.slice(0, 10)
   };
   try {
+    const serialized = JSON.stringify(handoff, null, 2);
+    if (serialized.length > 65536) {
+      log.warn("Session handoff too large, truncating", { size: serialized.length });
+      handoff.reasoning_trail = handoff.reasoning_trail.slice(0, 3);
+      handoff.lessons = handoff.lessons.slice(0, 3);
+    }
     const tmpPath = handoffPath + ".tmp";
     writeFileSync(tmpPath, JSON.stringify(handoff, null, 2), "utf-8");
     renameSync(tmpPath, handoffPath);
@@ -3466,16 +3546,16 @@ var [command, ...args] = process.argv.slice(2);
 async function main() {
   const stdinRaw = await readStdin();
   const stdinJson = safeParse(stdinRaw);
-  const stdinSessionId = stdinJson?.session_id;
-  if (stdinSessionId && typeof stdinSessionId === "string" && stdinSessionId.length > 0 && stdinSessionId.length <= 200) {
-    activeSessionId = stdinSessionId;
+  const validatedSessionId = validateSessionId(stdinJson?.session_id);
+  if (validatedSessionId) {
+    activeSessionId = validatedSessionId;
   } else if (process.env.ENGRAM_SESSION_ID) {
-    activeSessionId = process.env.ENGRAM_SESSION_ID;
+    const envSessionId = validateSessionId(process.env.ENGRAM_SESSION_ID);
+    if (envSessionId) activeSessionId = envSessionId;
   }
   migrateLegacyWatcherState();
   try {
-    const stdinCwd = stdinJson?.cwd;
-    const cwdForDb = stdinCwd ?? process.cwd();
+    const cwdForDb = validateCwd(stdinJson?.cwd) ?? process.cwd();
     const projectRoot = inferProjectPath(cwdForDb);
     const projectDbPath = deriveProjectDbPath(projectRoot);
     initProjectDatabase(projectDbPath);
@@ -3496,29 +3576,12 @@ async function main() {
       handlePostToolGeneric(stdinJson);
       break;
     case "notification": {
-      try {
-        appendFileSync(
-          join(homedir(), ".engram", "notification-debug.log"),
-          `[${(/* @__PURE__ */ new Date()).toISOString()}] NOTIFICATION stdin_keys=${Object.keys(stdinJson ?? {}).join(",")}
-`
-        );
-      } catch {
-      }
       const notifType = stdinJson?.notification_type ?? args[0] ?? "general";
       const notifMessage = stdinJson?.message ?? args[1] ?? "";
       handleNotification(notifType, notifMessage);
       break;
     }
     case "session-start":
-      try {
-        const src = stdinJson?.source ?? "unknown";
-        appendFileSync(
-          join(homedir(), ".engram", "notification-debug.log"),
-          `[${(/* @__PURE__ */ new Date()).toISOString()}] SESSION-START source=${src} stdin_keys=${Object.keys(stdinJson ?? {}).join(",")}
-`
-        );
-      } catch {
-      }
       handleSessionStart(stdinJson, args[0]);
       break;
     case "session-end":
@@ -3532,14 +3595,6 @@ async function main() {
       handleEngramUsed(stdinJson, args[0]);
       break;
     case "pre-compact":
-      try {
-        appendFileSync(
-          join(homedir(), ".engram", "notification-debug.log"),
-          `[${(/* @__PURE__ */ new Date()).toISOString()}] PRE-COMPACT stdin=${JSON.stringify(stdinJson).slice(0, 2e3)}
-`
-        );
-      } catch {
-      }
       handlePreCompact();
       break;
     case "prompt-check":
@@ -4784,12 +4839,6 @@ function extractFilesFromToolCall(tool, input, output) {
 function handleNotification(type, data) {
   try {
     log.info("Notification received", { type, data: truncate(data, 300) });
-    try {
-      const debugLine = `[${(/* @__PURE__ */ new Date()).toISOString()}] type=${type} data=${truncate(data, 500)}
-`;
-      appendFileSync(join(homedir(), ".engram", "notification-debug.log"), debugLine);
-    } catch {
-    }
     const isContextWarning = type === "context_window" || type === "context" || /context.*(low|full|limit|running out|compact)/i.test(data) || /remaining.*context/i.test(data);
     if (isContextWarning) {
       log.info("Context pressure detected \u2014 proactive offload triggered", { type, data });
@@ -5450,6 +5499,9 @@ function handleSubagentStop(stdinJson) {
   const fileMatches = lastMessage.match(/(?:\/[\w./+-]+\.\w+|[\w./+-]+\.(?:ts|js|py|xml|json|css|scss|md))/g);
   if (fileMatches) {
     for (const f of fileMatches) {
+      if (!f.includes("/")) continue;
+      if (f.includes("/../") || f.startsWith("../") || /^\/?\d+\.\d+/.test(f)) continue;
+      if (f === "/root/.ssh" || f.includes("/etc/cron")) continue;
       if (!state.session_files.includes(f)) {
         state.session_files.push(f);
       }
@@ -5458,7 +5510,7 @@ function handleSubagentStop(stdinJson) {
       state.session_files = state.session_files.slice(-50);
     }
   }
-  const isMetaAnalysis = lastMessage.startsWith("<analysis>") || lastMessage.startsWith("<summary>") || /^#+\s/.test(lastMessage) || lastMessage.startsWith("Based on ");
+  const isMetaAnalysis = lastMessage.startsWith("<analysis>") || lastMessage.startsWith("<summary>") || /^#+\s/.test(lastMessage) || lastMessage.startsWith("Based on ") || /^(I now have|Perfect!|I have (sufficient|enough|comprehensive))/i.test(lastMessage) || /^(Here('s| is) (the|my|a) (comprehensive|complete|detailed|full))/i.test(lastMessage) || lastMessage.includes("## ") && lastMessage.length > 500;
   const hasError = !isMetaAnalysis && containsError(lastMessage);
   if (hasError) {
     state.recent_errors.push(truncate(lastMessage, 200));
@@ -5697,13 +5749,20 @@ function buildContinuationBrief(state) {
   for (const id of state.decision_memory_ids.slice(-5)) {
     try {
       const mem = getMemory(id);
-      if (mem) decisions.push(truncate(mem.content, 150));
+      if (mem) {
+        const content = mem.content;
+        if (/^Delegated:|^Decision:\s*Delegated/i.test(content)) continue;
+        decisions.push(truncate(content, 150));
+      }
     } catch {
     }
   }
   const triedFailed = (state.session_outcomes ?? []).filter((o) => o.includes("\u2192 fail") || o.includes("\u2192 dead end") || o.includes("\u2192 blocked")).slice(-5).map((o) => truncate(o, 120));
   const editActions = state.recent_actions.filter((a) => a.tool === "Edit" || a.tool === "Write");
-  const keyFiles = [...new Set(editActions.map((a) => a.target))].slice(-10);
+  const keyFiles = [...new Set(editActions.map((a) => {
+    const arrowIdx = a.target.indexOf(" \u2192");
+    return arrowIdx > 0 ? a.target.slice(0, arrowIdx) : a.target;
+  }))].slice(-10);
   const recentBash = state.recent_commands?.slice(-5) ?? [];
   if (recentBash.length > 0) {
     const bashSummary = recentBash.map((c) => truncate(c.cmd, 80));
@@ -5995,7 +6054,7 @@ function handlePromptCheck(stdinJson, argFallback) {
   }
   try {
     if (state.total_turns > 0 && state.total_turns % CONTEXT_PRESSURE.MIN_TURNS_BETWEEN_CHECKS === 0) {
-      const transcriptPath = stdinJson?.transcript_path;
+      const transcriptPath = validateTranscriptPath(stdinJson?.transcript_path);
       const remaining = estimateContextRemaining(transcriptPath);
       if (remaining !== null) {
         state.last_context_remaining = remaining;
@@ -6178,7 +6237,7 @@ function handlePromptCheck(stdinJson, argFallback) {
   } catch {
   }
   try {
-    const transcriptPath2 = stdinJson?.transcript_path;
+    const transcriptPath2 = validateTranscriptPath(stdinJson?.transcript_path);
     if (transcriptPath2 && state.total_turns > 0 && state.total_turns - state.last_reasoning_extraction_turn >= TRANSCRIPT_REASONING.EXTRACTION_INTERVAL_TURNS && state.reasoning_extraction_count < TRANSCRIPT_REASONING.MAX_PER_SESSION && canEncodeReasoning(state)) {
       const reasoningSnippets = extractReasoningFromTranscript(transcriptPath2);
       for (const snippet of reasoningSnippets.slice(0, 2)) {
@@ -7132,10 +7191,14 @@ function handlePostCompact(stdinJson) {
     if (!recovery) return;
     const budget = new OutputBudget(OUTPUT_BUDGET.POST_COMPACT_MAX_BYTES);
     const lines = [];
-    const brief = state.continuation_brief;
-    if (brief) {
+    sanitizeCognitiveState(state);
+    const brief = buildContinuationBrief(state);
+    const briefUsable = brief.task !== "unknown task" || brief.last_actions.length > 0;
+    if (briefUsable) {
       const mindLines = ["[Engram] Continue from where you left off:"];
-      mindLines.push(`  Task: ${brief.task}`);
+      if (brief.task !== "unknown task") {
+        mindLines.push(`  Task: ${brief.task}`);
+      }
       mindLines.push(`  Phase: ${brief.phase}`);
       if (brief.last_actions.length > 0) {
         mindLines.push(`  Last actions:`);
@@ -7186,7 +7249,7 @@ function handlePostCompact(stdinJson) {
       }
     }
     try {
-      const transcriptPath = stdinJson?.transcript_path ?? null;
+      const transcriptPath = validateTranscriptPath(stdinJson?.transcript_path);
       if (transcriptPath) {
         const reasoningSnippets = extractReasoningFromTranscript(transcriptPath, TRANSCRIPT_REASONING.POST_COMPACT_MAX_MESSAGES);
         if (reasoningSnippets.length > 0) {

package/dist/index.js

@@ -154,7 +154,7 @@ import {
   vaccinate,
   vacuumDatabase,
   validateMultiPerspective
-} from "./chunk-OY2XHPUF.js";
+} from "./chunk-O3ZP4K3T.js";
 
 // src/index.ts
 import { McpServer, ResourceTemplate } from "@modelcontextprotocol/sdk/server/mcp.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vedtechsolutions/engram-mcp",
-  "version": "1.0.19",
+  "version": "1.0.21",
   "description": "Cognitive memory system for AI — persistent, cross-session learning via MCP",
   "type": "module",
   "main": "dist/index.js",