@wastedcode/memex 0.1.0 → 0.1.2

package/dist/standalone/memex.mjs

@@ -253,8 +253,11 @@ var init_errors = __esm({
         super(
           `No credentials configured for wiki '${wikiId}'.
 Set credentials with:
-  memex login ${wikiId}          (OAuth)
-  memex config ${wikiId} --set-key  (API key)`,
+  memex setup-token <token>               (global, all wikis)
+  memex login ${wikiId} --token <token>    (per-wiki)
+  memex login ${wikiId}                    (copy ~/.claude credentials)
+
+Generate a token by running: claude setup-token`,
           "NO_CREDENTIALS",
           400
         );
@@ -314,7 +317,7 @@ var init_constants = __esm({
       "WebFetch",
       "WebSearch"
     ]);
-    WIKI_ID_PATTERN = /^[a-z0-9][a-z0-9-]{1,62}[a-z0-9]$/;
+    WIKI_ID_PATTERN = /^[a-zA-Z0-9][a-zA-Z0-9_-]{1,62}[a-zA-Z0-9]$/;
   }
 });
 
@@ -370,9 +373,14 @@ var init_namespace = __esm({
        */
       wrapCommand(wikiId, innerCommand) {
         const wikiDir = join(this.wikisDir, wikiId);
+        const rawDir = join(wikiDir, "wiki", "raw");
+        const rawMount = `${WORKSPACE_MOUNT}/wiki/raw`;
         const script = [
           `mount --bind ${shellEscape(wikiDir)} ${shellEscape(WORKSPACE_MOUNT)}`,
           `mount -o remount,nosuid,nodev ${shellEscape(WORKSPACE_MOUNT)}`,
+          // raw/ is the immutable source archive — Claude can read but never write
+          `mount --bind ${shellEscape(rawDir)} ${shellEscape(rawMount)}`,
+          `mount -o remount,bind,ro ${shellEscape(rawMount)}`,
           `cd ${shellEscape(WORKSPACE_MOUNT)}`,
           `exec ${innerCommand.map(shellEscape).join(" ")}`
         ].join(" && ");
@@ -386,7 +394,7 @@ var init_namespace = __esm({
 });
 
 // src/daemon/scaffold.ts
-import { mkdirSync as mkdirSync2, writeFileSync, rmSync, readFileSync, existsSync as existsSync2 } from "node:fs";
+import { mkdirSync as mkdirSync2, writeFileSync, rmSync, readFileSync, existsSync as existsSync2, readdirSync } from "node:fs";
 import { join as join2, basename } from "node:path";
 function sanitizeFilename(name) {
   return name.replace(/[^a-zA-Z0-9._-]/g, "_");
@@ -508,6 +516,48 @@ Chronological record of knowledge base activity.
         if (!existsSync2(p)) return [];
         return readFileSync(p, "utf-8").split("\n").map((l) => l.trim()).filter((l) => l && !l.startsWith("#"));
       }
+      /**
+       * List files in a wiki's wiki/ directory.
+       * Returns an array of { path, type } entries relative to wiki/.
+       * If prefix is given, only lists entries under that subdirectory.
+       */
+      listWikiFiles(wikiId, prefix = "") {
+        const wikiContentDir = join2(this.wikiDir(wikiId), "wiki");
+        const target = prefix ? join2(wikiContentDir, prefix) : wikiContentDir;
+        if (!target.startsWith(wikiContentDir)) {
+          throw new Error("Invalid path");
+        }
+        if (!existsSync2(target)) return [];
+        const entries = readdirSync(target, { withFileTypes: true });
+        const results = [];
+        for (const entry of entries) {
+          if (entry.name.startsWith(".")) continue;
+          const relPath = prefix ? `${prefix}/${entry.name}` : entry.name;
+          results.push({
+            path: relPath,
+            type: entry.isDirectory() ? "directory" : "file"
+          });
+        }
+        return results.sort((a, b) => {
+          if (a.type !== b.type) return a.type === "directory" ? -1 : 1;
+          return a.path.localeCompare(b.path);
+        });
+      }
+      /**
+       * Read a file from a wiki's wiki/ directory.
+       * Returns the file content as a UTF-8 string.
+       */
+      readWikiFile(wikiId, filePath) {
+        const wikiContentDir = join2(this.wikiDir(wikiId), "wiki");
+        const target = join2(wikiContentDir, filePath);
+        if (!target.startsWith(wikiContentDir)) {
+          throw new Error("Invalid path");
+        }
+        if (!existsSync2(target)) {
+          throw new Error(`File not found: ${filePath}`);
+        }
+        return readFileSync(target, "utf-8");
+      }
       /**
        * Check if a wiki directory exists on disk.
        */
@@ -521,36 +571,37 @@ Chronological record of knowledge base activity.
 // src/daemon/auth.ts
 import { existsSync as existsSync3, readFileSync as readFileSync2, writeFileSync as writeFileSync2, mkdirSync as mkdirSync3 } from "node:fs";
 import { join as join3 } from "node:path";
-var AuthManager;
+var GLOBAL_TOKEN_PATH, AuthManager;
 var init_auth = __esm({
   "src/daemon/auth.ts"() {
     "use strict";
     init_constants();
     init_errors();
+    GLOBAL_TOKEN_PATH = join3(DATA_DIR, ".oauth-token");
     AuthManager = class {
-      constructor(wikisDir = WIKIS_DIR, globalApiKey) {
+      constructor(wikisDir = WIKIS_DIR) {
         this.wikisDir = wikisDir;
-        this.globalApiKey = globalApiKey;
+        this.globalOAuthToken = this.loadGlobalToken();
       }
       wikisDir;
-      globalApiKey;
+      globalOAuthToken;
       /**
        * Resolve credentials for a wiki, returning environment variables
        * to set on the claude child process.
        *
        * Priority:
-       *   1. Per-wiki API key file (.claude/api-key)
+       *   1. Per-wiki OAuth token file (.claude/oauth-token)
        *   2. Per-wiki OAuth credentials (.claude/.credentials.json exists)
-       *   3. Global ANTHROPIC_API_KEY from daemon environment
+       *   3. Global OAuth token (from `memex setup-token`)
        */
       resolveCredentials(wikiId) {
         const claudeDir = this.configDir(wikiId);
-        const apiKeyPath = join3(claudeDir, "api-key");
-        if (existsSync3(apiKeyPath)) {
-          const key = readFileSync2(apiKeyPath, "utf-8").trim();
-          if (key) {
+        const tokenPath = join3(claudeDir, "oauth-token");
+        if (existsSync3(tokenPath)) {
+          const token = readFileSync2(tokenPath, "utf-8").trim();
+          if (token) {
             return {
-              ANTHROPIC_API_KEY: key,
+              CLAUDE_CODE_OAUTH_TOKEN: token,
               CLAUDE_CONFIG_DIR: claudeDir
             };
           }
@@ -561,22 +612,38 @@ var init_auth = __esm({
             CLAUDE_CONFIG_DIR: claudeDir
           };
         }
-        if (this.globalApiKey) {
+        if (this.globalOAuthToken) {
           return {
-            ANTHROPIC_API_KEY: this.globalApiKey,
+            CLAUDE_CODE_OAUTH_TOKEN: this.globalOAuthToken,
             CLAUDE_CONFIG_DIR: claudeDir
           };
         }
         throw new NoCredentialsError(wikiId);
       }
       /**
-       * Store an API key for a wiki.
+       * Store and activate a global OAuth token (from `claude setup-token`).
+       * This is the daemon-wide fallback used when a wiki has no per-wiki credentials.
+       */
+      setGlobalToken(token) {
+        const trimmed = token.trim();
+        mkdirSync3(DATA_DIR, { recursive: true });
+        writeFileSync2(GLOBAL_TOKEN_PATH, trimmed, { mode: 384 });
+        this.globalOAuthToken = trimmed;
+      }
+      /**
+       * Check if a global OAuth token is configured.
        */
-      setApiKey(wikiId, key) {
+      hasGlobalToken() {
+        return !!this.globalOAuthToken;
+      }
+      /**
+       * Store an OAuth token for a specific wiki.
+       */
+      setWikiToken(wikiId, token) {
         const claudeDir = this.configDir(wikiId);
         mkdirSync3(claudeDir, { recursive: true, mode: 448 });
-        const apiKeyPath = join3(claudeDir, "api-key");
-        writeFileSync2(apiKeyPath, key.trim(), { mode: 384 });
+        const tokenPath = join3(claudeDir, "oauth-token");
+        writeFileSync2(tokenPath, token.trim(), { mode: 384 });
       }
       /**
        * Get the CLAUDE_CONFIG_DIR path for a wiki.
@@ -598,9 +665,17 @@ var init_auth = __esm({
        */
       hasCredentials(wikiId) {
         const claudeDir = this.configDir(wikiId);
-        const apiKeyPath = join3(claudeDir, "api-key");
+        const tokenPath = join3(claudeDir, "oauth-token");
         const credsPath = join3(claudeDir, ".credentials.json");
-        return existsSync3(apiKeyPath) || existsSync3(credsPath) || !!this.globalApiKey;
+        return existsSync3(tokenPath) || existsSync3(credsPath) || !!this.globalOAuthToken;
+      }
+      // ── Private ────────────────────────────────────────────────────────────
+      loadGlobalToken() {
+        if (existsSync3(GLOBAL_TOKEN_PATH)) {
+          const token = readFileSync2(GLOBAL_TOKEN_PATH, "utf-8").trim();
+          if (token) return token;
+        }
+        return void 0;
       }
     };
   }
@@ -627,9 +702,16 @@ Integrate these into the wiki:
    d. Maintain bidirectional links \u2014 if you link A\u2192B, update B\u2192A too.
    e. Update _index.md with current summaries for all affected pages.
 6. Append a dated ingest entry to _log.md summarizing what was ingested and what pages were affected.
+7. **Reflect on the schema.** Before finishing, re-read _schema.md and ask yourself:
+   - Have I established patterns that aren't documented? (e.g. bug lifecycle stages, severity conventions, required fields for a category)
+   - Are there recurring structures across pages in the same category? (e.g. all bugs have Status/Reporter/Impact \u2014 codify that)
+   - Has my filing behavior drifted from what the schema says? Update the schema to match reality.
+   - Are there cross-category patterns worth noting? (e.g. "bugs should always link to their owning product")
+   - Would a future version of me, seeing this schema for the first time, make the same decisions I just made?
+   The schema is your institutional memory. If you learned something from this ingest \u2014 a new convention, a refinement, a pattern \u2014 write it down. Vocabulary, heuristics, page templates, lifecycle stages, things to ignore. The schema should get richer with every ingest, not just when new categories appear.
 
 Rules:
-- NEVER modify files in raw/ \u2014 they are immutable sources
+- NEVER modify files in raw/ \u2014 they are immutable sources (this is enforced by the filesystem)
 - Prefer updating existing pages over creating duplicates
 - If a source contradicts existing wiki content, UPDATE the existing page \u2014 resolve or flag the contradiction
 - Keep pages focused \u2014 one topic per page
@@ -771,13 +853,21 @@ IMPORTANT: You are operating in a sandboxed wiki directory. Only read and write
 - \`_schema.md\` \u2014 Filing conventions, categories, domain vocabulary, filing heuristics. YOUR institutional memory.
 - \`_index.md\` \u2014 One-line summary of every wiki page, organized by category. The table of contents.
 - \`_log.md\` \u2014 Chronological activity log. You maintain this.
-- \`raw/\` \u2014 Immutable source documents. NEVER modify or delete these files.
+- \`raw/\` \u2014 Immutable source archive. Read-only (enforced by filesystem). Read from here, never write.
 - Everything else \u2014 Wiki pages organized by entity and topic.
 
 ## Your responsibilities
 
-### 1. Schema (_schema.md)
-You own the schema. Update it when you establish or refine conventions \u2014 new categories, naming patterns, domain vocabulary, filing heuristics, things to ignore.
+### 1. Schema (_schema.md) \u2014 YOUR institutional memory
+You own the schema. It is not a static config file \u2014 it is a living document that evolves with every ingest. The schema captures what you've learned about how THIS knowledge base works: what categories exist, how pages in each category are structured, what naming and filing patterns have emerged, what domain vocabulary matters.
+
+Update the schema when you:
+- Establish or refine category conventions (new categories, what belongs where)
+- Notice structural patterns (e.g. "bugs have Status/Reporter/Impact fields", "people pages track contributions chronologically")
+- Learn domain vocabulary or terminology
+- Develop filing heuristics (e.g. "bug reports should always link to their owning product")
+- Discover things to ignore or de-prioritize
+- Notice lifecycle patterns (e.g. open \u2192 resolved, proposed \u2192 accepted)
 
 On the FIRST call for a new knowledge base (no _schema.md exists), CREATE it with the conventions you establish. Suggested starting categories (adapt to what fits):
 - customers/ \u2014 profiles and feedback per person or company
@@ -786,6 +876,8 @@ On the FIRST call for a new knowledge base (no _schema.md exists), CREATE it wit
 - research/ \u2014 deep dives and analyses
 - reference/ \u2014 factual reference material
 
+The schema should get richer with experience. After 10 ingests it should contain conventions a generic prompt wouldn't know. A future session reading only the schema should understand how this knowledge base thinks.
+
 ### 2. Index (_index.md)
 ALWAYS keep _index.md current. Every wiki page gets a one-line summary: what it contains, how many connections, what matters most. Organize by category. A reader should understand the shape of the entire knowledge base by reading only the index.
 
@@ -904,6 +996,9 @@ var init_runner = __esm({
         if (credEnv["CLAUDE_CONFIG_DIR"]) {
           env["CLAUDE_CONFIG_DIR"] = `${WORKSPACE_MOUNT}/.claude`;
         }
+        if (credEnv["CLAUDE_CODE_OAUTH_TOKEN"]) {
+          env["CLAUDE_CODE_OAUTH_TOKEN"] = credEnv["CLAUDE_CODE_OAUTH_TOKEN"];
+        }
         return new Promise((resolve) => {
           const child = spawn(wrapped.command, wrapped.args, {
             env,
@@ -1181,13 +1276,16 @@ var init_routes = __esm({
           { method: "DELETE", pattern: /^\/wikis\/(?<id>[^/]+)$/, handler: this.destroyWiki.bind(this) },
           { method: "PUT", pattern: /^\/wikis\/(?<id>[^/]+)\/config$/, handler: this.updateConfig.bind(this) },
           { method: "POST", pattern: /^\/wikis\/(?<id>[^/]+)\/chown$/, handler: this.chownWiki.bind(this) },
-          { method: "POST", pattern: /^\/wikis\/(?<id>[^/]+)\/api-key$/, handler: this.setApiKey.bind(this) },
+          { method: "POST", pattern: /^\/auth\/token$/, handler: this.setGlobalToken.bind(this) },
+          { method: "POST", pattern: /^\/wikis\/(?<id>[^/]+)\/token$/, handler: this.setWikiToken.bind(this) },
           { method: "POST", pattern: /^\/wikis\/(?<id>[^/]+)\/credentials$/, handler: this.setCredentials.bind(this) },
           { method: "POST", pattern: /^\/wikis\/(?<id>[^/]+)\/jobs$/, handler: this.submitJob.bind(this) },
           { method: "GET", pattern: /^\/wikis\/(?<id>[^/]+)\/jobs\/(?<jobId>\d+)$/, handler: this.getJob.bind(this) },
           { method: "GET", pattern: /^\/wikis\/(?<id>[^/]+)\/jobs$/, handler: this.listJobs.bind(this) },
           { method: "GET", pattern: /^\/wikis\/(?<id>[^/]+)\/logs$/, handler: this.getAuditLog.bind(this) },
-          { method: "POST", pattern: /^\/wikis\/(?<id>[^/]+)\/ingest-file$/, handler: this.receiveFile.bind(this) }
+          { method: "POST", pattern: /^\/wikis\/(?<id>[^/]+)\/ingest-file$/, handler: this.receiveFile.bind(this) },
+          { method: "GET", pattern: /^\/wikis\/(?<id>[^/]+)\/files$/, handler: this.listFiles.bind(this) },
+          { method: "GET", pattern: /^\/wikis\/(?<id>[^/]+)\/files\/(?<path>.+)$/, handler: this.readFile.bind(this) }
         ];
       }
       db;
@@ -1213,7 +1311,7 @@ var init_routes = __esm({
         const name = b.name;
         if (!id || !WIKI_ID_PATTERN.test(id)) {
           throw new ValidationError(
-            `Invalid wiki ID '${id}'. Must be 3-64 chars, lowercase alphanumeric and hyphens, cannot start or end with a hyphen.`
+            `Invalid wiki ID '${id}'. Must be 3-64 chars, alphanumeric with hyphens and underscores, cannot start or end with a hyphen or underscore.`
           );
         }
         if (this.db.getWiki(id)) {
@@ -1289,16 +1387,31 @@ var init_routes = __esm({
         return { status: 200, body: { ok: true, data: wiki } };
       }
       // ── Auth ─────────────────────────────────────────────────────────────────
-      async setApiKey(params, body, ctx) {
+      async setGlobalToken(_params, body, _ctx) {
+        const b = requireBody(body);
+        const token = b.token;
+        if (!token || typeof token !== "string") {
+          throw new ValidationError("token (string) is required");
+        }
+        if (!token.startsWith("sk-ant-oat01-")) {
+          throw new ValidationError("Token must be a Claude OAuth token (sk-ant-oat01-...)");
+        }
+        this.auth.setGlobalToken(token);
+        return { status: 200, body: { ok: true } };
+      }
+      async setWikiToken(params, body, ctx) {
         const wikiId = params["id"];
         this.requireWiki(wikiId, ctx.callerUid);
         const b = requireBody(body);
-        const key = b.key;
-        if (!key || typeof key !== "string") {
-          throw new ValidationError("API key is required");
+        const token = b.token;
+        if (!token || typeof token !== "string") {
+          throw new ValidationError("token (string) is required");
         }
-        this.auth.setApiKey(wikiId, key);
-        this.db.logAudit(wikiId, "wiki.api_key_set");
+        if (!token.startsWith("sk-ant-oat01-")) {
+          throw new ValidationError("Token must be a Claude OAuth token (sk-ant-oat01-...)");
+        }
+        this.auth.setWikiToken(wikiId, token);
+        this.db.logAudit(wikiId, "wiki.oauth_token_set");
         return { status: 200, body: { ok: true } };
       }
       async setCredentials(params, body, ctx) {
@@ -1372,6 +1485,21 @@ var init_routes = __esm({
         const stored = this.scaffold.writeRawFile(wikiId, filename, buffer);
         return { status: 201, body: { ok: true, data: { filename: stored } } };
       }
+      // ── File browsing ────────────────────────────────────────────────────
+      async listFiles(params, body, ctx) {
+        const wikiId = params["id"];
+        this.requireWiki(wikiId, ctx.callerUid);
+        const prefix = ctx.query?.get("prefix") ?? "";
+        const files = this.scaffold.listWikiFiles(wikiId, prefix);
+        return { status: 200, body: { ok: true, data: files } };
+      }
+      async readFile(params, body, ctx) {
+        const wikiId = params["id"];
+        this.requireWiki(wikiId, ctx.callerUid);
+        const filePath = params["path"];
+        const content = this.scaffold.readWikiFile(wikiId, filePath);
+        return { status: 200, body: { ok: true, data: { path: filePath, content } } };
+      }
       // ── Helpers ──────────────────────────────────────────────────────────────
       requireWiki(wikiId, callerUid) {
         const wiki = this.db.getWiki(wikiId);
@@ -1533,7 +1661,8 @@ var init_server = __esm({
             wait,
             res,
             // pass response for streaming login output
-            callerUid
+            callerUid,
+            query: urlObj.searchParams
           });
           if (res.writableEnded) return;
           sendJson(res, result.status, result.body);
@@ -1577,7 +1706,7 @@ async function startDaemon() {
   namespace.checkCapabilities();
   namespace.ensureDirectories();
   const scaffold = new WikiScaffold(WIKIS_DIR);
-  const auth = new AuthManager(WIKIS_DIR, process.env["ANTHROPIC_API_KEY"]);
+  const auth = new AuthManager(WIKIS_DIR);
   const runner = new ClaudeRunner(namespace, auth, db, WIKIS_DIR);
   const queue = new QueueManager(db, runner, AUTO_LINT_INTERVAL);
   const routes = new RouteHandler(db, scaffold, namespace, queue, auth);
@@ -1617,7 +1746,7 @@ var init_daemon = __esm({
 });
 
 // src/index.ts
-import { Command as Command13 } from "commander";
+import { Command as Command14 } from "commander";
 
 // src/cli/commands/serve.ts
 import { Command } from "commander";
@@ -1762,8 +1891,11 @@ var MemexClient = class {
   chownWiki(wikiId, uid) {
     return this.request("POST", `/wikis/${wikiId}/chown`, { uid });
   }
-  setApiKey(wikiId, key) {
-    return this.request("POST", `/wikis/${wikiId}/api-key`, { key });
+  setGlobalToken(token) {
+    return this.request("POST", "/auth/token", { token });
+  }
+  setWikiToken(wikiId, token) {
+    return this.request("POST", `/wikis/${wikiId}/token`, { token });
   }
   setCredentials(wikiId, credentials) {
     return this.request("POST", `/wikis/${wikiId}/credentials`, { credentials });
@@ -1778,6 +1910,13 @@ var MemexClient = class {
   listJobs(wikiId) {
     return this.request("GET", `/wikis/${wikiId}/jobs`);
   }
+  listFiles(wikiId, prefix) {
+    const path = `/wikis/${wikiId}/files` + (prefix ? `?prefix=${encodeURIComponent(prefix)}` : "");
+    return this.request("GET", path);
+  }
+  readFile(wikiId, filePath) {
+    return this.request("GET", `/wikis/${wikiId}/files/${filePath}`);
+  }
   getAuditLog(wikiId, limit) {
     const path = `/wikis/${wikiId}/logs` + (limit ? `?limit=${limit}` : "");
     return this.request("GET", path);
@@ -1869,7 +2008,7 @@ import { createInterface as createInterface2 } from "node:readline";
 import { execFileSync as execFileSync2 } from "node:child_process";
 init_constants();
 import { join as join5 } from "node:path";
-var configCommand = new Command4("config").description("Configure a wiki").argument("<wikiId>", "Wiki to configure").option("--edit", "Open .claude.md in $EDITOR").option("--set-key", "Set the API key for this wiki").option("--model <model>", "Set the default model (e.g., sonnet, opus, haiku)").option("--allowed-tools <tools>", "Set allowed tools (comma-separated, e.g., WebSearch,WebFetch)").option("--list-tools", "Show available tools and current configuration").action(async (wikiId, opts) => {
+var configCommand = new Command4("config").description("Configure a wiki").argument("<wikiId>", "Wiki to configure").option("--edit", "Open .claude.md in $EDITOR").option("--set-token", "Set an OAuth token for this wiki (from `claude setup-token`)").option("--model <model>", "Set the default model (e.g., sonnet, opus, haiku)").option("--allowed-tools <tools>", "Set allowed tools (comma-separated, e.g., WebSearch,WebFetch)").option("--list-tools", "Show available tools and current configuration").action(async (wikiId, opts) => {
   const client = new MemexClient();
   const wikiResp = await client.getWiki(wikiId);
   if (!wikiResp.ok) {
@@ -1888,14 +2027,20 @@ var configCommand = new Command4("config").description("Configure a wiki").argum
     }
     return;
   }
-  if (opts.setKey) {
-    const key = await promptSecret("API key: ");
-    const resp = await client.setApiKey(wikiId, key);
+  if (opts.setToken) {
+    const token = await promptSecret("OAuth token (from `claude setup-token`): ");
+    if (!token.startsWith("sk-ant-oat01-")) {
+      console.error(`Error: Token must start with 'sk-ant-oat01-'.`);
+      console.error(`
+Generate one by running: claude setup-token`);
+      process.exit(1);
+    }
+    const resp = await client.setWikiToken(wikiId, token);
     if (!resp.ok) {
       console.error(`Error: ${resp.error}`);
       process.exit(1);
     }
-    console.log(`API key set for '${wikiId}'`);
+    console.log(`OAuth token set for '${wikiId}'`);
     return;
   }
   if (opts.listTools) {
@@ -1981,27 +2126,36 @@ import { readFileSync as readFileSync5, existsSync as existsSync6 } from "node:f
 import { join as join6 } from "node:path";
 import { homedir } from "node:os";
 var DEFAULT_CREDS_PATH = join6(homedir(), ".claude", ".credentials.json");
-var loginCommand = new Command5("login").description("Copy Claude credentials into a wiki").argument("<wikiId>", "Wiki to authenticate").option("--credentials <path>", "Path to .credentials.json", DEFAULT_CREDS_PATH).option("--api-key <key>", "Use an API key instead of OAuth credentials").action(async (wikiId, opts) => {
+var loginCommand = new Command5("login").description("Copy Claude credentials into a wiki").argument("<wikiId>", "Wiki to authenticate").option("--credentials <path>", "Path to .credentials.json", DEFAULT_CREDS_PATH).option("--token <token>", "Use an OAuth token from `claude setup-token`").action(async (wikiId, opts) => {
   const client = new MemexClient();
   const wikiResp = await client.getWiki(wikiId);
   if (!wikiResp.ok) {
     console.error(`Error: ${wikiResp.error}`);
     process.exit(1);
   }
-  if (opts.apiKey) {
-    const resp2 = await client.setApiKey(wikiId, opts.apiKey);
+  if (opts.token) {
+    if (!opts.token.startsWith("sk-ant-oat01-")) {
+      console.error(`Error: Token must start with 'sk-ant-oat01-'.`);
+      console.error(`
+Generate one by running: claude setup-token`);
+      process.exit(1);
+    }
+    const resp2 = await client.setWikiToken(wikiId, opts.token);
     if (!resp2.ok) {
       console.error(`Error: ${resp2.error}`);
       process.exit(1);
     }
-    console.log(`API key stored for wiki '${wikiId}'.`);
+    console.log(`OAuth token stored for wiki '${wikiId}'.`);
     return;
   }
   const credsPath = opts.credentials;
   if (!existsSync6(credsPath)) {
     console.error(`Error: Credentials file not found: ${credsPath}`);
     console.error(`
-Run 'claude auth login' first, or pass --credentials <path>`);
+Options:`);
+    console.error(`  1. Run 'claude auth login' first, then re-run this command`);
+    console.error(`  2. Run 'claude setup-token' and use: memex login ${wikiId} --token <token>`);
+    console.error(`  3. Set globally: memex setup-token <token>`);
     process.exit(1);
   }
   const credentials = readFileSync5(credsPath, "utf-8");
@@ -2291,8 +2445,42 @@ function padRow2(id, type, status, created) {
   return `${id.padEnd(8)} ${type.padEnd(10)} ${status.padEnd(12)} ${created}`;
 }
 
+// src/cli/commands/setup-token.ts
+import { Command as Command13 } from "commander";
+var TOKEN_PREFIX = "sk-ant-oat01-";
+var setupTokenCommand = new Command13("setup-token").description("Store a long-lived OAuth token from `claude setup-token` for all wikis").argument("<token>", "OAuth token (sk-ant-oat01-...)").option("--wiki <wikiId>", "Store for a specific wiki only (instead of globally)").action(async (token, opts) => {
+  if (!token.startsWith(TOKEN_PREFIX)) {
+    console.error(`Error: Token must start with '${TOKEN_PREFIX}'.`);
+    console.error(`
+Generate one by running: claude setup-token`);
+    process.exit(1);
+  }
+  const client = new MemexClient();
+  if (opts.wiki) {
+    const wikiResp = await client.getWiki(opts.wiki);
+    if (!wikiResp.ok) {
+      console.error(`Error: ${wikiResp.error}`);
+      process.exit(1);
+    }
+    const resp = await client.setWikiToken(opts.wiki, token);
+    if (!resp.ok) {
+      console.error(`Error: ${resp.error}`);
+      process.exit(1);
+    }
+    console.log(`OAuth token stored for wiki '${opts.wiki}'.`);
+  } else {
+    const resp = await client.setGlobalToken(token);
+    if (!resp.ok) {
+      console.error(`Error: ${resp.error}`);
+      process.exit(1);
+    }
+    console.log("Global OAuth token stored.");
+    console.log("All wikis without per-wiki credentials will use this token.");
+  }
+});
+
 // src/index.ts
-var program = new Command13();
+var program = new Command14();
 program.name("memex").description("Isolated, queued claude -p runtime for persistent knowledge bases").version("0.1.0");
 program.addCommand(serveCommand);
 program.addCommand(createCommand);
@@ -2306,6 +2494,7 @@ program.addCommand(logsCommand);
 program.addCommand(listCommand);
 program.addCommand(chownCommand);
 program.addCommand(statusCommand);
+program.addCommand(setupTokenCommand);
 program.parseAsync().catch((err) => {
   console.error(err.message ?? err);
   process.exit(1);