@xmemo/client 0.4.160 → 0.4.161

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@xmemo/client",
-  "version": "0.4.160",
+  "version": "0.4.161",
   "description": "Privacy-first CLI and MCP setup helper for XMemo.",
   "type": "module",
   "bin": {

package/plugins/kiro/POWER.md

@@ -27,34 +27,36 @@ This command:
 
 ## Authentication
 
-### OAuth (Recommended)
+### Environment Variable (Required)
 
-The power uses OAuth by default. On first use, Kiro will open a browser window for you to authorize XMemo access.
+Kiro requires the `XMEMO_KEY` environment variable to be set for authentication. 
 
-### Environment Variable (Alternative)
-
-If OAuth is unavailable, you can use an environment variable:
+First, authenticate with XMemo:
 
 ```bash
 xmemo login
 ```
 
-Or manually set your token:
-
-```bash
-printf '%s\n' 'your-token' | xmemo token add --from-stdin
-```
-
 Then set the environment variable:
 
 ```bash
-# PowerShell
-[Environment]::SetEnvironmentVariable("XMEMO_KEY", "your-token", "User")
+# PowerShell (User-level, persistent)
+$token = xmemo token show --format raw
+[Environment]::SetEnvironmentVariable("XMEMO_KEY", $token, "User")
+
+# PowerShell (Session-only)
+$env:XMEMO_KEY = xmemo token show --format raw
 
 # Bash/Zsh
-export XMEMO_KEY="your-token"
+export XMEMO_KEY=$(xmemo token show --format raw)
 ```
 
+**Important**: Restart Kiro after setting the environment variable for the first time.
+
+### Why Environment Variable?
+
+Kiro currently has a known issue with OAuth token persistence. Using an environment variable ensures reliable authentication across all sessions.
+
 ## Usage
 
 Once installed, Kiro will automatically use XMemo when appropriate. The steering file instructs Kiro to:
@@ -134,7 +136,7 @@ To remove XMemo from Kiro, manually edit `~/.kiro/settings/mcp.json` and remove
 ## Privacy & Security
 
 - No telemetry or analytics
-- OAuth tokens are stored securely by Kiro
+- Tokens are managed by XMemo CLI and referenced via environment variable
 - Agent identity headers are non-secret attribution IDs
 - Environment variable approach keeps tokens out of config files
 - All memory content is user-owned and controlled through your XMemo account

package/plugins/kiro/README.md

@@ -10,15 +10,29 @@ XMemo gives Kiro a hosted, user-owned memory layer for durable project context,
 
 ## Authentication
 
-The Kiro Power is OAuth-first. The power metadata stores only the hosted MCP URL; the first XMemo tool use should open the browser-based OAuth flow. Do not add `Authorization`, `Bearer`, or `XMEMO_KEY` to the power's `mcp.json`.
+The Kiro Power uses environment variable authentication due to a known Kiro IDE OAuth token persistence issue. The power metadata stores only the hosted MCP URL plus the `XMEMO_KEY` environment variable reference.
 
-Manual direct-key fallback remains available through:
+Users should authenticate with:
 
 ```bash
-xmemo mcp config --client kiro --json
+xmemo login
+```
+
+Then set the environment variable:
+
+```bash
+# PowerShell (persistent)
+$token = xmemo token show --format raw
+[Environment]::SetEnvironmentVariable("XMEMO_KEY", $token, "User")
 ```
 
-Use that fallback only for local/manual installs where Kiro OAuth is unavailable.
+Then restart Kiro for the environment variable to take effect.
+
+Manual configuration is available through:
+
+```bash
+xmemo mcp config --client kiro --json
+```
 
 ## Reviewer smoke prompts
 

package/plugins/kiro/SETUP.md

@@ -15,6 +15,8 @@ This will:
 2. Configure authentication via `XMEMO_KEY` environment variable
 3. Set up agent identity headers for attribution
 
+**Note**: Kiro uses environment variable authentication (`XMEMO_KEY`) as the recommended method. Make sure to set the environment variable before using XMemo.
+
 ## Step-by-Step Setup
 
 ### 1. Install XMemo CLI
@@ -25,7 +27,7 @@ npm install -g @xmemo/client
 
 ### 2. Authenticate with XMemo
 
-Choose one of these methods:
+Kiro requires the `XMEMO_KEY` environment variable to be set. Choose one of these methods:
 
 #### Option A: OAuth Login (Recommended)
 
@@ -33,28 +35,36 @@ Choose one of these methods:
 xmemo login
 ```
 
-This opens your browser for secure OAuth authentication.
+This opens your browser for secure OAuth authentication and automatically stores your token.
 
 #### Option B: Direct Token
 
-If you already have a token:
+If you already have a token, add it to the token store:
 
 ```bash
 printf '%s\n' 'your-token' | xmemo token add --from-stdin
 ```
 
-Set the environment variable:
+After authentication, export your token to the environment variable:
 
-**PowerShell:**
+**PowerShell (User-level, persistent):**
 ```powershell
-[Environment]::SetEnvironmentVariable("XMEMO_KEY", "your-token", "User")
+$token = xmemo token show --format raw
+[Environment]::SetEnvironmentVariable("XMEMO_KEY", $token, "User")
+```
+
+**PowerShell (Session-only):**
+```powershell
+$env:XMEMO_KEY = xmemo token show --format raw
 ```
 
 **Bash/Zsh:**
 ```bash
-export XMEMO_KEY="your-token"
+export XMEMO_KEY=$(xmemo token show --format raw)
 ```
 
+**Note**: The environment variable must be set before starting Kiro for the MCP server to authenticate successfully.
+
 ### 3. Configure Kiro
 
 Preview the configuration first:
@@ -162,7 +172,7 @@ xmemo auth status
 xmemo token status --verify
 ```
 
-**Verify environment variable:**
+**Verify environment variable is set:**
 
 PowerShell:
 ```powershell
@@ -174,6 +184,16 @@ Bash/Zsh:
 echo $XMEMO_KEY
 ```
 
+**If the environment variable is not set, set it:**
+
+PowerShell (User-level, persistent):
+```powershell
+$token = xmemo token show --format raw
+[Environment]::SetEnvironmentVariable("XMEMO_KEY", $token, "User")
+```
+
+**Then restart Kiro** for the environment variable to be loaded.
+
 **Re-authenticate if needed:**
 ```bash
 xmemo login

package/plugins/kiro/steering/AGENTS.md

@@ -16,7 +16,7 @@ Use XMemo when the task may depend on prior memory, durable project context, cod
 2. **Save only durable information** that the user asks to remember or that is clearly useful across future Kiro sessions.
 3. **Keep memory content concise, scoped, and useful**. Prefer concrete facts, decisions, links to public docs, and action items over chat transcripts.
 4. **For destructive memory actions**, confirm the exact target before deleting, forgetting, or overwriting.
-5. **If authorization is missing or expired**, ask the user to reconnect XMemo through Kiro's OAuth flow. Do not request raw bearer tokens in chat.
+5. **If authorization errors occur**, ask the user to verify the `XMEMO_KEY` environment variable is set and to restart Kiro.
 
 ## Good Memory Candidates
 

package/src/mcp/formats/json.js

@@ -30,7 +30,7 @@ export const JSON_MCP_CLIENT_DEFINITIONS = Object.freeze([
   nestedTransportClientDefinition('continue', 'Continue', 'defaultContinueConfigPath'),
   commandClientDefinition('claude-desktop', 'Claude Desktop', 'defaultClaudeConfigPath'),
   httpClientDefinition('openclaw', 'OpenClaw', 'defaultOpenclawConfigPath', { urlKey: 'url', authentication: 'env-bearer' }),
-  httpClientDefinition('kiro', 'Kiro', 'defaultKiroConfigPath', { urlKey: 'url', authentication: 'env-bearer' }),
+  httpClientDefinition('kiro', 'Kiro', 'defaultKiroConfigPath', { urlKey: 'url', authentication: 'env-bearer', requiredTokenEnv: TOKEN_ENV_VAR }),
   commandClientDefinition('zed', 'Zed', 'defaultZedConfigPath', { section: 'context_servers' }),
   nestedTransportClientDefinition('jetbrains', 'JetBrains', 'defaultJetbrainsConfigPath'),
   remoteClientDefinition('opencode', 'OpenCode', 'defaultOpencodeConfigPath'),
@@ -182,10 +182,6 @@ function headersForDefinition(definition, identity) {
 
   if (definition.authentication === 'env-bearer') {
     headers.Authorization = authorizationHeader(definition.bearerSyntax);
-  } else if (definition.id === 'kiro') {
-    if (process.env[TOKEN_ENV_VAR]) {
-      headers.Authorization = authorizationHeader(definition.bearerSyntax ?? 'env-colon');
-    }
   }
 
   return orderedHeaders(headers);