bikky 0.4.1 → 0.4.3

package/dist/package-verifier.js

@@ -0,0 +1,83 @@
+import fs from "node:fs";
+import path from "node:path";
+const privateIdentityPathPattern = () => new RegExp([
+    ["saber", "zrelli", "private"].join("-"),
+    ["saber", "apate"].join("-"),
+    "ap" + "ate",
+].join("|"), "i");
+const privateIdentityContentPattern = () => new RegExp([
+    ["saber", "zrelli", "private"].join("-"),
+    ["saber", "apate"].join("-"),
+    ["apate", "ai"].join("-"),
+    ["apate", "com"].join("\\."),
+].join("|"), "i");
+export const TEXT_EXTENSIONS = new Set([
+    ".css",
+    ".d.ts",
+    ".html",
+    ".js",
+    ".json",
+    ".md",
+    ".svg",
+    ".txt",
+]);
+export const FORBIDDEN_PATH_PATTERNS = [
+    { re: /(^|\/)(tasks|node_modules|\.git)(\/|$)/, reason: "task, node_modules, or git metadata" },
+    { re: /(^|\/)\.env($|\.)/, reason: "environment files" },
+    { re: /(\.test|\.itest)\.(js|d\.ts)$/i, reason: "compiled test artifacts" },
+    { re: /(^|\/)(id_rsa|id_ed25519|.*\.pem|.*\.key)$/i, reason: "private key material" },
+    { re: /(^|\/)Users\/|\/Users\//i, reason: "absolute local user paths" },
+    { re: privateIdentityPathPattern(), reason: "private identity references" },
+];
+export const FORBIDDEN_CONTENT_PATTERNS = [
+    { re: /gh[pousr]_[A-Za-z0-9_]{20,}/, reason: "GitHub token" },
+    { re: /github_pat_[A-Za-z0-9_]{20,}/, reason: "GitHub fine-grained token" },
+    { re: /sk-[A-Za-z0-9]{20,}/, reason: "OpenAI-style API key" },
+    { re: /AKIA[0-9A-Z]{16}/, reason: "AWS access key id" },
+    { re: /AIza[0-9A-Za-z_-]{35}/, reason: "Google API key" },
+    { re: /xox[baprs]-[0-9A-Za-z-]{20,}/, reason: "Slack token" },
+    { re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/, reason: "private key block" },
+    { re: /\/Users\/saber\b/i, reason: "local user path" },
+    { re: privateIdentityContentPattern(), reason: "private identity reference" },
+];
+export function normalizePackPath(file) {
+    return file.replace(/^package\//, "");
+}
+export function findForbiddenPath(file, patterns = FORBIDDEN_PATH_PATTERNS) {
+    return patterns.find(({ re }) => re.test(file)) ?? null;
+}
+export function findForbiddenContent(content, patterns = FORBIDDEN_CONTENT_PATTERNS) {
+    return patterns.find(({ re }) => re.test(content)) ?? null;
+}
+export function assertPackageContents(pkg, files, patterns = FORBIDDEN_PATH_PATTERNS) {
+    const fileSet = new Set(files);
+    for (const requiredPath of pkg.requiredPaths) {
+        if (!fileSet.has(requiredPath)) {
+            throw new Error(`${pkg.name} package is missing required file: ${requiredPath}`);
+        }
+    }
+    for (const file of files) {
+        const forbidden = findForbiddenPath(file, patterns);
+        if (forbidden) {
+            throw new Error(`${pkg.name} package includes forbidden path (${forbidden.reason}): ${file}`);
+        }
+    }
+}
+export function shouldScanTextByMetadata(file, size, textExtensions = TEXT_EXTENSIONS) {
+    if (size > 2_000_000)
+        return false;
+    const lower = file.toLowerCase();
+    if (lower.endsWith(".d.ts"))
+        return true;
+    return textExtensions.has(path.extname(lower));
+}
+export function shouldScanText(file) {
+    return shouldScanTextByMetadata(file, fs.statSync(file).size);
+}
+export function assertSafeTextContent(pkgName, relPath, content) {
+    const forbidden = findForbiddenContent(content);
+    if (forbidden) {
+        throw new Error(`${pkgName} package includes forbidden content (${forbidden.reason}) in ${relPath}`);
+    }
+}
+//# sourceMappingURL=package-verifier.js.map

package/dist/provenance/origin.d.ts

@@ -0,0 +1,57 @@
+import type { BikkyConfig } from "../config.js";
+export type OriginIdentityType = "user" | "coding_agent" | "daemon" | "ui" | "api" | "cli" | "docs" | "system" | "unknown";
+export type OriginIdentitySource = "config" | "shell" | "git" | "env" | "hostname";
+export type OriginInterface = "mcp" | "daemon" | "ui" | "api" | "cli" | "system";
+export type OriginAction = "create" | "update" | "delete" | "verify" | "forget" | "review" | "correct" | "reinforce" | "supersede" | "feedback";
+export type OriginMetadataValue = string | number | boolean | null;
+export interface OriginIdentity {
+    type: OriginIdentityType;
+    id: string | null;
+    name: string | null;
+    source: OriginIdentitySource;
+}
+export interface OperationOrigin {
+    schema_version: 1;
+    user: OriginIdentity | null;
+    agent: OriginIdentity;
+    interface: OriginInterface;
+    operation: {
+        action: OriginAction;
+        tool?: string;
+        route?: string;
+        subsystem?: string;
+        outcome?: string;
+    };
+    metadata?: Record<string, OriginMetadataValue>;
+}
+export interface ResolveUserIdentityOptions {
+    config?: Pick<BikkyConfig, "identity"> | null;
+    env?: NodeJS.ProcessEnv;
+    cwd?: string;
+    hostname?: string;
+    shellUsername?: string | null;
+}
+export interface ResolveAgentIdentityOptions {
+    type?: OriginIdentityType;
+    interface?: OriginInterface;
+    env?: NodeJS.ProcessEnv;
+    hostname?: string;
+}
+export interface BuildOperationOriginInput extends ResolveUserIdentityOptions {
+    interface: OriginInterface;
+    action: OriginAction;
+    tool?: string;
+    route?: string;
+    subsystem?: string;
+    outcome?: string;
+    agentType?: OriginIdentityType;
+    metadata?: Record<string, unknown>;
+}
+export declare function normalizeOriginId(value: string | null | undefined): string | null;
+export declare function resolveUserIdentity(options?: ResolveUserIdentityOptions): OriginIdentity;
+export declare function inferUserIdentity(options?: Omit<ResolveUserIdentityOptions, "config">): OriginIdentity;
+export declare function resolveAgentIdentity(options?: ResolveAgentIdentityOptions): OriginIdentity;
+export declare function sanitizeOriginMetadata(metadata: Record<string, unknown> | undefined): Record<string, OriginMetadataValue> | undefined;
+export declare function buildOperationOrigin(input: BuildOperationOriginInput): OperationOrigin;
+export declare function isOperationOrigin(value: unknown): value is OperationOrigin;
+//# sourceMappingURL=origin.d.ts.map

package/dist/provenance/origin.js

@@ -0,0 +1,254 @@
+import crypto from "node:crypto";
+import { execFileSync } from "node:child_process";
+import os from "node:os";
+const MAX_NAME_LENGTH = 128;
+const MAX_OPERATION_FIELD_LENGTH = 128;
+const MAX_METADATA_KEYS = 32;
+const MAX_METADATA_KEY_LENGTH = 64;
+const MAX_METADATA_STRING_LENGTH = 256;
+const hash = (value) => crypto.createHash("sha256").update(value.trim().toLowerCase()).digest("hex").slice(0, 12);
+const slug = (value) => value.trim().toLowerCase().replace(/[^a-z0-9._-]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 64);
+const looksLikeEmail = (value) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value.trim());
+const cleanName = (value) => {
+    const trimmed = value?.trim();
+    if (!trimmed || looksLikeEmail(trimmed))
+        return null;
+    return trimmed.slice(0, MAX_NAME_LENGTH);
+};
+const cleanOperationField = (value) => {
+    const trimmed = value?.trim();
+    return trimmed ? trimmed.slice(0, MAX_OPERATION_FIELD_LENGTH) : undefined;
+};
+export function normalizeOriginId(value) {
+    const trimmed = value?.trim();
+    if (!trimmed)
+        return null;
+    if (looksLikeEmail(trimmed))
+        return `email:${hash(trimmed)}`;
+    const normalized = slug(trimmed);
+    return normalized || `id:${hash(trimmed)}`;
+}
+function generatedId(prefix, value) {
+    const trimmed = value?.trim();
+    if (!trimmed)
+        return null;
+    if (looksLikeEmail(trimmed))
+        return `${prefix}:email:${hash(trimmed)}`;
+    const normalized = slug(trimmed);
+    return normalized ? `${prefix}:${normalized}` : `${prefix}:${hash(trimmed)}`;
+}
+function configuredIdentity(type, rawId, rawName, source) {
+    const name = cleanName(rawName);
+    const id = normalizeOriginId(rawId) ?? (name ? generatedId(type === "user" ? "user" : type, name) : null);
+    if (!id && !name)
+        return null;
+    return { type, id, name, source };
+}
+function readGitConfig(key, cwd) {
+    try {
+        const value = execFileSync("git", ["config", "--get", key], {
+            cwd,
+            encoding: "utf8",
+            stdio: ["ignore", "pipe", "ignore"],
+            timeout: 1000,
+        }).trim();
+        return value || undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+function gitUserIdentity(cwd) {
+    const gitName = readGitConfig("user.name", cwd);
+    const gitEmail = readGitConfig("user.email", cwd);
+    const nameSlug = slug(gitName ?? "");
+    if (gitEmail) {
+        return {
+            type: "user",
+            id: nameSlug ? `git:${nameSlug}:${hash(gitEmail)}` : `git:${hash(gitEmail)}`,
+            name: cleanName(gitName),
+            source: "git",
+        };
+    }
+    if (nameSlug) {
+        return {
+            type: "user",
+            id: `git:${nameSlug}`,
+            name: cleanName(gitName),
+            source: "git",
+        };
+    }
+    return null;
+}
+function shellUserName(options) {
+    if (Object.prototype.hasOwnProperty.call(options, "shellUsername") && options.shellUsername === null) {
+        return null;
+    }
+    const explicit = cleanName(options.shellUsername);
+    if (explicit)
+        return explicit;
+    try {
+        const user = os.userInfo().username;
+        const cleaned = cleanName(user);
+        if (cleaned)
+            return cleaned;
+    }
+    catch {
+        // ignore and fall through to env-derived shell names
+    }
+    const env = options.env ?? process.env;
+    return cleanName(env.USER ?? env.LOGNAME ?? env.USERNAME);
+}
+function hostnameValue(hostname) {
+    const explicit = hostname?.trim();
+    if (explicit)
+        return explicit;
+    const detected = os.hostname().trim();
+    return detected || "unknown-host";
+}
+function hostnameIdentity(type, hostname, prefix) {
+    const host = hostnameValue(hostname);
+    return {
+        type,
+        id: generatedId(prefix ?? "host", host),
+        name: cleanName(host),
+        source: "hostname",
+    };
+}
+export function resolveUserIdentity(options = {}) {
+    const env = options.env ?? process.env;
+    const fromConfig = configuredIdentity("user", options.config?.identity.user_id, options.config?.identity.user_name, "config");
+    if (fromConfig)
+        return fromConfig;
+    const fromEnv = configuredIdentity("user", env.BIKKY_USER_ID, env.BIKKY_USER_NAME, "env");
+    if (fromEnv)
+        return fromEnv;
+    const fromGit = gitUserIdentity(options.cwd);
+    if (fromGit)
+        return fromGit;
+    const shellName = shellUserName(options);
+    if (shellName) {
+        return {
+            type: "user",
+            id: generatedId("shell", shellName),
+            name: shellName,
+            source: "shell",
+        };
+    }
+    return hostnameIdentity("user", options.hostname);
+}
+export function inferUserIdentity(options = {}) {
+    return resolveUserIdentity({ ...options, config: null });
+}
+function defaultAgentType(originInterface) {
+    switch (originInterface) {
+        case "mcp":
+            return "coding_agent";
+        case "daemon":
+            return "daemon";
+        case "ui":
+            return "ui";
+        case "api":
+            return "api";
+        case "cli":
+            return "cli";
+        case "system":
+            return "system";
+    }
+}
+function defaultAgentName(type, originInterface) {
+    if (type === "coding_agent" && originInterface === "mcp")
+        return "Bikky MCP client";
+    if (type === "daemon")
+        return "Bikky daemon";
+    if (type === "ui")
+        return "Bikky UI";
+    if (type === "api")
+        return "Bikky API";
+    if (type === "cli")
+        return "Bikky CLI";
+    if (type === "system")
+        return "Bikky system";
+    if (type === "docs")
+        return "Bikky docs importer";
+    return "Bikky";
+}
+export function resolveAgentIdentity(options = {}) {
+    const env = options.env ?? process.env;
+    const type = options.type ?? (options.interface ? defaultAgentType(options.interface) : "unknown");
+    const envIdentity = configuredIdentity(type, env.BIKKY_AGENT_ID, env.BIKKY_AGENT_NAME, "env");
+    if (envIdentity)
+        return envIdentity;
+    const host = hostnameValue(options.hostname);
+    return {
+        type,
+        id: generatedId(type, host),
+        name: cleanName(`${defaultAgentName(type, options.interface)} on ${host}`),
+        source: "hostname",
+    };
+}
+export function sanitizeOriginMetadata(metadata) {
+    if (!metadata)
+        return undefined;
+    const sanitized = {};
+    for (const [rawKey, rawValue] of Object.entries(metadata).slice(0, MAX_METADATA_KEYS)) {
+        const key = rawKey.trim().replace(/[^a-zA-Z0-9_.-]+/g, "_").slice(0, MAX_METADATA_KEY_LENGTH);
+        if (!key)
+            continue;
+        if (rawValue === null || typeof rawValue === "boolean") {
+            sanitized[key] = rawValue;
+        }
+        else if (typeof rawValue === "number") {
+            if (Number.isFinite(rawValue))
+                sanitized[key] = rawValue;
+        }
+        else if (typeof rawValue === "string") {
+            sanitized[key] = rawValue.slice(0, MAX_METADATA_STRING_LENGTH);
+        }
+    }
+    return Object.keys(sanitized).length > 0 ? sanitized : undefined;
+}
+export function buildOperationOrigin(input) {
+    const operation = {
+        action: input.action,
+    };
+    const tool = cleanOperationField(input.tool);
+    const route = cleanOperationField(input.route);
+    const subsystem = cleanOperationField(input.subsystem);
+    const outcome = cleanOperationField(input.outcome);
+    if (tool)
+        operation.tool = tool;
+    if (route)
+        operation.route = route;
+    if (subsystem)
+        operation.subsystem = subsystem;
+    if (outcome)
+        operation.outcome = outcome;
+    const origin = {
+        schema_version: 1,
+        user: resolveUserIdentity(input),
+        agent: resolveAgentIdentity({
+            type: input.agentType,
+            interface: input.interface,
+            env: input.env,
+            hostname: input.hostname,
+        }),
+        interface: input.interface,
+        operation,
+    };
+    const metadata = sanitizeOriginMetadata(input.metadata);
+    if (metadata)
+        origin.metadata = metadata;
+    return origin;
+}
+export function isOperationOrigin(value) {
+    if (!value || typeof value !== "object")
+        return false;
+    const candidate = value;
+    return candidate.schema_version === 1
+        && Boolean(candidate.agent)
+        && typeof candidate.interface === "string"
+        && Boolean(candidate.operation)
+        && typeof candidate.operation?.action === "string";
+}
+//# sourceMappingURL=origin.js.map

package/docs/config/fully-hosted.md

@@ -1,16 +1,16 @@
 # Fully hosted config
 
-Best for performance and teams. This setup uses Qdrant Cloud for managed vector storage and OpenAI-compatible hosted models for extraction, curation, and recall.
+Best for performance and teams. This setup uses Qdrant Cloud for managed vector storage and a hosted gateway/provider for extraction, curation, and recall.
 
 ## What you need
 
 - A Qdrant Cloud cluster URL.
 - A Qdrant API key.
-- An OpenAI API key, or another hosted provider configured in the full configuration guide.
+- A Portkey API key (recommended) — one key, many upstream providers, with built-in routing, fallbacks, and observability. Get one at [portkey.ai](https://portkey.ai). Or use OpenAI / Bedrock directly.
 
-For both `embedding.provider` and `llm.provider`, possible values are `openai`, `bedrock`, or `portkey` for hosted models. `ollama` is also supported when you want local model calls.
+For both `embedding.provider` and `llm.provider`, possible values are `portkey`, `openai`, or `bedrock` for hosted models. `ollama` is also supported when you want local model calls.
 
-## Config
+## Config (recommended: Portkey)
 
 Save this as `~/.bikky/config.json`:
 
@@ -18,10 +18,36 @@ Save this as `~/.bikky/config.json`:
 {
   "qdrant_url": "https://your-cluster.cloud.qdrant.io:6333",
   "qdrant_api_key": "your-qdrant-api-key",
+  "embedding": {
+    "provider": "portkey",
+    "model": "@openai/text-embedding-3-small",
+    "dimensions": 1024
+  },
+  "llm": {
+    "provider": "portkey",
+    "model": "@anthropic/claude-sonnet-4"
+  }
+}
+```
+
+Then export the gateway key:
+
+```bash
+export PORTKEY_API_KEY="pk-..."
+```
+
+bikky uses **1024-dimensional embeddings** as the canonical default. This is portable across modern providers (OpenAI 3-small/3-large via Matryoshka truncation, Cohere v3, Voyage, Mistral, Bedrock Titan v2, BGE/E5) so you can switch providers later without re-embedding.
+
+`qdrant_api_key` is optional only for unauthenticated self-hosted Qdrant. Qdrant Cloud usually requires it.
+
+## Alternative: OpenAI directly
+
+```json
+{
   "embedding": {
     "provider": "openai",
     "model": "text-embedding-3-small",
-    "dimensions": 1536,
+    "dimensions": 1024,
     "api_key": "sk-..."
   },
   "llm": {
@@ -32,13 +58,7 @@ Save this as `~/.bikky/config.json`:
 }
 ```
 
-`qdrant_api_key` is optional only for unauthenticated self-hosted Qdrant. Qdrant Cloud usually requires it.
-
-Prefer not to store hosted model keys in the config file? Omit `api_key` above and set:
-
-```bash
-export OPENAI_API_KEY="sk-..."
-```
+Or set `OPENAI_API_KEY` in the environment instead of the config file.
 
 ## Check it
 
@@ -54,4 +74,4 @@ bikky stop && bikky start
 
 Then restart your editor so its MCP process reloads.
 
-For Bedrock, Portkey, custom base URLs, or model-specific dimensions, see the [full configuration guide](../configuration.md).
+For Bedrock, custom base URLs, or model-specific dimensions, see the [full configuration guide](https://github.com/bikky-dev/bikky/blob/main/docs/configuration.md).

package/docs/config/hosted-models.md

@@ -1,15 +1,15 @@
 # Local Qdrant + hosted models config
 
-This setup keeps Qdrant local while hosted embeddings and LLM calls handle extraction, curation, and recall.
+This setup keeps Qdrant local while a hosted gateway/provider handles extraction, curation, and recall.
 
 ## What you need
 
 - Qdrant running locally, usually with Docker.
-- An OpenAI API key, or another hosted provider configured in the full configuration guide.
+- A Portkey API key (recommended) — one key, many upstream providers, with built-in routing, fallbacks, and observability. Get one at [portkey.ai](https://portkey.ai). Or use OpenAI / Bedrock directly.
 
-For both `embedding.provider` and `llm.provider`, possible values are `openai`, `bedrock`, or `portkey` for hosted models. `ollama` is also supported when you want local model calls.
+For both `embedding.provider` and `llm.provider`, possible values are `portkey`, `openai`, or `bedrock` for hosted models. `ollama` is also supported when you want local model calls.
 
-## Config
+## Config (recommended: Portkey)
 
 Save this as `~/.bikky/config.json`:
 
@@ -17,10 +17,36 @@ Save this as `~/.bikky/config.json`:
 {
   "qdrant_url": "http://localhost:6333",
   "qdrant_api_key": "",
+  "embedding": {
+    "provider": "portkey",
+    "model": "@openai/text-embedding-3-small",
+    "dimensions": 1024
+  },
+  "llm": {
+    "provider": "portkey",
+    "model": "@anthropic/claude-sonnet-4"
+  }
+}
+```
+
+Then export the gateway key:
+
+```bash
+export PORTKEY_API_KEY="pk-..."
+```
+
+bikky uses **1024-dimensional embeddings** as the canonical default. This is portable across modern providers (OpenAI 3-small/3-large via Matryoshka truncation, Cohere v3, Voyage, Mistral, Bedrock Titan v2, BGE/E5) so you can switch providers later without re-embedding.
+
+`qdrant_api_key` is optional. Leave it empty or omit it for local or unauthenticated self-hosted Qdrant.
+
+## Alternative: OpenAI directly
+
+```json
+{
   "embedding": {
     "provider": "openai",
     "model": "text-embedding-3-small",
-    "dimensions": 1536,
+    "dimensions": 1024,
     "api_key": "sk-..."
   },
   "llm": {
@@ -31,13 +57,7 @@ Save this as `~/.bikky/config.json`:
 }
 ```
 
-`qdrant_api_key` is optional. Leave it empty or omit it for local or unauthenticated self-hosted Qdrant.
-
-Prefer not to store hosted model keys in the config file? Omit `api_key` above and set:
-
-```bash
-export OPENAI_API_KEY="sk-..."
-```
+Or set `OPENAI_API_KEY` in the environment instead of the config file.
 
 ## Check it
 
@@ -47,4 +67,4 @@ bikky status
 
 If you started from a fresh install, run `bikky setup` after writing the config, then restart your editor so its MCP process reloads.
 
-For Bedrock, Portkey, custom base URLs, or model-specific dimensions, see the [full configuration guide](../configuration.md).
+For Bedrock, custom base URLs, or model-specific dimensions, see the [full configuration guide](https://github.com/bikky-dev/bikky/blob/main/docs/configuration.md).

package/docs/configuration.md

@@ -26,18 +26,32 @@ bikky status
 
 Config lives at `~/.bikky/config.json`, or at `BIKKY_HOME/config.json` when `BIKKY_HOME` is set. Environment variables override the config file.
 
+## Origin identity
+
+New memory writes store canonical `origin` metadata. `origin.user` is the configured human identity, `origin.agent` is the automated actor or local surface, `origin.interface` is the entry point (`mcp`, `daemon`, `ui`, `api`, `cli`, or `system`), and `origin.operation` records the create/update/delete/verify/forget/review/correct/reinforce/supersede/feedback action.
+
+`bikky setup` provisions `identity.user_id` and `identity.user_name` if they are missing. It never overwrites an existing configured user. Runtime detection uses this order:
+
+1. `identity.user_id` / `identity.user_name` from config
+2. `BIKKY_USER_ID` / `BIKKY_USER_NAME`
+3. Git config (`user.name`, `user.email`; email-like identifiers are hashed)
+4. Shell/OS username
+5. Hostname fallback
+
+MCP callers cannot pass `origin` or override the human user. Use `BIKKY_AGENT_ID` / `BIKKY_AGENT_NAME` only when you need to label the local automated agent process explicitly; otherwise bikky labels the daemon/UI/MCP surface from the hostname.
+
 ## Common setups
 
 If you know which path you want, start with the focused guide:
 
 | Setup                         | Best for                                                     | Guide                                                                    |
 | ----------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------------------ |
-| Fully hosted                  | Best performance and teams; managed vector storage and models | [Fully hosted config](config/fully-hosted.md)                            |
-| Local Qdrant + hosted models  | Local vector storage with hosted extraction and embedding    | [Hosted models config](config/hosted-models.md)                          |
-| Local and free                | Local evaluation; quality depends on local models            | [Local config guide](config/local.md)                                    |
-| Hosted Qdrant + local models  | Shared vector storage while keeping model calls local        | [Hosted Qdrant + local models](config/hosted-qdrant-local-models.md)     |
+| Fully hosted                  | Best performance and teams; managed vector storage and models | [Fully hosted config](https://github.com/bikky-dev/bikky/blob/main/docs/config/fully-hosted.md)                            |
+| Local Qdrant + hosted models  | Local vector storage with hosted extraction and embedding    | [Hosted models config](https://github.com/bikky-dev/bikky/blob/main/docs/config/hosted-models.md)                          |
+| Local and free                | Local evaluation; quality depends on local models            | [Local config guide](https://github.com/bikky-dev/bikky/blob/main/docs/config/local.md)                                    |
+| Hosted Qdrant + local models  | Shared vector storage while keeping model calls local        | [Hosted Qdrant + local models](https://github.com/bikky-dev/bikky/blob/main/docs/config/hosted-qdrant-local-models.md)     |
 
-Privacy-conscious users should also read the [privacy-first quickstart](privacy-first.md), which combines local Qdrant, local Ollama models, and transcript-capture disable controls.
+Privacy-conscious users should also read the [privacy-first quickstart](https://github.com/bikky-dev/bikky/blob/main/docs/privacy-first.md), which combines local Qdrant, local Ollama models, and transcript-capture disable controls.
 
 ### Fully hosted
 
@@ -139,6 +153,10 @@ Useful basics:
 | `QDRANT_URL`     | `qdrant_url`     | Required unless set in config                                               |
 | `QDRANT_API_KEY` | `qdrant_api_key` | Optional for local/unauthenticated Qdrant; usually needed for Qdrant Cloud  |
 | `BIKKY_HOME`     | —                | Moves the config/log/state directory from `~/.bikky`                        |
+| `BIKKY_USER_ID`  | `identity.user_id` | Explicit human user id for origin provisioning                            |
+| `BIKKY_USER_NAME` | `identity.user_name` | Human-readable human user name for origin provisioning                  |
+| `BIKKY_AGENT_ID` | —                | Optional local automated-agent id stored in `origin.agent`                  |
+| `BIKKY_AGENT_NAME` | —              | Optional local automated-agent label stored in `origin.agent`               |
 
 ## Provider options
 

package/package.json

@@ -1,9 +1,13 @@
 {
   "name": "bikky",
-  "version": "0.4.1",
+  "version": "0.4.3",
   "description": "Shared memory for AI coding sessions — MCP server + background daemon",
   "type": "module",
   "license": "AGPL-3.0-or-later",
+  "author": {
+    "name": "Saber Zrelli",
+    "url": "https://github.com/zrelli-s"
+  },
   "repository": {
     "type": "git",
     "url": "git+https://github.com/bikky-dev/bikky.git"
@@ -56,7 +60,7 @@
     "@aws-sdk/client-bedrock-runtime": "^3.1006.0",
     "@modelcontextprotocol/sdk": "^1.29.0",
     "pino": "^10.3.1",
-    "zod": "^3.24.0"
+    "zod": "^4.4.1"
   },
   "devDependencies": {
     "@types/node": "^25.6.0",