claude-mem-lite 2.91.0 → 2.93.0

package/registry.mjs

@@ -339,135 +339,3 @@ export function upsertResource(db, r) {
     return row?.id || 0;
   })();
 }
-
-/**
- * Get all active resources.
- * @param {Database} db Registry database
- * @returns {object[]} Array of resource objects
- */
-export function getActiveResources(db) {
-  return db.prepare('SELECT * FROM resources WHERE status = ? ORDER BY name').all('active');
-}
-
-/**
- * Get a resource by type and name.
- * @param {Database} db Registry database
- * @param {string} type 'skill' or 'agent'
- * @param {string} name Resource name
- * @returns {object|undefined} Resource or undefined
- */
-export function getResourceByName(db, type, name) {
-  return db.prepare('SELECT * FROM resources WHERE type = ? AND name = ?').get(type, name);
-}
-
-/**
- * Get a resource by ID.
- * @param {Database} db Registry database
- * @param {number} id Resource ID
- * @returns {object|undefined} Resource or undefined
- */
-export function getResourceById(db, id) {
-  return db.prepare('SELECT * FROM resources WHERE id = ?').get(id);
-}
-
-/**
- * Atomically increment a stats field on a resource.
- * @param {Database} db Registry database
- * @param {number} id Resource ID
- * @param {'recommend_count'|'adopt_count'|'success_count'} field Stats field
- */
-export function updateResourceStats(db, id, field) {
-  const allowed = new Set(['recommend_count', 'adopt_count', 'success_count']);
-  if (!allowed.has(field)) throw new Error(`Invalid stats field: ${field}`);
-  // String interpolation required: SQLite cannot parameterize column names.
-  // Safety: field is validated against allowlist above.
-  db.prepare(`UPDATE resources SET ${field} = ${field} + 1, updated_at = datetime('now') WHERE id = ?`).run(id);
-}
-
-/**
- * Atomically increment weighted_adopt_sum by a continuous score value.
- * @param {Database} db Registry database
- * @param {number} id Resource ID
- * @param {number} score Adoption confidence score (0.0-1.0)
- */
-export function incrementWeightedAdopt(db, id, score) {
-  db.prepare(`UPDATE resources SET weighted_adopt_sum = COALESCE(weighted_adopt_sum, 0) + ?, updated_at = datetime('now') WHERE id = ?`).run(score, id);
-}
-
-/**
- * Record a dispatch invocation.
- * @param {Database} db Registry database
- * @param {object} record Invocation record
- * @returns {number} Invocation ID
- */
-export function recordInvocation(db, record) {
-  const result = db.prepare(`
-    INSERT INTO invocations (resource_id, session_id, trigger, tier, recommended, adopted, outcome, score)
-    VALUES (?, ?, ?, ?, ?, ?, ?, ?)
-  `).run(
-    record.resource_id, record.session_id || null,
-    record.trigger || null, record.tier || null,
-    record.recommended ?? 1, record.adopted ?? 0,
-    record.outcome || null, record.score ?? null
-  );
-  return Number(result.lastInsertRowid);
-}
-
-/**
- * Get success rates for resources over a time period.
- * @param {Database} db Registry database
- * @param {number} [days=30] Lookback period
- * @returns {object[]} Array of {resource_id, total, adopted, avg_score}
- */
-export function getResourceSuccessRates(db, days = 30) {
-  const since = new Date(Date.now() - days * 86400000).toISOString();
-  return db.prepare(`
-    SELECT resource_id,
-      COUNT(*) as total,
-      SUM(adopted) as adopted,
-      AVG(CASE WHEN score IS NOT NULL THEN score END) as avg_score
-    FROM invocations
-    WHERE created_at > ?
-    GROUP BY resource_id
-  `).all(since);
-}
-
-/**
- * Get invocations for a specific session (for feedback collection).
- * @param {Database} db Registry database
- * @param {string} sessionId Session identifier
- * @returns {object[]} Array of invocation records
- */
-export function getSessionInvocations(db, sessionId) {
-  return db.prepare(`
-    SELECT i.*, r.name as resource_name, r.type as resource_type,
-           r.invocation_name as invocation_name
-    FROM invocations i
-    JOIN resources r ON r.id = i.resource_id
-    WHERE i.session_id = ?
-    ORDER BY i.created_at
-  `).all(sessionId);
-}
-
-/**
- * Update invocation outcome (for feedback).
- * @param {Database} db Registry database
- * @param {number} id Invocation ID
- * @param {object} update Fields to update
- */
-export function updateInvocation(db, id, update) {
-  const allowed = new Set(['adopted', 'outcome', 'score', 'rejection_reason']);
-  const sets = [];
-  const vals = [];
-  for (const [key, val] of Object.entries(update)) {
-    if (val === undefined) continue;
-    if (!allowed.has(key)) throw new Error(`Invalid invocation field: ${key}`);
-    sets.push(`${key} = ?`);
-    vals.push(val);
-  }
-  if (sets.length === 0) return;
-  vals.push(id);
-  // String interpolation required: SQLite cannot parameterize column names.
-  // Safety: column names are validated against allowlist above.
-  db.prepare(`UPDATE invocations SET ${sets.join(', ')} WHERE id = ?`).run(...vals);
-}

package/schema.mjs

@@ -382,6 +382,7 @@ export function initSchema(db) {
 
   // FTS5 migration: recreate observations_fts when columns are missing (one-time)
   // Detect old FTS5 table missing lesson_learned or search_aliases and recreate with full column set
+  let obsFtsRecreated = false;
   try {
     const ftsDdl = db.prepare(`SELECT sql FROM sqlite_master WHERE type='table' AND name='observations_fts'`).get();
     if (ftsDdl && (!ftsDdl.sql.includes('lesson_learned') || !ftsDdl.sql.includes('search_aliases'))) {
@@ -389,6 +390,7 @@ export function initSchema(db) {
       db.exec(`DROP TRIGGER IF EXISTS observations_ad`);
       db.exec(`DROP TRIGGER IF EXISTS observations_au`);
       db.exec(`DROP TABLE IF EXISTS observations_fts`);
+      obsFtsRecreated = true;
     }
   } catch { /* non-critical — ensureFTS will create if missing */ }
 
@@ -416,14 +418,19 @@ export function initSchema(db) {
   ensureFTS(db, 'session_summaries_fts', 'session_summaries', ['request', 'investigated', 'learned', 'completed', 'next_steps', 'notes', 'remaining_items']);
   ensureFTS(db, 'user_prompts_fts', 'user_prompts', ['prompt_text']);
 
-  // Rebuild FTS5 if we just recreated it (migration populates from content table)
-  try {
-    const needsRebuild = db.prepare(`SELECT COUNT(*) as cnt FROM observations`).get();
-    const ftsCount = db.prepare(`SELECT COUNT(*) as cnt FROM observations_fts`).get();
-    if (needsRebuild.cnt > 0 && ftsCount.cnt === 0) {
-      db.exec(`INSERT INTO observations_fts(observations_fts) VALUES('rebuild')`);
-    }
-  } catch { /* non-critical */ }
+  // Rebuild FTS5 if we just recreated it above (the new index is empty and must be
+  // populated from the content table). The old emptiness probe — `SELECT COUNT(*) FROM
+  // observations_fts` — was DEAD: for an external-content FTS5 table, COUNT reads the
+  // CONTENT table (observations), not the index, so `ftsCount === 0` was only ever true
+  // on an empty DB (where needsRebuild>0 is false). The rebuild therefore never fired and
+  // full-text search silently returned 0 rows after the column-mismatch migration. Gate
+  // on the recreation flag instead, which is the only path that leaves the index empty.
+  if (obsFtsRecreated) {
+    try {
+      const cnt = db.prepare(`SELECT COUNT(*) as cnt FROM observations`).get();
+      if (cnt.cnt > 0) db.exec(`INSERT INTO observations_fts(observations_fts) VALUES('rebuild')`);
+    } catch { /* non-critical */ }
+  }
 
   // v36 migration: narrow events_fts_au like the v27 fix above. The events FTS
   // triggers were hand-written inline (below) rather than via ensureFTS, so

package/search-engine.mjs

@@ -179,7 +179,11 @@ export function countSearchTotal(db, {
 export function ftsRowToResult(r, { scoreMultiplier, snippet } = {}) {
   return {
     source: 'obs', id: r.id, type: r.type, title: r.title, subtitle: r.subtitle,
-    project: r.project, date: r.created_at, created_at_epoch: r.created_at_epoch,
+    // `date` is the legacy key the MCP paired-search path reads; `created_at` aligns the
+    // obs row shape with the session/prompt rows the CLI interleaves in the same results
+    // array (cmdSearch reads r.created_at uniformly) and with recent/recall output. Both
+    // hold the same ISO string — keep both so neither consumer breaks.
+    project: r.project, date: r.created_at, created_at: r.created_at, created_at_epoch: r.created_at_epoch,
     score: scoreMultiplier ? r.score * scoreMultiplier : r.score,
     files_modified: r.files_modified, importance: r.importance, lesson_learned: r.lesson_learned,
     snippet: snippet ? (r.match_snippet || '') : '',
@@ -366,6 +370,15 @@ export function searchObservationsHybrid(db, ctx) {
     if (vecResults.length === 0) return results;
 
     if (results.length > 0) {
+      // RRF fuses by RANK (array index), so the BM25 side must already be in
+      // composite-score order. `results` here is [full-FTS sorted, …concept ×0.7,
+      // …PRF ×0.6] with augmentation rows APPENDED, so its index order is only
+      // BM25-rank for the first block — a downweighted PRF row at the tail would be
+      // handed to RRF as a worse rank than its score warrants, and a strong one as
+      // better. Sort by the calibrated composite score (negative = more relevant)
+      // first so index == composite rank and the type-quality/decay/cite multipliers
+      // actually shape the fused ranking instead of being discarded by insertion order.
+      results.sort((a, b) => (a.score ?? 0) - (b.score ?? 0));
       const rrfRanking = rrfMerge(results, vecResults, ctx.rrfK);  // undefined → RRF_K
       const resultMap = new Map(results.map(r => [r.id, r]));
       for (const vr of vecResults) {

package/secret-scrub.mjs

@@ -18,8 +18,17 @@ export const SECRET_PATTERNS = [
   //   2. Structured keys (api_key, auth_token, …) keep the original behavior —
   //      a separator/compound key is unambiguous config syntax even when
   //      preceded by prose ("see auth_token: shhhhhh").
-  [/((?<![A-Za-z][ \t])\b(?:password|passwd|token|bearer)\s*[=:]\s*)(?!process\.env\.)(?!new\s)(?!\w+\()(?!(?:null|undefined|true|false|None|nil|empty|""|''|0)\b)[^\s,;'"}\]]{6,}/gi, '$1***'],
-  [/(\b(?:api[_-]?key|api[_-]?secret|secret[_-]?key|access[_-]?key|private[_-]?key|client[_-]?secret|auth[_-]?token)\s*[=:]\s*)(?!process\.env\.)(?!new\s)(?!\w+\()(?!(?:null|undefined|true|false|None|nil|empty|""|''|0)\b)[^\s,;'"}\]]{6,}/gi, '$1***'],
+  // `(?:\b|_)` before the keyword: a plain word-boundary misses the single most
+  // common credential shape — underscore-cased env vars (DB_PASSWORD, GH_TOKEN,
+  // MY_AUTH_TOKEN) — because `_` is a \w char, so there is NO \b between it and the
+  // keyword. Allowing a leading `_` catches those while the prose lookbehind still
+  // excludes "Marker token: …". `secret` added so a bare SECRET=… with a mixed-alnum
+  // value is covered (the hex-only assignment pattern below misses non-hex values).
+  [/((?<![A-Za-z][ \t])(?:\b|_)(?:password|passwd|token|bearer|secret)\s*[=:]\s*)(?!process\.env\.)(?!new\s)(?!\w+\()(?!(?:null|undefined|true|false|None|nil|empty|""|''|0)\b)[^\s,;'"}\]]{6,}/gi, '$1***'],
+  // access_token / refresh_token are the canonical OAuth2 field names — they were
+  // missing from this KV list (drift vs the JSON list below). `(?:\b|_)` for the same
+  // underscore-prefix reason.
+  [/((?:\b|_)(?:api[_-]?key|api[_-]?secret|secret[_-]?key|access[_-]?key|private[_-]?key|client[_-]?secret|auth[_-]?token|access[_-]?token|refresh[_-]?token)\s*[=:]\s*)(?!process\.env\.)(?!new\s)(?!\w+\()(?!(?:null|undefined|true|false|None|nil|empty|""|''|0)\b)[^\s,;'"}\]]{6,}/gi, '$1***'],
   // AWS access keys (AKIA...)
   [/\bAKIA[A-Z0-9]{16}\b/g, '***'],
   // OpenAI / Anthropic keys (sk-...) — specific prefixes have lower length threshold
@@ -56,7 +65,7 @@ export const SECRET_PATTERNS = [
   // as `{"api_key": "..."}`. The base key=value pattern stops at quotes, so
   // these slip through. Match the value-quoted form explicitly. Length floor
   // (6) avoids tripping on intentional placeholder shorts ("...", "secret").
-  [/("(?:password|passwd|token|api[_-]?key|api[_-]?secret|secret[_-]?key|access[_-]?key|private[_-]?key|client[_-]?secret|auth[_-]?token|bearer|refresh[_-]?token|session[_-]?id|sessionid)"\s*:\s*")[^"]{6,}(")/gi, '$1***$2'],
+  [/("(?:password|passwd|token|api[_-]?key|api[_-]?secret|secret[_-]?key|access[_-]?key|access[_-]?token|private[_-]?key|client[_-]?secret|auth[_-]?token|bearer|refresh[_-]?token|session[_-]?id|sessionid)"\s*:\s*")[^"]{6,}(")/gi, '$1***$2'],
   // Session cookies in headers / urlencoded bodies (sessionid=, session_id=, JSESSIONID=, PHPSESSID=).
   // 16+ chars filters out short test fixtures like sessionid=abc.
   [/\b((?:session[_-]?id|sessionid|jsessionid|phpsessid)\s*[=:]\s*)[^\s,;'"}\]]{16,}/gi, '$1***'],

package/server.mjs

@@ -15,6 +15,7 @@ import { selectCompressionCandidates, groupByProjectWeek, compressGroup } from '
 import {
   cleanupBroken, decayAndMarkIdle, boostAccessed, demotePinned, mergeDuplicates,
   purgeStale, purgeStalePreview, findDuplicates, maintenanceStats, rebuildVectors, vacuum,
+  recoverChildrenOf,
   OP_CAP, STALE_AGE_MS,
 } from './lib/maintain-core.mjs';
 import { effectiveQuiet, RUNTIME_DIR } from './hook-shared.mjs';
@@ -926,13 +927,20 @@ server.registerTool(
           db.prepare('UPDATE observations SET related_ids = ? WHERE id = ?').run(JSON.stringify(filtered), r.id);
         }
       }
+      // Resurface rows merged/compressed INTO the doomed keepers before deleting, else
+      // they dangle behind a now-missing parent (compressed_into has no FK) — invisible
+      // to every COALESCE(compressed_into,0)=0 view and unrecoverable. Mirrors the CLI
+      // delete path + the maintain hard-delete guard (recoverChildrenOf).
+      const recovered = recoverChildrenOf(db, args.ids);
       // Execute deletion (FTS5 cleanup handled by observations_ad trigger)
-      return db.prepare(`DELETE FROM observations WHERE id IN (${placeholders})`).run(...args.ids);
+      const deleted = db.prepare(`DELETE FROM observations WHERE id IN (${placeholders})`).run(...args.ids);
+      return { changes: deleted.changes, recovered };
     });
     const result = deleteTx();
 
     const missing = args.ids.filter(id => !rows.some(r => r.id === id));
     const msg = [`Deleted ${result.changes} observation(s).`];
+    if (result.recovered > 0) msg.push(`Recovered ${result.recovered} merged/compressed child observation(s) to live.`);
     if (missing.length > 0) msg.push(`Note: ID(s) ${missing.join(', ')} not found.`);
     return { content: [{ type: 'text', text: msg.join(' ') }] };
   })

package/source-files.mjs

@@ -77,6 +77,11 @@ export const SOURCE_FILES = [
   // mem-cli.mjs::cmdSave and server.mjs::mem_save. Statically imported from both
   // entry points; missing it from the manifest broke MCP saves on auto-update.
   'lib/save-observation.mjs',
+  // Single-source observations-table write primitives (insertObservationRow/Files/
+  // Vector). Statically imported by lib/save-observation.mjs and hook-llm.mjs (both
+  // entry-point-reachable); missing it from the manifest would break ALL saves on
+  // auto-update. Same single-source-of-truth pattern (see #8217).
+  'lib/observation-write.mjs',
   // Shared "compress old low-value observations into weekly summaries" core.
   // Statically imported by mem-cli.mjs (cmdCompress), server.mjs (mem_compress),
   // and hook.mjs (handleAutoCompress) — same single-source-of-truth pattern as

package/tier.mjs

@@ -44,9 +44,12 @@ export function computeTier(obs, ctx) {
     return 'working';
   }
 
-  // Rule 5: Active if within type-specific window
+  // Rule 5: Active if within type-specific window. Use `<=` so the exact-millisecond
+  // window edge matches TIER_CASE_SQL (`created_at_epoch >= now - window`, i.e. inclusive).
+  // The strict `<` here disagreed with the SQL classifier by one tier at the boundary,
+  // despite both being documented as the same classifier.
   const activeWindow = ACTIVE_WINDOWS[obs.type] ?? DEFAULT_ACTIVE_WINDOW_MS;
-  if (now - obs.created_at_epoch < activeWindow) return 'active';
+  if (now - obs.created_at_epoch <= activeWindow) return 'active';
 
   // Rule 6: Archive (fallback)
   return 'archive';

package/utils.mjs

@@ -77,8 +77,11 @@ export function estimateTokens(text) {
  * @returns {number} Clamped integer importance (1, 2, or 3)
  */
 export function clampImportance(val) {
-  if (typeof val !== 'number' || isNaN(val)) return 1;
-  return Math.max(1, Math.min(3, Math.round(val)));
+  // Coerce numeric strings: an LLM emitting "importance":"2" (quoted) would otherwise
+  // collapse to 1, silently dropping its signal. Non-numeric strings → NaN → 1.
+  const n = typeof val === 'number' ? val : (typeof val === 'string' ? Number(val) : NaN);
+  if (!Number.isFinite(n)) return 1;
+  return Math.max(1, Math.min(3, Math.round(n)));
 }
 
 /**
@@ -267,9 +270,39 @@ export function debugCatch(e, context) {
 
 // ─── JSON Parsing ────────────────────────────────────────────────────────────
 
+/**
+ * Extract the first brace-balanced JSON object substring from text, honoring strings
+ * and escapes so braces inside string values don't throw off the depth count. Returns
+ * null when there's no `{` or no balanced close. Used to recover a valid leading object
+ * when the LLM wrapped it in prose that ALSO contains braces — the greedy `{[\s\S]*}`
+ * fallback spans first-`{` to last-`}` and is defeated by an unrelated trailing `{…}`.
+ */
+function firstBalancedJsonObject(text) {
+  // Anchor on whichever structural opener comes first — `{` (object) or `[` (array) —
+  // so a prose-wrapped top-level array isn't truncated to its first inner object.
+  const braceAt = text.indexOf('{');
+  const brackAt = text.indexOf('[');
+  let start, open, close;
+  if (braceAt === -1 && brackAt === -1) return null;
+  if (brackAt !== -1 && (braceAt === -1 || brackAt < braceAt)) { start = brackAt; open = '['; close = ']'; }
+  else { start = braceAt; open = '{'; close = '}'; }
+  let depth = 0, inStr = false, esc = false;
+  for (let i = start; i < text.length; i++) {
+    const c = text[i];
+    if (inStr) {
+      if (esc) esc = false;
+      else if (c === '\\') esc = true;
+      else if (c === '"') inStr = false;
+    } else if (c === '"') inStr = true;
+    else if (c === open) depth++;
+    else if (c === close && --depth === 0) return text.slice(start, i + 1);
+  }
+  return null;
+}
+
 /**
  * Parse JSON from LLM output, handling markdown fences and embedded objects.
- * Tries: direct parse → fenced code block → regex object extraction.
+ * Tries: direct parse → fenced code block → first balanced object → greedy regex.
  * @param {string} text Raw LLM output text
  * @returns {object|null} Parsed JSON object or null on failure
  */
@@ -278,6 +311,10 @@ export function parseJsonFromLLM(text) {
   try { return JSON.parse(text); } catch {}
   const fenced = text.match(/```(?:json)?\s*([\s\S]*?)\s*```/);
   if (fenced) try { return JSON.parse(fenced[1]); } catch {}
+  // First balanced object — survives unfenced output wrapped in brace-containing prose.
+  const balanced = firstBalancedJsonObject(text);
+  if (balanced) try { return JSON.parse(balanced); } catch {}
+  // Last-resort greedy span (handles a payload that isn't the FIRST balanced object).
   const obj = text.match(/\{[\s\S]*\}/);
   if (obj) try { return JSON.parse(obj[0]); } catch {}
   return null;