npm - claude-mem-lite - Versions diffs - 2.93.0 → 2.95.0 - Mend

claude-mem-lite 2.93.0 → 2.95.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/.claude-plugin/marketplace.json +1 -1
package/.claude-plugin/plugin.json +1 -1
package/hook-update.mjs +102 -7
package/package.json +1 -1
package/scripts/hook-launcher.mjs +25 -0
package/scripts/launch.mjs +21 -0
package/secret-scrub.mjs +21 -0
package/synonyms.mjs +7 -0

package/.claude-plugin/marketplace.json CHANGED Viewed

@@ -10,7 +10,7 @@
   "plugins": [
     {
       "name": "claude-mem-lite",
-      "version": "2.93.0",
+      "version": "2.95.0",
       "source": "./",
       "description": "Persistent long-term memory for Claude Code via MCP — captures coding decisions, bugfixes, and context across sessions. Hybrid FTS5 + TF-IDF search with episode batching. Single SQLite DB, no external services. A lighter, lower-cost alternative to claude-mem (episode batching + a smaller model; cost savings are an internal estimate, not a measured benchmark)."
     }

package/.claude-plugin/plugin.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "claude-mem-lite",
-  "version": "2.93.0",
+  "version": "2.95.0",
   "description": "Persistent long-term memory for Claude Code via MCP — captures coding decisions, bugfixes, and context across sessions. Hybrid FTS5 + TF-IDF search with episode batching. Single SQLite DB, no external services. A lighter, lower-cost alternative to claude-mem (episode batching + a smaller model; cost savings are an internal estimate, not a measured benchmark).",
   "author": {
     "name": "sdsrss"

package/hook-update.mjs CHANGED Viewed

@@ -4,7 +4,7 @@
 import { execSync, execFileSync } from 'node:child_process';
 import { readFileSync, writeFileSync, copyFileSync, cpSync, readdirSync, existsSync, lstatSync, mkdirSync, rmSync, renameSync, chmodSync } from 'node:fs';
-import { join, dirname } from 'node:path';
+import { join, dirname, resolve } from 'node:path';
 import { pathToFileURL } from 'node:url';
 import { tmpdir, homedir } from 'node:os';
 import { DB_DIR, CODE_DIR } from './schema.mjs';
@@ -356,7 +356,15 @@ export function validateExtractedTarball(sourceDir, expectedVersion, expectedNam
   return { ok: true };
 }
-export async function installExtractedRelease(sourceDir, targetDir = INSTALL_DIR) {
+// opts.skipNpmInstall — copy + atomically switch the source files WITHOUT
+// running `npm install` in staging. Used by syncDataDirFromCache: when the
+// source is a local plugin-cache version (not a downloaded tarball), the
+// target data dir already carries a working, ABI-correct node_modules, so a
+// reinstall is pure cost. With staging holding no node_modules the switch loop
+// below skips the 'node_modules' switchable path (existsSync guard), leaving
+// the target's node_modules untouched. Dependency bumps still flow through the
+// GitHub-tarball path (downloadAndInstall), which keeps skipNpmInstall=false.
+export async function installExtractedRelease(sourceDir, targetDir = INSTALL_DIR, opts = {}) {
   const ts = `${Date.now()}-${process.pid}`;
   const stagingDir = join(targetDir, `.update-staging-${ts}`);
   const backupDir = join(targetDir, `.update-backup-${ts}`);
@@ -371,11 +379,13 @@ export async function installExtractedRelease(sourceDir, targetDir = INSTALL_DIR
     mkdirSync(backupDir, { recursive: true });
     copyReleaseIntoStaging(sourceDir, stagingDir, manifest);
-    execSync(NPM_INSTALL_CMD, {
-      cwd: stagingDir,
-      timeout: 60000,
-      stdio: 'pipe',
-    });
+    if (!opts.skipNpmInstall) {
+      execSync(NPM_INSTALL_CMD, {
+        cwd: stagingDir,
+        timeout: 60000,
+        stdio: 'pipe',
+      });
+    }
     for (const relPath of switchablePaths) {
       const stagedPath = join(stagingDir, relPath);
@@ -456,6 +466,91 @@ export async function installExtractedRelease(sourceDir, targetDir = INSTALL_DIR
   }
 }
+// ── Plugin-cache → data-dir code sync ──────────────────────
+// Root cause this fixes: a plugin-mode install carries TWO independently
+// versioned code copies sharing one DB. The plugin cache
+// (~/.claude/plugins/cache/<mp>/claude-mem-lite/<ver>/) runs the MCP server and
+// is advanced by Claude Code's marketplace updater; on launch it opens the
+// shared DB and migrates the schema FORWARD. The data-dir copy
+// (~/.claude-mem-lite/) backs the standalone CLI symlink and the settings.json
+// hooks, but is only advanced by the GitHub-tarball auto-update — which plugin
+// mode disables (allowInstall=false) and which stalls easily (24h throttle,
+// rate limits, staging npm install). The data-dir code then lags the schema the
+// cache wrote and the CLI/hooks fail to open the DB
+// ("schema is vN but binary supports up to vN-1").
+//
+// Fix: make the data-dir code TRACK the plugin-cache version. The exact files
+// are already on disk in the cache, so this is a local source-file copy — no
+// network, no npm install — and the synced code is precisely the version that
+// migrated the DB, so schema compatibility is guaranteed by construction.
+// node_modules is left untouched (skipNpmInstall). Only ever upgrades; equal
+// versions no-op, which is the natural per-session throttle.
+//
+// opts.sourceDir   — explicit source (launch.mjs passes the running ROOT, the
+//                    exact version that owns the migrated DB). Omitted → scan
+//                    the plugin cache for the highest valid version.
+// opts.targetDir   — defaults to INSTALL_DIR (the homedir code dir, NOT
+//                    CLAUDE_MEM_DIR — see schema.mjs CODE_DIR / #8632).
+// opts.cacheBase   — override the cache root (tests).
+export async function syncDataDirFromCache(opts = {}) {
+  try {
+    const targetDir = opts.targetDir || INSTALL_DIR;
+    // Dev install: the data-dir entries are symlinks into the source repo.
+    // Overwriting them would clobber the working tree — never sync.
+    if (isDevMode()) return { synced: false, reason: 'dev-mode' };
+    let sourceDir = opts.sourceDir || null;
+    if (!sourceDir) {
+      const cacheBase = opts.cacheBase
+        || join(homedir(), '.claude', 'plugins', 'cache', 'sdsrss', 'claude-mem-lite');
+      if (!existsSync(cacheBase)) return { synced: false, reason: 'no-cache' };
+      const versions = readdirSync(cacheBase)
+        .filter(n => /^\d+\.\d+/.test(n))
+        .sort((a, b) => compareVersions(b, a));   // newest first
+      for (const v of versions) {
+        const dir = join(cacheBase, v);
+        if (validateExtractedTarball(dir, null).ok) { sourceDir = dir; break; }
+      }
+      if (!sourceDir) return { synced: false, reason: 'no-valid-cache-version' };
+    }
+    // Non-plugin direct install: ROOT === data dir. Syncing a dir onto itself
+    // is a no-op at best and a same-path rename hazard at worst.
+    if (resolve(sourceDir) === resolve(targetDir)) {
+      return { synced: false, reason: 'source-is-target' };
+    }
+    const val = validateExtractedTarball(sourceDir, null);
+    if (!val.ok) return { synced: false, reason: `invalid-source: ${val.reason}` };
+    let sourceVersion;
+    try {
+      sourceVersion = JSON.parse(readFileSync(join(sourceDir, 'package.json'), 'utf8')).version;
+    } catch { return { synced: false, reason: 'source-version-unreadable' }; }
+    let dataVersion = '0.0.0';
+    try {
+      dataVersion = JSON.parse(readFileSync(join(targetDir, 'package.json'), 'utf8')).version || '0.0.0';
+    } catch { /* missing/corrupt target package.json → treat as 0.0.0, sync */ }
+    // Only ever upgrade. Equal → no-op (cheap version compare runs every session).
+    if (compareVersions(sourceVersion, dataVersion) <= 0) {
+      return { synced: false, reason: 'data-dir-current', sourceVersion, dataVersion };
+    }
+    debugLog('DEBUG', 'hook-update',
+      `Syncing data-dir code ${dataVersion} → ${sourceVersion} from plugin cache (${sourceDir})`);
+    const ok = await installExtractedRelease(sourceDir, targetDir, { skipNpmInstall: true });
+    return ok
+      ? { synced: true, from: dataVersion, to: sourceVersion }
+      : { synced: false, reason: 'install-failed', from: dataVersion, to: sourceVersion };
+  } catch (err) {
+    debugCatch(err, 'syncDataDirFromCache');
+    return { synced: false, reason: 'error' };
+  }
+}
 function copyReleaseIntoStaging(sourceDir, stagingDir, manifest = { SOURCE_FILES: LOCAL_SOURCE_FILES, HOOK_SCRIPT_FILES: LOCAL_HOOK_SCRIPT_FILES }) {
   let copied = 0;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "claude-mem-lite",
-  "version": "2.93.0",
+  "version": "2.95.0",
   "description": "Persistent long-term memory for Claude Code via MCP — captures coding decisions, bugfixes, and context across sessions. Hybrid FTS5 + TF-IDF search with episode batching. Single SQLite DB, no external services. A lighter, lower-cost alternative to claude-mem (episode batching + a smaller model; cost savings are an internal estimate, not a measured benchmark).",
   "type": "module",
   "packageManager": "npm@10.9.2",

package/scripts/hook-launcher.mjs CHANGED Viewed

@@ -104,6 +104,31 @@ async function attemptHeal(reason) {
   return result.status === 0;
 }
+// Defense-in-depth for plugin-mode version drift: the plugin-cache MCP server
+// (kept current by Claude Code) migrates the shared DB schema forward, while
+// this data-dir code (the standalone CLI + these hooks) is only advanced by the
+// GitHub-tarball auto-update, which plugin mode disables — so it can lag the
+// schema and fail to open the DB. syncDataDirFromCache copies the current cache
+// source files locally to close that gap. launch.mjs (MCP start) is the primary
+// healer; this is a backup that also covers the case where the MCP server never
+// starts. Gated to session-start (once per session, OFF the per-tool hot path)
+// and fully best-effort: a stale module without the fn, or any error, just
+// falls through to the normal entry import. The dynamic import keeps this
+// launcher's pure-`node:` static-import charter intact (it must survive a broken
+// install even if hook-update.mjs is unimportable).
+async function trySyncDataDirFromCache() {
+  try {
+    const { syncDataDirFromCache } = await import(
+      pathToFileURL(join(INSTALL_DIR, 'hook-update.mjs')).href
+    );
+    if (typeof syncDataDirFromCache === 'function') await syncDataDirFromCache();
+  } catch { /* best-effort — proceed to the normal entry regardless */ }
+}
+if (rest.includes('session-start')) {
+  await trySyncDataDirFromCache();
+}
 try {
   await runEntry();
 } catch (e) {

package/scripts/launch.mjs CHANGED Viewed

@@ -74,6 +74,27 @@ try {
   }
 }
+// Keep the data-dir code (~/.claude-mem-lite/ — backs the standalone CLI symlink
+// and the settings.json hooks) in lockstep with THIS running version. In plugin
+// mode the MCP server runs from the plugin cache (kept current by Claude Code's
+// marketplace updater) and migrates the shared DB schema forward; the data-dir
+// copy is only advanced by the GitHub-tarball auto-update, which plugin mode
+// disables and which stalls easily, so it drifts behind and the CLI/hooks then
+// fail to open the DB the cache migrated ("schema is vN but binary supports up
+// to vN-1"). syncDataDirFromCache copies the source files locally (no network,
+// no npm install) so the data-dir becomes exactly the version that owns the DB.
+// Best-effort — a sync failure must never block the MCP server launch. It runs
+// from the current cache code, so an already-drifted install self-heals on the
+// next launch once its cache reaches a version carrying this call.
+if (process.env.CLAUDE_PLUGIN_ROOT) {
+  try {
+    const { syncDataDirFromCache } = await import('../hook-update.mjs');
+    await syncDataDirFromCache({ sourceDir: ROOT });
+  } catch (e) {
+    process.stderr.write(`[claude-mem-lite] data-dir sync skipped: ${e.message}\n`);
+  }
+}
 // Dev mode: prefer ~/.claude-mem-lite/server.mjs (symlinked to source) over
 // CLAUDE_PLUGIN_ROOT (potentially stale plugin cache). This ensures the MCP
 // server always runs the latest code when installed with `install --dev`.

package/secret-scrub.mjs CHANGED Viewed

@@ -61,6 +61,18 @@ export const SECRET_PATTERNS = [
   [/\bnpm_[a-zA-Z0-9]{36,}\b/g, '***'],
   // Stripe keys (sk_live_, rk_live_, pk_live_, sk_test_, pk_test_)
   [/\b[srp]k_(?:live|test)_[a-zA-Z0-9]{20,}\b/g, '***'],
+  // SendGrid API keys: SG.<22>.<43> — two dots at fixed offsets make this
+  // structurally unmistakable; near-zero false-positive risk.
+  [/\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b/g, '***'],
+  // Twilio identifiers: Account SID (AC…) + API Key SID (SK…), each = prefix
+  // + exactly 32 hex. The 2-letter prefix + 32-hex shape is specific: an MD5
+  // is 32 hex (no AC/SK prefix → no match) and a 40-hex git SHA has no internal
+  // \b so the trailing \b can't land mid-string. We deliberately do NOT scrub
+  // the bare-hex Twilio *auth token* — see comment block at end re: SHA collision.
+  [/\b(?:AC|SK)[0-9a-f]{32}\b/g, '***'],
+  // Mailgun private API keys: key-<32 hex>. Prefix-anchored for the same reason;
+  // bare 32-hex (no `key-`) is intentionally left alone to avoid hashing FPs.
+  [/\bkey-[0-9a-f]{32}\b/g, '***'],
   // JSON-quoted secrets — error payloads / API responses commonly carry creds
   // as `{"api_key": "..."}`. The base key=value pattern stops at quotes, so
   // these slip through. Match the value-quoted form explicitly. Length floor
@@ -69,6 +81,15 @@ export const SECRET_PATTERNS = [
   // Session cookies in headers / urlencoded bodies (sessionid=, session_id=, JSESSIONID=, PHPSESSID=).
   // 16+ chars filters out short test fixtures like sessionid=abc.
   [/\b((?:session[_-]?id|sessionid|jsessionid|phpsessid)\s*[=:]\s*)[^\s,;'"}\]]{16,}/gi, '$1***'],
+  // ── DELIBERATELY NOT COVERED: bare high-entropy / "raw N-char" tokens ──────
+  // A generic `[A-Fa-f0-9]{40}` / high-entropy regex would scrub this repo's own
+  // legitimate data: 40-hex git SHAs, 32-hex MD5s, 64-hex SHA256s, and stored
+  // `minhash_sig` values. In a hash-heavy codebase the false-positive cost
+  // (silent `***` over real content, lost recall) exceeds the marginal catch —
+  // and an entropy gate doesn't help because git SHAs are themselves high-entropy.
+  // The contextual forms (token=…, Authorization: Bearer …, "api_key":"…") above
+  // already cover the dangerous *labelled* shapes. If you are tempted to add a
+  // bare-token pattern here: don't — anchor it to a provider prefix instead.
 ];
 /**

package/synonyms.mjs CHANGED Viewed

@@ -265,6 +265,13 @@ export const CJK_COMPOUNDS = new Set([
   // architecture
   '架构', '设计', '方案', '规划', '文档', '注释', '版本', '分支', '依赖',
   '性能', '安全', '漏洞', '补丁', '系统', '算法',
+  // common task/dev vocab — mined from the zero-dict-keyword prompt slice
+  // (benchmark/cjk-straddle-prevalence.mjs). These ubiquitous words were absent
+  // from the dictionary, so ~15% of real CJK queries fell through to all-bigram
+  // noise. Adding real words is monotonically safe: greedy longest-match only
+  // improves, and real compounds cannot create boundary-straddle bigrams.
+  '工作', '用户', '完成', '计划', '命令', '工具', '插件', '实施', '处理',
+  '清理', '显示', '本地', '改动', '确认', '直接', '开始',
 ]);
 // ─── Dispatch Synonyms (unidirectional, broader groupings) ──────────────────