claude-mem-lite 3.7.1 → 3.8.0

package/.claude-plugin/marketplace.json

@@ -10,7 +10,7 @@
   "plugins": [
     {
       "name": "claude-mem-lite",
-      "version": "3.7.1",
+      "version": "3.8.0",
       "source": "./",
       "description": "Persistent long-term memory for Claude Code via MCP — captures coding decisions, bugfixes, and context across sessions. Hybrid FTS5 + TF-IDF search with episode batching. Single SQLite DB, no external services. A lighter, lower-cost alternative to claude-mem (episode batching + a smaller model; cost savings are an internal estimate, not a measured benchmark)."
     }

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-mem-lite",
-  "version": "3.7.1",
+  "version": "3.8.0",
   "description": "Persistent long-term memory for Claude Code via MCP — captures coding decisions, bugfixes, and context across sessions. Hybrid FTS5 + TF-IDF search with episode batching. Single SQLite DB, no external services. A lighter, lower-cost alternative to claude-mem (episode batching + a smaller model; cost savings are an internal estimate, not a measured benchmark).",
   "author": {
     "name": "sdsrss"

package/README.md

@@ -172,6 +172,8 @@ npx github:sdsrss/claude-mem-lite
 
 Source files are automatically copied to `~/.claude-mem-lite/` for persistence.
 
+> **Note:** `npx github:…` installs from the repo's **default branch (HEAD)**, which can be ahead of the latest published release. For the stable released version use the npm package (`npx claude-mem-lite`), or pin a release tag: `npx github:sdsrss/claude-mem-lite#vX.Y.Z`.
+
 ### Method 3: git clone
 
 ```bash

package/hook-update.mjs

@@ -15,6 +15,7 @@ import { debugCatch, debugLog } from './utils.mjs';
 import { SOURCE_FILES as LOCAL_SOURCE_FILES, HOOK_SCRIPT_FILES as LOCAL_HOOK_SCRIPT_FILES } from './source-files.mjs';
 import { acquireLock } from './lib/proc-lock.mjs';
 import { atomicWriteFileSync } from './lib/atomic-write.mjs';
+import { verifyReleaseFiles, verifyManifestSignature } from './lib/release-digest.mjs';
 
 // ── Configuration ──────────────────────────────────────────
 const GITHUB_REPO = 'sdsrss/claude-mem-lite';
@@ -77,7 +78,7 @@ export async function checkForUpdate(options = {}) {
     if (hasUpdate) {
       debugLog('DEBUG', 'hook-update', `Update available: ${currentVersion} → ${latest.version}`);
       const canInstall = !pluginMode && Boolean(allowInstall);
-      const success = canInstall ? await downloadAndInstall(latest.tarballUrl, latest.version) : false;
+      const success = canInstall ? await downloadAndInstall(latest.tarballUrl, latest.version, latest.assets) : false;
       const newState = {
         lastCheck: new Date().toISOString(),
         installedVersion: success ? latest.version : currentVersion,
@@ -206,6 +207,7 @@ async function fetchLatestRelease() {
       version: result.tag_name.replace(/^v/, ''),
       tarballUrl: result.tarball_url,
       releaseUrl: result.html_url,
+      assets: Array.isArray(result.assets) ? result.assets : [],
     };
   }
 
@@ -221,6 +223,7 @@ async function fetchLatestRelease() {
       version: tag.name.replace(/^v/, ''),
       tarballUrl: `https://api.github.com/repos/${GITHUB_REPO}/tarball/${tag.name}`,
       releaseUrl: `https://github.com/${GITHUB_REPO}/releases/tag/${tag.name}`,
+      assets: [],
     };
   }
 
@@ -301,7 +304,7 @@ async function loadReleaseManifest(sourceDir) {
 
 // ── Download & Install ─────────────────────────────────────
 // Direct file copy instead of running old install.mjs (avoids symlink overwrite in dev)
-async function downloadAndInstall(tarballUrl, expectedVersion) {
+async function downloadAndInstall(tarballUrl, expectedVersion, assets = []) {
   const tmpDir = join(tmpdir(), `claude-mem-lite-update-${Date.now()}`);
   try {
     mkdirSync(tmpDir, { recursive: true });
@@ -324,6 +327,17 @@ async function downloadAndInstall(tarballUrl, expectedVersion) {
       return false;
     }
 
+    // P1 supply-chain: cryptographically verify the release before installing.
+    // Opportunistic + inert until keyed — ok=false ONLY on a real tampering
+    // signal (signature present but invalid, or a file hash mismatch). Missing
+    // key / missing signature assets / fetch failure / escape hatch all proceed,
+    // so this never bricks auto-update for unsigned or pre-key releases.
+    const authentic = await verifyReleaseAuthenticity(tmpDir, assets);
+    if (!authentic.ok) {
+      debugLog('WARN', 'hook-update', `Release authenticity check failed (${authentic.action}) — aborting update`);
+      return false;
+    }
+
     return await installExtractedRelease(tmpDir);
   } catch (err) {
     debugCatch(err, 'downloadAndInstall');
@@ -372,6 +386,92 @@ export function validateExtractedTarball(sourceDir, expectedVersion, expectedNam
   return { ok: true };
 }
 
+// ── Release signature verification (P1 supply-chain hardening) ──────────────
+// Embedded Ed25519 PUBLIC key (SPKI PEM). EMPTY = unconfigured → verification is
+// INERT and auto-update behaves exactly as before. Activating it is a one-time
+// ops step (no private key ever ships in the repo):
+//   1. Generate a keypair (writes the PRIVATE key to a local file, prints PUBLIC):
+//        node -e "const c=require('crypto');const{publicKey,privateKey}=c.generateKeyPairSync('ed25519');process.stdout.write(publicKey.export({type:'spki',format:'pem'}));require('fs').writeFileSync('release-signing-key.pem',privateKey.export({type:'pkcs8',format:'pem'}))"
+//   2. Paste the printed PUBLIC key between the backticks below.
+//   3. Add the PRIVATE key (release-signing-key.pem contents) as the GitHub
+//      Actions secret RELEASE_SIGNING_KEY, then delete the local file.
+//      NEVER commit the private key.
+// Once a signed release exists, clients verify it; unsigned/older releases still
+// install (opportunistic). Signer: scripts/sign-release.mjs. Core: lib/release-digest.mjs.
+const RELEASE_PUBLIC_KEY = '';
+const MANIFEST_ASSET_NAME = 'release-manifest.json';
+const SIGNATURE_ASSET_NAME = 'release-manifest.json.sig';
+
+// Pure verifier (no I/O) — exported for unit testing. ok=true ONLY when the
+// Ed25519 signature over `manifestBytes` is valid for `publicKeyPem` AND every
+// file the manifest lists matches its sha256 under `extractedDir`.
+export function verifyDownloadedRelease(extractedDir, manifestBytes, signatureB64, publicKeyPem = RELEASE_PUBLIC_KEY) {
+  if (!verifyManifestSignature(manifestBytes, signatureB64, publicKeyPem)) {
+    return { ok: false, reason: 'signature-invalid' };
+  }
+  let manifest;
+  try {
+    manifest = JSON.parse(Buffer.isBuffer(manifestBytes) ? manifestBytes.toString('utf8') : String(manifestBytes));
+  } catch {
+    return { ok: false, reason: 'manifest-unparseable' };
+  }
+  const files = verifyReleaseFiles(extractedDir, manifest);
+  if (!files.ok) {
+    return { ok: false, reason: `file-mismatch: ${[...files.mismatches, ...files.missing].slice(0, 5).join(', ')}` };
+  }
+  return { ok: true, reason: 'verified' };
+}
+
+// Fetch a GitHub Release asset as a Buffer. Host-locked to github.com (the asset
+// browser_download_url); GitHub's own 302 to its CDN is followed by fetch.
+async function fetchAssetBuffer(url) {
+  if (!/^https:\/\/github\.com\/[\w./%~-]+$/.test(url || '')) {
+    throw new Error(`rejected asset url: ${url}`);
+  }
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
+  try {
+    const res = await fetch(url, { signal: controller.signal, redirect: 'follow' });
+    if (!res.ok) throw new Error(`HTTP ${res.status}`);
+    return Buffer.from(await res.arrayBuffer());
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+
+// I/O gate called from downloadAndInstall after validateExtractedTarball.
+// Opportunistic: returns ok=false ONLY on a genuine tampering signal. Missing
+// embedded key, missing signature assets, asset-fetch failure, or the
+// CLAUDE_MEM_SKIP_SIG_VERIFY escape hatch all return ok=true so a verification
+// gap can never permanently brick auto-update.
+export async function verifyReleaseAuthenticity(extractedDir, assets) {
+  if (process.env.CLAUDE_MEM_SKIP_SIG_VERIFY) return { ok: true, action: 'skipped-env' };
+  if (!RELEASE_PUBLIC_KEY) return { ok: true, action: 'skipped-no-pubkey' };
+
+  const list = Array.isArray(assets) ? assets : [];
+  const manifestAsset = list.find(a => a && a.name === MANIFEST_ASSET_NAME);
+  const sigAsset = list.find(a => a && a.name === SIGNATURE_ASSET_NAME);
+  if (!manifestAsset || !sigAsset) {
+    debugLog('WARN', 'hook-update', 'Release carries no signature assets — proceeding unverified (unsigned release)');
+    return { ok: true, action: 'skipped-no-signature' };
+  }
+
+  let manifestBytes, signatureB64;
+  try {
+    manifestBytes = await fetchAssetBuffer(manifestAsset.browser_download_url);
+    signatureB64 = (await fetchAssetBuffer(sigAsset.browser_download_url)).toString('utf8').trim();
+  } catch (e) {
+    // A flaky asset CDN is not a tampering signal — don't brick the update over it.
+    debugLog('WARN', 'hook-update', `Signature asset fetch failed (${e.message}) — proceeding unverified`);
+    return { ok: true, action: 'skipped-fetch-failed' };
+  }
+
+  const r = verifyDownloadedRelease(extractedDir, manifestBytes, signatureB64);
+  if (!r.ok) return { ok: false, action: r.reason };
+  debugLog('DEBUG', 'hook-update', 'Release signature verified');
+  return { ok: true, action: 'verified' };
+}
+
 // opts.skipNpmInstall — copy + atomically switch the source files WITHOUT
 // running `npm install` in staging. Used by syncDataDirFromCache: when the
 // source is a local plugin-cache version (not a downloaded tarball), the

package/lib/release-digest.mjs

@@ -0,0 +1,106 @@
+// lib/release-digest.mjs — shared release-signing core (P1 supply-chain hardening).
+//
+// One source of truth for BOTH sides of the auto-update authenticity check so the
+// CI signer and the runtime verifier can never drift:
+//   * scripts/sign-release.mjs (CI) — builds the manifest, serializes it, signs
+//     the EXACT serialized bytes with an Ed25519 private key (a GitHub secret),
+//     and uploads release-manifest.json (+ .sig) as GitHub Release assets.
+//   * hook-update.mjs (client) — downloads those assets, verifies the signature
+//     over the downloaded manifest bytes with an EMBEDDED public key, then checks
+//     each extracted file's sha256 against the signed manifest.
+//
+// Why content hashes, not a tarball-byte hash: GitHub's on-the-fly git-archive
+// tarballs are not guaranteed byte-stable over time, but the FILE CONTENTS at a
+// tag are (they are the git blobs). Hashing the extracted files sidesteps the
+// archive-byte-stability problem entirely.
+//
+// Why verify over the downloaded file bytes (not a re-serialization): the client
+// verifies the signature against the manifest bytes exactly as downloaded and
+// only THEN parses it — so there is no canonical-JSON drift between signer and
+// verifier. serializeManifest() exists so CI writes precisely what it signs.
+//
+// Pure Node built-ins (node:crypto Ed25519) — zero dependencies, no `gh`/cosign
+// needed on the user's machine, works in the silent SessionStart hook.
+
+import { createHash, verify as cryptoVerify } from 'node:crypto';
+import { readFileSync, existsSync } from 'node:fs';
+import { join } from 'node:path';
+
+const PACKAGE_NAME = 'claude-mem-lite';
+
+export function sha256Hex(buf) {
+  return createHash('sha256').update(buf).digest('hex');
+}
+
+export function sha256File(absPath) {
+  return sha256Hex(readFileSync(absPath));
+}
+
+/**
+ * Build a release manifest: { name, version, algo, files: { <relPath>: <sha256> } }.
+ * Only files that exist under rootDir are listed; keys are sorted so the
+ * serialization is deterministic regardless of fileList order.
+ *
+ * @param {string} rootDir   Extracted release root (or CI checkout root)
+ * @param {string[]} fileList Relative paths to hash (typically SOURCE_FILES)
+ * @param {string} version   Release version (for the manifest body)
+ */
+export function buildReleaseManifest(rootDir, fileList, version) {
+  const files = {};
+  for (const rel of [...fileList].sort()) {
+    const abs = join(rootDir, rel);
+    if (existsSync(abs)) files[rel] = sha256File(abs);
+  }
+  return { name: PACKAGE_NAME, version, algo: 'sha256', files };
+}
+
+/**
+ * Deterministic byte serialization. CI writes EXACTLY this to
+ * release-manifest.json and signs these bytes; the client verifies the signature
+ * against the downloaded file bytes (it does not re-serialize), so signer and
+ * verifier cannot disagree on canonical form.
+ */
+export function serializeManifest(manifest) {
+  return JSON.stringify(manifest, null, 2) + '\n';
+}
+
+/**
+ * Verify every file the manifest lists matches its signed sha256 on disk.
+ * Returns { ok, mismatches: string[], missing: string[] }.
+ * A content change → mismatches; a manifest-listed file absent → missing.
+ * Both are failures (ok=false).
+ */
+export function verifyReleaseFiles(rootDir, manifest) {
+  const mismatches = [];
+  const missing = [];
+  const files = (manifest && manifest.files) || {};
+  for (const [rel, expected] of Object.entries(files)) {
+    const abs = join(rootDir, rel);
+    if (!existsSync(abs)) { missing.push(rel); continue; }
+    if (sha256File(abs) !== expected) mismatches.push(rel);
+  }
+  return { ok: mismatches.length === 0 && missing.length === 0, mismatches, missing };
+}
+
+/**
+ * Verify an Ed25519 signature over the manifest bytes. Never throws — a malformed
+ * key/signature/algorithm returns false so callers can treat "can't verify" the
+ * same as "invalid" without a try/catch at every call site.
+ *
+ * @param {Buffer|string} manifestBytes The EXACT manifest bytes that were signed
+ * @param {string} signatureB64         Base64-encoded Ed25519 signature
+ * @param {string} publicKeyPem         SPKI PEM public key
+ * @returns {boolean}
+ */
+export function verifyManifestSignature(manifestBytes, signatureB64, publicKeyPem) {
+  try {
+    if (!publicKeyPem || !signatureB64) return false;
+    const data = Buffer.isBuffer(manifestBytes) ? manifestBytes : Buffer.from(manifestBytes);
+    const sig = Buffer.from(signatureB64, 'base64');
+    if (sig.length === 0) return false;
+    // `null` algorithm = Ed25519 (the key type carries the algorithm in Node).
+    return cryptoVerify(null, data, publicKeyPem, sig);
+  } catch {
+    return false;
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-mem-lite",
-  "version": "3.7.1",
+  "version": "3.8.0",
   "description": "Persistent long-term memory for Claude Code via MCP — captures coding decisions, bugfixes, and context across sessions. Hybrid FTS5 + TF-IDF search with episode batching. Single SQLite DB, no external services. A lighter, lower-cost alternative to claude-mem (episode batching + a smaller model; cost savings are an internal estimate, not a measured benchmark).",
   "type": "module",
   "packageManager": "npm@10.9.2",
@@ -73,6 +73,7 @@
     "lib/binding-probe.mjs",
     "lib/proc-lock.mjs",
     "lib/atomic-write.mjs",
+    "lib/release-digest.mjs",
     "lib/mem-override.mjs",
     "lib/save-observation.mjs",
     "lib/observation-write.mjs",

package/scripts/setup.sh

@@ -86,6 +86,7 @@ mark_deps_broken() {
   # having to re-derive them. Delegate JSON serialization to node so embedded
   # quotes / shell metachars in $ROOT or $reason can't produce an invalid file
   # (bash `printf '"..%s.."'` cannot escape arbitrary strings safely; v2.79.1 fix).
+  # shellcheck disable=SC2016  # node script single-quoted on purpose; vars passed via env (MARK_*), not shell expansion
   MARK_REASON="$reason" MARK_ROOT="$ROOT" MARK_FLAG="$DEPS_FLAG" node -e '
     const fs = require("fs");
     const reason = process.env.MARK_REASON || "unknown";
@@ -141,6 +142,7 @@ fi
 #    versions; same shape as the .deps-broken self-heal pattern.
 MCP_MIGRATION="$DATA_DIR/runtime/.mcp-dedup-v2.78"
 if [[ -n "${CLAUDE_PLUGIN_ROOT:-}" && ! -f "$MCP_MIGRATION" ]]; then
+  # shellcheck disable=SC2016  # node script single-quoted on purpose; CLAUDE_JSON passed via env, not shell expansion
   CLAUDE_JSON="$HOME/.claude.json" node -e '
     const fs = require("fs");
     let changed = false;

package/source-files.mjs

@@ -73,6 +73,10 @@ export const SOURCE_FILES = [
   // + auto-update lock). Must ship or a partial install/update skips them.
   'lib/proc-lock.mjs',
   'lib/atomic-write.mjs',
+  // P1 supply-chain: shared release-signing core (sha256 manifest + Ed25519
+  // verify). Imported by hook-update.mjs (verify) + scripts/sign-release.mjs (CI
+  // sign). Must ship or auto-update can't verify release signatures.
+  'lib/release-digest.mjs',
   // v2.41 god-module split — mem-cli.mjs router + per-cmd handlers under cli/
   'cli/common.mjs',
   'cli/fts-check.mjs',