claude-mem-lite 3.7.1 → 3.9.0

package/.claude-plugin/marketplace.json

@@ -10,7 +10,7 @@
   "plugins": [
     {
       "name": "claude-mem-lite",
-      "version": "3.7.1",
+      "version": "3.9.0",
       "source": "./",
       "description": "Persistent long-term memory for Claude Code via MCP — captures coding decisions, bugfixes, and context across sessions. Hybrid FTS5 + TF-IDF search with episode batching. Single SQLite DB, no external services. A lighter, lower-cost alternative to claude-mem (episode batching + a smaller model; cost savings are an internal estimate, not a measured benchmark)."
     }

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-mem-lite",
-  "version": "3.7.1",
+  "version": "3.9.0",
   "description": "Persistent long-term memory for Claude Code via MCP — captures coding decisions, bugfixes, and context across sessions. Hybrid FTS5 + TF-IDF search with episode batching. Single SQLite DB, no external services. A lighter, lower-cost alternative to claude-mem (episode batching + a smaller model; cost savings are an internal estimate, not a measured benchmark).",
   "author": {
     "name": "sdsrss"

package/README.md

@@ -172,6 +172,8 @@ npx github:sdsrss/claude-mem-lite
 
 Source files are automatically copied to `~/.claude-mem-lite/` for persistence.
 
+> **Note:** `npx github:…` installs from the repo's **default branch (HEAD)**, which can be ahead of the latest published release. For the stable released version use the npm package (`npx claude-mem-lite`), or pin a release tag: `npx github:sdsrss/claude-mem-lite#vX.Y.Z`.
+
 ### Method 3: git clone
 
 ```bash

package/hook-llm.mjs

@@ -20,6 +20,7 @@ import {
 } from './hook-shared.mjs';
 import { EVENT_TYPES, saveEvent } from './lib/activity.mjs';
 import { isNoiseObservation, capNoiseImportance, isLowYieldChangeObs } from './lib/low-signal-patterns.mjs';
+import { episodeHasSignificantContent } from './hook-episode.mjs';
 
 // T9: memdir-incompatible types live in the `events` table, not `observations`.
 // Set lookup is O(1) — authoritative source is lib/activity.mjs::EVENT_TYPES.
@@ -467,6 +468,24 @@ export function buildDegradedTitle(episode) {
     .trim();
 }
 
+// Best-effort SYNCHRONOUS persist of an episode's rule-based observation. Shared by
+// the normal flush and the SIGTERM/SIGINT shutdown handler. The ep-flush-* file the
+// shutdown handler writes has NO consumer (only spawnBackground-passed files are
+// processed), so without this the in-flight episode is silently lost on abnormal
+// termination — and spawning a detached child from a dying process is unreliable, so
+// the save must be synchronous (audit #6). Never throws; returns the obs id or null.
+export function saveEpisodeImmediate(episode, externalDb) {
+  try {
+    if (!episode || !Array.isArray(episode.entries) || episode.entries.length === 0) return null;
+    if (!episodeHasSignificantContent(episode)) return null;
+    const obs = buildImmediateObservation(episode);
+    return saveObservation(obs, episode.project, episode.sessionId, externalDb) || null;
+  } catch (e) {
+    debugCatch(e, 'saveEpisodeImmediate');
+    return null;
+  }
+}
+
 /**
  * Build a rule-based observation from episode metadata for immediate DB persistence.
  * Used as pre-save (before LLM) and as fallback when LLM is unavailable.

package/hook-update.mjs

@@ -15,6 +15,7 @@ import { debugCatch, debugLog } from './utils.mjs';
 import { SOURCE_FILES as LOCAL_SOURCE_FILES, HOOK_SCRIPT_FILES as LOCAL_HOOK_SCRIPT_FILES } from './source-files.mjs';
 import { acquireLock } from './lib/proc-lock.mjs';
 import { atomicWriteFileSync } from './lib/atomic-write.mjs';
+import { verifyReleaseFiles, verifyManifestSignature } from './lib/release-digest.mjs';
 
 // ── Configuration ──────────────────────────────────────────
 const GITHUB_REPO = 'sdsrss/claude-mem-lite';
@@ -77,7 +78,7 @@ export async function checkForUpdate(options = {}) {
     if (hasUpdate) {
       debugLog('DEBUG', 'hook-update', `Update available: ${currentVersion} → ${latest.version}`);
       const canInstall = !pluginMode && Boolean(allowInstall);
-      const success = canInstall ? await downloadAndInstall(latest.tarballUrl, latest.version) : false;
+      const success = canInstall ? await downloadAndInstall(latest.tarballUrl, latest.version, latest.assets) : false;
       const newState = {
         lastCheck: new Date().toISOString(),
         installedVersion: success ? latest.version : currentVersion,
@@ -206,6 +207,7 @@ async function fetchLatestRelease() {
       version: result.tag_name.replace(/^v/, ''),
       tarballUrl: result.tarball_url,
       releaseUrl: result.html_url,
+      assets: Array.isArray(result.assets) ? result.assets : [],
     };
   }
 
@@ -221,6 +223,7 @@ async function fetchLatestRelease() {
       version: tag.name.replace(/^v/, ''),
       tarballUrl: `https://api.github.com/repos/${GITHUB_REPO}/tarball/${tag.name}`,
       releaseUrl: `https://github.com/${GITHUB_REPO}/releases/tag/${tag.name}`,
+      assets: [],
     };
   }
 
@@ -301,7 +304,7 @@ async function loadReleaseManifest(sourceDir) {
 
 // ── Download & Install ─────────────────────────────────────
 // Direct file copy instead of running old install.mjs (avoids symlink overwrite in dev)
-async function downloadAndInstall(tarballUrl, expectedVersion) {
+async function downloadAndInstall(tarballUrl, expectedVersion, assets = []) {
   const tmpDir = join(tmpdir(), `claude-mem-lite-update-${Date.now()}`);
   try {
     mkdirSync(tmpDir, { recursive: true });
@@ -324,6 +327,17 @@ async function downloadAndInstall(tarballUrl, expectedVersion) {
       return false;
     }
 
+    // P1 supply-chain: cryptographically verify the release before installing.
+    // Opportunistic + inert until keyed — ok=false ONLY on a real tampering
+    // signal (signature present but invalid, or a file hash mismatch). Missing
+    // key / missing signature assets / fetch failure / escape hatch all proceed,
+    // so this never bricks auto-update for unsigned or pre-key releases.
+    const authentic = await verifyReleaseAuthenticity(tmpDir, assets);
+    if (!authentic.ok) {
+      debugLog('WARN', 'hook-update', `Release authenticity check failed (${authentic.action}) — aborting update`);
+      return false;
+    }
+
     return await installExtractedRelease(tmpDir);
   } catch (err) {
     debugCatch(err, 'downloadAndInstall');
@@ -372,6 +386,99 @@ export function validateExtractedTarball(sourceDir, expectedVersion, expectedNam
   return { ok: true };
 }
 
+// ── Release signature verification (P1 supply-chain hardening) ──────────────
+// Embedded Ed25519 PUBLIC key (SPKI PEM). EMPTY = unconfigured → verification is
+// INERT and auto-update behaves exactly as before. Activating it is a one-time
+// ops step (no private key ever ships in the repo):
+//   1. Generate a keypair (writes the PRIVATE key to a local file, prints PUBLIC):
+//        node -e "const c=require('crypto');const{publicKey,privateKey}=c.generateKeyPairSync('ed25519');process.stdout.write(publicKey.export({type:'spki',format:'pem'}));require('fs').writeFileSync('release-signing-key.pem',privateKey.export({type:'pkcs8',format:'pem'}))"
+//   2. Paste the printed PUBLIC key between the backticks below.
+//   3. Add the PRIVATE key (release-signing-key.pem contents) as the GitHub
+//      Actions secret RELEASE_SIGNING_KEY, then delete the local file.
+//      NEVER commit the private key.
+// Once a signed release exists, clients verify it; unsigned/older releases still
+// install (opportunistic). Signer: scripts/sign-release.mjs. Core: lib/release-digest.mjs.
+const RELEASE_PUBLIC_KEY = '';
+const MANIFEST_ASSET_NAME = 'release-manifest.json';
+const SIGNATURE_ASSET_NAME = 'release-manifest.json.sig';
+
+// Pure verifier (no I/O) — exported for unit testing. ok=true ONLY when the
+// Ed25519 signature over `manifestBytes` is valid for `publicKeyPem` AND every
+// file the manifest lists matches its sha256 under `extractedDir`.
+export function verifyDownloadedRelease(extractedDir, manifestBytes, signatureB64, publicKeyPem = RELEASE_PUBLIC_KEY) {
+  if (!verifyManifestSignature(manifestBytes, signatureB64, publicKeyPem)) {
+    return { ok: false, reason: 'signature-invalid' };
+  }
+  let manifest;
+  try {
+    manifest = JSON.parse(Buffer.isBuffer(manifestBytes) ? manifestBytes.toString('utf8') : String(manifestBytes));
+  } catch {
+    return { ok: false, reason: 'manifest-unparseable' };
+  }
+  const files = verifyReleaseFiles(extractedDir, manifest);
+  if (!files.ok) {
+    return { ok: false, reason: `file-mismatch: ${[...files.mismatches, ...files.missing].slice(0, 5).join(', ')}` };
+  }
+  return { ok: true, reason: 'verified' };
+}
+
+// Fetch a GitHub Release asset as a Buffer. Host-locked to github.com (the asset
+// browser_download_url); GitHub's own 302 to its CDN is followed by fetch.
+async function fetchAssetBuffer(url) {
+  if (!/^https:\/\/github\.com\/[\w./%~-]+$/.test(url || '')) {
+    throw new Error(`rejected asset url: ${url}`);
+  }
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
+  try {
+    const res = await fetch(url, { signal: controller.signal, redirect: 'follow' });
+    if (!res.ok) throw new Error(`HTTP ${res.status}`);
+    return Buffer.from(await res.arrayBuffer());
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+
+// I/O gate called from downloadAndInstall after validateExtractedTarball.
+// Two regimes, switched by whether a public key is embedded:
+//   • No embedded key (the shipped default, RELEASE_PUBLIC_KEY=''): INERT —
+//     skipped-no-pubkey so an un-provisioned key can never brick auto-update.
+//   • Key embedded (signing active): FAIL CLOSED — a missing signature asset, a
+//     signature-asset fetch failure, or an invalid signature all return ok=false.
+//     Once we publish signed releases, an attacker who can publish a release or MITM
+//     the asset CDN must not bypass verification by stripping the signature assets
+//     (the tags-fallback path also sends assets:[]). A transient fetch failure only
+//     defers the install to the next ~6h poll, not a permanent brick. (audit P1 #5)
+// The CLAUDE_MEM_SKIP_SIG_VERIFY escape hatch still forces a skip. publicKey is a
+// param (defaulting to the embedded constant) only so tests can exercise both regimes.
+export async function verifyReleaseAuthenticity(extractedDir, assets, publicKey = RELEASE_PUBLIC_KEY) {
+  if (process.env.CLAUDE_MEM_SKIP_SIG_VERIFY) return { ok: true, action: 'skipped-env' };
+  if (!publicKey) return { ok: true, action: 'skipped-no-pubkey' };
+
+  const list = Array.isArray(assets) ? assets : [];
+  const manifestAsset = list.find(a => a && a.name === MANIFEST_ASSET_NAME);
+  const sigAsset = list.find(a => a && a.name === SIGNATURE_ASSET_NAME);
+  if (!manifestAsset || !sigAsset) {
+    debugLog('WARN', 'hook-update', 'Signed-release mode: release carries no signature assets — refusing to install (possible downgrade/strip)');
+    return { ok: false, action: 'missing-signature' };
+  }
+
+  let manifestBytes, signatureB64;
+  try {
+    manifestBytes = await fetchAssetBuffer(manifestAsset.browser_download_url);
+    signatureB64 = (await fetchAssetBuffer(sigAsset.browser_download_url)).toString('utf8').trim();
+  } catch (e) {
+    // Can't fetch the signature → can't verify → don't install this cycle (retries next poll).
+    debugLog('WARN', 'hook-update', `Signed-release mode: signature asset fetch failed (${e.message}) — refusing to install this cycle`);
+    return { ok: false, action: 'signature-fetch-failed' };
+  }
+
+  const r = verifyDownloadedRelease(extractedDir, manifestBytes, signatureB64, publicKey);
+  if (!r.ok) return { ok: false, action: r.reason };
+  debugLog('DEBUG', 'hook-update', 'Release signature verified');
+  return { ok: true, action: 'verified' };
+}
+
 // opts.skipNpmInstall — copy + atomically switch the source files WITHOUT
 // running `npm install` in staging. Used by syncDataDirFromCache: when the
 // source is a local plugin-cache version (not a downloaded tarball), the

package/hook.mjs

@@ -27,7 +27,6 @@ import {
   extractErrorKeywords, extractFilePaths, isRelatedToEpisode,
   makeEntryDesc, scrubSecrets, stripPrivate, EDIT_TOOLS, debugCatch, debugLog,
   COMPRESSED_AUTO, COMPRESSED_PENDING_PURGE, OBS_BM25,
-  computeMinHash, estimateJaccardFromMinHash, jaccardSimilarity,
 } from './utils.mjs';
 import {
   readEpisodeRaw, episodeFile,
@@ -43,11 +42,11 @@ import {
   sessionFile, getSessionId, createSessionId, openDb,
   spawnBackground, sweepOrphanEpisodeFiles,
 } from './hook-shared.mjs';
-import { handleLLMEpisode, handleLLMSummary, saveObservation, buildImmediateObservation } from './hook-llm.mjs';
+import { handleLLMEpisode, handleLLMSummary, saveObservation, buildImmediateObservation, saveEpisodeImmediate } from './hook-llm.mjs';
 import { scrubRecord } from './lib/scrub-record.mjs';
 import { formatHookError } from './lib/native-binding-hint.mjs';
 import { selectCompressionCandidates, groupByProjectWeek, compressGroup } from './lib/compress-core.mjs';
-import { cleanupBroken, decayAndMarkIdle, boostAccessed } from './lib/maintain-core.mjs';
+import { cleanupBroken, decayAndMarkIdle, boostAccessed, selectFuzzyDedupeIds } from './lib/maintain-core.mjs';
 import {
   extractCitationsFromTranscript,
   extractAllInjected,
@@ -66,7 +65,6 @@ import { handleLLMOptimize } from './hook-optimize.mjs';
 import { silentAutoAdopt, hasAutoAdoptMarker } from './adopt-cli.mjs';
 import { emitV270UpgradeBanner } from './lib/upgrade-banner.mjs';
 import { loadCiteBackForEpisode, extractCiteBackSignals, buildUnsavedBugfixHint, countUnsavedBugfixShape, buildCiteRecallNudge as libBuildCiteRecallNudge, nextCiteLowStreak } from './lib/cite-back-hint.mjs';
-import { MINHASH_PREFILTER, FUZZY_DEDUP_THRESHOLD } from './lib/dedup-constants.mjs';
 // plugin-cache-guard.mjs loaded dynamically — pre-2.31.2 installs that auto-upgraded
 // from an older hook-update.mjs SOURCE_FILES (which did not list this module) would
 // crash on static import. Degrade gracefully to no-op when the module is absent.
@@ -115,6 +113,10 @@ for (const sig of ['SIGTERM', 'SIGINT']) {
       try {
         const ep = readEpisodeRaw();
         if (ep && ep.entries && ep.entries.length > 0) {
+          // Persist a rule-based observation synchronously BEFORE writing the flush
+          // file — that file has no consumer, so this is the only thing that prevents
+          // the in-flight episode being lost on abnormal termination (audit #6).
+          saveEpisodeImmediate(ep);
           const flushFile = join(RUNTIME_DIR, `ep-flush-${Date.now()}-${randomUUID().slice(0, 8)}.json`);
           writeFileSync(flushFile, JSON.stringify(ep));
           try { unlinkSync(join(RUNTIME_DIR, `ep-${inferProject()}.json`)); } catch {}
@@ -788,7 +790,7 @@ function runSessionStartAutoMaintain(db) {
         const SCAN_LIMIT = 500;
         const FUZZY_MAX_MERGES = 20;
         const recent = db.prepare(`
-          SELECT id, title, importance, created_at_epoch
+          SELECT id, title, importance, created_at_epoch, narrative, text
           FROM observations
           WHERE COALESCE(compressed_into, 0) = 0
             AND superseded_at IS NULL
@@ -797,24 +799,14 @@ function runSessionStartAutoMaintain(db) {
           ORDER BY created_at_epoch DESC LIMIT ${SCAN_LIMIT}
         `).all(STALE_AGE);
         if (recent.length >= 2) {
-          const titles = recent.map(r => r.title.trim());
-          const minhashes = titles.map(t => t ? computeMinHash(t) : null);
-          const fuzzyRemoveIds = [];
-          const removed = new Set();
-          outer: for (let i = 0; i < recent.length; i++) {
-            if (!minhashes[i] || removed.has(recent[i].id)) continue;
-            for (let j = i + 1; j < recent.length; j++) {
-              if (!minhashes[j] || removed.has(recent[j].id)) continue;
-              if (estimateJaccardFromMinHash(minhashes[i], minhashes[j]) < MINHASH_PREFILTER) continue;
-              if (jaccardSimilarity(titles[i], titles[j]) < FUZZY_DEDUP_THRESHOLD) continue;
-              // Keep the higher-importance row; tiebreak by older (lower id wins access history)
-              const keep = (recent[i].importance ?? 1) >= (recent[j].importance ?? 1) ? recent[i] : recent[j];
-              const remove = keep === recent[i] ? recent[j] : recent[i];
-              fuzzyRemoveIds.push(remove.id);
-              removed.add(remove.id);
-              if (fuzzyRemoveIds.length >= FUZZY_MAX_MERGES) break outer;
-            }
-          }
+          // audit #8: supersede only when title AND body match — title-only (a word-SET
+          // metric) collapsed distinct observations sharing a title token-set. The
+          // selection is the shared pure core in lib/maintain-core (unit-tested there).
+          const rows = recent.map(r => ({
+            id: r.id, title: r.title, importance: r.importance,
+            body: (r.narrative && r.narrative.trim()) || (r.text && r.text.trim()) || '',
+          }));
+          const fuzzyRemoveIds = selectFuzzyDedupeIds(rows, { maxMerges: FUZZY_MAX_MERGES });
           if (fuzzyRemoveIds.length > 0) {
             const ph = fuzzyRemoveIds.map(() => '?').join(',');
             db.prepare(`UPDATE observations SET superseded_at = ?, superseded_by = 'auto-dedup-fuzzy' WHERE id IN (${ph})`)

package/lib/dedup-constants.mjs

@@ -33,3 +33,10 @@ export const MINHASH_PREFILTER = 0.7;
 // 0.95: strict title-Jaccard cutoff for the hook post-inject fuzzy-dedup pass — only
 // collapse near-identical titles inline; anything softer waits for the maintain sweep.
 export const FUZZY_DEDUP_THRESHOLD = 0.95;
+
+// 0.5: companion BODY-Jaccard floor for the hook fuzzy-dedup pass (audit #8). Titles
+// alone are a word-SET metric, so two distinct observations sharing a title token-set
+// ("Fix auth bug in login.mjs" vs "Fix login.mjs auth bug") would collapse and hide
+// one body. Requiring the narratives to also overlap means only a genuine re-save of
+// the same event (near-identical body) supersedes; distinct bodies are kept.
+export const FUZZY_BODY_THRESHOLD = 0.5;

package/lib/err-sampler.mjs

@@ -15,7 +15,7 @@
 // Gated entirely by CLAUDE_MEM_CATCH_SAMPLE env (0..1). Default off. All
 // failures inside the sampler are swallowed — never crash the caller.
 
-import { appendFileSync, mkdirSync, existsSync } from 'fs';
+import { appendFileSync, mkdirSync, existsSync, readdirSync, statSync, unlinkSync } from 'fs';
 import { join } from 'path';
 import { scrubSecrets } from '../secret-scrub.mjs';
 
@@ -32,6 +32,22 @@ function parseSampleRate(raw) {
   return Number.isFinite(n) && n >= 0 && n <= 1 ? n : 0;
 }
 
+// Delete daily shards older than the retention window. Mirrors
+// lib/hook-telemetry.pruneOldShards (the sibling JSONL sink). Without this the
+// retention constant was dead and errors/ grew one shard/day forever once
+// CLAUDE_MEM_CATCH_SAMPLE was set — a slow unbounded leak in the user data dir.
+function pruneOldShards(dir) {
+  let entries;
+  try { entries = readdirSync(dir); } catch { return; }
+  const cutoff = Date.now() - SAMPLE_LOG_RETENTION_MS;
+  for (const f of entries) {
+    if (!/^\d{4}-\d{2}-\d{2}\.jsonl$/.test(f)) continue;
+    try {
+      if (statSync(join(dir, f)).mtimeMs < cutoff) unlinkSync(join(dir, f));
+    } catch { /* gone or unreadable — skip */ }
+  }
+}
+
 /**
  * Sample one caught error into the daily JSONL log.
  * @param {Error|unknown} e    Caught error
@@ -59,6 +75,7 @@ export function maybeSampleError(e, ctx, dbDir) {
     }) + '\n';
 
     appendFileSync(join(errDir, `${today()}.jsonl`), line, { mode: 0o600 });
+    pruneOldShards(errDir);
   } catch { /* sampler must never throw */ }
 }
 

package/lib/maintain-core.mjs

@@ -14,7 +14,7 @@
 
 import { COMPRESSED_PENDING_PURGE, computeMinHash, estimateJaccardFromMinHash, jaccardSimilarity } from '../utils.mjs';
 import { rebuildVocabulary, computeVector, _resetVocabCache } from '../tfidf.mjs';
-import { DEDUP_JACCARD_THRESHOLD, MINHASH_PRE_THRESHOLD as MINHASH_PRE_THRESHOLD_SRC } from './dedup-constants.mjs';
+import { DEDUP_JACCARD_THRESHOLD, MINHASH_PRE_THRESHOLD as MINHASH_PRE_THRESHOLD_SRC, FUZZY_DEDUP_THRESHOLD, FUZZY_BODY_THRESHOLD, MINHASH_PREFILTER } from './dedup-constants.mjs';
 
 export const STALE_AGE_MS = 30 * 86400000;
 export const OP_CAP = 1000;
@@ -28,6 +28,57 @@ export const MINHASH_PRE_THRESHOLD = MINHASH_PRE_THRESHOLD_SRC;
 // the regular decay op can't touch (decay protects injection_count>0).
 export const PINNED_INJ_THRESHOLD = 8;
 
+// Two trimmed bodies count as "the same body" when both are empty (a genuine
+// no-body re-save) or their word-set Jaccard clears the floor. One-empty-one-not
+// is treated as DISTINCT so a body-bearing observation is never hidden by a
+// body-less peer that merely shares its title.
+function bodiesSimilar(a, b, threshold) {
+  const ba = (a || '').trim();
+  const bb = (b || '').trim();
+  if (!ba && !bb) return true;
+  if (!ba || !bb) return false;
+  return jaccardSimilarity(ba, bb) >= threshold;
+}
+
+/**
+ * Pick which near-duplicate observation ids to supersede in the hook fuzzy-dedup
+ * pass. Pure (no DB) so it is unit-testable. A pair must clear BOTH the title
+ * thresholds (MinHash prefilter → exact title Jaccard) AND the body Jaccard floor
+ * before the lower-importance row is marked for superseding (audit #8 — title-only
+ * matching collapsed observations with the same title token-set but different bodies).
+ * @param {Array<{id:number,title:string,body:string,importance:number}>} rows
+ *        Candidate rows in scan order (caller decides ordering / recency window).
+ * @returns {number[]} ids to supersede (lower-importance member of each kept pair).
+ */
+export function selectFuzzyDedupeIds(rows, {
+  titleThreshold = FUZZY_DEDUP_THRESHOLD,
+  bodyThreshold = FUZZY_BODY_THRESHOLD,
+  minhashPrefilter = MINHASH_PREFILTER,
+  maxMerges = 20,
+} = {}) {
+  const removeIds = [];
+  if (!Array.isArray(rows) || rows.length < 2) return removeIds;
+  const removed = new Set();
+  const titles = rows.map(r => (r.title || '').trim());
+  const minhashes = titles.map(t => t ? computeMinHash(t) : null);
+  outer: for (let i = 0; i < rows.length; i++) {
+    if (!minhashes[i] || removed.has(rows[i].id)) continue;
+    for (let j = i + 1; j < rows.length; j++) {
+      if (!minhashes[j] || removed.has(rows[j].id)) continue;
+      if (estimateJaccardFromMinHash(minhashes[i], minhashes[j]) < minhashPrefilter) continue;
+      if (jaccardSimilarity(titles[i], titles[j]) < titleThreshold) continue;
+      if (!bodiesSimilar(rows[i].body, rows[j].body, bodyThreshold)) continue;
+      // Keep the higher-importance row; tiebreak by earlier scan position (kept as i).
+      const keep = (rows[i].importance ?? 1) >= (rows[j].importance ?? 1) ? rows[i] : rows[j];
+      const remove = keep === rows[i] ? rows[j] : rows[i];
+      removeIds.push(remove.id);
+      removed.add(remove.id);
+      if (removeIds.length >= maxMerges) break outer;
+    }
+  }
+  return removeIds;
+}
+
 /** Delete broken observations (no title AND no narrative). Returns rows deleted. */
 // Before hard-deleting observations, un-hide any rows merged INTO them. A child has
 // compressed_into = <keeperId>; deleting that keeper (compressed_into has no FK) would

package/lib/release-digest.mjs

@@ -0,0 +1,106 @@
+// lib/release-digest.mjs — shared release-signing core (P1 supply-chain hardening).
+//
+// One source of truth for BOTH sides of the auto-update authenticity check so the
+// CI signer and the runtime verifier can never drift:
+//   * scripts/sign-release.mjs (CI) — builds the manifest, serializes it, signs
+//     the EXACT serialized bytes with an Ed25519 private key (a GitHub secret),
+//     and uploads release-manifest.json (+ .sig) as GitHub Release assets.
+//   * hook-update.mjs (client) — downloads those assets, verifies the signature
+//     over the downloaded manifest bytes with an EMBEDDED public key, then checks
+//     each extracted file's sha256 against the signed manifest.
+//
+// Why content hashes, not a tarball-byte hash: GitHub's on-the-fly git-archive
+// tarballs are not guaranteed byte-stable over time, but the FILE CONTENTS at a
+// tag are (they are the git blobs). Hashing the extracted files sidesteps the
+// archive-byte-stability problem entirely.
+//
+// Why verify over the downloaded file bytes (not a re-serialization): the client
+// verifies the signature against the manifest bytes exactly as downloaded and
+// only THEN parses it — so there is no canonical-JSON drift between signer and
+// verifier. serializeManifest() exists so CI writes precisely what it signs.
+//
+// Pure Node built-ins (node:crypto Ed25519) — zero dependencies, no `gh`/cosign
+// needed on the user's machine, works in the silent SessionStart hook.
+
+import { createHash, verify as cryptoVerify } from 'node:crypto';
+import { readFileSync, existsSync } from 'node:fs';
+import { join } from 'node:path';
+
+const PACKAGE_NAME = 'claude-mem-lite';
+
+export function sha256Hex(buf) {
+  return createHash('sha256').update(buf).digest('hex');
+}
+
+export function sha256File(absPath) {
+  return sha256Hex(readFileSync(absPath));
+}
+
+/**
+ * Build a release manifest: { name, version, algo, files: { <relPath>: <sha256> } }.
+ * Only files that exist under rootDir are listed; keys are sorted so the
+ * serialization is deterministic regardless of fileList order.
+ *
+ * @param {string} rootDir   Extracted release root (or CI checkout root)
+ * @param {string[]} fileList Relative paths to hash (typically SOURCE_FILES)
+ * @param {string} version   Release version (for the manifest body)
+ */
+export function buildReleaseManifest(rootDir, fileList, version) {
+  const files = {};
+  for (const rel of [...fileList].sort()) {
+    const abs = join(rootDir, rel);
+    if (existsSync(abs)) files[rel] = sha256File(abs);
+  }
+  return { name: PACKAGE_NAME, version, algo: 'sha256', files };
+}
+
+/**
+ * Deterministic byte serialization. CI writes EXACTLY this to
+ * release-manifest.json and signs these bytes; the client verifies the signature
+ * against the downloaded file bytes (it does not re-serialize), so signer and
+ * verifier cannot disagree on canonical form.
+ */
+export function serializeManifest(manifest) {
+  return JSON.stringify(manifest, null, 2) + '\n';
+}
+
+/**
+ * Verify every file the manifest lists matches its signed sha256 on disk.
+ * Returns { ok, mismatches: string[], missing: string[] }.
+ * A content change → mismatches; a manifest-listed file absent → missing.
+ * Both are failures (ok=false).
+ */
+export function verifyReleaseFiles(rootDir, manifest) {
+  const mismatches = [];
+  const missing = [];
+  const files = (manifest && manifest.files) || {};
+  for (const [rel, expected] of Object.entries(files)) {
+    const abs = join(rootDir, rel);
+    if (!existsSync(abs)) { missing.push(rel); continue; }
+    if (sha256File(abs) !== expected) mismatches.push(rel);
+  }
+  return { ok: mismatches.length === 0 && missing.length === 0, mismatches, missing };
+}
+
+/**
+ * Verify an Ed25519 signature over the manifest bytes. Never throws — a malformed
+ * key/signature/algorithm returns false so callers can treat "can't verify" the
+ * same as "invalid" without a try/catch at every call site.
+ *
+ * @param {Buffer|string} manifestBytes The EXACT manifest bytes that were signed
+ * @param {string} signatureB64         Base64-encoded Ed25519 signature
+ * @param {string} publicKeyPem         SPKI PEM public key
+ * @returns {boolean}
+ */
+export function verifyManifestSignature(manifestBytes, signatureB64, publicKeyPem) {
+  try {
+    if (!publicKeyPem || !signatureB64) return false;
+    const data = Buffer.isBuffer(manifestBytes) ? manifestBytes : Buffer.from(manifestBytes);
+    const sig = Buffer.from(signatureB64, 'base64');
+    if (sig.length === 0) return false;
+    // `null` algorithm = Ed25519 (the key type carries the algorithm in Node).
+    return cryptoVerify(null, data, publicKeyPem, sig);
+  } catch {
+    return false;
+  }
+}

package/lib/search-core.mjs

@@ -428,7 +428,10 @@ export async function coreRunSearchPipeline(ctx, opts) {
     const doReRank = rerankPolicy === 'mcp' ? (ftsQuery && !deepReranked) : !deepReranked;
     if (doReRank) reRankWithContext(db, obsResults, rerankProject);
     markSuperseded(obsResults);
-    const doReSort = rerankPolicy === 'mcp' ? (ftsQuery && !deepReranked) : isCrossSource;
+    // CLI single-source path must also re-sort when a context re-rank actually ran,
+    // else reRankWithContext's score boost mutates scores but never reorders output
+    // (audit #9). MCP branch unchanged. doReRank already implies a rerank happened.
+    const doReSort = rerankPolicy === 'mcp' ? (ftsQuery && !deepReranked) : (isCrossSource || doReRank);
     if (doReSort) results.sort((a, b) => (a.score ?? 0) - (b.score ?? 0));
   }
 

package/mem-cli.mjs

@@ -57,6 +57,11 @@ async function cmdSearch(db, args, { llm } = {}) {
     return;
   }
 
+  // Bare string flags parse to boolean `true`; without this guard `--branch` reaches
+  // the SQLite bind and crashes, while `--to`/`--project` silently change results
+  // (epoch-1 upper bound → zero rows; unscoped search). (audit P1 #3)
+  if (rejectBareStringFlags(flags, ['source', 'project', 'from', 'to', 'branch'])) return;
+
   const limit = parseIntFlag(flags.limit, { name: '--limit', defaultValue: 20, max: 1000 });
   const type = flags.type || null;
   const validObsTypes = new Set(['decision', 'bugfix', 'feature', 'refactor', 'discovery', 'change']);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-mem-lite",
-  "version": "3.7.1",
+  "version": "3.9.0",
   "description": "Persistent long-term memory for Claude Code via MCP — captures coding decisions, bugfixes, and context across sessions. Hybrid FTS5 + TF-IDF search with episode batching. Single SQLite DB, no external services. A lighter, lower-cost alternative to claude-mem (episode batching + a smaller model; cost savings are an internal estimate, not a measured benchmark).",
   "type": "module",
   "packageManager": "npm@10.9.2",
@@ -73,6 +73,7 @@
     "lib/binding-probe.mjs",
     "lib/proc-lock.mjs",
     "lib/atomic-write.mjs",
+    "lib/release-digest.mjs",
     "lib/mem-override.mjs",
     "lib/save-observation.mjs",
     "lib/observation-write.mjs",

package/registry.mjs

@@ -110,7 +110,7 @@ const TRIGGERS_SCHEMA = `
 const INVOCATIONS_SCHEMA = `
   CREATE TABLE IF NOT EXISTS invocations (
     id            INTEGER PRIMARY KEY AUTOINCREMENT,
-    resource_id   INTEGER NOT NULL REFERENCES resources(id),
+    resource_id   INTEGER NOT NULL REFERENCES resources(id) ON DELETE CASCADE,
     session_id    TEXT,
     trigger       TEXT CHECK(trigger IN ('session_start','pre_tool_use','user_explicit','user_prompt')),
     tier          INTEGER CHECK(tier IN (1,2,3)),
@@ -195,11 +195,19 @@ export function ensureRegistryDb(dbPath) {
   } catch (e) { debugCatch(e, 'resources-column-migration'); }
 
   // Migrate: add 'github' to source CHECK constraint (required for smart import)
-  // Must disable FK checks during table recreation (RENAME triggers FK validation)
+  // Must disable FK checks during table recreation (RENAME triggers FK validation).
+  // legacy_alter_table=ON is REQUIRED: under modern SQLite (the better-sqlite3
+  // default) `ALTER TABLE resources RENAME TO resources_old` rewrites child-table FK
+  // references, so invocations.resource_id would become `REFERENCES resources_old`
+  // and the trailing DROP would leave it dangling — silently killing every future
+  // `INSERT INTO invocations` (audit P0 #1). Legacy mode keeps child FKs pointing at
+  // the original name, which the freshly-created `resources` table then satisfies.
+  let resourcesRebuilt = false;
   try {
     const resSchema = db.prepare(`SELECT sql FROM sqlite_master WHERE type='table' AND name='resources'`).get();
     if (resSchema?.sql && !resSchema.sql.includes("'github'")) {
       db.pragma('foreign_keys = OFF');
+      db.pragma('legacy_alter_table = ON');
       try {
         db.transaction(() => {
           const hasOld = db.prepare(`SELECT 1 FROM sqlite_master WHERE type='table' AND name='resources_old'`).get();
@@ -216,10 +224,18 @@ export function ensureRegistryDb(dbPath) {
           const common = cols.filter(c => newCols.has(c)).join(', ');
           db.exec(`INSERT INTO resources (${common}) SELECT ${common} FROM resources_old`);
           db.exec(`DROP TABLE resources_old`);
+          // Recreate the table's indexes: the CREATE INDEX IF NOT EXISTS inside
+          // RESOURCES_SCHEMA above was SKIPPED while resources_old still held the
+          // index names, so the rebuilt table had NONE — including the UNIQUE
+          // idx_res_type_name that upsertResource's ON CONFLICT(type,name) requires
+          // (review HIGH-1; pre-existing, closed here). Names are free post-DROP.
+          db.exec(RESOURCES_SCHEMA);
         })();
       } finally {
+        db.pragma('legacy_alter_table = OFF');
         db.pragma('foreign_keys = ON');
       }
+      resourcesRebuilt = true;
     }
   } catch (e) { debugCatch(e, 'resources-source-check-migration'); }
 
@@ -231,6 +247,16 @@ export function ensureRegistryDb(dbPath) {
   // Triggers: always ensure (IF NOT EXISTS) — fixes DBs where FTS5 was created without triggers
   db.exec(TRIGGERS_SCHEMA);
 
+  // The source-CHECK migration replaced the `resources` content table out from under
+  // the external-content FTS index (content=resources), leaving resources_fts stale.
+  // Rebuild it so a later DELETE's res_fts_delete trigger doesn't throw "database disk
+  // image is malformed" against the mismatched index. Gated on the migration actually
+  // having run so we don't rebuild on every open.
+  if (resourcesRebuilt) {
+    try { db.exec("INSERT INTO resources_fts(resources_fts) VALUES('rebuild')"); }
+    catch (e) { debugCatch(e, 'resources-fts-rebuild-after-source-check'); }
+  }
+
   db.exec(INVOCATIONS_SCHEMA);
 
   // Migrate invocations CHECK constraint: add 'user_prompt' trigger value
@@ -281,10 +307,44 @@ export function ensureRegistryDb(dbPath) {
     }
   } catch (e) { debugCatch(e, 'rejection_reason-migration'); }
 
-  // Migrate: ensure composite index on invocations(resource_id, created_at) for correlated subqueries
+  // Migrate: add ON DELETE CASCADE to invocations.resource_id (audit P0 #4). Old DBs
+  // declared the FK with no ON DELETE action, so deleting a resource that had
+  // invocation history threw SQLITE_CONSTRAINT_FOREIGNKEY (registry remove /
+  // mem_registry delete) or silently no-op'd (dead-repo purge). SQLite can't ALTER an
+  // FK, so rebuild the table. Renaming the CHILD table is safe (nothing references
+  // invocations), so legacy_alter_table is not a concern here. Runs after the
+  // rejection_reason ADD COLUMN so the column exists in both old and new tables.
   try {
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_invocations_resource_created ON invocations(resource_id, created_at)`);
-  } catch (e) { debugCatch(e, 'invocations-resource-created-index-migration'); }
+    const schema = db.prepare(`SELECT sql FROM sqlite_master WHERE type='table' AND name='invocations'`).get();
+    if (schema?.sql && !/ON DELETE CASCADE/i.test(schema.sql)) {
+      db.transaction(() => {
+        const hasOld = db.prepare(`SELECT 1 FROM sqlite_master WHERE type='table' AND name='invocations_old'`).get();
+        if (hasOld) db.exec(`DROP TABLE invocations_old`);
+        db.exec(`ALTER TABLE invocations RENAME TO invocations_old`);
+        db.exec(INVOCATIONS_SCHEMA);
+        // Omit rejection_reason from the copy (matching the CHECK migrations above):
+        // it was historically a bare TEXT with NO CHECK, so an old row could hold a
+        // value outside INVOCATIONS_SCHEMA's current rejection_reason CHECK whitelist.
+        // Copying it would throw SQLITE_CONSTRAINT_CHECK → rollback → the FK is left
+        // un-cascaded forever and every retry re-fails (review HIGH-2). The column is
+        // never written at runtime, so copied rows get NULL — no data loss.
+        db.exec(`INSERT INTO invocations
+          (id, resource_id, session_id, trigger, tier, recommended, adopted, outcome, score, created_at)
+          SELECT id, resource_id, session_id, trigger, tier, recommended, adopted, outcome, score, created_at
+          FROM invocations_old`);
+        db.exec(`DROP TABLE invocations_old`);
+        // Recreate the table's indexes — the INVOCATIONS_SCHEMA CREATE INDEX above was
+        // skipped while invocations_old held the names (review HIGH-1). Free post-DROP.
+        db.exec(INVOCATIONS_SCHEMA);
+      })();
+    }
+  } catch (e) { debugCatch(e, 'invocations-ondelete-cascade-migration'); }
+
+  // (Removed the separate idx_invocations_resource_created migration — it was a column-
+  // identical duplicate of idx_inv_resource (resource_id, created_at) in INVOCATIONS_SCHEMA.
+  // It only ever survived because the rebuild migrations dropped idx_inv_resource; now that
+  // the rebuilds recreate their indexes (review HIGH-1), the duplicate is pure dead weight.
+  // Pre-existing DBs keep their old idx_invocations_resource_created; it's harmless.)
 
   db.exec(PREINSTALLED_SCHEMA);
 

package/scripts/setup.sh

@@ -86,6 +86,7 @@ mark_deps_broken() {
   # having to re-derive them. Delegate JSON serialization to node so embedded
   # quotes / shell metachars in $ROOT or $reason can't produce an invalid file
   # (bash `printf '"..%s.."'` cannot escape arbitrary strings safely; v2.79.1 fix).
+  # shellcheck disable=SC2016  # node script single-quoted on purpose; vars passed via env (MARK_*), not shell expansion
   MARK_REASON="$reason" MARK_ROOT="$ROOT" MARK_FLAG="$DEPS_FLAG" node -e '
     const fs = require("fs");
     const reason = process.env.MARK_REASON || "unknown";
@@ -141,6 +142,7 @@ fi
 #    versions; same shape as the .deps-broken self-heal pattern.
 MCP_MIGRATION="$DATA_DIR/runtime/.mcp-dedup-v2.78"
 if [[ -n "${CLAUDE_PLUGIN_ROOT:-}" && ! -f "$MCP_MIGRATION" ]]; then
+  # shellcheck disable=SC2016  # node script single-quoted on purpose; CLAUDE_JSON passed via env, not shell expansion
   CLAUDE_JSON="$HOME/.claude.json" node -e '
     const fs = require("fs");
     let changed = false;

package/secret-scrub.mjs

@@ -1,6 +1,8 @@
 // claude-mem-lite: Secret pattern detection and scrubbing
 // Extracted from utils.mjs for focused responsibility
 
+import { stripPrivate } from './lib/private-strip.mjs';
+
 // ─── Secret Patterns ──────────────────────────────────────────────────────
 
 export const SECRET_PATTERNS = [
@@ -28,7 +30,28 @@ export const SECRET_PATTERNS = [
   // access_token / refresh_token are the canonical OAuth2 field names — they were
   // missing from this KV list (drift vs the JSON list below). `(?:\b|_)` for the same
   // underscore-prefix reason.
-  [/((?:\b|_)(?:api[_-]?key|api[_-]?secret|secret[_-]?key|access[_-]?key|private[_-]?key|client[_-]?secret|auth[_-]?token|access[_-]?token|refresh[_-]?token)\s*[=:]\s*)(?!process\.env\.)(?!new\s)(?!\w+\()(?!(?:null|undefined|true|false|None|nil|empty|""|''|0)\b)[^\s,;'"}\]]{6,}/gi, '$1***'],
+  // `pgpassword|pgpass|mysql_pwd` are well-known credential ENV-VAR names whose
+  // keyword tail is unreachable via the noun list above (`PGPASSWORD`=PG+password has
+  // no \b/_ before "password"; `MYSQL_PWD` has no "password"/"token" substring). They
+  // live in THIS pattern (no prose lookbehind) so `export PGPASSWORD=x` / `env MYSQL_PWD=x`
+  // scrub — a compound credential env-var name is unambiguous config even after a word.
+  // Enumerating known names (not a blanket letter-prefix) preserves the deliberate
+  // low-FP decision that `topsecret=` / `access_token_count:` are non-credentials
+  // (#8283 + utils.test.mjs:1089-1100); bare `pwd` is omitted so `PWD=` (a path) survives.
+  [/((?:\b|_)(?:api[_-]?key|api[_-]?secret|secret[_-]?key|access[_-]?key|private[_-]?key|client[_-]?secret|auth[_-]?token|access[_-]?token|refresh[_-]?token|pgpassword|pgpass|mysql_pwd)\s*[=:]\s*)(?!process\.env\.)(?!new\s)(?!\w+\()(?!(?:null|undefined|true|false|None|nil|empty|""|''|0)\b)[^\s,;'"}\]]{6,}/gi, '$1***'],
+  // Bare-key QUOTED values — `api_key="..."`, `password: '...'`. The unquoted KV
+  // patterns above stop at `'`/`"` (excluded from their value class), so a quoted
+  // value matched 0 chars and slipped through. Consumes the opening quote, the value,
+  // and the matching close quote (backref \2), replacing only the value. Unlike the
+  // JSON pattern below it does NOT require the KEY to be quoted, covering `key="value"`
+  // object-literal / YAML / quoted-.env shapes. Split into the SAME two patterns as the
+  // unquoted KV pairs above so prose survives — a quoted value does not turn prose into
+  // config (`the token: "x"` is still prose, must NOT scrub; #8283 / utils.test.mjs:1090).
+  //   (a) bare credential nouns keep the prose lookbehind:
+  [/((?<![A-Za-z][ \t])(?:\b|_)(?:password|passwd|token|bearer|secret)\s*[=:]\s*)(['"])[^'"]{6,}\2/gi, '$1$2***$2'],
+  //   (b) structured keys + named env vars are unambiguous config even after a word
+  //       (`see api_key: "x"` DOES scrub, mirroring the unquoted structured-key path):
+  [/((?:\b|_)(?:pgpassword|pgpass|mysql_pwd|api[_-]?key|api[_-]?secret|secret[_-]?key|access[_-]?key|private[_-]?key|client[_-]?secret|auth[_-]?token|access[_-]?token|refresh[_-]?token)\s*[=:]\s*)(['"])[^'"]{6,}\2/gi, '$1$2***$2'],
   // AWS access keys (AKIA...)
   [/\bAKIA[A-Z0-9]{16}\b/g, '***'],
   // OpenAI / Anthropic keys (sk-...) — specific prefixes have lower length threshold
@@ -94,12 +117,15 @@ export const SECRET_PATTERNS = [
 
 /**
  * Scrub known secret patterns (API keys, tokens, credentials) from text.
+ * Also strips user-marked `<private>...</private>` blocks first, so every
+ * persistence/log path that scrubs secrets inherits the `<private>` opt-out —
+ * previously stripPrivate ran only on the user-prompt hook, not on writes.
  * @param {string} text Input text potentially containing secrets
  * @returns {string} Text with secrets replaced by '***'
  */
 export function scrubSecrets(text) {
   if (!text || typeof text !== 'string') return text || '';
-  let result = text;
+  let result = stripPrivate(text);
   for (const [pattern, replacement] of SECRET_PATTERNS) {
     result = result.replace(pattern, replacement);
   }

package/source-files.mjs

@@ -73,6 +73,10 @@ export const SOURCE_FILES = [
   // + auto-update lock). Must ship or a partial install/update skips them.
   'lib/proc-lock.mjs',
   'lib/atomic-write.mjs',
+  // P1 supply-chain: shared release-signing core (sha256 manifest + Ed25519
+  // verify). Imported by hook-update.mjs (verify) + scripts/sign-release.mjs (CI
+  // sign). Must ship or auto-update can't verify release signatures.
+  'lib/release-digest.mjs',
   // v2.41 god-module split — mem-cli.mjs router + per-cmd handlers under cli/
   'cli/common.mjs',
   'cli/fts-check.mjs',