claude-mem-lite 3.8.0 → 3.9.1

package/.claude-plugin/marketplace.json

@@ -10,7 +10,7 @@
   "plugins": [
     {
       "name": "claude-mem-lite",
-      "version": "3.8.0",
+      "version": "3.9.1",
       "source": "./",
       "description": "Persistent long-term memory for Claude Code via MCP — captures coding decisions, bugfixes, and context across sessions. Hybrid FTS5 + TF-IDF search with episode batching. Single SQLite DB, no external services. A lighter, lower-cost alternative to claude-mem (episode batching + a smaller model; cost savings are an internal estimate, not a measured benchmark)."
     }

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-mem-lite",
-  "version": "3.8.0",
+  "version": "3.9.1",
   "description": "Persistent long-term memory for Claude Code via MCP — captures coding decisions, bugfixes, and context across sessions. Hybrid FTS5 + TF-IDF search with episode batching. Single SQLite DB, no external services. A lighter, lower-cost alternative to claude-mem (episode batching + a smaller model; cost savings are an internal estimate, not a measured benchmark).",
   "author": {
     "name": "sdsrss"

package/hook-llm.mjs

@@ -20,6 +20,7 @@ import {
 } from './hook-shared.mjs';
 import { EVENT_TYPES, saveEvent } from './lib/activity.mjs';
 import { isNoiseObservation, capNoiseImportance, isLowYieldChangeObs } from './lib/low-signal-patterns.mjs';
+import { episodeHasSignificantContent } from './hook-episode.mjs';
 
 // T9: memdir-incompatible types live in the `events` table, not `observations`.
 // Set lookup is O(1) — authoritative source is lib/activity.mjs::EVENT_TYPES.
@@ -467,6 +468,24 @@ export function buildDegradedTitle(episode) {
     .trim();
 }
 
+// Best-effort SYNCHRONOUS persist of an episode's rule-based observation. Shared by
+// the normal flush and the SIGTERM/SIGINT shutdown handler. The ep-flush-* file the
+// shutdown handler writes has NO consumer (only spawnBackground-passed files are
+// processed), so without this the in-flight episode is silently lost on abnormal
+// termination — and spawning a detached child from a dying process is unreliable, so
+// the save must be synchronous (audit #6). Never throws; returns the obs id or null.
+export function saveEpisodeImmediate(episode, externalDb) {
+  try {
+    if (!episode || !Array.isArray(episode.entries) || episode.entries.length === 0) return null;
+    if (!episodeHasSignificantContent(episode)) return null;
+    const obs = buildImmediateObservation(episode);
+    return saveObservation(obs, episode.project, episode.sessionId, externalDb) || null;
+  } catch (e) {
+    debugCatch(e, 'saveEpisodeImmediate');
+    return null;
+  }
+}
+
 /**
  * Build a rule-based observation from episode metadata for immediate DB persistence.
  * Used as pre-save (before LLM) and as fallback when LLM is unavailable.

package/hook-update.mjs

@@ -440,20 +440,27 @@ async function fetchAssetBuffer(url) {
 }
 
 // I/O gate called from downloadAndInstall after validateExtractedTarball.
-// Opportunistic: returns ok=false ONLY on a genuine tampering signal. Missing
-// embedded key, missing signature assets, asset-fetch failure, or the
-// CLAUDE_MEM_SKIP_SIG_VERIFY escape hatch all return ok=true so a verification
-// gap can never permanently brick auto-update.
-export async function verifyReleaseAuthenticity(extractedDir, assets) {
+// Two regimes, switched by whether a public key is embedded:
+//   • No embedded key (the shipped default, RELEASE_PUBLIC_KEY=''): INERT —
+//     skipped-no-pubkey so an un-provisioned key can never brick auto-update.
+//   • Key embedded (signing active): FAIL CLOSED — a missing signature asset, a
+//     signature-asset fetch failure, or an invalid signature all return ok=false.
+//     Once we publish signed releases, an attacker who can publish a release or MITM
+//     the asset CDN must not bypass verification by stripping the signature assets
+//     (the tags-fallback path also sends assets:[]). A transient fetch failure only
+//     defers the install to the next ~6h poll, not a permanent brick. (audit P1 #5)
+// The CLAUDE_MEM_SKIP_SIG_VERIFY escape hatch still forces a skip. publicKey is a
+// param (defaulting to the embedded constant) only so tests can exercise both regimes.
+export async function verifyReleaseAuthenticity(extractedDir, assets, publicKey = RELEASE_PUBLIC_KEY) {
   if (process.env.CLAUDE_MEM_SKIP_SIG_VERIFY) return { ok: true, action: 'skipped-env' };
-  if (!RELEASE_PUBLIC_KEY) return { ok: true, action: 'skipped-no-pubkey' };
+  if (!publicKey) return { ok: true, action: 'skipped-no-pubkey' };
 
   const list = Array.isArray(assets) ? assets : [];
   const manifestAsset = list.find(a => a && a.name === MANIFEST_ASSET_NAME);
   const sigAsset = list.find(a => a && a.name === SIGNATURE_ASSET_NAME);
   if (!manifestAsset || !sigAsset) {
-    debugLog('WARN', 'hook-update', 'Release carries no signature assets — proceeding unverified (unsigned release)');
-    return { ok: true, action: 'skipped-no-signature' };
+    debugLog('WARN', 'hook-update', 'Signed-release mode: release carries no signature assets — refusing to install (possible downgrade/strip)');
+    return { ok: false, action: 'missing-signature' };
   }
 
   let manifestBytes, signatureB64;
@@ -461,12 +468,12 @@ export async function verifyReleaseAuthenticity(extractedDir, assets) {
     manifestBytes = await fetchAssetBuffer(manifestAsset.browser_download_url);
     signatureB64 = (await fetchAssetBuffer(sigAsset.browser_download_url)).toString('utf8').trim();
   } catch (e) {
-    // A flaky asset CDN is not a tampering signal — don't brick the update over it.
-    debugLog('WARN', 'hook-update', `Signature asset fetch failed (${e.message}) — proceeding unverified`);
-    return { ok: true, action: 'skipped-fetch-failed' };
+    // Can't fetch the signature → can't verify → don't install this cycle (retries next poll).
+    debugLog('WARN', 'hook-update', `Signed-release mode: signature asset fetch failed (${e.message}) — refusing to install this cycle`);
+    return { ok: false, action: 'signature-fetch-failed' };
   }
 
-  const r = verifyDownloadedRelease(extractedDir, manifestBytes, signatureB64);
+  const r = verifyDownloadedRelease(extractedDir, manifestBytes, signatureB64, publicKey);
   if (!r.ok) return { ok: false, action: r.reason };
   debugLog('DEBUG', 'hook-update', 'Release signature verified');
   return { ok: true, action: 'verified' };

package/hook.mjs

@@ -27,7 +27,6 @@ import {
   extractErrorKeywords, extractFilePaths, isRelatedToEpisode,
   makeEntryDesc, scrubSecrets, stripPrivate, EDIT_TOOLS, debugCatch, debugLog,
   COMPRESSED_AUTO, COMPRESSED_PENDING_PURGE, OBS_BM25,
-  computeMinHash, estimateJaccardFromMinHash, jaccardSimilarity,
 } from './utils.mjs';
 import {
   readEpisodeRaw, episodeFile,
@@ -43,11 +42,11 @@ import {
   sessionFile, getSessionId, createSessionId, openDb,
   spawnBackground, sweepOrphanEpisodeFiles,
 } from './hook-shared.mjs';
-import { handleLLMEpisode, handleLLMSummary, saveObservation, buildImmediateObservation } from './hook-llm.mjs';
+import { handleLLMEpisode, handleLLMSummary, saveObservation, buildImmediateObservation, saveEpisodeImmediate } from './hook-llm.mjs';
 import { scrubRecord } from './lib/scrub-record.mjs';
 import { formatHookError } from './lib/native-binding-hint.mjs';
 import { selectCompressionCandidates, groupByProjectWeek, compressGroup } from './lib/compress-core.mjs';
-import { cleanupBroken, decayAndMarkIdle, boostAccessed } from './lib/maintain-core.mjs';
+import { cleanupBroken, decayAndMarkIdle, boostAccessed, selectFuzzyDedupeIds } from './lib/maintain-core.mjs';
 import {
   extractCitationsFromTranscript,
   extractAllInjected,
@@ -66,7 +65,6 @@ import { handleLLMOptimize } from './hook-optimize.mjs';
 import { silentAutoAdopt, hasAutoAdoptMarker } from './adopt-cli.mjs';
 import { emitV270UpgradeBanner } from './lib/upgrade-banner.mjs';
 import { loadCiteBackForEpisode, extractCiteBackSignals, buildUnsavedBugfixHint, countUnsavedBugfixShape, buildCiteRecallNudge as libBuildCiteRecallNudge, nextCiteLowStreak } from './lib/cite-back-hint.mjs';
-import { MINHASH_PREFILTER, FUZZY_DEDUP_THRESHOLD } from './lib/dedup-constants.mjs';
 // plugin-cache-guard.mjs loaded dynamically — pre-2.31.2 installs that auto-upgraded
 // from an older hook-update.mjs SOURCE_FILES (which did not list this module) would
 // crash on static import. Degrade gracefully to no-op when the module is absent.
@@ -115,6 +113,10 @@ for (const sig of ['SIGTERM', 'SIGINT']) {
       try {
         const ep = readEpisodeRaw();
         if (ep && ep.entries && ep.entries.length > 0) {
+          // Persist a rule-based observation synchronously BEFORE writing the flush
+          // file — that file has no consumer, so this is the only thing that prevents
+          // the in-flight episode being lost on abnormal termination (audit #6).
+          saveEpisodeImmediate(ep);
           const flushFile = join(RUNTIME_DIR, `ep-flush-${Date.now()}-${randomUUID().slice(0, 8)}.json`);
           writeFileSync(flushFile, JSON.stringify(ep));
           try { unlinkSync(join(RUNTIME_DIR, `ep-${inferProject()}.json`)); } catch {}
@@ -551,7 +553,11 @@ async function handleStop() {
           // Union closed by extractAllInjected — one integration point so the
           // contract test in tests/citation-tracker-userprompt.test.mjs covers it.
           try {
-            const injected = extractAllInjected(transcriptPath);
+            // mainOnly: the injected denominator must use the same thread
+            // filter as citedMain (the numerator, below) — an obs injected only
+            // inside a subagent (sidechain) would otherwise enter the denominator
+            // but never the numerator and streak-demote despite being used there.
+            const injected = extractAllInjected(transcriptPath, { mainOnly: true });
             // P5 ①: cite-back signals — observations whose warned file the agent
             // edited this session. Union into injected so they're resolved (they
             // were injected via pre-tool-recall) and, below, into cited so the
@@ -788,7 +794,7 @@ function runSessionStartAutoMaintain(db) {
         const SCAN_LIMIT = 500;
         const FUZZY_MAX_MERGES = 20;
         const recent = db.prepare(`
-          SELECT id, title, importance, created_at_epoch
+          SELECT id, title, importance, created_at_epoch, narrative, text
           FROM observations
           WHERE COALESCE(compressed_into, 0) = 0
             AND superseded_at IS NULL
@@ -797,24 +803,14 @@ function runSessionStartAutoMaintain(db) {
           ORDER BY created_at_epoch DESC LIMIT ${SCAN_LIMIT}
         `).all(STALE_AGE);
         if (recent.length >= 2) {
-          const titles = recent.map(r => r.title.trim());
-          const minhashes = titles.map(t => t ? computeMinHash(t) : null);
-          const fuzzyRemoveIds = [];
-          const removed = new Set();
-          outer: for (let i = 0; i < recent.length; i++) {
-            if (!minhashes[i] || removed.has(recent[i].id)) continue;
-            for (let j = i + 1; j < recent.length; j++) {
-              if (!minhashes[j] || removed.has(recent[j].id)) continue;
-              if (estimateJaccardFromMinHash(minhashes[i], minhashes[j]) < MINHASH_PREFILTER) continue;
-              if (jaccardSimilarity(titles[i], titles[j]) < FUZZY_DEDUP_THRESHOLD) continue;
-              // Keep the higher-importance row; tiebreak by older (lower id wins access history)
-              const keep = (recent[i].importance ?? 1) >= (recent[j].importance ?? 1) ? recent[i] : recent[j];
-              const remove = keep === recent[i] ? recent[j] : recent[i];
-              fuzzyRemoveIds.push(remove.id);
-              removed.add(remove.id);
-              if (fuzzyRemoveIds.length >= FUZZY_MAX_MERGES) break outer;
-            }
-          }
+          // audit #8: supersede only when title AND body match — title-only (a word-SET
+          // metric) collapsed distinct observations sharing a title token-set. The
+          // selection is the shared pure core in lib/maintain-core (unit-tested there).
+          const rows = recent.map(r => ({
+            id: r.id, title: r.title, importance: r.importance,
+            body: (r.narrative && r.narrative.trim()) || (r.text && r.text.trim()) || '',
+          }));
+          const fuzzyRemoveIds = selectFuzzyDedupeIds(rows, { maxMerges: FUZZY_MAX_MERGES });
           if (fuzzyRemoveIds.length > 0) {
             const ph = fuzzyRemoveIds.map(() => '?').join(',');
             db.prepare(`UPDATE observations SET superseded_at = ?, superseded_by = 'auto-dedup-fuzzy' WHERE id IN (${ph})`)

package/lib/citation-tracker.mjs

@@ -182,8 +182,15 @@ function normalizeHookCommand(command) {
  *
  * @param {string|null|undefined} transcriptPath
  * @param {(ctx: {command: string, text: string}) => void} fn
+ * @param {object} [opts]
+ * @param {boolean} [opts.mainOnly=false] If true, skip attachments on sidechain
+ *   (subagent) transcript records. Mirrors extractCitationsFromTranscript's
+ *   mainOnly so the citation-decay injected DENOMINATOR uses the same thread
+ *   filter as the cited NUMERATOR — an obs injected only inside a subagent must
+ *   not enter the denominator, else it streak-demotes despite being used there.
  */
-function eachHookAttachment(transcriptPath, fn) {
+function eachHookAttachment(transcriptPath, fn, opts = {}) {
+  const { mainOnly = false } = opts;
   if (!transcriptPath || !existsSync(transcriptPath)) return;
   let raw;
   try { raw = readFileSync(transcriptPath, 'utf8'); } catch { return; }
@@ -192,6 +199,7 @@ function eachHookAttachment(transcriptPath, fn) {
     let entry;
     try { entry = JSON.parse(line); } catch { continue; }
     if (entry.type !== 'attachment') continue;
+    if (mainOnly && entry.isSidechain === true) continue;
     const att = entry.attachment;
     if (!att || att.type !== 'hook_success') continue;
     const stdout = att.stdout || '';
@@ -217,14 +225,14 @@ function eachHookAttachment(transcriptPath, fn) {
  * @param {string|null|undefined} transcriptPath
  * @returns {Set<number>} unique injected IDs (empty set on missing path/file)
  */
-export function extractInjectedFromPreToolUse(transcriptPath) {
+export function extractInjectedFromPreToolUse(transcriptPath, opts = {}) {
   const ids = new Set();
   eachHookAttachment(transcriptPath, ({ command, text }) => {
     if (!command.includes('pre-tool-recall')) return;
     INJECTED_RE.lastIndex = 0;
     let m;
     while ((m = INJECTED_RE.exec(text))) addObsId(ids, m[1]);
-  });
+  }, opts);
   return ids;
 }
 
@@ -251,7 +259,7 @@ const UPS_COMMAND_SUFFIX = 'hook.mjs user-prompt';
  * @param {string|null|undefined} transcriptPath
  * @returns {Set<number>}
  */
-export function extractInjectedFromUserPromptSubmit(transcriptPath) {
+export function extractInjectedFromUserPromptSubmit(transcriptPath, opts = {}) {
   const ids = new Set();
   eachHookAttachment(transcriptPath, ({ command, text }) => {
     if (!command.includes(UPS_COMMAND_SUFFIX)) return;
@@ -265,7 +273,7 @@ export function extractInjectedFromUserPromptSubmit(transcriptPath) {
       if (matches.length === 0) continue;
       addObsId(ids, matches[matches.length - 1][1]);
     }
-  });
+  }, opts);
   return ids;
 }
 
@@ -280,7 +288,7 @@ export function extractInjectedFromUserPromptSubmit(transcriptPath) {
  * @param {string|null|undefined} transcriptPath
  * @returns {Set<number>}
  */
-export function extractInjectedFromErrorRecall(transcriptPath) {
+export function extractInjectedFromErrorRecall(transcriptPath, opts = {}) {
   const ids = new Set();
   eachHookAttachment(transcriptPath, ({ command, text }) => {
     if (!command.includes('post-tool-use')) return;
@@ -290,7 +298,7 @@ export function extractInjectedFromErrorRecall(transcriptPath) {
     INJECTED_RE.lastIndex = 0;
     let m;
     while ((m = INJECTED_RE.exec(text))) addObsId(ids, m[1]);
-  });
+  }, opts);
   return ids;
 }
 
@@ -311,7 +319,7 @@ const FYI_LINE_ID_RE = /^#(\d{1,7})\s/;
  * @param {string|null|undefined} transcriptPath
  * @returns {Set<number>}
  */
-export function extractInjectedFromFyi(transcriptPath) {
+export function extractInjectedFromFyi(transcriptPath, opts = {}) {
   const ids = new Set();
   eachHookAttachment(transcriptPath, ({ command, text }) => {
     if (!command.includes('user-prompt-search')) return;
@@ -320,7 +328,7 @@ export function extractInjectedFromFyi(transcriptPath) {
       const m = FYI_LINE_ID_RE.exec(fyiLine);
       if (m) addObsId(ids, m[1]);
     }
-  });
+  }, opts);
   return ids;
 }
 
@@ -330,14 +338,18 @@ export function extractInjectedFromFyi(transcriptPath) {
  * user-prompt-search FYI block. Single integration point the Stop handler calls.
  *
  * @param {string|null|undefined} transcriptPath
+ * @param {object} [opts]
+ * @param {boolean} [opts.mainOnly=false] Skip sidechain-injected IDs. The
+ *   citation-decay caller passes true so the injected denominator matches the
+ *   mainOnly cited numerator; the P4 access-bump caller omits it (broader).
  * @returns {Set<number>}
  */
-export function extractAllInjected(transcriptPath) {
+export function extractAllInjected(transcriptPath, opts = {}) {
   return new Set([
-    ...extractInjectedFromPreToolUse(transcriptPath),
-    ...extractInjectedFromUserPromptSubmit(transcriptPath),
-    ...extractInjectedFromErrorRecall(transcriptPath),
-    ...extractInjectedFromFyi(transcriptPath),
+    ...extractInjectedFromPreToolUse(transcriptPath, opts),
+    ...extractInjectedFromUserPromptSubmit(transcriptPath, opts),
+    ...extractInjectedFromErrorRecall(transcriptPath, opts),
+    ...extractInjectedFromFyi(transcriptPath, opts),
   ]);
 }
 

package/lib/dedup-constants.mjs

@@ -33,3 +33,10 @@ export const MINHASH_PREFILTER = 0.7;
 // 0.95: strict title-Jaccard cutoff for the hook post-inject fuzzy-dedup pass — only
 // collapse near-identical titles inline; anything softer waits for the maintain sweep.
 export const FUZZY_DEDUP_THRESHOLD = 0.95;
+
+// 0.5: companion BODY-Jaccard floor for the hook fuzzy-dedup pass (audit #8). Titles
+// alone are a word-SET metric, so two distinct observations sharing a title token-set
+// ("Fix auth bug in login.mjs" vs "Fix login.mjs auth bug") would collapse and hide
+// one body. Requiring the narratives to also overlap means only a genuine re-save of
+// the same event (near-identical body) supersedes; distinct bodies are kept.
+export const FUZZY_BODY_THRESHOLD = 0.5;

package/lib/err-sampler.mjs

@@ -15,7 +15,7 @@
 // Gated entirely by CLAUDE_MEM_CATCH_SAMPLE env (0..1). Default off. All
 // failures inside the sampler are swallowed — never crash the caller.
 
-import { appendFileSync, mkdirSync, existsSync } from 'fs';
+import { appendFileSync, mkdirSync, existsSync, readdirSync, statSync, unlinkSync } from 'fs';
 import { join } from 'path';
 import { scrubSecrets } from '../secret-scrub.mjs';
 
@@ -32,6 +32,22 @@ function parseSampleRate(raw) {
   return Number.isFinite(n) && n >= 0 && n <= 1 ? n : 0;
 }
 
+// Delete daily shards older than the retention window. Mirrors
+// lib/hook-telemetry.pruneOldShards (the sibling JSONL sink). Without this the
+// retention constant was dead and errors/ grew one shard/day forever once
+// CLAUDE_MEM_CATCH_SAMPLE was set — a slow unbounded leak in the user data dir.
+function pruneOldShards(dir) {
+  let entries;
+  try { entries = readdirSync(dir); } catch { return; }
+  const cutoff = Date.now() - SAMPLE_LOG_RETENTION_MS;
+  for (const f of entries) {
+    if (!/^\d{4}-\d{2}-\d{2}\.jsonl$/.test(f)) continue;
+    try {
+      if (statSync(join(dir, f)).mtimeMs < cutoff) unlinkSync(join(dir, f));
+    } catch { /* gone or unreadable — skip */ }
+  }
+}
+
 /**
  * Sample one caught error into the daily JSONL log.
  * @param {Error|unknown} e    Caught error
@@ -59,6 +75,7 @@ export function maybeSampleError(e, ctx, dbDir) {
     }) + '\n';
 
     appendFileSync(join(errDir, `${today()}.jsonl`), line, { mode: 0o600 });
+    pruneOldShards(errDir);
   } catch { /* sampler must never throw */ }
 }
 

package/lib/maintain-core.mjs

@@ -14,7 +14,7 @@
 
 import { COMPRESSED_PENDING_PURGE, computeMinHash, estimateJaccardFromMinHash, jaccardSimilarity } from '../utils.mjs';
 import { rebuildVocabulary, computeVector, _resetVocabCache } from '../tfidf.mjs';
-import { DEDUP_JACCARD_THRESHOLD, MINHASH_PRE_THRESHOLD as MINHASH_PRE_THRESHOLD_SRC } from './dedup-constants.mjs';
+import { DEDUP_JACCARD_THRESHOLD, MINHASH_PRE_THRESHOLD as MINHASH_PRE_THRESHOLD_SRC, FUZZY_DEDUP_THRESHOLD, FUZZY_BODY_THRESHOLD, MINHASH_PREFILTER } from './dedup-constants.mjs';
 
 export const STALE_AGE_MS = 30 * 86400000;
 export const OP_CAP = 1000;
@@ -28,6 +28,57 @@ export const MINHASH_PRE_THRESHOLD = MINHASH_PRE_THRESHOLD_SRC;
 // the regular decay op can't touch (decay protects injection_count>0).
 export const PINNED_INJ_THRESHOLD = 8;
 
+// Two trimmed bodies count as "the same body" when both are empty (a genuine
+// no-body re-save) or their word-set Jaccard clears the floor. One-empty-one-not
+// is treated as DISTINCT so a body-bearing observation is never hidden by a
+// body-less peer that merely shares its title.
+function bodiesSimilar(a, b, threshold) {
+  const ba = (a || '').trim();
+  const bb = (b || '').trim();
+  if (!ba && !bb) return true;
+  if (!ba || !bb) return false;
+  return jaccardSimilarity(ba, bb) >= threshold;
+}
+
+/**
+ * Pick which near-duplicate observation ids to supersede in the hook fuzzy-dedup
+ * pass. Pure (no DB) so it is unit-testable. A pair must clear BOTH the title
+ * thresholds (MinHash prefilter → exact title Jaccard) AND the body Jaccard floor
+ * before the lower-importance row is marked for superseding (audit #8 — title-only
+ * matching collapsed observations with the same title token-set but different bodies).
+ * @param {Array<{id:number,title:string,body:string,importance:number}>} rows
+ *        Candidate rows in scan order (caller decides ordering / recency window).
+ * @returns {number[]} ids to supersede (lower-importance member of each kept pair).
+ */
+export function selectFuzzyDedupeIds(rows, {
+  titleThreshold = FUZZY_DEDUP_THRESHOLD,
+  bodyThreshold = FUZZY_BODY_THRESHOLD,
+  minhashPrefilter = MINHASH_PREFILTER,
+  maxMerges = 20,
+} = {}) {
+  const removeIds = [];
+  if (!Array.isArray(rows) || rows.length < 2) return removeIds;
+  const removed = new Set();
+  const titles = rows.map(r => (r.title || '').trim());
+  const minhashes = titles.map(t => t ? computeMinHash(t) : null);
+  outer: for (let i = 0; i < rows.length; i++) {
+    if (!minhashes[i] || removed.has(rows[i].id)) continue;
+    for (let j = i + 1; j < rows.length; j++) {
+      if (!minhashes[j] || removed.has(rows[j].id)) continue;
+      if (estimateJaccardFromMinHash(minhashes[i], minhashes[j]) < minhashPrefilter) continue;
+      if (jaccardSimilarity(titles[i], titles[j]) < titleThreshold) continue;
+      if (!bodiesSimilar(rows[i].body, rows[j].body, bodyThreshold)) continue;
+      // Keep the higher-importance row; tiebreak by earlier scan position (kept as i).
+      const keep = (rows[i].importance ?? 1) >= (rows[j].importance ?? 1) ? rows[i] : rows[j];
+      const remove = keep === rows[i] ? rows[j] : rows[i];
+      removeIds.push(remove.id);
+      removed.add(remove.id);
+      if (removeIds.length >= maxMerges) break outer;
+    }
+  }
+  return removeIds;
+}
+
 /** Delete broken observations (no title AND no narrative). Returns rows deleted. */
 // Before hard-deleting observations, un-hide any rows merged INTO them. A child has
 // compressed_into = <keeperId>; deleting that keeper (compressed_into has no FK) would

package/lib/search-core.mjs

@@ -428,7 +428,10 @@ export async function coreRunSearchPipeline(ctx, opts) {
     const doReRank = rerankPolicy === 'mcp' ? (ftsQuery && !deepReranked) : !deepReranked;
     if (doReRank) reRankWithContext(db, obsResults, rerankProject);
     markSuperseded(obsResults);
-    const doReSort = rerankPolicy === 'mcp' ? (ftsQuery && !deepReranked) : isCrossSource;
+    // CLI single-source path must also re-sort when a context re-rank actually ran,
+    // else reRankWithContext's score boost mutates scores but never reorders output
+    // (audit #9). MCP branch unchanged. doReRank already implies a rerank happened.
+    const doReSort = rerankPolicy === 'mcp' ? (ftsQuery && !deepReranked) : (isCrossSource || doReRank);
     if (doReSort) results.sort((a, b) => (a.score ?? 0) - (b.score ?? 0));
   }
 

package/mem-cli.mjs

@@ -57,6 +57,11 @@ async function cmdSearch(db, args, { llm } = {}) {
     return;
   }
 
+  // Bare string flags parse to boolean `true`; without this guard `--branch` reaches
+  // the SQLite bind and crashes, while `--to`/`--project` silently change results
+  // (epoch-1 upper bound → zero rows; unscoped search). (audit P1 #3)
+  if (rejectBareStringFlags(flags, ['source', 'project', 'from', 'to', 'branch'])) return;
+
   const limit = parseIntFlag(flags.limit, { name: '--limit', defaultValue: 20, max: 1000 });
   const type = flags.type || null;
   const validObsTypes = new Set(['decision', 'bugfix', 'feature', 'refactor', 'discovery', 'change']);
@@ -1400,8 +1405,11 @@ function cmdUpdate(db, args) {
          `Prompts and sessions are append-only.`);
     return;
   }
+  // Strict parseIdToken gate (aligned with cmdDelete): a bare parseInt fallback
+  // truncated "3.9" → 3 and silently UPDATE'd the WRONG row #3 (no preview, no
+  // --confirm). Require an exact obs-id token; non-matching input → usage error.
   const parsed = raw ? parseIdToken(raw) : null;
-  const id = parsed && parsed.source === null ? parsed.id : parseInt(raw, 10);
+  const id = parsed && parsed.source === null ? parsed.id : NaN;
   if (!id || isNaN(id)) {
     fail('[mem] Usage: claude-mem-lite update <id> [--title T] [--type T] [--importance N] [--lesson T] [--narrative T] [--concepts T]');
     return;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-mem-lite",
-  "version": "3.8.0",
+  "version": "3.9.1",
   "description": "Persistent long-term memory for Claude Code via MCP — captures coding decisions, bugfixes, and context across sessions. Hybrid FTS5 + TF-IDF search with episode batching. Single SQLite DB, no external services. A lighter, lower-cost alternative to claude-mem (episode batching + a smaller model; cost savings are an internal estimate, not a measured benchmark).",
   "type": "module",
   "packageManager": "npm@10.9.2",

package/registry.mjs

@@ -110,7 +110,7 @@ const TRIGGERS_SCHEMA = `
 const INVOCATIONS_SCHEMA = `
   CREATE TABLE IF NOT EXISTS invocations (
     id            INTEGER PRIMARY KEY AUTOINCREMENT,
-    resource_id   INTEGER NOT NULL REFERENCES resources(id),
+    resource_id   INTEGER NOT NULL REFERENCES resources(id) ON DELETE CASCADE,
     session_id    TEXT,
     trigger       TEXT CHECK(trigger IN ('session_start','pre_tool_use','user_explicit','user_prompt')),
     tier          INTEGER CHECK(tier IN (1,2,3)),
@@ -195,11 +195,19 @@ export function ensureRegistryDb(dbPath) {
   } catch (e) { debugCatch(e, 'resources-column-migration'); }
 
   // Migrate: add 'github' to source CHECK constraint (required for smart import)
-  // Must disable FK checks during table recreation (RENAME triggers FK validation)
+  // Must disable FK checks during table recreation (RENAME triggers FK validation).
+  // legacy_alter_table=ON is REQUIRED: under modern SQLite (the better-sqlite3
+  // default) `ALTER TABLE resources RENAME TO resources_old` rewrites child-table FK
+  // references, so invocations.resource_id would become `REFERENCES resources_old`
+  // and the trailing DROP would leave it dangling — silently killing every future
+  // `INSERT INTO invocations` (audit P0 #1). Legacy mode keeps child FKs pointing at
+  // the original name, which the freshly-created `resources` table then satisfies.
+  let resourcesRebuilt = false;
   try {
     const resSchema = db.prepare(`SELECT sql FROM sqlite_master WHERE type='table' AND name='resources'`).get();
     if (resSchema?.sql && !resSchema.sql.includes("'github'")) {
       db.pragma('foreign_keys = OFF');
+      db.pragma('legacy_alter_table = ON');
       try {
         db.transaction(() => {
           const hasOld = db.prepare(`SELECT 1 FROM sqlite_master WHERE type='table' AND name='resources_old'`).get();
@@ -216,10 +224,18 @@ export function ensureRegistryDb(dbPath) {
           const common = cols.filter(c => newCols.has(c)).join(', ');
           db.exec(`INSERT INTO resources (${common}) SELECT ${common} FROM resources_old`);
           db.exec(`DROP TABLE resources_old`);
+          // Recreate the table's indexes: the CREATE INDEX IF NOT EXISTS inside
+          // RESOURCES_SCHEMA above was SKIPPED while resources_old still held the
+          // index names, so the rebuilt table had NONE — including the UNIQUE
+          // idx_res_type_name that upsertResource's ON CONFLICT(type,name) requires
+          // (review HIGH-1; pre-existing, closed here). Names are free post-DROP.
+          db.exec(RESOURCES_SCHEMA);
         })();
       } finally {
+        db.pragma('legacy_alter_table = OFF');
         db.pragma('foreign_keys = ON');
       }
+      resourcesRebuilt = true;
     }
   } catch (e) { debugCatch(e, 'resources-source-check-migration'); }
 
@@ -231,6 +247,16 @@ export function ensureRegistryDb(dbPath) {
   // Triggers: always ensure (IF NOT EXISTS) — fixes DBs where FTS5 was created without triggers
   db.exec(TRIGGERS_SCHEMA);
 
+  // The source-CHECK migration replaced the `resources` content table out from under
+  // the external-content FTS index (content=resources), leaving resources_fts stale.
+  // Rebuild it so a later DELETE's res_fts_delete trigger doesn't throw "database disk
+  // image is malformed" against the mismatched index. Gated on the migration actually
+  // having run so we don't rebuild on every open.
+  if (resourcesRebuilt) {
+    try { db.exec("INSERT INTO resources_fts(resources_fts) VALUES('rebuild')"); }
+    catch (e) { debugCatch(e, 'resources-fts-rebuild-after-source-check'); }
+  }
+
   db.exec(INVOCATIONS_SCHEMA);
 
   // Migrate invocations CHECK constraint: add 'user_prompt' trigger value
@@ -281,10 +307,44 @@ export function ensureRegistryDb(dbPath) {
     }
   } catch (e) { debugCatch(e, 'rejection_reason-migration'); }
 
-  // Migrate: ensure composite index on invocations(resource_id, created_at) for correlated subqueries
+  // Migrate: add ON DELETE CASCADE to invocations.resource_id (audit P0 #4). Old DBs
+  // declared the FK with no ON DELETE action, so deleting a resource that had
+  // invocation history threw SQLITE_CONSTRAINT_FOREIGNKEY (registry remove /
+  // mem_registry delete) or silently no-op'd (dead-repo purge). SQLite can't ALTER an
+  // FK, so rebuild the table. Renaming the CHILD table is safe (nothing references
+  // invocations), so legacy_alter_table is not a concern here. Runs after the
+  // rejection_reason ADD COLUMN so the column exists in both old and new tables.
   try {
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_invocations_resource_created ON invocations(resource_id, created_at)`);
-  } catch (e) { debugCatch(e, 'invocations-resource-created-index-migration'); }
+    const schema = db.prepare(`SELECT sql FROM sqlite_master WHERE type='table' AND name='invocations'`).get();
+    if (schema?.sql && !/ON DELETE CASCADE/i.test(schema.sql)) {
+      db.transaction(() => {
+        const hasOld = db.prepare(`SELECT 1 FROM sqlite_master WHERE type='table' AND name='invocations_old'`).get();
+        if (hasOld) db.exec(`DROP TABLE invocations_old`);
+        db.exec(`ALTER TABLE invocations RENAME TO invocations_old`);
+        db.exec(INVOCATIONS_SCHEMA);
+        // Omit rejection_reason from the copy (matching the CHECK migrations above):
+        // it was historically a bare TEXT with NO CHECK, so an old row could hold a
+        // value outside INVOCATIONS_SCHEMA's current rejection_reason CHECK whitelist.
+        // Copying it would throw SQLITE_CONSTRAINT_CHECK → rollback → the FK is left
+        // un-cascaded forever and every retry re-fails (review HIGH-2). The column is
+        // never written at runtime, so copied rows get NULL — no data loss.
+        db.exec(`INSERT INTO invocations
+          (id, resource_id, session_id, trigger, tier, recommended, adopted, outcome, score, created_at)
+          SELECT id, resource_id, session_id, trigger, tier, recommended, adopted, outcome, score, created_at
+          FROM invocations_old`);
+        db.exec(`DROP TABLE invocations_old`);
+        // Recreate the table's indexes — the INVOCATIONS_SCHEMA CREATE INDEX above was
+        // skipped while invocations_old held the names (review HIGH-1). Free post-DROP.
+        db.exec(INVOCATIONS_SCHEMA);
+      })();
+    }
+  } catch (e) { debugCatch(e, 'invocations-ondelete-cascade-migration'); }
+
+  // (Removed the separate idx_invocations_resource_created migration — it was a column-
+  // identical duplicate of idx_inv_resource (resource_id, created_at) in INVOCATIONS_SCHEMA.
+  // It only ever survived because the rebuild migrations dropped idx_inv_resource; now that
+  // the rebuilds recreate their indexes (review HIGH-1), the duplicate is pure dead weight.
+  // Pre-existing DBs keep their old idx_invocations_resource_created; it's harmless.)
 
   db.exec(PREINSTALLED_SCHEMA);
 

package/secret-scrub.mjs

@@ -1,6 +1,8 @@
 // claude-mem-lite: Secret pattern detection and scrubbing
 // Extracted from utils.mjs for focused responsibility
 
+import { stripPrivate } from './lib/private-strip.mjs';
+
 // ─── Secret Patterns ──────────────────────────────────────────────────────
 
 export const SECRET_PATTERNS = [
@@ -28,7 +30,28 @@ export const SECRET_PATTERNS = [
   // access_token / refresh_token are the canonical OAuth2 field names — they were
   // missing from this KV list (drift vs the JSON list below). `(?:\b|_)` for the same
   // underscore-prefix reason.
-  [/((?:\b|_)(?:api[_-]?key|api[_-]?secret|secret[_-]?key|access[_-]?key|private[_-]?key|client[_-]?secret|auth[_-]?token|access[_-]?token|refresh[_-]?token)\s*[=:]\s*)(?!process\.env\.)(?!new\s)(?!\w+\()(?!(?:null|undefined|true|false|None|nil|empty|""|''|0)\b)[^\s,;'"}\]]{6,}/gi, '$1***'],
+  // `pgpassword|pgpass|mysql_pwd` are well-known credential ENV-VAR names whose
+  // keyword tail is unreachable via the noun list above (`PGPASSWORD`=PG+password has
+  // no \b/_ before "password"; `MYSQL_PWD` has no "password"/"token" substring). They
+  // live in THIS pattern (no prose lookbehind) so `export PGPASSWORD=x` / `env MYSQL_PWD=x`
+  // scrub — a compound credential env-var name is unambiguous config even after a word.
+  // Enumerating known names (not a blanket letter-prefix) preserves the deliberate
+  // low-FP decision that `topsecret=` / `access_token_count:` are non-credentials
+  // (#8283 + utils.test.mjs:1089-1100); bare `pwd` is omitted so `PWD=` (a path) survives.
+  [/((?:\b|_)(?:api[_-]?key|api[_-]?secret|secret[_-]?key|access[_-]?key|private[_-]?key|client[_-]?secret|auth[_-]?token|access[_-]?token|refresh[_-]?token|pgpassword|pgpass|mysql_pwd)\s*[=:]\s*)(?!process\.env\.)(?!new\s)(?!\w+\()(?!(?:null|undefined|true|false|None|nil|empty|""|''|0)\b)[^\s,;'"}\]]{6,}/gi, '$1***'],
+  // Bare-key QUOTED values — `api_key="..."`, `password: '...'`. The unquoted KV
+  // patterns above stop at `'`/`"` (excluded from their value class), so a quoted
+  // value matched 0 chars and slipped through. Consumes the opening quote, the value,
+  // and the matching close quote (backref \2), replacing only the value. Unlike the
+  // JSON pattern below it does NOT require the KEY to be quoted, covering `key="value"`
+  // object-literal / YAML / quoted-.env shapes. Split into the SAME two patterns as the
+  // unquoted KV pairs above so prose survives — a quoted value does not turn prose into
+  // config (`the token: "x"` is still prose, must NOT scrub; #8283 / utils.test.mjs:1090).
+  //   (a) bare credential nouns keep the prose lookbehind:
+  [/((?<![A-Za-z][ \t])(?:\b|_)(?:password|passwd|token|bearer|secret)\s*[=:]\s*)(['"])[^'"]{6,}\2/gi, '$1$2***$2'],
+  //   (b) structured keys + named env vars are unambiguous config even after a word
+  //       (`see api_key: "x"` DOES scrub, mirroring the unquoted structured-key path):
+  [/((?:\b|_)(?:pgpassword|pgpass|mysql_pwd|api[_-]?key|api[_-]?secret|secret[_-]?key|access[_-]?key|private[_-]?key|client[_-]?secret|auth[_-]?token|access[_-]?token|refresh[_-]?token)\s*[=:]\s*)(['"])[^'"]{6,}\2/gi, '$1$2***$2'],
   // AWS access keys (AKIA...)
   [/\bAKIA[A-Z0-9]{16}\b/g, '***'],
   // OpenAI / Anthropic keys (sk-...) — specific prefixes have lower length threshold
@@ -94,12 +117,15 @@ export const SECRET_PATTERNS = [
 
 /**
  * Scrub known secret patterns (API keys, tokens, credentials) from text.
+ * Also strips user-marked `<private>...</private>` blocks first, so every
+ * persistence/log path that scrubs secrets inherits the `<private>` opt-out —
+ * previously stripPrivate ran only on the user-prompt hook, not on writes.
  * @param {string} text Input text potentially containing secrets
  * @returns {string} Text with secrets replaced by '***'
  */
 export function scrubSecrets(text) {
   if (!text || typeof text !== 'string') return text || '';
-  let result = text;
+  let result = stripPrivate(text);
   for (const [pattern, replacement] of SECRET_PATTERNS) {
     result = result.replace(pattern, replacement);
   }