claude-memory-layer 1.0.37 → 1.0.38

package/dist/cli/index.js

@@ -17,8 +17,8 @@ import * as os11 from "os";
 import * as os5 from "os";
 
 // src/core/engine/memory-service-composition.ts
-import * as os from "os";
-import * as path6 from "path";
+import * as os2 from "os";
+import * as path7 from "path";
 
 // src/core/metadata-extractor.ts
 function createToolObservationEmbedding(toolName, metadata, success) {
@@ -1529,8 +1529,8 @@ function createEndlessMemoryServices(options) {
 }
 
 // src/core/engine/memory-engine-services.ts
-import * as fs5 from "fs";
-import * as path4 from "path";
+import * as fs6 from "fs";
+import * as path5 from "path";
 
 // src/extensions/vector/embedder.ts
 var DEFAULT_EMBEDDING_MODEL = "Xenova/multilingual-e5-small";
@@ -2208,14 +2208,43 @@ function makeDedupeKey(content, sessionId) {
   return `${sessionId}:${contentHash}`;
 }
 
+// src/core/sqlite-event-store.ts
+import * as nodePath2 from "path";
+
+// src/core/registry/project-path.ts
+import * as crypto2 from "crypto";
+import * as fs3 from "fs";
+import * as os from "os";
+import * as path3 from "path";
+function normalizeProjectPath(projectPath) {
+  const expanded = projectPath.startsWith("~") ? path3.join(os.homedir(), projectPath.slice(1)) : projectPath;
+  try {
+    return fs3.realpathSync(expanded);
+  } catch {
+    return path3.resolve(expanded);
+  }
+}
+function hashProjectPath(projectPath) {
+  const normalizedPath = normalizeProjectPath(projectPath);
+  return crypto2.createHash("sha256").update(normalizedPath).digest("hex").slice(0, 8);
+}
+function getProjectStoragePath(projectPath) {
+  const hash = hashProjectPath(projectPath);
+  return path3.join(os.homedir(), ".claude-code", "memory", "projects", hash);
+}
+function resolveProjectStoragePath(projectOrHash) {
+  const isHash = /^[a-f0-9]{8}$/.test(projectOrHash);
+  return isHash ? path3.join(os.homedir(), ".claude-code", "memory", "projects", projectOrHash) : getProjectStoragePath(projectOrHash);
+}
+
 // src/core/sqlite-wrapper.ts
 import Database from "better-sqlite3";
-import * as fs3 from "fs";
+import * as fs4 from "fs";
 import * as nodePath from "path";
 function createSQLiteDatabase(path22, options) {
   const dir = nodePath.dirname(path22);
-  if (!fs3.existsSync(dir)) {
-    fs3.mkdirSync(dir, { recursive: true });
+  if (!fs4.existsSync(dir)) {
+    fs4.mkdirSync(dir, { recursive: true });
   }
   const db = new Database(path22, {
     readonly: options?.readonly ?? false
@@ -2264,8 +2293,8 @@ function toSQLiteTimestamp(date) {
 }
 
 // src/core/markdown-mirror.ts
-import * as fs4 from "fs/promises";
-import * as path3 from "path";
+import * as fs5 from "fs/promises";
+import * as path4 from "path";
 var DEFAULT_NAMESPACE = "default";
 var DEFAULT_CATEGORY = "uncategorized";
 function sanitizeSegment2(input, fallback) {
@@ -2294,7 +2323,7 @@ function buildMirrorPath2(rootDir, event) {
   const yyyy = d.getFullYear();
   const mm = String(d.getMonth() + 1).padStart(2, "0");
   const dd = String(d.getDate()).padStart(2, "0");
-  return path3.join(rootDir, "memory", namespace, ...categories, `${yyyy}-${mm}-${dd}.md`);
+  return path4.join(rootDir, "memory", namespace, ...categories, `${yyyy}-${mm}-${dd}.md`);
 }
 function formatMirrorEntry(event) {
   const category = Array.isArray(event.metadata?.categoryPath) ? event.metadata.categoryPath.join("/") : String(event.metadata?.category ?? event.eventType);
@@ -2315,8 +2344,8 @@ var MarkdownMirror2 = class {
   }
   async append(event) {
     const outPath = buildMirrorPath2(this.rootDir, event);
-    await fs4.mkdir(path3.dirname(outPath), { recursive: true });
-    await fs4.appendFile(outPath, formatMirrorEntry(event), "utf8");
+    await fs5.mkdir(path4.dirname(outPath), { recursive: true });
+    await fs5.appendFile(outPath, formatMirrorEntry(event), "utf8");
     return outPath;
   }
 };
@@ -2337,6 +2366,135 @@ function emptyOutboxRecoveryResult() {
     vector: { recoveredProcessing: 0, retriedFailed: 0 }
   };
 }
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function getNestedRecord(root, path22) {
+  let cursor = root;
+  for (const key of path22) {
+    if (!isRecord(cursor))
+      return void 0;
+    cursor = cursor[key];
+  }
+  return isRecord(cursor) ? cursor : void 0;
+}
+function getNestedString(root, path22) {
+  let cursor = root;
+  for (const key of path22) {
+    if (!isRecord(cursor))
+      return void 0;
+    cursor = cursor[key];
+  }
+  return typeof cursor === "string" && cursor.length > 0 ? cursor : void 0;
+}
+function metadataProjectHash(metadata) {
+  return getNestedString(metadata, ["scope", "project", "hash"]);
+}
+function metadataProjectPaths(metadata) {
+  const candidates = [
+    getNestedString(metadata, ["projectPath"]),
+    getNestedString(metadata, ["sourceProjectPath"]),
+    getNestedString(metadata, ["scope", "project", "path"])
+  ];
+  const paths = [];
+  for (const value of candidates) {
+    if (value && !paths.includes(value))
+      paths.push(value);
+  }
+  return paths;
+}
+function metadataProjectPath(metadata) {
+  return metadataProjectPaths(metadata)[0];
+}
+function isActiveQuarantinedMetadata(metadata) {
+  const quarantine = getNestedRecord(metadata, ["quarantine"]);
+  return quarantine?.status === "active";
+}
+function activeQuarantineStatusExpression(column = "metadata") {
+  return `COALESCE(json_extract(CASE WHEN json_valid(${column}) THEN ${column} ELSE '{}' END, '$.quarantine.status'), '')`;
+}
+function notActiveQuarantinedSql(column = "metadata") {
+  return `${activeQuarantineStatusExpression(column)} != 'active'`;
+}
+function maybeQuarantinePredicate(options, column = "metadata") {
+  return options?.includeQuarantined ? "1=1" : notActiveQuarantinedSql(column);
+}
+function safeParseMetadataValue(value) {
+  if (!value)
+    return void 0;
+  if (typeof value === "object")
+    return isRecord(value) ? value : void 0;
+  if (typeof value !== "string")
+    return void 0;
+  try {
+    const parsed = JSON.parse(value);
+    return isRecord(parsed) ? parsed : void 0;
+  } catch {
+    return void 0;
+  }
+}
+function isImportedOrLegacyScopedMetadata(metadata) {
+  if (!metadata)
+    return false;
+  return Boolean(
+    metadata.importedFrom || metadata.sourceSessionId || metadata.sourceSessionHash || metadata.hermesSource || metadata.projectPath || metadata.sourceProjectPath || metadata.source === "hermes" || metadata.source === "claude" || metadata.source === "codex"
+  );
+}
+function addMetadataTag(metadata, tag) {
+  const current = Array.isArray(metadata.tags) ? metadata.tags.filter((value) => typeof value === "string") : [];
+  if (!current.includes(tag))
+    metadata.tags = [...current, tag];
+}
+function buildRepairResult(projectHash, dryRun) {
+  return {
+    dryRun,
+    projectHash,
+    scanned: 0,
+    repaired: 0,
+    quarantined: 0,
+    alreadyScoped: 0,
+    skipped: 0,
+    samples: []
+  };
+}
+function normalizeRepoName(value) {
+  return value.replace(/\.git$/i, "").trim().toLowerCase();
+}
+function projectBasename(projectPath) {
+  if (!projectPath)
+    return void 0;
+  const trimmed = projectPath.replace(/[\\/]+$/, "");
+  const basename7 = nodePath2.basename(trimmed);
+  return basename7 ? normalizeRepoName(basename7) : void 0;
+}
+function isProjectScopeRepairExplanation(content) {
+  const normalized = content.toLowerCase();
+  const hasRepairContext = /project[- ]scope|mis[- ]scoped|quarantine|contamination|legacy|오염|격리|repair/.test(normalized);
+  const hasExplanationContext = /example|detector|trap|not a .*project task|기억|메모리|설명|수정|검증/.test(normalized);
+  return hasRepairContext && hasExplanationContext;
+}
+function hasConflictingContentProjectHint(content, projectPath) {
+  const currentName = projectBasename(projectPath);
+  if (!currentName)
+    return false;
+  if (isProjectScopeRepairExplanation(content))
+    return false;
+  const githubRepoPattern = /github\.com[:/]([^/\s`'"#)]+)\/([^/\s`'"#)]+)(?:\.git)?/gi;
+  let githubMatch;
+  while ((githubMatch = githubRepoPattern.exec(content)) !== null) {
+    const repo = normalizeRepoName(githubMatch[2] || "");
+    if (repo && repo !== currentName)
+      return true;
+  }
+  const workspacePathPattern = /\/workspace\/([^/\s`'"#)]+)/gi;
+  let workspaceMatch;
+  while ((workspaceMatch = workspacePathPattern.exec(content)) !== null) {
+    const repo = normalizeRepoName(workspaceMatch[1] || "");
+    if (repo && repo !== currentName)
+      return true;
+  }
+  return false;
+}
 var SQLiteEventStore = class {
   db;
   initialized = false;
@@ -2835,11 +2993,11 @@ var SQLiteEventStore = class {
   /**
    * Get events by session ID
    */
-  async getSessionEvents(sessionId) {
+  async getSessionEvents(sessionId, options) {
     await this.initialize();
     const rows = sqliteAll(
       this.db,
-      `SELECT * FROM events WHERE session_id = ? ORDER BY timestamp ASC`,
+      `SELECT * FROM events WHERE session_id = ? AND ${maybeQuarantinePredicate(options)} ORDER BY timestamp ASC`,
       [sessionId]
     );
     return rows.map(this.rowToEvent);
@@ -2847,11 +3005,11 @@ var SQLiteEventStore = class {
   /**
    * Get recent events
    */
-  async getRecentEvents(limit = 100) {
+  async getRecentEvents(limit = 100, options) {
     await this.initialize();
     const rows = sqliteAll(
       this.db,
-      `SELECT * FROM events ORDER BY timestamp DESC LIMIT ?`,
+      `SELECT * FROM events WHERE ${maybeQuarantinePredicate(options)} ORDER BY timestamp DESC LIMIT ?`,
       [limit]
     );
     return rows.map(this.rowToEvent);
@@ -2859,11 +3017,11 @@ var SQLiteEventStore = class {
   /**
    * Get event by ID
    */
-  async getEvent(id) {
+  async getEvent(id, options) {
     await this.initialize();
     const row = sqliteGet(
       this.db,
-      `SELECT * FROM events WHERE id = ?`,
+      `SELECT * FROM events WHERE id = ? AND ${maybeQuarantinePredicate(options)}`,
       [id]
     );
     if (!row)
@@ -2873,11 +3031,11 @@ var SQLiteEventStore = class {
   /**
    * Get events since a timestamp (for sync)
    */
-  async getEventsSince(timestamp, limit = 1e3) {
+  async getEventsSince(timestamp, limit = 1e3, options) {
     await this.initialize();
     const rows = sqliteAll(
       this.db,
-      `SELECT * FROM events WHERE timestamp > ? ORDER BY timestamp ASC LIMIT ?`,
+      `SELECT * FROM events WHERE timestamp > ? AND ${maybeQuarantinePredicate(options)} ORDER BY timestamp ASC LIMIT ?`,
       [timestamp, limit]
     );
     return rows.map(this.rowToEvent);
@@ -2886,11 +3044,11 @@ var SQLiteEventStore = class {
    * Get events since a SQLite rowid (for robust incremental replication).
    * Rowid is monotonic for append-only tables, independent of client timestamps.
    */
-  async getEventsSinceRowid(lastRowid, limit = 1e3) {
+  async getEventsSinceRowid(lastRowid, limit = 1e3, options) {
     await this.initialize();
     const rows = sqliteAll(
       this.db,
-      `SELECT rowid as _rowid, * FROM events WHERE rowid > ? ORDER BY rowid ASC LIMIT ?`,
+      `SELECT rowid as _rowid, * FROM events WHERE rowid > ? AND ${maybeQuarantinePredicate(options)} ORDER BY rowid ASC LIMIT ?`,
       [lastRowid, limit]
     );
     return rows.map((row) => ({
@@ -3125,19 +3283,19 @@ var SQLiteEventStore = class {
   /**
    * Count total events
    */
-  async countEvents() {
+  async countEvents(options) {
     await this.initialize();
-    const row = sqliteGet(this.db, `SELECT COUNT(*) as count FROM events`);
+    const row = sqliteGet(this.db, `SELECT COUNT(*) as count FROM events WHERE ${maybeQuarantinePredicate(options)}`);
     return row?.count || 0;
   }
   /**
    * Get events page in timestamp ascending order (stable migration/reindex scans)
    */
-  async getEventsPage(limit = 1e3, offset = 0) {
+  async getEventsPage(limit = 1e3, offset = 0, options) {
     await this.initialize();
     const rows = sqliteAll(
       this.db,
-      `SELECT * FROM events ORDER BY timestamp ASC LIMIT ? OFFSET ?`,
+      `SELECT * FROM events WHERE ${maybeQuarantinePredicate(options)} ORDER BY timestamp ASC LIMIT ? OFFSET ?`,
       [limit, offset]
     );
     return rows.map(this.rowToEvent);
@@ -3211,6 +3369,145 @@ var SQLiteEventStore = class {
     result.vector.retriedFailed = Number(vectorRetried.changes ?? 0);
     return result;
   }
+  /**
+   * Repair legacy imported events that predate canonical project scope metadata.
+   *
+   * Same-project legacy rows are tagged with scope.project.hash. Rows that look
+   * imported but cannot be proven to belong to this project are quarantined so
+   * dashboard default reads/search do not surface cross-project contamination.
+   */
+  async repairLegacyProjectScope(options = {}) {
+    await this.initialize();
+    const projectHash = options.projectHash || (options.projectPath ? hashProjectPath(options.projectPath) : void 0);
+    if (!projectHash) {
+      throw new Error("repairLegacyProjectScope requires projectPath or projectHash");
+    }
+    if (options.projectPath && options.projectHash && hashProjectPath(options.projectPath) !== options.projectHash) {
+      throw new Error("repairLegacyProjectScope projectPath and projectHash refer to different project stores");
+    }
+    const dryRun = options.dryRun === true;
+    const nowIso = (options.now || /* @__PURE__ */ new Date()).toISOString();
+    const result = buildRepairResult(projectHash, dryRun);
+    const rows = sqliteAll(
+      this.db,
+      `SELECT e.id, e.content, e.metadata, s.project_path as session_project_path
+       FROM events e
+       LEFT JOIN sessions s ON s.id = e.session_id
+       ORDER BY e.timestamp ASC`,
+      []
+    );
+    const sample = (entry) => {
+      if (result.samples.length < 20)
+        result.samples.push(entry);
+    };
+    for (const row of rows) {
+      result.scanned++;
+      let metadata = {};
+      let metadataParseInvalid = false;
+      if (row.metadata) {
+        const parsed = safeParseMetadataValue(row.metadata);
+        if (parsed) {
+          metadata = parsed;
+        } else {
+          metadataParseInvalid = true;
+        }
+      }
+      if (isActiveQuarantinedMetadata(metadata)) {
+        result.skipped++;
+        continue;
+      }
+      const currentHash = metadataProjectHash(metadata);
+      const explicitPath = metadataProjectPath(metadata);
+      const sessionProjectPath = typeof row.session_project_path === "string" && row.session_project_path.length > 0 ? row.session_project_path : void 0;
+      const candidatePaths = metadataProjectPaths(metadata);
+      if (sessionProjectPath && !candidatePaths.includes(sessionProjectPath)) {
+        candidatePaths.push(sessionProjectPath);
+      }
+      const importedOrLegacy = metadataParseInvalid || isImportedOrLegacyScopedMetadata(metadata) || Boolean(sessionProjectPath);
+      const pathHashes = candidatePaths.map((candidate) => {
+        try {
+          return { path: candidate, hash: hashProjectPath(candidate) };
+        } catch {
+          return { path: candidate, hash: void 0 };
+        }
+      });
+      const matchingPath = pathHashes.find((candidate) => candidate.hash === projectHash);
+      const foreignPath = pathHashes.find((candidate) => candidate.hash && candidate.hash !== projectHash);
+      let action = "skipped";
+      let reason;
+      let observedProjectHash;
+      if (foreignPath) {
+        action = "quarantined";
+        reason = "project-path-mismatch";
+        observedProjectHash = foreignPath.hash;
+      } else if (currentHash === projectHash && importedOrLegacy && hasConflictingContentProjectHint(row.content, options.projectPath)) {
+        action = "quarantined";
+        reason = "content-project-mismatch";
+      } else if (currentHash === projectHash) {
+        result.alreadyScoped++;
+        continue;
+      } else if (currentHash && currentHash !== projectHash) {
+        action = "quarantined";
+        reason = "scope-hash-mismatch";
+        observedProjectHash = currentHash;
+      } else if (matchingPath) {
+        action = "repaired";
+        reason = matchingPath.path === sessionProjectPath && matchingPath.path !== explicitPath ? "session-project-path" : "same-project-path";
+      } else if (candidatePaths.length > 0) {
+        action = "quarantined";
+        reason = "project-path-mismatch";
+      } else if (importedOrLegacy) {
+        action = "quarantined";
+        reason = "missing-project-scope";
+      }
+      if (action === "skipped" || !reason) {
+        result.skipped++;
+        continue;
+      }
+      if (action === "repaired") {
+        const scope = isRecord(metadata.scope) ? { ...metadata.scope } : {};
+        const project = isRecord(scope.project) ? { ...scope.project } : {};
+        project.hash = projectHash;
+        scope.project = project;
+        metadata.scope = scope;
+        metadata.repair = {
+          ...isRecord(metadata.repair) ? metadata.repair : {},
+          legacyProjectScope: {
+            action,
+            reason,
+            repairedAt: nowIso
+          }
+        };
+        addMetadataTag(metadata, `proj:${projectHash}`);
+        result.repaired++;
+      } else {
+        metadata.quarantine = {
+          ...isRecord(metadata.quarantine) ? metadata.quarantine : {},
+          status: "active",
+          category: "project-scope",
+          reason,
+          detectedAt: nowIso,
+          expectedProjectHash: projectHash,
+          ...observedProjectHash ? { observedProjectHash } : {}
+        };
+        metadata.repair = {
+          ...isRecord(metadata.repair) ? metadata.repair : {},
+          legacyProjectScope: {
+            action,
+            reason,
+            repairedAt: nowIso
+          }
+        };
+        addMetadataTag(metadata, "quarantine:project-scope");
+        result.quarantined++;
+      }
+      sample({ eventId: row.id, action, reason });
+      if (!dryRun) {
+        sqliteRun(this.db, `UPDATE events SET metadata = ? WHERE id = ?`, [JSON.stringify(metadata), row.id]);
+      }
+    }
+    return result;
+  }
   /**
    * Get embedding/vector outbox health statistics
    */
@@ -3258,7 +3555,11 @@ var SQLiteEventStore = class {
     await this.initialize();
     const rows = sqliteAll(
       this.db,
-      `SELECT level, COUNT(*) as count FROM memory_levels GROUP BY level`
+      `SELECT ml.level, COUNT(*) as count
+       FROM memory_levels ml
+       INNER JOIN events e ON e.id = ml.event_id
+       WHERE ${notActiveQuarantinedSql("e.metadata")}
+       GROUP BY ml.level`
     );
     return rows;
   }
@@ -3274,6 +3575,7 @@ var SQLiteEventStore = class {
       `SELECT e.* FROM events e
        INNER JOIN memory_levels ml ON e.id = ml.event_id
        WHERE ml.level = ?
+         AND ${notActiveQuarantinedSql("e.metadata")}
        ORDER BY e.timestamp DESC
        LIMIT ? OFFSET ?`,
       [level, limit, offset]
@@ -3366,12 +3668,13 @@ var SQLiteEventStore = class {
   /**
    * Get most accessed memories (falls back to recent events if none accessed)
    */
-  async getMostAccessed(limit = 10) {
+  async getMostAccessed(limit = 10, options) {
     await this.initialize();
     let rows = sqliteAll(
       this.db,
       `SELECT * FROM events
        WHERE access_count > 0
+         AND ${maybeQuarantinePredicate(options)}
        ORDER BY access_count DESC, last_accessed_at DESC
        LIMIT ?`,
       [limit]
@@ -3380,6 +3683,7 @@ var SQLiteEventStore = class {
       rows = sqliteAll(
         this.db,
         `SELECT * FROM events
+         WHERE ${maybeQuarantinePredicate(options)}
          ORDER BY timestamp DESC
          LIMIT ?`,
         [limit]
@@ -3510,6 +3814,7 @@ var SQLiteEventStore = class {
        FROM memory_helpfulness mh
        JOIN events e ON e.id = mh.event_id
        WHERE mh.measured_at IS NOT NULL
+         AND ${notActiveQuarantinedSql("e.metadata")}
        GROUP BY mh.event_id
        ORDER BY avg_score DESC
        LIMIT ?`,
@@ -3574,6 +3879,7 @@ var SQLiteEventStore = class {
          FROM events_fts fts
          JOIN events e ON e.id = fts.event_id
          WHERE events_fts MATCH ?
+           AND ${notActiveQuarantinedSql("e.metadata")}
          ORDER BY fts.rank
          LIMIT ?`,
         [searchTerms, limit]
@@ -3588,6 +3894,7 @@ var SQLiteEventStore = class {
         this.db,
         `SELECT *, 0 as rank FROM events
          WHERE content LIKE ?
+           AND ${notActiveQuarantinedSql()}
          ORDER BY timestamp DESC
          LIMIT ?`,
         [likePattern, limit]
@@ -3794,6 +4101,7 @@ var SQLiteEventStore = class {
       `SELECT turn_id, MIN(timestamp) as min_ts
        FROM events
        WHERE session_id = ? AND turn_id IS NOT NULL
+         AND ${maybeQuarantinePredicate(options)}
        GROUP BY turn_id
        ORDER BY min_ts DESC
        LIMIT ? OFFSET ?`,
@@ -3801,7 +4109,7 @@ var SQLiteEventStore = class {
     );
     const turns = [];
     for (const turnRow of turnRows) {
-      const events = await this.getEventsByTurn(turnRow.turn_id);
+      const events = await this.getEventsByTurn(turnRow.turn_id, options);
       const promptEvent = events.find((e) => e.eventType === "user_prompt");
       const toolEvents = events.filter((e) => e.eventType === "tool_observation");
       const hasResponse = events.some((e) => e.eventType === "agent_response");
@@ -3820,11 +4128,11 @@ var SQLiteEventStore = class {
   /**
    * Get all events for a specific turn_id
    */
-  async getEventsByTurn(turnId) {
+  async getEventsByTurn(turnId, options) {
     await this.initialize();
     const rows = sqliteAll(
       this.db,
-      `SELECT * FROM events WHERE turn_id = ? ORDER BY timestamp ASC`,
+      `SELECT * FROM events WHERE turn_id = ? AND ${maybeQuarantinePredicate(options)} ORDER BY timestamp ASC`,
       [turnId]
     );
     return rows.map(this.rowToEvent);
@@ -3832,13 +4140,14 @@ var SQLiteEventStore = class {
   /**
    * Count total turns for a session
    */
-  async countSessionTurns(sessionId) {
+  async countSessionTurns(sessionId, options) {
     await this.initialize();
     const row = sqliteGet(
       this.db,
       `SELECT COUNT(DISTINCT turn_id) as count
        FROM events
-       WHERE session_id = ? AND turn_id IS NOT NULL`,
+       WHERE session_id = ? AND turn_id IS NOT NULL
+         AND ${maybeQuarantinePredicate(options)}`,
       [sessionId]
     );
     return row?.count || 0;
@@ -3930,7 +4239,7 @@ var SQLiteEventStore = class {
       content: row.content,
       canonicalKey: row.canonical_key,
       dedupeKey: row.dedupe_key,
-      metadata: row.metadata ? JSON.parse(row.metadata) : void 0
+      metadata: safeParseMetadataValue(row.metadata)
     };
     if (row.access_count !== void 0) {
       event.access_count = row.access_count;
@@ -4525,6 +4834,10 @@ var MemoryQueryService = class {
     await this.initialize();
     return this.getMaintenanceStore("recoverStuckOutboxItems").recoverStuckOutboxItems(options);
   }
+  async repairLegacyProjectScope(options) {
+    await this.initialize();
+    return this.getMaintenanceStore("repairLegacyProjectScope").repairLegacyProjectScope(options);
+  }
   async getStats() {
     await this.initialize();
     const deps = this.getStatsDeps();
@@ -6147,18 +6460,18 @@ function assertDefaultRetrieverStore(eventStore) {
 function createMemoryEngineServices(options) {
   const factories = options.factories ?? {};
   const storagePath = options.storagePath;
-  if (!options.readOnly && !fs5.existsSync(storagePath)) {
-    fs5.mkdirSync(storagePath, { recursive: true });
+  if (!options.readOnly && !fs6.existsSync(storagePath)) {
+    fs6.mkdirSync(storagePath, { recursive: true });
   }
   const sqliteStore = (factories.createSQLiteEventStore ?? defaultCreateSQLiteEventStore)(
-    path4.join(storagePath, "events.sqlite"),
+    path5.join(storagePath, "events.sqlite"),
     {
       readonly: options.readOnly,
       markdownMirrorRoot: storagePath
     }
   );
   const vectorStore = (factories.createVectorStore ?? defaultCreateVectorStore)(
-    path4.join(storagePath, "vectors")
+    path5.join(storagePath, "vectors")
   );
   const embeddingModel = options.embeddingModel || process.env.CLAUDE_MEMORY_EMBEDDING_MODEL;
   const embedder = embeddingModel ? (factories.createEmbedder ?? defaultCreateEmbedder)(embeddingModel) : (factories.getDefaultEmbedder ?? getDefaultEmbedder)();
@@ -6569,8 +6882,8 @@ function createMemoryRuntimeService(deps) {
 }
 
 // src/extensions/shared-memory/shared-memory-services.ts
-import * as fs6 from "fs";
-import * as path5 from "path";
+import * as fs7 from "fs";
+import * as path6 from "path";
 
 // src/core/shared-event-store.ts
 var SharedEventStore = class {
@@ -7258,7 +7571,7 @@ var SharedMemoryServices = class {
     this.ensureDirectory(sharedPath, { allowCreate: true });
     const store = await this.openStore(sharedPath);
     this.sharedVectorStore = this.factories.createSharedVectorStore(
-      path5.join(sharedPath, "vectors")
+      path6.join(sharedPath, "vectors")
     );
     await this.sharedVectorStore.initialize();
     this.sharedPromoter = this.factories.createSharedPromoter(
@@ -7331,7 +7644,7 @@ var SharedMemoryServices = class {
   async createOpenStorePromise(sharedPath) {
     if (!this.sharedEventStore) {
       const sharedEventStore = this.factories.createSharedEventStore(
-        path5.join(sharedPath, "shared.duckdb")
+        path6.join(sharedPath, "shared.duckdb")
       );
       await sharedEventStore.initialize();
       this.sharedEventStore = sharedEventStore;
@@ -7351,9 +7664,9 @@ var SharedMemoryServices = class {
   }
   get factories() {
     return {
-      existsSync: this.options.factories?.existsSync ?? fs6.existsSync,
+      existsSync: this.options.factories?.existsSync ?? fs7.existsSync,
       mkdirSync: this.options.factories?.mkdirSync ?? ((targetPath) => {
-        fs6.mkdirSync(targetPath, { recursive: true });
+        fs7.mkdirSync(targetPath, { recursive: true });
       }),
       createSharedEventStore: this.options.factories?.createSharedEventStore ?? createSharedEventStore,
       createSharedStore: this.options.factories?.createSharedStore ?? createSharedStore,
@@ -7468,37 +7781,11 @@ function createMemoryServiceComposition(options) {
 }
 function defaultExpandPath(targetPath) {
   if (targetPath.startsWith("~")) {
-    return path6.join(os.homedir(), targetPath.slice(1));
+    return path7.join(os2.homedir(), targetPath.slice(1));
   }
   return targetPath;
 }
 
-// src/core/registry/project-path.ts
-import * as crypto2 from "crypto";
-import * as fs7 from "fs";
-import * as os2 from "os";
-import * as path7 from "path";
-function normalizeProjectPath(projectPath) {
-  const expanded = projectPath.startsWith("~") ? path7.join(os2.homedir(), projectPath.slice(1)) : projectPath;
-  try {
-    return fs7.realpathSync(expanded);
-  } catch {
-    return path7.resolve(expanded);
-  }
-}
-function hashProjectPath(projectPath) {
-  const normalizedPath = normalizeProjectPath(projectPath);
-  return crypto2.createHash("sha256").update(normalizedPath).digest("hex").slice(0, 8);
-}
-function getProjectStoragePath(projectPath) {
-  const hash = hashProjectPath(projectPath);
-  return path7.join(os2.homedir(), ".claude-code", "memory", "projects", hash);
-}
-function resolveProjectStoragePath(projectOrHash) {
-  const isHash = /^[a-f0-9]{8}$/.test(projectOrHash);
-  return isHash ? path7.join(os2.homedir(), ".claude-code", "memory", "projects", projectOrHash) : getProjectStoragePath(projectOrHash);
-}
-
 // src/core/registry/session-registry.ts
 import * as fs8 from "fs";
 import * as os3 from "os";
@@ -7825,6 +8112,9 @@ var MemoryService = class {
   async recoverStuckOutboxItems(options) {
     return this.queryService.recoverStuckOutboxItems(options);
   }
+  async repairLegacyProjectScope(options) {
+    return this.queryService.repairLegacyProjectScope(options);
+  }
   async getRetrievalTraceStats() {
     return this.retrievalAnalyticsService.getRetrievalTraceStats();
   }
@@ -8554,7 +8844,7 @@ import * as os7 from "os";
 import * as readline2 from "readline";
 import { createHash as createHash3, randomUUID as randomUUID9 } from "crypto";
 var CODEX_VALIDATION_DEFAULT_MAX_CONTENT_CHARS = 1e4;
-function isRecord(value) {
+function isRecord2(value) {
   return typeof value === "object" && value !== null;
 }
 function normalizeMaybeRealpath(p) {
@@ -8571,7 +8861,7 @@ function extractCodexContentText(content, maxContentChars = CODEX_VALIDATION_DEF
       texts.push(content);
   } else if (Array.isArray(content)) {
     for (const block of content) {
-      if (!isRecord(block))
+      if (!isRecord2(block))
         continue;
       const b = block;
       const t = typeof b.type === "string" ? b.type : "";
@@ -8659,7 +8949,7 @@ async function readCodexSessionMeta(filePath) {
         const obj = JSON.parse(line);
         if (obj.type !== "session_meta")
           continue;
-        if (!isRecord(obj.payload))
+        if (!isRecord2(obj.payload))
           break;
         const payload = obj.payload;
         const sessionId = typeof payload.id === "string" ? payload.id : null;
@@ -8797,7 +9087,7 @@ async function normalizeCodexSessionFile(filePath, options = {}) {
       }
       if (entry.type === "session_meta")
         continue;
-      if (entry.type !== "response_item" || !isRecord(entry.payload)) {
+      if (entry.type !== "response_item" || !isRecord2(entry.payload)) {
         summary.skippedUnsupportedRecords += 1;
         continue;
       }
@@ -8952,7 +9242,7 @@ var CodexSessionHistoryImporter = class {
           const obj = JSON.parse(line);
           if (obj.type !== "session_meta")
             continue;
-          if (!isRecord(obj.payload))
+          if (!isRecord2(obj.payload))
             break;
           const payload = obj.payload;
           const sessionId = typeof payload.id === "string" ? payload.id : null;
@@ -9168,7 +9458,7 @@ var CodexSessionHistoryImporter = class {
         try {
           const entry = JSON.parse(line);
           result.totalMessages++;
-          if (entry.type === "response_item" && isRecord(entry.payload)) {
+          if (entry.type === "response_item" && isRecord2(entry.payload)) {
             const payload = entry.payload;
             if (payload.type !== "message")
               continue;
@@ -9360,10 +9650,10 @@ var SENSITIVE_PATTERNS = [
   // Redact the whole URI so usernames, credentials, hosts, paths, and query
   // params do not leak either.
   /\b[a-z][a-z0-9+.-]*:\/\/[^\s'"`<>/@]+@[^\s'"`<>]+/gi,
-  /password\s*[:=]\s*['"]?[^\s'"]+/gi,
-  /api[_-]?key\s*[:=]\s*['"]?[^\s'"]+/gi,
-  /secret\s*[:=]\s*['"]?[^\s'"]+/gi,
-  /token\s*[:=]\s*['"]?[^\s'"]+/gi,
+  /(?:[\w.-]+[-_])?password\s*[:=]\s*(?!\[REDACTED\])['"]?[^\s'"]+/gi,
+  /(?:[\w.-]+[-_])?api[-_]?key\s*[:=]\s*(?!\[REDACTED\])['"]?[^\s'"]+/gi,
+  /(?:[\w.-]+[-_])?secret\s*[:=]\s*(?!\[REDACTED\])['"]?[^\s'"]+/gi,
+  /(?:[\w.-]+[-_])?token\s*[:=]\s*(?!\[REDACTED\])['"]?[^\s'"]+/gi,
   /bearer\s+[a-zA-Z0-9\-_.]+/gi,
   /AWS[_-]?ACCESS[_-]?KEY[_-]?ID\s*[:=]\s*['"]?[A-Z0-9]+/gi,
   /AWS[_-]?SECRET[_-]?ACCESS[_-]?KEY\s*[:=]\s*['"]?[^\s'"]+/gi,
@@ -9373,6 +9663,35 @@ var SENSITIVE_PATTERNS = [
   /sk-[a-zA-Z0-9]{48}/g
   // OpenAI API Key
 ];
+var CLI_SECRET_OPTION_PATTERNS = [
+  /(--(?:[a-z0-9]+[-_])*(?:password|secret|api[-_]?key|token|bearer)(?:[-_][a-z0-9]+)*(?:\s+|=))(?:"[^"]*"|'[^']*'|[^\s'"`<>]+)/gi
+];
+var URL_FOLLOWING_SECRET_PATTERN = /((?:https?:\/\/[^\s'"`<>]+)\s*\r?\n\s*)([A-Za-z0-9!@#$%^&*._+\-~:=/]{6,})(?=\s*(?:\r?\n|$))/gi;
+function looksLikePastedSecret(value) {
+  return value.length >= 8 && /(?:\d|[^A-Za-z0-9])/.test(value);
+}
+function maskUrlFollowingSecret(value) {
+  let count = 0;
+  const content = value.replace(URL_FOLLOWING_SECRET_PATTERN, (_match, prefix, secret) => {
+    if (!looksLikePastedSecret(secret))
+      return `${prefix}${secret}`;
+    count++;
+    return `${prefix}[REDACTED]`;
+  });
+  return { content, count };
+}
+function maskCliSecretOptions(value) {
+  let count = 0;
+  let filtered = value;
+  for (const pattern of CLI_SECRET_OPTION_PATTERNS) {
+    pattern.lastIndex = 0;
+    filtered = filtered.replace(pattern, (_match, prefix) => {
+      count++;
+      return `${prefix}[REDACTED]`;
+    });
+  }
+  return { content: filtered, count };
+}
 function applyPrivacyFilter(content, config) {
   let filtered = content;
   let privateTagCount = 0;
@@ -9386,6 +9705,12 @@ function applyPrivacyFilter(content, config) {
     filtered = tagResult.filtered;
     privateTagCount = tagResult.stats.count;
   }
+  const cliResult = maskCliSecretOptions(filtered);
+  filtered = cliResult.content;
+  patternMatchCount += cliResult.count;
+  const urlSecretResult = maskUrlFollowingSecret(filtered);
+  filtered = urlSecretResult.content;
+  patternMatchCount += urlSecretResult.count;
   for (const pattern of SENSITIVE_PATTERNS) {
     pattern.lastIndex = 0;
     const matches = filtered.match(pattern);
@@ -9397,13 +9722,13 @@ function applyPrivacyFilter(content, config) {
   for (const patternStr of config.excludePatterns || []) {
     try {
       const regex = new RegExp(
-        `(${patternStr})\\s*[:=]\\s*['"]?[^\\s'"]+`,
+        `(^|[^\\w-])(${patternStr})\\s*[:=]\\s*['"]?[^\\s'"]+`,
         "gi"
       );
       const matches = filtered.match(regex);
       if (matches) {
         patternMatchCount += matches.length;
-        filtered = filtered.replace(regex, "[REDACTED]");
+        filtered = filtered.replace(regex, "$1[REDACTED]");
       }
     } catch {
     }
@@ -13632,6 +13957,54 @@ function resolveDashboardCommandOptions(options) {
   };
 }
 
+// src/apps/cli/repair-command.ts
+function resolveLegacyProjectScopeRepairOptions(options) {
+  if (options.project !== void 0 && options.project.trim().length === 0) {
+    throw new Error("legacy project-scope repair --project must not be empty");
+  }
+  if (options.projectHash !== void 0 && options.projectHash.trim().length === 0) {
+    throw new Error("legacy project-scope repair --project-hash must not be empty");
+  }
+  const projectPath = typeof options.project === "string" && options.project.length > 0 ? options.project : void 0;
+  const projectHash = typeof options.projectHash === "string" && options.projectHash.length > 0 ? options.projectHash : void 0;
+  if (!projectPath && !projectHash) {
+    throw new Error("legacy project-scope repair requires --project or --project-hash");
+  }
+  if (projectHash && !/^[a-f0-9]{8}$/.test(projectHash)) {
+    throw new Error("legacy project-scope repair --project-hash must be an 8-character lowercase hex hash");
+  }
+  if (projectPath && projectHash && hashProjectPath(projectPath) !== projectHash) {
+    throw new Error("legacy project-scope repair --project and --project-hash refer to different project stores");
+  }
+  return {
+    projectPath,
+    projectHash,
+    dryRun: options.apply !== true
+  };
+}
+function formatLegacyProjectScopeRepairResult(result) {
+  const lines = [
+    "Legacy project-scope repair",
+    `Mode: ${result.dryRun ? "dry-run" : "apply"}`,
+    `Project: ${result.projectHash}`,
+    `Scanned: ${result.scanned}`,
+    `Already scoped: ${result.alreadyScoped}`,
+    `Repaired: ${result.repaired}`,
+    `Quarantined: ${result.quarantined}`,
+    `Skipped: ${result.skipped}`
+  ];
+  if (result.samples.length > 0) {
+    lines.push("Samples:");
+    for (const sample of result.samples) {
+      lines.push(`- ${sample.eventId} ${sample.action} ${sample.reason}`);
+    }
+  }
+  if (result.dryRun) {
+    lines.push("Dry-run only. Re-run with --apply to mutate event metadata.");
+  }
+  return lines.join("\n");
+}
+
 // src/core/external-market-context.ts
 var MAX_RENDERED_ITEMS = 8;
 var MAX_FRED_SERIES = 10;
@@ -14242,7 +14615,7 @@ async function runMarketContextCommand(options) {
   }
 }
 var program = new Command();
-program.name("claude-memory-layer").description("Claude Code Memory Plugin CLI").version("1.0.37");
+program.name("claude-memory-layer").description("Claude Code Memory Plugin CLI").version("1.0.38");
 program.command("market-context").description("Fetch read-only DART/FRED/Finnhub context with structured MarketContextSnapshot bull/bear/risk/catalyst analysis").option("--company <name>", "Company name for DART fallback search and report subject").option("--dart-corp-code <code>", "Exact DART corp_code for issuer-specific filings").option("--symbol <ticker>", "Listed ticker for Finnhub company profile").option("--providers <list>", "Comma-separated providers: dart,fred,finnhub").option("--fred-series <list>", "Comma-separated FRED series IDs").option("--json", "Print structured JSON including analysis.marketSnapshot").option("--no-snapshot", "Disable MarketContextSnapshot and DART company snapshot analysis").action(async (options) => {
   try {
     await runMarketContextCommand(options);
@@ -14498,6 +14871,46 @@ program.command("process").description("Process pending embeddings").option("-p,
     process.exit(1);
   }
 });
+var repairCommand = program.command("repair").description("Repair or quarantine legacy memory metadata");
+repairCommand.command("legacy-project-scope").description("Dry-run or apply project-scope repair/quarantine for legacy imported events").option("-p, --project <path>", "Project path (defaults to cwd unless --project-hash is used)").option("--project-hash <hash>", "Project storage hash for hash-only repair flows").option("--apply", "Apply metadata changes (default is dry-run)").action(async (options) => {
+  try {
+    const projectPath = options.project !== void 0 ? options.project : !options.projectHash ? process.cwd() : void 0;
+    const repairOptions = resolveLegacyProjectScopeRepairOptions({
+      project: projectPath,
+      projectHash: options.projectHash,
+      apply: options.apply
+    });
+    const storagePath = projectPath ? getProjectStoragePath(projectPath) : resolveProjectStoragePath(repairOptions.projectHash);
+    const dbPath = path21.join(storagePath, "events.sqlite");
+    if (repairOptions.dryRun && !fs18.existsSync(dbPath)) {
+      const projectHash = repairOptions.projectHash || hashProjectPath(repairOptions.projectPath);
+      console.log(formatLegacyProjectScopeRepairResult({
+        dryRun: true,
+        projectHash,
+        scanned: 0,
+        repaired: 0,
+        quarantined: 0,
+        alreadyScoped: 0,
+        skipped: 0,
+        samples: []
+      }));
+      return;
+    }
+    const store = new SQLiteEventStore(dbPath, {
+      readonly: repairOptions.dryRun
+    });
+    try {
+      const result = await store.repairLegacyProjectScope(repairOptions);
+      console.log(formatLegacyProjectScopeRepairResult(result));
+    } finally {
+      await store.close().catch(() => void 0);
+    }
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    console.error(`Repair failed: ${message}`);
+    process.exit(1);
+  }
+});
 program.command("mongo-sync").description("Sync events with MongoDB for multi-server collaboration (optional)").option("-p, --project <path>", "Project path (defaults to cwd)").option("--mongo-uri <uri>", "MongoDB connection URI (env: CLAUDE_MEMORY_MONGO_URI)").option("--mongo-db <name>", "MongoDB database name (env: CLAUDE_MEMORY_MONGO_DB)").option("--mongo-project <key>", "Remote project key (env: CLAUDE_MEMORY_MONGO_PROJECT, default: basename(projectPath))").option("--direction <dir>", "push|pull|both", "both").option("--batch-size <n>", "Batch size", "500").option("--interval <ms>", "Watch interval ms", "30000").option("--watch", "Run continuously").action(async (options) => {
   const projectPath = options.project || process.cwd();
   const mongoUri = options.mongoUri || process.env.CLAUDE_MEMORY_MONGO_URI;