npm - claude-memory-layer - Versions diffs - 1.0.37 → 1.0.38 - Mend

claude-memory-layer 1.0.37 → 1.0.38

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

package/dist/cli/index.js +497 -84
package/dist/cli/index.js.map +4 -4
package/dist/core/index.js +309 -22
package/dist/core/index.js.map +3 -3
package/dist/hooks/post-tool-use.js +399 -74
package/dist/hooks/post-tool-use.js.map +4 -4
package/dist/hooks/semantic-daemon.js +357 -67
package/dist/hooks/semantic-daemon.js.map +4 -4
package/dist/hooks/session-end.js +357 -67
package/dist/hooks/session-end.js.map +4 -4
package/dist/hooks/session-start.js +357 -67
package/dist/hooks/session-start.js.map +4 -4
package/dist/hooks/stop.js +398 -73
package/dist/hooks/stop.js.map +4 -4
package/dist/hooks/user-prompt-submit.js +357 -67
package/dist/hooks/user-prompt-submit.js.map +4 -4
package/dist/index.js +318 -28
package/dist/index.js.map +3 -3
package/dist/mcp/index.js +403 -78
package/dist/mcp/index.js.map +4 -4
package/dist/server/api/index.js +361 -71
package/dist/server/api/index.js.map +4 -4
package/dist/server/index.js +361 -71
package/dist/server/index.js.map +4 -4
package/dist/services/memory-service.js +357 -67
package/dist/services/memory-service.js.map +4 -4
package/package.json +1 -1

package/dist/hooks/stop.js CHANGED Viewed

@@ -10,8 +10,8 @@ const __dirname = dirname(__filename);
 import * as os5 from "os";
 // src/core/engine/memory-service-composition.ts
-import * as os from "os";
-import * as path6 from "path";
+import * as os2 from "os";
+import * as path7 from "path";
 // src/core/metadata-extractor.ts
 function createToolObservationEmbedding(toolName, metadata, success) {
@@ -1522,8 +1522,8 @@ function createEndlessMemoryServices(options) {
 }
 // src/core/engine/memory-engine-services.ts
-import * as fs5 from "fs";
-import * as path4 from "path";
+import * as fs6 from "fs";
+import * as path5 from "path";
 // src/extensions/vector/embedder.ts
 var DEFAULT_EMBEDDING_MODEL = "Xenova/multilingual-e5-small";
@@ -2201,14 +2201,39 @@ function makeDedupeKey(content, sessionId) {
   return `${sessionId}:${contentHash}`;
 }
+// src/core/sqlite-event-store.ts
+import * as nodePath2 from "path";
+// src/core/registry/project-path.ts
+import * as crypto2 from "crypto";
+import * as fs3 from "fs";
+import * as os from "os";
+import * as path3 from "path";
+function normalizeProjectPath(projectPath) {
+  const expanded = projectPath.startsWith("~") ? path3.join(os.homedir(), projectPath.slice(1)) : projectPath;
+  try {
+    return fs3.realpathSync(expanded);
+  } catch {
+    return path3.resolve(expanded);
+  }
+}
+function hashProjectPath(projectPath) {
+  const normalizedPath = normalizeProjectPath(projectPath);
+  return crypto2.createHash("sha256").update(normalizedPath).digest("hex").slice(0, 8);
+}
+function getProjectStoragePath(projectPath) {
+  const hash = hashProjectPath(projectPath);
+  return path3.join(os.homedir(), ".claude-code", "memory", "projects", hash);
+}
 // src/core/sqlite-wrapper.ts
 import Database from "better-sqlite3";
-import * as fs3 from "fs";
+import * as fs4 from "fs";
 import * as nodePath from "path";
 function createSQLiteDatabase(path12, options) {
   const dir = nodePath.dirname(path12);
-  if (!fs3.existsSync(dir)) {
-    fs3.mkdirSync(dir, { recursive: true });
+  if (!fs4.existsSync(dir)) {
+    fs4.mkdirSync(dir, { recursive: true });
   }
   const db = new Database(path12, {
     readonly: options?.readonly ?? false
@@ -2257,8 +2282,8 @@ function toSQLiteTimestamp(date) {
 }
 // src/core/markdown-mirror.ts
-import * as fs4 from "fs/promises";
-import * as path3 from "path";
+import * as fs5 from "fs/promises";
+import * as path4 from "path";
 var DEFAULT_NAMESPACE = "default";
 var DEFAULT_CATEGORY = "uncategorized";
 function sanitizeSegment2(input, fallback) {
@@ -2287,7 +2312,7 @@ function buildMirrorPath2(rootDir, event) {
   const yyyy = d.getFullYear();
   const mm = String(d.getMonth() + 1).padStart(2, "0");
   const dd = String(d.getDate()).padStart(2, "0");
-  return path3.join(rootDir, "memory", namespace, ...categories, `${yyyy}-${mm}-${dd}.md`);
+  return path4.join(rootDir, "memory", namespace, ...categories, `${yyyy}-${mm}-${dd}.md`);
 }
 function formatMirrorEntry(event) {
   const category = Array.isArray(event.metadata?.categoryPath) ? event.metadata.categoryPath.join("/") : String(event.metadata?.category ?? event.eventType);
@@ -2308,8 +2333,8 @@ var MarkdownMirror2 = class {
   }
   async append(event) {
     const outPath = buildMirrorPath2(this.rootDir, event);
-    await fs4.mkdir(path3.dirname(outPath), { recursive: true });
-    await fs4.appendFile(outPath, formatMirrorEntry(event), "utf8");
+    await fs5.mkdir(path4.dirname(outPath), { recursive: true });
+    await fs5.appendFile(outPath, formatMirrorEntry(event), "utf8");
     return outPath;
   }
 };
@@ -2330,6 +2355,135 @@ function emptyOutboxRecoveryResult() {
     vector: { recoveredProcessing: 0, retriedFailed: 0 }
   };
 }
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function getNestedRecord(root, path12) {
+  let cursor = root;
+  for (const key of path12) {
+    if (!isRecord(cursor))
+      return void 0;
+    cursor = cursor[key];
+  }
+  return isRecord(cursor) ? cursor : void 0;
+}
+function getNestedString(root, path12) {
+  let cursor = root;
+  for (const key of path12) {
+    if (!isRecord(cursor))
+      return void 0;
+    cursor = cursor[key];
+  }
+  return typeof cursor === "string" && cursor.length > 0 ? cursor : void 0;
+}
+function metadataProjectHash(metadata) {
+  return getNestedString(metadata, ["scope", "project", "hash"]);
+}
+function metadataProjectPaths(metadata) {
+  const candidates = [
+    getNestedString(metadata, ["projectPath"]),
+    getNestedString(metadata, ["sourceProjectPath"]),
+    getNestedString(metadata, ["scope", "project", "path"])
+  ];
+  const paths = [];
+  for (const value of candidates) {
+    if (value && !paths.includes(value))
+      paths.push(value);
+  }
+  return paths;
+}
+function metadataProjectPath(metadata) {
+  return metadataProjectPaths(metadata)[0];
+}
+function isActiveQuarantinedMetadata(metadata) {
+  const quarantine = getNestedRecord(metadata, ["quarantine"]);
+  return quarantine?.status === "active";
+}
+function activeQuarantineStatusExpression(column = "metadata") {
+  return `COALESCE(json_extract(CASE WHEN json_valid(${column}) THEN ${column} ELSE '{}' END, '$.quarantine.status'), '')`;
+}
+function notActiveQuarantinedSql(column = "metadata") {
+  return `${activeQuarantineStatusExpression(column)} != 'active'`;
+}
+function maybeQuarantinePredicate(options, column = "metadata") {
+  return options?.includeQuarantined ? "1=1" : notActiveQuarantinedSql(column);
+}
+function safeParseMetadataValue(value) {
+  if (!value)
+    return void 0;
+  if (typeof value === "object")
+    return isRecord(value) ? value : void 0;
+  if (typeof value !== "string")
+    return void 0;
+  try {
+    const parsed = JSON.parse(value);
+    return isRecord(parsed) ? parsed : void 0;
+  } catch {
+    return void 0;
+  }
+}
+function isImportedOrLegacyScopedMetadata(metadata) {
+  if (!metadata)
+    return false;
+  return Boolean(
+    metadata.importedFrom || metadata.sourceSessionId || metadata.sourceSessionHash || metadata.hermesSource || metadata.projectPath || metadata.sourceProjectPath || metadata.source === "hermes" || metadata.source === "claude" || metadata.source === "codex"
+  );
+}
+function addMetadataTag(metadata, tag) {
+  const current = Array.isArray(metadata.tags) ? metadata.tags.filter((value) => typeof value === "string") : [];
+  if (!current.includes(tag))
+    metadata.tags = [...current, tag];
+}
+function buildRepairResult(projectHash, dryRun) {
+  return {
+    dryRun,
+    projectHash,
+    scanned: 0,
+    repaired: 0,
+    quarantined: 0,
+    alreadyScoped: 0,
+    skipped: 0,
+    samples: []
+  };
+}
+function normalizeRepoName(value) {
+  return value.replace(/\.git$/i, "").trim().toLowerCase();
+}
+function projectBasename(projectPath) {
+  if (!projectPath)
+    return void 0;
+  const trimmed = projectPath.replace(/[\\/]+$/, "");
+  const basename2 = nodePath2.basename(trimmed);
+  return basename2 ? normalizeRepoName(basename2) : void 0;
+}
+function isProjectScopeRepairExplanation(content) {
+  const normalized = content.toLowerCase();
+  const hasRepairContext = /project[- ]scope|mis[- ]scoped|quarantine|contamination|legacy|오염|격리|repair/.test(normalized);
+  const hasExplanationContext = /example|detector|trap|not a .*project task|기억|메모리|설명|수정|검증/.test(normalized);
+  return hasRepairContext && hasExplanationContext;
+}
+function hasConflictingContentProjectHint(content, projectPath) {
+  const currentName = projectBasename(projectPath);
+  if (!currentName)
+    return false;
+  if (isProjectScopeRepairExplanation(content))
+    return false;
+  const githubRepoPattern = /github\.com[:/]([^/\s`'"#)]+)\/([^/\s`'"#)]+)(?:\.git)?/gi;
+  let githubMatch;
+  while ((githubMatch = githubRepoPattern.exec(content)) !== null) {
+    const repo = normalizeRepoName(githubMatch[2] || "");
+    if (repo && repo !== currentName)
+      return true;
+  }
+  const workspacePathPattern = /\/workspace\/([^/\s`'"#)]+)/gi;
+  let workspaceMatch;
+  while ((workspaceMatch = workspacePathPattern.exec(content)) !== null) {
+    const repo = normalizeRepoName(workspaceMatch[1] || "");
+    if (repo && repo !== currentName)
+      return true;
+  }
+  return false;
+}
 var SQLiteEventStore = class {
   db;
   initialized = false;
@@ -2828,11 +2982,11 @@ var SQLiteEventStore = class {
   /**
    * Get events by session ID
    */
-  async getSessionEvents(sessionId) {
+  async getSessionEvents(sessionId, options) {
     await this.initialize();
     const rows = sqliteAll(
       this.db,
-      `SELECT * FROM events WHERE session_id = ? ORDER BY timestamp ASC`,
+      `SELECT * FROM events WHERE session_id = ? AND ${maybeQuarantinePredicate(options)} ORDER BY timestamp ASC`,
       [sessionId]
     );
     return rows.map(this.rowToEvent);
@@ -2840,11 +2994,11 @@ var SQLiteEventStore = class {
   /**
    * Get recent events
    */
-  async getRecentEvents(limit = 100) {
+  async getRecentEvents(limit = 100, options) {
     await this.initialize();
     const rows = sqliteAll(
       this.db,
-      `SELECT * FROM events ORDER BY timestamp DESC LIMIT ?`,
+      `SELECT * FROM events WHERE ${maybeQuarantinePredicate(options)} ORDER BY timestamp DESC LIMIT ?`,
       [limit]
     );
     return rows.map(this.rowToEvent);
@@ -2852,11 +3006,11 @@ var SQLiteEventStore = class {
   /**
    * Get event by ID
    */
-  async getEvent(id) {
+  async getEvent(id, options) {
     await this.initialize();
     const row = sqliteGet(
       this.db,
-      `SELECT * FROM events WHERE id = ?`,
+      `SELECT * FROM events WHERE id = ? AND ${maybeQuarantinePredicate(options)}`,
       [id]
     );
     if (!row)
@@ -2866,11 +3020,11 @@ var SQLiteEventStore = class {
   /**
    * Get events since a timestamp (for sync)
    */
-  async getEventsSince(timestamp, limit = 1e3) {
+  async getEventsSince(timestamp, limit = 1e3, options) {
     await this.initialize();
     const rows = sqliteAll(
       this.db,
-      `SELECT * FROM events WHERE timestamp > ? ORDER BY timestamp ASC LIMIT ?`,
+      `SELECT * FROM events WHERE timestamp > ? AND ${maybeQuarantinePredicate(options)} ORDER BY timestamp ASC LIMIT ?`,
       [timestamp, limit]
     );
     return rows.map(this.rowToEvent);
@@ -2879,11 +3033,11 @@ var SQLiteEventStore = class {
    * Get events since a SQLite rowid (for robust incremental replication).
    * Rowid is monotonic for append-only tables, independent of client timestamps.
    */
-  async getEventsSinceRowid(lastRowid, limit = 1e3) {
+  async getEventsSinceRowid(lastRowid, limit = 1e3, options) {
     await this.initialize();
     const rows = sqliteAll(
       this.db,
-      `SELECT rowid as _rowid, * FROM events WHERE rowid > ? ORDER BY rowid ASC LIMIT ?`,
+      `SELECT rowid as _rowid, * FROM events WHERE rowid > ? AND ${maybeQuarantinePredicate(options)} ORDER BY rowid ASC LIMIT ?`,
       [lastRowid, limit]
     );
     return rows.map((row) => ({
@@ -3118,19 +3272,19 @@ var SQLiteEventStore = class {
   /**
    * Count total events
    */
-  async countEvents() {
+  async countEvents(options) {
     await this.initialize();
-    const row = sqliteGet(this.db, `SELECT COUNT(*) as count FROM events`);
+    const row = sqliteGet(this.db, `SELECT COUNT(*) as count FROM events WHERE ${maybeQuarantinePredicate(options)}`);
     return row?.count || 0;
   }
   /**
    * Get events page in timestamp ascending order (stable migration/reindex scans)
    */
-  async getEventsPage(limit = 1e3, offset = 0) {
+  async getEventsPage(limit = 1e3, offset = 0, options) {
     await this.initialize();
     const rows = sqliteAll(
       this.db,
-      `SELECT * FROM events ORDER BY timestamp ASC LIMIT ? OFFSET ?`,
+      `SELECT * FROM events WHERE ${maybeQuarantinePredicate(options)} ORDER BY timestamp ASC LIMIT ? OFFSET ?`,
       [limit, offset]
     );
     return rows.map(this.rowToEvent);
@@ -3204,6 +3358,145 @@ var SQLiteEventStore = class {
     result.vector.retriedFailed = Number(vectorRetried.changes ?? 0);
     return result;
   }
+  /**
+   * Repair legacy imported events that predate canonical project scope metadata.
+   *
+   * Same-project legacy rows are tagged with scope.project.hash. Rows that look
+   * imported but cannot be proven to belong to this project are quarantined so
+   * dashboard default reads/search do not surface cross-project contamination.
+   */
+  async repairLegacyProjectScope(options = {}) {
+    await this.initialize();
+    const projectHash = options.projectHash || (options.projectPath ? hashProjectPath(options.projectPath) : void 0);
+    if (!projectHash) {
+      throw new Error("repairLegacyProjectScope requires projectPath or projectHash");
+    }
+    if (options.projectPath && options.projectHash && hashProjectPath(options.projectPath) !== options.projectHash) {
+      throw new Error("repairLegacyProjectScope projectPath and projectHash refer to different project stores");
+    }
+    const dryRun = options.dryRun === true;
+    const nowIso = (options.now || /* @__PURE__ */ new Date()).toISOString();
+    const result = buildRepairResult(projectHash, dryRun);
+    const rows = sqliteAll(
+      this.db,
+      `SELECT e.id, e.content, e.metadata, s.project_path as session_project_path
+       FROM events e
+       LEFT JOIN sessions s ON s.id = e.session_id
+       ORDER BY e.timestamp ASC`,
+      []
+    );
+    const sample = (entry) => {
+      if (result.samples.length < 20)
+        result.samples.push(entry);
+    };
+    for (const row of rows) {
+      result.scanned++;
+      let metadata = {};
+      let metadataParseInvalid = false;
+      if (row.metadata) {
+        const parsed = safeParseMetadataValue(row.metadata);
+        if (parsed) {
+          metadata = parsed;
+        } else {
+          metadataParseInvalid = true;
+        }
+      }
+      if (isActiveQuarantinedMetadata(metadata)) {
+        result.skipped++;
+        continue;
+      }
+      const currentHash = metadataProjectHash(metadata);
+      const explicitPath = metadataProjectPath(metadata);
+      const sessionProjectPath = typeof row.session_project_path === "string" && row.session_project_path.length > 0 ? row.session_project_path : void 0;
+      const candidatePaths = metadataProjectPaths(metadata);
+      if (sessionProjectPath && !candidatePaths.includes(sessionProjectPath)) {
+        candidatePaths.push(sessionProjectPath);
+      }
+      const importedOrLegacy = metadataParseInvalid || isImportedOrLegacyScopedMetadata(metadata) || Boolean(sessionProjectPath);
+      const pathHashes = candidatePaths.map((candidate) => {
+        try {
+          return { path: candidate, hash: hashProjectPath(candidate) };
+        } catch {
+          return { path: candidate, hash: void 0 };
+        }
+      });
+      const matchingPath = pathHashes.find((candidate) => candidate.hash === projectHash);
+      const foreignPath = pathHashes.find((candidate) => candidate.hash && candidate.hash !== projectHash);
+      let action = "skipped";
+      let reason;
+      let observedProjectHash;
+      if (foreignPath) {
+        action = "quarantined";
+        reason = "project-path-mismatch";
+        observedProjectHash = foreignPath.hash;
+      } else if (currentHash === projectHash && importedOrLegacy && hasConflictingContentProjectHint(row.content, options.projectPath)) {
+        action = "quarantined";
+        reason = "content-project-mismatch";
+      } else if (currentHash === projectHash) {
+        result.alreadyScoped++;
+        continue;
+      } else if (currentHash && currentHash !== projectHash) {
+        action = "quarantined";
+        reason = "scope-hash-mismatch";
+        observedProjectHash = currentHash;
+      } else if (matchingPath) {
+        action = "repaired";
+        reason = matchingPath.path === sessionProjectPath && matchingPath.path !== explicitPath ? "session-project-path" : "same-project-path";
+      } else if (candidatePaths.length > 0) {
+        action = "quarantined";
+        reason = "project-path-mismatch";
+      } else if (importedOrLegacy) {
+        action = "quarantined";
+        reason = "missing-project-scope";
+      }
+      if (action === "skipped" || !reason) {
+        result.skipped++;
+        continue;
+      }
+      if (action === "repaired") {
+        const scope = isRecord(metadata.scope) ? { ...metadata.scope } : {};
+        const project = isRecord(scope.project) ? { ...scope.project } : {};
+        project.hash = projectHash;
+        scope.project = project;
+        metadata.scope = scope;
+        metadata.repair = {
+          ...isRecord(metadata.repair) ? metadata.repair : {},
+          legacyProjectScope: {
+            action,
+            reason,
+            repairedAt: nowIso
+          }
+        };
+        addMetadataTag(metadata, `proj:${projectHash}`);
+        result.repaired++;
+      } else {
+        metadata.quarantine = {
+          ...isRecord(metadata.quarantine) ? metadata.quarantine : {},
+          status: "active",
+          category: "project-scope",
+          reason,
+          detectedAt: nowIso,
+          expectedProjectHash: projectHash,
+          ...observedProjectHash ? { observedProjectHash } : {}
+        };
+        metadata.repair = {
+          ...isRecord(metadata.repair) ? metadata.repair : {},
+          legacyProjectScope: {
+            action,
+            reason,
+            repairedAt: nowIso
+          }
+        };
+        addMetadataTag(metadata, "quarantine:project-scope");
+        result.quarantined++;
+      }
+      sample({ eventId: row.id, action, reason });
+      if (!dryRun) {
+        sqliteRun(this.db, `UPDATE events SET metadata = ? WHERE id = ?`, [JSON.stringify(metadata), row.id]);
+      }
+    }
+    return result;
+  }
   /**
    * Get embedding/vector outbox health statistics
    */
@@ -3251,7 +3544,11 @@ var SQLiteEventStore = class {
     await this.initialize();
     const rows = sqliteAll(
       this.db,
-      `SELECT level, COUNT(*) as count FROM memory_levels GROUP BY level`
+      `SELECT ml.level, COUNT(*) as count
+       FROM memory_levels ml
+       INNER JOIN events e ON e.id = ml.event_id
+       WHERE ${notActiveQuarantinedSql("e.metadata")}
+       GROUP BY ml.level`
     );
     return rows;
   }
@@ -3267,6 +3564,7 @@ var SQLiteEventStore = class {
       `SELECT e.* FROM events e
        INNER JOIN memory_levels ml ON e.id = ml.event_id
        WHERE ml.level = ?
+         AND ${notActiveQuarantinedSql("e.metadata")}
        ORDER BY e.timestamp DESC
        LIMIT ? OFFSET ?`,
       [level, limit, offset]
@@ -3359,12 +3657,13 @@ var SQLiteEventStore = class {
   /**
    * Get most accessed memories (falls back to recent events if none accessed)
    */
-  async getMostAccessed(limit = 10) {
+  async getMostAccessed(limit = 10, options) {
     await this.initialize();
     let rows = sqliteAll(
       this.db,
       `SELECT * FROM events
        WHERE access_count > 0
+         AND ${maybeQuarantinePredicate(options)}
        ORDER BY access_count DESC, last_accessed_at DESC
        LIMIT ?`,
       [limit]
@@ -3373,6 +3672,7 @@ var SQLiteEventStore = class {
       rows = sqliteAll(
         this.db,
         `SELECT * FROM events
+         WHERE ${maybeQuarantinePredicate(options)}
          ORDER BY timestamp DESC
          LIMIT ?`,
         [limit]
@@ -3503,6 +3803,7 @@ var SQLiteEventStore = class {
        FROM memory_helpfulness mh
        JOIN events e ON e.id = mh.event_id
        WHERE mh.measured_at IS NOT NULL
+         AND ${notActiveQuarantinedSql("e.metadata")}
        GROUP BY mh.event_id
        ORDER BY avg_score DESC
        LIMIT ?`,
@@ -3567,6 +3868,7 @@ var SQLiteEventStore = class {
          FROM events_fts fts
          JOIN events e ON e.id = fts.event_id
          WHERE events_fts MATCH ?
+           AND ${notActiveQuarantinedSql("e.metadata")}
          ORDER BY fts.rank
          LIMIT ?`,
         [searchTerms, limit]
@@ -3581,6 +3883,7 @@ var SQLiteEventStore = class {
         this.db,
         `SELECT *, 0 as rank FROM events
          WHERE content LIKE ?
+           AND ${notActiveQuarantinedSql()}
          ORDER BY timestamp DESC
          LIMIT ?`,
         [likePattern, limit]
@@ -3787,6 +4090,7 @@ var SQLiteEventStore = class {
       `SELECT turn_id, MIN(timestamp) as min_ts
        FROM events
        WHERE session_id = ? AND turn_id IS NOT NULL
+         AND ${maybeQuarantinePredicate(options)}
        GROUP BY turn_id
        ORDER BY min_ts DESC
        LIMIT ? OFFSET ?`,
@@ -3794,7 +4098,7 @@ var SQLiteEventStore = class {
     );
     const turns = [];
     for (const turnRow of turnRows) {
-      const events = await this.getEventsByTurn(turnRow.turn_id);
+      const events = await this.getEventsByTurn(turnRow.turn_id, options);
       const promptEvent = events.find((e) => e.eventType === "user_prompt");
       const toolEvents = events.filter((e) => e.eventType === "tool_observation");
       const hasResponse = events.some((e) => e.eventType === "agent_response");
@@ -3813,11 +4117,11 @@ var SQLiteEventStore = class {
   /**
    * Get all events for a specific turn_id
    */
-  async getEventsByTurn(turnId) {
+  async getEventsByTurn(turnId, options) {
     await this.initialize();
     const rows = sqliteAll(
       this.db,
-      `SELECT * FROM events WHERE turn_id = ? ORDER BY timestamp ASC`,
+      `SELECT * FROM events WHERE turn_id = ? AND ${maybeQuarantinePredicate(options)} ORDER BY timestamp ASC`,
       [turnId]
     );
     return rows.map(this.rowToEvent);
@@ -3825,13 +4129,14 @@ var SQLiteEventStore = class {
   /**
    * Count total turns for a session
    */
-  async countSessionTurns(sessionId) {
+  async countSessionTurns(sessionId, options) {
     await this.initialize();
     const row = sqliteGet(
       this.db,
       `SELECT COUNT(DISTINCT turn_id) as count
        FROM events
-       WHERE session_id = ? AND turn_id IS NOT NULL`,
+       WHERE session_id = ? AND turn_id IS NOT NULL
+         AND ${maybeQuarantinePredicate(options)}`,
       [sessionId]
     );
     return row?.count || 0;
@@ -3923,7 +4228,7 @@ var SQLiteEventStore = class {
       content: row.content,
       canonicalKey: row.canonical_key,
       dedupeKey: row.dedupe_key,
-      metadata: row.metadata ? JSON.parse(row.metadata) : void 0
+      metadata: safeParseMetadataValue(row.metadata)
     };
     if (row.access_count !== void 0) {
       event.access_count = row.access_count;
@@ -4518,6 +4823,10 @@ var MemoryQueryService = class {
     await this.initialize();
     return this.getMaintenanceStore("recoverStuckOutboxItems").recoverStuckOutboxItems(options);
   }
+  async repairLegacyProjectScope(options) {
+    await this.initialize();
+    return this.getMaintenanceStore("repairLegacyProjectScope").repairLegacyProjectScope(options);
+  }
   async getStats() {
     await this.initialize();
     const deps = this.getStatsDeps();
@@ -6140,18 +6449,18 @@ function assertDefaultRetrieverStore(eventStore) {
 function createMemoryEngineServices(options) {
   const factories = options.factories ?? {};
   const storagePath = options.storagePath;
-  if (!options.readOnly && !fs5.existsSync(storagePath)) {
-    fs5.mkdirSync(storagePath, { recursive: true });
+  if (!options.readOnly && !fs6.existsSync(storagePath)) {
+    fs6.mkdirSync(storagePath, { recursive: true });
   }
   const sqliteStore = (factories.createSQLiteEventStore ?? defaultCreateSQLiteEventStore)(
-    path4.join(storagePath, "events.sqlite"),
+    path5.join(storagePath, "events.sqlite"),
     {
       readonly: options.readOnly,
       markdownMirrorRoot: storagePath
     }
   );
   const vectorStore = (factories.createVectorStore ?? defaultCreateVectorStore)(
-    path4.join(storagePath, "vectors")
+    path5.join(storagePath, "vectors")
   );
   const embeddingModel = options.embeddingModel || process.env.CLAUDE_MEMORY_EMBEDDING_MODEL;
   const embedder = embeddingModel ? (factories.createEmbedder ?? defaultCreateEmbedder)(embeddingModel) : (factories.getDefaultEmbedder ?? getDefaultEmbedder)();
@@ -6562,8 +6871,8 @@ function createMemoryRuntimeService(deps) {
 }
 // src/extensions/shared-memory/shared-memory-services.ts
-import * as fs6 from "fs";
-import * as path5 from "path";
+import * as fs7 from "fs";
+import * as path6 from "path";
 // src/core/shared-event-store.ts
 var SharedEventStore = class {
@@ -7251,7 +7560,7 @@ var SharedMemoryServices = class {
     this.ensureDirectory(sharedPath, { allowCreate: true });
     const store = await this.openStore(sharedPath);
     this.sharedVectorStore = this.factories.createSharedVectorStore(
-      path5.join(sharedPath, "vectors")
+      path6.join(sharedPath, "vectors")
     );
     await this.sharedVectorStore.initialize();
     this.sharedPromoter = this.factories.createSharedPromoter(
@@ -7324,7 +7633,7 @@ var SharedMemoryServices = class {
   async createOpenStorePromise(sharedPath) {
     if (!this.sharedEventStore) {
       const sharedEventStore = this.factories.createSharedEventStore(
-        path5.join(sharedPath, "shared.duckdb")
+        path6.join(sharedPath, "shared.duckdb")
       );
       await sharedEventStore.initialize();
       this.sharedEventStore = sharedEventStore;
@@ -7344,9 +7653,9 @@ var SharedMemoryServices = class {
   }
   get factories() {
     return {
-      existsSync: this.options.factories?.existsSync ?? fs6.existsSync,
+      existsSync: this.options.factories?.existsSync ?? fs7.existsSync,
       mkdirSync: this.options.factories?.mkdirSync ?? ((targetPath) => {
-        fs6.mkdirSync(targetPath, { recursive: true });
+        fs7.mkdirSync(targetPath, { recursive: true });
       }),
       createSharedEventStore: this.options.factories?.createSharedEventStore ?? createSharedEventStore,
       createSharedStore: this.options.factories?.createSharedStore ?? createSharedStore,
@@ -7461,33 +7770,11 @@ function createMemoryServiceComposition(options) {
 }
 function defaultExpandPath(targetPath) {
   if (targetPath.startsWith("~")) {
-    return path6.join(os.homedir(), targetPath.slice(1));
+    return path7.join(os2.homedir(), targetPath.slice(1));
   }
   return targetPath;
 }
-// src/core/registry/project-path.ts
-import * as crypto2 from "crypto";
-import * as fs7 from "fs";
-import * as os2 from "os";
-import * as path7 from "path";
-function normalizeProjectPath(projectPath) {
-  const expanded = projectPath.startsWith("~") ? path7.join(os2.homedir(), projectPath.slice(1)) : projectPath;
-  try {
-    return fs7.realpathSync(expanded);
-  } catch {
-    return path7.resolve(expanded);
-  }
-}
-function hashProjectPath(projectPath) {
-  const normalizedPath = normalizeProjectPath(projectPath);
-  return crypto2.createHash("sha256").update(normalizedPath).digest("hex").slice(0, 8);
-}
-function getProjectStoragePath(projectPath) {
-  const hash = hashProjectPath(projectPath);
-  return path7.join(os2.homedir(), ".claude-code", "memory", "projects", hash);
-}
 // src/core/registry/session-registry.ts
 import * as fs8 from "fs";
 import * as os3 from "os";
@@ -7789,6 +8076,9 @@ var MemoryService = class {
   async recoverStuckOutboxItems(options) {
     return this.queryService.recoverStuckOutboxItems(options);
   }
+  async repairLegacyProjectScope(options) {
+    return this.queryService.repairLegacyProjectScope(options);
+  }
   async getRetrievalTraceStats() {
     return this.retrievalAnalyticsService.getRetrievalTraceStats();
   }
@@ -8174,10 +8464,10 @@ var SENSITIVE_PATTERNS = [
   // Redact the whole URI so usernames, credentials, hosts, paths, and query
   // params do not leak either.
   /\b[a-z][a-z0-9+.-]*:\/\/[^\s'"`<>/@]+@[^\s'"`<>]+/gi,
-  /password\s*[:=]\s*['"]?[^\s'"]+/gi,
-  /api[_-]?key\s*[:=]\s*['"]?[^\s'"]+/gi,
-  /secret\s*[:=]\s*['"]?[^\s'"]+/gi,
-  /token\s*[:=]\s*['"]?[^\s'"]+/gi,
+  /(?:[\w.-]+[-_])?password\s*[:=]\s*(?!\[REDACTED\])['"]?[^\s'"]+/gi,
+  /(?:[\w.-]+[-_])?api[-_]?key\s*[:=]\s*(?!\[REDACTED\])['"]?[^\s'"]+/gi,
+  /(?:[\w.-]+[-_])?secret\s*[:=]\s*(?!\[REDACTED\])['"]?[^\s'"]+/gi,
+  /(?:[\w.-]+[-_])?token\s*[:=]\s*(?!\[REDACTED\])['"]?[^\s'"]+/gi,
   /bearer\s+[a-zA-Z0-9\-_.]+/gi,
   /AWS[_-]?ACCESS[_-]?KEY[_-]?ID\s*[:=]\s*['"]?[A-Z0-9]+/gi,
   /AWS[_-]?SECRET[_-]?ACCESS[_-]?KEY\s*[:=]\s*['"]?[^\s'"]+/gi,
@@ -8187,6 +8477,35 @@ var SENSITIVE_PATTERNS = [
   /sk-[a-zA-Z0-9]{48}/g
   // OpenAI API Key
 ];
+var CLI_SECRET_OPTION_PATTERNS = [
+  /(--(?:[a-z0-9]+[-_])*(?:password|secret|api[-_]?key|token|bearer)(?:[-_][a-z0-9]+)*(?:\s+|=))(?:"[^"]*"|'[^']*'|[^\s'"`<>]+)/gi
+];
+var URL_FOLLOWING_SECRET_PATTERN = /((?:https?:\/\/[^\s'"`<>]+)\s*\r?\n\s*)([A-Za-z0-9!@#$%^&*._+\-~:=/]{6,})(?=\s*(?:\r?\n|$))/gi;
+function looksLikePastedSecret(value) {
+  return value.length >= 8 && /(?:\d|[^A-Za-z0-9])/.test(value);
+}
+function maskUrlFollowingSecret(value) {
+  let count = 0;
+  const content = value.replace(URL_FOLLOWING_SECRET_PATTERN, (_match, prefix, secret) => {
+    if (!looksLikePastedSecret(secret))
+      return `${prefix}${secret}`;
+    count++;
+    return `${prefix}[REDACTED]`;
+  });
+  return { content, count };
+}
+function maskCliSecretOptions(value) {
+  let count = 0;
+  let filtered = value;
+  for (const pattern of CLI_SECRET_OPTION_PATTERNS) {
+    pattern.lastIndex = 0;
+    filtered = filtered.replace(pattern, (_match, prefix) => {
+      count++;
+      return `${prefix}[REDACTED]`;
+    });
+  }
+  return { content: filtered, count };
+}
 function applyPrivacyFilter(content, config) {
   let filtered = content;
   let privateTagCount = 0;
@@ -8200,6 +8519,12 @@ function applyPrivacyFilter(content, config) {
     filtered = tagResult.filtered;
     privateTagCount = tagResult.stats.count;
   }
+  const cliResult = maskCliSecretOptions(filtered);
+  filtered = cliResult.content;
+  patternMatchCount += cliResult.count;
+  const urlSecretResult = maskUrlFollowingSecret(filtered);
+  filtered = urlSecretResult.content;
+  patternMatchCount += urlSecretResult.count;
   for (const pattern of SENSITIVE_PATTERNS) {
     pattern.lastIndex = 0;
     const matches = filtered.match(pattern);
@@ -8211,13 +8536,13 @@ function applyPrivacyFilter(content, config) {
   for (const patternStr of config.excludePatterns || []) {
     try {
       const regex = new RegExp(
-        `(${patternStr})\\s*[:=]\\s*['"]?[^\\s'"]+`,
+        `(^|[^\\w-])(${patternStr})\\s*[:=]\\s*['"]?[^\\s'"]+`,
         "gi"
       );
       const matches = filtered.match(regex);
       if (matches) {
         patternMatchCount += matches.length;
-        filtered = filtered.replace(regex, "[REDACTED]");
+        filtered = filtered.replace(regex, "$1[REDACTED]");
       }
     } catch {
     }