context-vault 3.8.0 → 3.10.0

package/bin/cli.js

@@ -414,6 +414,9 @@ ${bold('Commands:')}
   ${cyan('restore')} <id>               Restore an archived entry back into the vault
   ${cyan('prune')}                      Remove expired entries (use --dry-run to preview)
   ${cyan('stats')} recall|co-retrieval  Measure recall ratio and co-retrieval graph
+  ${cyan('remote')} setup|status|sync|pull  Connect to hosted vault (cloud sync)
+  ${cyan('team')} join|leave|status|browse  Join or manage a team vault
+  ${cyan('public')} create|seed|list|add  Manage and consume public vaults
   ${cyan('update')}                     Check for and install updates
   ${cyan('uninstall')}                  Remove MCP configs and optionally data
 `);
@@ -2783,8 +2786,8 @@ async function runStatus() {
       const filled = maxCount > 0 ? Math.round((c / maxCount) * BAR_WIDTH) : 0;
       const bar = '█'.repeat(filled) + '░'.repeat(BAR_WIDTH - filled);
       const countStr = String(c).padStart(4);
-      const IRREGULAR_PLURALS = { activity: 'activities', inbox: 'inboxes', index: 'indexes', match: 'matches' };
-      const plural = IRREGULAR_PLURALS[kind] || (kind.endsWith('s') ? kind : kind + 's');
+      const IRREGULAR_PLURALS = { activity: 'activities', inbox: 'inboxes', index: 'indexes', match: 'matches', entity: 'entities', summary: 'summaries' };
+      const plural = IRREGULAR_PLURALS[kind] || (kind.endsWith('y') ? kind.slice(0, -1) + 'ies' : kind.endsWith('s') || kind.endsWith('x') || kind.endsWith('ch') || kind.endsWith('sh') ? kind + 'es' : kind + 's');
       console.log(`    ${dim(bar)} ${countStr} ${plural}`);
     }
   } else {
@@ -4390,6 +4393,35 @@ async function runPostToolCall() {
 }
 
 async function runSave() {
+  if (flags.has('--help')) {
+    console.log(`
+  ${bold('context-vault save')}
+
+  Save an entry to the vault from CLI.
+
+${bold('Required:')}
+  --kind <kind>        Entry kind (insight, decision, pattern, reference, event)
+  --title <title>      Entry title
+
+${bold('Content')} (one of):
+  --body <text>        Inline body text
+  --file <path>        Read body from a file
+  (stdin)              Pipe content via stdin
+
+${bold('Optional:')}
+  --tags <a,b,c>       Comma-separated tags
+  --tier <tier>        working (default) or durable
+  --source <source>    Source label (default: cli)
+  --identity-key <key> Identity key (for entity kinds)
+  --meta <json>        Additional metadata as JSON
+
+${bold('Examples:')}
+  context-vault save --kind insight --title "Express 5 gotcha" --body "body parser changed"
+  echo "content" | context-vault save --kind reference --title "API notes"
+`);
+    return;
+  }
+
   const kind = getFlag('--kind');
   const title = getFlag('--title');
   const tags = getFlag('--tags');
@@ -4487,6 +4519,30 @@ async function runSave() {
 }
 
 async function runSearch() {
+  if (flags.has('--help')) {
+    console.log(`
+  ${bold('context-vault search')} <query> [options]
+
+  Search vault entries from CLI using hybrid semantic + full-text search.
+
+${bold('Usage:')}
+  context-vault search "express middleware"
+  context-vault search --kind insight --tags "bucket:myproject"
+  context-vault search "auth" --limit 20 --format json
+
+${bold('Options:')}
+  --kind <kind>        Filter by kind (insight, decision, pattern, reference, event)
+  --tags <a,b,c>       Filter by tags (comma-separated)
+  --limit <n>          Max results (default: 10)
+  --sort <mode>        Sort by: relevance (default), recent
+  --format <fmt>       Output format: plain (default), json
+  --scope <scope>      Search scope: hot (default), events, all
+  --full               Show full entry body (not truncated)
+  --query <text>       Explicit query (alternative to positional args)
+`);
+    return;
+  }
+
   const kind = getFlag('--kind');
   const tagsStr = getFlag('--tags');
   const limit = parseInt(getFlag('--limit') || '10', 10);
@@ -7040,6 +7096,1119 @@ async function runServe() {
   await import('../dist/server.js');
 }
 
+async function runTeam() {
+  const subcommand = args[1];
+  const { getRemoteConfig, saveRemoteConfig } = await import('@context-vault/core/config');
+  const dataDir = join(HOME, '.context-mcp');
+
+  if (subcommand === 'join') {
+    const teamId = args[2];
+    if (!teamId) {
+      console.error(`\n  ${red('Usage:')} context-vault team join <team-id>\n`);
+      process.exit(1);
+    }
+
+    const remote = getRemoteConfig(dataDir);
+    if (!remote || !remote.enabled || !remote.apiKey) {
+      console.error(`\n  ${red('✘')} Remote is not configured. Run ${cyan('context-vault remote setup')} first.\n`);
+      process.exit(1);
+    }
+
+    console.log(`\n  Testing connection to team ${dim(teamId)}...`);
+    try {
+      const res = await fetch(`${remote.url.replace(/\/$/, '')}/api/team/${teamId}/status`, {
+        headers: { 'Authorization': `Bearer ${remote.apiKey}`, 'Content-Type': 'application/json' },
+        signal: AbortSignal.timeout(10000),
+      });
+      if (res.ok) {
+        const data = await res.json();
+        saveRemoteConfig({ teamId }, dataDir);
+        console.log(`  ${green('✓')} Joined team: ${bold(data.name || teamId)}`);
+        if (data.entry_count != null) {
+          console.log(`  ${dim(`${data.entry_count} entries, ${data.member_count || '?'} members`)}`);
+        }
+      } else {
+        const text = await res.text().catch(() => '');
+        console.error(`  ${red('✘')} Failed to connect to team: HTTP ${res.status}`);
+        if (text) console.error(`  ${dim(text.slice(0, 200))}`);
+        process.exit(1);
+      }
+    } catch (e) {
+      console.error(`  ${red('✘')} Connection failed: ${e.message}`);
+      process.exit(1);
+    }
+    console.log();
+    return;
+  }
+
+  if (subcommand === 'leave') {
+    const remote = getRemoteConfig(dataDir);
+    if (!remote?.teamId) {
+      console.log(`\n  ${dim('Not currently in a team.')}\n`);
+      return;
+    }
+    saveRemoteConfig({ teamId: '' }, dataDir);
+    console.log(`\n  ${green('✓')} Left team. Team vault queries disabled.\n`);
+    return;
+  }
+
+  if (subcommand === 'status') {
+    const remote = getRemoteConfig(dataDir);
+    console.log();
+    console.log(`  ${bold('◇ Team Status')}`);
+    console.log();
+
+    if (!remote || !remote.teamId) {
+      console.log(`  Team:    ${dim('not joined')}`);
+      console.log(`  ${dim('Run')} ${cyan('context-vault team join <team-id>')} ${dim('to connect.')}`);
+      console.log();
+      return;
+    }
+
+    console.log(`  Team ID: ${remote.teamId}`);
+
+    if (remote.enabled && remote.apiKey) {
+      console.log(`  Checking status...`);
+      try {
+        const res = await fetch(`${remote.url.replace(/\/$/, '')}/api/team/${remote.teamId}/status`, {
+          headers: { 'Authorization': `Bearer ${remote.apiKey}`, 'Content-Type': 'application/json' },
+          signal: AbortSignal.timeout(10000),
+        });
+        if (res.ok) {
+          const data = await res.json();
+          console.log(`  Name:    ${data.name || dim('(unnamed)')}`);
+          console.log(`  Members: ${data.member_count ?? dim('?')}`);
+          console.log(`  Entries: ${data.entry_count ?? dim('?')}`);
+          console.log(`  Health:  ${green('connected')}`);
+        } else {
+          console.log(`  Health:  ${red('error')} (HTTP ${res.status})`);
+        }
+      } catch (e) {
+        console.log(`  Health:  ${red('unreachable')} (${e.message})`);
+      }
+    } else {
+      console.log(`  Health:  ${yellow('remote not configured')}`);
+    }
+    console.log();
+    return;
+  }
+
+  if (subcommand === 'seed') {
+    const teamIdFlag = getFlag('--team');
+    const tagsFlag = getFlag('--tags');
+    const remote = getRemoteConfig(dataDir);
+
+    if (!remote || !remote.enabled || !remote.apiKey) {
+      console.error(`\n  ${red('✘')} Remote is not configured. Run ${cyan('context-vault remote setup')} first.\n`);
+      process.exit(1);
+    }
+
+    const teamId = teamIdFlag || remote.teamId;
+    if (!teamId) {
+      console.error(`\n  ${red('✘')} No team ID. Pass ${cyan('--team <id>')} or join a team first.\n`);
+      process.exit(1);
+    }
+
+    // Load local vault DB
+    const { resolveConfig } = await import('@context-vault/core/config');
+    const config = resolveConfig();
+
+    let DatabaseSync;
+    try {
+      DatabaseSync = (await import('node:sqlite')).DatabaseSync;
+    } catch {
+      console.error(`\n  ${red('✘')} Node.js SQLite not available. Requires Node >= 22.5.\n`);
+      process.exit(1);
+    }
+
+    const db = new DatabaseSync(config.dbPath, { open: true });
+
+    // Build query based on tag filter
+    let sql = 'SELECT id, kind, category, title, body, tags, meta, source, identity_key, tier FROM vault WHERE superseded_by IS NULL';
+    const params = [];
+
+    if (tagsFlag) {
+      sql += ' AND tags LIKE ?';
+      params.push(`%"${tagsFlag}"%`);
+    }
+
+    const rows = db.prepare(sql).all(...params);
+    db.close();
+
+    let publishedKnowledge = 0;
+    let federatedEntities = 0;
+    let skippedEvents = 0;
+    let blockedPrivacy = 0;
+    const blockedEntries = [];
+    let errors = 0;
+
+    const apiUrl = remote.url.replace(/\/$/, '');
+
+    console.log();
+    console.log(`  ${bold('◇ Team Seed')}`);
+    console.log(`  Team: ${teamId}`);
+    console.log(`  Filter: ${tagsFlag || dim('(all entries)')}`);
+    console.log(`  Entries: ${rows.length}`);
+    console.log();
+
+    if (isDryRun) {
+      for (const row of rows) {
+        if (row.category === 'event') {
+          skippedEvents++;
+        } else if (row.category === 'entity') {
+          federatedEntities++;
+        } else {
+          publishedKnowledge++;
+        }
+      }
+      console.log(`  ${dim('[dry run]')}`);
+      console.log(`  Would publish: ${green(publishedKnowledge)} knowledge, ${cyan(federatedEntities)} entities`);
+      console.log(`  Would skip:    ${dim(skippedEvents)} events (private)`);
+      console.log();
+      return;
+    }
+
+    for (const row of rows) {
+      if (row.category === 'event') {
+        skippedEvents++;
+        continue;
+      }
+
+      const tags = row.tags ? JSON.parse(row.tags) : [];
+      const meta = row.meta ? JSON.parse(row.meta) : {};
+
+      try {
+        const res = await fetch(`${apiUrl}/api/vault/publish`, {
+          method: 'POST',
+          headers: { 'Authorization': `Bearer ${remote.apiKey}`, 'Content-Type': 'application/json' },
+          signal: AbortSignal.timeout(15000),
+          body: JSON.stringify({
+            entryId: row.id,
+            teamId,
+            visibility: 'team',
+            kind: row.kind,
+            title: row.title,
+            body: row.body,
+            tags,
+            meta,
+            source: row.source,
+            identity_key: row.identity_key,
+            tier: row.tier,
+            category: row.category,
+          }),
+        });
+
+        if (res.ok) {
+          if (row.category === 'entity') {
+            federatedEntities++;
+          } else {
+            publishedKnowledge++;
+          }
+        } else if (res.status === 422) {
+          const data = await res.json().catch(() => ({}));
+          if (data.code === 'PRIVACY_SCAN_FAILED') {
+            const matchTypes = Array.isArray(data.matches) ? data.matches.map(m => m.type) : [];
+            const uniqueTypes = [...new Set(matchTypes)];
+            console.log(`  ${yellow('!')} Blocked: "${row.title || row.id}" (${uniqueTypes.join(', ') || 'sensitive content'})`);
+            blockedPrivacy++;
+            blockedEntries.push({ title: row.title || row.id, types: uniqueTypes });
+          } else {
+            errors++;
+            console.error(`  ${red('!')} 422 for "${row.title || row.id}": ${data.error || 'unknown'}`);
+          }
+        } else {
+          const data = await res.json().catch(() => ({}));
+          if (data.conflict) {
+            console.log(`  ${yellow('!')} Conflict for "${row.title || row.id}": ${data.conflict.suggestion || 'similar entry exists'}`);
+          }
+          if (row.category === 'entity') {
+            federatedEntities++;
+          } else {
+            publishedKnowledge++;
+          }
+        }
+      } catch (e) {
+        errors++;
+        console.error(`  ${red('✘')} Failed: ${row.title || row.id} (${e.message})`);
+      }
+
+      // Progress indicator every 10 entries
+      const processed = publishedKnowledge + federatedEntities + skippedEvents + blockedPrivacy + errors;
+      if (processed % 10 === 0) {
+        process.stdout.write(`  ${dim(`${processed}/${rows.length}...`)}\r`);
+      }
+    }
+
+    console.log(`  Seeded: ${green(publishedKnowledge)} published, ${cyan(federatedEntities)} federated, ${dim(skippedEvents)} skipped (events), ${blockedPrivacy > 0 ? yellow(blockedPrivacy) : dim(blockedPrivacy)} blocked (privacy scan)`);
+    if (errors > 0) {
+      console.log(`  Errors:  ${red(errors)}`);
+    }
+    if (blockedEntries.length > 0) {
+      console.log();
+      console.log(`  ${yellow('Blocked entries (review and clean before re-seeding):')}`);
+      for (const entry of blockedEntries) {
+        console.log(`    - ${entry.title} [${entry.types.join(', ')}]`);
+      }
+    }
+    console.log();
+    return;
+  }
+
+  // Default: show team help
+  console.log();
+  console.log(`  ${bold('◇ context-vault team')}`);
+  console.log();
+  console.log(`  ${cyan('join <team-id>')}    Join a team vault`);
+  console.log(`  ${cyan('leave')}             Leave the current team`);
+  console.log(`  ${cyan('status')}            Show team connection status`);
+  console.log(`  ${cyan('seed')}              Publish local entries to team vault`);
+  console.log(`    ${dim('--team <id>')}      Team ID (defaults to joined team)`);
+  console.log(`    ${dim('--tags <filter>')}  Filter entries by tag (e.g. bucket:stormfors)`);
+  console.log(`    ${dim('--dry-run')}        Preview without publishing`);
+  console.log();
+}
+
+async function runPublic() {
+  const subcommand = args[1];
+  const { getRemoteConfig, saveRemoteConfig } = await import('@context-vault/core/config');
+  const dataDir = join(HOME, '.context-mcp');
+
+  if (subcommand === 'create') {
+    const name = args[2];
+    const slug = getFlag('--slug') || (name ? name.toLowerCase().replace(/[^a-z0-9-]/g, '-').replace(/-+/g, '-') : null);
+    const description = getFlag('--description') || '';
+    const domainTags = getFlag('--domains') ? getFlag('--domains').split(',').map(s => s.trim()) : [];
+    const visibility = getFlag('--visibility') || 'free';
+
+    if (!name || !slug) {
+      console.error(`\n  ${red('Usage:')} context-vault public create <name> [--slug <slug>] [--description <desc>] [--domains <tag1,tag2>] [--visibility free|pro]\n`);
+      process.exit(1);
+    }
+
+    const remote = getRemoteConfig(dataDir);
+    if (!remote || !remote.enabled || !remote.apiKey) {
+      console.error(`\n  ${red('✘')} Remote is not configured. Run ${cyan('context-vault remote setup')} first.\n`);
+      process.exit(1);
+    }
+
+    console.log(`\n  Creating public vault "${bold(name)}" (${slug})...`);
+    try {
+      const res = await fetch(`${remote.url.replace(/\/$/, '')}/api/public/vaults`, {
+        method: 'POST',
+        headers: { 'Authorization': `Bearer ${remote.apiKey}`, 'Content-Type': 'application/json' },
+        signal: AbortSignal.timeout(15000),
+        body: JSON.stringify({ name, slug, description, domain_tags: domainTags, visibility }),
+      });
+      if (res.ok) {
+        const data = await res.json();
+        console.log(`  ${green('✓')} Created public vault: ${bold(data.slug || slug)}`);
+        console.log(`  Visibility: ${visibility}`);
+        if (domainTags.length) console.log(`  Domains:    ${domainTags.join(', ')}`);
+      } else {
+        const data = await res.json().catch(() => ({}));
+        console.error(`  ${red('✘')} Failed: ${data.error || `HTTP ${res.status}`}`);
+        process.exit(1);
+      }
+    } catch (e) {
+      console.error(`  ${red('✘')} Connection failed: ${e.message}`);
+      process.exit(1);
+    }
+    console.log();
+    return;
+  }
+
+  if (subcommand === 'seed') {
+    const vaultSlug = getFlag('--vault');
+    const tagsFlag = getFlag('--tags');
+    const remote = getRemoteConfig(dataDir);
+
+    if (!remote || !remote.enabled || !remote.apiKey) {
+      console.error(`\n  ${red('✘')} Remote is not configured. Run ${cyan('context-vault remote setup')} first.\n`);
+      process.exit(1);
+    }
+
+    if (!vaultSlug) {
+      console.error(`\n  ${red('Usage:')} context-vault public seed --vault <slug> [--tags <filter>] [--dry-run]\n`);
+      process.exit(1);
+    }
+
+    // Load local vault DB
+    const { resolveConfig } = await import('@context-vault/core/config');
+    const config = resolveConfig();
+
+    let DatabaseSync;
+    try {
+      DatabaseSync = (await import('node:sqlite')).DatabaseSync;
+    } catch {
+      console.error(`\n  ${red('✘')} Node.js SQLite not available. Requires Node >= 22.5.\n`);
+      process.exit(1);
+    }
+
+    const db = new DatabaseSync(config.dbPath, { open: true });
+
+    let sql = 'SELECT id, kind, category, title, body, tags, meta, source, identity_key, tier FROM vault WHERE superseded_by IS NULL';
+    const params = [];
+    if (tagsFlag) {
+      sql += ' AND tags LIKE ?';
+      params.push(`%"${tagsFlag}"%`);
+    }
+
+    const rows = db.prepare(sql).all(...params);
+    db.close();
+
+    let publishedKnowledge = 0;
+    let publishedEntities = 0;
+    let skippedEvents = 0;
+    let blockedPrivacy = 0;
+    const blockedEntries = [];
+    let errors = 0;
+
+    const apiUrl = remote.url.replace(/\/$/, '');
+
+    console.log();
+    console.log(`  ${bold('◇ Public Vault Seed')}`);
+    console.log(`  Vault: ${vaultSlug}`);
+    console.log(`  Filter: ${tagsFlag || dim('(all entries)')}`);
+    console.log(`  Entries: ${rows.length}`);
+    console.log();
+
+    if (isDryRun) {
+      for (const row of rows) {
+        if (row.category === 'event') skippedEvents++;
+        else if (row.category === 'entity') publishedEntities++;
+        else publishedKnowledge++;
+      }
+      console.log(`  ${dim('[dry run]')}`);
+      console.log(`  Would publish: ${green(publishedKnowledge)} knowledge, ${cyan(publishedEntities)} entities`);
+      console.log(`  Would skip:    ${dim(skippedEvents)} events (blocked for public)`);
+      console.log();
+      return;
+    }
+
+    for (const row of rows) {
+      if (row.category === 'event') {
+        skippedEvents++;
+        continue;
+      }
+
+      const tags = row.tags ? JSON.parse(row.tags) : [];
+      const meta = row.meta ? JSON.parse(row.meta) : {};
+
+      try {
+        const res = await fetch(`${apiUrl}/api/public/${vaultSlug}/entries`, {
+          method: 'POST',
+          headers: { 'Authorization': `Bearer ${remote.apiKey}`, 'Content-Type': 'application/json' },
+          signal: AbortSignal.timeout(15000),
+          body: JSON.stringify({
+            kind: row.kind,
+            title: row.title,
+            body: row.body,
+            tags,
+            meta,
+            source: row.source,
+            identity_key: row.identity_key,
+            tier: row.tier,
+            category: row.category,
+          }),
+        });
+
+        if (res.ok) {
+          if (row.category === 'entity') publishedEntities++;
+          else publishedKnowledge++;
+        } else if (res.status === 422) {
+          const data = await res.json().catch(() => ({}));
+          if (data.code === 'PRIVACY_SCAN_FAILED') {
+            const matchTypes = Array.isArray(data.matches) ? data.matches.map(m => m.type) : [];
+            const uniqueTypes = [...new Set(matchTypes)];
+            console.log(`  ${yellow('!')} Blocked: "${row.title || row.id}" (${uniqueTypes.join(', ') || 'sensitive content'})`);
+            blockedPrivacy++;
+            blockedEntries.push({ title: row.title || row.id, types: uniqueTypes });
+          } else {
+            errors++;
+            console.error(`  ${red('!')} 422 for "${row.title || row.id}": ${data.error || 'unknown'}`);
+          }
+        } else {
+          errors++;
+          const text = await res.text().catch(() => '');
+          console.error(`  ${red('!')} HTTP ${res.status} for "${row.title || row.id}": ${text.slice(0, 200)}`);
+        }
+      } catch (e) {
+        errors++;
+        console.error(`  ${red('✘')} Failed: ${row.title || row.id} (${e.message})`);
+      }
+
+      const processed = publishedKnowledge + publishedEntities + skippedEvents + blockedPrivacy + errors;
+      if (processed % 10 === 0) {
+        process.stdout.write(`  ${dim(`${processed}/${rows.length}...`)}\r`);
+      }
+    }
+
+    console.log(`  Seeded: ${green(publishedKnowledge)} knowledge, ${cyan(publishedEntities)} entities, ${dim(skippedEvents)} skipped (events), ${blockedPrivacy > 0 ? yellow(blockedPrivacy) : dim(blockedPrivacy)} blocked (privacy)`);
+    if (errors > 0) console.log(`  Errors: ${red(errors)}`);
+    if (blockedEntries.length > 0) {
+      console.log();
+      console.log(`  ${yellow('Blocked entries (review and clean before re-seeding):')}`);
+      for (const entry of blockedEntries) {
+        console.log(`    - ${entry.title} [${entry.types.join(', ')}]`);
+      }
+    }
+    console.log();
+    return;
+  }
+
+  if (subcommand === 'list') {
+    const domain = getFlag('--domain');
+    const remote = getRemoteConfig(dataDir);
+
+    const apiUrl = remote?.url?.replace(/\/$/, '') || 'https://api.context-vault.com';
+    const headers = {};
+    if (remote?.apiKey) headers['Authorization'] = `Bearer ${remote.apiKey}`;
+    headers['Content-Type'] = 'application/json';
+
+    const query = new URLSearchParams();
+    if (domain) query.set('domain', domain);
+
+    console.log();
+    console.log(`  ${bold('◇ Public Vaults')}`);
+    console.log();
+
+    try {
+      const res = await fetch(`${apiUrl}/api/public/vaults?${query.toString()}`, {
+        headers,
+        signal: AbortSignal.timeout(10000),
+      });
+      if (res.ok) {
+        const data = await res.json();
+        const vaults = Array.isArray(data.vaults) ? data.vaults : Array.isArray(data) ? data : [];
+        if (vaults.length === 0) {
+          console.log(`  ${dim('No public vaults found.')}`);
+        } else {
+          for (const v of vaults) {
+            const domains = Array.isArray(v.domain_tags) ? v.domain_tags.join(', ') : '';
+            console.log(`  ${bold(v.name || v.slug)} ${dim(`(${v.slug})`)}`);
+            if (v.description) console.log(`    ${v.description}`);
+            const stats = [`${v.consumer_count ?? 0} consumers`, `${v.total_recalls ?? 0} recalls`];
+            if (domains) stats.push(domains);
+            console.log(`    ${dim(stats.join(' · '))}`);
+            console.log();
+          }
+        }
+      } else {
+        console.error(`  ${red('✘')} Failed to list vaults: HTTP ${res.status}`);
+      }
+    } catch (e) {
+      console.error(`  ${red('✘')} Connection failed: ${e.message}`);
+    }
+    console.log();
+    return;
+  }
+
+  if (subcommand === 'add') {
+    const slug = args[2];
+    if (!slug) {
+      console.error(`\n  ${red('Usage:')} context-vault public add <slug>\n`);
+      process.exit(1);
+    }
+
+    const configPath = join(dataDir, 'config.json');
+    let config = {};
+    try {
+      config = JSON.parse(readFileSync(configPath, 'utf-8'));
+    } catch {}
+
+    if (!config.remote) config.remote = {};
+    if (!Array.isArray(config.remote.publicVaults)) config.remote.publicVaults = [];
+
+    if (config.remote.publicVaults.includes(slug)) {
+      console.log(`\n  ${dim('Already added:')} ${slug}\n`);
+      return;
+    }
+
+    config.remote.publicVaults.push(slug);
+    writeFileSync(configPath, JSON.stringify(config, null, 2) + '\n');
+    console.log(`\n  ${green('✓')} Added public vault: ${bold(slug)}`);
+    console.log(`  Your agent will now query this vault in get_context, session_start, and recall.\n`);
+    return;
+  }
+
+  if (subcommand === 'remove') {
+    const slug = args[2];
+    if (!slug) {
+      console.error(`\n  ${red('Usage:')} context-vault public remove <slug>\n`);
+      process.exit(1);
+    }
+
+    const configPath = join(dataDir, 'config.json');
+    let config = {};
+    try {
+      config = JSON.parse(readFileSync(configPath, 'utf-8'));
+    } catch {}
+
+    if (!config.remote?.publicVaults || !config.remote.publicVaults.includes(slug)) {
+      console.log(`\n  ${dim('Not found:')} ${slug}\n`);
+      return;
+    }
+
+    config.remote.publicVaults = config.remote.publicVaults.filter(s => s !== slug);
+    writeFileSync(configPath, JSON.stringify(config, null, 2) + '\n');
+    console.log(`\n  ${green('✓')} Removed public vault: ${bold(slug)}\n`);
+    return;
+  }
+
+  // Default: show public help
+  console.log();
+  console.log(`  ${bold('◇ context-vault public')}`);
+  console.log();
+  console.log(`  ${cyan('create <name>')}      Create a new public vault`);
+  console.log(`    ${dim('--slug <slug>')}      URL-friendly identifier`);
+  console.log(`    ${dim('--description <d>')} Vault description`);
+  console.log(`    ${dim('--domains <tags>')}  Comma-separated domain tags`);
+  console.log(`    ${dim('--visibility <v>')} free (default) or pro`);
+  console.log(`  ${cyan('seed')}               Publish local entries to a public vault`);
+  console.log(`    ${dim('--vault <slug>')}    Target public vault slug (required)`);
+  console.log(`    ${dim('--tags <filter>')}   Filter entries by tag`);
+  console.log(`    ${dim('--dry-run')}         Preview without publishing`);
+  console.log(`  ${cyan('list')}               Browse available public vaults`);
+  console.log(`    ${dim('--domain <tag>')}    Filter by domain tag`);
+  console.log(`  ${cyan('add <slug>')}         Add a public vault to your agent config`);
+  console.log(`  ${cyan('remove <slug>')}      Remove a public vault from your config`);
+  console.log();
+}
+
+async function runRemote() {
+  const subcommand = args[1];
+  const { getRemoteConfig, saveRemoteConfig } = await import('@context-vault/core/config');
+  const dataDir = join(HOME, '.context-mcp');
+
+  if (subcommand === 'setup') {
+    const readline = await import('node:readline');
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    const ask = (q) => new Promise((resolve) => rl.question(q, resolve));
+
+    console.log();
+    console.log(`  ${bold('◇ Remote Vault Setup')}`);
+    console.log();
+
+    const defaultUrl = 'https://api.context-vault.com';
+    const urlInput = await ask(`  API URL ${dim(`(${defaultUrl})`)}: `);
+    const url = urlInput.trim() || defaultUrl;
+
+    const apiKey = await ask('  API Key: ');
+    rl.close();
+
+    if (!apiKey.trim()) {
+      console.error(`\n  ${red('✘')} API key is required.`);
+      process.exit(1);
+    }
+
+    console.log(`\n  Testing connection to ${dim(url)}...`);
+    try {
+      const res = await fetch(`${url.replace(/\/$/, '')}/api/vault/status`, {
+        headers: { 'Authorization': `Bearer ${apiKey.trim()}`, 'Content-Type': 'application/json' },
+        signal: AbortSignal.timeout(10000),
+      });
+      if (res.ok) {
+        saveRemoteConfig({ enabled: true, url, apiKey: apiKey.trim() }, dataDir);
+        console.log(`  ${green('✓')} Connected successfully. Remote sync enabled.`);
+        console.log(dim(`  Config saved to ${join(dataDir, 'config.json')}`));
+      } else {
+        const text = await res.text().catch(() => '');
+        console.error(`  ${red('✘')} Connection failed: HTTP ${res.status}`);
+        if (text) console.error(`  ${dim(text.slice(0, 200))}`);
+        process.exit(1);
+      }
+    } catch (e) {
+      console.error(`  ${red('✘')} Connection failed: ${e.message}`);
+      process.exit(1);
+    }
+    console.log();
+    return;
+  }
+
+  if (subcommand === 'status') {
+    const remote = getRemoteConfig(dataDir);
+    console.log();
+    console.log(`  ${bold('◇ Remote Status')}`);
+    console.log();
+    if (!remote) {
+      console.log(`  Remote:  ${dim('not configured')}`);
+      console.log(`  ${dim('Run')} ${cyan('context-vault remote setup')} ${dim('to connect.')}`);
+    } else {
+      const keyPreview = remote.apiKey ? remote.apiKey.slice(0, 6) + '...' : dim('(none)');
+      console.log(`  Enabled: ${remote.enabled ? green('yes') : red('no')}`);
+      console.log(`  URL:     ${remote.url}`);
+      console.log(`  API Key: ${keyPreview}`);
+
+      if (remote.enabled && remote.apiKey) {
+        console.log(`\n  Testing connection...`);
+        try {
+          const res = await fetch(`${remote.url.replace(/\/$/, '')}/api/vault/status`, {
+            headers: { 'Authorization': `Bearer ${remote.apiKey}`, 'Content-Type': 'application/json' },
+            signal: AbortSignal.timeout(10000),
+          });
+          if (res.ok) {
+            console.log(`  ${green('✓')} Remote is reachable.`);
+          } else {
+            console.log(`  ${red('✘')} HTTP ${res.status}`);
+          }
+        } catch (e) {
+          console.log(`  ${red('✘')} ${e.message}`);
+        }
+      }
+    }
+    console.log();
+    return;
+  }
+
+  if (subcommand === 'disconnect') {
+    const remote = getRemoteConfig(dataDir);
+    if (!remote || !remote.enabled) {
+      console.log(`\n  ${dim('Remote sync is already disabled.')}\n`);
+      return;
+    }
+    saveRemoteConfig({ enabled: false }, dataDir);
+    console.log(`\n  ${green('✓')} Remote sync disabled. API key preserved (re-enable with ${cyan('context-vault remote setup')}).\n`);
+    return;
+  }
+
+  if (subcommand === 'sync') {
+    await runRemoteSync(getRemoteConfig, dataDir);
+    return;
+  }
+
+  if (subcommand === 'pull') {
+    await runRemotePull(getRemoteConfig, dataDir);
+    return;
+  }
+
+  console.log();
+  console.log(`  ${bold('◇ context-vault remote')}`);
+  console.log();
+  console.log(`  ${cyan('setup')}       Connect to a hosted vault API`);
+  console.log(`  ${cyan('status')}      Show remote config and test connection`);
+  console.log(`  ${cyan('sync')}  ${dim('[--full] [--dry-run]')}  Sync local vault to hosted`);
+  console.log(`  ${cyan('pull')}        Pull remote entries to local`);
+  console.log(`  ${cyan('disconnect')}  Disable remote sync (preserves API key)`);
+  console.log();
+}
+
+// ---------------------------------------------------------------------------
+// remote sync — push local vault to hosted
+// ---------------------------------------------------------------------------
+async function runRemoteSync(getRemoteConfig, dataDir) {
+  const remote = getRemoteConfig(dataDir);
+  if (!remote || !remote.enabled || !remote.apiKey) {
+    console.error(`\n  ${red('✘')} Remote is not configured. Run ${cyan('context-vault remote setup')} first.\n`);
+    process.exit(1);
+  }
+
+  const isFullSync = flags.has('--full');
+  const { createHash } = await import('node:crypto');
+  const { resolveConfig } = await import('@context-vault/core/config');
+  const config = resolveConfig();
+
+  let DatabaseSync;
+  try {
+    DatabaseSync = (await import('node:sqlite')).DatabaseSync;
+  } catch {
+    console.error(`\n  ${red('✘')} Node.js SQLite not available. Requires Node >= 22.5.\n`);
+    process.exit(1);
+  }
+
+  const db = new DatabaseSync(config.dbPath, { open: true });
+  const apiUrl = remote.url.replace(/\/$/, '');
+
+  function contentHash(entry) {
+    const data = (entry.title || '') + (entry.body || '') + JSON.stringify(entry.tags || []) + JSON.stringify(entry.meta || {});
+    return createHash('sha256').update(data).digest('hex');
+  }
+
+  console.log();
+  console.log(`  ${bold('◇ Remote Sync')}`);
+  console.log();
+
+  // Read all local entries
+  const localRows = db.prepare(
+    'SELECT id, kind, category, title, body, tags, meta, source, identity_key, tier, expires_at, created_at, updated_at FROM vault WHERE superseded_by IS NULL'
+  ).all();
+  db.close();
+
+  const localEntries = localRows.map((row) => ({
+    ...row,
+    tags: typeof row.tags === 'string' ? JSON.parse(row.tags) : (row.tags || []),
+    meta: typeof row.meta === 'string' ? JSON.parse(row.meta) : (row.meta || {}),
+  }));
+
+  console.log(`  Local entries: ${localEntries.length}`);
+
+  let toUpload;
+
+  if (isFullSync) {
+    console.log(`  Mode: ${cyan('full')} (uploading all entries)`);
+    toUpload = localEntries;
+  } else {
+    // Fetch remote manifest
+    console.log(`  Fetching remote manifest...`);
+    let manifest;
+    try {
+      const res = await fetch(`${apiUrl}/api/vault/manifest`, {
+        headers: { 'Authorization': `Bearer ${remote.apiKey}`, 'Content-Type': 'application/json' },
+        signal: AbortSignal.timeout(30000),
+      });
+      if (!res.ok) {
+        const text = await res.text().catch(() => '');
+        console.error(`  ${red('✘')} Manifest fetch failed: HTTP ${res.status}`);
+        if (text) console.error(`  ${dim(text.slice(0, 200))}`);
+        process.exit(1);
+      }
+      manifest = await res.json();
+    } catch (e) {
+      console.error(`  ${red('✘')} Manifest fetch failed: ${e.message}`);
+      process.exit(1);
+    }
+
+    const remoteEntries = manifest.entries || [];
+    const remoteMap = new Map();
+    for (const entry of remoteEntries) {
+      remoteMap.set(entry.id, entry);
+    }
+
+    // If remote manifest has content_hash, do a hash diff. Otherwise fall back to full sync.
+    const hasContentHash = remoteEntries.length > 0 && remoteEntries[0].content_hash;
+
+    if (!hasContentHash && remoteEntries.length > 0) {
+      console.log(`  ${yellow('!')} Remote manifest lacks content_hash. Falling back to full upload.`);
+      toUpload = localEntries;
+    } else {
+      toUpload = [];
+      let unchanged = 0;
+      for (const entry of localEntries) {
+        const remoteEntry = remoteMap.get(entry.id);
+        if (!remoteEntry) {
+          toUpload.push(entry);
+        } else if (remoteEntry.content_hash !== contentHash(entry)) {
+          toUpload.push(entry);
+        } else {
+          unchanged++;
+        }
+      }
+      console.log(`  Unchanged: ${unchanged}`);
+    }
+  }
+
+  const newCount = toUpload.length;
+  console.log(`  To upload: ${newCount}`);
+
+  if (newCount === 0) {
+    console.log(`\n  ${green('✓')} Everything is in sync.\n`);
+    await drainOfflineQueue(apiUrl, remote.apiKey);
+    return;
+  }
+
+  if (isDryRun) {
+    console.log();
+    for (const entry of toUpload.slice(0, 20)) {
+      console.log(`  ${dim(entry.id)} ${entry.kind || '?'} ${entry.title || dim('(untitled)')}`);
+    }
+    if (toUpload.length > 20) {
+      console.log(`  ${dim(`... and ${toUpload.length - 20} more`)}`);
+    }
+    console.log(`\n  ${dim('Dry run. No changes made.')}\n`);
+    return;
+  }
+
+  // Stream as NDJSON
+  console.log(`  Uploading...`);
+  const ndjsonBody = toUpload.map((entry) => JSON.stringify(entry)).join('\n') + '\n';
+
+  let jobId, entriesUploaded;
+  try {
+    const res = await fetch(`${apiUrl}/api/vault/import/stream`, {
+      method: 'POST',
+      headers: {
+        'Authorization': `Bearer ${remote.apiKey}`,
+        'Content-Type': 'application/x-ndjson',
+      },
+      body: ndjsonBody,
+      signal: AbortSignal.timeout(120000),
+    });
+    if (!res.ok) {
+      const text = await res.text().catch(() => '');
+      console.error(`  ${red('✘')} Upload failed: HTTP ${res.status}`);
+      if (text) console.error(`  ${dim(text.slice(0, 200))}`);
+      process.exit(1);
+    }
+    const data = await res.json();
+    jobId = data.job_id;
+    entriesUploaded = data.entries_uploaded || newCount;
+  } catch (e) {
+    console.error(`  ${red('✘')} Upload failed: ${e.message}`);
+    process.exit(1);
+  }
+
+  console.log(`  ${green('✓')} Uploaded ${entriesUploaded} entries.`);
+
+  if (!jobId) {
+    console.log(`\n  ${green('✓')} Sync complete (no job tracking available).\n`);
+    await drainOfflineQueue(apiUrl, remote.apiKey);
+    return;
+  }
+
+  // Poll job status until embeddings complete
+  console.log(`  Job: ${dim(jobId)}`);
+  console.log(`  Waiting for embeddings...`);
+
+  let attempts = 0;
+  const maxAttempts = 300; // 10 min max
+  while (attempts < maxAttempts) {
+    await new Promise((r) => setTimeout(r, 2000));
+    attempts++;
+    try {
+      const res = await fetch(`${apiUrl}/api/vault/jobs/${jobId}`, {
+        headers: { 'Authorization': `Bearer ${remote.apiKey}` },
+        signal: AbortSignal.timeout(10000),
+      });
+      if (!res.ok) {
+        if (res.status === 404) {
+          console.log(`  ${yellow('!')} Job not found (server may not support job tracking yet).`);
+          break;
+        }
+        continue;
+      }
+      const job = await res.json();
+      const embedded = job.entries_embedded || 0;
+      const total = job.total_entries || entriesUploaded;
+      const pct = total > 0 ? Math.round((embedded / total) * 100) : 0;
+      process.stdout.write(`\r  Embeddings: ${embedded}/${total} (${pct}%)   `);
+
+      if (job.status === 'complete') {
+        process.stdout.write('\n');
+        console.log(`  ${green('✓')} Embeddings complete.`);
+        break;
+      }
+      if (job.status === 'failed') {
+        process.stdout.write('\n');
+        console.error(`  ${red('✘')} Embedding job failed.`);
+        if (job.errors) console.error(`  ${dim(JSON.stringify(job.errors).slice(0, 300))}`);
+        break;
+      }
+    } catch {
+      // Transient error, keep polling
+    }
+  }
+
+  if (attempts >= maxAttempts) {
+    console.log(`\n  ${yellow('!')} Timed out waiting for embeddings. They will complete in the background.`);
+  }
+
+  console.log(`\n  ${green('✓')} Synced ${entriesUploaded} entries.\n`);
+  await drainOfflineQueue(apiUrl, remote.apiKey);
+}
+
+// ---------------------------------------------------------------------------
+// remote pull — fetch remote entries to local
+// ---------------------------------------------------------------------------
+async function runRemotePull(getRemoteConfig, dataDir) {
+  const remote = getRemoteConfig(dataDir);
+  if (!remote || !remote.enabled || !remote.apiKey) {
+    console.error(`\n  ${red('✘')} Remote is not configured. Run ${cyan('context-vault remote setup')} first.\n`);
+    process.exit(1);
+  }
+
+  const { resolveConfig } = await import('@context-vault/core/config');
+  const config = resolveConfig();
+
+  let DatabaseSync;
+  try {
+    DatabaseSync = (await import('node:sqlite')).DatabaseSync;
+  } catch {
+    console.error(`\n  ${red('✘')} Node.js SQLite not available. Requires Node >= 22.5.\n`);
+    process.exit(1);
+  }
+
+  const db = new DatabaseSync(config.dbPath, { open: true });
+  const apiUrl = remote.url.replace(/\/$/, '');
+
+  console.log();
+  console.log(`  ${bold('◇ Remote Pull')}`);
+  console.log();
+
+  // Fetch remote manifest
+  console.log(`  Fetching remote manifest...`);
+  let manifest;
+  try {
+    const res = await fetch(`${apiUrl}/api/vault/manifest`, {
+      headers: { 'Authorization': `Bearer ${remote.apiKey}`, 'Content-Type': 'application/json' },
+      signal: AbortSignal.timeout(30000),
+    });
+    if (!res.ok) {
+      const text = await res.text().catch(() => '');
+      console.error(`  ${red('✘')} Manifest fetch failed: HTTP ${res.status}`);
+      if (text) console.error(`  ${dim(text.slice(0, 200))}`);
+      db.close();
+      process.exit(1);
+    }
+    manifest = await res.json();
+  } catch (e) {
+    console.error(`  ${red('✘')} Manifest fetch failed: ${e.message}`);
+    db.close();
+    process.exit(1);
+  }
+
+  const remoteEntries = manifest.entries || [];
+  console.log(`  Remote entries: ${remoteEntries.length}`);
+
+  // Build local manifest
+  const localRows = db.prepare('SELECT id, updated_at FROM vault').all();
+  const localMap = new Map();
+  for (const row of localRows) {
+    localMap.set(row.id, row.updated_at);
+  }
+
+  // Diff: remote entries not in local, or remote.updated_at > local.updated_at
+  const toPull = [];
+  for (const entry of remoteEntries) {
+    const localUpdated = localMap.get(entry.id);
+    if (!localUpdated) {
+      toPull.push(entry.id);
+    } else if (entry.updated_at && entry.updated_at > localUpdated) {
+      toPull.push(entry.id);
+    }
+  }
+
+  console.log(`  To pull: ${toPull.length}`);
+
+  if (toPull.length === 0) {
+    console.log(`\n  ${green('✓')} Local vault is up to date.\n`);
+    db.close();
+    await drainOfflineQueue(apiUrl, remote.apiKey);
+    return;
+  }
+
+  if (isDryRun) {
+    for (const id of toPull.slice(0, 20)) {
+      const remoteEntry = remoteEntries.find((e) => e.id === id);
+      console.log(`  ${dim(id)} ${remoteEntry?.kind || '?'} ${remoteEntry?.title || dim('(untitled)')}`);
+    }
+    if (toPull.length > 20) {
+      console.log(`  ${dim(`... and ${toPull.length - 20} more`)}`);
+    }
+    console.log(`\n  ${dim('Dry run. No changes made.')}\n`);
+    db.close();
+    return;
+  }
+
+  // Batch fetch in groups of 100
+  let pulled = 0;
+
+  // Ensure vault table has the columns we need for INSERT OR REPLACE
+  const insertStmt = db.prepare(`
+    INSERT OR REPLACE INTO vault (id, kind, category, title, body, tags, meta, source, identity_key, tier, expires_at, created_at, updated_at)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `);
+
+  for (let i = 0; i < toPull.length; i += 100) {
+    const batch = toPull.slice(i, i + 100);
+    const idsParam = batch.join(',');
+    try {
+      const res = await fetch(`${apiUrl}/api/vault/entries?ids=${encodeURIComponent(idsParam)}`, {
+        headers: { 'Authorization': `Bearer ${remote.apiKey}`, 'Content-Type': 'application/json' },
+        signal: AbortSignal.timeout(30000),
+      });
+      if (!res.ok) {
+        console.error(`  ${red('✘')} Batch fetch failed: HTTP ${res.status}`);
+        continue;
+      }
+      const data = await res.json();
+      const entries = data.entries || data;
+      for (const entry of (Array.isArray(entries) ? entries : [])) {
+        const tags = typeof entry.tags === 'string' ? entry.tags : JSON.stringify(entry.tags || []);
+        const meta = typeof entry.meta === 'string' ? entry.meta : JSON.stringify(entry.meta || {});
+        insertStmt.run(
+          entry.id,
+          entry.kind || null,
+          entry.category || 'knowledge',
+          entry.title || null,
+          entry.body || '',
+          tags,
+          meta,
+          entry.source || null,
+          entry.identity_key || null,
+          entry.tier || 'working',
+          entry.expires_at || null,
+          entry.created_at || new Date().toISOString(),
+          entry.updated_at || new Date().toISOString()
+        );
+        pulled++;
+      }
+    } catch (e) {
+      console.error(`  ${yellow('!')} Batch fetch error: ${e.message}`);
+    }
+    process.stdout.write(`\r  Progress: ${Math.min(i + 100, toPull.length)}/${toPull.length}   `);
+  }
+
+  db.close();
+  process.stdout.write('\n');
+  console.log(`\n  ${green('✓')} Pulled ${pulled} entries from remote.\n`);
+  await drainOfflineQueue(apiUrl, remote.apiKey);
+}
+
+// ---------------------------------------------------------------------------
+// Offline queue drain — best-effort, runs after any successful remote call
+// ---------------------------------------------------------------------------
+async function drainOfflineQueue(apiUrl, apiKey) {
+  const queuePath = join(HOME, '.context-mcp', 'sync-queue.jsonl');
+  if (!existsSync(queuePath)) return;
+
+  let lines;
+  try {
+    const content = readFileSync(queuePath, 'utf-8').trim();
+    if (!content) {
+      unlinkSync(queuePath);
+      return;
+    }
+    lines = content.split('\n').filter(Boolean);
+  } catch {
+    return;
+  }
+
+  if (lines.length === 0) {
+    try { unlinkSync(queuePath); } catch {}
+    return;
+  }
+
+  console.log(`  ${dim(`Draining offline queue (${lines.length} entries)...`)}`);
+  const remaining = [];
+
+  for (const line of lines) {
+    try {
+      const entry = JSON.parse(line);
+      const res = await fetch(`${apiUrl}/api/vault/entries`, {
+        method: 'POST',
+        headers: {
+          'Authorization': `Bearer ${apiKey}`,
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify(entry),
+        signal: AbortSignal.timeout(10000),
+      });
+      if (!res.ok) {
+        remaining.push(line);
+      }
+    } catch {
+      remaining.push(line);
+    }
+  }
+
+  if (remaining.length > 0) {
+    writeFileSync(queuePath, remaining.join('\n') + '\n');
+    console.log(`  ${yellow('!')} ${remaining.length} entries still queued (will retry next sync).`);
+  } else {
+    try { unlinkSync(queuePath); } catch {}
+    console.log(`  ${green('✓')} Offline queue drained.`);
+  }
+}
+
 async function main() {
   if (flags.has('--version') || command === 'version') {
     console.log(VERSION);
@@ -7047,8 +8216,13 @@ async function main() {
   }
 
   if (flags.has('--help') || command === 'help') {
-    showHelp(flags.has('--all'));
-    return;
+    // Commands with their own --help handling: delegate to them
+    const commandsWithHelp = new Set(['save', 'search', 'rules', 'hooks', 'daemon', 'team', 'remote']);
+    if (!command || command === 'help' || !commandsWithHelp.has(command)) {
+      showHelp(flags.has('--all'));
+      return;
+    }
+    // Fall through to command switch for commands with built-in --help
   }
 
   if (!command) {
@@ -7173,6 +8347,15 @@ async function main() {
     case 'stats':
       await runStats();
       break;
+    case 'remote':
+      await runRemote();
+      break;
+    case 'team':
+      await runTeam();
+      break;
+    case 'public':
+      await runPublic();
+      break;
     default:
       console.error(red(`Unknown command: ${command}`));
       console.error(`Run ${cyan('context-vault --help')} for usage.`);