eagle-mem 2.0.7 → 3.0.1

package/bin/eagle-mem

@@ -27,6 +27,9 @@ case "$command" in
     refresh)    bash "$SCRIPTS_DIR/refresh.sh" "$@" ;;
     prune)      bash "$SCRIPTS_DIR/prune.sh" "$@" ;;
     memories)   bash "$SCRIPTS_DIR/memories.sh" "$@" ;;
+    config)     bash "$SCRIPTS_DIR/config.sh" "$@" ;;
+    curate)     bash "$SCRIPTS_DIR/curate.sh" "$@" ;;
+    feature)    bash "$SCRIPTS_DIR/feature.sh" "$@" ;;
     help|--help|-h)
                 bash "$SCRIPTS_DIR/help.sh" ;;
     version|--version|-v|-V)

package/db/013_features.sql

@@ -0,0 +1,69 @@
+-- Migration 013: Feature graph for deployment regression prevention
+-- Features are persistent entities with lifecycle, dependencies, files, and smoke tests.
+-- Auto-discovered by curator from accumulated session data (tasks, key_files, decisions).
+
+CREATE TABLE IF NOT EXISTS features (
+    id INTEGER PRIMARY KEY,
+    project TEXT NOT NULL,
+    name TEXT NOT NULL,
+    description TEXT,
+    status TEXT DEFAULT 'active',
+    last_verified_at TIMESTAMP,
+    last_verified_notes TEXT,
+    created_at TIMESTAMP DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
+    updated_at TIMESTAMP DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
+    UNIQUE(project, name)
+);
+
+CREATE TABLE IF NOT EXISTS feature_dependencies (
+    id INTEGER PRIMARY KEY,
+    feature_id INTEGER NOT NULL,
+    kind TEXT NOT NULL,
+    target TEXT NOT NULL,
+    name TEXT NOT NULL,
+    notes TEXT,
+    FOREIGN KEY (feature_id) REFERENCES features(id) ON DELETE CASCADE,
+    UNIQUE(feature_id, kind, target, name)
+);
+
+CREATE TABLE IF NOT EXISTS feature_files (
+    id INTEGER PRIMARY KEY,
+    feature_id INTEGER NOT NULL,
+    file_path TEXT NOT NULL,
+    role TEXT,
+    FOREIGN KEY (feature_id) REFERENCES features(id) ON DELETE CASCADE,
+    UNIQUE(feature_id, file_path)
+);
+
+CREATE TABLE IF NOT EXISTS feature_smoke_tests (
+    id INTEGER PRIMARY KEY,
+    feature_id INTEGER NOT NULL,
+    command TEXT NOT NULL,
+    description TEXT,
+    FOREIGN KEY (feature_id) REFERENCES features(id) ON DELETE CASCADE
+);
+
+-- FTS5 for feature search
+CREATE VIRTUAL TABLE IF NOT EXISTS features_fts USING fts5(
+    name,
+    description,
+    content='features',
+    content_rowid='id'
+);
+
+CREATE TRIGGER IF NOT EXISTS features_ai AFTER INSERT ON features BEGIN
+    INSERT INTO features_fts(rowid, name, description)
+    VALUES (new.id, new.name, new.description);
+END;
+
+CREATE TRIGGER IF NOT EXISTS features_ad AFTER DELETE ON features BEGIN
+    INSERT INTO features_fts(features_fts, rowid, name, description)
+    VALUES ('delete', old.id, old.name, old.description);
+END;
+
+CREATE TRIGGER IF NOT EXISTS features_au AFTER UPDATE ON features BEGIN
+    INSERT INTO features_fts(features_fts, rowid, name, description)
+    VALUES ('delete', old.id, old.name, old.description);
+    INSERT INTO features_fts(rowid, name, description)
+    VALUES (new.id, new.name, new.description);
+END;

package/db/014_command_intelligence.sql

@@ -0,0 +1,25 @@
+-- Migration 014: Command intelligence — output size tracking + command rules
+-- Adds output metrics to observations for adaptive command filtering.
+
+ALTER TABLE observations ADD COLUMN output_bytes INTEGER;
+ALTER TABLE observations ADD COLUMN output_lines INTEGER;
+ALTER TABLE observations ADD COLUMN command_category TEXT;
+
+-- Command rules table — populated by curator, consumed by PreToolUse hook
+CREATE TABLE IF NOT EXISTS command_rules (
+    id INTEGER PRIMARY KEY,
+    project TEXT,
+    pattern TEXT NOT NULL,
+    strategy TEXT NOT NULL DEFAULT 'summary',
+    max_lines INTEGER,
+    reason TEXT,
+    times_seen INTEGER DEFAULT 0,
+    avg_output_bytes INTEGER DEFAULT 0,
+    enabled INTEGER DEFAULT 1,
+    created_at TIMESTAMP DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
+    updated_at TIMESTAMP DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
+    UNIQUE(project, pattern)
+);
+
+CREATE INDEX IF NOT EXISTS idx_command_rules_pattern ON command_rules(pattern);
+CREATE INDEX IF NOT EXISTS idx_observations_category ON observations(command_category);

package/db/015_integrity_fixes.sql

@@ -0,0 +1,156 @@
+-- Migration 015: Data integrity fixes
+-- 1. Add CHECK constraints for status fields (claude_tasks, features, command_rules)
+-- 2. Add UNIQUE constraint to feature_smoke_tests to prevent duplicates
+-- 3. Deduplicate any existing smoke test rows before adding constraint
+
+-- ─── 1. CHECK constraints via table rebuild ──────────────────
+
+-- claude_tasks: enforce status values
+CREATE TABLE claude_tasks_new (
+    id                INTEGER PRIMARY KEY AUTOINCREMENT,
+    project           TEXT NOT NULL DEFAULT '',
+    source_session_id TEXT NOT NULL,
+    source_task_id    TEXT NOT NULL,
+    file_path         TEXT UNIQUE,
+    subject           TEXT,
+    description       TEXT,
+    active_form       TEXT,
+    status            TEXT NOT NULL DEFAULT 'pending' CHECK (status IN ('pending', 'in_progress', 'completed', 'cancelled')),
+    blocks            TEXT DEFAULT '[]',
+    blocked_by        TEXT DEFAULT '[]',
+    content_hash      TEXT,
+    captured_at       TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
+    updated_at        TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
+);
+
+INSERT INTO claude_tasks_new SELECT * FROM claude_tasks;
+DROP TABLE claude_tasks;
+ALTER TABLE claude_tasks_new RENAME TO claude_tasks;
+
+CREATE INDEX IF NOT EXISTS idx_claude_tasks_project ON claude_tasks(project);
+CREATE INDEX IF NOT EXISTS idx_claude_tasks_session ON claude_tasks(source_session_id);
+CREATE INDEX IF NOT EXISTS idx_claude_tasks_status ON claude_tasks(status);
+
+-- Recreate FTS triggers (dropped with table)
+CREATE TRIGGER claude_tasks_ai AFTER INSERT ON claude_tasks BEGIN
+    INSERT INTO claude_tasks_fts(rowid, subject, description)
+    VALUES (new.id, new.subject, new.description);
+END;
+
+CREATE TRIGGER claude_tasks_ad AFTER DELETE ON claude_tasks BEGIN
+    INSERT INTO claude_tasks_fts(claude_tasks_fts, rowid, subject, description)
+    VALUES ('delete', old.id, old.subject, old.description);
+END;
+
+CREATE TRIGGER claude_tasks_au AFTER UPDATE ON claude_tasks BEGIN
+    INSERT INTO claude_tasks_fts(claude_tasks_fts, rowid, subject, description)
+    VALUES ('delete', old.id, old.subject, old.description);
+    INSERT INTO claude_tasks_fts(rowid, subject, description)
+    VALUES (new.id, new.subject, new.description);
+END;
+
+-- features: enforce status values
+CREATE TABLE features_new (
+    id INTEGER PRIMARY KEY,
+    project TEXT NOT NULL,
+    name TEXT NOT NULL,
+    description TEXT,
+    status TEXT DEFAULT 'active' CHECK (status IN ('active', 'archived', 'deprecated')),
+    last_verified_at TIMESTAMP,
+    last_verified_notes TEXT,
+    created_at TIMESTAMP DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
+    updated_at TIMESTAMP DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
+    UNIQUE(project, name)
+);
+
+INSERT INTO features_new SELECT * FROM features;
+DROP TABLE features;
+ALTER TABLE features_new RENAME TO features;
+
+-- Recreate FTS triggers for features (dropped with table)
+CREATE TRIGGER features_ai AFTER INSERT ON features BEGIN
+    INSERT INTO features_fts(rowid, name, description)
+    VALUES (new.id, new.name, new.description);
+END;
+
+CREATE TRIGGER features_ad AFTER DELETE ON features BEGIN
+    INSERT INTO features_fts(features_fts, rowid, name, description)
+    VALUES ('delete', old.id, old.name, old.description);
+END;
+
+CREATE TRIGGER features_au AFTER UPDATE ON features BEGIN
+    INSERT INTO features_fts(features_fts, rowid, name, description)
+    VALUES ('delete', old.id, old.name, old.description);
+    INSERT INTO features_fts(rowid, name, description)
+    VALUES (new.id, new.name, new.description);
+END;
+
+-- Rebuild child tables with CASCADE FKs (they reference features.id)
+-- feature_dependencies: recreate to pick up new parent table
+CREATE TABLE feature_dependencies_new (
+    id INTEGER PRIMARY KEY,
+    feature_id INTEGER NOT NULL,
+    kind TEXT NOT NULL,
+    target TEXT NOT NULL,
+    name TEXT NOT NULL,
+    notes TEXT,
+    FOREIGN KEY (feature_id) REFERENCES features(id) ON DELETE CASCADE,
+    UNIQUE(feature_id, kind, target, name)
+);
+INSERT INTO feature_dependencies_new SELECT * FROM feature_dependencies;
+DROP TABLE feature_dependencies;
+ALTER TABLE feature_dependencies_new RENAME TO feature_dependencies;
+
+-- feature_files: recreate to pick up new parent table
+CREATE TABLE feature_files_new (
+    id INTEGER PRIMARY KEY,
+    feature_id INTEGER NOT NULL,
+    file_path TEXT NOT NULL,
+    role TEXT,
+    FOREIGN KEY (feature_id) REFERENCES features(id) ON DELETE CASCADE,
+    UNIQUE(feature_id, file_path)
+);
+INSERT INTO feature_files_new SELECT * FROM feature_files;
+DROP TABLE feature_files;
+ALTER TABLE feature_files_new RENAME TO feature_files;
+
+-- ─── 2. feature_smoke_tests: deduplicate + add UNIQUE constraint ──
+
+-- Remove duplicates, keeping the row with the lowest id per (feature_id, command)
+DELETE FROM feature_smoke_tests WHERE id NOT IN (
+    SELECT MIN(id) FROM feature_smoke_tests GROUP BY feature_id, command
+);
+
+CREATE TABLE feature_smoke_tests_new (
+    id INTEGER PRIMARY KEY,
+    feature_id INTEGER NOT NULL,
+    command TEXT NOT NULL,
+    description TEXT,
+    FOREIGN KEY (feature_id) REFERENCES features(id) ON DELETE CASCADE,
+    UNIQUE(feature_id, command)
+);
+INSERT INTO feature_smoke_tests_new SELECT * FROM feature_smoke_tests;
+DROP TABLE feature_smoke_tests;
+ALTER TABLE feature_smoke_tests_new RENAME TO feature_smoke_tests;
+
+-- ─── 3. command_rules: add CHECK on strategy ─────────────────
+
+CREATE TABLE command_rules_new (
+    id INTEGER PRIMARY KEY,
+    project TEXT,
+    pattern TEXT NOT NULL,
+    strategy TEXT NOT NULL DEFAULT 'summary' CHECK (strategy IN ('summary', 'truncate')),
+    max_lines INTEGER,
+    reason TEXT,
+    times_seen INTEGER DEFAULT 0,
+    avg_output_bytes INTEGER DEFAULT 0,
+    enabled INTEGER DEFAULT 1,
+    created_at TIMESTAMP DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
+    updated_at TIMESTAMP DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
+    UNIQUE(project, pattern)
+);
+INSERT INTO command_rules_new SELECT * FROM command_rules;
+DROP TABLE command_rules;
+ALTER TABLE command_rules_new RENAME TO command_rules;
+
+CREATE INDEX IF NOT EXISTS idx_command_rules_pattern ON command_rules(pattern);

package/db/migrate.sh

@@ -9,6 +9,9 @@ EAGLE_MEM_DIR="${EAGLE_MEM_DIR:-$HOME/.eagle-mem}"
 DB="$EAGLE_MEM_DIR/memory.db"
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 
+# Restrict permissions: DB and config contain session data and may contain
+# residual secrets despite redaction. Owner-only access (700 dir, 600 files).
+umask 077
 mkdir -p "$EAGLE_MEM_DIR"
 
 run_migration() {

package/hooks/post-tool-use.sh

@@ -31,9 +31,16 @@ esac
 
 project=$(eagle_project_from_cwd "$cwd")
 
+# Ensure session row exists before inserting observations (FK constraint).
+# PostToolUse can race SessionStart — the session row might not exist yet.
+eagle_upsert_session "$session_id" "$project" "$cwd" "" ""
+
 files_read="[]"
 files_modified="[]"
 tool_summary=""
+output_bytes=""
+output_lines=""
+command_category=""
 
 case "$tool_name" in
     Read)
@@ -53,24 +60,34 @@ case "$tool_name" in
         ;;
     Bash)
         cmd=$(echo "$input" | jq -r '.tool_input.command // empty' | cut -c1-200)
-        # Redact common secret patterns before storing
-        cmd=$(echo "$cmd" | sed -E \
-            -e 's/(Bearer )[^ ]*/\1[REDACTED]/gi' \
-            -e 's/(api[_-]?key[= :])[^ ]*/\1[REDACTED]/gi' \
-            -e 's/(password[= :])[^ ]*/\1[REDACTED]/gi' \
-            -e 's/(secret[= :])[^ ]*/\1[REDACTED]/gi' \
-            -e 's/(token[= :])[^ ]*/\1[REDACTED]/gi' \
-            -e 's/(Authorization: )[^ ]*/\1[REDACTED]/gi' \
-            -e 's/sk_live_[A-Za-z0-9]+/[REDACTED]/g' \
-            -e 's/sk_test_[A-Za-z0-9]+/[REDACTED]/g' \
-            -e 's/AKIA[A-Z0-9]{16}/[REDACTED]/g' \
-            -e 's/ghp_[A-Za-z0-9]{36}/[REDACTED]/g' \
-            -e 's/gho_[A-Za-z0-9]{36}/[REDACTED]/g' \
-            -e 's/sk-ant-[A-Za-z0-9_-]+/[REDACTED]/g' \
-            -e 's/sk-[A-Za-z0-9]{20,}/[REDACTED]/g' \
-            -e 's/(ANTHROPIC_API_KEY[= :])[^ ]*/\1[REDACTED]/g' \
-            -e 's/(OPENAI_API_KEY[= :])[^ ]*/\1[REDACTED]/g')
+        cmd=$(echo "$cmd" | eagle_redact)
         tool_summary="Bash: $cmd"
+
+        # Output metrics
+        tool_output=$(echo "$input" | jq -r '.tool_result.stdout // empty' 2>/dev/null)
+        if [ -n "$tool_output" ]; then
+            output_bytes=${#tool_output}
+            output_lines=$(echo "$tool_output" | wc -l | tr -d ' ')
+        fi
+
+        # Command category extraction
+        first_word=$(echo "$cmd" | awk '{print $1}' | sed 's|.*/||')
+        case "$first_word" in
+            git|gh) command_category="git" ;;
+            npm|npx|pnpm|yarn|bun) command_category="js" ;;
+            pip|pip3|python|python3|uv) command_category="python" ;;
+            cargo|rustc) command_category="rust" ;;
+            go) command_category="go" ;;
+            docker|docker-compose|podman) command_category="docker" ;;
+            kubectl|helm|k9s) command_category="k8s" ;;
+            aws|gcloud|az) command_category="cloud" ;;
+            make|cmake|ninja) command_category="build" ;;
+            grep|find|ls|cat|head|tail|wc|sort|sed|awk) command_category="files" ;;
+            curl|wget|http) command_category="http" ;;
+            *test*|jest|pytest|vitest|mocha) command_category="test" ;;
+            *lint*|eslint|ruff|golangci-lint) command_category="lint" ;;
+            *) command_category="other" ;;
+        esac
         ;;
     TaskCreate|TaskUpdate)
         task_subject=$(echo "$input" | jq -r '.tool_input.subject // empty')
@@ -158,6 +175,74 @@ case "$tool_name" in
         ;;
 esac
 
-eagle_insert_observation "$session_id" "$project" "$tool_name" "$tool_summary" "$files_read" "$files_modified"
+# ─── Decision + feature surfacing on Read ──────────────────
+# When Claude reads a file, surface past decisions and feature pipeline context.
+case "$tool_name" in
+    Read)
+        if [ -n "$fp" ]; then
+            fname=$(basename "$fp")
+            fname_stem="${fname%.*}"
+            read_context=""
+            case "$fp" in
+                "$HOME/.claude/"*) ;; # skip Claude config files
+                *)
+                    p_esc=$(eagle_sql_escape "$project")
+
+                    # Decision history from summaries
+                    if [ ${#fname_stem} -ge 3 ]; then
+                        fts_query=$(eagle_fts_sanitize "$fname_stem")
+                        if [ -n "$fts_query" ]; then
+                            fts_esc=$(eagle_sql_escape "$fts_query")
+                            decision_hit=$(eagle_db "SELECT s.decisions
+                                FROM summaries s
+                                JOIN summaries_fts f ON f.rowid = s.id
+                                WHERE summaries_fts MATCH '$fts_esc'
+                                AND s.project = '$p_esc'
+                                AND s.decisions IS NOT NULL
+                                AND s.decisions != ''
+                                ORDER BY s.created_at DESC
+                                LIMIT 1;")
+                            if [ -n "$decision_hit" ]; then
+                                read_context+="Eagle Mem decision history for '${fname}': ${decision_hit} — Do not revert without explicit user request. "
+                            fi
+                        fi
+                    fi
+
+                    # Feature pipeline context
+                    feature_hit=$(eagle_find_features_for_file "$project" "$fp")
+                    if [ -n "$feature_hit" ]; then
+                        while IFS='|' read -r feat_name feat_desc feat_verified _role feat_deps feat_other_files feat_smoke; do
+                            [ -z "$feat_name" ] && continue
+                            read_context+="Eagle Mem: '${fname}' is part of feature '${feat_name}'"
+                            [ -n "$feat_desc" ] && read_context+=" ($feat_desc)"
+                            read_context+="."
+                            if [ -n "$feat_verified" ]; then
+                                read_context+=" Last verified: ${feat_verified}."
+                            fi
+                            if [ -n "$feat_deps" ]; then
+                                read_context+=" Dependencies: ${feat_deps}."
+                            fi
+                            if [ -n "$feat_other_files" ]; then
+                                read_context+=" Other files in pipeline: ${feat_other_files}."
+                            fi
+                            if [ -n "$feat_smoke" ]; then
+                                read_context+=" Smoke tests: ${feat_smoke}."
+                            fi
+                            read_context+=" Changes require re-testing after deploy. "
+                        done <<< "$feature_hit"
+                    fi
+
+                    if [ -n "$read_context" ]; then
+                        jq -nc --arg ctx "$read_context" '{"hookSpecificOutput":{"hookEventName":"PostToolUse","additionalContext":$ctx}}'
+                    fi
+                    ;;
+            esac
+        fi
+        ;;
+esac
+
+if ! eagle_insert_observation "$session_id" "$project" "$tool_name" "$tool_summary" "$files_read" "$files_modified" "$output_bytes" "$output_lines" "$command_category"; then
+    eagle_log "ERROR" "PostToolUse: observation insert failed for session=$session_id tool=$tool_name"
+fi
 
 exit 0

package/hooks/pre-tool-use.sh

@@ -0,0 +1,125 @@
+#!/usr/bin/env bash
+# ═══════════════════════════════════════════════════════════
+# Eagle Mem — PreToolUse hook
+# Fires before every Bash tool use
+# 1. Surfaces feature verification checklists before git push
+# 2. Applies learned command filtering rules (RTK-style adaptive)
+# ═══════════════════════════════════════════════════════════
+set +e
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+LIB_DIR="$SCRIPT_DIR/../lib"
+
+. "$LIB_DIR/common.sh"
+. "$LIB_DIR/db.sh"
+
+input=$(eagle_read_stdin)
+[ -z "$input" ] && exit 0
+
+tool_name=$(echo "$input" | jq -r '.tool_name // empty')
+[ "$tool_name" != "Bash" ] && exit 0
+
+[ ! -f "$EAGLE_MEM_DB" ] && exit 0
+
+cmd=$(echo "$input" | jq -r '.tool_input.command // empty')
+[ -z "$cmd" ] && exit 0
+
+session_id=$(echo "$input" | jq -r '.session_id // empty')
+cwd=$(echo "$input" | jq -r '.cwd // empty')
+project=$(eagle_project_from_cwd "$cwd")
+p_esc=$(eagle_sql_escape "$project")
+
+context=""
+
+# ─── Feature verification on git push ─────────────────────
+
+case "$cmd" in
+    *"git push"*|*"gh pr create"*)
+        has_features=$(eagle_db "SELECT COUNT(*) FROM features WHERE project = '$p_esc' AND status = 'active';")
+        if [ "${has_features:-0}" -gt 0 ]; then
+            changed_files=""
+            if [ -n "$cwd" ] && [ -d "$cwd" ]; then
+                changed_files=$(git -C "$cwd" diff --name-only HEAD 2>/dev/null)
+                [ -z "$changed_files" ] && changed_files=$(git -C "$cwd" diff --cached --name-only 2>/dev/null)
+            fi
+
+            if [ -n "$changed_files" ]; then
+                seen_features=""
+                while IFS= read -r changed_file; do
+                    [ -z "$changed_file" ] && continue
+                    fname=$(basename "$changed_file")
+                    fname_esc=$(eagle_sql_escape "$fname")
+                    fname_like=$(eagle_like_escape "$fname_esc")
+
+                    feature_hits=$(eagle_db "SELECT DISTINCT f.name,
+                        (SELECT GROUP_CONCAT(fst.command, '; ')
+                         FROM feature_smoke_tests fst WHERE fst.feature_id = f.id) as smoke,
+                        (SELECT GROUP_CONCAT(fd.target || ':' || fd.name, ', ')
+                         FROM feature_dependencies fd WHERE fd.feature_id = f.id) as deps,
+                        f.last_verified_at
+                        FROM features f
+                        JOIN feature_files ff ON ff.feature_id = f.id
+                        WHERE f.project = '$p_esc'
+                        AND f.status = 'active'
+                        AND (ff.file_path LIKE '%$fname_like' ESCAPE '\\' OR ff.file_path LIKE '%$fname_like%' ESCAPE '\\');")
+
+                    while IFS='|' read -r feat_name feat_smoke feat_deps feat_verified; do
+                        [ -z "$feat_name" ] && continue
+                        case "$seen_features" in *"|$feat_name|"*) continue ;; esac
+                        seen_features+="|$feat_name|"
+
+                        context+="  - $feat_name"
+                        [ -n "$feat_smoke" ] && context+=" | smoke: $feat_smoke"
+                        [ -n "$feat_deps" ] && context+=" | deps: $feat_deps"
+                        if [ -n "$feat_verified" ]; then
+                            context+=" | last verified: $feat_verified"
+                        else
+                            context+=" | never verified"
+                        fi
+                        context+=$'\n'
+                    done <<< "$feature_hits"
+                done <<< "$changed_files"
+
+                if [ -n "$context" ]; then
+                    context="Eagle Mem: This push affects the following features. After deploy, verify each works and run 'eagle-mem feature verify <name>'.
+${context}"
+                fi
+            fi
+        fi
+        ;;
+esac
+
+# ─── Command output filtering (learned rules) ─────────────
+
+# Extract the base command for rule matching
+base_cmd=$(echo "$cmd" | awk '{print $1}' | sed 's|.*/||')
+cmd_esc=$(eagle_sql_escape "$base_cmd")
+
+rule=$(eagle_db "SELECT strategy, max_lines, reason
+    FROM command_rules
+    WHERE enabled = 1
+    AND (project = '$p_esc' OR project IS NULL)
+    AND ('$cmd_esc' LIKE pattern OR '$cmd_esc' = pattern)
+    ORDER BY
+        CASE WHEN project IS NOT NULL THEN 0 ELSE 1 END
+    LIMIT 1;")
+
+if [ -n "$rule" ]; then
+    IFS='|' read -r strategy max_lines reason <<< "$rule"
+    case "$strategy" in
+        summary)
+            context+="Eagle Mem command hint: '${base_cmd}' output is typically noisy (${reason}). Consider piping through 'tail -5' or checking exit code only."
+            ;;
+        truncate)
+            if [ -n "$max_lines" ] && [ "$max_lines" -gt 0 ] 2>/dev/null; then
+                context+="Eagle Mem command hint: '${base_cmd}' produces long output (${reason}). Consider: ${cmd} | head -${max_lines}"
+            fi
+            ;;
+    esac
+fi
+
+[ -z "$context" ] && exit 0
+
+jq -nc --arg ctx "$context" '{"hookSpecificOutput":{"hookEventName":"PreToolUse","additionalContext":$ctx}}'
+
+exit 0

package/hooks/session-end.sh

@@ -38,4 +38,7 @@ fi
 eagle_end_session "$session_id"
 eagle_log "INFO" "SessionEnd: session=$session_id marked completed"
 
+# Prune observations older than 90 days (keeps DB size bounded)
+eagle_prune_observations 90 "$project"
+
 exit 0

package/hooks/session-start.sh

@@ -268,6 +268,10 @@ $eagle_banner
 
 This gives the user visibility into the full context Eagle Mem loaded for this session.
 
+ANTI-REGRESSION: When Eagle Mem surfaces decision history about a file you are reading (via PostToolUse context), those decisions were made deliberately in past sessions. Do NOT revert or change the implementation approach without explicit user request. If you believe a past decision should change, state why and ask the user before proceeding. This prevents the common regression where Claude 'improves' code back to an older approach that was already rejected.
+
+SECRET SAFETY: Never include raw API keys, tokens, passwords, or secrets in eagle-summary fields or any text that Eagle Mem stores. Reference secrets by name (e.g., 'the Stripe API key', 'GOOGLE_APPLICATION_CREDENTIALS_JSON') not by value. Eagle Mem redacts common patterns automatically, but prevention is better than redaction.
+
 MEMORY FRESHNESS: The memories above include age indicators. If you make a change (edit a file, update a config, change a pattern) that contradicts what a loaded memory says, you MUST update that memory file immediately. Read the memory file, edit it to reflect the new reality, and the PostToolUse hook will sync the update to Eagle Mem. Stale memories mislead future sessions — keeping them current is as important as writing good code.
 
 === EAGLE MEM — SESSION SUMMARY (MANDATORY) ===

package/hooks/stop.sh

@@ -140,11 +140,25 @@ if [ -z "$request" ] && [ -n "$transcript_path" ] && [ -f "$transcript_path" ];
     fi
 fi
 
+# ─── Redact secrets from all text fields before storage ────
+
+request=$(echo "$request" | eagle_redact)
+investigated=$(echo "$investigated" | eagle_redact)
+learned=$(echo "$learned" | eagle_redact)
+completed=$(echo "$completed" | eagle_redact)
+next_steps=$(echo "$next_steps" | eagle_redact)
+decisions=$(echo "$decisions" | eagle_redact)
+gotchas=$(echo "$gotchas" | eagle_redact)
+key_files=$(echo "$key_files" | eagle_redact)
+
 # ─── Write to database ─────────────────────────────────────
 
 if [ -n "$request" ] || [ -n "$completed" ] || [ -n "$learned" ]; then
-    eagle_insert_summary "$session_id" "$project" "$request" "$investigated" "$learned" "$completed" "$next_steps" "$files_read" "$files_modified" "$notes" "$decisions" "$gotchas" "$key_files"
-    eagle_log "INFO" "Stop: summary saved for session=$session_id"
+    if eagle_insert_summary "$session_id" "$project" "$request" "$investigated" "$learned" "$completed" "$next_steps" "$files_read" "$files_modified" "$notes" "$decisions" "$gotchas" "$key_files"; then
+        eagle_log "INFO" "Stop: summary saved for session=$session_id"
+    else
+        eagle_log "ERROR" "Stop: summary insert FAILED for session=$session_id — check DB constraints"
+    fi
 fi
 
 exit 0

package/lib/common.sh

@@ -13,6 +13,10 @@ EAGLE_SKILLS_DIR="$HOME/.claude/skills"
 eagle_log() {
     local level="$1"
     shift
+    # Ensure log file is owner-only (may contain debug data)
+    if [ ! -f "$EAGLE_MEM_LOG" ]; then
+        touch "$EAGLE_MEM_LOG" 2>/dev/null && chmod 600 "$EAGLE_MEM_LOG" 2>/dev/null
+    fi
     echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] [$level] $*" >> "$EAGLE_MEM_LOG" 2>/dev/null || true
 }
 
@@ -42,6 +46,12 @@ eagle_fts_sanitize() {
     printf '%s' "$1" | sed 's/[*"(){}^~:]/  /g' | sed 's/  */ /g; s/^ //; s/ $//'
 }
 
+# Escape SQL LIKE wildcards (% and _) so literal filenames match exactly.
+# Apply AFTER eagle_sql_escape, since this only handles LIKE metacharacters.
+eagle_like_escape() {
+    printf '%s' "$1" | sed 's/%/\\%/g; s/_/\\_/g'
+}
+
 # Validate a session ID is safe for use in file paths (no traversal).
 # Claude Code session IDs are UUIDs or hex strings — reject anything else.
 eagle_validate_session_id() {
@@ -59,6 +69,41 @@ eagle_read_stdin() {
     echo "$input"
 }
 
+# Redact secrets from text before storage.
+# Covers: Bearer tokens, API keys, passwords, secrets, tokens,
+# Stripe/AWS/GitHub/Anthropic/OpenAI key patterns, named env vars.
+eagle_redact() {
+    sed -E \
+        -e 's/(Bearer )[^[:space:],;"'"'"']*/\1[REDACTED]/gi' \
+        -e 's/(api[_-]?key[= :])[^[:space:],;"'"'"']*/\1[REDACTED]/gi' \
+        -e 's/(password[= :])[^[:space:],;"'"'"']*/\1[REDACTED]/gi' \
+        -e 's/(secret[= :])[^[:space:],;"'"'"']*/\1[REDACTED]/gi' \
+        -e 's/(token[= :])[^[:space:],;"'"'"']*/\1[REDACTED]/gi' \
+        -e 's/(Authorization: )[^[:space:],;"'"'"']*/\1[REDACTED]/gi' \
+        -e 's/(client_secret[= :])[^[:space:],;"'"'"']*/\1[REDACTED]/gi' \
+        -e 's/(private_key[= :])[^[:space:],;"'"'"']*/\1[REDACTED]/gi' \
+        -e 's/(access_token[= :])[^[:space:],;"'"'"']*/\1[REDACTED]/gi' \
+        -e 's/sk_live_[A-Za-z0-9]+/[REDACTED]/g' \
+        -e 's/sk_test_[A-Za-z0-9]+/[REDACTED]/g' \
+        -e 's/whsec_[A-Za-z0-9]+/[REDACTED]/g' \
+        -e 's/AKIA[A-Z0-9]{16}/[REDACTED]/g' \
+        -e 's/ghp_[A-Za-z0-9]{36}/[REDACTED]/g' \
+        -e 's/gho_[A-Za-z0-9]{36}/[REDACTED]/g' \
+        -e 's/glpat-[A-Za-z0-9_-]{20,}/[REDACTED]/g' \
+        -e 's/sk-ant-[A-Za-z0-9_-]+/[REDACTED]/g' \
+        -e 's/sk-[A-Za-z0-9]{20,}/[REDACTED]/g' \
+        -e 's/AIza[0-9A-Za-z_-]{35}/[REDACTED]/g' \
+        -e 's/xox[abps]-[A-Za-z0-9-]+/[REDACTED]/g' \
+        -e 's/eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/[REDACTED_JWT]/g' \
+        -e 's|(https?://[^/:]+:)[^@]+(@)|\1[REDACTED]\2|g' \
+        -e 's/-----BEGIN [A-Z ]*PRIVATE KEY-----/[REDACTED_PRIVATE_KEY]/g' \
+        -e 's/(ANTHROPIC_API_KEY[= :])[^[:space:],;"'"'"']*/\1[REDACTED]/g' \
+        -e 's/(OPENAI_API_KEY[= :])[^[:space:],;"'"'"']*/\1[REDACTED]/g' \
+        -e 's/(GOOGLE_API_KEY[= :])[^[:space:],;"'"'"']*/\1[REDACTED]/g' \
+        -e 's/(SLACK_TOKEN[= :])[^[:space:],;"'"'"']*/\1[REDACTED]/g' \
+        -e 's/(DATABASE_URL[= :])[^[:space:],;"'"'"']*/\1[REDACTED]/g'
+}
+
 # Collect project files into a destination file.
 # Uses git ls-files when available, falls back to find with common exclusions.
 # Usage: eagle_collect_files <target_dir> <output_file>