eagle-mem 3.0.0 → 3.0.1

package/db/015_integrity_fixes.sql

@@ -0,0 +1,156 @@
+-- Migration 015: Data integrity fixes
+-- 1. Add CHECK constraints for status fields (claude_tasks, features, command_rules)
+-- 2. Add UNIQUE constraint to feature_smoke_tests to prevent duplicates
+-- 3. Deduplicate any existing smoke test rows before adding constraint
+
+-- ─── 1. CHECK constraints via table rebuild ──────────────────
+
+-- claude_tasks: enforce status values
+CREATE TABLE claude_tasks_new (
+    id                INTEGER PRIMARY KEY AUTOINCREMENT,
+    project           TEXT NOT NULL DEFAULT '',
+    source_session_id TEXT NOT NULL,
+    source_task_id    TEXT NOT NULL,
+    file_path         TEXT UNIQUE,
+    subject           TEXT,
+    description       TEXT,
+    active_form       TEXT,
+    status            TEXT NOT NULL DEFAULT 'pending' CHECK (status IN ('pending', 'in_progress', 'completed', 'cancelled')),
+    blocks            TEXT DEFAULT '[]',
+    blocked_by        TEXT DEFAULT '[]',
+    content_hash      TEXT,
+    captured_at       TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
+    updated_at        TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
+);
+
+INSERT INTO claude_tasks_new SELECT * FROM claude_tasks;
+DROP TABLE claude_tasks;
+ALTER TABLE claude_tasks_new RENAME TO claude_tasks;
+
+CREATE INDEX IF NOT EXISTS idx_claude_tasks_project ON claude_tasks(project);
+CREATE INDEX IF NOT EXISTS idx_claude_tasks_session ON claude_tasks(source_session_id);
+CREATE INDEX IF NOT EXISTS idx_claude_tasks_status ON claude_tasks(status);
+
+-- Recreate FTS triggers (dropped with table)
+CREATE TRIGGER claude_tasks_ai AFTER INSERT ON claude_tasks BEGIN
+    INSERT INTO claude_tasks_fts(rowid, subject, description)
+    VALUES (new.id, new.subject, new.description);
+END;
+
+CREATE TRIGGER claude_tasks_ad AFTER DELETE ON claude_tasks BEGIN
+    INSERT INTO claude_tasks_fts(claude_tasks_fts, rowid, subject, description)
+    VALUES ('delete', old.id, old.subject, old.description);
+END;
+
+CREATE TRIGGER claude_tasks_au AFTER UPDATE ON claude_tasks BEGIN
+    INSERT INTO claude_tasks_fts(claude_tasks_fts, rowid, subject, description)
+    VALUES ('delete', old.id, old.subject, old.description);
+    INSERT INTO claude_tasks_fts(rowid, subject, description)
+    VALUES (new.id, new.subject, new.description);
+END;
+
+-- features: enforce status values
+CREATE TABLE features_new (
+    id INTEGER PRIMARY KEY,
+    project TEXT NOT NULL,
+    name TEXT NOT NULL,
+    description TEXT,
+    status TEXT DEFAULT 'active' CHECK (status IN ('active', 'archived', 'deprecated')),
+    last_verified_at TIMESTAMP,
+    last_verified_notes TEXT,
+    created_at TIMESTAMP DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
+    updated_at TIMESTAMP DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
+    UNIQUE(project, name)
+);
+
+INSERT INTO features_new SELECT * FROM features;
+DROP TABLE features;
+ALTER TABLE features_new RENAME TO features;
+
+-- Recreate FTS triggers for features (dropped with table)
+CREATE TRIGGER features_ai AFTER INSERT ON features BEGIN
+    INSERT INTO features_fts(rowid, name, description)
+    VALUES (new.id, new.name, new.description);
+END;
+
+CREATE TRIGGER features_ad AFTER DELETE ON features BEGIN
+    INSERT INTO features_fts(features_fts, rowid, name, description)
+    VALUES ('delete', old.id, old.name, old.description);
+END;
+
+CREATE TRIGGER features_au AFTER UPDATE ON features BEGIN
+    INSERT INTO features_fts(features_fts, rowid, name, description)
+    VALUES ('delete', old.id, old.name, old.description);
+    INSERT INTO features_fts(rowid, name, description)
+    VALUES (new.id, new.name, new.description);
+END;
+
+-- Rebuild child tables with CASCADE FKs (they reference features.id)
+-- feature_dependencies: recreate to pick up new parent table
+CREATE TABLE feature_dependencies_new (
+    id INTEGER PRIMARY KEY,
+    feature_id INTEGER NOT NULL,
+    kind TEXT NOT NULL,
+    target TEXT NOT NULL,
+    name TEXT NOT NULL,
+    notes TEXT,
+    FOREIGN KEY (feature_id) REFERENCES features(id) ON DELETE CASCADE,
+    UNIQUE(feature_id, kind, target, name)
+);
+INSERT INTO feature_dependencies_new SELECT * FROM feature_dependencies;
+DROP TABLE feature_dependencies;
+ALTER TABLE feature_dependencies_new RENAME TO feature_dependencies;
+
+-- feature_files: recreate to pick up new parent table
+CREATE TABLE feature_files_new (
+    id INTEGER PRIMARY KEY,
+    feature_id INTEGER NOT NULL,
+    file_path TEXT NOT NULL,
+    role TEXT,
+    FOREIGN KEY (feature_id) REFERENCES features(id) ON DELETE CASCADE,
+    UNIQUE(feature_id, file_path)
+);
+INSERT INTO feature_files_new SELECT * FROM feature_files;
+DROP TABLE feature_files;
+ALTER TABLE feature_files_new RENAME TO feature_files;
+
+-- ─── 2. feature_smoke_tests: deduplicate + add UNIQUE constraint ──
+
+-- Remove duplicates, keeping the row with the lowest id per (feature_id, command)
+DELETE FROM feature_smoke_tests WHERE id NOT IN (
+    SELECT MIN(id) FROM feature_smoke_tests GROUP BY feature_id, command
+);
+
+CREATE TABLE feature_smoke_tests_new (
+    id INTEGER PRIMARY KEY,
+    feature_id INTEGER NOT NULL,
+    command TEXT NOT NULL,
+    description TEXT,
+    FOREIGN KEY (feature_id) REFERENCES features(id) ON DELETE CASCADE,
+    UNIQUE(feature_id, command)
+);
+INSERT INTO feature_smoke_tests_new SELECT * FROM feature_smoke_tests;
+DROP TABLE feature_smoke_tests;
+ALTER TABLE feature_smoke_tests_new RENAME TO feature_smoke_tests;
+
+-- ─── 3. command_rules: add CHECK on strategy ─────────────────
+
+CREATE TABLE command_rules_new (
+    id INTEGER PRIMARY KEY,
+    project TEXT,
+    pattern TEXT NOT NULL,
+    strategy TEXT NOT NULL DEFAULT 'summary' CHECK (strategy IN ('summary', 'truncate')),
+    max_lines INTEGER,
+    reason TEXT,
+    times_seen INTEGER DEFAULT 0,
+    avg_output_bytes INTEGER DEFAULT 0,
+    enabled INTEGER DEFAULT 1,
+    created_at TIMESTAMP DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
+    updated_at TIMESTAMP DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
+    UNIQUE(project, pattern)
+);
+INSERT INTO command_rules_new SELECT * FROM command_rules;
+DROP TABLE command_rules;
+ALTER TABLE command_rules_new RENAME TO command_rules;
+
+CREATE INDEX IF NOT EXISTS idx_command_rules_pattern ON command_rules(pattern);

package/db/migrate.sh

@@ -9,6 +9,9 @@ EAGLE_MEM_DIR="${EAGLE_MEM_DIR:-$HOME/.eagle-mem}"
 DB="$EAGLE_MEM_DIR/memory.db"
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 
+# Restrict permissions: DB and config contain session data and may contain
+# residual secrets despite redaction. Owner-only access (700 dir, 600 files).
+umask 077
 mkdir -p "$EAGLE_MEM_DIR"
 
 run_migration() {

package/hooks/post-tool-use.sh

@@ -31,6 +31,10 @@ esac
 
 project=$(eagle_project_from_cwd "$cwd")
 
+# Ensure session row exists before inserting observations (FK constraint).
+# PostToolUse can race SessionStart — the session row might not exist yet.
+eagle_upsert_session "$session_id" "$project" "$cwd" "" ""
+
 files_read="[]"
 files_modified="[]"
 tool_summary=""
@@ -237,6 +241,8 @@ case "$tool_name" in
         ;;
 esac
 
-eagle_insert_observation "$session_id" "$project" "$tool_name" "$tool_summary" "$files_read" "$files_modified" "$output_bytes" "$output_lines" "$command_category"
+if ! eagle_insert_observation "$session_id" "$project" "$tool_name" "$tool_summary" "$files_read" "$files_modified" "$output_bytes" "$output_lines" "$command_category"; then
+    eagle_log "ERROR" "PostToolUse: observation insert failed for session=$session_id tool=$tool_name"
+fi
 
 exit 0

package/hooks/pre-tool-use.sh

@@ -49,6 +49,7 @@ case "$cmd" in
                     [ -z "$changed_file" ] && continue
                     fname=$(basename "$changed_file")
                     fname_esc=$(eagle_sql_escape "$fname")
+                    fname_like=$(eagle_like_escape "$fname_esc")
 
                     feature_hits=$(eagle_db "SELECT DISTINCT f.name,
                         (SELECT GROUP_CONCAT(fst.command, '; ')
@@ -60,7 +61,7 @@ case "$cmd" in
                         JOIN feature_files ff ON ff.feature_id = f.id
                         WHERE f.project = '$p_esc'
                         AND f.status = 'active'
-                        AND (ff.file_path LIKE '%$fname_esc' OR ff.file_path LIKE '%$fname_esc%');")
+                        AND (ff.file_path LIKE '%$fname_like' ESCAPE '\\' OR ff.file_path LIKE '%$fname_like%' ESCAPE '\\');")
 
                     while IFS='|' read -r feat_name feat_smoke feat_deps feat_verified; do
                         [ -z "$feat_name" ] && continue

package/hooks/session-end.sh

@@ -38,4 +38,7 @@ fi
 eagle_end_session "$session_id"
 eagle_log "INFO" "SessionEnd: session=$session_id marked completed"
 
+# Prune observations older than 90 days (keeps DB size bounded)
+eagle_prune_observations 90 "$project"
+
 exit 0

package/hooks/stop.sh

@@ -154,8 +154,11 @@ key_files=$(echo "$key_files" | eagle_redact)
 # ─── Write to database ─────────────────────────────────────
 
 if [ -n "$request" ] || [ -n "$completed" ] || [ -n "$learned" ]; then
-    eagle_insert_summary "$session_id" "$project" "$request" "$investigated" "$learned" "$completed" "$next_steps" "$files_read" "$files_modified" "$notes" "$decisions" "$gotchas" "$key_files"
-    eagle_log "INFO" "Stop: summary saved for session=$session_id"
+    if eagle_insert_summary "$session_id" "$project" "$request" "$investigated" "$learned" "$completed" "$next_steps" "$files_read" "$files_modified" "$notes" "$decisions" "$gotchas" "$key_files"; then
+        eagle_log "INFO" "Stop: summary saved for session=$session_id"
+    else
+        eagle_log "ERROR" "Stop: summary insert FAILED for session=$session_id — check DB constraints"
+    fi
 fi
 
 exit 0

package/lib/common.sh

@@ -13,6 +13,10 @@ EAGLE_SKILLS_DIR="$HOME/.claude/skills"
 eagle_log() {
     local level="$1"
     shift
+    # Ensure log file is owner-only (may contain debug data)
+    if [ ! -f "$EAGLE_MEM_LOG" ]; then
+        touch "$EAGLE_MEM_LOG" 2>/dev/null && chmod 600 "$EAGLE_MEM_LOG" 2>/dev/null
+    fi
     echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] [$level] $*" >> "$EAGLE_MEM_LOG" 2>/dev/null || true
 }
 
@@ -42,6 +46,12 @@ eagle_fts_sanitize() {
     printf '%s' "$1" | sed 's/[*"(){}^~:]/  /g' | sed 's/  */ /g; s/^ //; s/ $//'
 }
 
+# Escape SQL LIKE wildcards (% and _) so literal filenames match exactly.
+# Apply AFTER eagle_sql_escape, since this only handles LIKE metacharacters.
+eagle_like_escape() {
+    printf '%s' "$1" | sed 's/%/\\%/g; s/_/\\_/g'
+}
+
 # Validate a session ID is safe for use in file paths (no traversal).
 # Claude Code session IDs are UUIDs or hex strings — reject anything else.
 eagle_validate_session_id() {
@@ -64,21 +74,34 @@ eagle_read_stdin() {
 # Stripe/AWS/GitHub/Anthropic/OpenAI key patterns, named env vars.
 eagle_redact() {
     sed -E \
-        -e 's/(Bearer )[^ ]*/\1[REDACTED]/gi' \
-        -e 's/(api[_-]?key[= :])[^ ]*/\1[REDACTED]/gi' \
-        -e 's/(password[= :])[^ ]*/\1[REDACTED]/gi' \
-        -e 's/(secret[= :])[^ ]*/\1[REDACTED]/gi' \
-        -e 's/(token[= :])[^ ]*/\1[REDACTED]/gi' \
-        -e 's/(Authorization: )[^ ]*/\1[REDACTED]/gi' \
+        -e 's/(Bearer )[^[:space:],;"'"'"']*/\1[REDACTED]/gi' \
+        -e 's/(api[_-]?key[= :])[^[:space:],;"'"'"']*/\1[REDACTED]/gi' \
+        -e 's/(password[= :])[^[:space:],;"'"'"']*/\1[REDACTED]/gi' \
+        -e 's/(secret[= :])[^[:space:],;"'"'"']*/\1[REDACTED]/gi' \
+        -e 's/(token[= :])[^[:space:],;"'"'"']*/\1[REDACTED]/gi' \
+        -e 's/(Authorization: )[^[:space:],;"'"'"']*/\1[REDACTED]/gi' \
+        -e 's/(client_secret[= :])[^[:space:],;"'"'"']*/\1[REDACTED]/gi' \
+        -e 's/(private_key[= :])[^[:space:],;"'"'"']*/\1[REDACTED]/gi' \
+        -e 's/(access_token[= :])[^[:space:],;"'"'"']*/\1[REDACTED]/gi' \
         -e 's/sk_live_[A-Za-z0-9]+/[REDACTED]/g' \
         -e 's/sk_test_[A-Za-z0-9]+/[REDACTED]/g' \
+        -e 's/whsec_[A-Za-z0-9]+/[REDACTED]/g' \
         -e 's/AKIA[A-Z0-9]{16}/[REDACTED]/g' \
         -e 's/ghp_[A-Za-z0-9]{36}/[REDACTED]/g' \
         -e 's/gho_[A-Za-z0-9]{36}/[REDACTED]/g' \
+        -e 's/glpat-[A-Za-z0-9_-]{20,}/[REDACTED]/g' \
         -e 's/sk-ant-[A-Za-z0-9_-]+/[REDACTED]/g' \
         -e 's/sk-[A-Za-z0-9]{20,}/[REDACTED]/g' \
-        -e 's/(ANTHROPIC_API_KEY[= :])[^ ]*/\1[REDACTED]/g' \
-        -e 's/(OPENAI_API_KEY[= :])[^ ]*/\1[REDACTED]/g'
+        -e 's/AIza[0-9A-Za-z_-]{35}/[REDACTED]/g' \
+        -e 's/xox[abps]-[A-Za-z0-9-]+/[REDACTED]/g' \
+        -e 's/eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/[REDACTED_JWT]/g' \
+        -e 's|(https?://[^/:]+:)[^@]+(@)|\1[REDACTED]\2|g' \
+        -e 's/-----BEGIN [A-Z ]*PRIVATE KEY-----/[REDACTED_PRIVATE_KEY]/g' \
+        -e 's/(ANTHROPIC_API_KEY[= :])[^[:space:],;"'"'"']*/\1[REDACTED]/g' \
+        -e 's/(OPENAI_API_KEY[= :])[^[:space:],;"'"'"']*/\1[REDACTED]/g' \
+        -e 's/(GOOGLE_API_KEY[= :])[^[:space:],;"'"'"']*/\1[REDACTED]/g' \
+        -e 's/(SLACK_TOKEN[= :])[^[:space:],;"'"'"']*/\1[REDACTED]/g' \
+        -e 's/(DATABASE_URL[= :])[^[:space:],;"'"'"']*/\1[REDACTED]/g'
 }
 
 # Collect project files into a destination file.

package/lib/db.sh

@@ -14,15 +14,45 @@ PRAGMA trusted_schema=ON;
 .output stdout"
 
 eagle_db() {
-    { echo "$EAGLE_DB_SETUP"; echo "$*"; } | sqlite3 "$EAGLE_MEM_DB" 2>>"$EAGLE_MEM_LOG"
+    local _eagle_db_err
+    _eagle_db_err=$(mktemp 2>/dev/null || echo "/tmp/_eagle_db_err.$$")
+    local _eagle_db_out
+    _eagle_db_out=$({ echo "$EAGLE_DB_SETUP"; echo "$*"; } | sqlite3 "$EAGLE_MEM_DB" 2>"$_eagle_db_err")
+    local _eagle_db_rc=$?
+    if [ -s "$_eagle_db_err" ]; then
+        cat "$_eagle_db_err" >> "$EAGLE_MEM_LOG" 2>/dev/null
+    fi
+    rm -f "$_eagle_db_err" 2>/dev/null
+    [ -n "$_eagle_db_out" ] && printf '%s\n' "$_eagle_db_out"
+    return $_eagle_db_rc
 }
 
 eagle_db_pipe() {
-    { echo "$EAGLE_DB_SETUP"; echo ".bail on"; cat; } | sqlite3 "$EAGLE_MEM_DB" 2>>"$EAGLE_MEM_LOG"
+    local _eagle_db_err
+    _eagle_db_err=$(mktemp 2>/dev/null || echo "/tmp/_eagle_db_pipe_err.$$")
+    local _eagle_db_out
+    _eagle_db_out=$({ echo "$EAGLE_DB_SETUP"; echo ".bail on"; cat; } | sqlite3 "$EAGLE_MEM_DB" 2>"$_eagle_db_err")
+    local _eagle_db_rc=$?
+    if [ -s "$_eagle_db_err" ]; then
+        cat "$_eagle_db_err" >> "$EAGLE_MEM_LOG" 2>/dev/null
+    fi
+    rm -f "$_eagle_db_err" 2>/dev/null
+    [ -n "$_eagle_db_out" ] && printf '%s\n' "$_eagle_db_out"
+    return $_eagle_db_rc
 }
 
 eagle_db_json() {
-    { echo "$EAGLE_DB_SETUP"; echo ".mode json"; echo "$*"; } | sqlite3 "$EAGLE_MEM_DB" 2>>"$EAGLE_MEM_LOG"
+    local _eagle_db_err
+    _eagle_db_err=$(mktemp 2>/dev/null || echo "/tmp/_eagle_db_json_err.$$")
+    local _eagle_db_out
+    _eagle_db_out=$({ echo "$EAGLE_DB_SETUP"; echo ".mode json"; echo "$*"; } | sqlite3 "$EAGLE_MEM_DB" 2>"$_eagle_db_err")
+    local _eagle_db_rc=$?
+    if [ -s "$_eagle_db_err" ]; then
+        cat "$_eagle_db_err" >> "$EAGLE_MEM_LOG" 2>/dev/null
+    fi
+    rm -f "$_eagle_db_err" 2>/dev/null
+    [ -n "$_eagle_db_out" ] && printf '%s\n' "$_eagle_db_out"
+    return $_eagle_db_rc
 }
 
 eagle_ensure_db() {
@@ -615,7 +645,7 @@ eagle_add_feature_smoke_test() {
     local command; command=$(eagle_sql_escape "$2")
     local description; description=$(eagle_sql_escape "${3:-}")
 
-    eagle_db "INSERT INTO feature_smoke_tests (feature_id, command, description)
+    eagle_db "INSERT OR IGNORE INTO feature_smoke_tests (feature_id, command, description)
         VALUES ($feature_id, '$command', '$description');"
 }
 
@@ -690,6 +720,7 @@ eagle_find_features_for_file() {
     local file_path="$2"
     local fname; fname=$(basename "$file_path")
     local fname_esc; fname_esc=$(eagle_sql_escape "$fname")
+    local fname_like; fname_like=$(eagle_like_escape "$fname_esc")
 
     eagle_db "SELECT f.name, f.description, f.last_verified_at,
         ff.role,
@@ -703,7 +734,7 @@ eagle_find_features_for_file() {
         JOIN feature_files ff ON ff.feature_id = f.id
         WHERE f.project = '$project'
         AND f.status = 'active'
-        AND (ff.file_path LIKE '%$fname_esc' OR ff.file_path LIKE '%$fname_esc%')
+        AND (ff.file_path LIKE '%$fname_like' ESCAPE '\\' OR ff.file_path LIKE '%$fname_like%' ESCAPE '\\')
         ORDER BY f.updated_at DESC
         LIMIT 3;"
 }

package/lib/provider.sh

@@ -50,19 +50,30 @@ eagle_config_set() {
     local key="$2"
     local value="$3"
 
+    # Validate section/key are alphanumeric+underscore (safe for grep/sed patterns)
+    if [[ ! "$section" =~ ^[A-Za-z0-9_-]+$ ]] || [[ ! "$key" =~ ^[A-Za-z0-9_-]+$ ]]; then
+        eagle_log "ERROR" "config_set: invalid section/key: [$section] $key"
+        return 1
+    fi
+
     if [ ! -f "$EAGLE_CONFIG_FILE" ]; then
         eagle_config_init
     fi
 
+    # Escape sed metacharacters in value to prevent injection via |, &, \, /
+    local safe_value
+    safe_value=$(printf '%s' "$value" | sed 's/[|&/\]/\\&/g')
+
     if grep -q "^\[${section}\]" "$EAGLE_CONFIG_FILE" 2>/dev/null; then
         if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$EAGLE_CONFIG_FILE" 2>/dev/null; then
-            sed -i '' "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = \"${value}\"|" "$EAGLE_CONFIG_FILE"
+            sed -i '' "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = \"${safe_value}\"|" "$EAGLE_CONFIG_FILE"
         else
             sed -i '' "/^\[${section}\]/a\\
-${key} = \"${value}\"
+${key} = \"${safe_value}\"
 " "$EAGLE_CONFIG_FILE"
         fi
     else
+        # printf is safe — no sed interpolation needed for append
         printf '\n[%s]\n%s = "%s"\n' "$section" "$key" "$value" >> "$EAGLE_CONFIG_FILE"
     fi
 }
@@ -115,7 +126,10 @@ eagle_config_init() {
         model="gpt-4o-mini"
     fi
 
-    cat > "$EAGLE_CONFIG_FILE" << TOML
+    # Create config with restrictive permissions from the start (no TOCTOU window)
+    (
+        umask 077
+        cat > "$EAGLE_CONFIG_FILE" << TOML
 # Eagle Mem configuration
 # Docs: https://github.com/eagleisbatman/eagle-mem
 
@@ -144,7 +158,7 @@ schedule = "manual"
 # Additional secret patterns (regex) beyond built-in defaults
 # extra_patterns = ["MY_CUSTOM_SECRET_.*"]
 TOML
-
+    )
     eagle_log "INFO" "Config initialized: provider=$provider model=$model"
 }
 
@@ -236,11 +250,12 @@ _eagle_call_anthropic() {
             messages: [{role: "user", content: $prompt}]
         }')
 
+    # Pass API key via config stdin to avoid exposing it in process list (ps aux)
     local response
     response=$(curl -sf "https://api.anthropic.com/v1/messages" \
         --connect-timeout 5 \
         --max-time 120 \
-        -H "x-api-key: ${api_key}" \
+        -K <(printf 'header = "x-api-key: %s"' "$api_key") \
         -H "anthropic-version: 2023-06-01" \
         -H "content-type: application/json" \
         -d "$body" 2>/dev/null)
@@ -280,11 +295,12 @@ _eagle_call_openai() {
             ]
         }')
 
+    # Pass API key via config stdin to avoid exposing it in process list (ps aux)
     local response
     response=$(curl -sf "https://api.openai.com/v1/chat/completions" \
         --connect-timeout 5 \
         --max-time 120 \
-        -H "Authorization: Bearer ${api_key}" \
+        -K <(printf 'header = "Authorization: Bearer %s"' "$api_key") \
         -H "content-type: application/json" \
         -d "$body" 2>/dev/null)
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "eagle-mem",
-  "version": "3.0.0",
+  "version": "3.0.1",
   "description": "Persistent memory for Claude Code — SQLite + FTS5, no daemon, no bloat",
   "bin": {
     "eagle-mem": "bin/eagle-mem"

package/scripts/curate.sh

@@ -213,6 +213,16 @@ If no rules needed, output: NONE"
                         max_lines=$(echo "$max_lines" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
                         reason=$(echo "$reason" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
 
+                        # Guard: skip malformed lines missing required fields
+                        if [ -z "$pattern" ] || [ -z "$strategy" ]; then
+                            eagle_log "WARN" "Curator: skipping malformed RULE line: $line"
+                            continue
+                        fi
+                        case "$strategy" in summary|truncate) ;; *)
+                            eagle_log "WARN" "Curator: skipping RULE with invalid strategy '$strategy'"
+                            continue
+                        ;; esac
+
                         [ "$max_lines" = "-" ] && max_lines=""
 
                         if [ "$DRY_RUN" -eq 1 ]; then
@@ -292,6 +302,12 @@ Rules:
                     fdesc=$(echo "$fdesc" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
                     ffiles=$(echo "$ffiles" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
 
+                    # Guard: skip malformed lines missing required name
+                    if [ -z "$fname" ]; then
+                        eagle_log "WARN" "Curator: skipping malformed FEATURE line: $line"
+                        continue
+                    fi
+
                     if [ "$DRY_RUN" -eq 1 ]; then
                         eagle_info "  Feature: $fname — $fdesc"
                         eagle_info "    Files: $ffiles"

package/scripts/install.sh

@@ -152,7 +152,10 @@ eagle_ok "Files copied to $EAGLE_MEM_DIR"
 
 # ─── Run migrations ────────────────────────────────────────
 
-"$EAGLE_MEM_DIR/db/migrate.sh" 2>/dev/null | grep -v -E '^(wal|5000|Eagle Mem database)$' > /dev/null
+if ! "$EAGLE_MEM_DIR/db/migrate.sh" 2>/dev/null; then
+    eagle_err "Database migration failed"
+    exit 1
+fi
 eagle_ok "Database ready"
 
 # ─── Patch settings.json ───────────────────────────────────
@@ -242,7 +245,7 @@ else
         echo ""
         eagle_ok "Statusline ${DIM}(manual patch needed — instructions above)${RESET}"
     else
-        eagle_ok "Statusline ${DIM}(already has Eagle Mem)${RESET}"
+        eagle_ok "Statusline ${DIM}(existing — cannot auto-patch; add Eagle Mem manually)${RESET}"
     fi
 fi
 

package/scripts/uninstall.sh

@@ -18,7 +18,7 @@ eagle_header "Uninstall"
 # ─── Remove hooks from settings.json ──────────────────────
 
 if [ -f "$SETTINGS" ] && command -v jq &>/dev/null; then
-    for event in SessionStart Stop PostToolUse SessionEnd UserPromptSubmit; do
+    for event in SessionStart Stop PostToolUse PreToolUse SessionEnd UserPromptSubmit; do
         if jq -e ".hooks.${event}" "$SETTINGS" &>/dev/null; then
             tmp=$(mktemp)
             jq ".hooks.${event} = [.hooks.${event}[]? | select(any(.hooks[]?; .command | contains(\"eagle-mem\")) | not)]" "$SETTINGS" > "$tmp" && mv "$tmp" "$SETTINGS"

package/scripts/update.sh

@@ -46,7 +46,11 @@ eagle_ok "Files updated"
 
 # ─── Run pending migrations ────────────────────────────────
 
-migration_output=$("$EAGLE_MEM_DIR/db/migrate.sh" 2>/dev/null | grep -v -E '^(wal|5000)$')
+migration_output=$("$EAGLE_MEM_DIR/db/migrate.sh" 2>&1) || {
+    eagle_err "Database migration failed"
+    eagle_err "$migration_output"
+    exit 1
+}
 if echo "$migration_output" | grep -q "applied:"; then
     echo "$migration_output" | grep "applied:" | while read -r line; do
         eagle_ok "Migration: ${line#*applied: }"