eagle-mem 3.0.0 → 3.0.2

package/lib/hooks-posttool.sh

@@ -0,0 +1,138 @@
+#!/usr/bin/env bash
+# ═══════════════════════════════════════════════════════════
+# Eagle Mem — PostToolUse extracted responsibilities
+# Source from hooks/post-tool-use.sh after common.sh + db.sh
+# ═══════════════════════════════════════════════════════════
+[ -n "${_EAGLE_HOOKS_POSTTOOL_LOADED:-}" ] && return 0
+_EAGLE_HOOKS_POSTTOOL_LOADED=1
+
+eagle_posttool_mirror_writes() {
+    local tool_name="$1" fp="$2" session_id="$3" project="$4"
+
+    case "$tool_name" in
+        Write|Edit)
+            if [ -n "$fp" ]; then
+                case "$fp" in
+                    *..*) ;; # path traversal — skip
+                    "$EAGLE_CLAUDE_PROJECTS_DIR"/*/memory/*.md)
+                        local mem_base
+                        mem_base=$(basename "$fp")
+                        if [ "$mem_base" != "MEMORY.md" ] && [ -f "$fp" ]; then
+                            eagle_capture_claude_memory "$fp" "$session_id" "$project"
+                        fi
+                        ;;
+                    "$EAGLE_CLAUDE_PLANS_DIR/"*.md)
+                        if [ -f "$fp" ]; then
+                            eagle_capture_claude_plan "$fp" "$session_id" "$project"
+                        fi
+                        ;;
+                esac
+            fi
+            ;;
+    esac
+}
+
+eagle_posttool_mirror_tasks() {
+    local tool_name="$1" session_id="$2" project="$3" input="$4"
+
+    case "$tool_name" in
+        TaskCreate|TaskUpdate)
+            if eagle_validate_session_id "$session_id"; then
+                local task_dir="$EAGLE_CLAUDE_TASKS_DIR/$session_id"
+                if [ -d "$task_dir" ]; then
+                    local task_id
+                    task_id=$(echo "$input" | jq -r '.tool_input.id // empty')
+                    if [ -z "$task_id" ]; then
+                        local newest
+                        newest=$(ls -t "$task_dir"/*.json 2>/dev/null | head -1)
+                        [ -n "$newest" ] && [ -f "$newest" ] && eagle_capture_claude_task "$newest" "$session_id" "$project"
+                    elif eagle_validate_session_id "$task_id"; then
+                        local task_json="$task_dir/$task_id.json"
+                        [ -f "$task_json" ] && eagle_capture_claude_task "$task_json" "$session_id" "$project"
+                    fi
+                fi
+            fi
+            ;;
+    esac
+}
+
+eagle_posttool_stale_hint() {
+    local tool_name="$1" fp="$2" project="$3"
+
+    case "$tool_name" in
+        Write|Edit)
+            if [ -n "$fp" ]; then
+                local fname fname_stem
+                fname=$(basename "$fp")
+                fname_stem="${fname%.*}"
+                case "$fp" in
+                    "$HOME/.claude/"*) ;; # skip Claude config files
+                    *)
+                        if [ ${#fname_stem} -ge 3 ]; then
+                            local fts_query
+                            fts_query=$(eagle_fts_sanitize "$fname_stem")
+                            if [ -n "$fts_query" ]; then
+                                local stale_hit
+                                stale_hit=$(eagle_search_stale_memories "$project" "$fts_query")
+                                if [ -n "$stale_hit" ]; then
+                                    local stale_msg="Eagle Mem: Memory '${stale_hit}' may reference '${fname}'. If your edit contradicts it, update the memory."
+                                    jq -nc --arg ctx "$stale_msg" '{"hookSpecificOutput":{"hookEventName":"PostToolUse","additionalContext":$ctx}}'
+                                fi
+                            fi
+                        fi
+                        ;;
+                esac
+            fi
+            ;;
+    esac
+}
+
+eagle_posttool_decision_surface() {
+    local tool_name="$1" fp="$2" project="$3"
+
+    case "$tool_name" in
+        Read)
+            if [ -n "$fp" ]; then
+                local fname fname_stem read_context=""
+                fname=$(basename "$fp")
+                fname_stem="${fname%.*}"
+                case "$fp" in
+                    "$HOME/.claude/"*) ;; # skip Claude config files
+                    *)
+                        if [ ${#fname_stem} -ge 3 ]; then
+                            local fts_query
+                            fts_query=$(eagle_fts_sanitize "$fname_stem")
+                            if [ -n "$fts_query" ]; then
+                                local decision_hit
+                                decision_hit=$(eagle_search_decisions_for_file "$project" "$fts_query")
+                                if [ -n "$decision_hit" ]; then
+                                    read_context+="Eagle Mem decision history for '${fname}': ${decision_hit} — Do not revert without explicit user request. "
+                                fi
+                            fi
+                        fi
+
+                        local feature_hit
+                        feature_hit=$(eagle_find_features_for_file "$project" "$fp")
+                        if [ -n "$feature_hit" ]; then
+                            while IFS='|' read -r feat_name feat_desc feat_verified _role feat_deps feat_other_files feat_smoke; do
+                                [ -z "$feat_name" ] && continue
+                                read_context+="Eagle Mem: '${fname}' is part of feature '${feat_name}'"
+                                [ -n "$feat_desc" ] && read_context+=" ($feat_desc)"
+                                read_context+="."
+                                [ -n "$feat_verified" ] && read_context+=" Last verified: ${feat_verified}."
+                                [ -n "$feat_deps" ] && read_context+=" Dependencies: ${feat_deps}."
+                                [ -n "$feat_other_files" ] && read_context+=" Other files in pipeline: ${feat_other_files}."
+                                [ -n "$feat_smoke" ] && read_context+=" Smoke tests: ${feat_smoke}."
+                                read_context+=" Changes require re-testing after deploy. "
+                            done <<< "$feature_hit"
+                        fi
+
+                        if [ -n "$read_context" ]; then
+                            jq -nc --arg ctx "$read_context" '{"hookSpecificOutput":{"hookEventName":"PostToolUse","additionalContext":$ctx}}'
+                        fi
+                        ;;
+                esac
+            fi
+            ;;
+    esac
+}

package/lib/provider.sh

@@ -50,19 +50,30 @@ eagle_config_set() {
     local key="$2"
     local value="$3"
 
+    # Validate section/key are alphanumeric+underscore (safe for grep/sed patterns)
+    if [[ ! "$section" =~ ^[A-Za-z0-9_-]+$ ]] || [[ ! "$key" =~ ^[A-Za-z0-9_-]+$ ]]; then
+        eagle_log "ERROR" "config_set: invalid section/key: [$section] $key"
+        return 1
+    fi
+
     if [ ! -f "$EAGLE_CONFIG_FILE" ]; then
         eagle_config_init
     fi
 
+    # Escape sed metacharacters in value to prevent injection via |, &, \, /
+    local safe_value
+    safe_value=$(printf '%s' "$value" | sed 's/[|&/\]/\\&/g')
+
     if grep -q "^\[${section}\]" "$EAGLE_CONFIG_FILE" 2>/dev/null; then
         if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$EAGLE_CONFIG_FILE" 2>/dev/null; then
-            sed -i '' "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = \"${value}\"|" "$EAGLE_CONFIG_FILE"
+            sed -i '' "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = \"${safe_value}\"|" "$EAGLE_CONFIG_FILE"
         else
             sed -i '' "/^\[${section}\]/a\\
-${key} = \"${value}\"
+${key} = \"${safe_value}\"
 " "$EAGLE_CONFIG_FILE"
         fi
     else
+        # printf is safe — no sed interpolation needed for append
         printf '\n[%s]\n%s = "%s"\n' "$section" "$key" "$value" >> "$EAGLE_CONFIG_FILE"
     fi
 }
@@ -115,7 +126,10 @@ eagle_config_init() {
         model="gpt-4o-mini"
     fi
 
-    cat > "$EAGLE_CONFIG_FILE" << TOML
+    # Create config with restrictive permissions from the start (no TOCTOU window)
+    (
+        umask 077
+        cat > "$EAGLE_CONFIG_FILE" << TOML
 # Eagle Mem configuration
 # Docs: https://github.com/eagleisbatman/eagle-mem
 
@@ -144,7 +158,7 @@ schedule = "manual"
 # Additional secret patterns (regex) beyond built-in defaults
 # extra_patterns = ["MY_CUSTOM_SECRET_.*"]
 TOML
-
+    )
     eagle_log "INFO" "Config initialized: provider=$provider model=$model"
 }
 
@@ -236,11 +250,12 @@ _eagle_call_anthropic() {
             messages: [{role: "user", content: $prompt}]
         }')
 
+    # Pass API key via config stdin to avoid exposing it in process list (ps aux)
     local response
     response=$(curl -sf "https://api.anthropic.com/v1/messages" \
         --connect-timeout 5 \
         --max-time 120 \
-        -H "x-api-key: ${api_key}" \
+        -K <(printf 'header = "x-api-key: %s"' "$api_key") \
         -H "anthropic-version: 2023-06-01" \
         -H "content-type: application/json" \
         -d "$body" 2>/dev/null)
@@ -280,11 +295,12 @@ _eagle_call_openai() {
             ]
         }')
 
+    # Pass API key via config stdin to avoid exposing it in process list (ps aux)
     local response
     response=$(curl -sf "https://api.openai.com/v1/chat/completions" \
         --connect-timeout 5 \
         --max-time 120 \
-        -H "Authorization: Bearer ${api_key}" \
+        -K <(printf 'header = "Authorization: Bearer %s"' "$api_key") \
         -H "content-type: application/json" \
         -d "$body" 2>/dev/null)
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "eagle-mem",
-  "version": "3.0.0",
+  "version": "3.0.2",
   "description": "Persistent memory for Claude Code — SQLite + FTS5, no daemon, no bloat",
   "bin": {
     "eagle-mem": "bin/eagle-mem"

package/scripts/curate.sh

@@ -213,6 +213,16 @@ If no rules needed, output: NONE"
                         max_lines=$(echo "$max_lines" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
                         reason=$(echo "$reason" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
 
+                        # Guard: skip malformed lines missing required fields
+                        if [ -z "$pattern" ] || [ -z "$strategy" ]; then
+                            eagle_log "WARN" "Curator: skipping malformed RULE line: $line"
+                            continue
+                        fi
+                        case "$strategy" in summary|truncate) ;; *)
+                            eagle_log "WARN" "Curator: skipping RULE with invalid strategy '$strategy'"
+                            continue
+                        ;; esac
+
                         [ "$max_lines" = "-" ] && max_lines=""
 
                         if [ "$DRY_RUN" -eq 1 ]; then
@@ -292,6 +302,12 @@ Rules:
                     fdesc=$(echo "$fdesc" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
                     ffiles=$(echo "$ffiles" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
 
+                    # Guard: skip malformed lines missing required name
+                    if [ -z "$fname" ]; then
+                        eagle_log "WARN" "Curator: skipping malformed FEATURE line: $line"
+                        continue
+                    fi
+
                     if [ "$DRY_RUN" -eq 1 ]; then
                         eagle_info "  Feature: $fname — $fdesc"
                         eagle_info "    Files: $ffiles"

package/scripts/install.sh

@@ -152,7 +152,10 @@ eagle_ok "Files copied to $EAGLE_MEM_DIR"
 
 # ─── Run migrations ────────────────────────────────────────
 
-"$EAGLE_MEM_DIR/db/migrate.sh" 2>/dev/null | grep -v -E '^(wal|5000|Eagle Mem database)$' > /dev/null
+if ! "$EAGLE_MEM_DIR/db/migrate.sh" 2>/dev/null; then
+    eagle_err "Database migration failed"
+    exit 1
+fi
 eagle_ok "Database ready"
 
 # ─── Patch settings.json ───────────────────────────────────
@@ -242,7 +245,7 @@ else
         echo ""
         eagle_ok "Statusline ${DIM}(manual patch needed — instructions above)${RESET}"
     else
-        eagle_ok "Statusline ${DIM}(already has Eagle Mem)${RESET}"
+        eagle_ok "Statusline ${DIM}(existing — cannot auto-patch; add Eagle Mem manually)${RESET}"
     fi
 fi
 

package/scripts/memories.sh

@@ -438,7 +438,7 @@ memories_sync() {
     eagle_info "Scanning for Claude Code auto-memory files..."
     echo ""
 
-    local claude_mem_root="$HOME/.claude/projects"
+    local claude_mem_root="$EAGLE_CLAUDE_PROJECTS_DIR"
     local mem_synced=0
     local mem_skipped=0
 
@@ -471,7 +471,7 @@ memories_sync() {
     eagle_info "Scanning for Claude Code plan files..."
     echo ""
 
-    local plans_dir="$HOME/.claude/plans"
+    local plans_dir="$EAGLE_CLAUDE_PLANS_DIR"
     local plan_synced=0
     local plan_skipped=0
 
@@ -504,7 +504,7 @@ memories_sync() {
     eagle_info "Scanning for Claude Code task files..."
     echo ""
 
-    local tasks_dir="$HOME/.claude/tasks"
+    local tasks_dir="$EAGLE_CLAUDE_TASKS_DIR"
     local task_synced=0
     local task_skipped=0
 

package/scripts/uninstall.sh

@@ -18,7 +18,7 @@ eagle_header "Uninstall"
 # ─── Remove hooks from settings.json ──────────────────────
 
 if [ -f "$SETTINGS" ] && command -v jq &>/dev/null; then
-    for event in SessionStart Stop PostToolUse SessionEnd UserPromptSubmit; do
+    for event in SessionStart Stop PostToolUse PreToolUse SessionEnd UserPromptSubmit; do
         if jq -e ".hooks.${event}" "$SETTINGS" &>/dev/null; then
             tmp=$(mktemp)
             jq ".hooks.${event} = [.hooks.${event}[]? | select(any(.hooks[]?; .command | contains(\"eagle-mem\")) | not)]" "$SETTINGS" > "$tmp" && mv "$tmp" "$SETTINGS"

package/scripts/update.sh

@@ -46,7 +46,11 @@ eagle_ok "Files updated"
 
 # ─── Run pending migrations ────────────────────────────────
 
-migration_output=$("$EAGLE_MEM_DIR/db/migrate.sh" 2>/dev/null | grep -v -E '^(wal|5000)$')
+migration_output=$("$EAGLE_MEM_DIR/db/migrate.sh" 2>&1) || {
+    eagle_err "Database migration failed"
+    eagle_err "$migration_output"
+    exit 1
+}
 if echo "$migration_output" | grep -q "applied:"; then
     echo "$migration_output" | grep "applied:" | while read -r line; do
         eagle_ok "Migration: ${line#*applied: }"