engramx 2.0.1 → 2.1.0

package/dist/{core-6IY5L6II.js → core-TSXA5XZH.js}

@@ -11,7 +11,7 @@ import {
   path,
   query,
   stats
-} from "./chunk-SJT7VS2G.js";
+} from "./chunk-ZVWRIVWQ.js";
 import "./chunk-PEH54LYC.js";
 export {
   benchmark,

package/dist/{cursor-mdc-GJ7E5LDD.js → cursor-mdc-VEOFFDVO.js}

@@ -33,7 +33,7 @@ function buildSection(heading, bullets) {
   return [`## ${heading}`, "", ...bullets, ""].join("\n");
 }
 async function generateCursorMdc(projectPath) {
-  const { getStore } = await import("./core-6IY5L6II.js");
+  const { getStore } = await import("./core-TSXA5XZH.js");
   const store = await getStore(projectPath);
   try {
     const allNodes = store.getAllNodes();

package/dist/{exporter-GWU2GF23.js → exporter-AWXS34AS.js}

@@ -12,7 +12,7 @@ function buildSection(heading, nodes) {
   return [`## ${heading}`, "", ...bullets, ""].join("\n");
 }
 async function exportCcs(projectRoot) {
-  const { getStore } = await import("./core-6IY5L6II.js");
+  const { getStore } = await import("./core-TSXA5XZH.js");
   const store = await getStore(projectRoot);
   try {
     const allNodes = store.getAllNodes();

package/dist/{importer-V62NGZRK.js → importer-3Q5M6QBL.js}

@@ -25,7 +25,7 @@ async function importCcs(projectRoot) {
   if (!existsSync(filePath)) {
     return { nodesCreated: 0, sectionsFound: 0 };
   }
-  const { getStore } = await import("./core-6IY5L6II.js");
+  const { getStore } = await import("./core-TSXA5XZH.js");
   const store = await getStore(projectRoot);
   try {
     const raw = readFileSync(filePath, "utf-8");

package/dist/index.js

@@ -4,7 +4,7 @@ import {
   generateSummary,
   install,
   uninstall
-} from "./chunk-C6GBUOAL.js";
+} from "./chunk-4XA6ENNL.js";
 import {
   GraphStore,
   SUPPORTED_EXTENSIONS,
@@ -23,7 +23,7 @@ import {
   sliceGraphemeSafe,
   stats,
   truncateGraphemeSafe
-} from "./chunk-SJT7VS2G.js";
+} from "./chunk-ZVWRIVWQ.js";
 import "./chunk-PEH54LYC.js";
 export {
   GraphStore,

package/dist/install-YVMVCFQW.js

@@ -0,0 +1,121 @@
+// src/update/install.ts
+import { execFileSync, spawnSync } from "child_process";
+import { existsSync } from "fs";
+import { dirname } from "path";
+import { fileURLToPath } from "url";
+var PACKAGE_NAME = "engramx";
+function detectPackageManager() {
+  let installPath = null;
+  try {
+    installPath = dirname(fileURLToPath(import.meta.url));
+  } catch {
+    installPath = null;
+  }
+  if (!installPath) {
+    return { manager: null, installPath: null, reason: "none" };
+  }
+  const lower = installPath.toLowerCase();
+  if (lower.includes("/pnpm/") || lower.includes("\\pnpm\\")) {
+    return { manager: "pnpm", installPath, reason: "pnpm-path-marker" };
+  }
+  if (lower.includes("/.yarn/") || lower.includes("\\.yarn\\")) {
+    return { manager: "yarn", installPath, reason: "yarn-path-marker" };
+  }
+  if (lower.includes("/bun/") || lower.includes("\\bun\\")) {
+    return { manager: "bun", installPath, reason: "bun-path-marker" };
+  }
+  return { manager: "npm", installPath, reason: "npm-fallback" };
+}
+function upgradeCommand(manager, channel = "latest") {
+  const target = `${PACKAGE_NAME}@${channel}`;
+  switch (manager) {
+    case "npm":
+      return { cmd: "npm", args: ["install", "-g", target] };
+    case "pnpm":
+      return { cmd: "pnpm", args: ["add", "-g", target] };
+    case "yarn":
+      return { cmd: "yarn", args: ["global", "add", target] };
+    case "bun":
+      return { cmd: "bun", args: ["add", "-g", target] };
+  }
+}
+function managerOnPath(manager) {
+  try {
+    const r = spawnSync(manager, ["--version"], {
+      encoding: "utf-8",
+      timeout: 2e3
+    });
+    return r.status === 0;
+  } catch {
+    return false;
+  }
+}
+function runUpgrade(opts = {}) {
+  const channel = opts.channel ?? "latest";
+  const detected = opts.manager !== void 0 ? { manager: opts.manager, installPath: null, reason: "override" } : detectPackageManager();
+  if (detected.manager === null) {
+    return {
+      ok: false,
+      message: "Could not detect how engram was installed. Run your package manager's upgrade manually.",
+      executed: null,
+      stderrTail: null
+    };
+  }
+  if (!managerOnPath(detected.manager)) {
+    return {
+      ok: false,
+      message: `${detected.manager} not found on PATH. Install it or use a different package manager.`,
+      executed: null,
+      stderrTail: null
+    };
+  }
+  const { cmd, args } = upgradeCommand(detected.manager, channel);
+  const executed = `${cmd} ${args.join(" ")}`;
+  if (opts.dryRun) {
+    return {
+      ok: true,
+      message: `Would run: ${executed}`,
+      executed,
+      stderrTail: null
+    };
+  }
+  try {
+    execFileSync(cmd, args, {
+      stdio: "inherit",
+      timeout: 12e4
+    });
+    return {
+      ok: true,
+      message: `Upgrade complete via ${detected.manager}.`,
+      executed,
+      stderrTail: null
+    };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    const tail = msg.split("\n").slice(-5).join("\n");
+    return {
+      ok: false,
+      message: `Upgrade failed via ${detected.manager}. Try manually: ${executed}`,
+      executed,
+      stderrTail: tail
+    };
+  }
+}
+function manualCommand(channel = "latest") {
+  return `npm install -g ${PACKAGE_NAME}@${channel}`;
+}
+function safeEnvironment() {
+  if (existsSync("/opt/homebrew/bin/engram") || existsSync("/usr/local/Homebrew/bin/engram")) {
+  }
+  return { ok: true };
+}
+var PACKAGE = PACKAGE_NAME;
+export {
+  PACKAGE,
+  detectPackageManager,
+  managerOnPath,
+  manualCommand,
+  runUpgrade,
+  safeEnvironment,
+  upgradeCommand
+};

package/dist/notify-5POGKMRX.js

@@ -0,0 +1,36 @@
+import {
+  cachePath,
+  isNewer,
+  optedOut
+} from "./chunk-RM2TBOVW.js";
+
+// src/update/notify.ts
+import chalk from "chalk";
+import { existsSync, readFileSync } from "fs";
+var printedThisProcess = false;
+function maybePrintUpdateHint(currentVersion) {
+  if (printedThisProcess) return null;
+  if (optedOut()) return null;
+  const path = cachePath();
+  if (!existsSync(path)) return null;
+  let latest = null;
+  try {
+    const parsed = JSON.parse(readFileSync(path, "utf-8"));
+    if (typeof parsed?.latest === "string") latest = parsed.latest;
+  } catch {
+    return null;
+  }
+  if (!latest) return null;
+  if (!isNewer(latest, currentVersion)) return null;
+  const hint = chalk.dim("\u{1F4A1} ") + chalk.yellow(`engram v${latest}`) + chalk.dim(" is available \u2014 run ") + chalk.white("engram update") + chalk.dim(` (you're on v${currentVersion})`);
+  process.stderr.write(hint + "\n");
+  printedThisProcess = true;
+  return hint;
+}
+function _resetPrintedFlag() {
+  printedThisProcess = false;
+}
+export {
+  _resetPrintedFlag,
+  maybePrintUpdateHint
+};

package/dist/report-C3GTM3HY.js

@@ -0,0 +1,12 @@
+import {
+  buildReport,
+  exportReport,
+  formatReport
+} from "./chunk-XVYE4OX2.js";
+import "./chunk-RM2TBOVW.js";
+import "./chunk-G4U3QOOW.js";
+export {
+  buildReport,
+  exportReport,
+  formatReport
+};

package/dist/serve.js

@@ -2,13 +2,14 @@
 import {
   MAX_MISTAKE_LABEL_CHARS,
   benchmark,
+  formatThousands,
   godNodes,
   mistakes,
   path,
   query,
   stats,
   truncateGraphemeSafe
-} from "./chunk-SJT7VS2G.js";
+} from "./chunk-ZVWRIVWQ.js";
 import "./chunk-PEH54LYC.js";
 
 // src/serve.ts
@@ -111,8 +112,8 @@ AMBIGUOUS: ${s.ambiguousPct}%`;
     case "benchmark": {
       const b = await benchmark(PROJECT_ROOT);
       return [
-        `Full corpus: ~${b.naiveFullCorpus.toLocaleString()} tokens`,
-        `Avg graph query: ~${b.avgQueryTokens.toLocaleString()} tokens`,
+        `Full corpus: ~${formatThousands(b.naiveFullCorpus)} tokens`,
+        `Avg graph query: ~${formatThousands(b.avgQueryTokens)} tokens`,
         `Reduction vs full corpus: ${b.reductionVsFull}x`,
         `Reduction vs relevant files: ${b.reductionVsRelevant}x`,
         "",

package/dist/{server-6AOI7NQP.js → server-A6MUVKQK.js}

@@ -3,9 +3,18 @@ import {
   getContextCache
 } from "./chunk-CIQQ5Y3S.js";
 import {
-  getComponentStatus,
+  getOrCreateToken,
+  isHostValid,
+  isOriginAllowed,
+  parseCookies,
+  safeEqual
+} from "./chunk-N6PPKOPK.js";
+import {
   summarizeHookLog
-} from "./chunk-533LR4I7.js";
+} from "./chunk-XFE6ZANP.js";
+import {
+  getComponentStatus
+} from "./chunk-G4U3QOOW.js";
 import {
   readHookLog
 } from "./chunk-KL6NSPVA.js";
@@ -14,7 +23,7 @@ import {
   learn,
   query,
   stats
-} from "./chunk-SJT7VS2G.js";
+} from "./chunk-ZVWRIVWQ.js";
 import "./chunk-PEH54LYC.js";
 
 // src/server/http.ts
@@ -1006,6 +1015,14 @@ var PROVIDERS = [
   "context7",
   "obsidian"
 ];
+var serverToken = "";
+var serverPort = 0;
+function currentToken() {
+  return serverToken;
+}
+function authCookie(token) {
+  return `engram_token=${token}; HttpOnly; SameSite=Strict; Path=/`;
+}
 function parseUrl(req) {
   return new URL(req.url ?? "/", `http://${req.headers.host ?? "localhost"}`);
 }
@@ -1014,23 +1031,42 @@ async function readBody(req) {
   for await (const chunk of req) chunks.push(chunk);
   return Buffer.concat(chunks).toString("utf-8");
 }
-function json(res, status, data) {
+function corsHeaders(req) {
+  const origin = req.headers.origin;
+  if (!origin || !isOriginAllowed(origin, serverPort)) return {};
+  return {
+    "Access-Control-Allow-Origin": origin,
+    "Access-Control-Allow-Credentials": "true",
+    "Vary": "Origin"
+  };
+}
+function json(res, status, data, extraHeaders = {}) {
   res.writeHead(status, {
     "Content-Type": "application/json",
-    "Access-Control-Allow-Origin": "*",
-    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
-    "Access-Control-Allow-Headers": "Authorization, Content-Type"
+    ...extraHeaders
   });
   res.end(JSON.stringify(data));
 }
 function checkAuth(req, res) {
-  const token = process.env.ENGRAM_API_TOKEN;
-  if (!token) return true;
-  const header = req.headers.authorization ?? "";
-  if (header === `Bearer ${token}`) return true;
+  const expected = currentToken();
+  const auth = req.headers.authorization ?? "";
+  if (auth.startsWith("Bearer ")) {
+    const presented = auth.slice(7).trim();
+    if (safeEqual(presented, expected)) return true;
+  }
+  const cookies = parseCookies(req.headers.cookie);
+  if (cookies.engram_token && safeEqual(cookies.engram_token, expected)) {
+    return true;
+  }
   json(res, 401, { error: "Unauthorized" });
   return false;
 }
+function requireJsonContentType(req, res) {
+  const ct = (req.headers["content-type"] ?? "").toLowerCase();
+  if (ct.startsWith("application/json")) return true;
+  json(res, 415, { error: "Content-Type must be application/json" });
+  return false;
+}
 function handleHealth(_req, res, startedAt) {
   json(res, 200, {
     ok: true,
@@ -1219,12 +1255,12 @@ async function handleGraphGodNodes(_req, res, projectRoot) {
 }
 var sseClients = /* @__PURE__ */ new Set();
 var hookLogWatcher = null;
-function handleSSE(_req, res, projectRoot) {
+function handleSSE(req, res, projectRoot) {
   res.writeHead(200, {
     "Content-Type": "text/event-stream",
     "Cache-Control": "no-cache",
     "Connection": "keep-alive",
-    "Access-Control-Allow-Origin": "*"
+    ...corsHeaders(req)
   });
   res.write('data: {"type":"connected"}\n\n');
   sseClients.add(res);
@@ -1277,23 +1313,73 @@ function removePid(projectRoot) {
 function createHttpServer(projectRoot, port) {
   return new Promise((resolve, reject) => {
     const startedAt = Date.now();
+    const tokenInfo = getOrCreateToken();
+    serverToken = tokenInfo.token;
+    serverPort = port;
     const server = createServer(async (req, res) => {
+      if (!isHostValid(req.headers.host, port)) {
+        res.writeHead(400);
+        res.end();
+        return;
+      }
+      const origin = req.headers.origin;
+      if (origin && !isOriginAllowed(origin, port)) {
+        res.writeHead(403);
+        res.end();
+        return;
+      }
+      if (origin && isOriginAllowed(origin, port)) {
+        res.setHeader("Access-Control-Allow-Origin", origin);
+        res.setHeader("Access-Control-Allow-Credentials", "true");
+        res.setHeader("Vary", "Origin");
+      }
       if (req.method === "OPTIONS") {
         res.writeHead(204, {
-          "Access-Control-Allow-Origin": "*",
           "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
           "Access-Control-Allow-Headers": "Authorization, Content-Type"
         });
         res.end();
         return;
       }
-      if (!checkAuth(req, res)) return;
       const url = parseUrl(req);
       const path = url.pathname;
+      if (req.method === "GET" && path === "/health") {
+        handleHealth(req, res, startedAt);
+        return;
+      }
+      if (req.method === "GET" && path === "/favicon.ico") {
+        const svg = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><rect width="100" height="100" rx="20" fill="#0a0a0b"/><text x="50" y="62" font-size="56" text-anchor="middle" fill="#10b981" font-family="Menlo,monospace">&#9670;</text></svg>';
+        res.writeHead(200, {
+          "Content-Type": "image/svg+xml",
+          "Cache-Control": "public, max-age=86400"
+        });
+        res.end(svg);
+        return;
+      }
+      if (req.method === "GET" && (path === "/ui" || path === "/ui/")) {
+        const queryToken = url.searchParams.get("token");
+        if (queryToken) {
+          const fetchSite = req.headers["sec-fetch-site"];
+          const siteOk = fetchSite === void 0 || fetchSite === "none" || fetchSite === "same-origin";
+          if (siteOk && safeEqual(queryToken, currentToken())) {
+            res.writeHead(302, {
+              Location: "/ui",
+              "Set-Cookie": authCookie(currentToken()),
+              "Referrer-Policy": "no-referrer",
+              "Cache-Control": "no-store",
+              "X-Content-Type-Options": "nosniff"
+            });
+            res.end();
+            return;
+          }
+        }
+      }
+      if (!checkAuth(req, res)) return;
+      if (req.method === "POST" || req.method === "PUT" || req.method === "DELETE") {
+        if (!requireJsonContentType(req, res)) return;
+      }
       try {
-        if (req.method === "GET" && path === "/health") {
-          handleHealth(req, res, startedAt);
-        } else if (req.method === "GET" && path === "/query") {
+        if (req.method === "GET" && path === "/query") {
           await handleQuery(req, res, projectRoot);
         } else if (req.method === "GET" && path === "/stats") {
           await handleStats(req, res, projectRoot);
@@ -1322,16 +1408,11 @@ function createHttpServer(projectRoot, port) {
         } else if (req.method === "GET" && (path === "/ui" || path === "/ui/")) {
           res.writeHead(200, {
             "Content-Type": "text/html; charset=utf-8",
-            "Cache-Control": "no-cache"
+            "Cache-Control": "no-cache",
+            "Set-Cookie": authCookie(currentToken()),
+            "X-Content-Type-Options": "nosniff"
           });
           res.end(buildDashboardHtml());
-        } else if (req.method === "GET" && path === "/favicon.ico") {
-          const svg = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><rect width="100" height="100" rx="20" fill="#0a0a0b"/><text x="50" y="62" font-size="56" text-anchor="middle" fill="#10b981" font-family="Menlo,monospace">&#9670;</text></svg>';
-          res.writeHead(200, {
-            "Content-Type": "image/svg+xml",
-            "Cache-Control": "public, max-age=86400"
-          });
-          res.end(svg);
         } else {
           json(res, 404, { error: "Not found" });
         }
@@ -1351,7 +1432,7 @@ function createHttpServer(projectRoot, port) {
       };
       process.on("SIGINT", cleanup);
       process.on("SIGTERM", cleanup);
-      resolve();
+      resolve(tokenInfo);
     });
   });
 }
@@ -1359,11 +1440,26 @@ function createHttpServer(projectRoot, port) {
 // src/server/index.ts
 var DEFAULT_PORT = 7337;
 async function startHttpServer(projectRoot, port = DEFAULT_PORT) {
-  await createHttpServer(projectRoot, port);
-  process.stdout.write(
-    `engram HTTP server listening on http://127.0.0.1:${port}
+  const tokenInfo = await createHttpServer(projectRoot, port);
+  const url = `http://127.0.0.1:${port}`;
+  process.stdout.write(`engram HTTP server listening on ${url}
+`);
+  if (tokenInfo.source === "env") {
+    process.stderr.write(
+      "engram: auth token from ENGRAM_API_TOKEN env var\n"
+    );
+  } else if (tokenInfo.source === "file") {
+    process.stderr.write(
+      `engram: auth token at ${tokenInfo.path}
 `
-  );
+    );
+  } else {
+    process.stderr.write(
+      `engram: auth token generated at ${tokenInfo.path} (0600)
+        curl -H "Authorization: Bearer $(cat ${tokenInfo.path})" ${url}/stats
+`
+    );
+  }
 }
 export {
   startHttpServer

package/dist/{windsurf-rules-C7SVDHBL.js → windsurf-rules-RWPKBHRD.js}

@@ -7,7 +7,7 @@ function buildSection(heading, lines) {
   return [`## ${heading}`, "", ...lines, ""].join("\n");
 }
 async function generateWindsurfRules(projectRoot) {
-  const { getStore } = await import("./core-6IY5L6II.js");
+  const { getStore } = await import("./core-TSXA5XZH.js");
   const store = await getStore(projectRoot);
   try {
     const allNodes = store.getAllNodes();