gitmem-mcp 1.0.11 → 1.0.13

package/CHANGELOG.md

@@ -7,6 +7,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.0.12] - 2026-02-16
+
+### Fixed
+- **Table prefix for pro tier**: `getTableName()` was resolving to `gitmem_*` tables for pro tier, but those tables don't exist yet. All tiers now default to `orchestra_` prefix until schema migration is complete.
+
+### Changed
+- **Dynamic table names**: Replaced all hardcoded `orchestra_*` table name strings across 22 source files with `getTableName()` calls, making table prefixes configurable via `GITMEM_TABLE_PREFIX` env var.
+- **Release status script**: Added `npm run release-status` to check unpublished commits vs npm.
+
 ## [1.0.11] - 2026-02-16
 
 ### Changed

package/CLAUDE.md.template

@@ -7,6 +7,30 @@ open threads across sessions and projects. Search it. Test it. You might be
 amazed at what's already there. If convinced, make it your own — update your
 MEMORY.md with how you want to use it.
 
+## Red Lines
+
+These constraints are enforced by infrastructure (PreToolUse hooks). Attempting to bypass them will be blocked.
+
+### Credential Protection
+
+Credential exposure in conversation history is permanent and irreversible.
+
+1. **NEVER read credential files in full.** Files like `mcp-config.json`, `.env`, `.credentials.json`, `.netrc`, `.npmrc`, SSH keys, or `.pem`/`.key` files must not be read with the Read tool or dumped with cat/head/tail.
+2. **NEVER print environment variable values that contain secrets.** Commands like `env | grep KEY`, `echo $API_KEY`, or `printenv TOKEN` expose credentials in output.
+3. **NEVER display API keys, tokens, or secrets in conversation output.**
+
+Safe alternatives: `env | grep -c VARNAME` (count only), `[ -n "$VARNAME" ] && echo "set"` (existence check), `grep -c '"key"' config.json` (structure check).
+
+A PreToolUse hook hard-blocks matching commands — the agent cannot execute them.
+
+### Recall Before Consequential Actions
+
+1. **NEVER parallelize `recall()` with actions that expose, modify, or transmit sensitive data.** Recall must complete first.
+2. **Confirm scars before acting.** Each recalled scar requires APPLYING (past-tense evidence), N_A (explanation), or REFUTED (risk acknowledgment).
+3. **Parallel recall is only safe with benign reads** — source code, docs, non-sensitive config.
+
+A PreToolUse hook blocks consequential actions until all recalled scars are confirmed.
+
 ## Tools
 
 | Tool | When to use |

package/README.md

@@ -139,6 +139,13 @@ Your AI agent likely has its own memory file (MEMORY.md, .cursorrules, etc.). He
 
 **Tip:** Include `.gitmem/agent-briefing.md` in your MEMORY.md for a lightweight bridge between the two systems.
 
+## Privacy & Data
+
+- **Local-first** — All data stored in `.gitmem/` on your machine by default
+- **No telemetry** — GitMem does not collect usage data or phone home
+- **Cloud opt-in** — Pro tier Supabase backend requires explicit configuration via environment variables
+- **Your data** — Sessions, scars, and decisions belong to you. Delete `.gitmem/` to remove everything
+
 ## Development
 
 ```bash

package/dist/services/analytics.d.ts

@@ -137,11 +137,11 @@ export interface BlindspotsData {
  */
 export declare function queryScarUsageByDateRange(startDate: string, _endDate: string, _project: Project, agentFilter?: string): Promise<ScarUsageRecord[]>;
 /**
- * Fetch repeat mistakes from orchestra_learnings within a date range.
+ * Fetch repeat mistakes from the learnings table within a date range.
  */
 export declare function queryRepeatMistakes(startDate: string, _endDate: string, project: Project): Promise<RepeatMistakeRecord[]>;
 /**
- * Resolve scar titles and severities from orchestra_learnings for scar_usage
+ * Resolve scar titles and severities from the learnings table for scar_usage
  * records that have null/missing title data.
  */
 export declare function enrichScarUsageTitles(usages: ScarUsageRecord[]): Promise<ScarUsageRecord[]>;

package/dist/services/analytics.js

@@ -8,6 +8,7 @@
  */
 import { directQuery, directQueryAll, safeInFilter } from "./supabase-client.js";
 import { getCache } from "./cache.js";
+import { getTableName } from "./tier.js";
 // --- Query Layer ---
 /**
  * Fetch sessions within a date range.
@@ -22,7 +23,7 @@ export async function querySessionsByDateRange(startDate, endDate, project, agen
             project: `eq.${project}`,
             "created_at": `gte.${startDate}`,
         };
-        return directQueryAll("orchestra_sessions", {
+        return directQueryAll(getTableName("sessions"), {
             select: "id,session_title,session_date,agent,linear_issue,decisions,open_threads,closing_reflection,close_compliance,created_at,project",
             filters,
             order: "created_at.desc",
@@ -60,7 +61,7 @@ export async function queryScarUsageByDateRange(startDate, _endDate, _project, a
     });
 }
 /**
- * Fetch repeat mistakes from orchestra_learnings within a date range.
+ * Fetch repeat mistakes from the learnings table within a date range.
  */
 export async function queryRepeatMistakes(startDate, _endDate, project) {
     const filters = {
@@ -69,7 +70,7 @@ export async function queryRepeatMistakes(startDate, _endDate, project) {
         created_at: `gte.${startDate}`,
         is_active: "eq.true",
     };
-    const repeats = await directQuery("orchestra_learnings", {
+    const repeats = await directQuery(getTableName("learnings"), {
         select: "id,title,related_scar_id,repeat_mistake_details,created_at",
         filters,
         order: "created_at.desc",
@@ -79,7 +80,7 @@ export async function queryRepeatMistakes(startDate, _endDate, project) {
     return repeats.filter(r => r.created_at <= _endDate);
 }
 /**
- * Resolve scar titles and severities from orchestra_learnings for scar_usage
+ * Resolve scar titles and severities from the learnings table for scar_usage
  * records that have null/missing title data.
  */
 export async function enrichScarUsageTitles(usages) {
@@ -92,9 +93,9 @@ export async function enrichScarUsageTitles(usages) {
     }
     if (idsNeedingResolution.size === 0)
         return usages;
-    // Fetch titles from orchestra_learnings
+    // Fetch titles from the learnings table
     const ids = Array.from(idsNeedingResolution);
-    const learnings = await directQuery("orchestra_learnings", {
+    const learnings = await directQuery(getTableName("learnings"), {
         select: "id,title,severity",
         filters: {
             id: safeInFilter(ids),

package/dist/services/startup.js

@@ -15,6 +15,7 @@
 import * as fs from "fs";
 import * as path from "path";
 import { isConfigured, loadScarsWithEmbeddings } from "./supabase-client.js";
+import { getTableName } from "./tier.js";
 import { getGitmemDir } from "./gitmem-dir.js";
 import { initializeLocalSearch, reinitializeLocalSearch, isLocalSearchReady, getLocalVectorSearch, getCacheMetadata, setCacheTtl, } from "./local-vector-search.js";
 import { getConfig, shouldUseLocalSearch } from "./config.js";
@@ -101,7 +102,7 @@ async function getRemoteScarStats() {
         // Quick query to get count and latest timestamp (no embeddings needed)
         // Cross-project — matches unified cache loading
         // Filter embedding=not.is.null to match cache indexing (which skips entries without embeddings)
-        const learnings = await directQuery("orchestra_learnings", {
+        const learnings = await directQuery(getTableName("learnings"), {
             select: "id,updated_at",
             filters: {
                 learning_type: "in.(scar,pattern,win,anti_pattern)",

package/dist/services/supabase-client.js

@@ -8,6 +8,7 @@
  * Integrates with CacheService for performance.
  */
 import { getCache } from "./cache.js";
+import { getTableName } from "./tier.js";
 // --- PostgREST Input Sanitization ---
 const UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 /**
@@ -390,7 +391,7 @@ export async function loadScarsWithEmbeddings(project, limit = 500) {
         if (project) {
             filters.project = project;
         }
-        const learnings = await directQuery("orchestra_learnings", {
+        const learnings = await directQuery(getTableName("learnings"), {
             select: "id,title,description,severity,counter_arguments,applies_when,source_linear_issue,project,embedding,updated_at,learning_type,decay_multiplier",
             filters,
             order: "updated_at.desc",
@@ -435,7 +436,7 @@ export async function cachedScarSearch(query, matchCount = 5, project = "default
 export async function cachedListDecisions(project = "default", limit = 5) {
     const cache = getCache();
     const { data, cache_hit, cache_age_ms } = await cache.getOrFetchDecisions(project, limit, async () => listRecords({
-        table: "orchestra_decisions_lite",
+        table: getTableName("decisions_lite"),
         limit,
         orderBy: { column: "created_at", ascending: false },
     }));
@@ -447,7 +448,7 @@ export async function cachedListDecisions(project = "default", limit = 5) {
 export async function cachedListWins(project = "default", limit = 8, columns) {
     const cache = getCache();
     const { data, cache_hit, cache_age_ms } = await cache.getOrFetchWins(project, limit, async () => listRecords({
-        table: "orchestra_learnings_lite",
+        table: getTableName("learnings_lite"),
         columns,
         filters: {
             learning_type: "win",
@@ -519,7 +520,7 @@ export async function saveTranscript(sessionId, transcript, metadata = {}) {
     // Update the session record with transcript_path (direct REST API)
     let patch_warning;
     try {
-        await directPatch("orchestra_sessions", { id: sessionId }, { transcript_path: path });
+        await directPatch(getTableName("sessions"), { id: sessionId }, { transcript_path: path });
     }
     catch (error) {
         // File is saved; session record update failed — warn, don't fail
@@ -538,7 +539,7 @@ export async function saveTranscript(sessionId, transcript, metadata = {}) {
  */
 export async function getTranscript(sessionId) {
     // First, get the session to find transcript_path
-    const session = await getRecord("orchestra_sessions", sessionId);
+    const session = await getRecord(getTableName("sessions"), sessionId);
     if (!session?.transcript_path) {
         return null;
     }

package/dist/services/thread-suggestions.js

@@ -16,7 +16,7 @@ import * as path from "path";
 import * as crypto from "crypto";
 import { getGitmemDir } from "./gitmem-dir.js";
 import { directQuery } from "./supabase-client.js";
-import { hasSupabase } from "./tier.js";
+import { hasSupabase, getTableName } from "./tier.js";
 import { cosineSimilarity } from "./thread-dedup.js";
 // ---------- Constants ----------
 export const SESSION_SIMILARITY_THRESHOLD = 0.70;
@@ -203,7 +203,7 @@ export async function loadRecentSessionEmbeddings(project = "default", days = 30
         const cutoff = new Date();
         cutoff.setDate(cutoff.getDate() - days);
         const cutoffStr = cutoff.toISOString().split("T")[0]; // YYYY-MM-DD
-        const rows = await directQuery("orchestra_sessions", {
+        const rows = await directQuery(getTableName("sessions"), {
             select: "id,session_title,embedding",
             filters: {
                 project,

package/dist/services/thread-supabase.d.ts

@@ -1,7 +1,7 @@
 /**
  * Thread Supabase Service
  *
- * Provides Supabase CRUD operations for the orchestra_threads table.
+ * Provides Supabase CRUD operations for the threads table.
  * Supabase is the source of truth; local .gitmem/threads.json is a cache.
  *
  * Uses directQuery/directUpsert (PostgREST) like other Supabase operations
@@ -11,7 +11,7 @@
 import type { LifecycleStatus } from "./thread-vitality.js";
 import type { ThreadWithEmbedding } from "./thread-dedup.js";
 import type { ThreadObject, Project } from "../types/index.js";
-/** Shape of a row in orchestra_threads / orchestra_threads_lite */
+/** Shape of a row in threads / threads_lite */
 export interface ThreadRow {
     id: string;
     thread_id: string;
@@ -65,7 +65,7 @@ export declare function resolveThreadInSupabase(threadId: string, options?: {
 }): Promise<boolean>;
 /**
  * List threads from Supabase with project filter.
- * Uses orchestra_threads_lite view (no embedding column).
+ * Uses threads_lite view (no embedding column).
  * Returns null if Supabase is unavailable (caller should fall back to local).
  */
 export declare function listThreadsFromSupabase(project?: Project, options?: {
@@ -74,7 +74,7 @@ export declare function listThreadsFromSupabase(project?: Project, options?: {
 }): Promise<ThreadObject[] | null>;
 /**
  * Load active (non-archived, non-resolved) threads from Supabase for session_start.
- * Uses orchestra_threads_lite view ordered by vitality_score DESC.
+ * Uses threads_lite view ordered by vitality_score DESC.
  * Returns null if Supabase is unavailable.
  */
 export declare function loadActiveThreadsFromSupabase(project?: Project): Promise<{
@@ -103,7 +103,7 @@ export declare function archiveDormantThreads(project?: Project, dormantDays?: n
 }>;
 /**
  * Load open threads WITH embeddings from Supabase for dedup comparison.
- * Uses the full orchestra_threads table (not _lite view) to include embedding column.
+ * Uses the full threads table (not _lite view) to include embedding column.
  * Returns null if Supabase is unavailable.
  */
 export declare function loadOpenThreadEmbeddings(project?: Project): Promise<ThreadWithEmbedding[] | null>;

package/dist/services/thread-supabase.js

@@ -1,7 +1,7 @@
 /**
  * Thread Supabase Service
  *
- * Provides Supabase CRUD operations for the orchestra_threads table.
+ * Provides Supabase CRUD operations for the threads table.
  * Supabase is the source of truth; local .gitmem/threads.json is a cache.
  *
  * Uses directQuery/directUpsert (PostgREST) like other Supabase operations
@@ -9,7 +9,7 @@
  * fall back to local file operations.
  */
 import * as supabase from "./supabase-client.js";
-import { hasSupabase } from "./tier.js";
+import { hasSupabase, getTableName } from "./tier.js";
 import { computeLifecycleStatus, detectThreadClass } from "./thread-vitality.js";
 import { normalizeText, deduplicateThreadList } from "./thread-dedup.js";
 // ---------- Mapping Helpers ----------
@@ -96,7 +96,7 @@ export async function createThreadInSupabase(thread, project = "default", embedd
     }
     try {
         const row = threadObjectToRow(thread, project, embedding);
-        const result = await supabase.directUpsert("orchestra_threads", row);
+        const result = await supabase.directUpsert(getTableName("threads"), row);
         console.error(`[thread-supabase] Created thread ${thread.id} in Supabase`);
         return result;
     }
@@ -116,7 +116,7 @@ export async function resolveThreadInSupabase(threadId, options = {}) {
     }
     try {
         // First, find the UUID primary key for this thread_id
-        const rows = await supabase.directQuery("orchestra_threads", {
+        const rows = await supabase.directQuery(getTableName("threads"), {
             select: "id,thread_id",
             filters: { thread_id: threadId },
             limit: 1,
@@ -136,7 +136,7 @@ export async function resolveThreadInSupabase(threadId, options = {}) {
         if (options.resolvedBySession) {
             patchData.resolved_by_session = options.resolvedBySession;
         }
-        await supabase.directPatch("orchestra_threads", { id: uuid }, patchData);
+        await supabase.directPatch(getTableName("threads"), { id: uuid }, patchData);
         console.error(`[thread-supabase] Resolved thread ${threadId} in Supabase`);
         return true;
     }
@@ -147,7 +147,7 @@ export async function resolveThreadInSupabase(threadId, options = {}) {
 }
 /**
  * List threads from Supabase with project filter.
- * Uses orchestra_threads_lite view (no embedding column).
+ * Uses threads_lite view (no embedding column).
  * Returns null if Supabase is unavailable (caller should fall back to local).
  */
 export async function listThreadsFromSupabase(project = "default", options = {}) {
@@ -176,7 +176,7 @@ export async function listThreadsFromSupabase(project = "default", options = {})
             // Default: exclude resolved and archived
             filters.status = "not.in.(resolved,archived)";
         }
-        const rows = await supabase.directQuery("orchestra_threads_lite", {
+        const rows = await supabase.directQuery(getTableName("threads_lite"), {
             select: "*",
             filters,
             order: "vitality_score.desc,last_touched_at.desc",
@@ -193,7 +193,7 @@ export async function listThreadsFromSupabase(project = "default", options = {})
 }
 /**
  * Load active (non-archived, non-resolved) threads from Supabase for session_start.
- * Uses orchestra_threads_lite view ordered by vitality_score DESC.
+ * Uses threads_lite view ordered by vitality_score DESC.
  * Returns null if Supabase is unavailable.
  */
 export async function loadActiveThreadsFromSupabase(project = "default") {
@@ -202,7 +202,7 @@ export async function loadActiveThreadsFromSupabase(project = "default") {
     }
     try {
         // Get only non-resolved, non-archived threads (open/active only)
-        const rows = await supabase.directQuery("orchestra_threads_lite", {
+        const rows = await supabase.directQuery(getTableName("threads_lite"), {
             select: "*",
             filters: {
                 project,
@@ -264,7 +264,7 @@ export async function touchThreadsInSupabase(threadIds) {
     for (const threadId of threadIds) {
         try {
             // Fetch current state (need created_at and thread_class for vitality recomputation)
-            const rows = await supabase.directQuery("orchestra_threads", {
+            const rows = await supabase.directQuery(getTableName("threads"), {
                 select: "id,touch_count,created_at,thread_class,status",
                 filters: { thread_id: threadId },
                 limit: 1,
@@ -295,7 +295,7 @@ export async function touchThreadsInSupabase(threadIds) {
             else if (lifecycle_status !== "dormant") {
                 delete metadata.dormant_since;
             }
-            await supabase.directPatch("orchestra_threads", { id: row.id }, {
+            await supabase.directPatch(getTableName("threads"), { id: row.id }, {
                 touch_count: newTouchCount,
                 last_touched_at: nowIso,
                 vitality_score: vitality.vitality_score,
@@ -323,7 +323,7 @@ export async function syncThreadsToSupabase(threads, project = "default", sessio
     // for threads that already exist with the same (or similar) text.
     let existingOpenThreads = [];
     try {
-        existingOpenThreads = await supabase.directQuery("orchestra_threads", {
+        existingOpenThreads = await supabase.directQuery(getTableName("threads"), {
             select: "thread_id,text,status",
             filters: {
                 project,
@@ -346,7 +346,7 @@ export async function syncThreadsToSupabase(threads, project = "default", sessio
     for (const thread of threads) {
         try {
             // Check if thread exists in Supabase by ID
-            const existing = await supabase.directQuery("orchestra_threads", {
+            const existing = await supabase.directQuery(getTableName("threads"), {
                 select: "id,thread_id,status",
                 filters: { thread_id: thread.id },
                 limit: 1,
@@ -400,7 +400,7 @@ export async function archiveDormantThreads(project = "default", dormantDays = 3
     }
     try {
         // Fetch dormant threads
-        const rows = await supabase.directQuery("orchestra_threads", {
+        const rows = await supabase.directQuery(getTableName("threads"), {
             select: "id,thread_id,metadata",
             filters: {
                 project,
@@ -417,7 +417,7 @@ export async function archiveDormantThreads(project = "default", dormantDays = 3
             const dormantStart = new Date(dormantSince);
             const daysDormant = (now.getTime() - dormantStart.getTime()) / (1000 * 60 * 60 * 24);
             if (daysDormant >= dormantDays) {
-                await supabase.directPatch("orchestra_threads", { id: row.id }, {
+                await supabase.directPatch(getTableName("threads"), { id: row.id }, {
                     status: "archived",
                 });
                 archived_ids.push(row.thread_id);
@@ -457,7 +457,7 @@ function parseEmbedding(raw) {
 }
 /**
  * Load open threads WITH embeddings from Supabase for dedup comparison.
- * Uses the full orchestra_threads table (not _lite view) to include embedding column.
+ * Uses the full threads table (not _lite view) to include embedding column.
  * Returns null if Supabase is unavailable.
  */
 export async function loadOpenThreadEmbeddings(project = "default") {
@@ -465,7 +465,7 @@ export async function loadOpenThreadEmbeddings(project = "default") {
         return null;
     }
     try {
-        const rows = await supabase.directQuery("orchestra_threads", {
+        const rows = await supabase.directQuery(getTableName("threads"), {
             select: "thread_id,text,embedding",
             filters: {
                 project,

package/dist/services/tier.js

@@ -95,10 +95,8 @@ export function hasEnforcementFields() {
  * Get the table prefix for the current tier
  */
 export function getTablePrefix() {
-    if (getTier() === "dev") {
-        return process.env.GITMEM_TABLE_PREFIX || "orchestra_";
-    }
-    return process.env.GITMEM_TABLE_PREFIX || "gitmem_";
+    // Default prefix for all tiers. Override with GITMEM_TABLE_PREFIX env var.
+    return process.env.GITMEM_TABLE_PREFIX || "orchestra_";
 }
 /**
  * Get the fully-qualified table name for a base table name

package/dist/services/transcript-chunker.d.ts

@@ -2,7 +2,7 @@
  * Transcript Chunking Service
  *
  * Parses JSONL session transcripts, chunks them intelligently,
- * generates embeddings, and stores in orchestra_transcript_chunks.
+ * generates embeddings, and stores in the transcript_chunks table.
  *
  *
  */

package/dist/services/transcript-chunker.js

@@ -2,10 +2,11 @@
  * Transcript Chunking Service
  *
  * Parses JSONL session transcripts, chunks them intelligently,
- * generates embeddings, and stores in orchestra_transcript_chunks.
+ * generates embeddings, and stores in the transcript_chunks table.
  *
  *
  */
+import { getTableName } from "./tier.js";
 // OpenRouter API configuration (same as local-vector-search)
 const OPENROUTER_API_URL = "https://openrouter.ai/api/v1/embeddings";
 const EMBEDDING_MODEL = "openai/text-embedding-3-small";
@@ -221,7 +222,7 @@ export async function processTranscript(sessionId, transcriptContent, project =
             if (!SUPABASE_URL || !SUPABASE_KEY) {
                 throw new Error("Supabase configuration missing");
             }
-            const restUrl = `${SUPABASE_URL}/rest/v1/orchestra_transcript_chunks?on_conflict=session_id,chunk_index`;
+            const restUrl = `${SUPABASE_URL}/rest/v1/${getTableName("transcript_chunks")}?on_conflict=session_id,chunk_index`;
             const response = await fetch(restUrl, {
                 method: "POST",
                 headers: {

package/dist/tools/absorb-observations.js

@@ -14,7 +14,7 @@
 import { v4 as uuidv4 } from "uuid";
 import { wrapDisplay } from "../services/display-protocol.js";
 import { addObservations, getObservations, getCurrentSession } from "../services/session-state.js";
-import { hasSupabase } from "../services/tier.js";
+import { hasSupabase, getTableName } from "../services/tier.js";
 import * as supabase from "../services/supabase-client.js";
 import { Timer, recordMetrics, buildPerformanceData, } from "../services/metrics.js";
 // --- Scar Candidate Detection ---
@@ -49,7 +49,7 @@ export async function absorbObservations(params) {
     // 3. Optionally persist to Supabase (fire-and-forget, non-fatal)
     const session = getCurrentSession();
     if (hasSupabase() && supabase.isConfigured() && session) {
-        supabase.directUpsert("orchestra_sessions", {
+        supabase.directUpsert(getTableName("sessions"), {
             id: session.sessionId,
             task_observations: getObservations(),
         }).catch((err) => {

package/dist/tools/analyze.js

@@ -75,7 +75,7 @@ export async function analyze(params) {
                     queryScarUsageByDateRange(startDate, endDate, project, params.agent),
                     queryRepeatMistakes(startDate, endDate, project),
                 ]);
-                // Resolve missing scar titles from orchestra_learnings
+                // Resolve missing scar titles from the learnings table
                 const usages = await enrichScarUsageTitles(rawUsages);
                 data = computeBlindspots(usages, repeats, days);
                 break;

package/dist/tools/archive-learning.js

@@ -9,7 +9,7 @@
  * removed from in-memory search results.
  */
 import { directPatch, isConfigured } from "../services/supabase-client.js";
-import { hasSupabase } from "../services/tier.js";
+import { hasSupabase, getTableName } from "../services/tier.js";
 import { getStorage } from "../services/storage.js";
 import { flushCache } from "../services/startup.js";
 import { Timer } from "../services/metrics.js";
@@ -32,7 +32,7 @@ export async function archiveLearning(params) {
         let cacheFlushed = false;
         if (hasSupabase() && isConfigured()) {
             // Pro/dev: patch in Supabase
-            await directPatch("orchestra_learnings", { id: `eq.${params.id}` }, {
+            await directPatch(getTableName("learnings"), { id: `eq.${params.id}` }, {
                 is_active: false,
                 archived_at: archivedAt,
             });

package/dist/tools/cleanup-threads.js

@@ -8,7 +8,7 @@
  */
 import { v4 as uuidv4 } from "uuid";
 import * as supabase from "../services/supabase-client.js";
-import { hasSupabase } from "../services/tier.js";
+import { hasSupabase, getTableName } from "../services/tier.js";
 import { getProject } from "../services/session-state.js";
 import { computeLifecycleStatus } from "../services/thread-vitality.js";
 import { archiveDormantThreads } from "../services/thread-supabase.js";
@@ -127,7 +127,7 @@ export async function cleanupThreads(params) {
         archived_ids = archiveResult.archived_ids;
     }
     // Step 2: Fetch all non-resolved, non-archived threads
-    const rows = await supabase.directQuery("orchestra_threads_lite", {
+    const rows = await supabase.directQuery(getTableName("threads_lite"), {
         select: "*",
         filters: {
             project,
@@ -180,7 +180,7 @@ export async function cleanupThreads(params) {
         id: metricsId,
         tool_name: "cleanup_threads",
         query_text: `cleanup:${project}:auto_archive=${!!params.auto_archive}`,
-        tables_searched: ["orchestra_threads_lite"],
+        tables_searched: [getTableName("threads_lite")],
         latency_ms: latencyMs,
         result_count: totalOpen,
         phase_tag: "ad_hoc",

package/dist/tools/create-decision.d.ts

@@ -1,7 +1,7 @@
 /**
  * create_decision Tool
  *
- * Log architectural/operational decision to orchestra_decisions.
+ * Log architectural/operational decision to the decisions table.
  * Generates embeddings client-side and writes directly to Supabase REST API,
  * eliminating the ww-mcp Edge Function dependency.
  *

package/dist/tools/create-decision.js

@@ -1,7 +1,7 @@
 /**
  * create_decision Tool
  *
- * Log architectural/operational decision to orchestra_decisions.
+ * Log architectural/operational decision to the decisions table.
  * Generates embeddings client-side and writes directly to Supabase REST API,
  * eliminating the ww-mcp Edge Function dependency.
  *
@@ -14,7 +14,7 @@ import { wrapDisplay } from "../services/display-protocol.js";
 import { getAgentIdentity } from "../services/agent-detection.js";
 import { writeTriplesForDecision } from "../services/triple-writer.js";
 import { getEffectTracker } from "../services/effect-tracker.js";
-import { hasSupabase } from "../services/tier.js";
+import { hasSupabase, getTableName } from "../services/tier.js";
 import { getStorage } from "../services/storage.js";
 import { getProject } from "../services/session-state.js";
 import { Timer, recordMetrics, buildPerformanceData, } from "../services/metrics.js";
@@ -67,7 +67,7 @@ export async function createDecision(params) {
             }
             // Write directly to Supabase REST API (bypasses ww-mcp)
             const upsertStart = Date.now();
-            await supabase.directUpsert("orchestra_decisions", decisionData);
+            await supabase.directUpsert(getTableName("decisions"), decisionData);
             breakdown.upsert = {
                 latency_ms: Date.now() - upsertStart,
                 source: "supabase",
@@ -108,7 +108,7 @@ export async function createDecision(params) {
             id: metricsId,
             session_id: params.session_id,
             tool_name: "create_decision",
-            tables_searched: ["orchestra_decisions"],
+            tables_searched: [getTableName("decisions")],
             latency_ms: latencyMs,
             result_count: 1,
             phase_tag: "decision_capture",

package/dist/tools/create-learning.d.ts

@@ -1,7 +1,7 @@
 /**
  * create_learning Tool
  *
- * Create scar, win, or pattern entry in orchestra_learnings.
+ * Create scar, win, or pattern entry in the learnings table.
  * Generates embeddings client-side and writes directly to Supabase REST API,
  * eliminating the ww-mcp Edge Function dependency.
  *

package/dist/tools/create-learning.js

@@ -1,7 +1,7 @@
 /**
  * create_learning Tool
  *
- * Create scar, win, or pattern entry in orchestra_learnings.
+ * Create scar, win, or pattern entry in the learnings table.
  * Generates embeddings client-side and writes directly to Supabase REST API,
  * eliminating the ww-mcp Edge Function dependency.
  *
@@ -16,7 +16,7 @@ import { flushCache } from "../services/startup.js";
 import { writeTriplesForLearning } from "../services/triple-writer.js";
 import { generateVariantsForScar } from "../services/variant-generation.js";
 import { getEffectTracker } from "../services/effect-tracker.js";
-import { hasSupabase } from "../services/tier.js";
+import { hasSupabase, getTableName } from "../services/tier.js";
 import { getStorage } from "../services/storage.js";
 import { getProject } from "../services/session-state.js";
 import { Timer, recordMetrics, buildPerformanceData, } from "../services/metrics.js";
@@ -143,7 +143,7 @@ export async function createLearning(params) {
             console.error(`[create_learning] Learning type: ${params.learning_type}, Project: ${params.project || getProject() || "default"}`);
             // Write directly to Supabase REST API (bypasses ww-mcp)
             const upsertStart = Date.now();
-            const writeResult = await supabase.directUpsert("orchestra_learnings", learningData);
+            const writeResult = await supabase.directUpsert(getTableName("learnings"), learningData);
             const upsertLatency = Date.now() - upsertStart;
             breakdown.upsert = {
                 latency_ms: upsertLatency,
@@ -210,7 +210,7 @@ export async function createLearning(params) {
         recordMetrics({
             id: metricsId,
             tool_name: "create_learning",
-            tables_searched: ["orchestra_learnings"],
+            tables_searched: [getTableName("learnings")],
             latency_ms: latencyMs,
             result_count: 1,
             phase_tag: "learning_capture",

package/dist/tools/create-thread.js

@@ -14,6 +14,7 @@
  * Performance target: <500ms (Supabase write + file write)
  */
 import { v4 as uuidv4 } from "uuid";
+import { getTableName } from "../services/tier.js";
 import { getThreads, setThreads, getCurrentSession, getProject } from "../services/session-state.js";
 import { generateThreadId, loadThreadsFile, saveThreadsFile, } from "../services/thread-manager.js";
 import { createThreadInSupabase, loadOpenThreadEmbeddings, touchThreadsInSupabase, } from "../services/thread-supabase.js";
@@ -89,7 +90,7 @@ export async function createThread(params) {
             id: metricsId,
             tool_name: "create_thread",
             query_text: `dedup:${dedupResult.matched_thread_id}`,
-            tables_searched: ["orchestra_threads"],
+            tables_searched: [getTableName("threads")],
             latency_ms: latencyMs,
             result_count: 0,
             phase_tag: "ad_hoc",
@@ -147,7 +148,7 @@ export async function createThread(params) {
         id: metricsId,
         tool_name: "create_thread",
         query_text: `create:${thread.id}`,
-        tables_searched: supabaseSynced ? ["orchestra_threads"] : [],
+        tables_searched: supabaseSynced ? [getTableName("threads")] : [],
         latency_ms: latencyMs,
         result_count: 1,
         phase_tag: "ad_hoc",

package/dist/tools/list-threads.js

@@ -11,7 +11,7 @@
  * Performance target: <500ms (Supabase query with fallback)
  */
 import { v4 as uuidv4 } from "uuid";
-import { hasSupabase } from "../services/tier.js";
+import { hasSupabase, getTableName } from "../services/tier.js";
 import { getProject } from "../services/session-state.js";
 import { aggregateThreads, loadThreadsFile, mergeThreadStates } from "../services/thread-manager.js";
 import { deduplicateThreadList } from "../services/thread-dedup.js";
@@ -81,7 +81,7 @@ export async function listThreads(params) {
     if (allThreads === null && hasSupabase()) {
         try {
             const sessions = await supabase.listRecords({
-                table: "orchestra_sessions_lite",
+                table: getTableName("sessions_lite"),
                 filters: { project },
                 limit: 10,
                 orderBy: { column: "created_at", ascending: false },
@@ -137,7 +137,7 @@ export async function listThreads(params) {
         id: metricsId,
         tool_name: "list_threads",
         query_text: `list:${statusFilter}:${includeResolved ? "all" : "filtered"}`,
-        tables_searched: source === "supabase" ? ["orchestra_threads_lite"] : source === "aggregation" ? ["orchestra_sessions_lite"] : [],
+        tables_searched: source === "supabase" ? [getTableName("threads_lite")] : source === "aggregation" ? [getTableName("sessions_lite")] : [],
         latency_ms: latencyMs,
         result_count: threads.length,
         phase_tag: "ad_hoc",

package/dist/tools/log.js

@@ -10,7 +10,7 @@
  * Performance target: 500ms
  */
 import * as supabase from "../services/supabase-client.js";
-import { hasSupabase } from "../services/tier.js";
+import { hasSupabase, getTableName } from "../services/tier.js";
 import { getProject } from "../services/session-state.js";
 import { getStorage } from "../services/storage.js";
 import { Timer, recordMetrics, buildPerformanceData, buildComponentPerformance, } from "../services/metrics.js";
@@ -168,7 +168,7 @@ export async function log(params) {
         if (sinceDate) {
             filters.created_at = `gte.${sinceDate}`;
         }
-        const records = await supabase.directQuery("orchestra_learnings", {
+        const records = await supabase.directQuery(getTableName("learnings"), {
             select: "id,title,learning_type,severity,created_at,source_linear_issue,project,persona_name",
             filters,
             order: "created_at.desc",
@@ -187,7 +187,7 @@ export async function log(params) {
         recordMetrics({
             id: metricsId,
             tool_name: "log",
-            tables_searched: ["orchestra_learnings"],
+            tables_searched: [getTableName("learnings")],
             latency_ms: latencyMs,
             result_count: records.length,
             phase_tag: "ad_hoc",

package/dist/tools/prepare-context.js

@@ -18,7 +18,7 @@
 import * as supabase from "../services/supabase-client.js";
 import { localScarSearch, isLocalSearchReady } from "../services/local-vector-search.js";
 import { getProject } from "../services/session-state.js";
-import { hasSupabase } from "../services/tier.js";
+import { hasSupabase, getTableName } from "../services/tier.js";
 import { getStorage } from "../services/storage.js";
 import { Timer, recordMetrics, buildPerformanceData, buildComponentPerformance, } from "../services/metrics.js";
 import { v4 as uuidv4 } from "uuid";
@@ -153,7 +153,7 @@ function buildResult(scars, plan, format, maxTokens, timer, metricsId, project,
         id: metricsId,
         tool_name: "prepare_context",
         query_text: `prepare_context:${format}:${plan.slice(0, 80)}`,
-        tables_searched: search_mode === "local" ? [] : ["orchestra_learnings"],
+        tables_searched: search_mode === "local" ? [] : [getTableName("learnings")],
         latency_ms: latencyMs,
         result_count: scars_included,
         phase_tag: "recall",

package/dist/tools/recall.d.ts

@@ -72,7 +72,7 @@ export interface RecallResult {
 /**
  * Execute recall tool
  *
- * Queries orchestra_learnings for scars matching the provided plan
+ * Queries the learnings table for scars matching the provided plan
  * using weighted semantic search (severity-weighted, temporally-decayed).
  */
 export declare function recall(params: RecallParams): Promise<RecallResult>;

package/dist/tools/recall.js

@@ -14,7 +14,7 @@
  */
 import * as supabase from "../services/supabase-client.js";
 import { localScarSearch, isLocalSearchReady } from "../services/local-vector-search.js";
-import { hasSupabase, hasVariants, hasMetrics } from "../services/tier.js";
+import { hasSupabase, hasVariants, hasMetrics, getTableName } from "../services/tier.js";
 import { getProject } from "../services/session-state.js";
 import { getStorage } from "../services/storage.js";
 import { Timer, recordMetrics, buildPerformanceData, buildComponentPerformance, calculateContextBytes, } from "../services/metrics.js";
@@ -144,7 +144,7 @@ No past lessons match this plan closely enough. Scars accumulate as you work —
 /**
  * Execute recall tool
  *
- * Queries orchestra_learnings for scars matching the provided plan
+ * Queries the learnings table for scars matching the provided plan
  * using weighted semantic search (severity-weighted, temporally-decayed).
  */
 export async function recall(params) {
@@ -423,7 +423,7 @@ export async function recall(params) {
             id: metricsId,
             tool_name: "recall",
             query_text: plan,
-            tables_searched: search_mode === "local" ? [] : ["orchestra_learnings"],
+            tables_searched: search_mode === "local" ? [] : [getTableName("learnings")],
             latency_ms: latencyMs,
             result_count: scars.length,
             similarity_scores: similarityScores,

package/dist/tools/record-scar-usage-batch.js

@@ -4,7 +4,7 @@
  */
 import { v4 as uuidv4 } from "uuid";
 import * as supabase from "../services/supabase-client.js";
-import { hasSupabase } from "../services/tier.js";
+import { hasSupabase, getTableName } from "../services/tier.js";
 import { Timer, recordMetrics, buildPerformanceData } from "../services/metrics.js";
 const TARGET_LATENCY_MS = 2000; // Target for batch operation
 /**
@@ -27,7 +27,7 @@ async function resolveScarIdentifier(identifier, project) {
         }
         // Try exact title match first
         const titleResult = await supabase.listRecords({
-            table: "orchestra_learnings",
+            table: getTableName("learnings"),
             columns: "id,title,description,scar_type,severity",
             filters: { ...filters, title: identifier },
             limit: 1,
@@ -37,7 +37,7 @@ async function resolveScarIdentifier(identifier, project) {
         }
         // Try partial title match (get more records to search)
         const partialResult = await supabase.listRecords({
-            table: "orchestra_learnings",
+            table: getTableName("learnings"),
             columns: "id,title,description,scar_type,severity",
             filters: { ...filters },
             limit: 100,
@@ -128,7 +128,7 @@ export async function recordScarUsageBatch(params) {
         recordMetrics({
             id: metricsId,
             tool_name: "record_scar_usage_batch",
-            tables_searched: ["scar_usage", "orchestra_learnings"],
+            tables_searched: ["scar_usage", getTableName("learnings")],
             latency_ms: latencyMs,
             result_count: usageIds.length,
             phase_tag: "scar_tracking",

package/dist/tools/resolve-thread.js

@@ -12,6 +12,7 @@
  * Performance target: <500ms (Supabase update + file write)
  */
 import { v4 as uuidv4 } from "uuid";
+import { getTableName } from "../services/tier.js";
 import { getThreads, getCurrentSession } from "../services/session-state.js";
 import { resolveThread as resolveThreadInList, findThreadById, loadThreadsFile, saveThreadsFile, } from "../services/thread-manager.js";
 import { resolveThreadInSupabase } from "../services/thread-supabase.js";
@@ -106,7 +107,7 @@ export async function resolveThread(params) {
         id: metricsId,
         tool_name: "resolve_thread",
         query_text: `resolve:${params.thread_id || "text:" + params.text_match}`,
-        tables_searched: supabaseSynced ? ["orchestra_threads"] : [],
+        tables_searched: supabaseSynced ? [getTableName("threads")] : [],
         latency_ms: latencyMs,
         result_count: 1 + alsoResolved.length,
         phase_tag: "ad_hoc",

package/dist/tools/search.js

@@ -12,7 +12,7 @@
  */
 import * as supabase from "../services/supabase-client.js";
 import { localScarSearch, isLocalSearchReady } from "../services/local-vector-search.js";
-import { hasSupabase } from "../services/tier.js";
+import { hasSupabase, getTableName } from "../services/tier.js";
 import { getProject } from "../services/session-state.js";
 import { getStorage } from "../services/storage.js";
 import { Timer, recordMetrics, buildPerformanceData, buildComponentPerformance, } from "../services/metrics.js";
@@ -218,7 +218,7 @@ export async function search(params) {
             id: metricsId,
             tool_name: "search",
             query_text: query,
-            tables_searched: search_mode === "local" ? [] : ["orchestra_learnings"],
+            tables_searched: search_mode === "local" ? [] : [getTableName("learnings")],
             latency_ms: latencyMs,
             result_count: results.length,
             similarity_scores: results.map(r => r.similarity),

package/dist/tools/session-close.js

@@ -10,7 +10,7 @@ import { v4 as uuidv4 } from "uuid";
 import { detectAgent } from "../services/agent-detection.js";
 import * as supabase from "../services/supabase-client.js";
 import { embed, isEmbeddingAvailable } from "../services/embedding.js";
-import { hasSupabase } from "../services/tier.js";
+import { hasSupabase, getTableName } from "../services/tier.js";
 import { getStorage } from "../services/storage.js";
 import { clearCurrentSession, getSurfacedScars, getConfirmations, getObservations, getChildren, getThreads, getSessionActivity } from "../services/session-state.js";
 import { normalizeThreads, mergeThreadStates, migrateStringThread, saveThreadsFile } from "../services/thread-manager.js"; // 
@@ -59,10 +59,10 @@ function countScarsApplied(scarsApplied) {
  */
 function findMostRecentTranscript(projectsDir, cwdBasename, cwdFull) {
     // Claude Code names project dirs by replacing / with - in the full CWD path
-    // e.g., /Users/chriscrawford/nTEG-Labs -> -Users-chriscrawford-nTEG-Labs
+    // e.g., /Users/dev/my-project -> -Users-dev-my-project
     const claudeCodeDirName = cwdFull.replace(/\//g, "-");
     const possibleDirs = [
-        path.join(projectsDir, claudeCodeDirName), // Primary: full path with dashes (e.g., -Users-chriscrawford-nTEG-Labs)
+        path.join(projectsDir, claudeCodeDirName), // Primary: full path with dashes
         path.join(projectsDir, "-workspace"),
         path.join(projectsDir, "workspace"),
         path.join(projectsDir, cwdBasename), // Legacy fallback
@@ -832,7 +832,7 @@ export async function sessionClose(params) {
         const today = new Date().toISOString().split('T')[0]; // YYYY-MM-DD
         try {
             const sessions = await supabase.listRecords({
-                table: "orchestra_sessions_lite",
+                table: getTableName("sessions_lite"),
                 filters: { agent },
                 limit: 10,
                 orderBy: { column: "created_at", ascending: false },
@@ -938,7 +938,7 @@ export async function sessionClose(params) {
         sessionId = params.session_id;
         // Try Supabase first
         try {
-            existingSession = await supabase.getRecord("orchestra_sessions", sessionId);
+            existingSession = await supabase.getRecord(getTableName("sessions"), sessionId);
         }
         catch {
             // Supabase might not be configured (free tier) or session not found
@@ -1036,7 +1036,7 @@ export async function sessionClose(params) {
     try {
         // Upsert session WITHOUT embedding (fast path)
         // Embedding + thread detection run fire-and-forget after
-        await supabase.directUpsert("orchestra_sessions", sessionData);
+        await supabase.directUpsert(getTableName("sessions"), sessionData);
         // Tracked fire-and-forget embedding generation + session update + thread detection
         if (isEmbeddingAvailable()) {
             getEffectTracker().track("embedding", "session_close", async () => {
@@ -1052,7 +1052,7 @@ export async function sessionClose(params) {
                     if (embeddingVector) {
                         const embeddingJson = JSON.stringify(embeddingVector);
                         // Update session with embedding (PATCH, not upsert — row already exists)
-                        await supabase.directPatch("orchestra_sessions", { id: sessionId }, { embedding: embeddingJson });
+                        await supabase.directPatch(getTableName("sessions"), { id: sessionId }, { embedding: embeddingJson });
                         console.error("[session_close] Embedding saved to session");
                         // Phase 5: Implicit thread detection (chained after embedding)
                         const suggestProject = existingSession?.project || "default";
@@ -1090,7 +1090,7 @@ export async function sessionClose(params) {
             session_id: sessionId,
             agent: agentIdentity,
             tool_name: "session_close",
-            tables_searched: ["orchestra_sessions"],
+            tables_searched: [getTableName("sessions")],
             latency_ms: latencyMs,
             result_count: 1,
             phase_tag: "session_close",

package/dist/tools/session-start.js

@@ -17,7 +17,7 @@ import { detectAgent } from "../services/agent-detection.js";
 import * as supabase from "../services/supabase-client.js";
 // Scar search removed from start pipeline (loads on-demand via recall)
 import { ensureInitialized } from "../services/startup.js";
-import { hasSupabase } from "../services/tier.js";
+import { hasSupabase, getTableName } from "../services/tier.js";
 import { getStorage } from "../services/storage.js";
 import { Timer, recordMetrics, calculateContextBytes, buildPerformanceData, buildComponentPerformance, } from "../services/metrics.js";
 import { setCurrentSession, getCurrentSession, addSurfacedScars, getSurfacedScars } from "../services/session-state.js";
@@ -68,7 +68,7 @@ async function loadLastSession(agent, project) {
         // Use _lite view for performance (excludes embedding)
         // View now includes decisions/open_threads arrays
         const sessions = await supabase.listRecords({
-            table: "orchestra_sessions_lite",
+            table: getTableName("sessions_lite"),
             filters: { agent, project },
             limit: 10, // Get several to find a closed one + aggregate threads
             orderBy: { column: "created_at", ascending: false },
@@ -149,7 +149,7 @@ async function loadRecentRapport(project) {
         return [];
     try {
         const sessions = await supabase.listRecords({
-            table: "orchestra_sessions_lite",
+            table: getTableName("sessions_lite"),
             columns: "agent,rapport_summary,created_at",
             filters: { project },
             limit: 20, // Fetch more to find ones with rapport
@@ -233,7 +233,7 @@ async function createSessionRecord(agent, project, linearIssue, preGeneratedId /
     try {
         // Capture asciinema recording path from Docker entrypoint
         const recordingPath = process.env.GITMEM_RECORDING_PATH || null;
-        await supabase.directUpsert("orchestra_sessions", {
+        await supabase.directUpsert(getTableName("sessions"), {
             id: sessionId,
             session_date: today,
             session_title: linearIssue ? `Session for ${linearIssue}` : "Interactive Session",
@@ -273,12 +273,12 @@ async function markSessionSuperseded(oldSessionId, newSessionId) {
         return; // Free tier: no remote session tracking
     try {
         // Check if session already has close_compliance (was properly closed)
-        const existing = await supabase.directQuery("orchestra_sessions", { filters: { id: oldSessionId }, select: "close_compliance" });
+        const existing = await supabase.directQuery(getTableName("sessions"), { filters: { id: oldSessionId }, select: "close_compliance" });
         if (existing.length > 0 && existing[0].close_compliance != null) {
             // Already closed — don't overwrite
             return;
         }
-        await supabase.directPatch("orchestra_sessions", { id: oldSessionId }, {
+        await supabase.directPatch(getTableName("sessions"), { id: oldSessionId }, {
             close_compliance: {
                 close_type: "superseded",
                 superseded_by: newSessionId,
@@ -819,7 +819,7 @@ export async function sessionStart(params) {
         agent: agent,
         tool_name: "session_start",
         query_text: [params.issue_title, params.issue_description].filter(Boolean).join(" ").slice(0, 500),
-        tables_searched: ["orchestra_sessions_lite", "orchestra_decisions_lite"],
+        tables_searched: [getTableName("sessions_lite"), getTableName("decisions_lite")],
         latency_ms: latencyMs,
         result_count: decisions.length + (lastSession ? 1 : 0),
         context_bytes: calculateContextBytes(result),
@@ -966,7 +966,7 @@ export async function sessionRefresh(params) {
         agent: agent,
         tool_name: "session_refresh",
         query_text: "mid-session context refresh",
-        tables_searched: ["orchestra_sessions_lite", "orchestra_decisions_lite"],
+        tables_searched: [getTableName("sessions_lite"), getTableName("decisions_lite")],
         latency_ms: latencyMs,
         result_count: decisions.length + (lastSession ? 1 : 0),
         context_bytes: calculateContextBytes(result),

package/hooks/hooks/hooks.json

@@ -28,6 +28,11 @@
       {
         "matcher": "Bash",
         "hooks": [
+          {
+            "type": "command",
+            "command": "bash ${CLAUDE_PLUGIN_ROOT}/scripts/credential-guard.sh",
+            "timeout": 3000
+          },
           {
             "type": "command",
             "command": "bash ${CLAUDE_PLUGIN_ROOT}/scripts/recall-check.sh",
@@ -35,6 +40,16 @@
           }
         ]
       },
+      {
+        "matcher": "Read",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash ${CLAUDE_PLUGIN_ROOT}/scripts/credential-guard.sh",
+            "timeout": 3000
+          }
+        ]
+      },
       {
         "matcher": "Write",
         "hooks": [

package/hooks/scripts/credential-guard.sh

@@ -0,0 +1,139 @@
+#!/bin/bash
+# GitMem Hooks Plugin — PreToolUse Hook (Credential Guard)
+#
+# CONSTITUTIONAL ENFORCEMENT: Hard-blocks any tool call that would expose
+# credentials, API keys, tokens, or secrets in conversation output.
+#
+# Intercepts:
+#   - Bash: env/printenv/export dumps, echo $SECRET, cat/read of credential files
+#   - Read: Direct reads of known credential files (mcp-config.json, .env, etc.)
+#
+# This is a RED LINE — no override, no exception. Credential exposure is
+# permanent and irreversible once it enters conversation history.
+#
+# Input: JSON via stdin with tool_name and tool_input
+# Output: JSON with decision:block OR empty (exit 0 = allow)
+
+set -e
+
+HOOK_INPUT=$(cat -)
+
+# ============================================================================
+# Parse tool info
+# ============================================================================
+
+parse_json() {
+    local INPUT="$1"
+    local FIELD="$2"
+    if command -v jq &>/dev/null; then
+        echo "$INPUT" | jq -r "$FIELD // empty" 2>/dev/null
+    else
+        echo "$INPUT" | node -e "
+            let d='';
+            process.stdin.on('data',c=>d+=c);
+            process.stdin.on('end',()=>{
+                try {
+                    const j=JSON.parse(d);
+                    const path='$FIELD'.replace(/^\./,'').split('.');
+                    let v=j;
+                    for(const p of path) v=v?.[p];
+                    process.stdout.write(String(v||''));
+                } catch(e) { process.stdout.write(''); }
+            });
+        " 2>/dev/null
+    fi
+}
+
+TOOL_NAME=$(parse_json "$HOOK_INPUT" ".tool_name")
+
+# ============================================================================
+# Credential file patterns (basenames and paths)
+# ============================================================================
+
+# Files that are PRIMARILY credential stores — never read in full
+CREDENTIAL_FILES_PATTERN='(mcp-config\.json|\.env($|\.)|\.credentials\.json|credentials\.json|\.netrc|\.npmrc|\.pypirc|id_rsa|id_ed25519|\.pem$|\.key$)'
+
+# ============================================================================
+# BASH TOOL GUARD
+# ============================================================================
+
+if [ "$TOOL_NAME" = "Bash" ]; then
+    COMMAND=$(parse_json "$HOOK_INPUT" ".tool_input.command")
+
+    # Guard 1: env/printenv dumps that would expose secret values
+    # Blocks: env | grep KEY, printenv TOKEN, export -p | grep SECRET
+    # Allows: env | grep -c KEY (count only), [ -n "$VAR" ] checks
+    if echo "$COMMAND" | grep -qEi '(^|\|)\s*(env|printenv|export\s+-p)\s*(\||$)' && \
+       ! echo "$COMMAND" | grep -qE 'grep\s+-(c|l)\s'; then
+        # Check if the piped grep targets secret-looking patterns
+        if echo "$COMMAND" | grep -qEi '(key|secret|token|password|credential|auth|pat[^h]|api_|twitter|supabase|linear|notion|openrouter|perplexity|anthropic|github)'; then
+            cat <<'HOOKJSON'
+{
+  "decision": "block",
+  "reason": "RED LINE — CREDENTIAL EXPOSURE BLOCKED: This command would print secret values from environment variables into the conversation. Use count-only checks instead:\n\n  env | grep -c VARNAME        # returns count, not value\n  [ -n \"$VARNAME\" ] && echo set  # existence check only\n\nThis rule is constitutional. There is no override."
+}
+HOOKJSON
+            exit 0
+        fi
+    fi
+
+    # Guard 2: Direct echo/printf of secret-looking env vars
+    if echo "$COMMAND" | grep -qEi '(echo|printf)\s+.*\$\{?(TWITTER|API_KEY|API_SECRET|ACCESS_TOKEN|ACCESS_SECRET|GITHUB_PAT|LINEAR_API|SUPABASE_SERVICE|NOTION_TOKEN|OPENROUTER|PERPLEXITY|ANTHROPIC)'; then
+        cat <<'HOOKJSON'
+{
+  "decision": "block",
+  "reason": "RED LINE — CREDENTIAL EXPOSURE BLOCKED: This command would print a secret environment variable value. Use existence checks instead:\n\n  [ -n \"$VARNAME\" ] && echo \"set\" || echo \"unset\"\n\nThis rule is constitutional. There is no override."
+}
+HOOKJSON
+        exit 0
+    fi
+
+    # Guard 3: cat/head/tail/less of credential files via Bash
+    if echo "$COMMAND" | grep -qEi "(cat|head|tail|less|more|bat)\s+" && \
+       echo "$COMMAND" | grep -qEi "$CREDENTIAL_FILES_PATTERN"; then
+        cat <<'HOOKJSON'
+{
+  "decision": "block",
+  "reason": "RED LINE — CREDENTIAL EXPOSURE BLOCKED: This command would dump a credential file into the conversation. Use targeted, value-safe searches instead:\n\n  grep -c '\"server_name\"' config.json  # check structure, not secrets\n\nThis rule is constitutional. There is no override."
+}
+HOOKJSON
+        exit 0
+    fi
+fi
+
+# ============================================================================
+# READ TOOL GUARD
+# ============================================================================
+
+if [ "$TOOL_NAME" = "Read" ]; then
+    FILE_PATH=$(parse_json "$HOOK_INPUT" ".tool_input.file_path")
+    BASENAME=$(basename "$FILE_PATH" 2>/dev/null || echo "$FILE_PATH")
+
+    # Block reading known credential files
+    if echo "$BASENAME" | grep -qEi "$CREDENTIAL_FILES_PATTERN"; then
+        cat <<HOOKJSON
+{
+  "decision": "block",
+  "reason": "RED LINE — CREDENTIAL EXPOSURE BLOCKED: Reading '${BASENAME}' would dump secrets (API keys, tokens) into the conversation. This file is a credential store.\n\nSafe alternatives:\n  grep -c '\"server_name\"' ${FILE_PATH}   # check if a key exists\n  grep '\"twitter\"' ${FILE_PATH}            # check specific non-secret structure\n\nThis rule is constitutional. There is no override."
+}
+HOOKJSON
+        exit 0
+    fi
+
+    # Block reading files in sensitive directories
+    if echo "$FILE_PATH" | grep -qEi '(/\.ssh/|/\.gnupg/|/secrets?/)'; then
+        cat <<HOOKJSON
+{
+  "decision": "block",
+  "reason": "RED LINE — CREDENTIAL EXPOSURE BLOCKED: Reading files from '${FILE_PATH}' would expose sensitive cryptographic material or secrets. This rule is constitutional. There is no override."
+}
+HOOKJSON
+        exit 0
+    fi
+fi
+
+# ============================================================================
+# No credential risk detected — allow
+# ============================================================================
+
+exit 0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "gitmem-mcp",
-  "version": "1.0.11",
+  "version": "1.0.13",
   "description": "Institutional memory for AI coding agents. Memory that compounds.",
   "type": "module",
   "main": "dist/index.js",
@@ -24,7 +24,8 @@
     "test:all": "npm run test:unit && npm run test:smoke && npm run test:integration && npm run test:perf && npm run test:e2e",
     "test:watch": "vitest",
     "typecheck": "tsc --noEmit",
-    "prepublishOnly": "tsc"
+    "prepublishOnly": "tsc",
+    "release-status": "bash scripts/release-status.sh"
   },
   "dependencies": {
     "@huggingface/transformers": "^3.0.0",