gitmem-mcp 1.0.15 → 1.1.1

package/bin/uninstall.js

@@ -4,7 +4,9 @@
  * GitMem Uninstall
  *
  * Cleanly reverses everything `npx gitmem-mcp init` did.
- * Usage: npx gitmem-mcp uninstall [--yes] [--all]
+ * Supports Claude Code and Cursor IDE.
+ *
+ * Usage: npx gitmem-mcp uninstall [--yes] [--all] [--client <claude|cursor>]
  */
 
 import {
@@ -23,16 +25,81 @@ const cwd = process.cwd();
 const args = process.argv.slice(2);
 const autoYes = args.includes("--yes") || args.includes("-y");
 const deleteAll = args.includes("--all");
+const clientIdx = args.indexOf("--client");
+const clientFlag = clientIdx !== -1 ? args[clientIdx + 1]?.toLowerCase() : null;
+
+// ── Client Configuration ──
+
+const CLIENT_CONFIGS = {
+  claude: {
+    name: "Claude Code",
+    mcpConfigPath: join(cwd, ".mcp.json"),
+    mcpConfigName: ".mcp.json",
+    instructionsFile: join(cwd, "CLAUDE.md"),
+    instructionsName: "CLAUDE.md",
+    startMarker: "<!-- gitmem:start -->",
+    endMarker: "<!-- gitmem:end -->",
+    configDir: join(cwd, ".claude"),
+    settingsFile: join(cwd, ".claude", "settings.json"),
+    hasPermissions: true,
+    hooksInSettings: true,
+  },
+  cursor: {
+    name: "Cursor",
+    mcpConfigPath: join(cwd, ".cursor", "mcp.json"),
+    mcpConfigName: ".cursor/mcp.json",
+    instructionsFile: join(cwd, ".cursorrules"),
+    instructionsName: ".cursorrules",
+    startMarker: "# --- gitmem:start ---",
+    endMarker: "# --- gitmem:end ---",
+    configDir: join(cwd, ".cursor"),
+    settingsFile: null,
+    hasPermissions: false,
+    hooksInSettings: false,
+    hooksFile: join(cwd, ".cursor", "hooks.json"),
+    hooksFileName: ".cursor/hooks.json",
+  },
+};
+
+// ── Client Detection ──
+
+function detectClient() {
+  if (clientFlag) {
+    if (clientFlag !== "claude" && clientFlag !== "cursor") {
+      console.error(`  Error: Unknown client "${clientFlag}". Use --client claude or --client cursor.`);
+      process.exit(1);
+    }
+    return clientFlag;
+  }
+
+  const hasCursorDir = existsSync(join(cwd, ".cursor"));
+  const hasClaudeDir = existsSync(join(cwd, ".claude"));
+  const hasMcpJson = existsSync(join(cwd, ".mcp.json"));
+  const hasClaudeMd = existsSync(join(cwd, "CLAUDE.md"));
+  const hasCursorRules = existsSync(join(cwd, ".cursorrules"));
+  const hasCursorMcp = existsSync(join(cwd, ".cursor", "mcp.json"));
+
+  if (hasCursorDir && !hasClaudeDir && !hasMcpJson && !hasClaudeMd) return "cursor";
+  if (hasCursorRules && !hasClaudeMd) return "cursor";
+  if (hasCursorMcp && !hasMcpJson) return "cursor";
+
+  if (hasClaudeDir && !hasCursorDir) return "claude";
+  if (hasMcpJson && !hasCursorMcp) return "claude";
+  if (hasClaudeMd && !hasCursorRules) return "claude";
+
+  return "claude";
+}
+
+const client = detectClient();
+const cc = CLIENT_CONFIGS[client];
 
 const gitmemDir = join(cwd, ".gitmem");
-const mcpJsonPath = join(cwd, ".mcp.json");
-const claudeMdPath = join(cwd, "CLAUDE.md");
-const claudeDir = join(cwd, ".claude");
-const settingsPath = join(claudeDir, "settings.json");
 const gitignorePath = join(cwd, ".gitignore");
 
 let rl;
 
+// ── Helpers ──
+
 async function confirm(message, defaultYes = true) {
   if (autoYes) return defaultYes;
   if (!rl) {
@@ -58,62 +125,66 @@ function writeJson(path, data) {
 }
 
 function isGitmemHook(entry) {
-  if (!entry.hooks || !Array.isArray(entry.hooks)) return false;
-  return entry.hooks.some(
-    (h) => typeof h.command === "string" && h.command.includes("gitmem")
-  );
+  // Claude Code format: entry.hooks is an array of {command: "..."}
+  if (entry.hooks && Array.isArray(entry.hooks)) {
+    return entry.hooks.some(
+      (h) => typeof h.command === "string" && h.command.includes("gitmem")
+    );
+  }
+  // Cursor format: entry itself has {command: "..."}
+  if (typeof entry.command === "string") {
+    return entry.command.includes("gitmem");
+  }
+  return false;
 }
 
 // ── Steps ──
 
-function stepClaudeMd() {
-  if (!existsSync(claudeMdPath)) {
-    console.log("  No CLAUDE.md found. Skipping.");
+function stepInstructions() {
+  if (!existsSync(cc.instructionsFile)) {
+    console.log(`  No ${cc.instructionsName} found. Skipping.`);
     return;
   }
 
-  let content = readFileSync(claudeMdPath, "utf-8");
-  const startMarker = "<!-- gitmem:start -->";
-  const endMarker = "<!-- gitmem:end -->";
+  let content = readFileSync(cc.instructionsFile, "utf-8");
 
-  if (!content.includes(startMarker)) {
-    console.log("  No gitmem section in CLAUDE.md. Skipping.");
+  if (!content.includes(cc.startMarker)) {
+    console.log(`  No gitmem section in ${cc.instructionsName}. Skipping.`);
     return;
   }
 
-  const startIdx = content.indexOf(startMarker);
-  const endIdx = content.indexOf(endMarker);
+  const startIdx = content.indexOf(cc.startMarker);
+  const endIdx = content.indexOf(cc.endMarker);
   if (startIdx === -1 || endIdx === -1) {
-    console.log("  Malformed gitmem markers in CLAUDE.md. Skipping.");
+    console.log(`  Malformed gitmem markers in ${cc.instructionsName}. Skipping.`);
     return;
   }
 
   // Remove the block including markers and surrounding whitespace
   const before = content.slice(0, startIdx).trimEnd();
-  const after = content.slice(endIdx + endMarker.length).trimStart();
+  const after = content.slice(endIdx + cc.endMarker.length).trimStart();
 
   const result = before + (before && after ? "\n\n" : "") + after;
 
   if (result.trim() === "") {
-    // CLAUDE.md would be empty — delete it
-    rmSync(claudeMdPath);
-    console.log("  Removed CLAUDE.md (was gitmem-only)");
+    rmSync(cc.instructionsFile);
+    console.log(`  Removed ${cc.instructionsName} (was gitmem-only)`);
   } else {
-    writeFileSync(claudeMdPath, result.trimEnd() + "\n");
-    console.log("  Stripped gitmem section from CLAUDE.md");
+    writeFileSync(cc.instructionsFile, result.trimEnd() + "\n");
+    console.log(`  Stripped gitmem section from ${cc.instructionsName}`);
   }
 }
 
 function stepMcpJson() {
-  const config = readJson(mcpJsonPath);
+  const config = readJson(cc.mcpConfigPath);
   if (!config?.mcpServers) {
-    console.log("  No .mcp.json found. Skipping.");
+    console.log(`  No ${cc.mcpConfigName} found. Skipping.`);
     return;
   }
 
   const had = !!config.mcpServers.gitmem || !!config.mcpServers["gitmem-mcp"];
   if (!had) {
-    console.log("  No gitmem in .mcp.json. Skipping.");
+    console.log(`  No gitmem in ${cc.mcpConfigName}. Skipping.`);
     return;
   }
 
@@ -121,14 +192,21 @@ function stepMcpJson() {
   delete config.mcpServers["gitmem-mcp"];
 
   const remaining = Object.keys(config.mcpServers).length;
-  writeJson(mcpJsonPath, config);
+  writeJson(cc.mcpConfigPath, config);
   console.log(
     `  Removed gitmem server (${remaining} other server${remaining !== 1 ? "s" : ""} preserved)`
   );
 }
 
 function stepHooks() {
-  const settings = readJson(settingsPath);
+  if (cc.hooksInSettings) {
+    return stepHooksClaude();
+  }
+  return stepHooksCursor();
+}
+
+function stepHooksClaude() {
+  const settings = readJson(cc.settingsFile);
   if (!settings?.hooks) {
     console.log("  No hooks in .claude/settings.json. Skipping.");
     return;
@@ -164,7 +242,53 @@ function stepHooks() {
     delete settings.hooks;
   }
 
-  writeJson(settingsPath, settings);
+  writeJson(cc.settingsFile, settings);
+  console.log(
+    `  Removed gitmem hooks` +
+      (preserved > 0
+        ? ` (${preserved} other hook${preserved !== 1 ? "s" : ""} preserved)`
+        : "")
+  );
+}
+
+function stepHooksCursor() {
+  const config = readJson(cc.hooksFile);
+  if (!config?.hooks) {
+    console.log(`  No hooks in ${cc.hooksFileName}. Skipping.`);
+    return;
+  }
+
+  let removed = 0;
+  let preserved = 0;
+  const cleaned = {};
+
+  for (const [eventType, entries] of Object.entries(config.hooks)) {
+    if (!Array.isArray(entries)) continue;
+    const nonGitmem = entries.filter((e) => {
+      if (isGitmemHook(e)) {
+        removed++;
+        return false;
+      }
+      preserved++;
+      return true;
+    });
+    if (nonGitmem.length > 0) {
+      cleaned[eventType] = nonGitmem;
+    }
+  }
+
+  if (removed === 0) {
+    console.log("  No gitmem hooks found. Skipping.");
+    return;
+  }
+
+  if (Object.keys(cleaned).length > 0) {
+    config.hooks = cleaned;
+  } else {
+    delete config.hooks;
+  }
+
+  writeJson(cc.hooksFile, config);
   console.log(
     `  Removed gitmem hooks` +
       (preserved > 0
@@ -174,7 +298,12 @@ function stepHooks() {
 }
 
 function stepPermissions() {
-  const settings = readJson(settingsPath);
+  if (!cc.hasPermissions) {
+    console.log(`  Not needed for ${cc.name}. Skipping.`);
+    return;
+  }
+
+  const settings = readJson(cc.settingsFile);
   const allow = settings?.permissions?.allow;
   if (!Array.isArray(allow)) {
     console.log("  No permissions in .claude/settings.json. Skipping.");
@@ -202,7 +331,7 @@ function stepPermissions() {
     delete settings.permissions;
   }
 
-  writeJson(settingsPath, settings);
+  writeJson(cc.settingsFile, settings);
   console.log("  Removed mcp__gitmem__* from permissions.allow");
 }
 
@@ -247,28 +376,41 @@ function stepGitignore() {
 
 async function main() {
   console.log("");
-  console.log("  gitmem — Uninstall");
+  console.log(`  gitmem — Uninstall (${cc.name})`);
+  if (clientFlag) {
+    console.log(`  (client: ${client} — via --client flag)`);
+  } else {
+    console.log(`  (client: ${client} — auto-detected)`);
+  }
   console.log("");
 
-  console.log("  Step 1/5 — Remove gitmem section from CLAUDE.md");
-  stepClaudeMd();
+  const stepCount = cc.hasPermissions ? 5 : 4;
+  let step = 1;
+
+  console.log(`  Step ${step}/${stepCount} — Remove gitmem section from ${cc.instructionsName}`);
+  stepInstructions();
   console.log("");
+  step++;
 
-  console.log("  Step 2/5 — Remove gitmem from .mcp.json");
+  console.log(`  Step ${step}/${stepCount} — Remove gitmem from ${cc.mcpConfigName}`);
   stepMcpJson();
   console.log("");
+  step++;
 
-  console.log("  Step 3/5 — Remove gitmem hooks from .claude/settings.json");
+  const hooksTarget = cc.hooksInSettings ? ".claude/settings.json" : cc.hooksFileName;
+  console.log(`  Step ${step}/${stepCount} — Remove gitmem hooks from ${hooksTarget}`);
   stepHooks();
   console.log("");
+  step++;
 
-  console.log(
-    "  Step 4/5 — Remove gitmem permissions from .claude/settings.json"
-  );
-  stepPermissions();
-  console.log("");
+  if (cc.hasPermissions) {
+    console.log(`  Step ${step}/${stepCount} — Remove gitmem permissions from .claude/settings.json`);
+    stepPermissions();
+    console.log("");
+    step++;
+  }
 
-  console.log("  Step 5/5 — Delete .gitmem/ directory?");
+  console.log(`  Step ${step}/${stepCount} — Delete .gitmem/ directory?`);
   await stepGitmemDir();
 
   // Also clean .gitignore entry

package/cursorrules.template

@@ -0,0 +1,92 @@
+# --- gitmem:start ---
+# GitMem — Persistent Memory
+
+You have a persistent memory layer called gitmem. Every session starts from
+zero — but gitmem carries forward lessons, mistakes, wins, decisions, and
+open threads across sessions and projects. Search it. Test it. You might be
+amazed at what's already there. If convinced, make it your own.
+
+## Red Lines
+
+These constraints are enforced by hooks. Attempting to bypass them will be blocked.
+
+### Credential Protection
+
+Credential exposure in conversation history is permanent and irreversible.
+
+1. **NEVER read credential files in full.** Files like `mcp-config.json`, `.env`, `.credentials.json`, `.netrc`, `.npmrc`, SSH keys, or `.pem`/`.key` files must not be read or dumped.
+2. **NEVER print environment variable values that contain secrets.** Commands like `env | grep KEY`, `echo $API_KEY`, or `printenv TOKEN` expose credentials in output.
+3. **NEVER display API keys, tokens, or secrets in conversation output.**
+
+Safe alternatives: `env | grep -c VARNAME` (count only), `[ -n "$VARNAME" ] && echo "set"` (existence check), `grep -c '"key"' config.json` (structure check).
+
+### Recall Before Consequential Actions
+
+1. **NEVER parallelize `recall()` with actions that expose, modify, or transmit sensitive data.** Recall must complete first.
+2. **Confirm scars before acting.** Each recalled scar requires APPLYING (past-tense evidence), N_A (explanation), or REFUTED (risk acknowledgment).
+3. **Parallel recall is only safe with benign reads** — source code, docs, non-sensitive config.
+
+## Tools
+
+| Tool | When to use |
+|------|-------------|
+| `recall` | Before any task — surfaces relevant warnings from past experience |
+| `confirm_scars` | After recall — acknowledge each scar as APPLYING, N_A, or REFUTED |
+| `search` | Explore institutional knowledge by topic |
+| `log` | Browse recent learnings chronologically |
+| `session_start` | Beginning of session — loads last session context and open threads |
+| `session_close` | End of session — persists what you learned |
+| `create_learning` | Capture a mistake (scar), success (win), or pattern |
+| `create_decision` | Log an architectural or operational decision with rationale |
+| `list_threads` | See unresolved work carrying over between sessions |
+| `create_thread` | Track something that needs follow-up in a future session |
+| `help` | Show all available commands |
+
+## Session end
+
+On "closing", "done for now", or "wrapping up":
+
+1. **Answer these reflection questions** and display to the human:
+   - What broke that you didn't expect?
+   - What took longer than it should have?
+   - What would you do differently next time?
+   - What pattern or approach worked well?
+   - What assumption was wrong?
+   - Which scars did you apply?
+   - What should be captured as institutional memory?
+
+2. **Ask the human**: "Any corrections or additions?" Wait for their response.
+
+3. **Write payload** to `.gitmem/closing-payload.json`:
+   ```json
+   {
+     "closing_reflection": {
+       "what_broke": "...",
+       "what_took_longer": "...",
+       "do_differently": "...",
+       "what_worked": "...",
+       "wrong_assumption": "...",
+       "scars_applied": ["scar title 1", "scar title 2"],
+       "institutional_memory_items": "...",
+       "collaborative_dynamic": "Q8: How human preferred to work",
+       "rapport_notes": "Q9: What collaborative dynamic worked"
+     },
+     "task_completion": {
+       "questions_displayed_at": "ISO timestamp",
+       "reflection_completed_at": "ISO timestamp",
+       "human_asked_at": "ISO timestamp",
+       "human_response_at": "ISO timestamp",
+       "human_response": "human's correction text or 'Looks good'"
+     },
+     "human_corrections": "",
+     "scars_to_record": [],
+     "learnings_created": [],
+     "open_threads": [],
+     "decisions": []
+   }
+   ```
+
+4. **Call `session_close`** with `session_id` and `close_type: "standard"`
+
+For short exploratory sessions (< 30 min, no real work), use `close_type: "quick"` — no questions needed.
+# --- gitmem:end ---

package/dist/commands/check.js

@@ -119,6 +119,7 @@ async function runQuickCheck() {
                     apikey: supabaseKey,
                     Authorization: `Bearer ${supabaseKey}`,
                 },
+                signal: AbortSignal.timeout(5_000),
             });
             const durationMs = Date.now() - startTime;
             if (response.ok) {
@@ -158,6 +159,7 @@ async function runQuickCheck() {
                     headers: {
                         Authorization: `Bearer ${openaiKey}`,
                     },
+                    signal: AbortSignal.timeout(5_000),
                 });
                 const durationMs = Date.now() - startTime;
                 if (response.ok) {
@@ -189,6 +191,7 @@ async function runQuickCheck() {
                     headers: {
                         Authorization: `Bearer ${openrouterKey}`,
                     },
+                    signal: AbortSignal.timeout(5_000),
                 });
                 const durationMs = Date.now() - startTime;
                 if (response.ok) {
@@ -216,7 +219,9 @@ async function runQuickCheck() {
         else if (embeddingProvider === "ollama") {
             try {
                 const startTime = Date.now();
-                const response = await fetch(`${ollamaUrl}/api/tags`);
+                const response = await fetch(`${ollamaUrl}/api/tags`, {
+                    signal: AbortSignal.timeout(5_000),
+                });
                 const durationMs = Date.now() - startTime;
                 if (response.ok) {
                     health.embedding = {
@@ -327,6 +332,7 @@ async function runQuickCheck() {
                             Authorization: `Bearer ${supabaseKey}`,
                             Prefer: "count=exact",
                         },
+                        signal: AbortSignal.timeout(5_000),
                     });
                     const count = response.headers.get("content-range");
                     if (count) {
@@ -403,6 +409,7 @@ async function runFullCheck() {
                         apikey: supabaseKey,
                         Authorization: `Bearer ${supabaseKey}`,
                     },
+                    signal: AbortSignal.timeout(5_000),
                 });
             }, 5);
         }

package/dist/schemas/absorb-observations.js

@@ -4,10 +4,10 @@
 import { z } from "zod";
 export const ObservationSeveritySchema = z.enum(["info", "warning", "scar_candidate"]);
 export const ObservationSchema = z.object({
-    source: z.string().min(1, "source is required — who made this observation?"),
-    text: z.string().min(1, "text is required — what was observed?"),
+    source: z.string().min(1, "source is required — who made this observation?").max(500),
+    text: z.string().min(1, "text is required — what was observed?").max(5000),
     severity: ObservationSeveritySchema,
-    context: z.string().optional(),
+    context: z.string().max(1000).optional(),
 });
 export const AbsorbObservationsParamsSchema = z.object({
     task_id: z.string().optional(),

package/dist/schemas/create-decision.js

@@ -7,14 +7,14 @@ import { ProjectSchema } from "./common.js";
  * Create decision parameters schema
  */
 export const CreateDecisionParamsSchema = z.object({
-    title: z.string().min(1, "title is required"),
-    decision: z.string().min(1, "decision text is required"),
-    rationale: z.string().min(1, "rationale is required"),
-    alternatives_considered: z.array(z.string()).optional(),
-    personas_involved: z.array(z.string()).optional(),
-    docs_affected: z.array(z.string()).optional(),
-    linear_issue: z.string().optional(),
-    session_id: z.string().optional(),
+    title: z.string().min(1, "title is required").max(500),
+    decision: z.string().min(1, "decision text is required").max(2000),
+    rationale: z.string().min(1, "rationale is required").max(2000),
+    alternatives_considered: z.array(z.string().max(1000)).optional(),
+    personas_involved: z.array(z.string().max(200)).optional(),
+    docs_affected: z.array(z.string().max(500)).optional(),
+    linear_issue: z.string().max(100).optional(),
+    session_id: z.string().max(100).optional(),
     project: ProjectSchema.optional(),
 });
 /**

package/dist/schemas/create-learning.js

@@ -13,22 +13,22 @@ import { LearningTypeSchema, ScarSeveritySchema, ProjectSchema } from "./common.
 export const CreateLearningParamsSchema = z
     .object({
     learning_type: LearningTypeSchema,
-    title: z.string().min(1, "title is required"),
-    description: z.string().min(1, "description is required"),
+    title: z.string().min(1, "title is required").max(1000),
+    description: z.string().min(1, "description is required").max(5000),
     severity: ScarSeveritySchema.optional(),
-    scar_type: z.string().optional(),
-    counter_arguments: z.array(z.string()).optional(),
-    problem_context: z.string().optional(),
-    solution_approach: z.string().optional(),
-    applies_when: z.array(z.string()).optional(),
-    domain: z.array(z.string()).optional(),
-    keywords: z.array(z.string()).optional(),
-    source_linear_issue: z.string().optional(),
+    scar_type: z.string().max(100).optional(),
+    counter_arguments: z.array(z.string().max(2000)).optional(),
+    problem_context: z.string().max(2000).optional(),
+    solution_approach: z.string().max(2000).optional(),
+    applies_when: z.array(z.string().max(500)).optional(),
+    domain: z.array(z.string().max(100)).optional(),
+    keywords: z.array(z.string().max(100)).optional(),
+    source_linear_issue: z.string().max(100).optional(),
     project: ProjectSchema.optional(),
     // LLM-cooperative enforcement fields
-    why_this_matters: z.string().optional(),
-    action_protocol: z.array(z.string()).optional(),
-    self_check_criteria: z.array(z.string()).optional(),
+    why_this_matters: z.string().max(2000).optional(),
+    action_protocol: z.array(z.string().max(1000)).optional(),
+    self_check_criteria: z.array(z.string().max(1000)).optional(),
 })
     .superRefine((data, ctx) => {
     // Scars require severity

package/dist/schemas/prepare-context.js

@@ -11,10 +11,10 @@ export const PrepareContextFormatSchema = z.enum(["full", "compact", "gate"]);
  * PrepareContext parameters schema
  */
 export const PrepareContextParamsSchema = z.object({
-    plan: z.string().min(1, "plan is required - describe what the team is about to do"),
+    plan: z.string().min(1, "plan is required - describe what the team is about to do").max(500),
     format: PrepareContextFormatSchema,
     max_tokens: PositiveIntSchema.optional(),
-    agent_role: z.string().optional(),
+    agent_role: z.string().max(100).optional(),
     project: ProjectSchema.optional(),
 });
 /**

package/dist/schemas/thread.js

@@ -11,14 +11,14 @@ export const ThreadStatusSchema = z.enum(["open", "resolved"]);
  * Thread object schema (structured thread with lifecycle)
  */
 export const ThreadObjectSchema = z.object({
-    id: z.string(),
-    text: z.string(),
+    id: z.string().max(100),
+    text: z.string().max(3000),
     status: ThreadStatusSchema,
-    created_at: z.string(),
-    resolved_at: z.string().optional(),
-    source_session: z.string().optional(),
-    resolved_by_session: z.string().optional(),
-    resolution_note: z.string().optional(),
+    created_at: z.string().max(100),
+    resolved_at: z.string().max(100).optional(),
+    source_session: z.string().max(100).optional(),
+    resolved_by_session: z.string().max(100).optional(),
+    resolution_note: z.string().max(1000).optional(),
 });
 /**
  * list_threads parameters
@@ -32,8 +32,8 @@ export const ListThreadsParamsSchema = z.object({
  * resolve_thread parameters
  */
 export const ResolveThreadParamsSchema = z.object({
-    thread_id: z.string().optional(),
-    text_match: z.string().optional(),
-    resolution_note: z.string().optional(),
+    thread_id: z.string().max(100).optional(),
+    text_match: z.string().max(500).optional(),
+    resolution_note: z.string().max(1000).optional(),
 });
 //# sourceMappingURL=thread.js.map

package/dist/server.js

@@ -330,7 +330,7 @@ export function createServer() {
                 .replace(/\b\d{5}\b/g, "[code]") // redact PG error codes
                 .replace(/at\s+\S+\s+\(.+\)/g, "") // strip stack frames
                 .slice(0, 200); // cap length
-            console.error(`[server] Tool error:`, rawMessage);
+            console.error(`[server] Tool error:`, safeMessage);
             return {
                 content: [
                     {

package/dist/services/behavioral-decay.js

@@ -38,10 +38,11 @@ export async function refreshBehavioralScores() {
                 "Content-Profile": "public",
             },
             body: "{}",
+            signal: AbortSignal.timeout(10_000),
         });
         if (!response.ok) {
             const text = await response.text();
-            console.error(`[behavioral-decay] RPC failed: ${response.status} - ${text.slice(0, 200)}`);
+            console.error(`[behavioral-decay] RPC failed: ${response.status} - ${text.replace(/[\x00-\x1f\x7f]/g, "").slice(0, 200)}`);
             return null;
         }
         const result = await response.json();
@@ -87,6 +88,7 @@ export async function fetchDismissalCounts(scarIds) {
                 "Content-Type": "application/json",
                 "Accept-Profile": "public",
             },
+            signal: AbortSignal.timeout(10_000),
         });
         if (!response.ok) {
             return result;

package/dist/services/embedding.js

@@ -156,6 +156,7 @@ async function embedOpenAI(text, config) {
             model: config.model,
             input: text,
         }),
+        signal: AbortSignal.timeout(30_000),
     });
     if (!response.ok) {
         const errorText = await response.text();
@@ -180,6 +181,7 @@ async function embedOllama(text, config) {
             model: config.model,
             input: text,
         }),
+        signal: AbortSignal.timeout(30_000),
     });
     if (!response.ok) {
         const errorText = await response.text();

package/dist/services/local-file-storage.js

@@ -175,9 +175,11 @@ export class LocalFileStorage {
             const existing = this.readCollection("learnings");
             const existingIds = new Set(existing.map((e) => e.id));
             let loaded = 0;
+            const now = new Date().toISOString();
             for (const scar of scars) {
                 if (!existingIds.has(scar.id)) {
-                    existing.push(scar);
+                    // Stamp created_at to install time so starter scars don't show stale ages
+                    existing.push({ ...scar, created_at: now });
                     loaded++;
                 }
             }