gitmem-mcp 1.4.4 → 1.6.0

package/dist/services/license.d.ts

@@ -0,0 +1,57 @@
+/**
+ * License Key Validation for GitMem Pro Tier
+ *
+ * Detection chain:
+ *   1. GITMEM_TIER env var (explicit override — testing/dev)
+ *   2. api_key in config.json or GITMEM_API_KEY env var:
+ *      a. Check license-cache.json → if valid + not expired (72h) → return cached tier
+ *      b. No cache → optimistic "pro" (validated async in runServer)
+ *   3. No key + no SUPABASE_URL + no config.supabase_url → free
+ *   4. No key + SUPABASE_URL set (env var) → pro (backward compat for us)
+ *
+ * Async validation (validateLicense()):
+ *   - Called in runServer() startup (non-blocking)
+ *   - POST to hardcoded validation endpoint with api_key + install_id
+ *   - Success: cache to ~/.gitmem/license-cache.json (72h TTL)
+ *   - Failure: downgrade _tier to free, log warning
+ *   - Network error: honor existing cache if valid, else downgrade
+ */
+export interface LicenseValidationResult {
+    valid: boolean;
+    tier: string | null;
+    message: string;
+}
+/**
+ * Get license key from env var or config.json
+ */
+export declare function getLicenseKey(): string | null;
+/**
+ * Get Pro config (Supabase + OpenRouter credentials) from config.json
+ * Env vars override config.json values.
+ */
+export declare function getProConfig(): {
+    supabaseUrl: string;
+    supabaseKey: string;
+    openrouterKey: string;
+};
+/**
+ * Delete license cache (used by deactivate)
+ */
+export declare function clearLicenseCache(): void;
+/**
+ * Check if license key has a valid cached result (non-async, for tier detection)
+ */
+export declare function getCachedLicenseTier(): string | null;
+/**
+ * Validate license key against GitMem's Supabase RPC endpoint.
+ * Calls gitmem_validate_license() via PostgREST using the anon key.
+ * Returns the validation result.
+ *
+ * This is async and should be called non-blocking during startup.
+ */
+export declare function validateLicense(apiKey: string, installId: string): Promise<LicenseValidationResult>;
+/**
+ * Get the validation URL (for diagnostics/testing)
+ */
+export declare function getValidationUrl(): string;
+//# sourceMappingURL=license.d.ts.map

package/dist/services/license.js

@@ -0,0 +1,200 @@
+/**
+ * License Key Validation for GitMem Pro Tier
+ *
+ * Detection chain:
+ *   1. GITMEM_TIER env var (explicit override — testing/dev)
+ *   2. api_key in config.json or GITMEM_API_KEY env var:
+ *      a. Check license-cache.json → if valid + not expired (72h) → return cached tier
+ *      b. No cache → optimistic "pro" (validated async in runServer)
+ *   3. No key + no SUPABASE_URL + no config.supabase_url → free
+ *   4. No key + SUPABASE_URL set (env var) → pro (backward compat for us)
+ *
+ * Async validation (validateLicense()):
+ *   - Called in runServer() startup (non-blocking)
+ *   - POST to hardcoded validation endpoint with api_key + install_id
+ *   - Success: cache to ~/.gitmem/license-cache.json (72h TTL)
+ *   - Failure: downgrade _tier to free, log warning
+ *   - Network error: honor existing cache if valid, else downgrade
+ */
+import * as fs from "fs";
+import * as path from "path";
+import { getGitmemDir } from "./gitmem-dir.js";
+// Hardcoded validation endpoint — calls RPC directly on our Supabase via PostgREST.
+// Users never see or configure this URL.
+const VALIDATION_URL = "https://cjptxyezuxdiinufgrrm.supabase.co/rest/v1/rpc/gitmem_validate_license";
+// Anon key for our project (safe to embed — RPC is SECURITY DEFINER, RLS blocks direct table access)
+const VALIDATION_ANON_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImNqcHR4eWV6dXhkaWludWZncnJtIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NjYxODY3MDMsImV4cCI6MjA4MTc2MjcwM30.L0oZy3LYCMikmZ15IUU5DnfJmucM37DJ14nUkM3AreY";
+// Cache TTL: 72 hours
+const CACHE_TTL_MS = 72 * 60 * 60 * 1000;
+/**
+ * Get license key from env var or config.json
+ */
+export function getLicenseKey() {
+    // Env var takes priority
+    const envKey = process.env.GITMEM_API_KEY;
+    if (envKey)
+        return envKey;
+    // Read from config.json
+    try {
+        const configPath = path.join(getGitmemDir(), "config.json");
+        if (fs.existsSync(configPath)) {
+            const raw = JSON.parse(fs.readFileSync(configPath, "utf-8"));
+            if (raw.api_key && typeof raw.api_key === "string") {
+                return raw.api_key;
+            }
+        }
+    }
+    catch {
+        // File doesn't exist or is invalid
+    }
+    return null;
+}
+/**
+ * Get Pro config (Supabase + OpenRouter credentials) from config.json
+ * Env vars override config.json values.
+ */
+export function getProConfig() {
+    let supabaseUrl = process.env.SUPABASE_URL || "";
+    let supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY || process.env.SUPABASE_KEY || "";
+    let openrouterKey = process.env.OPENROUTER_API_KEY || "";
+    // Fall back to config.json
+    try {
+        const configPath = path.join(getGitmemDir(), "config.json");
+        if (fs.existsSync(configPath)) {
+            const raw = JSON.parse(fs.readFileSync(configPath, "utf-8"));
+            if (!supabaseUrl && raw.supabase_url)
+                supabaseUrl = raw.supabase_url;
+            if (!supabaseKey && raw.supabase_key)
+                supabaseKey = raw.supabase_key;
+            if (!openrouterKey && raw.openrouter_key)
+                openrouterKey = raw.openrouter_key;
+        }
+    }
+    catch {
+        // File doesn't exist or is invalid
+    }
+    return { supabaseUrl, supabaseKey, openrouterKey };
+}
+/**
+ * Read cached license validation result
+ */
+function readLicenseCache() {
+    try {
+        const cachePath = path.join(getGitmemDir(), "license-cache.json");
+        if (!fs.existsSync(cachePath))
+            return null;
+        const raw = JSON.parse(fs.readFileSync(cachePath, "utf-8"));
+        const validatedAt = new Date(raw.validated_at).getTime();
+        const now = Date.now();
+        // Check TTL
+        if (now - validatedAt > CACHE_TTL_MS) {
+            console.error("[gitmem:license] Cache expired");
+            return null;
+        }
+        return raw;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Write license validation result to cache
+ */
+function writeLicenseCache(result) {
+    try {
+        const gitmemDir = getGitmemDir();
+        if (!fs.existsSync(gitmemDir)) {
+            fs.mkdirSync(gitmemDir, { recursive: true });
+        }
+        const cachePath = path.join(gitmemDir, "license-cache.json");
+        fs.writeFileSync(cachePath, JSON.stringify(result, null, 2));
+    }
+    catch (err) {
+        console.error("[gitmem:license] Failed to write cache:", err);
+    }
+}
+/**
+ * Delete license cache (used by deactivate)
+ */
+export function clearLicenseCache() {
+    try {
+        const cachePath = path.join(getGitmemDir(), "license-cache.json");
+        if (fs.existsSync(cachePath)) {
+            fs.unlinkSync(cachePath);
+        }
+    }
+    catch {
+        // Ignore
+    }
+}
+/**
+ * Check if license key has a valid cached result (non-async, for tier detection)
+ */
+export function getCachedLicenseTier() {
+    const cache = readLicenseCache();
+    if (cache && cache.valid) {
+        return cache.tier;
+    }
+    return null;
+}
+/**
+ * Validate license key against GitMem's Supabase RPC endpoint.
+ * Calls gitmem_validate_license() via PostgREST using the anon key.
+ * Returns the validation result.
+ *
+ * This is async and should be called non-blocking during startup.
+ */
+export async function validateLicense(apiKey, installId) {
+    try {
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), 10000); // 10s timeout
+        const response = await fetch(VALIDATION_URL, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                apikey: VALIDATION_ANON_KEY,
+                Authorization: `Bearer ${VALIDATION_ANON_KEY}`,
+            },
+            body: JSON.stringify({ p_api_key: apiKey, p_install_id: installId }),
+            signal: controller.signal,
+        });
+        clearTimeout(timeout);
+        if (!response.ok) {
+            const text = await response.text().catch(() => "");
+            return { valid: false, tier: null, message: `HTTP ${response.status}: ${text}` };
+        }
+        // PostgREST RPC returns an array of rows
+        const rows = await response.json();
+        const data = Array.isArray(rows) ? rows[0] : rows;
+        if (!data) {
+            return { valid: false, tier: null, message: "Empty validation response" };
+        }
+        // Cache successful validation
+        if (data.valid && data.tier) {
+            writeLicenseCache({
+                valid: true,
+                tier: data.tier,
+                validated_at: new Date().toISOString(),
+                api_key_prefix: apiKey.substring(0, 16) + "...",
+            });
+        }
+        return data;
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : "Unknown error";
+        // Network error: honor existing cache
+        const cache = readLicenseCache();
+        if (cache && cache.valid) {
+            console.error(`[gitmem:license] Network error, using cached validation: ${message}`);
+            return { valid: true, tier: cache.tier, message: "Using cached validation (offline)" };
+        }
+        return { valid: false, tier: null, message: `Network error: ${message}` };
+    }
+}
+/**
+ * Get the validation URL (for diagnostics/testing)
+ */
+export function getValidationUrl() {
+    return VALIDATION_URL;
+}
+//# sourceMappingURL=license.js.map

package/dist/services/supabase-client.d.ts

@@ -37,6 +37,9 @@ export declare function getRecord<T = unknown>(table: string, id: string): Promi
 export declare function upsertRecord<T = unknown>(table: string, data: Record<string, unknown>): Promise<T>;
 /**
  * Semantic search across tables
+ *
+ * Generates an embedding for the query, then calls the gitmem_semantic_search
+ * RPC function directly via PostgREST.
  */
 export declare function semanticSearch<T = unknown>(options: SupabaseSearchOptions): Promise<T[]>;
 /**
@@ -115,6 +118,9 @@ export declare function directPatch<T = unknown>(table: string, filters: Record<
 export declare function loadScarsWithEmbeddings<T = unknown>(project?: string, limit?: number): Promise<T[]>;
 /**
  * Scar search with severity weighting
+ *
+ * Generates an embedding for the query, then calls the gitmem_scar_search
+ * RPC function directly via PostgREST. No Edge Function required.
  */
 export declare function scarSearch<T = unknown>(query: string, matchCount?: number, project?: Project): Promise<T[]>;
 /**

package/dist/services/supabase-client.js

@@ -45,9 +45,11 @@ export function escapePostgRESTValue(value) {
     // PostgREST uses ( ) , as structural delimiters in or=() expressions
     return value.replace(/[(),]/g, "");
 }
-// Configuration from environment
-const SUPABASE_URL = process.env.SUPABASE_URL || "";
-const SUPABASE_KEY = process.env.SUPABASE_SERVICE_ROLE_KEY || process.env.SUPABASE_KEY || "";
+// Configuration from environment, with config.json fallback for Pro tier
+import { getProConfig } from "./license.js";
+const _proConfig = getProConfig();
+const SUPABASE_URL = _proConfig.supabaseUrl;
+const SUPABASE_KEY = _proConfig.supabaseKey;
 // Direct REST API base URL
 const SUPABASE_REST_URL = SUPABASE_URL ? `${SUPABASE_URL}/rest/v1` : "";
 /**
@@ -141,21 +143,45 @@ export async function upsertRecord(table, data) {
 }
 /**
  * Semantic search across tables
+ *
+ * Generates an embedding for the query, then calls the gitmem_semantic_search
+ * RPC function directly via PostgREST.
  */
 export async function semanticSearch(options) {
-    const { query, tables, match_count = 10, project } = options;
-    const args = {
-        query,
-        match_count,
-    };
-    if (tables && tables.length > 0) {
-        args.tables = tables;
+    if (!isConfigured()) {
+        throw new Error("Supabase not configured");
     }
-    if (project) {
-        args.project = project;
+    const { query, match_count = 10 } = options;
+    // Generate embedding for the query
+    const { embed } = await import("./embedding.js");
+    const embedding = await embed(query);
+    if (!embedding) {
+        console.error("[semantic-search] No embedding provider configured — cannot run semantic search");
+        return [];
+    }
+    // Call the RPC function directly via PostgREST
+    const rpcName = `${getTableName("").replace(/_$/, "")}_semantic_search`;
+    const url = `${SUPABASE_URL}/rest/v1/rpc/${rpcName}`;
+    const response = await fetch(url, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            apikey: SUPABASE_KEY,
+            Authorization: `Bearer ${SUPABASE_KEY}`,
+        },
+        body: JSON.stringify({
+            query_embedding: `[${embedding.join(",")}]`,
+            match_count,
+            similarity_threshold: 0.0,
+        }),
+        signal: AbortSignal.timeout(15_000),
+    });
+    if (!response.ok) {
+        const text = await response.text();
+        throw new Error(`Supabase RPC error: ${response.status} - ${text.slice(0, 200)}`);
     }
-    const result = await callMcp("semantic_search", args);
-    return result.results || [];
+    const rows = (await response.json());
+    return rows || [];
 }
 // ============================================================================
 // DIRECT SUPABASE QUERIES (bypass ww-mcp for bulk operations)
@@ -408,17 +434,44 @@ export async function loadScarsWithEmbeddings(project, limit = 500) {
 }
 /**
  * Scar search with severity weighting
+ *
+ * Generates an embedding for the query, then calls the gitmem_scar_search
+ * RPC function directly via PostgREST. No Edge Function required.
  */
 export async function scarSearch(query, matchCount = 5, project) {
-    const args = {
-        query,
-        match_count: matchCount,
-    };
-    if (project) {
-        args.project = project;
+    if (!isConfigured()) {
+        throw new Error("Supabase not configured");
+    }
+    // Generate embedding for the query
+    const { embed } = await import("./embedding.js");
+    const embedding = await embed(query);
+    if (!embedding) {
+        console.error("[scar-search] No embedding provider configured — cannot run semantic search");
+        return [];
+    }
+    // Call the RPC function directly via PostgREST
+    const rpcName = `${getTableName("").replace(/_$/, "")}_scar_search`;
+    const url = `${SUPABASE_URL}/rest/v1/rpc/${rpcName}`;
+    const response = await fetch(url, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            apikey: SUPABASE_KEY,
+            Authorization: `Bearer ${SUPABASE_KEY}`,
+        },
+        body: JSON.stringify({
+            query_embedding: `[${embedding.join(",")}]`,
+            match_count: matchCount,
+            similarity_threshold: 0.0,
+        }),
+        signal: AbortSignal.timeout(15_000),
+    });
+    if (!response.ok) {
+        const text = await response.text();
+        throw new Error(`Supabase RPC error: ${response.status} - ${text.slice(0, 200)}`);
     }
-    const result = await callMcp("scar_search", args);
-    return result.results || [];
+    const rows = (await response.json());
+    return rows || [];
 }
 /**
  * Scar search with caching

package/dist/services/tier.d.ts

@@ -6,15 +6,23 @@
  *   pro  — Supabase + embeddings, semantic search, cloud persistence, variants
  *   dev  — Everything in pro + compliance, transcripts, metrics
  *
- * Detection:
- *   GITMEM_TIER=free|pro|dev   (explicit override)
- *   Auto-detect: no SUPABASE_URL → free, GITMEM_DEV=1 → dev, else → pro
+ * Detection chain:
+ *   1. GITMEM_TIER env var (explicit override — testing/dev)
+ *   2. api_key in config.json or GITMEM_API_KEY env var:
+ *      a. Check license-cache.json → if valid + not expired (72h) → return cached tier
+ *      b. No cache → optimistic "pro" (validated async in runServer)
+ *   3. No key + no SUPABASE_URL + no config.supabase_url → free
+ *   4. No key + SUPABASE_URL set (env var) → pro (backward compat for us)
  */
 export type GitMemTier = "free" | "pro" | "dev";
 /**
  * Get the current tier (cached after first call)
  */
 export declare function getTier(): GitMemTier;
+/**
+ * Force-set tier (used by license validation on failure)
+ */
+export declare function setTier(tier: GitMemTier): void;
 /**
  * Reset tier detection (for testing)
  */
@@ -33,6 +41,8 @@ export declare function hasTranscripts(): boolean;
 export declare function hasBatchOperations(): boolean;
 /** Whether cache management tools are available (pro, dev) */
 export declare function hasCacheManagement(): boolean;
+/** Whether Pro-tier insights (decay tags, analytics snippets, blindspots) are active (pro, dev) */
+export declare function hasProInsights(): boolean;
 /** Whether detailed performance metrics recording is active (pro, dev — aligned with hasVariants) */
 export declare function hasMetrics(): boolean;
 /** Whether advanced agent detection (5-agent matrix) is active (dev only) */

package/dist/services/tier.js

@@ -6,23 +6,42 @@
  *   pro  — Supabase + embeddings, semantic search, cloud persistence, variants
  *   dev  — Everything in pro + compliance, transcripts, metrics
  *
- * Detection:
- *   GITMEM_TIER=free|pro|dev   (explicit override)
- *   Auto-detect: no SUPABASE_URL → free, GITMEM_DEV=1 → dev, else → pro
+ * Detection chain:
+ *   1. GITMEM_TIER env var (explicit override — testing/dev)
+ *   2. api_key in config.json or GITMEM_API_KEY env var:
+ *      a. Check license-cache.json → if valid + not expired (72h) → return cached tier
+ *      b. No cache → optimistic "pro" (validated async in runServer)
+ *   3. No key + no SUPABASE_URL + no config.supabase_url → free
+ *   4. No key + SUPABASE_URL set (env var) → pro (backward compat for us)
  */
+import { getLicenseKey, getCachedLicenseTier, getProConfig } from "./license.js";
 let _tier = null;
 /**
- * Detect tier from environment variables
+ * Detect tier from environment variables, license key, and config
  */
 function detectTier() {
+    // 1. Explicit override via env var (testing/dev)
     const explicit = process.env.GITMEM_TIER?.toLowerCase();
     if (explicit === "free" || explicit === "pro" || explicit === "dev") {
         return explicit;
     }
-    const supabaseUrl = process.env.SUPABASE_URL;
+    // 2. License key present → check cache or optimistic pro
+    const apiKey = getLicenseKey();
+    if (apiKey) {
+        // 2a. Check cached validation
+        const cachedTier = getCachedLicenseTier();
+        if (cachedTier === "pro" || cachedTier === "dev") {
+            return cachedTier;
+        }
+        // 2b. Key present but no valid cache → optimistic pro
+        // (validated async in runServer, downgraded if invalid)
+        return "pro";
+    }
+    // 3. No key — check for Supabase URL (env var or config.json)
+    const supabaseUrl = process.env.SUPABASE_URL || getProConfig().supabaseUrl;
     if (!supabaseUrl)
         return "free";
-    // Dev tier markers
+    // 4. Supabase URL set but no license key → backward compat (internal dev)
     if (process.env.GITMEM_DEV === "true" || process.env.GITMEM_DEV === "1") {
         return "dev";
     }
@@ -38,6 +57,13 @@ export function getTier() {
     }
     return _tier;
 }
+/**
+ * Force-set tier (used by license validation on failure)
+ */
+export function setTier(tier) {
+    _tier = tier;
+    console.error(`[gitmem] Tier updated: ${tier}`);
+}
 /**
  * Reset tier detection (for testing)
  */
@@ -75,6 +101,10 @@ export function hasBatchOperations() {
 export function hasCacheManagement() {
     return getTier() !== "free";
 }
+/** Whether Pro-tier insights (decay tags, analytics snippets, blindspots) are active (pro, dev) */
+export function hasProInsights() {
+    return getTier() !== "free";
+}
 /** Whether detailed performance metrics recording is active (pro, dev — aligned with hasVariants) */
 export function hasMetrics() {
     return getTier() !== "free";
@@ -96,7 +126,8 @@ export function hasEnforcementFields() {
  */
 export function getTablePrefix() {
     // Default prefix for all tiers. Override with GITMEM_TABLE_PREFIX env var.
-    return process.env.GITMEM_TABLE_PREFIX || "orchestra_";
+    // User schema uses gitmem_ prefix. Orchestra infra uses orchestra_ (set via env var).
+    return process.env.GITMEM_TABLE_PREFIX || "gitmem_";
 }
 /**
  * Get the fully-qualified table name for a base table name