hippo-memory 0.38.0 → 0.40.0

package/dist/src/auth.js

@@ -17,6 +17,14 @@ function hashKey(plaintext) {
     const hash = scryptSync(plaintext, salt, SCRYPT_KEYLEN);
     return `scrypt$${salt.toString('hex')}$${hash.toString('hex')}`;
 }
+// Constant dummy hash precomputed once at module load. Used by validateApiKey
+// to pay the scrypt cost on the miss path (unknown / revoked / malformed key)
+// so the timing signal between hit and miss is reduced. The DB lookup branch
+// itself can still leak via cache effects — v0.40 follow-up: request-level
+// rate limit on /v1/* to bound key-id enumeration. Stored format identical to
+// real hashes: scrypt$saltHex$hashHex.
+const DUMMY_PLAINTEXT = 'hk_dummy_constant_padding_for_timing.dummy_secret_padding_for_timing_x';
+const DUMMY_HASH = hashKey(DUMMY_PLAINTEXT);
 function verifyKey(plaintext, stored) {
     const parts = stored.split('$');
     if (parts.length !== 3 || parts[0] !== 'scrypt')
@@ -36,15 +44,23 @@ export function createApiKey(db, opts) {
 }
 export function validateApiKey(db, plaintext) {
     const dot = plaintext.indexOf('.');
-    if (dot < 0)
+    if (dot < 0) {
+        // Malformed input still pays the scrypt cost so caller cannot distinguish
+        // "no dot" from "unknown key_id" by timing.
+        verifyKey(DUMMY_PLAINTEXT, DUMMY_HASH);
         return { valid: false };
+    }
     const keyId = plaintext.slice(0, dot);
     const row = db
         .prepare(`SELECT key_hash, tenant_id, revoked_at FROM api_keys WHERE key_id = ?`)
         .get(keyId);
-    if (!row || row.revoked_at)
-        return { valid: false };
-    if (!verifyKey(plaintext, row.key_hash))
+    // Always run verifyKey — on miss/revoked, against DUMMY_HASH so scrypt cost
+    // is paid. This reduces timing signal between hit and miss, but the DB
+    // lookup itself can still leak via cache effects. v0.40 follow-up: add
+    // request-level rate limit on /v1/* to bound enumeration.
+    const target = (row && !row.revoked_at) ? row.key_hash : DUMMY_HASH;
+    const matches = verifyKey(plaintext, target);
+    if (!row || row.revoked_at || !matches)
         return { valid: false };
     return { valid: true, tenantId: row.tenant_id, keyId };
 }

package/dist/src/auth.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAGvE,MAAM,UAAU,GAAG,KAAK,CAAC;AACzB,MAAM,MAAM,GAAG,EAAE,CAAC,CAAO,4BAA4B;AACrD,MAAM,UAAU,GAAG,EAAE,CAAC,CAAG,yBAAyB;AAClD,MAAM,aAAa,GAAG,EAAE,CAAC;AAEzB,MAAM,MAAM,GAAG,kCAAkC,CAAC;AAElD,SAAS,UAAU,CAAC,CAAS;IAC3B,MAAM,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;IAC7B,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE;QAAE,GAAG,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAE,GAAG,EAAE,CAAC,CAAC;IAC1D,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,OAAO,CAAC,SAAiB;IAChC,qCAAqC;IACrC,MAAM,IAAI,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC7B,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,EAAE,IAAI,EAAE,aAAa,CAAC,CAAC;IACxD,OAAO,UAAU,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AAClE,CAAC;AAED,SAAS,SAAS,CAAC,SAAiB,EAAE,MAAc;IAClD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAChC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC9D,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,KAAK,CAAC,CAAC;IAC3C,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,KAAK,CAAC,CAAC;IAC/C,MAAM,MAAM,GAAG,UAAU,CAAC,SAAS,EAAE,IAAI,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC5D,OAAO,QAAQ,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,IAAI,eAAe,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;AAChF,CAAC;AAYD,MAAM,UAAU,YAAY,CAAC,EAAoB,EAAE,IAAsB;IACvE,MAAM,KAAK,GAAG,GAAG,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;IACnD,MAAM,MAAM,GAAG,UAAU,CAAC,UAAU,CAAC,CAAC;IACtC,MAAM,SAAS,GAAG,GAAG,KAAK,IAAI,MAAM,EAAE,CAAC;IACvC,MAAM,IAAI,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,EAAE,CAAC,OAAO,CACR,8FAA8F,CAC/F,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,KAAK,IAAI,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;IAChF,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;AAC9B,CAAC;AAQD,MAAM,UAAU,cAAc,CAAC,EAAoB,EAAE,SAAiB;IACpE,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,GAAG,GAAG,CAAC;QAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IACrC,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,EAAE;SACX,OAAO,CAAC,uEAAuE,CAAC;SAChF,GAAG,CAAC,KAAK,CAAmF,CAAC;IAChG,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,UAAU;QAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IACpD,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,GAAG,CAAC,QAAQ,CAAC;QAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IACjE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,CAAC,SAAS,EAAE,KAAK,EAAE,CAAC;AACzD,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,EAAoB,EAAE,KAAa;IAC9D,EAAE,CAAC,OAAO,CAAC,4EAA4E,CAAC;SACrF,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,KAAK,CAAC,CAAC;AAC1C,CAAC;AAUD,MAAM,UAAU,WAAW,CAAC,EAAoB,EAAE,IAAyB;IACzE,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM;QACrB,CAAC,CAAC,iHAAiH;QACnH,CAAC,CAAC,wFAAwF,CAAC;IAC7F,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,EAE9B,CAAC;IACH,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACpB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC,SAAS,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK;QACtD,SAAS,EAAE,CAAC,CAAC,UAAU,EAAE,SAAS,EAAE,CAAC,CAAC,UAAU;KACjD,CAAC,CAAC,CAAC;AACN,CAAC"}
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAGvE,MAAM,UAAU,GAAG,KAAK,CAAC;AACzB,MAAM,MAAM,GAAG,EAAE,CAAC,CAAO,4BAA4B;AACrD,MAAM,UAAU,GAAG,EAAE,CAAC,CAAG,yBAAyB;AAClD,MAAM,aAAa,GAAG,EAAE,CAAC;AAEzB,MAAM,MAAM,GAAG,kCAAkC,CAAC;AAElD,SAAS,UAAU,CAAC,CAAS;IAC3B,MAAM,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;IAC7B,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE;QAAE,GAAG,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAE,GAAG,EAAE,CAAC,CAAC;IAC1D,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,OAAO,CAAC,SAAiB;IAChC,qCAAqC;IACrC,MAAM,IAAI,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC7B,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,EAAE,IAAI,EAAE,aAAa,CAAC,CAAC;IACxD,OAAO,UAAU,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AAClE,CAAC;AAED,8EAA8E;AAC9E,8EAA8E;AAC9E,6EAA6E;AAC7E,2EAA2E;AAC3E,8EAA8E;AAC9E,uCAAuC;AACvC,MAAM,eAAe,GAAG,wEAAwE,CAAC;AACjG,MAAM,UAAU,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;AAE5C,SAAS,SAAS,CAAC,SAAiB,EAAE,MAAc;IAClD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAChC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC9D,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,KAAK,CAAC,CAAC;IAC3C,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,KAAK,CAAC,CAAC;IAC/C,MAAM,MAAM,GAAG,UAAU,CAAC,SAAS,EAAE,IAAI,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC5D,OAAO,QAAQ,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,IAAI,eAAe,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;AAChF,CAAC;AAYD,MAAM,UAAU,YAAY,CAAC,EAAoB,EAAE,IAAsB;IACvE,MAAM,KAAK,GAAG,GAAG,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;IACnD,MAAM,MAAM,GAAG,UAAU,CAAC,UAAU,CAAC,CAAC;IACtC,MAAM,SAAS,GAAG,GAAG,KAAK,IAAI,MAAM,EAAE,CAAC;IACvC,MAAM,IAAI,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,EAAE,CAAC,OAAO,CACR,8FAA8F,CAC/F,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,KAAK,IAAI,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;IAChF,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;AAC9B,CAAC;AAQD,MAAM,UAAU,cAAc,CAAC,EAAoB,EAAE,SAAiB;IACpE,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;QACZ,0EAA0E;QAC1E,4CAA4C;QAC5C,SAAS,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;QACvC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IAC1B,CAAC;IACD,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,EAAE;SACX,OAAO,CAAC,uEAAuE,CAAC;SAChF,GAAG,CAAC,KAAK,CAAmF,CAAC;IAEhG,4EAA4E;IAC5E,uEAAuE;IACvE,uEAAuE;IACvE,0DAA0D;IAC1D,MAAM,MAAM,GAAG,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC;IACpE,MAAM,OAAO,GAAG,SAAS,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAC7C,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,UAAU,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IAChE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,CAAC,SAAS,EAAE,KAAK,EAAE,CAAC;AACzD,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,EAAoB,EAAE,KAAa;IAC9D,EAAE,CAAC,OAAO,CAAC,4EAA4E,CAAC;SACrF,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,KAAK,CAAC,CAAC;AAC1C,CAAC;AAUD,MAAM,UAAU,WAAW,CAAC,EAAoB,EAAE,IAAyB;IACzE,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM;QACrB,CAAC,CAAC,iHAAiH;QACnH,CAAC,CAAC,wFAAwF,CAAC;IAC7F,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,EAE9B,CAAC;IACH,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACpB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC,SAAS,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK;QACtD,SAAS,EAAE,CAAC,CAAC,UAAU,EAAE,SAAS,EAAE,CAAC,CAAC,UAAU;KACjD,CAAC,CAAC,CAAC;AACN,CAAC"}

package/dist/src/cli.js

@@ -53,6 +53,8 @@ import { importChatGPT, importClaude, importCursor, importGenericFile, importMar
 import { cmdCapture } from './capture.js';
 import { auditMemories, appendAuditEvent, } from './audit.js';
 import { listApiKeys, revokeApiKey } from './auth.js';
+import { buildProvenanceCoverage } from './provenance-coverage.js';
+import { buildCorrectionLatency } from './correction-latency.js';
 import * as api from './api.js';
 import * as client from './client.js';
 import { detectServer, removePidfile } from './server-detect.js';
@@ -64,7 +66,7 @@ import { wmPush, wmRead, wmClear, wmFlush } from './working-memory.js';
 import { multihopSearch } from './multihop.js';
 import { computeSalience } from './salience.js';
 import { computeAmbientState, renderAmbientSummary } from './ambient.js';
-import { listDlq } from './connectors/slack/dlq.js';
+import { listDlq, replayDlqEntry } from './connectors/slack/dlq.js';
 import { backfillChannel } from './connectors/slack/backfill.js';
 import { slackHistoryFetcher } from './connectors/slack/web-client.js';
 // ---------------------------------------------------------------------------
@@ -3992,12 +3994,17 @@ function cmdAuthCreate(hippoRoot, flags) {
     const tenantFlag = typeof flags['tenant'] === 'string' ? flags['tenant'] : undefined;
     const labelFlag = typeof flags['label'] === 'string' ? flags['label'] : undefined;
     const asJson = Boolean(flags['json']);
+    // The CLI's --tenant flag is the only legitimate cross-tenant override
+    // (admin minting a key for another tenant from the local machine). It
+    // flows through ctx.tenantId, NOT through opts — authCreate's opts no
+    // longer accepts a tenantId field, so the HTTP layer cannot smuggle a
+    // body.tenantId across.
     const ctx = {
         hippoRoot: root,
-        tenantId: resolveTenantId({}),
+        tenantId: tenantFlag ?? resolveTenantId({}),
         actor: 'cli',
     };
-    const result = api.authCreate(ctx, { tenantId: tenantFlag, label: labelFlag });
+    const result = api.authCreate(ctx, { label: labelFlag });
     if (asJson) {
         console.log(JSON.stringify({
             keyId: result.keyId,
@@ -4464,6 +4471,28 @@ function cmdSlackDlqList(hippoRoot, _flags) {
         closeHippoDb(db);
     }
 }
+function cmdSlackDlqReplay(hippoRoot, args, flags) {
+    const idArg = args[2];
+    if (!idArg) {
+        console.error('Usage: hippo slack dlq replay <id> [--force]');
+        process.exit(1);
+    }
+    const id = Number(idArg);
+    if (!Number.isFinite(id) || !Number.isInteger(id) || id < 1) {
+        console.error(`replay: invalid id ${idArg}`);
+        process.exit(1);
+    }
+    const force = flags.force === true;
+    const result = replayDlqEntry({ hippoRoot }, id, {
+        force,
+        signingSecret: process.env.SLACK_SIGNING_SECRET,
+    });
+    if (!result.ok) {
+        console.error(`replay failed: status=${result.status} retry_count=${result.retryCount}${result.reason ? ` reason=${result.reason}` : ''}`);
+        process.exit(1);
+    }
+    console.log(`replay ok: status=${result.status} memory_id=${result.memoryId ?? '(none)'} retry_count=${result.retryCount}`);
+}
 function cmdSlack(hippoRoot, args, flags) {
     const sub = args[0];
     if (sub === 'backfill') {
@@ -4474,7 +4503,11 @@ function cmdSlack(hippoRoot, args, flags) {
         cmdSlackDlqList(hippoRoot, flags);
         return;
     }
-    console.error('Usage: hippo slack <backfill|dlq list> [...]');
+    if (sub === 'dlq' && args[1] === 'replay') {
+        cmdSlackDlqReplay(hippoRoot, args, flags);
+        return;
+    }
+    console.error('Usage: hippo slack <backfill|dlq list|dlq replay <id> [--force]> [...]');
     process.exit(1);
 }
 function printUsage() {
@@ -4590,6 +4623,11 @@ Commands:
     --threshold <n>        Overlap threshold 0-1 (default: 0.7)
   status                   Show memory health stats
   audit [--fix]            Check memory quality (--fix removes junk)
+  provenance               Provenance coverage gate for kind='raw' rows
+    --json                 Output as JSON
+    --strict               Exit non-zero when coverage < 100%
+  correction-latency       Wall-clock lag from receipt to supersession (p50/p95/max)
+    --json                 Output as JSON
   outcome                  Apply feedback to last recall
     --good                 Memories were helpful
     --bad                  Memories were irrelevant
@@ -4977,6 +5015,62 @@ async function main() {
             }
             break;
         }
+        case 'correction-latency': {
+            requireInit(hippoRoot);
+            const entries = loadAllEntries(hippoRoot);
+            const report = buildCorrectionLatency(entries);
+            if (flags['json']) {
+                console.log(JSON.stringify(report, null, 2));
+            }
+            else if (report.count === 0) {
+                console.log('No supersessions found. Correction latency is undefined.');
+            }
+            else {
+                const fmt = (ms) => {
+                    if (ms === null)
+                        return 'n/a';
+                    if (ms < 1000)
+                        return `${ms}ms`;
+                    if (ms < 60_000)
+                        return `${(ms / 1000).toFixed(1)}s`;
+                    if (ms < 3_600_000)
+                        return `${(ms / 60_000).toFixed(1)}m`;
+                    return `${(ms / 3_600_000).toFixed(1)}h`;
+                };
+                console.log(`Corrections: ${report.count} total (${report.extractionCount} extraction-driven, ${report.manualCount} manual)`);
+                console.log(`Latency p50: ${fmt(report.p50Ms)}, p95: ${fmt(report.p95Ms)}, max: ${fmt(report.maxMs)}`);
+                if (report.extractionCount === 0 && report.manualCount > 0) {
+                    console.log(`\nAll ${report.manualCount} corrections were manual supersedes: no measurable observation lag.`);
+                    console.log(`To measure latency, route corrections through extraction (set new.extracted_from to the raw receipt).`);
+                }
+            }
+            break;
+        }
+        case 'provenance': {
+            requireInit(hippoRoot);
+            const entries = loadAllEntries(hippoRoot);
+            const coverage = buildProvenanceCoverage(entries);
+            if (flags['json']) {
+                console.log(JSON.stringify(coverage, null, 2));
+            }
+            else if (coverage.rawTotal === 0) {
+                console.log('No kind=raw memories present. Coverage gate trivially satisfied.');
+            }
+            else {
+                const pct = (coverage.coverage * 100).toFixed(1);
+                console.log(`Provenance coverage: ${coverage.rawWithEnvelope}/${coverage.rawTotal} raw rows envelope-complete (${pct}%)`);
+                if (coverage.gaps.length > 0) {
+                    console.log(`\nGaps:`);
+                    for (const g of coverage.gaps) {
+                        console.log(`  ${g.id}: missing ${g.missing.join(', ')}`);
+                    }
+                }
+            }
+            if (flags['strict'] && coverage.coverage < 1) {
+                process.exit(1);
+            }
+            break;
+        }
         case 'status':
             cmdStatus(hippoRoot);
             break;
@@ -5106,13 +5200,14 @@ async function main() {
             else if (shareId) {
                 requireInit(hippoRoot);
                 const force = Boolean(flags['force']);
-                const result = shareMemory(hippoRoot, shareId, { force });
+                const tenantId = resolveTenantId({});
+                const result = shareMemory(hippoRoot, shareId, { force, tenantId });
                 if (result) {
                     console.log(`Shared [${result.id}] to global store.`);
                     console.log(`  Source: ${result.source}`);
                 }
                 else {
-                    const entry = readEntry(hippoRoot, shareId);
+                    const entry = readEntry(hippoRoot, shareId, tenantId);
                     if (entry) {
                         const score = transferScore(entry);
                         console.log(`Transfer score too low (${fmt(score)}). This memory looks project-specific.`);