hippo-memory 0.39.0 → 1.0.0

package/README.md

@@ -85,6 +85,18 @@ hippo recall "data pipeline issues" --budget 2000
 
 ---
 
+### What's new in v1.0.0
+
+- **Tenant-isolation security release.** v0.40.0's measurement gates surfaced a real cross-tenant data leak on the continuity tables (`task_snapshots`, `session_events`, `session_handoffs`). Schema migration v22 closes the gap: every continuity helper now scopes reads and writes by `tenantId`. Markdown mirror files (`buffer/active-task.md`, `buffer/recent-session.md`) are tenant-scoped too; the default tenant keeps the unsuffixed filename for on-disk back-compat.
+- **Slack envelope fix.** `messageToRememberOpts` now sets `owner: 'user:<slack_user_id>'` so ingested Slack rows pass the v0.40.0 `hippo provenance --strict` gate.
+- **Breaking change for JS callers.** 10 store helpers (`saveActiveTaskSnapshot`, `loadLatestHandoff`, `appendSessionEvent`, etc.) gained a required `tenantId` second argument. TypeScript callers get a compile error. JS callers get a runtime guard error (`assertTenantId`) that detects the most common misbinding (passing a `sess-*` session id) and points at the migration. See CHANGELOG for the full helper list.
+- **Schema v22 migration.** Idempotent, transactional, with smart tenant backfill via unambiguous `task_snapshots.session_id` joins.
+
+### What's new in v0.40.0
+
+- **Company Brain measurement gates.** Two new diagnostic commands close the last blocked rows of the Company Brain scorecard. `hippo provenance [--json] [--strict]` audits every `kind='raw'` row for `owner` + `artifact_ref`; `--strict` exits non-zero so CI can block on coverage regressions. `hippo correction-latency [--json]` reports p50 / p95 / max wall-clock lag from receipt to supersession across `superseded_by` chains. Both helpers (`buildProvenanceCoverage`, `buildCorrectionLatency`) are importable from `src/`.
+- **No behavioral change to remember / recall.** Additive only: schema unchanged, retrieval untouched.
+
 ### What's new in v0.39.0
 
 - Security hardening release: 5 CRITICAL cross-tenant fixes (CVE candidates), GDPR Path A on archive (true RTBF), MCP per-client isolation, Slack ingestion race + idempotency hardening, auth timing leak reduction.

package/dist/cli.js

@@ -53,6 +53,8 @@ import { importChatGPT, importClaude, importCursor, importGenericFile, importMar
 import { cmdCapture } from './capture.js';
 import { auditMemories, appendAuditEvent, } from './audit.js';
 import { listApiKeys, revokeApiKey } from './auth.js';
+import { buildProvenanceCoverage } from './provenance-coverage.js';
+import { buildCorrectionLatency } from './correction-latency.js';
 import * as api from './api.js';
 import * as client from './client.js';
 import { detectServer, removePidfile } from './server-detect.js';
@@ -2498,7 +2500,7 @@ function cmdSnapshot(hippoRoot, args, flags) {
             console.error('Usage: hippo snapshot save --task <task> --summary <summary> --next-step <step> [--source <source>] [--session <session-id>]');
             process.exit(1);
         }
-        const snapshot = saveActiveTaskSnapshot(hippoRoot, {
+        const snapshot = saveActiveTaskSnapshot(hippoRoot, resolveTenantId({}), {
             task,
             summary,
             next_step: nextStep,
@@ -2514,7 +2516,7 @@ function cmdSnapshot(hippoRoot, args, flags) {
         return;
     }
     if (subcommand === 'clear') {
-        const cleared = clearActiveTaskSnapshot(hippoRoot, String(flags['status'] ?? 'cleared'));
+        const cleared = clearActiveTaskSnapshot(hippoRoot, resolveTenantId({}), String(flags['status'] ?? 'cleared'));
         if (!cleared) {
             console.log('No active task snapshot to clear.');
             return;
@@ -2523,7 +2525,7 @@ function cmdSnapshot(hippoRoot, args, flags) {
         return;
     }
     if (subcommand === 'show') {
-        const snapshot = loadActiveTaskSnapshot(hippoRoot);
+        const snapshot = loadActiveTaskSnapshot(hippoRoot, resolveTenantId({}));
         if (!snapshot) {
             if (flags['json']) {
                 console.log(JSON.stringify({ snapshot: null }));
@@ -2556,7 +2558,7 @@ function cmdSession(hippoRoot, args, flags) {
             console.error('Usage: hippo session log --id <session-id> --content <text> [--type <type>] [--task <task>] [--source <source>]');
             process.exit(1);
         }
-        const event = appendSessionEvent(hippoRoot, {
+        const event = appendSessionEvent(hippoRoot, resolveTenantId({}), {
             session_id: sessionId,
             task: task || null,
             event_type: eventType || 'note',
@@ -2569,7 +2571,7 @@ function cmdSession(hippoRoot, args, flags) {
         return;
     }
     if (subcommand === 'show') {
-        const events = listSessionEvents(hippoRoot, {
+        const events = listSessionEvents(hippoRoot, resolveTenantId({}), {
             session_id: sessionId || undefined,
             task: task || undefined,
             limit,
@@ -2582,8 +2584,8 @@ function cmdSession(hippoRoot, args, flags) {
         return;
     }
     if (subcommand === 'latest') {
-        const snapshot = loadActiveTaskSnapshot(hippoRoot);
-        const events = listSessionEvents(hippoRoot, {
+        const snapshot = loadActiveTaskSnapshot(hippoRoot, resolveTenantId({}));
+        const events = listSessionEvents(hippoRoot, resolveTenantId({}), {
             session_id: sessionId || snapshot?.session_id || undefined,
             limit,
         });
@@ -2616,7 +2618,7 @@ function cmdSession(hippoRoot, args, flags) {
         const metadata = { ended_at: new Date().toISOString() };
         if (summary)
             metadata.summary = summary;
-        const event = appendSessionEvent(hippoRoot, {
+        const event = appendSessionEvent(hippoRoot, resolveTenantId({}), {
             session_id: sessionId,
             task: task || null,
             event_type: 'session_complete',
@@ -2628,7 +2630,7 @@ function cmdSession(hippoRoot, args, flags) {
         return;
     }
     if (subcommand === 'resume') {
-        const handoff = loadLatestHandoff(hippoRoot, sessionId || undefined);
+        const handoff = loadLatestHandoff(hippoRoot, resolveTenantId({}), sessionId || undefined);
         if (!handoff) {
             console.log('No handoff to resume from.');
             return;
@@ -2701,7 +2703,7 @@ function cmdHandoff(hippoRoot, args, flags) {
         const artifacts = Array.isArray(artifactFlag)
             ? artifactFlag
             : (typeof artifactFlag === 'string' ? [artifactFlag] : []);
-        const handoff = saveSessionHandoff(hippoRoot, {
+        const handoff = saveSessionHandoff(hippoRoot, resolveTenantId({}), {
             version: 1,
             sessionId,
             repoRoot: process.cwd(),
@@ -2721,7 +2723,7 @@ function cmdHandoff(hippoRoot, args, flags) {
     }
     if (subcommand === 'latest') {
         const sessionId = String(flags['session'] ?? flags['id'] ?? '').trim() || undefined;
-        const handoff = loadLatestHandoff(hippoRoot, sessionId);
+        const handoff = loadLatestHandoff(hippoRoot, resolveTenantId({}), sessionId);
         if (!handoff) {
             if (flags['json']) {
                 console.log(JSON.stringify({ handoff: null }));
@@ -2749,7 +2751,7 @@ function cmdHandoff(hippoRoot, args, flags) {
             console.error(`Invalid handoff ID: ${idArg}`);
             process.exit(1);
         }
-        const handoff = loadHandoffById(hippoRoot, handoffId);
+        const handoff = loadHandoffById(hippoRoot, resolveTenantId({}), handoffId);
         if (!handoff) {
             if (flags['json']) {
                 console.log(JSON.stringify({ handoff: null }));
@@ -2774,9 +2776,9 @@ function cmdCurrent(hippoRoot, args, flags) {
     const subcommand = args[0] ?? 'show';
     if (subcommand === 'show') {
         const asJson = Boolean(flags['json']);
-        const snapshot = loadActiveTaskSnapshot(hippoRoot);
+        const snapshot = loadActiveTaskSnapshot(hippoRoot, resolveTenantId({}));
         const sessionId = snapshot?.session_id ?? undefined;
-        const events = listSessionEvents(hippoRoot, {
+        const events = listSessionEvents(hippoRoot, resolveTenantId({}), {
             session_id: sessionId,
             limit: 5,
         });
@@ -2865,12 +2867,12 @@ async function cmdContext(hippoRoot, args, flags) {
     let totalTokens = 0;
     // Task snapshots / session events live in the local store. Skip when
     // local isn't initialized — loading would auto-create .hippo in the cwd.
-    const activeSnapshot = hasLocal ? loadActiveTaskSnapshot(hippoRoot) : null;
+    const activeSnapshot = hasLocal ? loadActiveTaskSnapshot(hippoRoot, resolveTenantId({})) : null;
     const sessionHandoff = hasLocal && activeSnapshot?.session_id
-        ? loadLatestHandoff(hippoRoot, activeSnapshot.session_id)
+        ? loadLatestHandoff(hippoRoot, resolveTenantId({}), activeSnapshot.session_id)
         : null;
     const recentSessionEvents = hasLocal && activeSnapshot?.session_id
-        ? listSessionEvents(hippoRoot, { session_id: activeSnapshot.session_id, limit: 5 })
+        ? listSessionEvents(hippoRoot, resolveTenantId({}), { session_id: activeSnapshot.session_id, limit: 5 })
         : [];
     if (localEntries.length === 0 && globalEntries.length === 0 && !activeSnapshot && !sessionHandoff && recentSessionEvents.length === 0) {
         return;
@@ -4621,6 +4623,11 @@ Commands:
     --threshold <n>        Overlap threshold 0-1 (default: 0.7)
   status                   Show memory health stats
   audit [--fix]            Check memory quality (--fix removes junk)
+  provenance               Provenance coverage gate for kind='raw' rows
+    --json                 Output as JSON
+    --strict               Exit non-zero when coverage < 100%
+  correction-latency       Wall-clock lag from receipt to supersession (p50/p95/max)
+    --json                 Output as JSON
   outcome                  Apply feedback to last recall
     --good                 Memories were helpful
     --bad                  Memories were irrelevant
@@ -5008,6 +5015,62 @@ async function main() {
             }
             break;
         }
+        case 'correction-latency': {
+            requireInit(hippoRoot);
+            const entries = loadAllEntries(hippoRoot);
+            const report = buildCorrectionLatency(entries);
+            if (flags['json']) {
+                console.log(JSON.stringify(report, null, 2));
+            }
+            else if (report.count === 0) {
+                console.log('No supersessions found. Correction latency is undefined.');
+            }
+            else {
+                const fmt = (ms) => {
+                    if (ms === null)
+                        return 'n/a';
+                    if (ms < 1000)
+                        return `${ms}ms`;
+                    if (ms < 60_000)
+                        return `${(ms / 1000).toFixed(1)}s`;
+                    if (ms < 3_600_000)
+                        return `${(ms / 60_000).toFixed(1)}m`;
+                    return `${(ms / 3_600_000).toFixed(1)}h`;
+                };
+                console.log(`Corrections: ${report.count} total (${report.extractionCount} extraction-driven, ${report.manualCount} manual)`);
+                console.log(`Latency p50: ${fmt(report.p50Ms)}, p95: ${fmt(report.p95Ms)}, max: ${fmt(report.maxMs)}`);
+                if (report.extractionCount === 0 && report.manualCount > 0) {
+                    console.log(`\nAll ${report.manualCount} corrections were manual supersedes: no measurable observation lag.`);
+                    console.log(`To measure latency, route corrections through extraction (set new.extracted_from to the raw receipt).`);
+                }
+            }
+            break;
+        }
+        case 'provenance': {
+            requireInit(hippoRoot);
+            const entries = loadAllEntries(hippoRoot);
+            const coverage = buildProvenanceCoverage(entries);
+            if (flags['json']) {
+                console.log(JSON.stringify(coverage, null, 2));
+            }
+            else if (coverage.rawTotal === 0) {
+                console.log('No kind=raw memories present. Coverage gate trivially satisfied.');
+            }
+            else {
+                const pct = (coverage.coverage * 100).toFixed(1);
+                console.log(`Provenance coverage: ${coverage.rawWithEnvelope}/${coverage.rawTotal} raw rows envelope-complete (${pct}%)`);
+                if (coverage.gaps.length > 0) {
+                    console.log(`\nGaps:`);
+                    for (const g of coverage.gaps) {
+                        console.log(`  ${g.id}: missing ${g.missing.join(', ')}`);
+                    }
+                }
+            }
+            if (flags['strict'] && coverage.coverage < 1) {
+                process.exit(1);
+            }
+            break;
+        }
         case 'status':
             cmdStatus(hippoRoot);
             break;