ihow-memory 0.1.0-alpha.0

package/dist/governance.js

@@ -0,0 +1,369 @@
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import crypto from 'node:crypto';
+import { absoluteFromMemoryPath, isMcpSandboxPath, relativeToMemory, relativeToSpace } from './workspace.js';
+import { appendEvent } from './store/events.js';
+import { atomicWriteFile, nowCompact, readMemoryFile, safeFileSlug } from './store/files.js';
+import { withWorkspaceLock } from './store/lock.js';
+export const DEFAULT_PROTECTED_PATTERNS = [
+    'SOUL.md',
+    'USER.md',
+    'IDENTITY.md',
+    'MEMORY.md',
+    'AGENTS.md',
+    'memory/SOUL.md',
+    'memory/USER.md',
+    'memory/IDENTITY.md',
+    'memory/MEMORY.md',
+    'current.md'
+];
+const SECRET_LIKE_PATTERNS = [
+    /\b(api[_-]?key|secret|token|password|passwd|cookie|authorization|bearer|refresh[_-]?token)\b\s*[:=]/i,
+    /\bBearer\s+[A-Za-z0-9._~+/=-]{12,}/i,
+    /\bsk-[A-Za-z0-9_-]{16,}\b/i,
+    /\bghp_[A-Za-z0-9_]{16,}\b/i,
+    /\bAKIA[0-9A-Z]{16}\b/,
+    /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i,
+    /(?:账号|账户|邮箱)\s*[:：=]\s*\S+/i
+];
+function candidateText(payload) {
+    const text = payload.text ?? payload.content;
+    if (typeof text !== 'string' || !text.trim()) {
+        throw new Error('candidate_text_required');
+    }
+    assertNoSecretLikeContent(text);
+    return text.trim();
+}
+function assertNoSecretLikeContent(text) {
+    if (SECRET_LIKE_PATTERNS.some((pattern)=>pattern.test(text))) {
+        throw new Error('candidate_contains_secret_like_content');
+    }
+}
+function assertNoSecretLikeDurableCandidate(content) {
+    if (SECRET_LIKE_PATTERNS.some((pattern)=>pattern.test(content))) {
+        throw new Error('redact_check_failed_candidate_contains_secret_like_content');
+    }
+}
+function frontMatter(data) {
+    const lines = [
+        '---'
+    ];
+    for (const [key, value] of Object.entries(data)){
+        lines.push(`${key}: ${JSON.stringify(value)}`);
+    }
+    lines.push('---');
+    return `${lines.join('\n')}\n`;
+}
+function markdownCandidate(candidateId, payload) {
+    const title = payload.title || `Candidate ${candidateId}`;
+    const sourceAgent = payload.sourceAgent || payload.source || 'unknown';
+    const metadata = payload.metadata && typeof payload.metadata === 'object' ? payload.metadata : {};
+    return `${frontMatter({
+        type: 'memory_candidate',
+        candidate_id: candidateId,
+        status: 'candidate',
+        source_agent: sourceAgent,
+        created_at: new Date().toISOString(),
+        ...metadata
+    })}\n# ${title}\n\n${candidateText(payload)}\n`;
+}
+export function isProtectedPath(ref) {
+    const normalized = ref.replace(/\\/g, '/').replace(/^\/+/, '');
+    return DEFAULT_PROTECTED_PATTERNS.some((pattern)=>normalized === pattern || normalized.endsWith(`/${pattern}`));
+}
+function normalizeRef(ref) {
+    return ref.replace(/\\/g, '/').replace(/^\/+/, '');
+}
+function stripMemoryPrefix(ref) {
+    const normalized = normalizeRef(ref);
+    return normalized.startsWith('memory/') ? normalized.slice('memory/'.length) : normalized;
+}
+function resolveTargetPath(workspace, candidateId, target = {}) {
+    if (workspace.mode === 'existing-memory-root') {
+        const title = safeFileSlug(target.title || candidateId, candidateId);
+        return path.join(workspace.promotedDir, `${nowCompact()}-${title}.md`);
+    }
+    const explicit = target.path?.trim();
+    if (explicit) {
+        if (isProtectedPath(explicit)) throw new Error('protected_core_path');
+        const absolute = absoluteFromMemoryPath(workspace, explicit);
+        return absolute;
+    }
+    const scope = safeFileSlug(target.scope || 'general', 'general');
+    const title = safeFileSlug(target.title || candidateId, candidateId);
+    const relative = path.join('scopes', scope, `${nowCompact()}-${title}.md`);
+    if (isProtectedPath(relative)) throw new Error('protected_core_path');
+    return path.join(workspace.memoryDir, relative);
+}
+function candidateDirForAgent(workspace, sourceAgent) {
+    if (workspace.mode === 'existing-memory-root') {
+        return path.join(workspace.candidatesDir, safeFileSlug(sourceAgent, 'unknown'));
+    }
+    return workspace.candidatesDir;
+}
+function isAllowedCandidatePath(workspace, relativePath, absolutePath) {
+    if (workspace.mode === 'existing-memory-root') {
+        return relativePath.startsWith('memory/_mcp/candidates/') && isMcpSandboxPath(workspace, absolutePath);
+    }
+    return relativePath.startsWith('memory/candidate/inbox/');
+}
+function isAllowedDurableTargetPath(relativePath) {
+    const normalized = normalizeRef(relativePath);
+    const memoryRelative = stripMemoryPrefix(normalized);
+    if (/^\d{4}-\d{2}-\d{2}\.md$/.test(memoryRelative)) return true;
+    if (memoryRelative.startsWith('scopes/')) return true;
+    if (memoryRelative.startsWith('inbox/')) return true;
+    if (normalized.startsWith('projects/')) return true;
+    return false;
+}
+function isForbiddenDurableTargetPath(relativePath) {
+    const memoryRelative = stripMemoryPrefix(relativePath);
+    return memoryRelative === 'recent/latest.md' || memoryRelative === 'decisions.md' || memoryRelative === 'workflows.md' || memoryRelative === 'codex/current.md' || memoryRelative === 'claude-code/current.md' || memoryRelative.endsWith('/current.md');
+}
+function resolveDurableTargetPath(workspace, candidateId, target = {}) {
+    const explicit = target.path?.trim();
+    if (explicit) {
+        if (isProtectedPath(explicit)) throw new Error('protected_core_path');
+        const normalized = normalizeRef(explicit);
+        if (normalized.startsWith('projects/')) {
+            const workspaceRoot = workspace.mode === 'existing-memory-root' ? path.dirname(workspace.memoryDir) : workspace.spaceDir;
+            return path.resolve(workspaceRoot, normalized);
+        }
+        return absoluteFromMemoryPath(workspace, normalized);
+    }
+    const scope = safeFileSlug(target.scope || 'general', 'general');
+    const title = safeFileSlug(target.title || candidateId, candidateId);
+    return path.join(workspace.memoryDir, 'scopes', scope, `${nowCompact()}-${title}.md`);
+}
+function relativeDurableTarget(workspace, targetPath) {
+    const resolved = path.resolve(targetPath);
+    const memoryDir = path.resolve(workspace.memoryDir);
+    if (resolved === memoryDir || resolved.startsWith(`${memoryDir}${path.sep}`)) {
+        return relativeToSpace(workspace, resolved);
+    }
+    const workspaceRoot = workspace.mode === 'existing-memory-root' ? path.dirname(workspace.memoryDir) : workspace.spaceDir;
+    const root = path.resolve(workspaceRoot);
+    if (resolved === root || resolved.startsWith(`${root}${path.sep}`)) {
+        return path.relative(root, resolved).split(path.sep).join('/');
+    }
+    throw new Error('target_outside_workspace');
+}
+function durableAppendContent(candidateContent) {
+    return candidateContent.replace(/^status:\s*"candidate"\s*$/m, 'status: "promoted"').replace(/^type:\s*"memory_candidate"\s*$/m, 'type: "memory"').replace(/^---\n/, `---\npromoted_at: "${new Date().toISOString()}"\n`);
+}
+async function durableTargetContent(targetPath, appendContent) {
+    try {
+        const existing = await fs.readFile(targetPath, 'utf8');
+        return `${existing.replace(/\s*$/, '\n\n')}${appendContent}`;
+    } catch (error) {
+        if (error.code === 'ENOENT') return appendContent;
+        throw error;
+    }
+}
+function assertCandidateFrontMatter(content) {
+    const hasCandidateType = /^type:\s*"memory_candidate"\s*$/m.test(content);
+    const hasCandidateStatus = /^status:\s*"candidate"\s*$/m.test(content);
+    if (!hasCandidateType || !hasCandidateStatus) {
+        throw new Error('candidate_frontmatter_required');
+    }
+}
+export async function writeCandidate(workspace, payload) {
+    return await withWorkspaceLock(workspace, async ()=>{
+        const candidateId = crypto.randomUUID();
+        const title = safeFileSlug(payload.title || candidateId, candidateId);
+        const sourceAgent = payload.sourceAgent || payload.source || 'unknown';
+        const filePath = path.join(candidateDirForAgent(workspace, sourceAgent), `${nowCompact()}-${title}.md`);
+        await atomicWriteFile(filePath, markdownCandidate(candidateId, payload));
+        const relativePath = relativeToSpace(workspace, filePath);
+        await appendEvent(workspace, {
+            type: 'candidate.created',
+            path: relativePath,
+            actor: sourceAgent,
+            metadata: {
+                candidateId,
+                status: 'candidate',
+                sandbox: workspace.mode === 'existing-memory-root' ? 'memory/_mcp' : undefined
+            }
+        });
+        return {
+            candidateId,
+            path: relativePath,
+            status: 'candidate'
+        };
+    });
+}
+export async function promoteCandidate(workspace, candidateRef, target = {}) {
+    return await withWorkspaceLock(workspace, async ()=>{
+        const candidate = await readMemoryFile(workspace, candidateRef);
+        const candidateAbsolute = absoluteFromMemoryPath(workspace, candidate.path);
+        if (!isAllowedCandidatePath(workspace, candidate.path, candidateAbsolute)) {
+            throw new Error('candidate_must_be_from_inbox');
+        }
+        const candidateIdMatch = candidate.content.match(/^candidate_id:\s*"?(.*?)"?\s*$/m);
+        const candidateId = candidateIdMatch?.[1] || path.basename(candidate.path, '.md');
+        const targetPath = resolveTargetPath(workspace, candidateId, target);
+        const targetRelative = relativeToSpace(workspace, targetPath);
+        if (isProtectedPath(targetRelative)) throw new Error('protected_core_path');
+        const body = candidate.content.replace(/^status:\s*"candidate"\s*$/m, 'status: "promoted"').replace(/^type:\s*"memory_candidate"\s*$/m, 'type: "memory"').replace(/^---\n/, `---\npromoted_at: "${new Date().toISOString()}"\n`);
+        await atomicWriteFile(targetPath, body);
+        if (workspace.mode === 'existing-memory-root') {
+            if (!isMcpSandboxPath(workspace, targetPath)) throw new Error('target_outside_mcp_sandbox');
+            await fs.rm(candidateAbsolute, {
+                force: true
+            });
+        } else {
+            const historyPath = path.join(workspace.historyDir, 'promoted-candidates', path.basename(candidate.path));
+            await fs.mkdir(path.dirname(historyPath), {
+                recursive: true
+            });
+            await fs.rename(candidateAbsolute, historyPath);
+        }
+        const event = await appendEvent(workspace, {
+            type: 'memory.promoted',
+            candidatePath: candidate.path,
+            targetPath: targetRelative,
+            actor: 'core.promote',
+            metadata: {
+                candidateId,
+                target,
+                stagingOnly: workspace.mode === 'existing-memory-root',
+                targetMemoryPath: relativeToMemory(workspace, targetPath)
+            }
+        });
+        return {
+            candidateId,
+            path: targetRelative,
+            status: 'promoted',
+            eventId: event.id
+        };
+    });
+}
+export async function durablePromoteCandidate(workspace, candidateRef, options = {}) {
+    if (options.dryRun === true && options.realWrite === true) {
+        throw new Error('durable_promote_mode_conflict');
+    }
+    if (options.dryRun !== true && options.realWrite !== true) {
+        throw new Error('durable_promote_requires_explicit_dry_run_or_real_write');
+    }
+    return await withWorkspaceLock(workspace, async ()=>{
+        const candidate = await readMemoryFile(workspace, candidateRef);
+        const candidateAbsolute = absoluteFromMemoryPath(workspace, candidate.path);
+        if (!isAllowedCandidatePath(workspace, candidate.path, candidateAbsolute)) {
+            throw new Error('candidate_must_be_from_inbox');
+        }
+        assertCandidateFrontMatter(candidate.content);
+        assertNoSecretLikeDurableCandidate(candidate.content);
+        const candidateIdMatch = candidate.content.match(/^candidate_id:\s*"?(.*?)"?\s*$/m);
+        const candidateId = candidateIdMatch?.[1] || path.basename(candidate.path, '.md');
+        const targetPath = resolveDurableTargetPath(workspace, candidateId, options.target || {});
+        const targetRelative = relativeDurableTarget(workspace, targetPath);
+        if (isProtectedPath(targetRelative)) throw new Error('protected_core_path');
+        if (isForbiddenDurableTargetPath(targetRelative)) throw new Error('durable_target_forbidden');
+        if (!isAllowedDurableTargetPath(targetRelative)) throw new Error('durable_target_not_whitelisted');
+        const appendContent = durableAppendContent(candidate.content);
+        assertNoSecretLikeDurableCandidate(appendContent);
+        const at = new Date().toISOString();
+        const eventId = crypto.randomUUID();
+        const actor = options.actor || 'core.durable-promote';
+        const archiveCandidateTo = relativeToSpace(workspace, path.join(workspace.historyDir, 'promoted-candidates', path.basename(candidate.path)));
+        const auditEventPath = relativeToSpace(workspace, path.join(workspace.eventsDir, `${at.slice(0, 10)}.ndjson`));
+        const dryRun = options.dryRun === true;
+        const writeGuards = [
+            'explicit-durable-promote-call',
+            'candidate-inbox-source-only',
+            'protected-core-blocked',
+            'target-whitelist-enforced',
+            'redact-check-before-write',
+            'withWorkspaceLock',
+            'atomicWriteFile-for-real-write',
+            dryRun ? 'dry-run-no-write' : 'real-write-explicitly-enabled'
+        ];
+        const plan = {
+            candidatePath: candidate.path,
+            targetPath: targetRelative,
+            targetAbsolutePath: targetPath,
+            operation: 'append',
+            appendContent,
+            archiveCandidateTo,
+            auditEventPath,
+            auditEvent: {
+                id: eventId,
+                type: 'memory.promoted.durable',
+                at,
+                actor,
+                candidatePath: candidate.path,
+                targetPath: targetRelative,
+                metadata: {
+                    candidateId,
+                    target: options.target || {},
+                    dryRun,
+                    source: 'candidate/inbox',
+                    archiveCandidateTo
+                }
+            },
+            writeGuards
+        };
+        if (dryRun) {
+            return {
+                candidateId,
+                status: 'dry-run',
+                dryRun: true,
+                plan,
+                proof: {
+                    explicitDurableTrigger: true,
+                    sourceCandidateInboxOnly: true,
+                    protectedCoreBlocked: true,
+                    targetWhitelistEnforced: true,
+                    redactCheck: 'passed',
+                    dryRunNoWrites: true
+                }
+            };
+        }
+        await atomicWriteFile(targetPath, await durableTargetContent(targetPath, appendContent));
+        const archiveAbsolute = path.join(workspace.historyDir, 'promoted-candidates', path.basename(candidate.path));
+        await fs.mkdir(path.dirname(archiveAbsolute), {
+            recursive: true
+        });
+        await fs.rename(candidateAbsolute, archiveAbsolute);
+        const event = await appendEvent(workspace, {
+            type: 'memory.promoted.durable',
+            candidatePath: candidate.path,
+            targetPath: targetRelative,
+            actor,
+            metadata: {
+                candidateId,
+                target: options.target || {},
+                dryRun: false,
+                source: 'candidate/inbox',
+                archiveCandidateTo
+            }
+        });
+        return {
+            candidateId,
+            status: 'promoted',
+            dryRun: false,
+            eventId: event.id,
+            path: targetRelative,
+            archivedCandidatePath: archiveCandidateTo,
+            plan: {
+                ...plan,
+                auditEvent: {
+                    ...plan.auditEvent,
+                    id: event.id,
+                    at: event.at
+                }
+            },
+            proof: {
+                explicitDurableTrigger: true,
+                sourceCandidateInboxOnly: true,
+                protectedCoreBlocked: true,
+                targetWhitelistEnforced: true,
+                redactCheck: 'passed',
+                dryRunNoWrites: false
+            }
+        };
+    });
+}
+
+
+//# sourceURL=governance.ts

package/dist/http/console.js

@@ -0,0 +1,287 @@
+#!/usr/bin/env -S node --experimental-strip-types
+import http from 'node:http';
+import path from 'node:path';
+import fs from 'node:fs/promises';
+import { openCore } from '../core.js';
+const DEFAULT_HOST = '127.0.0.1';
+const DEFAULT_PORT = 8788;
+const LOCAL_IPS = new Set([
+    '127.0.0.1',
+    '::1',
+    '0.0.0.0'
+]);
+function json(res, status, payload) {
+    const body = `${JSON.stringify(payload, null, 2)}\n`;
+    res.writeHead(status, {
+        'Content-Type': 'application/json; charset=utf-8',
+        'Content-Length': Buffer.byteLength(body),
+        'Cache-Control': 'no-store'
+    });
+    res.end(body);
+}
+function html(res, status, body) {
+    res.writeHead(status, {
+        'Content-Type': 'text/html; charset=utf-8',
+        'Content-Length': Buffer.byteLength(body),
+        'Cache-Control': 'no-store'
+    });
+    res.end(body);
+}
+function remoteIp(req) {
+    return (req.socket.remoteAddress || '').replace(/^::ffff:/, '');
+}
+function assertSafeRef(ref) {
+    if (typeof ref !== 'string' || !ref.trim()) throw new Error('ref_required');
+    const normalized = ref.replace(/\\/g, '/');
+    if (normalized.includes('\0')) throw new Error('invalid_ref');
+    if (path.isAbsolute(normalized) || normalized.split('/').includes('..')) {
+        throw new Error('path_traversal_rejected');
+    }
+}
+async function auditEvents(core, limit) {
+    let entries;
+    try {
+        entries = await fs.readdir(core.workspace.eventsDir);
+    } catch  {
+        return [];
+    }
+    const files = entries.filter((entry)=>entry.endsWith('.ndjson')).sort().slice(-10);
+    const events = [];
+    for (const file of files){
+        const content = await fs.readFile(path.join(core.workspace.eventsDir, file), 'utf8');
+        for (const line of content.split('\n')){
+            if (!line.trim()) continue;
+            try {
+                events.push(JSON.parse(line));
+            } catch  {}
+        }
+    }
+    return events.slice(-limit);
+}
+export async function createConsoleServer(options = {}) {
+    const core = await openCore(options);
+    return http.createServer(async (req, res)=>{
+        try {
+            const ip = remoteIp(req);
+            if (ip && !LOCAL_IPS.has(ip)) return json(res, 403, {
+                ok: false,
+                error: 'local_only'
+            });
+            if (req.method !== 'GET') return json(res, 405, {
+                ok: false,
+                error: 'read_only_console'
+            });
+            const url = new URL(req.url || '/', `http://${req.headers.host || 'localhost'}`);
+            const route = url.pathname;
+            if (route === '/' || route === '/index.html') return html(res, 200, PAGE);
+            if (route === '/health') return json(res, 200, {
+                ok: true,
+                mode: 'local-console',
+                readOnly: true
+            });
+            if (route === '/api/status') return json(res, 200, await core.status());
+            if (route === '/api/search') {
+                const query = url.searchParams.get('q') || '';
+                const limit = Math.min(Number(url.searchParams.get('limit') || 10), 50);
+                return json(res, 200, await core.search(query, {
+                    limit
+                }));
+            }
+            if (route === '/api/read') {
+                const ref = url.searchParams.get('ref') || '';
+                assertSafeRef(ref);
+                return json(res, 200, await core.read(ref));
+            }
+            if (route === '/api/audit') {
+                const limit = Math.min(Number(url.searchParams.get('limit') || 25), 100);
+                return json(res, 200, {
+                    ok: true,
+                    events: await auditEvents(core, limit)
+                });
+            }
+            return json(res, 404, {
+                ok: false,
+                error: 'not_found'
+            });
+        } catch (caught) {
+            const message = caught instanceof Error ? caught.message : String(caught);
+            const status = message === 'path_traversal_rejected' ? 400 : message === 'ref_required' ? 400 : 400;
+            return json(res, status, {
+                ok: false,
+                error: message || 'bad_request'
+            });
+        }
+    });
+}
+export async function main() {
+    const argv = process.argv.slice(2);
+    const options = {};
+    for(let index = 0; index < argv.length; index += 1){
+        const arg = argv[index];
+        if (arg === '--host') options.host = argv[++index];
+        else if (arg === '--port') options.port = Number(argv[++index]);
+        else if (arg === '--space') options.space = argv[++index];
+        else if (arg === '--root') options.root = argv[++index];
+        else if (arg === '--memory-root') options.memoryRoot = argv[++index];
+        else if (arg === '--state-root') options.stateRoot = argv[++index];
+        else if (arg === '--cwd') options.cwd = argv[++index];
+        else if (arg === '--engine') options.engine = argv[++index];
+    }
+    const host = options.host || process.env.IHOW_MEMORY_CONSOLE_HOST || DEFAULT_HOST;
+    const port = options.port ?? Number(process.env.IHOW_MEMORY_CONSOLE_PORT || DEFAULT_PORT);
+    const server = await createConsoleServer(options);
+    server.listen(port, host, ()=>{
+        console.log('cloud: disabled / local only');
+        console.log(`iHow Memory console (read-only): http://${host}:${port}`);
+        console.log('Open the URL in a browser. Ctrl+C to stop.');
+    });
+}
+const PAGE = `<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8" />
+<meta name="viewport" content="width=device-width, initial-scale=1" />
+<title>iHow Memory — Local Console</title>
+<style>
+  :root { --bg:#0f1419; --panel:#fff; --ink:#1b2733; --muted:#6b7785; --line:#e3e8ee; --accent:#2f6f4f; --chip:#eef3f0; }
+  * { box-sizing: border-box; }
+  body { margin:0; font:14px/1.5 -apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,sans-serif; color:var(--ink); background:#f5f7f9; }
+  header { background:var(--bg); color:#e8eef2; padding:14px 22px; display:flex; align-items:center; gap:12px; flex-wrap:wrap; }
+  header h1 { font-size:16px; margin:0; font-weight:600; letter-spacing:.2px; }
+  .badge { font-size:11px; padding:2px 8px; border-radius:999px; background:#1d2b22; color:#7fd1a3; border:1px solid #2c4435; }
+  .badge.cloud { background:#2a2030; color:#d8a7d8; border-color:#43314a; }
+  .wrap { max-width:1080px; margin:0 auto; padding:22px; display:grid; gap:18px; grid-template-columns:1fr 1fr; }
+  .card { background:var(--panel); border:1px solid var(--line); border-radius:10px; padding:16px 18px; }
+  .card.full { grid-column:1 / -1; }
+  .card h2 { font-size:13px; text-transform:uppercase; letter-spacing:.6px; color:var(--muted); margin:0 0 12px; }
+  .kv { display:grid; grid-template-columns:auto 1fr; gap:4px 14px; font-size:13px; }
+  .kv dt { color:var(--muted); }
+  .kv dd { margin:0; font-family:ui-monospace,SFMono-Regular,Menlo,monospace; word-break:break-all; }
+  .row { display:flex; gap:8px; }
+  input[type=text] { flex:1; padding:9px 11px; border:1px solid var(--line); border-radius:8px; font:inherit; }
+  button { padding:9px 14px; border:0; border-radius:8px; background:var(--accent); color:#fff; font:inherit; cursor:pointer; }
+  button:hover { background:#27593f; }
+  .hit { padding:9px 10px; border:1px solid var(--line); border-radius:8px; margin-top:8px; cursor:pointer; }
+  .hit:hover { border-color:var(--accent); background:#fafdfb; }
+  .hit .path { font-family:ui-monospace,Menlo,monospace; font-size:12px; color:var(--accent); word-break:break-all; }
+  .hit .snip { color:var(--muted); margin-top:3px; font-size:12.5px; }
+  pre { background:#0f1419; color:#d6e2ea; padding:12px; border-radius:8px; overflow:auto; max-height:340px; font-size:12px; white-space:pre-wrap; word-break:break-word; }
+  .cite { font-family:ui-monospace,Menlo,monospace; font-size:12px; color:var(--accent); margin-bottom:8px; word-break:break-all; }
+  .ev { font-family:ui-monospace,Menlo,monospace; font-size:12px; padding:5px 0; border-bottom:1px solid var(--line); }
+  .ev .t { color:var(--accent); }
+  .muted { color:var(--muted); }
+  .empty { color:var(--muted); font-style:italic; padding:6px 0; }
+</style>
+</head>
+<body>
+<header>
+  <h1>iHow Memory</h1>
+  <span class="badge">read-only console</span>
+  <span class="badge cloud">cloud disabled · local only</span>
+</header>
+<div class="wrap">
+  <section class="card">
+    <h2>Status</h2>
+    <dl class="kv" id="status"><dd class="muted">loading…</dd></dl>
+  </section>
+  <section class="card">
+    <h2>Audit (recent)</h2>
+    <div id="audit"><div class="empty">loading…</div></div>
+  </section>
+  <section class="card">
+    <h2>Search</h2>
+    <div class="row">
+      <input type="text" id="q" placeholder="search memory… (e.g. alpha sprint)" />
+      <button id="go">Search</button>
+    </div>
+    <div id="hits"></div>
+  </section>
+  <section class="card">
+    <h2>Read · citation</h2>
+    <div id="cite" class="cite muted">click a search result to view its cited source</div>
+    <pre id="content" class="muted">—</pre>
+  </section>
+</div>
+<script>
+const $ = (id) => document.getElementById(id);
+async function getJSON(u) { const r = await fetch(u); return r.json(); }
+
+async function loadStatus() {
+  try {
+    const s = await getJSON('/api/status');
+    const w = s.workspace || {}, p = s.provider || {}, i = s.index || {}, sync = s.sync || {};
+    $('status').innerHTML =
+      row('memory root', w.memoryRoot || w.path || '—') +
+      row('mode', w.mode || '—') +
+      row('provider', (p.id || '?') + ' (ready=' + (p.ready ?? '?') + ', cloud=' + (p.cloud ?? '?') + ')') +
+      (p.fallback ? row('fallback', (p.fallbackFrom||'?') + ' → fts (' + (p.lastError||'') + ')') : '') +
+      row('index', (i.status || '?') + ', documents=' + (i.documents ?? '?')) +
+      row('sync', 'enabled=' + (sync.enabled ?? false));
+  } catch (e) { $('status').innerHTML = '<dd class="muted">status error: ' + e + '</dd>'; }
+}
+function row(k, v) { return '<dt>' + esc(k) + '</dt><dd>' + esc(String(v)) + '</dd>'; }
+
+async function loadAudit() {
+  try {
+    const a = await getJSON('/api/audit?limit=25');
+    const events = a.events || (Array.isArray(a) ? a : []);
+    if (!events.length) { $('audit').innerHTML = '<div class="empty">no audit events yet</div>'; return; }
+    $('audit').innerHTML = events.slice().reverse().map(function(e){
+      const t = e.type || e.event || e.kind || 'event';
+      const id = e.id || e.ref || e.path || '';
+      const when = e.at || e.ts || e.time || '';
+      return '<div class="ev"><span class="t">' + esc(t) + '</span> <span class="muted">' + esc(String(when)) + '</span><br>' + esc(String(id)) + '</div>';
+    }).join('');
+  } catch (e) { $('audit').innerHTML = '<div class="empty">audit error: ' + e + '</div>'; }
+}
+
+async function doSearch() {
+  const q = $('q').value.trim();
+  if (!q) return;
+  $('hits').innerHTML = '<div class="empty">searching…</div>';
+  try {
+    const data = await getJSON('/api/search?limit=10&q=' + encodeURIComponent(q));
+    const hits = Array.isArray(data) ? data : (data.hits || data.results || data.matches || []);
+    if (!hits.length) { $('hits').innerHTML = '<div class="empty">no matches</div>'; return; }
+    $('hits').innerHTML = '';
+    hits.forEach(function(h){
+      const ref = h.ref || h.path || (h.citation && h.citation.path) || '';
+      const snip = h.snippet || h.preview || h.text || h.excerpt || '';
+      const div = document.createElement('div');
+      div.className = 'hit';
+      div.innerHTML = '<div class="path">' + esc(ref || '(no path)') + '</div>' + (snip ? '<div class="snip">' + esc(String(snip).slice(0,180)) + '</div>' : '');
+      div.onclick = function(){ openRead(ref); };
+      $('hits').appendChild(div);
+    });
+  } catch (e) { $('hits').innerHTML = '<div class="empty">search error: ' + e + '</div>'; }
+}
+
+async function openRead(ref) {
+  if (!ref) return;
+  $('cite').textContent = ref; $('cite').className = 'cite';
+  $('content').textContent = 'loading…'; $('content').className = '';
+  try {
+    const d = await getJSON('/api/read?ref=' + encodeURIComponent(ref));
+    const cite = (d.citation && (d.citation.path || d.citation)) || d.path || ref;
+    $('cite').textContent = String(cite);
+    $('content').textContent = d.content || d.text || JSON.stringify(d, null, 2);
+  } catch (e) { $('content').textContent = 'read error: ' + e; }
+}
+
+function esc(s){ return String(s).replace(/[&<>"]/g, function(c){ return ({'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;'})[c]; }); }
+
+$('go').onclick = doSearch;
+$('q').addEventListener('keydown', function(e){ if (e.key === 'Enter') doSearch(); });
+loadStatus(); loadAudit();
+</script>
+</body>
+</html>`;
+if (process.argv[1] && import.meta.url === new URL(process.argv[1], 'file://').href) {
+    main().catch((caught)=>{
+        console.error(caught instanceof Error ? caught.message : String(caught));
+        process.exitCode = 1;
+    });
+}
+
+
+//# sourceURL=http/console.ts