kiro-memory 2.1.0 → 3.0.0

package/plugin/dist/hooks/postToolUse.js

@@ -16,6 +16,290 @@ var __export = (target, all) => {
     __defProp(target, name, { get: all[name], enumerable: true });
 };
 
+// src/utils/secrets.ts
+function redactSecrets(text) {
+  if (!text) return text;
+  let redacted = text;
+  for (const { pattern } of SECRET_PATTERNS) {
+    pattern.lastIndex = 0;
+    redacted = redacted.replace(pattern, (match) => {
+      const prefix = match.substring(0, Math.min(4, match.length));
+      return `${prefix}***REDACTED***`;
+    });
+  }
+  return redacted;
+}
+var SECRET_PATTERNS;
+var init_secrets = __esm({
+  "src/utils/secrets.ts"() {
+    "use strict";
+    SECRET_PATTERNS = [
+      // AWS Access Keys (AKIA, ABIA, ACCA, ASIA prefixes + 16 alphanumeric chars)
+      { name: "aws-key", pattern: /(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}/g },
+      // JWT tokens (three base64url segments separated by dots)
+      { name: "jwt", pattern: /eyJ[a-zA-Z0-9_-]{10,}\.eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}/g },
+      // Generic API keys in key=value or key: value assignments
+      { name: "api-key", pattern: /(?:api[_-]?key|apikey|api[_-]?secret)\s*[:=]\s*['"]?([a-zA-Z0-9_\-]{20,})['"]?/gi },
+      // Password/secret/token in variable assignments
+      { name: "credential", pattern: /(?:password|passwd|pwd|secret|token|auth[_-]?token|access[_-]?token|bearer)\s*[:=]\s*['"]?([^\s'"]{8,})['"]?/gi },
+      // Credentials embedded in URLs (user:pass@host)
+      { name: "url-credential", pattern: /(?:https?:\/\/)([^:]+):([^@]+)@/g },
+      // PEM-encoded private keys (RSA, EC, DSA, OpenSSH)
+      { name: "private-key", pattern: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g },
+      // GitHub personal access tokens (ghp_, gho_, ghu_, ghs_, ghr_ prefixes)
+      { name: "github-token", pattern: /gh[pousr]_[a-zA-Z0-9]{36,}/g },
+      // Slack bot/user/app tokens
+      { name: "slack-token", pattern: /xox[bpoas]-[a-zA-Z0-9-]{10,}/g },
+      // HTTP Authorization Bearer header values
+      { name: "bearer-header", pattern: /\bBearer\s+([a-zA-Z0-9_\-\.]{20,})/g },
+      // Generic hex secrets (32+ hex chars after a key/secret/token/password label)
+      { name: "hex-secret", pattern: /(?:key|secret|token|password)\s*[:=]\s*['"]?([0-9a-f]{32,})['"]?/gi }
+    ];
+  }
+});
+
+// src/utils/categorizer.ts
+function categorize(input) {
+  const scores = /* @__PURE__ */ new Map();
+  const searchText = [
+    input.title,
+    input.text || "",
+    input.narrative || "",
+    input.concepts || ""
+  ].join(" ").toLowerCase();
+  const allFiles = [input.filesModified || "", input.filesRead || ""].join(",");
+  for (const rule of CATEGORY_RULES) {
+    let score = 0;
+    for (const kw of rule.keywords) {
+      if (searchText.includes(kw.toLowerCase())) {
+        score += rule.weight;
+      }
+    }
+    if (rule.types && rule.types.includes(input.type)) {
+      score += rule.weight * 2;
+    }
+    if (rule.filePatterns && allFiles) {
+      for (const pattern of rule.filePatterns) {
+        if (pattern.test(allFiles)) {
+          score += rule.weight;
+        }
+      }
+    }
+    if (score > 0) {
+      scores.set(rule.category, (scores.get(rule.category) || 0) + score);
+    }
+  }
+  let bestCategory = "general";
+  let bestScore = 0;
+  for (const [category, score] of scores) {
+    if (score > bestScore) {
+      bestScore = score;
+      bestCategory = category;
+    }
+  }
+  return bestCategory;
+}
+var CATEGORY_RULES;
+var init_categorizer = __esm({
+  "src/utils/categorizer.ts"() {
+    "use strict";
+    CATEGORY_RULES = [
+      {
+        category: "security",
+        keywords: [
+          "security",
+          "vulnerability",
+          "cve",
+          "xss",
+          "csrf",
+          "injection",
+          "sanitize",
+          "escape",
+          "auth",
+          "authentication",
+          "authorization",
+          "permission",
+          "helmet",
+          "cors",
+          "rate-limit",
+          "token",
+          "encrypt",
+          "decrypt",
+          "secret",
+          "redact",
+          "owasp"
+        ],
+        filePatterns: [/security/i, /auth/i, /secrets?\.ts/i],
+        weight: 10
+      },
+      {
+        category: "testing",
+        keywords: [
+          "test",
+          "spec",
+          "expect",
+          "assert",
+          "mock",
+          "stub",
+          "fixture",
+          "coverage",
+          "jest",
+          "vitest",
+          "bun test",
+          "unit test",
+          "integration test",
+          "e2e"
+        ],
+        types: ["test"],
+        filePatterns: [/\.test\./i, /\.spec\./i, /tests?\//i, /__tests__/i],
+        weight: 8
+      },
+      {
+        category: "debugging",
+        keywords: [
+          "debug",
+          "fix",
+          "bug",
+          "error",
+          "crash",
+          "stacktrace",
+          "stack trace",
+          "exception",
+          "breakpoint",
+          "investigate",
+          "root cause",
+          "troubleshoot",
+          "diagnose",
+          "bisect",
+          "regression"
+        ],
+        types: ["bugfix"],
+        weight: 8
+      },
+      {
+        category: "architecture",
+        keywords: [
+          "architect",
+          "design",
+          "pattern",
+          "modular",
+          "migration",
+          "schema",
+          "database",
+          "api design",
+          "abstract",
+          "dependency injection",
+          "singleton",
+          "factory",
+          "observer",
+          "middleware",
+          "pipeline",
+          "microservice",
+          "monolith"
+        ],
+        types: ["decision", "constraint"],
+        weight: 7
+      },
+      {
+        category: "refactoring",
+        keywords: [
+          "refactor",
+          "rename",
+          "extract",
+          "inline",
+          "move",
+          "split",
+          "merge",
+          "simplify",
+          "cleanup",
+          "clean up",
+          "dead code",
+          "consolidate",
+          "reorganize",
+          "restructure",
+          "decouple"
+        ],
+        weight: 6
+      },
+      {
+        category: "config",
+        keywords: [
+          "config",
+          "configuration",
+          "env",
+          "environment",
+          "dotenv",
+          ".env",
+          "settings",
+          "tsconfig",
+          "eslint",
+          "prettier",
+          "webpack",
+          "vite",
+          "esbuild",
+          "docker",
+          "ci/cd",
+          "github actions",
+          "deploy",
+          "build",
+          "bundle",
+          "package.json"
+        ],
+        filePatterns: [
+          /\.config\./i,
+          /\.env/i,
+          /tsconfig/i,
+          /\.ya?ml/i,
+          /Dockerfile/i,
+          /docker-compose/i
+        ],
+        weight: 5
+      },
+      {
+        category: "docs",
+        keywords: [
+          "document",
+          "readme",
+          "changelog",
+          "jsdoc",
+          "comment",
+          "explain",
+          "guide",
+          "tutorial",
+          "api doc",
+          "openapi",
+          "swagger"
+        ],
+        types: ["docs"],
+        filePatterns: [/\.md$/i, /docs?\//i, /readme/i, /changelog/i],
+        weight: 5
+      },
+      {
+        category: "feature-dev",
+        keywords: [
+          "feature",
+          "implement",
+          "add",
+          "create",
+          "new",
+          "endpoint",
+          "component",
+          "module",
+          "service",
+          "handler",
+          "route",
+          "hook",
+          "plugin",
+          "integration"
+        ],
+        types: ["feature", "file-write"],
+        weight: 3
+        // lowest — generic catch-all for development
+      }
+    ];
+  }
+});
+
 // src/services/sqlite/Observations.ts
 var Observations_exports = {};
 __export(Observations_exports, {
@@ -41,11 +325,23 @@ function isDuplicateObservation(db, contentHash, windowMs = 3e4) {
 }
 function createObservation(db, memorySessionId, project, type, title, subtitle, text, narrative, facts, concepts, filesRead, filesModified, promptNumber, contentHash = null, discoveryTokens = 0) {
   const now = /* @__PURE__ */ new Date();
+  const safeTitle = redactSecrets(title);
+  const safeText = text ? redactSecrets(text) : text;
+  const safeNarrative = narrative ? redactSecrets(narrative) : narrative;
+  const autoCategory = categorize({
+    type,
+    title: safeTitle,
+    text: safeText,
+    narrative: safeNarrative,
+    concepts,
+    filesModified,
+    filesRead
+  });
   const result = db.run(
     `INSERT INTO observations
-     (memory_session_id, project, type, title, subtitle, text, narrative, facts, concepts, files_read, files_modified, prompt_number, created_at, created_at_epoch, content_hash, discovery_tokens)
-     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
-    [memorySessionId, project, type, title, subtitle, text, narrative, facts, concepts, filesRead, filesModified, promptNumber, now.toISOString(), now.getTime(), contentHash, discoveryTokens]
+     (memory_session_id, project, type, title, subtitle, text, narrative, facts, concepts, files_read, files_modified, prompt_number, created_at, created_at_epoch, content_hash, discovery_tokens, auto_category)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+    [memorySessionId, project, type, safeTitle, subtitle, safeText, safeNarrative, facts, concepts, filesRead, filesModified, promptNumber, now.toISOString(), now.getTime(), contentHash, discoveryTokens, autoCategory]
   );
   return Number(result.lastInsertRowid);
 }
@@ -57,16 +353,16 @@ function getObservationsBySession(db, memorySessionId) {
 }
 function getObservationsByProject(db, project, limit = 100) {
   const query = db.query(
-    "SELECT * FROM observations WHERE project = ? ORDER BY created_at_epoch DESC LIMIT ?"
+    "SELECT * FROM observations WHERE project = ? ORDER BY created_at_epoch DESC, id DESC LIMIT ?"
   );
   return query.all(project, limit);
 }
 function searchObservations(db, searchTerm, project) {
   const sql = project ? `SELECT * FROM observations
        WHERE project = ? AND (title LIKE ? ESCAPE '\\' OR text LIKE ? ESCAPE '\\' OR narrative LIKE ? ESCAPE '\\')
-       ORDER BY created_at_epoch DESC` : `SELECT * FROM observations
+       ORDER BY created_at_epoch DESC, id DESC` : `SELECT * FROM observations
        WHERE title LIKE ? ESCAPE '\\' OR text LIKE ? ESCAPE '\\' OR narrative LIKE ? ESCAPE '\\'
-       ORDER BY created_at_epoch DESC`;
+       ORDER BY created_at_epoch DESC, id DESC`;
   const pattern = `%${escapeLikePattern(searchTerm)}%`;
   const query = db.query(sql);
   if (project) {
@@ -122,7 +418,7 @@ function consolidateObservations(db, project, options = {}) {
       const obsIds = group.ids.split(",").map(Number);
       const placeholders = obsIds.map(() => "?").join(",");
       const observations = db.query(
-        `SELECT * FROM observations WHERE id IN (${placeholders}) ORDER BY created_at_epoch DESC`
+        `SELECT * FROM observations WHERE id IN (${placeholders}) ORDER BY created_at_epoch DESC, id DESC`
       ).all(...obsIds);
       if (observations.length < minGroupSize) continue;
       const keeper = observations[0];
@@ -153,6 +449,8 @@ function consolidateObservations(db, project, options = {}) {
 var init_Observations = __esm({
   "src/services/sqlite/Observations.ts"() {
     "use strict";
+    init_secrets();
+    init_categorizer();
   }
 });
 
@@ -272,7 +570,7 @@ function searchObservationsLIKE(db, query, filters = {}) {
     sql += " AND created_at_epoch <= ?";
     params.push(filters.dateEnd);
   }
-  sql += " ORDER BY created_at_epoch DESC LIMIT ?";
+  sql += " ORDER BY created_at_epoch DESC, id DESC LIMIT ?";
   params.push(limit);
   const stmt = db.query(sql);
   return stmt.all(...params);
@@ -297,7 +595,7 @@ function searchSummariesFiltered(db, query, filters = {}) {
     sql += " AND created_at_epoch <= ?";
     params.push(filters.dateEnd);
   }
-  sql += " ORDER BY created_at_epoch DESC LIMIT ?";
+  sql += " ORDER BY created_at_epoch DESC, id DESC LIMIT ?";
   params.push(limit);
   const stmt = db.query(sql);
   return stmt.all(...params);
@@ -307,7 +605,7 @@ function getObservationsByIds(db, ids) {
   const validIds = ids.filter((id) => typeof id === "number" && Number.isInteger(id) && id > 0).slice(0, 500);
   if (validIds.length === 0) return [];
   const placeholders = validIds.map(() => "?").join(",");
-  const sql = `SELECT * FROM observations WHERE id IN (${placeholders}) ORDER BY created_at_epoch DESC`;
+  const sql = `SELECT * FROM observations WHERE id IN (${placeholders}) ORDER BY created_at_epoch DESC, id DESC`;
   const stmt = db.query(sql);
   return stmt.all(...validIds);
 }
@@ -319,11 +617,11 @@ function getTimeline(db, anchorId, depthBefore = 5, depthAfter = 5) {
   const beforeStmt = db.query(`
     SELECT id, 'observation' as type, title, text as content, project, created_at, created_at_epoch
     FROM observations
-    WHERE created_at_epoch < ?
-    ORDER BY created_at_epoch DESC
+    WHERE (created_at_epoch < ? OR (created_at_epoch = ? AND id < ?))
+    ORDER BY created_at_epoch DESC, id DESC
     LIMIT ?
   `);
-  const before = beforeStmt.all(anchorEpoch, depthBefore).reverse();
+  const before = beforeStmt.all(anchorEpoch, anchorEpoch, anchorId, depthBefore).reverse();
   const selfStmt = db.query(`
     SELECT id, 'observation' as type, title, text as content, project, created_at, created_at_epoch
     FROM observations WHERE id = ?
@@ -332,11 +630,11 @@ function getTimeline(db, anchorId, depthBefore = 5, depthAfter = 5) {
   const afterStmt = db.query(`
     SELECT id, 'observation' as type, title, text as content, project, created_at, created_at_epoch
     FROM observations
-    WHERE created_at_epoch > ?
-    ORDER BY created_at_epoch ASC
+    WHERE (created_at_epoch > ? OR (created_at_epoch = ? AND id > ?))
+    ORDER BY created_at_epoch ASC, id ASC
     LIMIT ?
   `);
-  const after = afterStmt.all(anchorEpoch, depthAfter);
+  const after = afterStmt.all(anchorEpoch, anchorEpoch, anchorId, depthAfter);
   return [...before, ...self, ...after];
 }
 function getProjectStats(db, project) {
@@ -379,7 +677,7 @@ function getStaleObservations(db, project) {
   const rows = db.query(`
     SELECT * FROM observations
     WHERE project = ? AND files_modified IS NOT NULL AND files_modified != ''
-    ORDER BY created_at_epoch DESC
+    ORDER BY created_at_epoch DESC, id DESC
     LIMIT 500
   `).all(project);
   const staleObs = [];
@@ -1208,11 +1506,104 @@ var MigrationRunner = class {
           db.run("CREATE INDEX IF NOT EXISTS idx_summaries_project_epoch ON summaries(project, created_at_epoch DESC)");
           db.run("CREATE INDEX IF NOT EXISTS idx_prompts_project_epoch ON prompts(project, created_at_epoch DESC)");
         }
+      },
+      {
+        version: 10,
+        up: (db) => {
+          db.run(`
+            CREATE TABLE IF NOT EXISTS job_queue (
+              id INTEGER PRIMARY KEY AUTOINCREMENT,
+              type TEXT NOT NULL,
+              status TEXT NOT NULL DEFAULT 'pending',
+              payload TEXT,
+              result TEXT,
+              error TEXT,
+              retry_count INTEGER DEFAULT 0,
+              max_retries INTEGER DEFAULT 3,
+              priority INTEGER DEFAULT 0,
+              created_at TEXT NOT NULL,
+              created_at_epoch INTEGER NOT NULL,
+              started_at_epoch INTEGER,
+              completed_at_epoch INTEGER
+            )
+          `);
+          db.run("CREATE INDEX IF NOT EXISTS idx_jobs_status ON job_queue(status)");
+          db.run("CREATE INDEX IF NOT EXISTS idx_jobs_type ON job_queue(type)");
+          db.run("CREATE INDEX IF NOT EXISTS idx_jobs_priority ON job_queue(status, priority DESC, created_at_epoch ASC)");
+        }
+      },
+      {
+        version: 11,
+        up: (db) => {
+          db.run("ALTER TABLE observations ADD COLUMN auto_category TEXT");
+          db.run("CREATE INDEX IF NOT EXISTS idx_observations_category ON observations(auto_category)");
+        }
+      },
+      {
+        version: 12,
+        up: (db) => {
+          db.run(`
+            CREATE TABLE IF NOT EXISTS github_links (
+              id INTEGER PRIMARY KEY AUTOINCREMENT,
+              observation_id INTEGER,
+              session_id TEXT,
+              repo TEXT NOT NULL,
+              issue_number INTEGER,
+              pr_number INTEGER,
+              event_type TEXT NOT NULL,
+              action TEXT,
+              title TEXT,
+              url TEXT,
+              author TEXT,
+              created_at TEXT NOT NULL,
+              created_at_epoch INTEGER NOT NULL,
+              FOREIGN KEY (observation_id) REFERENCES observations(id)
+            )
+          `);
+          db.run("CREATE INDEX IF NOT EXISTS idx_github_links_repo ON github_links(repo)");
+          db.run("CREATE INDEX IF NOT EXISTS idx_github_links_obs ON github_links(observation_id)");
+          db.run("CREATE INDEX IF NOT EXISTS idx_github_links_event ON github_links(event_type)");
+          db.run("CREATE INDEX IF NOT EXISTS idx_github_links_repo_issue ON github_links(repo, issue_number)");
+          db.run("CREATE INDEX IF NOT EXISTS idx_github_links_repo_pr ON github_links(repo, pr_number)");
+        }
+      },
+      {
+        version: 13,
+        up: (db) => {
+          db.run("CREATE INDEX IF NOT EXISTS idx_observations_keyset ON observations(created_at_epoch DESC, id DESC)");
+          db.run("CREATE INDEX IF NOT EXISTS idx_observations_project_keyset ON observations(project, created_at_epoch DESC, id DESC)");
+          db.run("CREATE INDEX IF NOT EXISTS idx_summaries_keyset ON summaries(created_at_epoch DESC, id DESC)");
+          db.run("CREATE INDEX IF NOT EXISTS idx_summaries_project_keyset ON summaries(project, created_at_epoch DESC, id DESC)");
+          db.run("CREATE INDEX IF NOT EXISTS idx_prompts_keyset ON prompts(created_at_epoch DESC, id DESC)");
+          db.run("CREATE INDEX IF NOT EXISTS idx_prompts_project_keyset ON prompts(project, created_at_epoch DESC, id DESC)");
+        }
       }
     ];
   }
 };
 
+// src/services/sqlite/cursor.ts
+function encodeCursor(id, epoch) {
+  const raw = `${epoch}:${id}`;
+  return Buffer.from(raw, "utf8").toString("base64url");
+}
+function decodeCursor(cursor) {
+  try {
+    const raw = Buffer.from(cursor, "base64url").toString("utf8");
+    const colonIdx = raw.indexOf(":");
+    if (colonIdx === -1) return null;
+    const epochStr = raw.substring(0, colonIdx);
+    const idStr = raw.substring(colonIdx + 1);
+    const epoch = parseInt(epochStr, 10);
+    const id = parseInt(idStr, 10);
+    if (!Number.isInteger(epoch) || epoch <= 0) return null;
+    if (!Number.isInteger(id) || id <= 0) return null;
+    return { epoch, id };
+  } catch {
+    return null;
+  }
+}
+
 // src/services/sqlite/Sessions.ts
 function createSession(db, contentSessionId, project, userPrompt) {
   const now = /* @__PURE__ */ new Date();
@@ -1256,16 +1647,16 @@ function createSummary(db, sessionId, project, request, investigated, learned, c
 }
 function getSummariesByProject(db, project, limit = 50) {
   const query = db.query(
-    "SELECT * FROM summaries WHERE project = ? ORDER BY created_at_epoch DESC LIMIT ?"
+    "SELECT * FROM summaries WHERE project = ? ORDER BY created_at_epoch DESC, id DESC LIMIT ?"
   );
   return query.all(project, limit);
 }
 function searchSummaries(db, searchTerm, project) {
   const sql = project ? `SELECT * FROM summaries
        WHERE project = ? AND (request LIKE ? ESCAPE '\\' OR learned LIKE ? ESCAPE '\\' OR completed LIKE ? ESCAPE '\\' OR notes LIKE ? ESCAPE '\\')
-       ORDER BY created_at_epoch DESC` : `SELECT * FROM summaries
+       ORDER BY created_at_epoch DESC, id DESC` : `SELECT * FROM summaries
        WHERE request LIKE ? ESCAPE '\\' OR learned LIKE ? ESCAPE '\\' OR completed LIKE ? ESCAPE '\\' OR notes LIKE ? ESCAPE '\\'
-       ORDER BY created_at_epoch DESC`;
+       ORDER BY created_at_epoch DESC, id DESC`;
   const pattern = `%${escapeLikePattern2(searchTerm)}%`;
   const query = db.query(sql);
   if (project) {
@@ -1287,7 +1678,7 @@ function createPrompt(db, contentSessionId, project, promptNumber, promptText) {
 }
 function getPromptsByProject(db, project, limit = 100) {
   const query = db.query(
-    "SELECT * FROM prompts WHERE project = ? ORDER BY created_at_epoch DESC LIMIT ?"
+    "SELECT * FROM prompts WHERE project = ? ORDER BY created_at_epoch DESC, id DESC LIMIT ?"
   );
   return query.all(project, limit);
 }
@@ -1315,13 +1706,13 @@ function createCheckpoint(db, sessionId, project, data) {
 }
 function getLatestCheckpoint(db, sessionId) {
   const query = db.query(
-    "SELECT * FROM checkpoints WHERE session_id = ? ORDER BY created_at_epoch DESC LIMIT 1"
+    "SELECT * FROM checkpoints WHERE session_id = ? ORDER BY created_at_epoch DESC, id DESC LIMIT 1"
   );
   return query.get(sessionId);
 }
 function getLatestCheckpointByProject(db, project) {
   const query = db.query(
-    "SELECT * FROM checkpoints WHERE project = ? ORDER BY created_at_epoch DESC LIMIT 1"
+    "SELECT * FROM checkpoints WHERE project = ? ORDER BY created_at_epoch DESC, id DESC LIMIT 1"
   );
   return query.get(project);
 }
@@ -1383,9 +1774,9 @@ function getReportData(db, project, startEpoch, endEpoch) {
   const staleCount = (project ? db.query(staleSql).get(project, startEpoch, endEpoch)?.count : db.query(staleSql).get(startEpoch, endEpoch)?.count) || 0;
   const summarySql = project ? `SELECT learned, completed, next_steps FROM summaries
        WHERE project = ? AND created_at_epoch >= ? AND created_at_epoch <= ?
-       ORDER BY created_at_epoch DESC` : `SELECT learned, completed, next_steps FROM summaries
+       ORDER BY created_at_epoch DESC, id DESC` : `SELECT learned, completed, next_steps FROM summaries
        WHERE created_at_epoch >= ? AND created_at_epoch <= ?
-       ORDER BY created_at_epoch DESC`;
+       ORDER BY created_at_epoch DESC, id DESC`;
   const summaryRows = project ? db.query(summarySql).all(project, startEpoch, endEpoch) : db.query(summarySql).all(startEpoch, endEpoch);
   const topLearnings = [];
   const completedTasks = [];
@@ -1450,20 +1841,61 @@ function getReportData(db, project, startEpoch, endEpoch) {
 // src/services/sqlite/index.ts
 init_Search();
 
+// src/types/worker-types.ts
+var KNOWLEDGE_TYPES = ["constraint", "decision", "heuristic", "rejected"];
+
+// src/services/sqlite/Retention.ts
+var KNOWLEDGE_TYPE_LIST = KNOWLEDGE_TYPES;
+var KNOWLEDGE_PLACEHOLDERS = KNOWLEDGE_TYPE_LIST.map(() => "?").join(", ");
+
 // src/sdk/index.ts
 init_Observations();
 import { createHash } from "crypto";
 init_Search();
 
 // src/services/search/EmbeddingService.ts
+var MODEL_CONFIGS = {
+  "all-MiniLM-L6-v2": {
+    modelId: "Xenova/all-MiniLM-L6-v2",
+    dimensions: 384
+  },
+  "jina-code-v2": {
+    modelId: "jinaai/jina-embeddings-v2-base-code",
+    dimensions: 768
+  },
+  "bge-small-en": {
+    modelId: "BAAI/bge-small-en-v1.5",
+    dimensions: 384
+  }
+};
+var FASTEMBED_COMPATIBLE_MODELS = /* @__PURE__ */ new Set(["all-MiniLM-L6-v2", "bge-small-en"]);
 var EmbeddingService = class {
   provider = null;
   model = null;
   initialized = false;
   initializing = null;
+  config;
+  configName;
+  constructor() {
+    const envModel = process.env.KIRO_MEMORY_EMBEDDING_MODEL || "all-MiniLM-L6-v2";
+    this.configName = envModel;
+    if (MODEL_CONFIGS[envModel]) {
+      this.config = MODEL_CONFIGS[envModel];
+    } else if (envModel.includes("/")) {
+      const dimensions = parseInt(process.env.KIRO_MEMORY_EMBEDDING_DIMENSIONS || "384", 10);
+      this.config = {
+        modelId: envModel,
+        dimensions: isNaN(dimensions) ? 384 : dimensions
+      };
+    } else {
+      logger.warn("EMBEDDING", `Unknown model name '${envModel}', falling back to 'all-MiniLM-L6-v2'`);
+      this.configName = "all-MiniLM-L6-v2";
+      this.config = MODEL_CONFIGS["all-MiniLM-L6-v2"];
+    }
+  }
   /**
    * Initialize the embedding service.
-   * Tries fastembed, then @huggingface/transformers, then fallback to null.
+   * Tries fastembed (when compatible), then @huggingface/transformers, then falls back to null.
    */
   async initialize() {
     if (this.initialized) return this.provider !== null;
@@ -1474,32 +1906,35 @@ var EmbeddingService = class {
     return result;
   }
   async _doInitialize() {
-    try {
-      const fastembed = await import("fastembed");
-      const EmbeddingModel = fastembed.EmbeddingModel || fastembed.default?.EmbeddingModel;
-      const FlagEmbedding = fastembed.FlagEmbedding || fastembed.default?.FlagEmbedding;
-      if (FlagEmbedding && EmbeddingModel) {
-        this.model = await FlagEmbedding.init({
-          model: EmbeddingModel.BGESmallENV15
-        });
-        this.provider = "fastembed";
-        this.initialized = true;
-        logger.info("EMBEDDING", "Initialized with fastembed (BGE-small-en-v1.5)");
-        return true;
+    const fastembedCompatible = FASTEMBED_COMPATIBLE_MODELS.has(this.configName);
+    if (fastembedCompatible) {
+      try {
+        const fastembed = await import("fastembed");
+        const EmbeddingModel = fastembed.EmbeddingModel || fastembed.default?.EmbeddingModel;
+        const FlagEmbedding = fastembed.FlagEmbedding || fastembed.default?.FlagEmbedding;
+        if (FlagEmbedding && EmbeddingModel) {
+          this.model = await FlagEmbedding.init({
+            model: EmbeddingModel.BGESmallENV15
+          });
+          this.provider = "fastembed";
+          this.initialized = true;
+          logger.info("EMBEDDING", `Initialized with fastembed (BGE-small-en-v1.5) for model '${this.configName}'`);
+          return true;
+        }
+      } catch (error) {
+        logger.debug("EMBEDDING", `fastembed not available: ${error}`);
       }
-    } catch (error) {
-      logger.debug("EMBEDDING", `fastembed not available: ${error}`);
     }
     try {
       const transformers = await import("@huggingface/transformers");
       const pipeline = transformers.pipeline || transformers.default?.pipeline;
       if (pipeline) {
-        this.model = await pipeline("feature-extraction", "Xenova/all-MiniLM-L6-v2", {
+        this.model = await pipeline("feature-extraction", this.config.modelId, {
           quantized: true
         });
         this.provider = "transformers";
         this.initialized = true;
-        logger.info("EMBEDDING", "Initialized with @huggingface/transformers (all-MiniLM-L6-v2)");
+        logger.info("EMBEDDING", `Initialized with @huggingface/transformers (${this.config.modelId})`);
         return true;
       }
     } catch (error) {
@@ -1512,7 +1947,7 @@ var EmbeddingService = class {
   }
   /**
    * Generate embedding for a single text.
-   * Returns Float32Array with 384 dimensions, or null if not available.
+   * Returns Float32Array with configured dimensions, or null if not available.
    */
   async embed(text) {
     if (!this.initialized) await this.initialize();
@@ -1563,10 +1998,17 @@ var EmbeddingService = class {
     return this.provider;
   }
   /**
-   * Embedding vector dimensions.
+   * Embedding vector dimensions for the active model configuration.
    */
   getDimensions() {
-    return 384;
+    return this.config.dimensions;
+  }
+  /**
+   * Human-readable model name used as identifier in the observation_embeddings table.
+   * Returns the short name (e.g., 'all-MiniLM-L6-v2') or the full HF model ID for custom models.
+   */
+  getModelName() {
+    return this.configName;
   }
   // --- Batch implementations ---
   /**
@@ -1785,7 +2227,7 @@ var VectorSearch = class {
     `).all(batchSize);
     if (rows.length === 0) return 0;
     let count = 0;
-    const model = embeddingService2.getProvider() || "unknown";
+    const model = embeddingService2.getModelName();
     for (const row of rows) {
       const parts = [row.title];
       if (row.text) parts.push(row.text);
@@ -1963,9 +2405,6 @@ function getHybridSearch() {
   return hybridSearch;
 }
 
-// src/types/worker-types.ts
-var KNOWLEDGE_TYPES = ["constraint", "decision", "heuristic", "rejected"];
-
 // src/sdk/index.ts
 var KiroMemorySDK = class {
   db;
@@ -2522,6 +2961,66 @@ var KiroMemorySDK = class {
     }
     return getReportData(this.db.db, this.project, startEpoch, endEpoch);
   }
+  /**
+   * Lista osservazioni con keyset pagination.
+   * Restituisce un oggetto { data, next_cursor, has_more }.
+   *
+   * Esempio:
+   *   const page1 = await sdk.listObservations({ limit: 50 });
+   *   const page2 = await sdk.listObservations({ cursor: page1.next_cursor });
+   */
+  async listObservations(options = {}) {
+    const limit = Math.min(Math.max(options.limit ?? 50, 1), 200);
+    const project = options.project ?? this.project;
+    let rows;
+    if (options.cursor) {
+      const decoded = decodeCursor(options.cursor);
+      if (!decoded) throw new Error("Cursor non valido");
+      const sql = project ? `SELECT * FROM observations
+           WHERE project = ? AND (created_at_epoch < ? OR (created_at_epoch = ? AND id < ?))
+           ORDER BY created_at_epoch DESC, id DESC
+           LIMIT ?` : `SELECT * FROM observations
+           WHERE (created_at_epoch < ? OR (created_at_epoch = ? AND id < ?))
+           ORDER BY created_at_epoch DESC, id DESC
+           LIMIT ?`;
+      rows = project ? this.db.db.query(sql).all(project, decoded.epoch, decoded.epoch, decoded.id, limit) : this.db.db.query(sql).all(decoded.epoch, decoded.epoch, decoded.id, limit);
+    } else {
+      const sql = project ? "SELECT * FROM observations WHERE project = ? ORDER BY created_at_epoch DESC, id DESC LIMIT ?" : "SELECT * FROM observations ORDER BY created_at_epoch DESC, id DESC LIMIT ?";
+      rows = project ? this.db.db.query(sql).all(project, limit) : this.db.db.query(sql).all(limit);
+    }
+    const next_cursor = rows.length >= limit ? encodeCursor(rows[rows.length - 1].id, rows[rows.length - 1].created_at_epoch) : null;
+    return { data: rows, next_cursor, has_more: next_cursor !== null };
+  }
+  /**
+   * Lista sommari con keyset pagination.
+   * Restituisce un oggetto { data, next_cursor, has_more }.
+   *
+   * Esempio:
+   *   const page1 = await sdk.listSummaries({ limit: 20 });
+   *   const page2 = await sdk.listSummaries({ cursor: page1.next_cursor });
+   */
+  async listSummaries(options = {}) {
+    const limit = Math.min(Math.max(options.limit ?? 20, 1), 200);
+    const project = options.project ?? this.project;
+    let rows;
+    if (options.cursor) {
+      const decoded = decodeCursor(options.cursor);
+      if (!decoded) throw new Error("Cursor non valido");
+      const sql = project ? `SELECT * FROM summaries
+           WHERE project = ? AND (created_at_epoch < ? OR (created_at_epoch = ? AND id < ?))
+           ORDER BY created_at_epoch DESC, id DESC
+           LIMIT ?` : `SELECT * FROM summaries
+           WHERE (created_at_epoch < ? OR (created_at_epoch = ? AND id < ?))
+           ORDER BY created_at_epoch DESC, id DESC
+           LIMIT ?`;
+      rows = project ? this.db.db.query(sql).all(project, decoded.epoch, decoded.epoch, decoded.id, limit) : this.db.db.query(sql).all(decoded.epoch, decoded.epoch, decoded.id, limit);
+    } else {
+      const sql = project ? "SELECT * FROM summaries WHERE project = ? ORDER BY created_at_epoch DESC, id DESC LIMIT ?" : "SELECT * FROM summaries ORDER BY created_at_epoch DESC, id DESC LIMIT ?";
+      rows = project ? this.db.db.query(sql).all(project, limit) : this.db.db.query(sql).all(limit);
+    }
+    const next_cursor = rows.length >= limit ? encodeCursor(rows[rows.length - 1].id, rows[rows.length - 1].created_at_epoch) : null;
+    return { data: rows, next_cursor, has_more: next_cursor !== null };
+  }
   /**
    * Getter for direct database access (for API routes)
    */
@@ -2540,6 +3039,7 @@ function createKiroMemory(config) {
 }
 
 // src/hooks/postToolUse.ts
+init_secrets();
 runHook("postToolUse", async (input) => {
   if (input.hook_event_name === "afterFileEdit" && !input.tool_name) {
     input.tool_name = "Write";
@@ -2564,10 +3064,10 @@ runHook("postToolUse", async (input) => {
       const concepts = extractConcepts(input.tool_name, input.tool_input, files);
       await sdk2.storeObservation({
         type: "file-read",
-        title,
+        title: redactSecrets(title),
         subtitle,
-        content: files.length > 0 ? `Files: ${files.join(", ")}` : `Tool ${input.tool_name} executed`,
-        narrative,
+        content: redactSecrets(files.length > 0 ? `Files: ${files.join(", ")}` : `Tool ${input.tool_name} executed`),
+        narrative: redactSecrets(narrative),
         concepts: concepts.length > 0 ? concepts : void 0,
         filesRead: files
       });
@@ -2589,11 +3089,11 @@ runHook("postToolUse", async (input) => {
     const isWrite = type === "file-write";
     await sdk.storeObservation({
       type,
-      title,
+      title: redactSecrets(title),
       subtitle,
-      content,
-      narrative,
-      facts: facts || void 0,
+      content: redactSecrets(content),
+      narrative: redactSecrets(narrative),
+      facts: facts ? redactSecrets(facts) : void 0,
       concepts: concepts.length > 0 ? concepts : void 0,
       filesRead: isWrite ? void 0 : files,
       filesModified: isWrite ? files : void 0