memoir-cli 2.5.3 → 2.6.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "memoir-cli",
-  "version": "2.5.3",
+  "version": "2.6.0",
   "description": "Sync AI memory across devices. Back up and restore Claude, Gemini, Codex, Cursor, Copilot, Windsurf configs. Snapshot coding sessions and resume on another machine. Migrate instructions between AI assistants.",
   "main": "src/index.js",
   "type": "module",

package/src/commands/init.js

@@ -108,6 +108,19 @@ export async function initCommand() {
     }
   }
 
+  // Ask about encryption
+  const { encrypt } = await inquirer.prompt([{
+    type: 'confirm',
+    name: 'encrypt',
+    message: 'Enable E2E encryption? (protects your data even if backup is compromised)',
+    default: true
+  }]);
+  config.encrypt = encrypt;
+
+  if (encrypt) {
+    console.log(chalk.gray('  You\'ll set a passphrase on first push. Same passphrase on all machines.'));
+  }
+
   await saveConfig(config);
   console.log(chalk.green('✔ Saved!\n'));
 

package/src/commands/push.js

@@ -8,6 +8,10 @@ import gradient from 'gradient-string';
 import { getConfig } from '../config.js';
 import { extractMemories, adapters } from '../adapters/index.js';
 import { syncToLocal, syncToGit } from '../providers/index.js';
+import inquirer from 'inquirer';
+import { findClaudeSessions, parseSession, generateContextHandoff } from '../context/capture.js';
+import { scanForSecrets, printSecurityReport } from '../security/scanner.js';
+import { encryptDirectory, createVerifyToken } from '../security/encryption.js';
 
 export async function pushCommand(options = {}) {
   const config = await getConfig(options.profile);
@@ -43,6 +47,57 @@ export async function pushCommand(options = {}) {
       return;
     }
 
+    // Capture session context from latest Claude session
+    let contextCaptured = false;
+    let sessionInfo = null;
+    spinner.text = chalk.gray('Capturing session context...');
+    try {
+      const sessions = findClaudeSessions();
+      if (sessions.length > 0) {
+        const parsed = parseSession(sessions[0].path);
+        if (parsed.userMessages.length > 0) {
+          // Scan the generated handoff for any remaining secrets
+          const handoff = generateContextHandoff(parsed);
+          const { found, clean } = scanForSecrets(handoff);
+
+          // Save handoff to staging dir
+          const handoffDir = path.join(stagingDir, 'handoffs');
+          await fs.ensureDir(handoffDir);
+          const timestamp = new Date().toISOString().replace(/[:.]/g, '-').slice(0, 19);
+          await fs.writeFile(path.join(handoffDir, `${timestamp}-claude.md`), clean);
+          await fs.writeFile(path.join(handoffDir, 'latest.md'), clean);
+
+          // Also save locally for memoir resume
+          const localHandoffDir = path.join(os.homedir(), '.config', 'memoir', 'handoffs');
+          await fs.ensureDir(localHandoffDir);
+          await fs.writeFile(path.join(localHandoffDir, `${timestamp}-claude.md`), clean);
+          await fs.writeFile(path.join(localHandoffDir, 'latest.md'), clean);
+
+          contextCaptured = true;
+          sessionInfo = {
+            slug: parsed.slug,
+            filesModified: parsed.filesWritten.length,
+            duration: parsed.firstTimestamp && parsed.lastTimestamp
+              ? (() => {
+                  const ms = new Date(parsed.lastTimestamp) - new Date(parsed.firstTimestamp);
+                  const mins = Math.floor(ms / 60000);
+                  return mins < 60 ? `${mins}m` : `${Math.floor(mins / 60)}h ${mins % 60}m`;
+                })()
+              : null,
+            secretsRedacted: found.length
+          };
+
+          spinner.stop();
+          if (found.length > 0) {
+            printSecurityReport(found);
+          }
+          spinner.start();
+        }
+      }
+    } catch {
+      // Context capture is best-effort — don't fail the push
+    }
+
     // Count what was found
     const found = [];
     for (const adapter of adapters) {
@@ -58,12 +113,38 @@ export async function pushCommand(options = {}) {
       }
     }
 
+    // Encrypt if enabled
+    let uploadDir = stagingDir;
+    let encrypted = false;
+    if (config.encrypt) {
+      spinner.stop();
+      const { passphrase } = await inquirer.prompt([{
+        type: 'password',
+        name: 'passphrase',
+        message: '🔒 Encryption passphrase:',
+        mask: '*',
+        validate: (input) => input.length >= 6 ? true : 'Passphrase must be at least 6 characters'
+      }]);
+      spinner.start(chalk.gray('Encrypting...'));
+
+      const encryptedDir = path.join(os.tmpdir(), `memoir-encrypted-${Date.now()}`);
+      await fs.ensureDir(encryptedDir);
+      await encryptDirectory(stagingDir, encryptedDir, passphrase);
+
+      // Save verify token so restore can check passphrase before decrypting
+      const token = createVerifyToken(passphrase);
+      await fs.writeFile(path.join(encryptedDir, 'verify.enc'), token);
+
+      uploadDir = encryptedDir;
+      encrypted = true;
+    }
+
     spinner.text = chalk.gray('Uploading to ' + (config.provider === 'git' ? 'GitHub' : 'local storage') + '...');
 
     if (config.provider === 'local' || config.provider.includes('local')) {
-      await syncToLocal(config, stagingDir, spinner);
+      await syncToLocal(config, uploadDir, spinner);
     } else if (config.provider === 'git' || config.provider.includes('git')) {
-      await syncToGit(config, stagingDir, spinner);
+      await syncToGit(config, uploadDir, spinner);
     } else {
       spinner.fail(chalk.red(`Unknown provider: ${config.provider}`));
       return;
@@ -93,10 +174,22 @@ export async function pushCommand(options = {}) {
 
     // Success output
     const toolList = found.map(t => chalk.cyan('  ✔ ' + t)).join('\n');
+    let contextLine = '';
+    if (contextCaptured && sessionInfo) {
+      const parts = [];
+      if (sessionInfo.slug) parts.push(sessionInfo.slug);
+      if (sessionInfo.duration) parts.push(sessionInfo.duration);
+      if (sessionInfo.filesModified) parts.push(`${sessionInfo.filesModified} files changed`);
+      contextLine = '\n' + chalk.green('  ✔ Session Context') + chalk.gray(` (${parts.join(', ')})`) + '\n';
+      if (sessionInfo.secretsRedacted > 0) {
+        contextLine += chalk.yellow(`  🔒 ${sessionInfo.secretsRedacted} secret(s) auto-redacted`) + '\n';
+      }
+    }
     console.log('\n' + boxen(
       gradient.pastel('  Backed up!  ') + '\n\n' +
-      toolList + '\n\n' +
+      toolList + contextLine + '\n' +
       chalk.white(`${totalFiles} files from ${found.length} tool${found.length !== 1 ? 's' : ''}`) + '\n' +
+      (encrypted ? chalk.green('  🔒 E2E encrypted') + '\n' : '') +
       chalk.gray(`→ ${dest}`) + '\n\n' +
       chalk.gray('Restore on another machine with: ') + chalk.cyan('memoir restore'),
       { padding: 1, borderStyle: 'round', borderColor: 'green', dimBorder: true }
@@ -105,5 +198,14 @@ export async function pushCommand(options = {}) {
     spinner.fail(chalk.red('Sync failed: ') + error.message);
   } finally {
     await fs.remove(stagingDir);
+    // Clean up encrypted dir if it was created
+    if (config.encrypt) {
+      const encDirs = await fs.readdir(os.tmpdir());
+      for (const d of encDirs) {
+        if (d.startsWith('memoir-encrypted-')) {
+          await fs.remove(path.join(os.tmpdir(), d)).catch(() => {});
+        }
+      }
+    }
   }
 }

package/src/commands/restore.js

@@ -5,8 +5,12 @@ import os from 'os';
 import ora from 'ora';
 import boxen from 'boxen';
 import gradient from 'gradient-string';
+import inquirer from 'inquirer';
 import { getConfig } from '../config.js';
 import { fetchFromLocal, fetchFromGit } from '../providers/restore.js';
+import { decryptDirectory, verifyPassphrase } from '../security/encryption.js';
+
+const home = os.homedir();
 
 export async function restoreCommand(options = {}) {
   const config = await getConfig(options.profile);
@@ -42,13 +46,132 @@ export async function restoreCommand(options = {}) {
       return;
     }
 
+    // If backup is encrypted, decrypt it first then re-restore
+    const manifestPath = path.join(stagingDir, 'manifest.enc');
+    if (!restored && await fs.pathExists(manifestPath)) {
+      spinner.stop();
+      console.log(chalk.cyan('\n  🔒 Backup is encrypted'));
+
+      // Verify passphrase first
+      const verifyPath = path.join(stagingDir, 'verify.enc');
+      let passphrase;
+      for (let attempt = 0; attempt < 3; attempt++) {
+        const { pass } = await inquirer.prompt([{
+          type: 'password',
+          name: 'pass',
+          message: 'Decryption passphrase:',
+          mask: '*',
+        }]);
+        passphrase = pass;
+
+        if (await fs.pathExists(verifyPath)) {
+          const token = await fs.readFile(verifyPath);
+          if (!verifyPassphrase(token, passphrase)) {
+            console.log(chalk.red('  Wrong passphrase. Try again.'));
+            passphrase = null;
+            continue;
+          }
+        }
+        break;
+      }
+
+      if (!passphrase) {
+        console.log(chalk.red('\n  Too many failed attempts.'));
+        return;
+      }
+
+      spinner.start(chalk.gray('Decrypting...'));
+      const decryptedDir = path.join(os.tmpdir(), `memoir-decrypted-${Date.now()}`);
+      try {
+        const count = await decryptDirectory(stagingDir, decryptedDir, passphrase);
+        spinner.succeed(chalk.green(`Decrypted ${count} files`));
+
+        // Now restore from decrypted dir
+        spinner.start(chalk.gray('Restoring...'));
+        const { restoreMemories } = await import('../adapters/restore.js');
+        restored = await restoreMemories(decryptedDir, spinner, onlyFilter, autoYes);
+
+        // Copy staging dir contents for handoff injection below
+        await fs.copy(decryptedDir, stagingDir, { overwrite: true });
+      } catch (err) {
+        spinner.fail(chalk.red('Decryption failed: ') + err.message);
+        return;
+      } finally {
+        await fs.remove(decryptedDir);
+      }
+    }
+
     spinner.stop();
 
+    // Auto-inject session handoff if available
+    let handoffInjected = false;
+    let handoffInfo = null;
+    if (restored) {
+      try {
+        // Check staging dir for handoffs (came from backup)
+        const handoffDir = path.join(stagingDir, 'handoffs');
+        let handoffContent = null;
+
+        if (await fs.pathExists(handoffDir)) {
+          const latestPath = path.join(handoffDir, 'latest.md');
+          if (await fs.pathExists(latestPath)) {
+            handoffContent = await fs.readFile(latestPath, 'utf8');
+          } else {
+            // Find newest handoff
+            const files = (await fs.readdir(handoffDir))
+              .filter(f => f.endsWith('.md'))
+              .sort()
+              .reverse();
+            if (files.length > 0) {
+              handoffContent = await fs.readFile(path.join(handoffDir, files[0]), 'utf8');
+            }
+          }
+        }
+
+        if (handoffContent) {
+          // Save locally
+          const localHandoffDir = path.join(home, '.config', 'memoir', 'handoffs');
+          await fs.ensureDir(localHandoffDir);
+          await fs.writeFile(path.join(localHandoffDir, 'latest.md'), handoffContent);
+
+          // Inject into Claude's home-level memory so it's always loaded
+          const cwdKey = '-' + home.replace(/^\//, '').replace(/\\/g, '-').replace(/\//g, '-').replace(/:/g, '');
+          const claudeMemDir = path.join(home, '.claude', 'projects', cwdKey, 'memory');
+          if (await fs.pathExists(path.join(home, '.claude'))) {
+            await fs.ensureDir(claudeMemDir);
+            await fs.writeFile(path.join(claudeMemDir, 'handoff.md'), handoffContent);
+            handoffInjected = true;
+          }
+
+          // Extract info for display
+          const fromMatch = handoffContent.match(/\*\*From:\*\*\s*(.+)/);
+          const whenMatch = handoffContent.match(/\*\*When:\*\*\s*(.+)/);
+          const durationMatch = handoffContent.match(/\*\*Duration:\*\*\s*(.+)/);
+          handoffInfo = {
+            from: fromMatch ? fromMatch[1] : 'another machine',
+            when: whenMatch ? whenMatch[1] : 'recently',
+            duration: durationMatch ? durationMatch[1] : null,
+          };
+        }
+      } catch {
+        // Handoff injection is best-effort
+      }
+    }
+
     if (restored) {
+      let handoffMsg = '';
+      if (handoffInjected && handoffInfo) {
+        handoffMsg = '\n\n' + chalk.cyan('📋 Session context injected') + '\n' +
+          chalk.gray(`   From: ${handoffInfo.from}`) + '\n' +
+          chalk.gray(`   When: ${handoffInfo.when}`) +
+          (handoffInfo.duration ? '\n' + chalk.gray(`   Duration: ${handoffInfo.duration}`) : '') + '\n' +
+          chalk.gray('   Your AI will pick up where you left off.');
+      }
       console.log(boxen(
         gradient.pastel('  Done!  ') + '\n\n' +
-        chalk.white('Your AI tools have their memories back.') + '\n' +
-        chalk.gray('Restart your AI tools to pick up the changes.'),
+        chalk.white('Your AI tools have their memories back.') +
+        handoffMsg + '\n' +
+        chalk.gray(handoffInjected ? '' : 'Restart your AI tools to pick up the changes.'),
         { padding: 1, borderStyle: 'round', borderColor: 'green', dimBorder: true }
       ) + '\n');
     } else {

package/src/context/capture.js

@@ -0,0 +1,242 @@
+import fs from 'fs-extra';
+import path from 'path';
+import os from 'os';
+import { scanForSecrets, redactSecrets } from '../security/scanner.js';
+
+const home = os.homedir();
+
+/**
+ * Find all Claude session files, sorted newest first
+ */
+export function findClaudeSessions() {
+  const projectsDir = path.join(home, '.claude', 'projects');
+  if (!fs.existsSync(projectsDir)) return [];
+
+  const sessions = [];
+  const scanDir = (dir) => {
+    let entries;
+    try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return; }
+    for (const entry of entries) {
+      const full = path.join(dir, entry.name);
+      if (entry.isDirectory()) {
+        scanDir(full);
+      } else if (entry.name.endsWith('.jsonl') && !entry.name.includes('subagent')) {
+        try {
+          const stat = fs.statSync(full);
+          // Skip files older than 7 days for performance
+          if (Date.now() - stat.mtimeMs < 7 * 24 * 60 * 60 * 1000) {
+            sessions.push({ path: full, mtime: stat.mtimeMs, size: stat.size });
+          }
+        } catch {}
+      }
+    }
+  };
+  scanDir(projectsDir);
+  sessions.sort((a, b) => b.mtime - a.mtime);
+  return sessions;
+}
+
+/**
+ * Parse a Claude session file and extract context (with secret redaction)
+ * Streams large files instead of loading entirely into memory
+ */
+export function parseSession(sessionPath, maxSizeMB = 10) {
+  const stat = fs.statSync(sessionPath);
+  if (stat.size > maxSizeMB * 1024 * 1024) {
+    // For large files, only parse the last portion
+    const raw = fs.readFileSync(sessionPath, 'utf8');
+    const lines = raw.split('\n');
+    const lastLines = lines.slice(-500); // Last 500 lines
+    return parseLines(lastLines);
+  }
+
+  const raw = fs.readFileSync(sessionPath, 'utf8').trim();
+  return parseLines(raw.split('\n'));
+}
+
+function parseLines(lines) {
+  const result = {
+    sessionId: null,
+    slug: null,
+    gitBranch: null,
+    cwd: null,
+    firstTimestamp: null,
+    lastTimestamp: null,
+    userMessages: [],
+    filesWritten: new Set(),
+    filesRead: new Set(),
+    bashCommands: [],
+    errors: [],
+    decisions: [],
+  };
+
+  for (const line of lines) {
+    let obj;
+    try { obj = JSON.parse(line); } catch { continue; }
+
+    if (!result.sessionId && obj.sessionId) result.sessionId = obj.sessionId;
+    if (!result.slug && obj.slug) result.slug = obj.slug;
+    if (!result.gitBranch && obj.gitBranch) result.gitBranch = obj.gitBranch;
+    if (!result.cwd && obj.cwd) result.cwd = obj.cwd;
+    if (!result.firstTimestamp && obj.timestamp) result.firstTimestamp = obj.timestamp;
+    if (obj.timestamp) result.lastTimestamp = obj.timestamp;
+
+    // User messages — redact secrets
+    if (obj.type === 'user' && obj.message?.content) {
+      const content = typeof obj.message.content === 'string' ? obj.message.content : '';
+      if (content.length > 3 && !content.startsWith('<task-notification>')) {
+        result.userMessages.push(redactSecrets(content));
+      }
+    }
+
+    // Tool uses from assistant
+    if (obj.type === 'assistant' && Array.isArray(obj.message?.content)) {
+      for (const block of obj.message.content) {
+        if (block.type !== 'tool_use') continue;
+        const name = block.name;
+        const input = block.input || {};
+
+        if (name === 'Write' || name === 'Edit') {
+          const fp = input.file_path || '';
+          if (fp && !fp.startsWith('/tmp/') && !fp.startsWith('/private/tmp/')) {
+            result.filesWritten.add(fp);
+          }
+        } else if (name === 'Read') {
+          const fp = input.file_path || '';
+          if (fp && !fp.startsWith('/tmp/') && !fp.startsWith('/private/tmp/')) {
+            result.filesRead.add(fp);
+          }
+        } else if (name === 'Bash') {
+          const cmd = (input.command || '').trim();
+          if (cmd && !cmd.startsWith('sleep') && !cmd.startsWith('cat /private/tmp')) {
+            // Redact secrets from commands
+            const clean = redactSecrets(cmd.length > 120 ? cmd.slice(0, 120) + '...' : cmd);
+            result.bashCommands.push(clean);
+          }
+        }
+      }
+    }
+
+    // Errors from tool results
+    if (obj.type === 'tool_result' && obj.message?.content) {
+      const content = typeof obj.message.content === 'string' ? obj.message.content : '';
+      if (content.includes('Error') || content.includes('error') || content.includes('FAIL')) {
+        const errorLine = content.split('\n').find(l => /error|fail/i.test(l));
+        if (errorLine && errorLine.length < 200) {
+          result.errors.push(redactSecrets(errorLine.trim()));
+        }
+      }
+    }
+  }
+
+  result.filesWritten = [...result.filesWritten];
+  result.filesRead = [...result.filesRead];
+  result.errors = [...new Set(result.errors)].slice(0, 10);
+
+  return result;
+}
+
+/**
+ * Generate a concise handoff markdown from parsed session
+ * This is what gets injected into the AI tool on the other machine
+ */
+export function generateContextHandoff(parsed) {
+  const now = new Date();
+  const hostname = os.hostname();
+  const platform = process.platform === 'darwin' ? 'macOS' : process.platform === 'win32' ? 'Windows' : 'Linux';
+  const cwd = parsed.cwd || home;
+
+  // Duration
+  let duration = 'unknown';
+  if (parsed.firstTimestamp && parsed.lastTimestamp) {
+    const ms = new Date(parsed.lastTimestamp) - new Date(parsed.firstTimestamp);
+    const mins = Math.floor(ms / 60000);
+    duration = mins < 60 ? `${mins}m` : `${Math.floor(mins / 60)}h ${mins % 60}m`;
+  }
+
+  // Shorten paths
+  const shorten = (fp) => {
+    if (fp.startsWith(cwd + '/')) return fp.slice(cwd.length + 1);
+    if (fp.startsWith(cwd + '\\')) return fp.slice(cwd.length + 1);
+    if (fp.startsWith(home + '/')) return '~/' + fp.slice(home.length + 1);
+    if (fp.startsWith(home + '\\')) return '~\\' + fp.slice(home.length + 1);
+    return fp;
+  };
+
+  // Filter meaningful user messages
+  const meaningful = parsed.userMessages
+    .filter(m => m.length > 10 && !/^(ok|yes|no|sure|yea|yeah|yep|nah|nope|thanks|ty|thx|good|great|nice|cool|done|hmm)$/i.test(m.trim()))
+    .map(m => m.length > 150 ? m.slice(0, 150) + '...' : m);
+
+  let md = `---
+name: Session Handoff
+description: Auto-generated context from last coding session for seamless cross-device continuity
+type: project
+---
+
+# Session Handoff
+
+**From:** ${hostname} (${platform})
+**When:** ${now.toISOString().split('T')[0]} ${now.toLocaleTimeString('en-US', { hour: 'numeric', minute: '2-digit' })}
+**Duration:** ${duration}
+**Project:** ${cwd}
+**Branch:** ${parsed.gitBranch || 'unknown'}
+
+## What was being worked on
+${meaningful.length > 0 ? meaningful.slice(0, 8).map(m => `- ${m}`).join('\n') : '_No significant messages captured_'}
+
+## Files modified
+${parsed.filesWritten.length > 0
+    ? parsed.filesWritten.slice(0, 15).map(f => `- \`${shorten(f)}\``).join('\n')
+    : '_None_'}
+
+## Key files referenced
+${parsed.filesRead.length > 0
+    ? parsed.filesRead.filter(f => !parsed.filesWritten.includes(f)).slice(0, 10).map(f => `- \`${shorten(f)}\``).join('\n')
+    : '_None_'}
+`;
+
+  if (parsed.errors.length > 0) {
+    md += `\n## Errors hit\n${parsed.errors.slice(0, 5).map(e => `- ${e}`).join('\n')}\n`;
+  }
+
+  md += `\n## Context for continuing
+This session ran for ${duration} on ${platform}. ${parsed.filesWritten.length} files were modified and ${parsed.bashCommands.length} commands were run.`;
+
+  if (parsed.filesWritten.length > 0) {
+    md += ` Start by reviewing: ${parsed.filesWritten.slice(0, 3).map(f => '`' + shorten(f) + '`').join(', ')}.`;
+  }
+
+  md += '\n';
+
+  return md;
+}
+
+/**
+ * Check if a project path should be ignored based on .memoirignore
+ */
+export function shouldIgnoreProject(projectPath) {
+  // Check for .memoirignore in home dir
+  const ignoreFile = path.join(home, '.memoirignore');
+  if (!fs.existsSync(ignoreFile)) return false;
+
+  const patterns = fs.readFileSync(ignoreFile, 'utf8')
+    .split('\n')
+    .map(l => l.trim())
+    .filter(l => l && !l.startsWith('#'));
+
+  const projectName = path.basename(projectPath);
+  const projectFull = projectPath.toLowerCase();
+
+  for (const pattern of patterns) {
+    const p = pattern.toLowerCase();
+    // Exact match on project name
+    if (projectName.toLowerCase() === p) return true;
+    // Path contains pattern
+    if (projectFull.includes(p)) return true;
+    // Glob-like: pattern ends with *
+    if (p.endsWith('*') && projectFull.startsWith(p.slice(0, -1))) return true;
+  }
+
+  return false;
+}