memory-journal-mcp 7.5.0 → 7.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (15) hide show
  1. package/README.md +86 -74
  2. package/dist/{chunk-XNOUTCRV.js → chunk-NSEHC6MZ.js} +3274 -1305
  3. package/dist/{chunk-VHA46GLM.js → chunk-SV3CKPMF.js} +6881 -4912
  4. package/dist/cli.js +227 -51
  5. package/dist/index.d.ts +267 -162
  6. package/dist/index.js +2 -4
  7. package/dist/tools-QF7CPU2H.js +1 -0
  8. package/dist/worker-script.js +113 -23
  9. package/package.json +4 -2
  10. package/skills/github-commander/workflows/copilot-audit.md +3 -1
  11. package/skills/package.json +1 -1
  12. package/dist/chunk-OKOVZ5QE.js +0 -28
  13. package/dist/chunk-WXDEVIFL.js +0 -1745
  14. package/dist/github-integration-YODGZH3K.js +0 -1
  15. package/dist/tools-HTE4YXMW.js +0 -3
package/README.md CHANGED
@@ -10,7 +10,7 @@
10
10
  [![MCP Registry](https://img.shields.io/badge/MCP_Registry-Published-green)](https://registry.modelcontextprotocol.io/v0/servers?search=io.github.neverinfamous/memory-journal-mcp)
11
11
  [![Security](https://img.shields.io/badge/Security-Enhanced-green.svg)](SECURITY.md)
12
12
  [![TypeScript](https://img.shields.io/badge/TypeScript-Strict-blue.svg)](https://github.com/neverinfamous/memory-journal-mcp)
13
- ![Coverage](https://img.shields.io/badge/Coverage-95.83%25-brightgreen.svg)
13
+ ![Coverage](https://img.shields.io/badge/Coverage-91.25%25-green.svg)
14
14
  ![Tests](https://img.shields.io/badge/Tests-1782_passed-brightgreen.svg)
15
15
  ![E2E Tests](https://img.shields.io/badge/E2E_Tests-391_passed-brightgreen.svg)
16
16
  [![CI](https://github.com/neverinfamous/memory-journal-mcp/actions/workflows/gatekeeper.yml/badge.svg)](https://github.com/neverinfamous/memory-journal-mcp/actions/workflows/gatekeeper.yml)
@@ -42,6 +42,7 @@ Memory Journal solves this by acting as your project's **long-term memory**, bri
42
42
  - _"Why did we choose SQLite over Postgres for this service last month?"_ (Semantic search)
43
43
  - _"Run the `/issue-triage` workflow on the top priority ticket in the Kanban board."_ (GitHub operations)
44
44
  - _"Who has been touching the auth module recently, and what's our team collaboration density?"_ (Team analytics)
45
+ - _"I'm stuck on this database error. Raise a 'blocker' flag for @sarah so her agent sees it next session."_ (Hush Protocol)
45
46
  - _"Close issue #42 and log an entry explaining our architectural fix for the parsing bug."_ (Context lifecycles)
46
47
  - _"Draw a visual graph showing how my last 10 architectural decisions relate to each other."_ (Knowledge graph)
47
48
 
@@ -60,7 +61,7 @@ Memory Journal solves this by acting as your project's **long-term memory**, bri
60
61
  | **Dynamic Project Routing** | Seamlessly switch contexts and access CI/Issue tracking across multiple repositories using a single server instance via `PROJECT_REGISTRY` |
61
62
  | **Knowledge Graphs** | 8 relationship types linking specs → implementations → tests → PRs with Mermaid visualization |
62
63
  | **Hybrid Search** | Reciprocal Rank Fusion combining FTS5 keywords, semantic vector similarity, auto-heuristics, and date-range filters |
63
- | **Code Mode** | Execute multi-step operations in a secure sandbox — up to 90% token savings via `mj.*` API |
64
+ | **Code Mode** | Execute multi-step operations in a trusted-admin execution environment — up to 90% token savings via `mj.*` API |
64
65
  | **Configurable Briefing** | 15 env vars / CLI flags control `memory://briefing` content — entries, team, GitHub detail, skills awareness, chronological grounding |
65
66
  | **Reports & Analytics** | Standups, retrospectives, PR summaries, digests, period analyses, and milestone tracking |
66
67
  | **Hush Protocol (Flags)** | Replace Slack/Teams noise with structured, actionable, and searchable AI flags (blockers, reviews) that automatically surface in session briefings |
@@ -118,7 +119,7 @@ flowchart TB
118
119
  ---
119
120
 
120
121
  <details>
121
- <summary><strong>🤖 Recommended AI Agent Instructions/Rule</strong></summary>
122
+ <summary><strong>Recommended AI Agent Instructions/Rule</strong></summary>
122
123
 
123
124
  _Suggested Rule (Add to AGENTS.md, GEMINI.md, system prompts, etc.)_
124
125
 
@@ -129,16 +130,12 @@ Execute BEFORE fulfilling any user request in a new session:
129
130
  1. **TARGET**: Infer `repo_name` from the active workspace context or user prompt. If the task is not associated with a specific project, fallback to using the generic resource without a repo name (which defaults to the first registered workspace).
130
131
  2. **FETCH**: Use the MCP `read_resource` tool (Server: `memory-journal-mcp`) to read `memory://briefing/{repo_name}` (or `memory://briefing` if falling back).
131
132
  - **RESTRICTION**: Do NOT use `execute_code` for this step.
132
- 3. **RENDER TABLE**: Parse the briefing JSON and output a dense 2-column Markdown Table (Field, Value) capturing the core context.
133
- - **RESTRICTION**: NO bulleted lists. Do NOT truncate issues or summaries.
134
- - **FORMATTING**: Group related properties to save vertical space. Use `<br>` tags for inner-cell line breaks.
135
- - **REQUIRED GROUPS**:
136
- - **GitHub**: Combine Repo, Branch, CI, PRs, and Insights.
137
- - **GitHub Issues**: List every issue, one per line.
138
- - **Active Flags (Hush Protocol)**: If the briefing JSON contains an `activeFlags` object (with `count > 0`), render each flag in a dedicated row using format: `🚩 {flag_type} → @{target_user}: {preview}`. If `count` is 0 or the field is absent, omit the row entirely.
139
- - Also include Entry Counts (Journal/Team), Latest Entries/Summaries (titles only), Proactive Analytics/Team Density, Milestones, and Workspaces.
140
- - **FLAG PROMINENCE**: When `activeFlags.count > 0`, prepend a bold callout line **above** the table: `⚠️ **{count} active flag(s)** — review before proceeding.` This ensures blockers and review requests are impossible to miss.
141
- 4. **STOP & WAIT**: Do NOT autonomously resume past tasks or start work on new issues mentioned in the session summary. The briefing is strictly for context.
133
+ 3. **ACKNOWLEDGE FLAGS**: If the briefing JSON contains `activeFlags` (count > 0), you MUST print an alert ABOVE the table: `⚠️ **{count} active flag(s)** — review before proceeding.` followed by each flag (`🚩 {flag_type} → @{target_user}: {preview}`).
134
+ 4. **RENDER TABLE**: Parse the remaining JSON into a dense 2-column Markdown Table (Field, Value).
135
+ - **RESTRICTION**: NO bulleted lists inside the table. Do NOT truncate summaries or issues.
136
+ - **FORMATTING**: Group related properties (use `<br>` for line breaks).
137
+ - **REQUIRED GROUPS**: GitHub (Repo, Branch, CI, PRs, Insights), Issues, Entry Counts, Latest Entries/Summaries, Analytics, Milestones, Workspaces.
138
+ 5. **STOP & WAIT**: Do NOT autonomously resume past tasks or start work on new issues mentioned in the session summary. The briefing is strictly for context.
142
139
 
143
140
  </details>
144
141
 
@@ -156,9 +153,9 @@ Control which tools are exposed via `MEMORY_JOURNAL_MCP_TOOL_FILTER` (or CLI: `-
156
153
  | `full` | 70 | All tools (default) |
157
154
  | `starter` | ~11 | Core + search + codemode |
158
155
  | `essential` | ~7 | Minimal footprint |
159
- | `readonly` | 18 | Disable all mutations |
156
+ | `readonly` | 17 | Disable all mutations |
160
157
  | `-github` | 52 | Exclude a group |
161
- | `-github,-analytics` | 48 | Exclude multiple groups |
158
+ | `-github,-analytics` | 50 | Exclude multiple groups |
162
159
 
163
160
  **Filter Syntax:** `shortcut` or `group` or `tool_name` (whitelist mode) · `-group` (disable group) · `-tool` (disable tool) · `+tool` (re-enable after group disable)
164
161
 
@@ -208,7 +205,7 @@ Control which tools are exposed via `MEMORY_JOURNAL_MCP_TOOL_FILTER` (or CLI: `-
208
205
  - `confirm-briefing` - Acknowledge session context to user
209
206
  - `session-summary` - Create a session summary entry with accomplishments, pending items, and next-session context
210
207
  - `team-session-summary` - Create a retrospective team session summary entry securely isolated to the team database
211
- - `load-project-kanban` - Dynamic project board injection
208
+
212
209
 
213
210
  **[Complete prompts guide →](https://github.com/neverinfamous/memory-journal-mcp/wiki/Prompts)**
214
211
 
@@ -240,7 +237,7 @@ Control which tools are exposed via `MEMORY_JOURNAL_MCP_TOOL_FILTER` (or CLI: `-
240
237
  - `memory://metrics/tokens` - Per-tool token usage breakdown sorted by output token cost — MEDIUM priority
241
238
  - `memory://metrics/system` - Process-level metrics: memory (MB), uptime (s), Node.js version, platform — MEDIUM priority
242
239
  - `memory://metrics/users` - Per-user call counts (populated when OAuth user identifiers are present) — LOW priority
243
- - `memory://audit` - Last 50 write/admin tool call entries from the JSONL audit log (requires `AUDIT_LOG_PATH`)
240
+ - `memory://audit` - Last 50 write/admin tool call entries from the JSONL operational telemetry log (requires `AUDIT_LOG_PATH`)
244
241
  - `memory://flags` - Active (unresolved) team flags dashboard (requires `TEAM_DB_PATH`)
245
242
  - `memory://flags/vocabulary` - Configured flag vocabulary terms
246
243
 
@@ -264,7 +261,7 @@ _Note: The `memory://github/status`, `memory://github/insights`, `memory://githu
264
261
 
265
262
  Code Mode (`mj_execute_code`) is a revolutionary approach that **dramatically reduces token usage by up to 90%** and is included by default in all presets. Instead of spending thousands of tokens on sequential tool calls, AI agents use a single sandboxed execution to reason faster.
266
263
 
267
- Code executes in a **sandboxed VM context** with multiple layers of security. All `mj.*` API calls execute against the journal within the sandbox, providing:
264
+ Code executes in a **worker_threads sandbox** designed as a secure multi-tenant process isolation environment. All `mj.*` API calls execute against the journal within the sandbox, providing:
268
265
 
269
266
  - **Static code validation** — blocked patterns include `require()`, `process`, `eval()`, and filesystem access
270
267
  - **Rate limiting** — 60 executions per minute per client
@@ -313,6 +310,8 @@ When you encounter a blocker, need a review, or want to broadcast a milestone, y
313
310
 
314
311
  **Dashboard & Operations**: Read `memory://flags` to see an active dashboard overview and use `mj.team.passTeamFlag()` / `mj.team.resolveTeamFlag()` to manage them programmatically in Code Mode.
315
312
 
313
+ **[Complete Hush Protocol guide and Mermaid sequence diagrams →](https://github.com/neverinfamous/memory-journal-mcp/wiki/Hush-Protocol)**
314
+
316
315
  ---
317
316
 
318
317
  ## 🚀 Quick Start
@@ -345,7 +344,8 @@ Add this to your `~/.cursor/mcp.json`, Claude Desktop config, or equivalent:
345
344
  "command": "memory-journal-mcp",
346
345
  "env": {
347
346
  "GITHUB_TOKEN": "ghp_your_token_here",
348
- "PROJECT_REGISTRY": "{\"my-repo\":{\"path\":\"/path/to/your/git/repo\",\"project_number\":1}}"
347
+ "PROJECT_REGISTRY": "{\"my-repo\":{\"path\":\"/path/to/your/git/repo\",\"project_number\":1}}",
348
+ "ALLOWED_IO_ROOTS": "/path/to/your/git/repo"
349
349
  }
350
350
  }
351
351
  }
@@ -366,8 +366,10 @@ Showcasing the full power of the server, including Multi-Project Routing, Team C
366
366
  "TEAM_DB_PATH": "/path/to/shared/team.db",
367
367
  "GITHUB_TOKEN": "ghp_your_token_here",
368
368
  "PROJECT_REGISTRY": "{\"my-repo\":{\"path\":\"/path/to/repo\",\"project_number\":1},\"other-repo\":{\"path\":\"/path/to/other\",\"project_number\":5}}",
369
+ "ALLOWED_IO_ROOTS": "/path/to/repo,/path/to/other,/path/to/your/skills",
369
370
  "AUTO_REBUILD_INDEX": "true",
370
371
  "MEMORY_JOURNAL_MCP_TOOL_FILTER": "codemode",
372
+ "CODEMODE_INTERNAL_FULL_ACCESS": "true",
371
373
  "BRIEFING_ENTRY_COUNT": "3",
372
374
  "BRIEFING_SUMMARY_COUNT": "1",
373
375
  "BRIEFING_INCLUDE_TEAM": "true",
@@ -379,7 +381,9 @@ Showcasing the full power of the server, including Multi-Project Routing, Team C
379
381
  "BRIEFING_COPILOT_REVIEWS": "true",
380
382
  "RULES_FILE_PATH": "/path/to/your/RULES.md",
381
383
  "SKILLS_DIR_PATH": "/path/to/your/skills",
382
- "MEMORY_JOURNAL_WORKFLOW_SUMMARY": "/deploy: prod deployment | /audit: security scan"
384
+ "MEMORY_JOURNAL_WORKFLOW_SUMMARY": "/deploy: prod deployment | /audit: security scan",
385
+ "AUDIT_LOG_PATH": "/path/to/your/mcp-audit.jsonl",
386
+ "TEAM_AUTHOR": "your_username"
383
387
  }
384
388
  }
385
389
  }
@@ -403,15 +407,21 @@ Restart your MCP client and start journaling!
403
407
 
404
408
  ### Option 3: HTTP/SSE Transport (Remote Access)
405
409
 
410
+ > 🔒 **Security Posture: Stdio vs HTTP**
411
+ >
412
+ > - **Stdio (Default):** Runs implicitly within the secure boundaries of your local IDE or command-line environment. No explicit authentication is required because the execution context is already trusted.
413
+ > - **HTTP/SSE:** Exposes the server over a network socket. By default, HTTP binds ONLY to `localhost` and blocks wildcard CORS to prevent unauthorized access and CSRF attacks. **Public network binding (`--server-host 0.0.0.0`) requires explicit authentication** (`--auth-token` or `--oauth-enabled`). The server will throw a fatal error if you attempt to expose it publicly without securing it.
414
+
406
415
  For remote access or web-based clients, run the server in HTTP mode:
407
416
 
408
417
  ```bash
409
418
  memory-journal-mcp --transport http --port 3000
410
419
  ```
411
420
 
412
- To bind to all interfaces (required for containers) and enable the automated proactive analytics scheduler (e.g. daily digest):
421
+ To bind to all interfaces (required for containers) and enable the automated proactive analytics scheduler (e.g. daily digest), you MUST provide an authentication token:
413
422
 
414
423
  ```bash
424
+ export MCP_AUTH_TOKEN="your_secure_random_token"
415
425
  memory-journal-mcp --transport http --port 3000 --server-host 0.0.0.0 --digest-interval 1440
416
426
  ```
417
427
 
@@ -496,57 +506,59 @@ Each job is error-isolated — a failure in one job won't affect the others. Sch
496
506
 
497
507
  The GitHub tools (`get_github_issues`, `get_github_prs`, etc.) auto-detect the repository from your git context when `PROJECT_REGISTRY` is configured or the MCP server is run inside a git repository.
498
508
 
499
- | Environment Variable | Description |
500
- | --------------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
501
- | `DB_PATH` | Database file location (CLI: `--db`; default: `./memory_journal.db`) |
502
- | `TEAM_DB_PATH` | Team database file location (CLI: `--team-db`) |
503
- | `TEAM_AUTHOR` | Override author name for team entries (default: `git config user.name`) |
504
- | `GITHUB_TOKEN` | GitHub personal access token for API access |
505
- | `DEFAULT_PROJECT_NUMBER` | Default GitHub Project number for auto-assignment when creating issues |
506
- | `PROJECT_REGISTRY` | JSON map of repos to `{ path, project_number }` for multi-project auto-detection and routing |
507
- | `AUTO_REBUILD_INDEX` | Set to `true` to rebuild vector index on server startup |
508
- | `MCP_HOST` | Server bind host (`0.0.0.0` for containers, default: `localhost`) |
509
- | `MCP_AUTH_TOKEN` | Bearer token for HTTP transport authentication (CLI: `--auth-token`) |
510
- | `MCP_CORS_ORIGIN` | Allowed CORS origins for HTTP transport, comma-separated (default: `*`) |
511
- | `MCP_RATE_LIMIT_MAX` | Max requests per minute per client IP, HTTP only (default: `100`) |
512
- | `LOG_LEVEL` | Log verbosity: `error`, `warn`, `info`, `debug` (default: `info`; CLI: `--log-level`) |
513
- | `MCP_ENABLE_HSTS` | Enable HSTS security header on HTTP responses (CLI: `--enable-hsts`; default: `false`) |
514
- | `OAUTH_ENABLED` | Set to `true` to enable OAuth 2.1 authentication (HTTP only) |
515
- | `OAUTH_ISSUER` | OAuth issuer URL (e.g., `https://auth.example.com/realms/mcp`) |
516
- | `OAUTH_AUDIENCE` | Expected JWT audience claim |
517
- | `OAUTH_JWKS_URI` | JWKS endpoint for token signature verification |
518
- | `OAUTH_CLOCK_TOLERANCE` | Allowed clock skew tolerance in seconds for JWT verification (default: `5`) |
519
- | `CODE_MODE_MAX_RESULT_SIZE` | Maximum size in bytes for mj_execute_code result payload (CLI: `--codemode-max-result-size`; default: `102400`) |
520
- | `BRIEFING_ENTRY_COUNT` | Journal entries in briefing (CLI: `--briefing-entries`; default: `3`) |
521
- | `BRIEFING_SUMMARY_COUNT` | Session summaries to list in briefing (CLI: `--briefing-summaries`; default: `1`) |
522
- | `BRIEFING_INCLUDE_TEAM` | Include team DB entries in briefing (`true`/`false`; default: `false`) |
523
- | `BRIEFING_ISSUE_COUNT` | Issues to list in briefing; `0` = count only (default: `0`) |
524
- | `BRIEFING_PR_COUNT` | PRs to list in briefing; `0` = count only (default: `0`) |
525
- | `BRIEFING_PR_STATUS` | Show PR status breakdown (open/merged/closed; default: `false`) |
526
- | `BRIEFING_MILESTONE_COUNT` | Milestones to list in briefing; `0` = hide entirely (CLI: `--briefing-milestones`; default: `3`) |
527
- | `BRIEFING_WORKFLOW_COUNT` | Workflow runs to list in briefing; `0` = status only (default: `0`) |
528
- | `BRIEFING_WORKFLOW_STATUS` | Show workflow status breakdown in briefing (default: `false`) |
529
- | `BRIEFING_COPILOT_REVIEWS` | Aggregate Copilot review state in briefing (default: `false`) |
530
- | `RULES_FILE_PATH` | Path to user rules file for agent awareness (CLI: `--rules-file`) |
531
- | `SKILLS_DIR_PATH` | Path to skills directory for agent awareness (CLI: `--skills-dir`) |
532
- | `MEMORY_JOURNAL_WORKFLOW_SUMMARY` | Free-text workflow summary for `memory://workflows` (CLI: `--workflow-summary`) |
533
- | `INSTRUCTION_LEVEL` | Briefing depth: `essential`, `standard`, `full` (CLI: `--instruction-level`; default: `standard`) |
534
- | `PROJECT_LINT_CMD` | Project lint command for GitHub Commander validation gates (default: `npm run lint`) |
535
- | `PROJECT_TYPECHECK_CMD` | Project typecheck command (default: `npm run typecheck`; empty = skip) |
536
- | `PROJECT_BUILD_CMD` | Project build command (default: `npm run build`; empty = skip) |
537
- | `PROJECT_TEST_CMD` | Project test command (default: `npm run test`) |
538
- | `PROJECT_E2E_CMD` | Project E2E test command (default: empty = skip) |
539
- | `PROJECT_PACKAGE_MANAGER` | Package manager override: `npm`, `yarn`, `pnpm`, `bun` (default: auto-detect from lockfile) |
540
- | `PROJECT_HAS_DOCKERFILE` | Enable Docker audit steps (default: auto-detect) |
541
- | `COMMANDER_HITL_FILE_THRESHOLD` | Human-in-the-loop checkpoint if changes touch > N files (default: `10`) |
542
- | `COMMANDER_SECURITY_TOOLS` | Override security tool auto-detection (comma-separated; default: auto-detect) |
543
- | `COMMANDER_BRANCH_PREFIX` | Branch naming prefix for PRs (default: `fix`) |
544
- | `AUDIT_LOG_PATH` | Path for the JSONL audit log of write/admin tool calls. Rotates at 10 MB (keeps 5 archives). Omit to disable audit logging. |
545
- | `AUDIT_REDACT` | Set to `true` to omit tool arguments from audit log entries for privacy (default: `false`) |
546
- | `AUDIT_READS` | Log read-scoped tool calls in addition to write/admin (CLI: `--audit-reads`; default: `false`) |
547
- | `AUDIT_LOG_MAX_SIZE` | Maximum audit log file size in bytes before rotation (CLI: `--audit-log-max-size`; default: `10485760`) |
548
- | `MCP_METRICS_ENABLED` | Set to `false` to disable in-memory tool call metrics accumulation (default: `true`) |
549
- | `FLAG_VOCABULARY` | Comma-separated flag types for Hush Protocol (CLI: `--flag-vocabulary`; default: `blocker,needs_review,help_requested,fyi`) |
509
+ | Environment Variable | Description |
510
+ | --------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
511
+ | `DB_PATH` | Database file location (CLI: `--db`; default: `./memory_journal.db`) |
512
+ | `TEAM_DB_PATH` | Team database file location (CLI: `--team-db`) |
513
+ | `TEAM_AUTHOR` | Override author name for team entries (default: `git config user.name`) |
514
+ | `GITHUB_TOKEN` | GitHub personal access token for API access |
515
+ | `DEFAULT_PROJECT_NUMBER` | Default GitHub Project number for auto-assignment when creating issues |
516
+ | `PROJECT_REGISTRY` | JSON map of repos to `{ path, project_number }` for multi-project auto-detection and routing |
517
+ | `AUTO_REBUILD_INDEX` | Set to `true` to rebuild vector index on server startup |
518
+ | `MCP_HOST` | Server bind host (`0.0.0.0` for containers, default: `localhost`) |
519
+ | `MCP_AUTH_TOKEN` | Bearer token for HTTP transport authentication (CLI: `--auth-token`). Must NOT be the default placeholder token. |
520
+ | `ALLOWED_IO_ROOTS` | **Critical Security Boundary**: Comma-separated absolute paths granting filesystem access to Code Mode and export tools (default: none / fail-closed) |
521
+ | `MCP_CORS_ORIGIN` | Allowed CORS origins for HTTP transport, comma-separated (default: blank, strict opt-in) |
522
+ | `MCP_RATE_LIMIT_MAX` | Max requests per minute per client IP, HTTP only (default: `100`) |
523
+ | `LOG_LEVEL` | Log verbosity: `error`, `warn`, `info`, `debug` (default: `info`; CLI: `--log-level`) |
524
+ | `MCP_ENABLE_HSTS` | Enable HSTS security header on HTTP responses (CLI: `--enable-hsts`; default: `false`) |
525
+ | `OAUTH_ENABLED` | Set to `true` to enable OAuth 2.1 authentication (HTTP only) |
526
+ | `OAUTH_ISSUER` | OAuth issuer URL (e.g., `https://auth.example.com/realms/mcp`) |
527
+ | `OAUTH_AUDIENCE` | Expected JWT audience claim |
528
+ | `OAUTH_JWKS_URI` | JWKS endpoint for token signature verification |
529
+ | `OAUTH_CLOCK_TOLERANCE` | Allowed clock skew tolerance in seconds for JWT verification (default: `5`) |
530
+ | `CODE_MODE_MAX_RESULT_SIZE` | Maximum size in bytes for mj_execute_code result payload (CLI: `--codemode-max-result-size`; default: `102400`) |
531
+ | `CODEMODE_INTERNAL_FULL_ACCESS` | Bypass tool filter constraints within the Code Mode sandbox (CLI: `--codemode-internal-full-access`; default: `false`) |
532
+ | `BRIEFING_ENTRY_COUNT` | Journal entries in briefing (CLI: `--briefing-entries`; default: `3`) |
533
+ | `BRIEFING_SUMMARY_COUNT` | Session summaries to list in briefing (CLI: `--briefing-summaries`; default: `1`) |
534
+ | `BRIEFING_INCLUDE_TEAM` | Include team DB entries in briefing (`true`/`false`; default: `false`) |
535
+ | `BRIEFING_ISSUE_COUNT` | Issues to list in briefing; `0` = count only (default: `0`) |
536
+ | `BRIEFING_PR_COUNT` | PRs to list in briefing; `0` = count only (default: `0`) |
537
+ | `BRIEFING_PR_STATUS` | Show PR status breakdown (open/merged/closed; default: `false`) |
538
+ | `BRIEFING_MILESTONE_COUNT` | Milestones to list in briefing; `0` = hide entirely (CLI: `--briefing-milestones`; default: `3`) |
539
+ | `BRIEFING_WORKFLOW_COUNT` | Workflow runs to list in briefing; `0` = status only (default: `0`) |
540
+ | `BRIEFING_WORKFLOW_STATUS` | Show workflow status breakdown in briefing (default: `false`) |
541
+ | `BRIEFING_COPILOT_REVIEWS` | Aggregate Copilot review state in briefing (default: `false`) |
542
+ | `RULES_FILE_PATH` | Path to user rules file for agent awareness (CLI: `--rules-file`) |
543
+ | `SKILLS_DIR_PATH` | Path to skills directory for agent awareness (CLI: `--skills-dir`) |
544
+ | `MEMORY_JOURNAL_WORKFLOW_SUMMARY` | Free-text workflow summary for `memory://workflows` (CLI: `--workflow-summary`) |
545
+ | `INSTRUCTION_LEVEL` | Briefing depth: `essential`, `standard`, `full` (CLI: `--instruction-level`; default: `standard`) |
546
+ | `PROJECT_LINT_CMD` | Project lint command for GitHub Commander validation gates (default: `npm run lint`) |
547
+ | `PROJECT_TYPECHECK_CMD` | Project typecheck command (default: `npm run typecheck`; empty = skip) |
548
+ | `PROJECT_BUILD_CMD` | Project build command (default: `npm run build`; empty = skip) |
549
+ | `PROJECT_TEST_CMD` | Project test command (default: `npm run test`) |
550
+ | `PROJECT_E2E_CMD` | Project E2E test command (default: empty = skip) |
551
+ | `PROJECT_PACKAGE_MANAGER` | Package manager override: `npm`, `yarn`, `pnpm`, `bun` (default: auto-detect from lockfile) |
552
+ | `PROJECT_HAS_DOCKERFILE` | Enable Docker audit steps (default: auto-detect) |
553
+ | `COMMANDER_HITL_FILE_THRESHOLD` | Human-in-the-loop checkpoint if changes touch > N files (default: `10`) |
554
+ | `COMMANDER_SECURITY_TOOLS` | Override security tool auto-detection (comma-separated; default: auto-detect) |
555
+ | `COMMANDER_BRANCH_PREFIX` | Branch naming prefix for PRs (default: `fix`) |
556
+ | `AUDIT_LOG_PATH` | Path for the JSONL operational telemetry log of write/admin tool calls. Rotates at 10 MB (keeps 5 archives). Omit to disable telemetry logging. |
557
+ | `AUDIT_REDACT` | Set to `false` to include tool arguments in telemetry log entries (default: `true`) |
558
+ | `AUDIT_READS` | Log read-scoped tool calls in addition to write/admin (CLI: `--audit-reads`; default: `false`) |
559
+ | `AUDIT_LOG_MAX_SIZE` | Maximum operational telemetry file size in bytes before rotation (CLI: `--audit-log-max-size`; default: `10485760`) |
560
+ | `MCP_METRICS_ENABLED` | Set to `false` to disable in-memory tool call metrics accumulation (default: `true`) |
561
+ | `FLAG_VOCABULARY` | Comma-separated flag types for Hush Protocol (CLI: `--flag-vocabulary`; default: `blocker,needs_review,help_requested,fyi`) |
550
562
 
551
563
  **Multi-Project Workflows**: For agents to seamlessly support multiple projects, provide **`PROJECT_REGISTRY`**.
552
564
 
@@ -715,8 +727,8 @@ flowchart TB
715
727
 
716
728
  - **TypeScript + Native SQLite** - High-performance `better-sqlite3` with synchronous I/O
717
729
  - **sqlite-vec** - Vector similarity search via SQLite extension
718
- - **@huggingface/transformers** - ML embeddings in JavaScript
719
- - **Lazy loading** - ML models load on first use, not startup
730
+ - **@huggingface/transformers** - Local ML embedding models in JavaScript
731
+ - **Background Warmup** - Model weights (~23MB) are loaded into memory asynchronously on server startup to avoid first-request latency. If the server is invoked before warmup completes, the first semantic search or vector insertion will incur a network-bound cold start (~1.5s - 3s) while the weights are cached locally.
720
732
 
721
733
  ### Performance Benchmarks
722
734