mixdog 0.7.1

package/lib/keychain-cjs.cjs

@@ -0,0 +1,263 @@
+'use strict';
+
+const { spawnSync } = require('child_process');
+const path = require('path');
+const fs = require('fs');
+const { resolvePluginData } = require('./plugin-paths.cjs');
+
+const SERVICE = 'mixdog';
+const POWERSHELL_TIMEOUT_MS = Number(process.env.MIXDOG_KEYCHAIN_TIMEOUT_MS || 15000);
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function platform() {
+    return process.platform;
+}
+
+function run(cmd, args, opts) {
+    // windowsHide + stdio:['ignore','pipe','pipe'] keeps powershell.exe
+    // consoleless during DPAPI ops. Without these flags every keychain
+    // read/write flashes a conhost window: setup-html's loaders call
+    // /agent/config, /memory/auth, /search/config which each invoke
+    // hasOpenAIOAuthCredentials / hasAnthropicOAuthCredentials /
+    // getSearchApiKey, and each of those triggers one powershell.exe
+    // spawn — users saw 8-15 console flashes during config-UI page load.
+    // Default opts go BEFORE the spread so callers can still override.
+    const result = spawnSync(cmd, args, {
+        encoding: 'utf8',
+        shell: false,
+        windowsHide: true,
+        stdio: ['ignore', 'pipe', 'pipe'],
+        ...opts,
+    });
+    return result;
+}
+
+// PS 5.1(powershell.exe) first: pwsh(PS 7) does not auto-load ProtectedData assembly,
+// so DPAPI calls silently fail there. Windows always ships powershell.exe.
+function powershell(script) {
+    // Bound DPAPI PowerShell calls with a timeout: a hung powershell.exe
+    // (AV scan stall, profile loader, transient cert chain lookup) would
+    // otherwise block hook/server callers synchronously. The default is long
+    // enough for cold PowerShell startup on Windows without silently dropping
+    // setup UI credential saves.
+    // Resolve powershell.exe to its deterministic System32 location rather than
+    // a PATH lookup, so a shadow `powershell.exe` earlier in PATH cannot hijack
+    // secret encryption/decryption. (pwsh/PS7 is intentionally not used: it does
+    // not auto-load the ProtectedData assembly, so DPAPI silently fails there.)
+    const _sysRoot = process.env.SystemRoot || process.env.windir;
+    if (!_sysRoot) {
+        throw new Error('[keychain] cannot resolve SystemRoot to locate powershell.exe for DPAPI');
+    }
+    const _psHosts = [path.join(_sysRoot, 'System32', 'WindowsPowerShell', 'v1.0', 'powershell.exe')];
+    let timedOut = null;
+    for (const exe of _psHosts) {
+        const r = run(exe, ['-NonInteractive', '-NoProfile', '-Command', script], { timeout: POWERSHELL_TIMEOUT_MS });
+        if (r.error && r.error.code === 'ENOENT') continue;
+        if (r.error && r.error.code === 'ETIMEDOUT') {
+            timedOut = { exe, timeoutMs: POWERSHELL_TIMEOUT_MS };
+            continue;
+        }
+        return r;
+    }
+    if (timedOut) {
+        throw new Error(`[keychain] PowerShell DPAPI command timed out after ${timedOut.timeoutMs}ms (last host: ${timedOut.exe})`);
+    }
+    const err = new Error('[keychain] PowerShell not found (tried powershell, pwsh)');
+    throw err;
+}
+
+function secretsDir() {
+    return path.join(resolvePluginData(), 'secrets');
+}
+
+function dpApiFile(account) {
+    return path.join(secretsDir(), account + '.dpapi');
+}
+
+// ---------------------------------------------------------------------------
+// darwin — security(1)
+// ---------------------------------------------------------------------------
+
+function darwinGet(account) {
+    const r = run('security', ['find-generic-password', '-a', account, '-s', SERVICE, '-w']);
+    if (r.status !== 0) return null;
+    return r.stdout.trimEnd();
+}
+
+function darwinSet(account, value) {
+    const r = run('security', ['add-generic-password', '-a', account, '-s', SERVICE, '-w', value, '-U']);
+    if (r.status !== 0) throw new Error(`[keychain] security set failed: ${r.stderr || r.stdout}`);
+}
+
+function darwinDelete(account) {
+    const r = run('security', ['delete-generic-password', '-a', account, '-s', SERVICE]);
+    if (r.status !== 0) throw new Error(`[keychain] security delete failed: ${r.stderr || r.stdout}`);
+}
+
+// ---------------------------------------------------------------------------
+// linux/WSL — keytar (libsecret binding, optionalDependency)
+// ---------------------------------------------------------------------------
+// keytar must be installed: npm install keytar (requires libsecret-dev on
+// Debian/Ubuntu, or libsecret on other distros). If not installed, every
+// call throws immediately — silent credential loss is not permitted.
+
+let _keytarMod = null;
+function loadKeytar() {
+    if (_keytarMod !== null) return _keytarMod;
+    try { _keytarMod = require('keytar'); }
+    catch {
+        throw new Error(
+            '[keychain] keytar is not installed — run: npm install keytar\n' +
+            '  Requires libsecret-dev (Debian/Ubuntu) or libsecret (other distros).\n' +
+            '  Cannot access credentials on this platform without it.'
+        );
+    }
+    return _keytarMod;
+}
+
+// keytar is Promise-based; bridge to sync via spawnSync of a child Node process.
+// Avoids Atomics.wait on main thread (which hangs when SAB is not forwarded to worker).
+function keytarSync(method, ...args) {
+    loadKeytar(); // throws if not installed — before spawning child
+    const { spawnSync } = require('child_process');
+    // Pass service/account/value via env to avoid shell injection entirely.
+    const env = {
+        ...process.env,
+        _KEYTAR_METHOD: method,
+        _KEYTAR_ARGS: JSON.stringify(args),
+    };
+    const script = [
+        'const kt = require("keytar");',
+        'const method = process.env._KEYTAR_METHOD;',
+        'const args = JSON.parse(process.env._KEYTAR_ARGS);',
+        'kt[method](...args)',
+        '  .then(v => { process.stdout.write(JSON.stringify({ ok: true, value: v })); })',
+        '  .catch(e => { process.stdout.write(JSON.stringify({ ok: false, error: e.message })); });',
+    ].join(' ');
+    const r = spawnSync(process.execPath, ['-e', script], {
+        env,
+        stdio: ['ignore', 'pipe', 'pipe'],
+        timeout: 5000,
+        encoding: 'utf8',
+        windowsHide: true,
+    });
+    if (r.error) throw new Error(`[keychain] keytar.${method} spawnSync failed: ${r.error.message}`);
+    if (r.status !== 0) {
+        const detail = (r.stderr || '').trim() || `exit ${r.status}`;
+        throw new Error(`[keychain] keytar.${method} child exited with error: ${detail}`);
+    }
+    let parsed;
+    try { parsed = JSON.parse(r.stdout); } catch {
+        throw new Error(`[keychain] keytar.${method} child returned unparseable output: ${String(r.stdout).slice(0, 200)}`);
+    }
+    if (!parsed.ok) throw new Error(`[keychain] keytar.${method} failed: ${parsed.error}`);
+    return parsed.value ?? null;
+}
+
+function linuxGet(account) {
+    return keytarSync('getPassword', SERVICE, account);
+}
+
+function linuxSet(account, value) {
+    keytarSync('setPassword', SERVICE, account, value);
+}
+
+function linuxDelete(account) {
+    keytarSync('deletePassword', SERVICE, account);
+}
+
+// ---------------------------------------------------------------------------
+// win32 — DPAPI via PowerShell
+// ---------------------------------------------------------------------------
+
+// Add-Type loads System.Security on PS 5.1 hosts where the assembly is not
+// auto-loaded — ProtectedData/DataProtectionScope resolve to TypeNotFound
+// otherwise, and the host returns exit 0 with empty stdout, which then falls
+// through win32Set's empty-output guard. PS 7+ already has the type loaded;
+// SilentlyContinue covers the benign "already loaded" case on repeat calls.
+const PS_PROTECT = [
+    'Add-Type -AssemblyName System.Security -ErrorAction SilentlyContinue;',
+    '[Console]::OutputEncoding = [System.Text.Encoding]::UTF8;',
+    '$value = $args[0];',
+    '$bytes = [System.Text.Encoding]::UTF8.GetBytes($value);',
+    '$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser;',
+    '$enc = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, $scope);',
+    '[Convert]::ToBase64String($enc)',
+].join(' ');
+
+const PS_UNPROTECT = [
+    'Add-Type -AssemblyName System.Security -ErrorAction SilentlyContinue;',
+    '[Console]::OutputEncoding = [System.Text.Encoding]::UTF8;',
+    '$b64 = $args[0];',
+    '$enc = [Convert]::FromBase64String($b64);',
+    '$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser;',
+    '$dec = [System.Security.Cryptography.ProtectedData]::Unprotect($enc, $null, $scope);',
+    '[System.Text.Encoding]::UTF8.GetString($dec)',
+].join(' ');
+
+function win32Get(account) {
+    const file = dpApiFile(account);
+    if (!fs.existsSync(file)) return null;
+    const b64 = fs.readFileSync(file, 'utf8').trim();
+    if (!b64) throw new Error(`[keychain] DPAPI ciphertext file is empty: ${file}`);
+    const r = powershell(`& { ${PS_UNPROTECT} } '${b64}'`);
+    if (r.status !== 0) throw new Error(`[keychain] DPAPI decrypt failed (exit ${r.status}): ${r.stderr || r.stdout}`);
+    const out = (r.stdout || '').trim();
+    if (!out) throw new Error(`[keychain] DPAPI decrypt returned empty output (stderr: ${(r.stderr || '').trim()})`);
+    return out;
+}
+
+function win32Set(account, value) {
+    const dir = secretsDir();
+    fs.mkdirSync(dir, { recursive: true });
+    // Pass value as a PS argument via -Command inline to avoid shell injection;
+    // value is embedded as a PS single-quoted string literal with ' escaped.
+    const escaped = value.replace(/'/g, "''");
+    const r = powershell(`& { ${PS_PROTECT} } '${escaped}'`);
+    if (r.status !== 0) throw new Error(`[keychain] DPAPI encrypt failed (exit ${r.status}): ${r.stderr || r.stdout}`);
+    const out = (r.stdout || '').trim();
+    if (!out) throw new Error(`[keychain] DPAPI encrypt returned empty output (stderr: ${(r.stderr || '').trim()})`);
+    fs.writeFileSync(dpApiFile(account), out, 'utf8');
+}
+
+function win32Delete(account) {
+    const file = dpApiFile(account);
+    if (!fs.existsSync(file)) throw new Error(`[keychain] secret not found: ${account}`);
+    fs.unlinkSync(file);
+}
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+function getSecret(account) {
+    switch (platform()) {
+        case 'darwin': return darwinGet(account);
+        case 'linux':  return linuxGet(account);
+        case 'win32':  return win32Get(account);
+        default: throw new Error(`[keychain] unsupported platform: ${process.platform}`);
+    }
+}
+
+function setSecret(account, value) {
+    switch (platform()) {
+        case 'darwin': return darwinSet(account, value);
+        case 'linux':  return linuxSet(account, value);
+        case 'win32':  return win32Set(account, value);
+        default: throw new Error(`[keychain] unsupported platform: ${process.platform}`);
+    }
+}
+
+function deleteSecret(account) {
+    switch (platform()) {
+        case 'darwin': return darwinDelete(account);
+        case 'linux':  return linuxDelete(account);
+        case 'win32':  return win32Delete(account);
+        default: throw new Error(`[keychain] unsupported platform: ${process.platform}`);
+    }
+}
+
+module.exports = { getSecret, setSecret, deleteSecret, SERVICE };

package/lib/plugin-paths.cjs

@@ -0,0 +1,61 @@
+'use strict';
+
+/**
+ * Canonical resolver for CLAUDE_PLUGIN_DATA (plugin data dir).
+ *
+ * Resolution order:
+ *   1. process.env.CLAUDE_PLUGIN_DATA  — set by Claude Code when spawning
+ *                                        the MCP server or a hook.
+ *   2. Derive from CLAUDE_PLUGIN_ROOT  — works both for cache layout
+ *                                        (.../cache/{marketplace}/{plugin}/{version}/)
+ *                                        and marketplace layout
+ *                                        (.../marketplaces/{marketplace}/external_plugins/{plugin}/).
+ *
+ * Throws if neither env var is present — the plugin always runs under
+ * Claude Code, which sets one of them. Callers must not silently fall
+ * back to a hardcoded path.
+ *
+ * DEFAULT_PLUGIN / DEFAULT_MARKETPLACE are exported so a handful of
+ * callers (MCP client spawning sibling plugins, session-manager building
+ * PLUGIN_ROOT for rule injection) can reference the canonical names
+ * without re-hardcoding the strings. Update both in lockstep with
+ * `.claude-plugin/marketplace.json` if the marketplace is ever renamed.
+ */
+
+const path = require('path');
+const os = require('os');
+const fs = require('fs');
+
+const DEFAULT_PLUGIN = 'mixdog';
+const DEFAULT_MARKETPLACE = 'trib-plugin';
+
+function readPluginManifestName(root) {
+  try {
+    const manifest = JSON.parse(fs.readFileSync(path.join(root, '.claude-plugin', 'plugin.json'), 'utf8'));
+    if (manifest && typeof manifest.name === 'string' && manifest.name.trim()) return manifest.name.trim();
+  } catch { /* fall through to default */ }
+  return DEFAULT_PLUGIN;
+}
+
+function resolvePluginData() {
+  if (process.env.CLAUDE_PLUGIN_DATA) return process.env.CLAUDE_PLUGIN_DATA;
+  const root = process.env.CLAUDE_PLUGIN_ROOT;
+  if (root) {
+    const dirName = path.basename(root);
+    // Cache layout schema: <plugin>/mixdog/<semver>/ — regex matches the semver dir prefix in the path.
+    if (/^\d+\.\d+\.\d+/.test(dirName)) {
+      const pluginName = path.basename(path.join(root, '..'));
+      const marketplace = path.basename(path.join(root, '..', '..'));
+      return path.join(os.homedir(), '.claude', 'plugins', 'data', `${pluginName}-${marketplace}`);
+    }
+    // Marketplace layout: .../marketplaces/{marketplace}/
+    // The root dir itself is the marketplace. Plugin name lives in the
+    // manifest; fall back to DEFAULT_PLUGIN when it's unreadable.
+    const marketplace = dirName;
+    const pluginName = readPluginManifestName(root);
+    return path.join(os.homedir(), '.claude', 'plugins', 'data', `${pluginName}-${marketplace}`);
+  }
+  throw new Error('[plugin-paths] CLAUDE_PLUGIN_DATA and CLAUDE_PLUGIN_ROOT are both unset — cannot resolve plugin data dir outside of Claude Code.');
+}
+
+module.exports = { resolvePluginData, DEFAULT_PLUGIN, DEFAULT_MARKETPLACE };

package/lib/rules-builder.cjs

@@ -0,0 +1,241 @@
+'use strict';
+
+/**
+ * mixdog rules builder.
+ *
+ * Three surfaces:
+ *   - buildInjectionContent              — Lead (Claude Code main session)
+ *   - buildBridgeInjectionContent        — bridge session BP1 (true cross-role common)
+ *   - buildBridgeRoleSpecificContent     — bridge session BP3 (role-specific instructions)
+ *
+ * 4-BP cache layout (composeSystemPrompt):
+ *   BP1 = bridge BP1 content (this file's buildBridgeInjectionContent) — every role identical
+ *   BP2 = scoped role catalog (collect.mjs loadScopedRoleCatalog) — role family / self
+ *   BP3 = project context + role marker + permission + role-specific instructions
+ *   BP4 = task brief + memory recap (5m volatile)
+ *
+ * Source files (rules/):
+ *   - shared/01-tool.md              — universal tool policy (Lead + bridge BP1, identical full set)
+ *   - lead/00-tool-lead.md           — Lead-specific control-tower / delegation / ToolSearch guidance
+ *   - lead/01-04                     — Lead workflow / channels / team / general
+ *   - bridge/00-common.md            — bridge common behavior + universal worker contract (BP1)
+ *   - bridge/10..50-*.md             — per-hidden-role bodies (consumed by loadScopedRoleCatalog)
+ *
+ * Core memory snapshot and session recap are injected separately by
+ * hooks/session-start.cjs from the memory worker (pgdata) (Lead only).
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+/**
+ * Read a single section from mixdog-config.json (unified config).
+ *
+ * @param {string} dataDir  — DATA_DIR passed into build* functions
+ * @param {string} section  — top-level key ('memory' | 'search' | …)
+ * @returns {object}
+ */
+function readConfigSection(dataDir, section) {
+  try {
+    const unified = JSON.parse(fs.readFileSync(path.join(dataDir, 'mixdog-config.json'), 'utf8'));
+    if (unified && typeof unified === 'object') return unified[section] || {};
+  } catch {}
+  return {};
+}
+
+function readOptional(filePath) {
+  try { return fs.readFileSync(filePath, 'utf8').trim(); } catch { return ''; }
+}
+
+/**
+ * Recursively collect all `.md` files under `dir`. Returns absolute paths
+ * in stack-DFS order (callers sort before use). Missing/unreadable `dir`
+ * yields an empty array — matches the previous inline `try {} catch {}`
+ * behavior at every call site.
+ */
+function collectMarkdownFilesRecursive(dir) {
+  const collected = [];
+  try {
+    const stack = [dir];
+    while (stack.length) {
+      const current = stack.pop();
+      const entries = fs.readdirSync(current, { withFileTypes: true });
+      for (const entry of entries) {
+        const full = path.join(current, entry.name);
+        if (entry.isDirectory()) stack.push(full);
+        else if (entry.isFile() && entry.name.endsWith('.md')) collected.push(full);
+      }
+    }
+  } catch {}
+  return collected;
+}
+
+// Address-form rule. Reads only `user.title` — `user.name` is intentionally
+// not consumed; the user is addressed solely by the configured form.
+// Returns '' when title is empty so nothing is injected.
+function composeUserAddressBullet(memoryConfig) {
+  const userTitle = (memoryConfig.user && memoryConfig.user.title || '').trim();
+  if (!userTitle) return '';
+  return `- User address form: ${userTitle} (use this address form exactly as written; do not combine it with any other name or honorific)`;
+}
+
+/**
+ * Build the Lead injection content.
+ */
+function buildInjectionContent({ PLUGIN_ROOT, DATA_DIR }) {
+  const RULES_DIR = path.join(PLUGIN_ROOT, 'rules');
+  const SHARED_DIR = path.join(RULES_DIR, 'shared');
+  const LEAD_DIR = path.join(RULES_DIR, 'lead');
+  const HISTORY_DIR = path.join(DATA_DIR, 'history');
+
+  const memoryConfig = readConfigSection(DATA_DIR, 'memory');
+  const parts = [];
+
+  // Language policy injects first — global default, applied to every Lead reply
+  // and to plugin-internal communication regardless of locale.
+  const language = readOptional(path.join(SHARED_DIR, '00-language.md'));
+  if (language) parts.push(language);
+
+  const general = readOptional(path.join(LEAD_DIR, '01-general.md'));
+  if (general) {
+    const addressBullet = composeUserAddressBullet(memoryConfig);
+    parts.push(addressBullet ? `${general}\n${addressBullet}` : general);
+  }
+
+  const tool = readOptional(path.join(SHARED_DIR, '01-tool.md'));
+  if (tool) parts.push(tool);
+
+  const toolLead = readOptional(path.join(LEAD_DIR, '00-tool-lead.md'));
+  if (toolLead) parts.push(toolLead);
+
+  const channels = readOptional(path.join(LEAD_DIR, '02-channels.md'));
+  if (channels) parts.push(channels);
+
+  const team = readOptional(path.join(LEAD_DIR, '03-team.md'));
+  if (team) parts.push(team);
+
+  const workflow = readOptional(path.join(LEAD_DIR, '04-workflow.md'));
+  if (workflow) parts.push(workflow);
+
+  const userWorkflowJsonPath = path.join(DATA_DIR, 'user-workflow.json');
+  let userWorkflow = { roles: [] };
+  try {
+    if (fs.existsSync(userWorkflowJsonPath)) {
+      userWorkflow = JSON.parse(fs.readFileSync(userWorkflowJsonPath, 'utf8'));
+    }
+  } catch {}
+  if (Array.isArray(userWorkflow.roles) && userWorkflow.roles.length > 0) {
+    const roleLines = ['# Roles', ''];
+    for (const role of userWorkflow.roles) {
+      roleLines.push(`- ${role.name}: ${role.preset}`);
+    }
+    parts.push(roleLines.join('\n'));
+  }
+
+  const userWorkflowMdPath = path.join(DATA_DIR, 'user-workflow.md');
+  const userWorkflowMd = readOptional(userWorkflowMdPath);
+  if (userWorkflowMd) {
+    const startsWithHeader = /^#\s+User Workflow/i.test(userWorkflowMd);
+    parts.push(startsWithHeader ? userWorkflowMd : `# User Workflow\n\n${userWorkflowMd}`);
+  }
+
+  const userProfile = readOptional(path.join(HISTORY_DIR, 'user.md'));
+  if (userProfile) parts.push(`# User Profile\n\n${userProfile}`);
+
+  const botPersona = readOptional(path.join(HISTORY_DIR, 'bot.md'));
+  if (botPersona) parts.push(`# Bot Persona\n\n${botPersona}`);
+
+  return parts.join('\n\n');
+}
+
+/**
+ * BP1 — true cross-role common. Identical for every bridge role; the
+ * role-specific stuff (per-event webhook instructions, per-task schedule
+ * instructions, hidden role tool detail) lives in BP3 instead.
+ *
+ * @param {object} opts
+ * @param {string} opts.PLUGIN_ROOT
+ * @param {string} opts.DATA_DIR
+ * @returns {string}
+ */
+function buildBridgeInjectionContent({ PLUGIN_ROOT, DATA_DIR }) {
+  const RULES_DIR = path.join(PLUGIN_ROOT, 'rules');
+  const SHARED_DIR = path.join(RULES_DIR, 'shared');
+  const BRIDGE_DIR = path.join(RULES_DIR, 'bridge');
+  const parts = [];
+
+  // 0. Language policy — global default, language-neutral plugin behavior.
+  const language = readOptional(path.join(SHARED_DIR, '00-language.md'));
+  if (language) parts.push(language);
+
+  // 1. Universal tool policy — same full set Lead receives.
+  const tool = readOptional(path.join(SHARED_DIR, '01-tool.md'));
+  if (tool) parts.push(tool);
+
+  // 2. Bridge common behavior.
+  const common = readOptional(path.join(BRIDGE_DIR, '00-common.md'));
+  if (common) parts.push(common);
+
+  // 3. User-defined work-role overrides (DATA_DIR/roles/*.md). Pool-wide.
+  const rolesDir = path.join(DATA_DIR, 'roles');
+  const collected = collectMarkdownFilesRecursive(rolesDir);
+  if (collected.length > 0) {
+    collected.sort();
+    const blocks = collected.map(f => readOptional(f)).filter(Boolean);
+    if (blocks.length > 0) {
+      parts.push(['# Agent roles', '', blocks.join('\n\n')].join('\n'));
+    }
+  }
+
+  // userTitle / address form is intentionally NOT injected here — bridge
+  // workers produce tool I/O, not user-facing replies, so the persona signal
+  // only biases response language/tone without serving a purpose. Lead BP1
+  // (buildInjectionContent above) still carries it.
+
+  return parts.join('\n\n');
+}
+
+/**
+ * BP3 role-specific instructions. Only the calling role's own task / tool
+ * detail body emits — webhook-handler gets webhooks/<all-events>/, scheduler
+ * gets schedules/<all-tasks>/, hidden retrieval roles get their own tool
+ * detail. Other roles return ''.
+ *
+ * NOTE: webhook-event narrowing (one event per call) requires the inbound
+ * payload's event id at compose time; not implemented yet, so all 4 webhook
+ * instructions still bake into webhook-handler BP3 for now.
+ *
+ * @param {object} opts
+ * @param {string} opts.DATA_DIR
+ * @param {string|null} opts.currentRole
+ * @returns {string}
+ */
+function buildBridgeRoleSpecificContent({ DATA_DIR, currentRole }) {
+  if (!currentRole) return '';
+  const parts = [];
+
+  // webhook-handler / scheduler-task — pull their respective instruction trees.
+  const subdirForRole =
+    currentRole === 'webhook-handler' ? 'webhooks'
+    : currentRole === 'scheduler-task' ? 'schedules'
+    : null;
+  if (subdirForRole) {
+    const dir = path.join(DATA_DIR, subdirForRole);
+    const collected = collectMarkdownFilesRecursive(dir);
+    if (collected.length > 0) {
+      collected.sort();
+      const blocks = collected.map(f => readOptional(f)).filter(Boolean);
+      if (blocks.length > 0) {
+        parts.push([`# Agent ${subdirForRole}`, '', blocks.join('\n\n')].join('\n'));
+      }
+    }
+  }
+
+  return parts.join('\n\n');
+}
+
+module.exports = {
+  buildInjectionContent,
+  buildBridgeInjectionContent,
+  buildBridgeRoleSpecificContent,
+};

package/lib/text-utils.cjs

@@ -0,0 +1,61 @@
+'use strict';
+
+/**
+ * Shared text-cleaning utilities. Used by both:
+ *   - hooks/session-start.cjs (CJS hook)
+ *   - src/memory/lib/memory-extraction.mjs (ESM, via createRequire re-export)
+ *
+ * Single source of truth for the regex set that strips:
+ *   - markdown fences, headers, list markers, bold
+ *   - tool/system tags emitted by Claude Code (system-reminder, tool-use-id,
+ *     local-command-*, etc.)
+ *   - mixdog tags (channel, schedule-context, teammate-message)
+ *   - URLs, emoji, "Ran X", "Process exited", and other transcript noise
+ */
+
+function cleanMemoryText(text) {
+  return String(text ?? '')
+    .replace(/```[\s\S]*?```/g, '')
+    .replace(/<memory-context>[\s\S]*?<\/memory-context>/gi, '')
+    .replace(/<local-command-caveat>[\s\S]*?<\/local-command-caveat>/gi, '')
+    .replace(/<local-command-stdout>[\s\S]*?<\/local-command-stdout>/gi, '')
+    .replace(/<command-name>[\s\S]*?<\/command-name>/gi, '')
+    .replace(/<command-message>[\s\S]*?<\/command-message>/gi, '')
+    .replace(/<command-args>[\s\S]*?<\/command-args>/gi, '')
+    .replace(/<task-notification>[\s\S]*?<\/task-notification>/gi, '')
+    .replace(/<tool-use-id>[\s\S]*?<\/tool-use-id>/gi, '')
+    .replace(/<output-file>[\s\S]*?<\/output-file>/gi, '')
+    .replace(/<system-reminder>[\s\S]*?<\/system-reminder>/gi, '')
+    .replace(/<schedule-context>[\s\S]*?<\/schedule-context>/gi, '')
+    .replace(/<teammate-message[\s\S]*?<\/teammate-message>/gi, '')
+    .replace(/<channel[^>]*>\n?([\s\S]*?)\n?<\/channel>/g, '$1')
+    .replace(/^[ \t]*\|.*\|[ \t]*$/gm, '')
+    .replace(/`([^`]+)`/g, '$1')
+    .replace(/\*\*/g, '')
+    .replace(/^#{1,4}\s+/gm, '')
+    .replace(/^>\s?/gm, '')
+    .replace(/^[-*]\s+/gm, '')
+    .replace(/https?:\/\/\S+/g, '')
+    .replace(/^This session is being continued from a previous conversation[\s\S]*?(?=\n\n|$)/gim, '')
+    .replace(/^\[[^\]\n]{1,140}\]\s*$/gm, '')
+    .replace(/^\s*●\s.*$/gm, '')
+    .replace(/^\s*Ran .*$/gm, '')
+    // stable best-effort sanitization, do not extend without justification
+    .replace(/^\s*Command: .*$/gm, '')
+    .replace(/^\s*Process exited .*$/gm, '')
+    .replace(/^\s*Full transcript available at: .*$/gm, '')
+    .replace(/^\s*Read the output file to retrieve the result: .*$/gm, '')
+    .replace(/^\s*Original token count: .*$/gm, '')
+    .replace(/^\s*Wall time: .*$/gm, '')
+    .replace(/^\s*Chunk ID: .*$/gm, '')
+    .replace(/^\s*tool_uses: .*$/gm, '')
+    .replace(/^\s*menu item .*$/gm, '')
+    .replace(/<\/?[a-z][-a-z]*(?:\s[^>]*)?\/?>/gi, '')
+    .replace(/[\u{1F300}-\u{1FAD6}\u{2600}-\u{27BF}]/gu, '')
+    .replace(/[ \t]+/g, ' ')
+    .replace(/\n{2,}/g, '\n')
+    .replace(/^\s+|\s+$/gm, '')
+    .trim();
+}
+
+module.exports = { cleanMemoryText };