mneme-ai 2.77.0 → 2.79.0

package/dist/commands/immune.d.ts

@@ -0,0 +1,18 @@
+/**
+ * v2.78.0 — `mneme immune selftest`
+ *
+ * WORM-CANARY for humans. Two checks:
+ *   1. Mneme's OWN output: render a worst-case version-mismatch agent block
+ *      (one carrying an upgrade autoAction) and prove it has zero worm
+ *      signatures — Mneme informs, never commands.
+ *   2. This repo's agent files (CLAUDE.md / AGENTS.md / .cursorrules /
+ *      .windsurfrules): scan the live Mneme block (or whole file) for any
+ *      worm directive that may have been written by an OLDER Mneme.
+ *
+ * Exit 0 when clean, 1 when a worm directive is found.
+ */
+export declare function immuneCommand(opts: {
+    cwd: string;
+    json?: boolean;
+}): Promise<number>;
+//# sourceMappingURL=immune.d.ts.map

package/dist/commands/immune.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"immune.d.ts","sourceRoot":"","sources":["../../src/commands/immune.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAaH,wBAAsB,aAAa,CAAC,IAAI,EAAE;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,OAAO,CAAA;CAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAgE1F"}

package/dist/commands/immune.js

@@ -0,0 +1,96 @@
+/**
+ * v2.78.0 — `mneme immune selftest`
+ *
+ * WORM-CANARY for humans. Two checks:
+ *   1. Mneme's OWN output: render a worst-case version-mismatch agent block
+ *      (one carrying an upgrade autoAction) and prove it has zero worm
+ *      signatures — Mneme informs, never commands.
+ *   2. This repo's agent files (CLAUDE.md / AGENTS.md / .cursorrules /
+ *      .windsurfrules): scan the live Mneme block (or whole file) for any
+ *      worm directive that may have been written by an OLDER Mneme.
+ *
+ * Exit 0 when clean, 1 when a worm directive is found.
+ */
+import { writeSync } from "node:fs";
+import * as core from "@mneme-ai/core";
+const AGENT_FILES = ["CLAUDE.md", "AGENTS.md", ".cursorrules", ".windsurfrules"];
+// fd-1 synchronous write — survives the immediate process.exit() the action
+// handler calls (an async stdout pipe would otherwise be truncated on Windows).
+function out(s) {
+    try {
+        writeSync(1, s);
+    }
+    catch {
+        process.stdout.write(s);
+    }
+}
+export async function immuneCommand(opts) {
+    const { scanForWormSignatures, KNOWN_WORM_PAYLOAD } = core.immune;
+    const { renderMnemeBlock, readMnemeBlock } = core.notifier;
+    // Check 1 — Mneme's own worst-case output.
+    const ownBlock = renderMnemeBlock({
+        id: "version-up-to-date",
+        severity: "info",
+        title: "Mneme update available",
+        body: "installed v0.0.0, npm latest v9.9.9. The user can run `mneme upgrade` when convenient.",
+        autoAction: { tool: "mneme.system.upgrade", args: { mode: "install", force: true } },
+    });
+    const ownScan = scanForWormSignatures(ownBlock);
+    const control = scanForWormSignatures(KNOWN_WORM_PAYLOAD); // positive control
+    // Check 2 — this repo's persistent agent files.
+    const fileScans = [];
+    for (const f of AGENT_FILES) {
+        let block = null;
+        try {
+            block = readMnemeBlock(opts.cwd, f);
+        }
+        catch {
+            block = null;
+        }
+        if (block === null)
+            continue; // file or Mneme block absent — nothing to scan
+        const scan = scanForWormSignatures(block);
+        fileScans.push({
+            file: f,
+            clean: scan.clean,
+            findings: scan.findings.length,
+            detail: scan.findings.map((x) => `${x.kind}: "${x.match}"`),
+        });
+    }
+    const dirtyFiles = fileScans.filter((s) => !s.clean);
+    const ok = ownScan.clean && !control.clean && dirtyFiles.length === 0;
+    if (opts.json) {
+        out(JSON.stringify({
+            ok,
+            ownOutputClean: ownScan.clean,
+            canaryCatchesKnownPayload: !control.clean,
+            ownFindings: ownScan.findings,
+            files: fileScans,
+        }, null, 2) + "\n");
+        return ok ? 0 : 1;
+    }
+    const lines = [];
+    lines.push("🧬 MNEME IMMUNE SELFTEST — WORM-CANARY");
+    lines.push("");
+    lines.push(`  ${ownScan.clean ? "🟢" : "🔴"} Mneme's own agent-file output: ${ownScan.clean ? "no worm signatures (informs, never commands)" : `${ownScan.findings.length} signature(s)!`}`);
+    for (const f of ownScan.findings)
+        lines.push(`       └─ ${f.kind}: "${f.match}"`);
+    lines.push(`  ${!control.clean ? "🟢" : "🔴"} Canary self-test: ${!control.clean ? "catches the known pre-v2.78 worm payload (positive control)" : "FAILED to catch the known payload — canary is broken!"}`);
+    if (fileScans.length === 0) {
+        lines.push("  ·  No Mneme blocks found in this repo's agent files (nothing to scan).");
+    }
+    else {
+        for (const s of fileScans) {
+            lines.push(`  ${s.clean ? "🟢" : "🔴"} ${s.file}: ${s.clean ? "clean" : `${s.findings} worm signature(s)!`}`);
+            for (const d of s.detail)
+                lines.push(`       └─ ${d}`);
+        }
+    }
+    lines.push("");
+    lines.push(ok
+        ? "  ✅ CLEAN — Mneme is not a worm. It states version availability as informational context; upgrades are user-initiated only."
+        : "  ❌ WORM DIRECTIVE present — see above. (If a repo file is dirty, an OLDER Mneme wrote it; run `mneme upgrade` then re-run this.)");
+    out(lines.join("\n") + "\n");
+    return ok ? 0 : 1;
+}
+//# sourceMappingURL=immune.js.map

package/dist/commands/immune.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"immune.js","sourceRoot":"","sources":["../../src/commands/immune.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AACpC,OAAO,KAAK,IAAI,MAAM,gBAAgB,CAAC;AAEvC,MAAM,WAAW,GAAG,CAAC,WAAW,EAAE,WAAW,EAAE,cAAc,EAAE,gBAAgB,CAAC,CAAC;AAEjF,4EAA4E;AAC5E,gFAAgF;AAChF,SAAS,GAAG,CAAC,CAAS;IACpB,IAAI,CAAC;QAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAAC,CAAC;AAC7D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,IAAqC;IACvE,MAAM,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC;IAClE,MAAM,EAAE,gBAAgB,EAAE,cAAc,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;IAE3D,2CAA2C;IAC3C,MAAM,QAAQ,GAAG,gBAAgB,CAAC;QAChC,EAAE,EAAE,oBAAoB;QACxB,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,wBAAwB;QAC/B,IAAI,EAAE,wFAAwF;QAC9F,UAAU,EAAE,EAAE,IAAI,EAAE,sBAAsB,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;KACrF,CAAC,CAAC;IACH,MAAM,OAAO,GAAG,qBAAqB,CAAC,QAAQ,CAAC,CAAC;IAChD,MAAM,OAAO,GAAG,qBAAqB,CAAC,kBAAkB,CAAC,CAAC,CAAC,mBAAmB;IAE9E,gDAAgD;IAChD,MAAM,SAAS,GAAgF,EAAE,CAAC;IAClG,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;QAC5B,IAAI,KAAK,GAAkB,IAAI,CAAC;QAChC,IAAI,CAAC;YAAC,KAAK,GAAG,cAAc,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC;YAAC,KAAK,GAAG,IAAI,CAAC;QAAC,CAAC;QACpE,IAAI,KAAK,KAAK,IAAI;YAAE,SAAS,CAAC,+CAA+C;QAC7E,MAAM,IAAI,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;QAC1C,SAAS,CAAC,IAAI,CAAC;YACb,IAAI,EAAE,CAAC;YACP,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM;YAC9B,MAAM,EAAE,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC,KAAK,GAAG,CAAC;SAC5D,CAAC,CAAC;IACL,CAAC;IAED,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IACrD,MAAM,EAAE,GAAG,OAAO,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,KAAK,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,CAAC;IAEtE,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC;YACjB,EAAE;YACF,cAAc,EAAE,OAAO,CAAC,KAAK;YAC7B,yBAAyB,EAAE,CAAC,OAAO,CAAC,KAAK;YACzC,WAAW,EAAE,OAAO,CAAC,QAAQ;YAC7B,KAAK,EAAE,SAAS;SACjB,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;QACpB,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IAED,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;IACrD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,KAAK,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,mCAAmC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,8CAA8C,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,gBAAgB,EAAE,CAAC,CAAC;IAC7L,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,QAAQ;QAAE,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC;IAClF,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,sBAAsB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,6DAA6D,CAAC,CAAC,CAAC,uDAAuD,EAAE,CAAC,CAAC;IAC9M,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3B,KAAK,CAAC,IAAI,CAAC,0EAA0E,CAAC,CAAC;IACzF,CAAC;SAAM,CAAC;QACN,KAAK,MAAM,CAAC,IAAI,SAAS,EAAE,CAAC;YAC1B,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,QAAQ,qBAAqB,EAAE,CAAC,CAAC;YAC9G,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM;gBAAE,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,EAAE;QACX,CAAC,CAAC,6HAA6H;QAC/H,CAAC,CAAC,mIAAmI,CAAC,CAAC;IACzI,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC;IAC7B,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACpB,CAAC"}

package/dist/commands/notary.d.ts

@@ -0,0 +1,23 @@
+/**
+ * v2.79.0 — `mneme notary <action>`
+ *
+ * Portable proof-of-provenance receipts (Ed25519). Verify with a public key
+ * alone — no Mneme, no network, no shared secret.
+ *
+ *   mneme notary pubkey            — show this repo's issuer public key + fingerprint
+ *   mneme notary issue   --subject S [--kind K] [--payload JSON] [--no-payload] [--prev ID]
+ *   mneme notary verify  <file|->  — verify a receipt OFFLINE (exit 0 valid, 1 invalid)
+ */
+export interface NotaryOpts {
+    cwd: string;
+    action: string;
+    subject?: string;
+    kind?: string;
+    payload?: string;
+    noPayload?: boolean;
+    prev?: string;
+    file?: string;
+    json?: boolean;
+}
+export declare function notaryCommand(opts: NotaryOpts): Promise<number>;
+//# sourceMappingURL=notary.d.ts.map

package/dist/commands/notary.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"notary.d.ts","sourceRoot":"","sources":["../../src/commands/notary.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAUH,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAID,wBAAsB,aAAa,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CA8CrE"}

package/dist/commands/notary.js

@@ -0,0 +1,89 @@
+/**
+ * v2.79.0 — `mneme notary <action>`
+ *
+ * Portable proof-of-provenance receipts (Ed25519). Verify with a public key
+ * alone — no Mneme, no network, no shared secret.
+ *
+ *   mneme notary pubkey            — show this repo's issuer public key + fingerprint
+ *   mneme notary issue   --subject S [--kind K] [--payload JSON] [--no-payload] [--prev ID]
+ *   mneme notary verify  <file|->  — verify a receipt OFFLINE (exit 0 valid, 1 invalid)
+ */
+import { writeSync, readFileSync } from "node:fs";
+import * as core from "@mneme-ai/core";
+import { parseJsonArg } from "../util/json_arg.js";
+function out(s) {
+    try {
+        writeSync(1, s);
+    }
+    catch {
+        process.stdout.write(s);
+    }
+}
+const KINDS = new Set(["claim-verdict", "protocol-hop", "memory-capsule", "reasoning-trace", "generic"]);
+export async function notaryCommand(opts) {
+    const { getIssuerKeyPair, issueReceipt, verifyReceipt } = core.notary;
+    if (opts.action === "pubkey" || opts.action === "keygen") {
+        const kp = getIssuerKeyPair(opts.cwd);
+        if (opts.json) {
+            out(JSON.stringify({ alg: "ed25519", fingerprint: kp.fingerprint, publicKeyB64: kp.publicKeyB64 }, null, 2) + "\n");
+            return 0;
+        }
+        out(`🪪 MNEME NOTARY — issuer public key (this repo)\n\n  alg:         ed25519\n  fingerprint: ${kp.fingerprint}\n  publicKey:   ${kp.publicKeyB64}\n\n  Share the public key. Anyone can verify your receipts offline with it.\n  The private key stays in .mneme/notary/issuer.key (never shared).\n`);
+        return 0;
+    }
+    if (opts.action === "issue") {
+        if (!opts.subject) {
+            out("✗ issue requires --subject\n");
+            return 2;
+        }
+        const kind = opts.kind && KINDS.has(opts.kind) ? opts.kind : "generic";
+        let payload = undefined;
+        if (opts.payload) {
+            try {
+                payload = parseJsonArg(opts.payload);
+            }
+            catch {
+                out("✗ --payload is not valid JSON\n");
+                return 2;
+            }
+        }
+        const r = issueReceipt(opts.cwd, {
+            kind, subject: opts.subject, payload,
+            includePayload: !opts.noPayload, prev: opts.prev ?? null,
+        });
+        out(JSON.stringify(r, null, 2) + "\n");
+        return 0;
+    }
+    if (opts.action === "verify") {
+        let raw;
+        try {
+            raw = opts.file && opts.file !== "-" ? readFileSync(opts.file, "utf8") : readFileSync(0, "utf8");
+        }
+        catch (e) {
+            out(`✗ cannot read receipt: ${e.message}\n`);
+            return 2;
+        }
+        let receipt;
+        try {
+            receipt = JSON.parse(raw);
+        }
+        catch {
+            out("✗ receipt is not valid JSON\n");
+            return 2;
+        }
+        const v = verifyReceipt(receipt);
+        if (opts.json) {
+            out(JSON.stringify(v, null, 2) + "\n");
+            return v.valid ? 0 : 1;
+        }
+        if (v.valid) {
+            out(`🟢 VALID — signature verifies offline against the embedded public key.\n  issuer:   ${v.issuerFingerprint}\n  kind:     ${v.kind}\n  subject:  ${v.subject}\n`);
+            return 0;
+        }
+        out(`🔴 INVALID — ${v.reason}\n`);
+        return 1;
+    }
+    out(`✗ Unknown notary action "${opts.action}". Try: pubkey | issue | verify\n`);
+    return 2;
+}
+//# sourceMappingURL=notary.js.map

package/dist/commands/notary.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"notary.js","sourceRoot":"","sources":["../../src/commands/notary.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAClD,OAAO,KAAK,IAAI,MAAM,gBAAgB,CAAC;AACvC,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAEnD,SAAS,GAAG,CAAC,CAAS;IACpB,IAAI,CAAC;QAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAAC,CAAC;AAC7D,CAAC;AAcD,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,eAAe,EAAE,cAAc,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,SAAS,CAAC,CAAC,CAAC;AAEzG,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,IAAgB;IAClD,MAAM,EAAE,gBAAgB,EAAE,YAAY,EAAE,aAAa,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC;IAEtE,IAAI,IAAI,CAAC,MAAM,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;QACzD,MAAM,EAAE,GAAG,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,WAAW,EAAE,EAAE,CAAC,WAAW,EAAE,YAAY,EAAE,EAAE,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;YAAC,OAAO,CAAC,CAAC;QAAC,CAAC;QACjJ,GAAG,CAAC,6FAA6F,EAAE,CAAC,WAAW,oBAAoB,EAAE,CAAC,YAAY,qJAAqJ,CAAC,CAAC;QACzS,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;QAC5B,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;YAAC,OAAO,CAAC,CAAC;QAAC,CAAC;QACrE,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAA+B,CAAC,CAAC,CAAC,SAAS,CAAC;QAClG,IAAI,OAAO,GAAY,SAAS,CAAC;QACjC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,IAAI,CAAC;gBAAC,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC;gBAAC,GAAG,CAAC,iCAAiC,CAAC,CAAC;gBAAC,OAAO,CAAC,CAAC;YAAC,CAAC;QAC3G,CAAC;QACD,MAAM,CAAC,GAAG,YAAY,CAAC,IAAI,CAAC,GAAG,EAAE;YAC/B,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,OAAO;YACpC,cAAc,EAAE,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,IAAI;SACzD,CAAC,CAAC;QACH,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;QACvC,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,IAAI,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC7B,IAAI,GAAW,CAAC;QAChB,IAAI,CAAC;YACH,GAAG,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,KAAK,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACnG,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,GAAG,CAAC,0BAA2B,CAAW,CAAC,OAAO,IAAI,CAAC,CAAC;YAAC,OAAO,CAAC,CAAC;QACpE,CAAC;QACD,IAAI,OAAgB,CAAC;QACrB,IAAI,CAAC;YAAC,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC;YAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;YAAC,OAAO,CAAC,CAAC;QAAC,CAAC;QAC5F,MAAM,CAAC,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;QACjC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;YAAC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAAC,CAAC;QAClF,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;YACZ,GAAG,CAAC,uFAAuF,CAAC,CAAC,iBAAiB,iBAAiB,CAAC,CAAC,IAAI,iBAAiB,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC;YACrK,OAAO,CAAC,CAAC;QACX,CAAC;QACD,GAAG,CAAC,gBAAgB,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC;QAClC,OAAO,CAAC,CAAC;IACX,CAAC;IAED,GAAG,CAAC,4BAA4B,IAAI,CAAC,MAAM,mCAAmC,CAAC,CAAC;IAChF,OAAO,CAAC,CAAC;AACX,CAAC"}

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAuIA,wBAAsB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAwyMvD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAuIA,wBAAsB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAq1MvD"}

package/dist/index.js

@@ -4166,6 +4166,49 @@ export async function run(argv) {
         const { uiCommand } = await import("./commands/ui.js");
         await uiCommand({ cwd: process.cwd(), version: getVersion() });
     });
+    // v2.78.0 — WORM-CANARY selftest. Prove Mneme is not an AI worm: its
+    // agent-file output carries no imperative directives, and any worm payload
+    // an OLDER Mneme may have written into this repo's CLAUDE.md/etc is detected.
+    program
+        .command("immune <action>")
+        .description("🧬 IMMUNE — `mneme immune selftest` runs the WORM-CANARY: proves Mneme never injects a self-upgrade/self-propagation directive into AI agent files (CLAUDE.md/AGENTS.md/.cursorrules/.windsurfrules), and scans this repo's files for any worm payload left by an older Mneme.")
+        .option("--json", "machine-readable output", false)
+        .action(async (action, opts) => {
+        if (action !== "selftest") {
+            ui.error(`Unknown immune action "${action}". Try: selftest`);
+            process.exit(2);
+        }
+        const { immuneCommand } = await import("./commands/immune.js");
+        process.exit(await immuneCommand({ cwd: process.cwd(), json: !!opts.json }));
+    });
+    // v2.79.0 — NOTARY. Portable, offline-verifiable proof-of-provenance receipts
+    // (Ed25519). Verify with a public key alone — no Mneme, no network, no secret.
+    // The TRUST FABRIC spine for cross-protocol routing, portable memory, and the
+    // AI flight recorder.
+    program
+        .command("notary <action>")
+        .description("🪪 NOTARY — Ed25519-signed proof receipts anyone verifies OFFLINE with a public key (no Mneme, no network, no shared secret). actions: pubkey | issue | verify <file|->. Mneme's first asymmetric-crypto primitive.")
+        .option("--subject <s>", "what the receipt attests (issue)")
+        .option("--kind <k>", "claim-verdict | protocol-hop | memory-capsule | reasoning-trace | generic", "generic")
+        .option("--payload <json>", "JSON payload to attest (issue)")
+        .option("--hash-only", "privacy: omit the inline payload, attest only its hash (issue)", false)
+        .option("--prev <id>", "previous receiptId to chain onto (issue)")
+        .option("--file <path>", "receipt file to verify (use '-' for stdin)")
+        .option("--json", "machine-readable output", false)
+        .action(async (action, o) => {
+        const { notaryCommand } = await import("./commands/notary.js");
+        process.exit(await notaryCommand({
+            cwd: process.cwd(),
+            action,
+            subject: o.subject,
+            kind: o.kind,
+            payload: o.payload,
+            noPayload: !!o.hashOnly,
+            prev: o.prev,
+            file: o.file,
+            json: !!o.json,
+        }));
+    });
     program
         .command("atlas")
         .description("🗺  ATLAS HELP — six-layer discovery (TASTE · BLOOM · HOT · TAGS · INTENT · FULL). AI agents read 200 bytes here instead of 14 KB from --help.")