mop-agent 0.1.0

package/apps/web/app/team/page.tsx

@@ -0,0 +1,86 @@
+"use client";
+/** Team — your role, members, and (owner) invite management. */
+import { useEffect, useState } from "react";
+
+type Me = { user: { email: string; name: string }; role: string };
+type Member = { id: string; email: string; name: string; role: string };
+type Invite = { email: string; role: string; expiresAt: number; usedAt: number | null };
+
+export default function TeamPage() {
+  const [me, setMe] = useState<Me | null>(null);
+  const [members, setMembers] = useState<Member[]>([]);
+  const [invites, setInvites] = useState<Invite[]>([]);
+  const [email, setEmail] = useState("");
+  const [role, setRole] = useState<"member" | "owner">("member");
+  const [msg, setMsg] = useState("");
+
+  const isOwner = me?.role === "owner";
+
+  function load() {
+    fetch("/api/me").then((r) => r.json()).then(setMe).catch(() => {});
+    fetch("/api/members").then((r) => (r.ok ? r.json() : { members: [] })).then((d) => setMembers(d.members ?? [])).catch(() => {});
+    fetch("/api/invites").then((r) => (r.ok ? r.json() : { invites: [] })).then((d) => setInvites(d.invites ?? [])).catch(() => {});
+  }
+  useEffect(load, []);
+
+  async function invite(e: React.FormEvent) {
+    e.preventDefault();
+    setMsg("…");
+    const r = await fetch("/api/invites", { method: "POST", headers: { "content-type": "application/json" }, body: JSON.stringify({ email, role }) });
+    setMsg(r.ok ? `✅ invited ${email}` : `error ${r.status}`);
+    setEmail("");
+    load();
+  }
+
+  async function revoke(em: string) {
+    await fetch(`/api/invites?email=${encodeURIComponent(em)}`, { method: "DELETE" });
+    load();
+  }
+
+  return (
+    <main style={{ maxWidth: 640, margin: "0 auto", padding: "40px 24px" }}>
+      <a href="/brain" style={{ color: "#7aa2ff" }}>← Brain</a>
+      <h1 style={{ fontSize: 24 }}>👥 Team</h1>
+      <p style={{ opacity: 0.7 }}>You are <strong>{me?.user.email}</strong> · role <strong>{me?.role}</strong></p>
+
+      <h2 style={{ fontSize: 16, marginTop: 20 }}>Members ({members.length})</h2>
+      <ul style={{ listStyle: "none", padding: 0 }}>
+        {members.map((m) => (
+          <li key={m.id} style={row}>{m.role === "owner" ? "👑" : "👤"} {m.email} <span style={{ opacity: 0.5 }}>· {m.role}</span></li>
+        ))}
+        {!isOwner && members.length === 0 && <p style={{ opacity: 0.5 }}>Owner-only view.</p>}
+      </ul>
+
+      {isOwner && (
+        <>
+          <h2 style={{ fontSize: 16, marginTop: 20 }}>Invite a member</h2>
+          <form onSubmit={invite} style={{ display: "flex", gap: 8, flexWrap: "wrap" }}>
+            <input placeholder="email" type="email" required value={email} onChange={(e) => setEmail(e.target.value)} style={inp} />
+            <select value={role} onChange={(e) => setRole(e.target.value as "member" | "owner")} style={inp}>
+              <option value="member">member</option>
+              <option value="owner">owner</option>
+            </select>
+            <button type="submit" style={btn}>Invite</button>
+          </form>
+          {msg && <p style={{ opacity: 0.8 }}>{msg}</p>}
+
+          <h2 style={{ fontSize: 16, marginTop: 20 }}>Pending invites</h2>
+          <ul style={{ listStyle: "none", padding: 0 }}>
+            {invites.filter((i) => !i.usedAt).map((i) => (
+              <li key={i.email} style={row}>
+                ✉️ {i.email} <span style={{ opacity: 0.5 }}>· {i.role}</span>
+                <button onClick={() => revoke(i.email)} style={{ float: "right", ...btn, background: "#7f1a1a", borderColor: "#7f1a1a", padding: "2px 10px" }}>revoke</button>
+              </li>
+            ))}
+            {invites.filter((i) => !i.usedAt).length === 0 && <p style={{ opacity: 0.5 }}>None.</p>}
+          </ul>
+          <p style={{ opacity: 0.55, fontSize: 13 }}>Invited people sign up at <code>/setup</code> with that exact email.</p>
+        </>
+      )}
+    </main>
+  );
+}
+
+const row: React.CSSProperties = { border: "1px solid #1f2a3a", borderRadius: 8, padding: "8px 12px", marginBottom: 6 };
+const inp: React.CSSProperties = { padding: "8px 10px", borderRadius: 8, border: "1px solid #1f2a3a", background: "#111824", color: "#e6edf3" };
+const btn: React.CSSProperties = { padding: "8px 14px", borderRadius: 8, border: "1px solid #2b5cff", background: "#2b5cff", color: "white", cursor: "pointer" };

package/apps/web/bin/mop-agent.mjs

@@ -0,0 +1,85 @@
+#!/usr/bin/env node
+/**
+ * Thin `mop-agent` CLI (Fasa 3.5) — local ops against the same SQLite Brain.
+ * Loads apps/web/.env so it targets the same data dir as the server.
+ *
+ *   mop-agent migrate
+ *   mop-agent status
+ *   mop-agent projects
+ *   mop-agent consolidate
+ *   mop-agent skills
+ *   mop-agent skill-add "<name>" "<description>" "<body>"
+ */
+import { readFileSync, existsSync } from "node:fs";
+import { dirname, join, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const webRoot = resolve(dirname(fileURLToPath(import.meta.url)), "..");
+
+// Minimal .env loader (existing env wins) so the CLI targets the same Brain as the server.
+const envPath = join(webRoot, ".env");
+if (existsSync(envPath)) {
+  for (const line of readFileSync(envPath, "utf8").split("\n")) {
+    const m = line.match(/^\s*([A-Z0-9_]+)\s*=\s*(.*)\s*$/i);
+    if (m && process.env[m[1]] === undefined) process.env[m[1]] = m[2].replace(/^["']|["']$/g, "");
+  }
+}
+
+const [cmd, ...rest] = process.argv.slice(2);
+
+async function main() {
+  switch (cmd) {
+    case "migrate": {
+      const { runAllMigrations } = await import("../lib/db/migrate.js");
+      await runAllMigrations();
+      console.log("✅ migrated");
+      break;
+    }
+    case "status": {
+      const { ownerExists } = await import("../lib/auth.js");
+      const { listProjects } = await import("../lib/link/store.js");
+      const { listSemanticNotes } = await import("../lib/brain/consolidate.js");
+      const { listSkills } = await import("../lib/brain/skills.js");
+      const projects = listProjects();
+      console.log(`owner: ${ownerExists() ? "yes" : "no (run /setup)"}`);
+      console.log(`projects: ${projects.length} (${projects.filter((p) => p.status === "online").length} online)`);
+      console.log(`main-brain patterns: ${listSemanticNotes().length}`);
+      console.log(`skills: ${listSkills().length}`);
+      break;
+    }
+    case "projects": {
+      const { listProjects } = await import("../lib/link/store.js");
+      for (const p of listProjects()) console.log(`${p.status === "online" ? "🟢" : "⚪"} ${p.id} (${p.name})`);
+      break;
+    }
+    case "consolidate": {
+      const { consolidate } = await import("../lib/brain/consolidate.js");
+      const r = await consolidate();
+      console.log(`scanned ${r.scanned} → ${r.notesCreated} pattern(s)`);
+      for (const n of r.notes) console.log(`  • ${n.title} (${n.confidence}%)`);
+      break;
+    }
+    case "skills": {
+      const { listSkills } = await import("../lib/brain/skills.js");
+      for (const s of listSkills()) console.log(`🛠 ${s.name} — ${s.description}`);
+      break;
+    }
+    case "skill-add": {
+      const [name, description = "", body = ""] = rest;
+      if (!name) return fail("usage: mop-agent skill-add \"<name>\" \"<description>\" \"<body>\"");
+      const { addSkill } = await import("../lib/brain/skills.js");
+      const id = await addSkill({ name, description, body: body || description || name });
+      console.log(`added ${id}`);
+      break;
+    }
+    default:
+      console.log("commands: migrate | status | projects | consolidate | skills | skill-add");
+  }
+}
+
+function fail(msg) {
+  console.error(msg);
+  process.exit(1);
+}
+
+main().catch((e) => fail(e instanceof Error ? e.message : String(e)));

package/apps/web/lib/auth-client.ts

@@ -0,0 +1,5 @@
+"use client";
+import { createAuthClient } from "better-auth/react";
+
+export const authClient = createAuthClient();
+export const { signIn, signUp, signOut, useSession } = authClient;

package/apps/web/lib/auth.ts

@@ -0,0 +1,86 @@
+/**
+ * Better Auth — owner account + sessions + team (Fasa 7).
+ *
+ * Uses the SAME better-sqlite3 connection as Drizzle (its Kysely adapter detects
+ * the instance). First user to register becomes the owner; further signups are
+ * invite-gated (email-scoped). Roles live in app_role.
+ */
+import { betterAuth } from "better-auth";
+import { APIError } from "better-auth/api";
+import { getSqlite } from "./db/client";
+
+function userCount(): number {
+  try {
+    const row = getSqlite().prepare("SELECT count(*) AS c FROM user").get() as { c: number };
+    return row.c;
+  } catch {
+    return 0; // table not migrated yet
+  }
+}
+
+function validInviteFor(email: string): { role: string } | undefined {
+  try {
+    return getSqlite()
+      .prepare("SELECT role FROM invite WHERE email = ? AND used_at IS NULL AND expires_at > ?")
+      .get(email, Date.now()) as { role: string } | undefined;
+  } catch {
+    return undefined;
+  }
+}
+
+export function getRole(userId: string): "owner" | "member" | undefined {
+  try {
+    const row = getSqlite().prepare("SELECT role FROM app_role WHERE user_id = ?").get(userId) as { role: string } | undefined;
+    return row?.role as "owner" | "member" | undefined;
+  } catch {
+    return undefined;
+  }
+}
+
+export const auth = betterAuth({
+  database: getSqlite(),
+  secret: process.env.BETTER_AUTH_SECRET ?? "dev-insecure-secret-change-me",
+  baseURL: process.env.BETTER_AUTH_URL ?? "http://localhost:3000",
+  emailAndPassword: {
+    enabled: true,
+    requireEmailVerification: false,
+  },
+  session: {
+    expiresIn: 60 * 60 * 24 * 30, // 30 days
+    updateAge: 60 * 60 * 24, // refresh daily
+  },
+  databaseHooks: {
+    user: {
+      create: {
+        before: async (user) => {
+          // First user = owner. Otherwise an email-scoped invite is required.
+          if (userCount() === 0) return { data: user };
+          if (!validInviteFor(user.email)) {
+            throw new APIError("FORBIDDEN", {
+              message: "Signup requires an invite for this email.",
+            });
+          }
+          return { data: user };
+        },
+        after: async (user) => {
+          const sqlite = getSqlite();
+          let role = "member";
+          if (userCount() === 1) {
+            role = "owner"; // the bootstrap user
+          } else {
+            const inv = validInviteFor(user.email);
+            if (inv) {
+              role = inv.role;
+              sqlite.prepare("UPDATE invite SET used_at = ? WHERE email = ?").run(Date.now(), user.email);
+            }
+          }
+          sqlite.prepare("INSERT OR REPLACE INTO app_role(user_id, role) VALUES(?, ?)").run(user.id, role);
+        },
+      },
+    },
+  },
+});
+
+export function ownerExists(): boolean {
+  return userCount() > 0;
+}

package/apps/web/lib/authz.ts

@@ -0,0 +1,23 @@
+/** Role-based authorization helper (Fasa 7). */
+import { auth, getRole } from "./auth";
+
+export type Role = "owner" | "member";
+
+export type AuthzResult =
+  | { ok: true; userId: string; role: Role }
+  | { ok: false; response: Response };
+
+export async function requireRole(req: Request, roles: Role[]): Promise<AuthzResult> {
+  const session = await auth.api.getSession({ headers: req.headers });
+  if (!session) return { ok: false, response: Response.json({ error: "unauthorized" }, { status: 401 }) };
+  const role = (getRole(session.user.id) ?? "member") as Role;
+  if (!roles.includes(role)) {
+    return { ok: false, response: Response.json({ error: "forbidden", needed: roles, have: role }, { status: 403 }) };
+  }
+  return { ok: true, userId: session.user.id, role };
+}
+
+/** Any authenticated member. */
+export async function requireAuth(req: Request): Promise<AuthzResult> {
+  return requireRole(req, ["owner", "member"]);
+}

package/apps/web/lib/brain/answer.ts

@@ -0,0 +1,27 @@
+/**
+ * Non-streaming grounded answer (recall + provider) — used by channels and any
+ * non-SSE caller. /api/chat keeps its own streaming variant.
+ */
+import { recall } from "./broker";
+import { resolveProvider } from "../providers";
+
+export async function groundedAnswerText(
+  projectId: string,
+  message: string,
+  opts?: { allowCrossProject?: boolean },
+): Promise<{ text: string; provider: string; contextCount: number }> {
+  const pack = await recall({ query: message, projectId, allowCrossProject: opts?.allowCrossProject });
+  const provider = resolveProvider();
+  const system = [
+    "You are the MOP-AGENT brain. Answer using the project context below when relevant.",
+    "If the context is empty, say so plainly.",
+    "",
+    pack.toPromptString(),
+  ].join("\n");
+
+  let text = "";
+  for await (const delta of provider.chat({ system, messages: [{ role: "user", content: message }] })) {
+    text += delta;
+  }
+  return { text, provider: provider.id, contextCount: pack.episodic.length + pack.semantic.length };
+}

package/apps/web/lib/brain/approvals.ts

@@ -0,0 +1,81 @@
+/**
+ * Approval queue for AGENT → FLOW write actions (Fasa 4).
+ *
+ * Security model: writes (append_memory / write_artifact / workflow_next / shell …)
+ * never auto-execute. They land here as pending, the owner approves, then we send
+ * them down the live link. FLOW re-checks capability + session regardless (the
+ * approval flag is never trusted FLOW-side — defense in depth).
+ *
+ * In-memory + globalThis (pending actions are transient; survive Next bundle split).
+ */
+import { randomUUID } from "node:crypto";
+import { isReadTool, type McpToolName } from "@mop/link-protocol";
+import { callFlow, isOnline } from "../ws/gateway";
+
+export type ActionStatus = "pending" | "denied" | "executed" | "failed";
+
+export type Action = {
+  id: string;
+  projectId: string;
+  tool: McpToolName;
+  args: Record<string, unknown>;
+  summary: string;
+  status: ActionStatus;
+  createdAt: number;
+  result?: unknown;
+  error?: string;
+};
+
+const g = globalThis as unknown as { __mopActions?: Map<string, Action> };
+const actions = (g.__mopActions ??= new Map<string, Action>());
+
+export function requestAction(input: {
+  projectId: string;
+  tool: McpToolName;
+  args: Record<string, unknown>;
+  summary?: string;
+}): Action {
+  const action: Action = {
+    id: `act-${randomUUID().slice(0, 8)}`,
+    projectId: input.projectId,
+    tool: input.tool,
+    args: input.args,
+    summary: input.summary ?? `${input.tool} on ${input.projectId}`,
+    status: "pending",
+    createdAt: Date.now(),
+  };
+  actions.set(action.id, action);
+  return action;
+}
+
+export function listActions(): Action[] {
+  return [...actions.values()].sort((a, b) => b.createdAt - a.createdAt);
+}
+
+export function denyAction(id: string): Action | undefined {
+  const a = actions.get(id);
+  if (a && a.status === "pending") a.status = "denied";
+  return a;
+}
+
+/** Approve → execute over the live link. FLOW enforces capability + session. */
+export async function approveAction(id: string): Promise<Action | undefined> {
+  const a = actions.get(id);
+  if (!a || a.status !== "pending") return a;
+
+  // Read tools never needed approval, but allow execution anyway.
+  if (!isReadTool(a.tool) && !isOnline(a.projectId)) {
+    a.status = "failed";
+    a.error = "project_offline";
+    return a;
+  }
+
+  try {
+    a.result = await callFlow(a.projectId, a.tool, a.args);
+    a.status = "executed";
+  } catch (e) {
+    a.status = "failed";
+    a.error = e instanceof Error ? e.message : String(e);
+  }
+  return a;
+}

package/apps/web/lib/brain/broker.ts

@@ -0,0 +1,98 @@
+/**
+ * Memory broker — federated recall with the judgment layer (PRD §2.3–2.4).
+ *
+ * Episodic memory is private to its project by default. Main Brain semantic notes
+ * are always shareable. Cross-project episodic recall requires allowCrossProject
+ * (TODO: gate on an explicit project link once links are modelled).
+ */
+import { inArray } from "drizzle-orm";
+import { getDb } from "../db/client";
+import { memoryEntry, semanticNote, skill } from "../db/schema";
+import { semanticSearch } from "../memory/embed";
+
+export type RecalledMemory = {
+  id: string;
+  projectId: string;
+  kind: string;
+  summary: string;
+  body: string | null;
+  at: number;
+};
+
+export class ContextPack {
+  constructor(
+    readonly episodic: RecalledMemory[],
+    readonly semantic: Array<{ id: string; title: string; body: string }>,
+    readonly procedural: Array<{ id: string; name: string; description: string }> = [],
+  ) {}
+
+  get isEmpty(): boolean {
+    return this.episodic.length === 0 && this.semantic.length === 0 && this.procedural.length === 0;
+  }
+
+  toPromptString(): string {
+    const lines: string[] = [];
+    if (this.procedural.length) {
+      lines.push("Reusable skills (procedural memory):");
+      for (const s of this.procedural) lines.push(`- ${s.name}: ${s.description}`);
+    }
+    if (this.semantic.length) {
+      lines.push("Cross-project knowledge (Main Brain):");
+      for (const s of this.semantic) lines.push(`- ${s.title}: ${s.body}`);
+    }
+    if (this.episodic.length) {
+      lines.push("Relevant project memory:");
+      for (const m of this.episodic) {
+        lines.push(`- [${m.kind}] ${m.summary}${m.body ? ` — ${m.body}` : ""}`);
+      }
+    }
+    return lines.join("\n");
+  }
+}
+
+export type RecallOptions = {
+  query: string;
+  projectId: string;
+  allowCrossProject?: boolean;
+  k?: number;
+};
+
+export async function recall(opts: RecallOptions): Promise<ContextPack> {
+  const db = getDb();
+  const hits = await semanticSearch(opts.query, opts.k ?? 16);
+
+  const episodicIds = hits.filter((h) => h.refType === "episodic").map((h) => h.refId);
+  const semanticIds = hits.filter((h) => h.refType === "semantic").map((h) => h.refId);
+  const skillIds = hits.filter((h) => h.refType === "skill").map((h) => h.refId);
+
+  // Episodic: load, then apply the judgment layer.
+  const episodicRows = episodicIds.length
+    ? db.select().from(memoryEntry).where(inArray(memoryEntry.id, episodicIds)).all()
+    : [];
+  const order = new Map(hits.map((h, i) => [h.refId, i]));
+  const episodic: RecalledMemory[] = episodicRows
+    .filter((m) => m.projectId === opts.projectId || opts.allowCrossProject === true)
+    .sort((a, b) => (order.get(a.id) ?? 0) - (order.get(b.id) ?? 0))
+    .map((m) => ({
+      id: m.id,
+      projectId: m.projectId,
+      kind: m.kind,
+      summary: m.summary,
+      body: m.body,
+      at: m.at,
+    }));
+
+  // Semantic (Main Brain): always allowed.
+  const semanticRows = semanticIds.length
+    ? db.select().from(semanticNote).where(inArray(semanticNote.id, semanticIds)).all()
+    : [];
+  const semantic = semanticRows.map((s) => ({ id: s.id, title: s.title, body: s.body }));
+
+  // Procedural (skills): always allowed (shared layer).
+  const skillRows = skillIds.length
+    ? db.select().from(skill).where(inArray(skill.id, skillIds)).all()
+    : [];
+  const procedural = skillRows.map((s) => ({ id: s.id, name: s.name, description: s.description }));
+
+  return new ContextPack(episodic, semantic, procedural);
+}

package/apps/web/lib/brain/consolidate.ts

@@ -0,0 +1,133 @@
+/**
+ * Consolidation engine (Fasa 4, manual trigger) — episodic → semantic.
+ *
+ * Promotes patterns that RECUR across memories/projects into the Main Brain, the
+ * way human memory consolidates experience into general knowledge (PRD §2.2).
+ * Respects the judgment layer (§2.4): only generalized, anonymized patterns are
+ * promoted — raw project ids never go into the semantic body.
+ *
+ * Pattern extraction is pluggable. The default is deterministic (no LLM) so this
+ * runs offline; pass an LLM-backed extractor for richer synthesis.
+ */
+import { randomUUID } from "node:crypto";
+import { getDb } from "../db/client";
+import { memoryEntry, semanticNote } from "../db/schema";
+import { embedAndIndex } from "../memory/embed";
+
+const STOPWORDS = new Set([
+  "the", "and", "for", "with", "that", "this", "from", "into", "when", "every",
+  "use", "uses", "used", "are", "was", "were", "will", "your", "you", "via",
+  "should", "must", "have", "has", "had", "not", "but", "its", "their", "them",
+]);
+
+export type ClusterMember = { id: string; projectId: string; summary: string; body: string | null };
+
+export type Pattern = { title: string; body: string; confidence: number };
+
+export type PatternExtractor = (members: ClusterMember[], keyword: string) => Promise<Pattern>;
+
+/** Deterministic, offline default: generalize the recurring members. */
+export const deterministicExtractor: PatternExtractor = async (members, keyword) => {
+  const projects = new Set(members.map((m) => m.projectId));
+  const uniqueSummaries = [...new Set(members.map((m) => m.summary.trim()))];
+  const confidence = Math.min(95, 40 + members.length * 10 + projects.size * 10);
+  const body =
+    `Recurring across ${members.length} memories in ${projects.size} project(s). ` +
+    `Common theme: "${keyword}". Examples: ` +
+    uniqueSummaries.slice(0, 4).map((s) => `“${s}”`).join("; ") +
+    ".";
+  return { title: `Pattern: ${keyword}`, body, confidence };
+};
+
+function keywordsOf(text: string): string[] {
+  return [
+    ...new Set(
+      text
+        .toLowerCase()
+        .split(/\W+/)
+        .filter((w) => w.length >= 4 && !STOPWORDS.has(w)),
+    ),
+  ];
+}
+
+export type ConsolidateOptions = {
+  sinceDays?: number;
+  minClusterSize?: number;
+  maxNotes?: number;
+  extractor?: PatternExtractor;
+};
+
+export type ConsolidateResult = {
+  scanned: number;
+  clusters: number;
+  notesCreated: number;
+  notes: Array<{ id: string; title: string; sourceProjects: string[]; confidence: number }>;
+};
+
+export async function consolidate(opts: ConsolidateOptions = {}): Promise<ConsolidateResult> {
+  const db = getDb();
+  const minSize = opts.minClusterSize ?? 2;
+  const maxNotes = opts.maxNotes ?? 5;
+  const extract = opts.extractor ?? deterministicExtractor;
+
+  const since = opts.sinceDays ? Date.now() - opts.sinceDays * 86_400_000 : 0;
+  const rows = db.select().from(memoryEntry).all().filter((r) => r.at >= since);
+
+  // doc-frequency of each keyword + which projects it spans
+  const byKeyword = new Map<string, ClusterMember[]>();
+  for (const r of rows) {
+    const member: ClusterMember = { id: r.id, projectId: r.projectId, summary: r.summary, body: r.body };
+    for (const kw of keywordsOf(`${r.summary} ${r.body ?? ""}`)) {
+      const arr = byKeyword.get(kw) ?? [];
+      arr.push(member);
+      byKeyword.set(kw, arr);
+    }
+  }
+
+  // Rank candidate clusters: prefer cross-project, then size.
+  const candidates = [...byKeyword.entries()]
+    .map(([kw, members]) => {
+      const dedup = [...new Map(members.map((m) => [m.id, m])).values()];
+      const projectSpan = new Set(dedup.map((m) => m.projectId)).size;
+      return { kw, members: dedup, projectSpan };
+    })
+    .filter((c) => c.members.length >= minSize)
+    .sort((a, b) => b.projectSpan - a.projectSpan || b.members.length - a.members.length);
+
+  const usedMemoryIds = new Set<string>();
+  const notes: ConsolidateResult["notes"] = [];
+  let clusters = 0;
+
+  for (const c of candidates) {
+    if (notes.length >= maxNotes) break;
+    // Skip near-duplicate clusters already mostly covered.
+    const fresh = c.members.filter((m) => !usedMemoryIds.has(m.id));
+    if (fresh.length < minSize) continue;
+    clusters += 1;
+
+    const pattern = await extract(c.members, c.kw);
+    const id = `sem-${randomUUID().slice(0, 8)}`;
+    const sourceProjects = [...new Set(c.members.map((m) => m.projectId))];
+
+    db.insert(semanticNote)
+      .values({
+        id,
+        title: pattern.title,
+        body: pattern.body,
+        sourceProjects,
+        confidence: pattern.confidence,
+        createdAt: Date.now(),
+      })
+      .run();
+    await embedAndIndex("semantic", id, `${pattern.title}\n${pattern.body}`);
+
+    for (const m of c.members) usedMemoryIds.add(m.id);
+    notes.push({ id, title: pattern.title, sourceProjects, confidence: pattern.confidence });
+  }
+
+  return { scanned: rows.length, clusters, notesCreated: notes.length, notes };
+}
+
+export function listSemanticNotes(): Array<typeof semanticNote.$inferSelect> {
+  return getDb().select().from(semanticNote).all();
+}