nlm-memory 0.4.1 → 0.5.0

package/src/core/adapters/windsurf.ts

@@ -0,0 +1,386 @@
+/**
+ * WindsurfAdapter — reads Windsurf (Codeium Cascade) sessions.
+ *
+ * ## Storage locations (macOS; Linux uses ~/.config/)
+ *
+ *   Workspace DBs  ~/Library/Application Support/Windsurf/User/workspaceStorage/<hash>/state.vscdb
+ *     Table: ItemTable
+ *     Key:   workbench.panel.aichat.view.aichat.chatdata  — chat tabs
+ *     Bubble role: type 'user' → user, type 'ai' → assistant
+ *
+ *   Global DB  ~/Library/Application Support/Windsurf/User/globalStorage/state.vscdb
+ *     Table: cursorDiskKV (if present) — composerData:*, agentData:*, flowData:*
+ *     Table: ItemTable (fallback)     — keys matching %agent%, %flow%, %cascade%
+ *     Conversation format: type 1/2 (user/assistant) or role: user/assistant
+ *
+ * ## Session ID prefixes
+ *
+ *   ws_  — workspace chat tab (ItemTable chatdata)
+ *   wsg_ — global DB agent/flow session (cursorDiskKV or ItemTable)
+ *
+ * ## pathOrUrl in source registry
+ *   Path to the Windsurf User directory. The adapter discovers:
+ *     <userDir>/workspaceStorage/<hash>/state.vscdb  (workspace)
+ *     <userDir>/globalStorage/state.vscdb             (global)
+ *
+ * Env override: NLM_WINDSURF_USER_DIR
+ */
+
+import { existsSync, readdirSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+import Database from "better-sqlite3";
+import type {
+  DetectionResult,
+  DiscoverOptions,
+  SessionChunk,
+  TranscriptAdapter,
+} from "@ports/transcript-adapter.js";
+import { durationMinutes, normalizeTimestamp, safeSessionId } from "./common.js";
+
+export interface WindsurfAdapterOptions {
+  readonly userDir?: string;
+}
+
+// ── Types ─────────────────────────────────────────────────────────────────────
+
+interface ItemTableRow {
+  readonly key: string;
+  readonly value: string | null;
+}
+
+interface KVRow {
+  readonly key: string;
+  readonly value: string | null;
+}
+
+interface ChatTab {
+  readonly tabId?: string;
+  readonly chatTitle?: string;
+  readonly lastSendTime?: number;
+  readonly bubbles?: ChatBubble[];
+}
+
+interface ChatBubble {
+  readonly type?: "user" | "ai" | string;
+  readonly text?: string;
+  readonly rawText?: string;
+}
+
+interface AgentComposer {
+  readonly composerId?: string;
+  readonly name?: string;
+  readonly createdAt?: unknown;
+  readonly lastUpdatedAt?: unknown;
+  readonly conversation?: AgentBubble[];
+  readonly status?: string;
+}
+
+interface AgentBubble {
+  readonly type?: number | string;
+  readonly role?: string;
+  readonly text?: string;
+}
+
+type Turn = { role: "user" | "assistant"; text: string };
+
+const CHAT_KEY = "workbench.panel.aichat.view.aichat.chatdata";
+
+// ── Path helpers ──────────────────────────────────────────────────────────────
+
+export function defaultUserDir(): string {
+  if (process.env["NLM_WINDSURF_USER_DIR"]) return process.env["NLM_WINDSURF_USER_DIR"];
+  const home = homedir();
+  if (process.platform === "darwin") {
+    return join(home, "Library/Application Support/Windsurf/User");
+  }
+  return join(home, ".config/Windsurf/User");
+}
+
+function workspaceStorageDir(userDir: string): string {
+  return join(userDir, "workspaceStorage");
+}
+
+function globalDbPath(userDir: string): string {
+  return join(userDir, "globalStorage", "state.vscdb");
+}
+
+function listWorkspaceDbs(userDir: string): string[] {
+  const wsDir = workspaceStorageDir(userDir);
+  if (!existsSync(wsDir)) return [];
+  try {
+    return readdirSync(wsDir, { withFileTypes: true })
+      .filter((e) => e.isDirectory())
+      .map((e) => join(wsDir, e.name, "state.vscdb"))
+      .filter((p) => existsSync(p));
+  } catch {
+    return [];
+  }
+}
+
+// ── Turn extraction ───────────────────────────────────────────────────────────
+
+function extractChatTurns(bubbles: ChatBubble[]): Turn[] {
+  const turns: Turn[] = [];
+  for (const b of bubbles) {
+    const text = (b.rawText ?? b.text ?? "").trim();
+    if (!text) continue;
+    turns.push({ role: b.type === "user" ? "user" : "assistant", text });
+  }
+  return turns;
+}
+
+function extractAgentTurns(bubbles: AgentBubble[]): Turn[] {
+  const turns: Turn[] = [];
+  for (const b of bubbles) {
+    const text = (b.text ?? "").trim();
+    if (!text) continue;
+    // Accept numeric type (1/2) or string role
+    const isUser = b.type === 1 || b.role === "user";
+    const isAssistant = b.type === 2 || b.role === "assistant";
+    if (!isUser && !isAssistant) continue;
+    turns.push({ role: isUser ? "user" : "assistant", text });
+  }
+  return turns;
+}
+
+function provisionalLabel(turns: ReadonlyArray<Turn>): string {
+  for (const t of turns) {
+    if (t.role !== "user") continue;
+    const first = t.text.split("\n", 1)[0]?.trim();
+    if (first) return first.slice(0, 80);
+  }
+  return "Untitled session";
+}
+
+function buildChunk(
+  id: string,
+  runtimeSessionId: string,
+  sourcePath: string,
+  turns: Turn[],
+  startedAt: string,
+  endedAt: string,
+  label: string,
+): SessionChunk {
+  const text = turns.map((t) => `${t.role}: ${t.text}`).join("\n\n");
+  return {
+    id,
+    runtime: "windsurf/1.0",
+    runtimeSessionId,
+    sourcePath,
+    startedAt,
+    endedAt,
+    durationMin: durationMinutes(startedAt, endedAt),
+    turnCount: turns.length,
+    byteRange: [0, Buffer.byteLength(text, "utf8")],
+    projectDir: "",
+    gitBranch: "",
+    text,
+    label,
+  };
+}
+
+// ── Workspace chat helpers ────────────────────────────────────────────────────
+
+function parseTabsFromDb(dbPath: string): ChatTab[] {
+  let db: Database.Database | undefined;
+  try {
+    db = new Database(dbPath, { readonly: true });
+    const row = db
+      .prepare<[string], ItemTableRow>(`SELECT key, value FROM ItemTable WHERE key = ?`)
+      .get(CHAT_KEY);
+    if (!row?.value) return [];
+    const data = JSON.parse(row.value) as { tabs?: ChatTab[] };
+    return Array.isArray(data.tabs) ? data.tabs : [];
+  } catch {
+    return [];
+  } finally {
+    db?.close();
+  }
+}
+
+// ── Global DB helpers ─────────────────────────────────────────────────────────
+
+interface GlobalSession {
+  readonly id: string;       // raw composerId/session key
+  readonly meta: AgentComposer;
+  readonly dbPath: string;
+}
+
+function parseGlobalSessions(globalPath: string): GlobalSession[] {
+  if (!existsSync(globalPath)) return [];
+  let db: Database.Database | undefined;
+  const results: GlobalSession[] = [];
+  try {
+    db = new Database(globalPath, { readonly: true });
+    const tables = db
+      .prepare<[], { name: string }>(`SELECT name FROM sqlite_master WHERE type='table'`)
+      .all()
+      .map((r) => r.name);
+
+    if (tables.includes("cursorDiskKV")) {
+      const rows = db
+        .prepare<[], KVRow>(
+          `SELECT key, value FROM cursorDiskKV
+           WHERE key LIKE 'composerData:%' OR key LIKE 'agentData:%' OR key LIKE 'flowData:%'
+           ORDER BY rowid ASC`,
+        )
+        .all();
+      for (const row of rows) {
+        if (!row.value) continue;
+        try {
+          const meta = JSON.parse(row.value) as AgentComposer;
+          const rawId = meta.composerId ?? row.key.split(":").slice(1).join(":");
+          if (rawId) results.push({ id: rawId, meta, dbPath: globalPath });
+        } catch { /* skip */ }
+      }
+    } else if (tables.includes("ItemTable")) {
+      // Fallback: probe for agent/flow/cascade keys
+      const rows = db
+        .prepare<[], ItemTableRow>(
+          `SELECT key, value FROM ItemTable
+           WHERE key LIKE '%agent%' OR key LIKE '%flow%' OR key LIKE '%cascade%'`,
+        )
+        .all();
+      for (const row of rows) {
+        if (!row.value) continue;
+        try {
+          const data = JSON.parse(row.value);
+          if (typeof data !== "object" || !data) continue;
+          // Accept any object with a conversation array
+          const conv = (data as AgentComposer).conversation;
+          if (!Array.isArray(conv) || conv.length === 0) continue;
+          const id = (data as AgentComposer).composerId ?? row.key;
+          results.push({ id, meta: data as AgentComposer, dbPath: globalPath });
+        } catch { /* skip */ }
+      }
+    }
+  } catch { /* inaccessible */ } finally {
+    db?.close();
+  }
+  return results;
+}
+
+// ── Adapter ───────────────────────────────────────────────────────────────────
+
+export class WindsurfAdapter implements TranscriptAdapter {
+  readonly name = "windsurf";
+  readonly runtimeVersion = "windsurf/1.0";
+  readonly transcriptKind = "windsurf-sqlite";
+
+  private readonly userDir: string;
+
+  constructor(opts: WindsurfAdapterOptions = {}) {
+    this.userDir = opts.userDir ?? defaultUserDir();
+  }
+
+  detect(): DetectionResult {
+    if (existsSync(this.userDir)) {
+      return { adapterName: this.name, enabled: true, path: this.userDir, hint: null };
+    }
+    return {
+      adapterName: this.name,
+      enabled: false,
+      path: null,
+      hint: "Windsurf User directory not found — install Windsurf or set NLM_WINDSURF_USER_DIR.",
+    };
+  }
+
+  async discover(options?: DiscoverOptions): Promise<ReadonlyArray<string>> {
+    const seen = new Set<string>();
+    const ids: string[] = [];
+    const add = (id: string) => { if (!seen.has(id)) { seen.add(id); ids.push(id); } };
+    const cutoff = options?.since?.getTime();
+
+    // ── Workspace chat tabs ───────────────────────────────────────────────
+    for (const dbPath of listWorkspaceDbs(this.userDir)) {
+      for (const tab of parseTabsFromDb(dbPath)) {
+        if (!tab.tabId) continue;
+        if (!(tab.bubbles && tab.bubbles.length > 0)) continue;
+        if (cutoff !== undefined) {
+          const ts = tab.lastSendTime;
+          // Only skip when we have a real non-zero timestamp older than the cutoff.
+          // Missing (undefined) or zero timestamps are treated as "unknown age" — include.
+          if (ts !== undefined && ts > 0 && ts < cutoff) continue;
+        }
+        add(`ws_${tab.tabId}`);
+      }
+    }
+
+    // ── Global agent/flow sessions ────────────────────────────────────────
+    for (const gs of parseGlobalSessions(globalDbPath(this.userDir))) {
+      if (cutoff !== undefined) {
+        const ts = gs.meta.lastUpdatedAt ?? gs.meta.createdAt;
+        if (ts !== undefined && ts !== null) {
+          const normalized = normalizeTimestamp(ts);
+          if (normalized && Date.parse(normalized) < cutoff) continue;
+        }
+      }
+      add(`wsg_${gs.id}`);
+    }
+
+    return ids;
+  }
+
+  async parseSession(id: string): Promise<SessionChunk | null> {
+    if (id.startsWith("wsg_")) {
+      return this._parseGlobalSession(id.slice("wsg_".length));
+    }
+    // ws_ prefix or legacy plain tabId
+    const tabId = id.startsWith("ws_") ? id.slice("ws_".length) : id;
+    return this._parseWorkspaceChatTab(tabId);
+  }
+
+  private _parseWorkspaceChatTab(tabId: string): SessionChunk | null {
+    for (const dbPath of listWorkspaceDbs(this.userDir)) {
+      const tabs = parseTabsFromDb(dbPath);
+      const tab = tabs.find((t) => t.tabId === tabId);
+      if (!tab) continue;
+
+      const turns = extractChatTurns(tab.bubbles ?? []);
+      if (turns.length === 0) return null;
+
+      const endedAtMs = tab.lastSendTime ?? 0;
+      const endedAt = endedAtMs > 0 ? new Date(endedAtMs).toISOString() : "";
+      const label = tab.chatTitle?.trim()
+        ? tab.chatTitle.trim().slice(0, 80)
+        : provisionalLabel(turns);
+
+      return buildChunk(
+        safeSessionId("ws", tabId),
+        tabId,
+        `${dbPath}::${tabId}`,
+        turns,
+        endedAt,
+        endedAt,
+        label,
+      );
+    }
+    return null;
+  }
+
+  private _parseGlobalSession(rawId: string): SessionChunk | null {
+    for (const gs of parseGlobalSessions(globalDbPath(this.userDir))) {
+      if (gs.id !== rawId) continue;
+      const turns = extractAgentTurns(gs.meta.conversation ?? []);
+      if (turns.length === 0) return null;
+
+      const startedAt = normalizeTimestamp(gs.meta.createdAt ?? gs.meta.lastUpdatedAt ?? "");
+      const endedAt = normalizeTimestamp(gs.meta.lastUpdatedAt ?? gs.meta.createdAt ?? "");
+      const label = gs.meta.name?.trim()
+        ? gs.meta.name.trim().slice(0, 80)
+        : provisionalLabel(turns);
+
+      return buildChunk(
+        safeSessionId("wsg", rawId),
+        rawId,
+        `${gs.dbPath}::${rawId}`,
+        turns,
+        startedAt,
+        endedAt,
+        label,
+      );
+    }
+    return null;
+  }
+}

package/src/core/hook/claude-settings.ts

@@ -32,11 +32,26 @@ export function shellQuote(arg: string): string {
   return `'${arg.replace(/'/g, "'\\''")}'`;
 }
 
+/**
+ * Double-quote a cmd.exe argument. Embedded double quotes are doubled per
+ * cmd.exe parsing rules. Used for hook commands on Windows where Claude
+ * Code dispatches via cmd.exe /c rather than sh -c.
+ */
+export function cmdQuote(arg: string): string {
+  return `"${arg.replace(/"/g, '""')}"`;
+}
+
 export function buildHookCommand(
   execPath: string,
   hookJs: string,
   mode: "shadow" | "live",
+  targetPlatform: NodeJS.Platform = process.platform,
 ): string {
+  if (targetPlatform === "win32") {
+    // cmd.exe: `set VAR=val && "exec" "script"`. The set is scoped to the
+    // cmd /c invocation so the env var is visible to the chained child.
+    return `set NLM_HOOK_MODE=${mode} && ${cmdQuote(execPath)} ${cmdQuote(hookJs)}`;
+  }
   return `NLM_HOOK_MODE=${mode} ${shellQuote(execPath)} ${shellQuote(hookJs)}`;
 }
 
@@ -47,10 +62,11 @@ export interface SmokeTestResult {
 }
 
 /**
- * Invoke the wired command exactly the way Claude Code does (sh -c with
- * JSON on stdin) and confirm the hook log gained an entry. Catches the
- * class of failures where settings.json looks valid but the hook fails
- * at startup (path tokenization, missing modules, etc.).
+ * Invoke the wired command exactly the way Claude Code does (sh -c on
+ * POSIX, cmd.exe /c on Windows) with JSON on stdin and confirm the hook
+ * log gained an entry. Catches the class of failures where settings.json
+ * looks valid but the hook fails at startup (path tokenization, missing
+ * modules, missing shell, etc.).
  */
 export function smokeTestHookCommand(
   command: string,
@@ -58,11 +74,16 @@ export function smokeTestHookCommand(
   timeoutMs = 5000,
 ): SmokeTestResult {
   const sizeBefore = existsSync(hookLogPath) ? statSync(hookLogPath).size : 0;
-  const result = spawnSync("sh", ["-c", command], {
-    input: JSON.stringify({ prompt: "smoke test", session_id: "install-smoke" }),
-    timeout: timeoutMs,
-    encoding: "utf8",
-  });
+  const isWin = process.platform === "win32";
+  const result = spawnSync(
+    isWin ? "cmd.exe" : "sh",
+    [isWin ? "/c" : "-c", command],
+    {
+      input: JSON.stringify({ prompt: "smoke test", session_id: "install-smoke" }),
+      timeout: timeoutMs,
+      encoding: "utf8",
+    },
+  );
   if (result.error) {
     return { ok: false, reason: `spawn failed: ${result.error.message}` };
   }

package/src/core/sources/source-registry.ts

@@ -19,10 +19,12 @@ import { homedir } from "node:os";
 import { join } from "node:path";
 import type Database from "better-sqlite3";
 import { defaultHistoryFile as defaultAiderHistoryFile } from "../adapters/aider.js";
+import { defaultDbPath as defaultCursorDbPath } from "../adapters/cursor.js";
 import { defaultDbPath as defaultHermesAgentDbPath } from "../adapters/hermes-agent.js";
 import { defaultDbPath as defaultOpenCodeDbPath } from "../adapters/opencode.js";
+import { defaultUserDir as defaultWindsurfUserDir } from "../adapters/windsurf.js";
 
-export type SourceKind = "claude-code" | "hermes" | "hermes-agent" | "aider" | "opencode" | "pi" | "jsonl-generic" | "webhook";
+export type SourceKind = "claude-code" | "hermes" | "hermes-agent" | "aider" | "cursor" | "windsurf" | "opencode" | "pi" | "jsonl-generic" | "webhook";
 
 export interface SourceRow {
   readonly id: number;
@@ -210,6 +212,8 @@ export class SourceRegistry {
     const openCodeDbPath = defaultOpenCodeDbPath();
     const hermesAgentDbPath = defaultHermesAgentDbPath();
     const aiderHistoryFile = defaultAiderHistoryFile();
+    const cursorDbPath = defaultCursorDbPath();
+    const windsurfUserDir = defaultWindsurfUserDir();
 
     const presets: SourceInsert[] = [
       {
@@ -240,6 +244,20 @@ export class SourceRegistry {
         runtimeLabel: "aider/1.0",
         enabled: existsSync(aiderHistoryFile),
       },
+      {
+        kind: "cursor",
+        name: "Cursor",
+        pathOrUrl: cursorDbPath,
+        runtimeLabel: "cursor/1.0",
+        enabled: existsSync(cursorDbPath),
+      },
+      {
+        kind: "windsurf",
+        name: "Windsurf",
+        pathOrUrl: windsurfUserDir,
+        runtimeLabel: "windsurf/1.0",
+        enabled: existsSync(windsurfUserDir),
+      },
       {
         kind: "opencode",
         name: "OpenCode",

package/src/core/storage/sqlite-session-store.ts

@@ -491,8 +491,9 @@ export class SqliteSessionStore implements SessionStore {
     if (!row) return null;
     const entities = this.loadEntities([sessionId]);
     const markers = this.loadMarkers([sessionId]);
+    const edges = this.loadSessionEdges([sessionId]);
     const overlay = loadActionOverlay(this.db);
-    return this.rowToSession(row, entities, markers, overlay);
+    return this.rowToSession(row, entities, markers, overlay, edges);
   }
 
   /**
@@ -650,6 +651,18 @@ export class SqliteSessionStore implements SessionStore {
     session.open.forEach((q, i) => markerStmt.run(session.id, "open", q, i));
   }
 
+  insertEdgeForTest(
+    fromSession: string,
+    toSession: string,
+    kind: "supersedes" | "continues" = "supersedes",
+  ): void {
+    this.db
+      .prepare(
+        "INSERT OR IGNORE INTO session_edges (from_session, to_session, kind) VALUES (?, ?, ?)",
+      )
+      .run(fromSession, toSession, kind);
+  }
+
   insertEmbeddingForTest(sessionId: string, vector: Float32Array): void {
     this.insertChunkEmbeddingForTest(sessionId, 0, vector);
   }
@@ -684,6 +697,33 @@ export class SqliteSessionStore implements SessionStore {
     return out;
   }
 
+  private loadSessionEdges(
+    ids: ReadonlyArray<string>,
+  ): Map<string, { supersededBy: string | null; supersedes: string[] }> {
+    if (ids.length === 0) return new Map();
+    const placeholders = ids.map(() => "?").join(",");
+    const rows = this.db
+      .prepare<string[], { from_session: string; to_session: string }>(`
+        SELECT from_session, to_session
+        FROM session_edges
+        WHERE kind = 'supersedes'
+          AND (from_session IN (${placeholders}) OR to_session IN (${placeholders}))
+      `)
+      .all(...ids, ...ids);
+
+    const out = new Map<string, { supersededBy: string | null; supersedes: string[] }>();
+    for (const id of ids) {
+      out.set(id, { supersededBy: null, supersedes: [] });
+    }
+    for (const r of rows) {
+      const fromEntry = out.get(r.from_session);
+      if (fromEntry) fromEntry.supersedes.push(r.to_session);
+      const toEntry = out.get(r.to_session);
+      if (toEntry) toEntry.supersededBy = r.from_session;
+    }
+    return out;
+  }
+
   private loadMarkers(
     ids: ReadonlyArray<string>,
   ): Map<string, { decisions: string[]; open: string[] }> {
@@ -716,6 +756,7 @@ export class SqliteSessionStore implements SessionStore {
     entitiesById: Map<string, string[]>,
     markersById: Map<string, { decisions: string[]; open: string[] }>,
     overlay: ActionOverlay,
+    edgesById?: Map<string, { supersededBy: string | null; supersedes: string[] }>,
   ): Session {
     const m = markersById.get(row.id);
     const rawDecisions = m?.decisions ?? [];
@@ -732,6 +773,7 @@ export class SqliteSessionStore implements SessionStore {
       }
       activeOpen.push(text);
     }
+    const edges = edgesById?.get(row.id);
     return {
       id: row.id,
       runtime: row.runtime,
@@ -748,6 +790,9 @@ export class SqliteSessionStore implements SessionStore {
       entities: entitiesById.get(row.id) ?? [],
       decisions: [...rawDecisions, ...promotedDecisions],
       open: activeOpen,
+      ...(edges !== undefined
+        ? { supersededBy: edges.supersededBy, supersedes: edges.supersedes }
+        : {}),
     };
   }
 }

package/src/hook/hook-auth.ts

@@ -0,0 +1,18 @@
+/**
+ * Shared helper: Bearer token for hook → /api/* HTTP calls.
+ *
+ * The HTTP daemon's /api/* gate requires either a same-origin browser
+ * request (Origin header set by the browser) or a Bearer token. Hooks
+ * are CLI processes with no Origin, so they need the token.
+ *
+ * Reads NLM_MCP_TOKEN from process.env (assumes autoloadEnv() has been
+ * called first). Returns an empty headers object when no token is set
+ * so legacy installs without a token still work — the daemon's gate
+ * also accepts unauthenticated loopback requests when no token is set.
+ */
+
+export function hookAuthHeaders(extra: Record<string, string> = {}): Record<string, string> {
+  const token = process.env["NLM_MCP_TOKEN"];
+  if (!token) return { ...extra };
+  return { ...extra, authorization: `Bearer ${token}` };
+}

package/src/hook/prompt-recall-hook.ts

@@ -16,6 +16,8 @@ import { appendHookLog } from "@core/hook/hook-log.js";
 import { loadSurfaced, recordSurfaced } from "@core/hook/memo.js";
 import { formatPointerBlock } from "@core/hook/pointer-block.js";
 import { selectHits, type RecallHitInput } from "@core/hook/select.js";
+import { autoloadEnv } from "../llm/env-autoload.js";
+import { hookAuthHeaders } from "./hook-auth.js";
 
 // Keyword recall returns raw BM25 scores (unbounded, not the 0..1 hybrid
 // scale). FTS5 MATCH already gates relevance — only lexically-matching
@@ -116,7 +118,7 @@ async function recallOverHttp(prompt: string): Promise<ReadonlyArray<RecallHitIn
   const timer = setTimeout(() => controller.abort(), RECALL_TIMEOUT_MS);
   try {
     const res = await fetch(url, {
-      headers: { "x-recall-source": "hook" },
+      headers: hookAuthHeaders({ "x-recall-source": "hook" }),
       signal: controller.signal,
     });
     if (!res.ok) return [];
@@ -147,6 +149,10 @@ async function recallOverHttp(prompt: string): Promise<ReadonlyArray<RecallHitIn
 
 async function main(): Promise<void> {
   try {
+    // Load ~/.nlm/.env so NLM_MCP_TOKEN is available before we hit /api/recall.
+    // Hooks run as short-lived processes spawned by Claude Code with no shell
+    // env beyond what the parent passed — explicit .env load is required.
+    autoloadEnv();
     const raw = await readStdin();
     const payload = JSON.parse(raw) as {
       prompt?: unknown;

package/src/hook/session-start-hook.ts

@@ -17,6 +17,8 @@ import { appendHookLog } from "@core/hook/hook-log.js";
 import { loadSurfaced, recordSurfaced } from "@core/hook/memo.js";
 import { formatPointerBlock } from "@core/hook/pointer-block.js";
 import { selectHits, type RecallHitInput } from "@core/hook/select.js";
+import { autoloadEnv } from "../llm/env-autoload.js";
+import { hookAuthHeaders } from "./hook-auth.js";
 
 const SCORE_THRESHOLD = 0;
 const PER_FIRE_CAP = 3;
@@ -103,7 +105,7 @@ async function recallOverHttp(query: string): Promise<ReadonlyArray<RecallHitInp
   const timer = setTimeout(() => controller.abort(), RECALL_TIMEOUT_MS);
   try {
     const res = await fetch(url, {
-      headers: { "x-recall-source": "session-start-hook" },
+      headers: hookAuthHeaders({ "x-recall-source": "session-start-hook" }),
       signal: controller.signal,
     });
     if (!res.ok) return [];
@@ -134,6 +136,7 @@ async function recallOverHttp(query: string): Promise<ReadonlyArray<RecallHitInp
 
 async function main(): Promise<void> {
   try {
+    autoloadEnv();
     const raw = await readStdin();
     const payload = JSON.parse(raw) as {
       session_id?: unknown;

package/src/hook/stop-hook.ts

@@ -30,6 +30,8 @@ import {
   readAllAssistantTurns,
   type ToolUseBlock,
 } from "@core/hook/transcript.js";
+import { autoloadEnv } from "../llm/env-autoload.js";
+import { hookAuthHeaders } from "./hook-auth.js";
 
 const RESPONSE_PREVIEW_CHARS = 200;
 const POST_TIMEOUT_MS = 1500;
@@ -193,7 +195,7 @@ async function postCitationOverHttp(
   try {
     await fetch(url, {
       method: "POST",
-      headers: { "content-type": "application/json" },
+      headers: hookAuthHeaders({ "content-type": "application/json" }),
       body: JSON.stringify({
         conversation_id: conversationId,
         cited_id: citedId,
@@ -209,6 +211,7 @@ async function postCitationOverHttp(
 
 async function main(): Promise<void> {
   try {
+    autoloadEnv();
     const raw = await readStdin();
     const payload = JSON.parse(raw) as {
       session_id?: unknown;