sandstream-kit 1.0.0 → 1.1.0

package/dist/memory/parser.js

@@ -0,0 +1,164 @@
+/**
+ * kit memory — Claude Code transcript parser.
+ *
+ * Reads raw session transcripts from ~/.claude/projects/<project>/<session>.jsonl
+ * and indexes them into the memory store. RAW + idempotent: one row per message
+ * (deduped by uuid), no summarisation. Re-running is safe — already-seen messages
+ * are ignored. Field mapping mirrors the Claude Code transcript format (also used
+ * by cloudctx, MIT). Other harnesses (Codex/Cursor) get their own parser later;
+ * sessions carry a `harness` tag so the store stays multi-harness.
+ */
+import { readFileSync, readdirSync, existsSync, statSync } from "node:fs";
+import { homedir } from "node:os";
+import { join, basename } from "node:path";
+import { insertMessage, insertToolUse, upsertSession } from "./db.js";
+export function getClaudeProjectsDir() {
+    const base = process.env.KIT_CLAUDE_DIR ?? join(homedir(), ".claude");
+    return join(base, "projects");
+}
+/** Flatten transcript content (string or block array) into searchable plain text. */
+export function extractText(content) {
+    if (typeof content === "string")
+        return content;
+    if (Array.isArray(content)) {
+        return content
+            .map((b) => {
+            if (b?.type === "text")
+                return b.text ?? "";
+            if (b?.type === "tool_use")
+                return `[Tool: ${b.name ?? "unknown"}]`;
+            if (b?.type === "tool_result")
+                return "[Tool Result]";
+            return "";
+        })
+            .filter(Boolean)
+            .join("\n");
+    }
+    return "";
+}
+/** Extract tool_use blocks from a message's content. */
+export function extractToolUses(content) {
+    if (!Array.isArray(content))
+        return [];
+    const out = [];
+    for (const b of content) {
+        if (b?.type === "tool_use") {
+            out.push({
+                name: b.name ?? "unknown",
+                input: b.input === undefined ? "" : JSON.stringify(b.input),
+            });
+        }
+    }
+    return out;
+}
+function indexFile(db, filepath, project) {
+    const sessionId = basename(filepath, ".jsonl");
+    let raw;
+    try {
+        raw = readFileSync(filepath, "utf8");
+    }
+    catch {
+        return { messages: 0, toolUses: 0 };
+    }
+    // Ensure the session row exists before inserting messages so per-message
+    // counters resolve against a real row.
+    upsertSession(db, { sessionId, harness: "claude-code", project });
+    let messages = 0;
+    let toolUses = 0;
+    let firstTs;
+    let lastTs;
+    let isSidechain = false;
+    for (const line of raw.split("\n")) {
+        const trimmed = line.trim();
+        if (!trimmed)
+            continue;
+        let rec;
+        try {
+            rec = JSON.parse(trimmed);
+        }
+        catch {
+            continue; // skip malformed lines, keep indexing the rest
+        }
+        if (rec.type !== "user" && rec.type !== "assistant")
+            continue;
+        if (!rec.uuid)
+            continue;
+        if (rec.isSidechain)
+            isSidechain = true;
+        const msg = rec.message;
+        const ts = rec.timestamp;
+        if (ts) {
+            if (!firstTs)
+                firstTs = ts;
+            lastTs = ts;
+        }
+        const added = insertMessage(db, {
+            uuid: rec.uuid,
+            sessionId: rec.sessionId ?? sessionId,
+            parentUuid: rec.parentUuid,
+            type: rec.type,
+            role: msg?.role,
+            content: extractText(msg?.content),
+            model: msg?.model,
+            inputTokens: msg?.usage?.input_tokens,
+            outputTokens: msg?.usage?.output_tokens,
+            timestamp: ts,
+            cwd: rec.cwd,
+            gitBranch: rec.gitBranch,
+            version: rec.version,
+        });
+        if (added) {
+            messages++;
+            for (const tool of extractToolUses(msg?.content)) {
+                insertToolUse(db, {
+                    messageUuid: rec.uuid,
+                    sessionId: rec.sessionId ?? sessionId,
+                    toolName: tool.name,
+                    toolInput: tool.input,
+                    timestamp: ts,
+                });
+                toolUses++;
+            }
+        }
+    }
+    // Final upsert records the session's time bounds + sidechain flag.
+    upsertSession(db, {
+        sessionId,
+        harness: "claude-code",
+        project,
+        firstMessageAt: firstTs,
+        lastMessageAt: lastTs,
+        isAgentSidechain: isSidechain,
+    });
+    return { messages, toolUses };
+}
+/** Walk ~/.claude/projects and index every transcript. Idempotent. */
+export function indexClaudeTranscripts(db) {
+    const projectsDir = getClaudeProjectsDir();
+    const result = { files: 0, sessions: 0, messages: 0, toolUses: 0 };
+    if (!existsSync(projectsDir))
+        return result;
+    for (const projectName of readdirSync(projectsDir).sort()) {
+        const projectPath = join(projectsDir, projectName);
+        let isDir = false;
+        try {
+            isDir = statSync(projectPath).isDirectory();
+        }
+        catch {
+            continue;
+        }
+        if (!isDir)
+            continue;
+        for (const entry of readdirSync(projectPath).sort()) {
+            if (!entry.endsWith(".jsonl"))
+                continue;
+            const counts = indexFile(db, join(projectPath, entry), projectName);
+            result.files++;
+            result.sessions++;
+            result.messages += counts.messages;
+            result.toolUses += counts.toolUses;
+        }
+    }
+    return result;
+}
+//# sourceMappingURL=parser.js.map

package/dist/memory/parser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"parser.js","sourceRoot":"","sources":["../../src/memory/parser.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC1E,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAE3C,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAStE,MAAM,UAAU,oBAAoB;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;IACtE,OAAO,IAAI,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;AAChC,CAAC;AAUD,qFAAqF;AACrF,MAAM,UAAU,WAAW,CAAC,OAAgB;IAC1C,IAAI,OAAO,OAAO,KAAK,QAAQ;QAAE,OAAO,OAAO,CAAC;IAChD,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3B,OAAO,OAAO;aACX,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;YACT,IAAI,CAAC,EAAE,IAAI,KAAK,MAAM;gBAAE,OAAO,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;YAC5C,IAAI,CAAC,EAAE,IAAI,KAAK,UAAU;gBAAE,OAAO,UAAU,CAAC,CAAC,IAAI,IAAI,SAAS,GAAG,CAAC;YACpE,IAAI,CAAC,EAAE,IAAI,KAAK,aAAa;gBAAE,OAAO,eAAe,CAAC;YACtD,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC;aACD,MAAM,CAAC,OAAO,CAAC;aACf,IAAI,CAAC,IAAI,CAAC,CAAC;IAChB,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,wDAAwD;AACxD,MAAM,UAAU,eAAe,CAAC,OAAgB;IAC9C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;QAAE,OAAO,EAAE,CAAC;IACvC,MAAM,GAAG,GAAsC,EAAE,CAAC;IAClD,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,EAAE,IAAI,KAAK,UAAU,EAAE,CAAC;YAC3B,GAAG,CAAC,IAAI,CAAC;gBACP,IAAI,EAAE,CAAC,CAAC,IAAI,IAAI,SAAS;gBACzB,KAAK,EAAE,CAAC,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC;aAC5D,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAoBD,SAAS,SAAS,CAChB,EAAgB,EAChB,QAAgB,EAChB,OAAe;IAEf,MAAM,SAAS,GAAG,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC/C,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;IACtC,CAAC;IAED,yEAAyE;IACzE,uCAAuC;IACvC,aAAa,CAAC,EAAE,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,CAAC,CAAC;IAElE,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,IAAI,OAA2B,CAAC;IAChC,IAAI,MAA0B,CAAC;IAC/B,IAAI,WAAW,GAAG,KAAK,CAAC;IAExB,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACnC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,IAAI,GAAqB,CAAC;QAC1B,IAAI,CAAC;YACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAqB,CAAC;QAChD,CAAC;QAAC,MAAM,CAAC;YACP,SAAS,CAAC,+CAA+C;QAC3D,CAAC;QACD,IAAI,GAAG,CAAC,IAAI,KAAK,MAAM,IAAI,GAAG,CAAC,IAAI,KAAK,WAAW;YAAE,SAAS;QAC9D,IAAI,CAAC,GAAG,CAAC,IAAI;YAAE,SAAS;QACxB,IAAI,GAAG,CAAC,WAAW;YAAE,WAAW,GAAG,IAAI,CAAC;QAExC,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC;QACxB,MAAM,EAAE,GAAG,GAAG,CAAC,SAAS,CAAC;QACzB,IAAI,EAAE,EAAE,CAAC;YACP,IAAI,CAAC,OAAO;gBAAE,OAAO,GAAG,EAAE,CAAC;YAC3B,MAAM,GAAG,EAAE,CAAC;QACd,CAAC;QAED,MAAM,KAAK,GAAG,aAAa,CAAC,EAAE,EAAE;YAC9B,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,SAAS,EAAE,GAAG,CAAC,SAAS,IAAI,SAAS;YACrC,UAAU,EAAE,GAAG,CAAC,UAAU;YAC1B,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI,EAAE,GAAG,EAAE,IAAI;YACf,OAAO,EAAE,WAAW,CAAC,GAAG,EAAE,OAAO,CAAC;YAClC,KAAK,EAAE,GAAG,EAAE,KAAK;YACjB,WAAW,EAAE,GAAG,EAAE,KAAK,EAAE,YAAY;YACrC,YAAY,EAAE,GAAG,EAAE,KAAK,EAAE,aAAa;YACvC,SAAS,EAAE,EAAE;YACb,GAAG,EAAE,GAAG,CAAC,GAAG;YACZ,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,OAAO,EAAE,GAAG,CAAC,OAAO;SACrB,CAAC,CAAC;QAEH,IAAI,KAAK,EAAE,CAAC;YACV,QAAQ,EAAE,CAAC;YACX,KAAK,MAAM,IAAI,IAAI,eAAe,CAAC,GAAG,EAAE,OAAO,CAAC,EAAE,CAAC;gBACjD,aAAa,CAAC,EAAE,EAAE;oBAChB,WAAW,EAAE,GAAG,CAAC,IAAI;oBACrB,SAAS,EAAE,GAAG,CAAC,SAAS,IAAI,SAAS;oBACrC,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,SAAS,EAAE,IAAI,CAAC,KAAK;oBACrB,SAAS,EAAE,EAAE;iBACd,CAAC,CAAC;gBACH,QAAQ,EAAE,CAAC;YACb,CAAC;QACH,CAAC;IACH,CAAC;IAED,mEAAmE;IACnE,aAAa,CAAC,EAAE,EAAE;QAChB,SAAS;QACT,OAAO,EAAE,aAAa;QACtB,OAAO;QACP,cAAc,EAAE,OAAO;QACvB,aAAa,EAAE,MAAM;QACrB,gBAAgB,EAAE,WAAW;KAC9B,CAAC,CAAC;IAEH,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;AAChC,CAAC;AAED,sEAAsE;AACtE,MAAM,UAAU,sBAAsB,CAAC,EAAgB;IACrD,MAAM,WAAW,GAAG,oBAAoB,EAAE,CAAC;IAC3C,MAAM,MAAM,GAAgB,EAAE,KAAK,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;IAChF,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC;QAAE,OAAO,MAAM,CAAC;IAE5C,KAAK,MAAM,WAAW,IAAI,WAAW,CAAC,WAAW,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;QAC1D,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;QACnD,IAAI,KAAK,GAAG,KAAK,CAAC;QAClB,IAAI,CAAC;YACH,KAAK,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC,WAAW,EAAE,CAAC;QAC9C,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,IAAI,CAAC,KAAK;YAAE,SAAS;QAErB,KAAK,MAAM,KAAK,IAAI,WAAW,CAAC,WAAW,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;YACpD,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBAAE,SAAS;YACxC,MAAM,MAAM,GAAG,SAAS,CAAC,EAAE,EAAE,IAAI,CAAC,WAAW,EAAE,KAAK,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,CAAC,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,QAAQ,EAAE,CAAC;YAClB,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC;YACnC,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC;QACrC,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/memory/project 2.d.ts

@@ -0,0 +1 @@
+export declare function getCurrentProjectRoot(cwd?: string): string;

package/dist/memory/project 2.js

@@ -0,0 +1,24 @@
+/**
+ * kit memory — current-project resolution.
+ *
+ * Memory search defaults to the current project (relevance + blast-radius
+ * containment); the repo root is the project boundary. Falls back to cwd when not
+ * inside a git repo. Pure read — no model calls, no writes.
+ */
+import { execFileSync } from "node:child_process";
+export function getCurrentProjectRoot(cwd = process.cwd()) {
+    try {
+        const root = execFileSync("git", ["rev-parse", "--show-toplevel"], {
+            cwd,
+            encoding: "utf8",
+            stdio: ["ignore", "pipe", "ignore"],
+        }).trim();
+        if (root)
+            return root;
+    }
+    catch {
+        // not a git repo (or git unavailable) — fall back to cwd
+    }
+    return cwd;
+}
+//# sourceMappingURL=project%202.js.map

package/dist/memory/project 2.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"project 2.js","sourceRoot":"","sources":["../../src/memory/project 2.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,UAAU,qBAAqB,CAAC,MAAc,OAAO,CAAC,GAAG,EAAE;IAC/D,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,YAAY,CAAC,KAAK,EAAE,CAAC,WAAW,EAAE,iBAAiB,CAAC,EAAE;YACjE,GAAG;YACH,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;SACpC,CAAC,CAAC,IAAI,EAAE,CAAC;QACV,IAAI,IAAI;YAAE,OAAO,IAAI,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,yDAAyD;IAC3D,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/memory/project.d.ts

@@ -0,0 +1 @@
+export declare function getCurrentProjectRoot(cwd?: string): string;

package/dist/memory/project.js

@@ -0,0 +1,24 @@
+/**
+ * kit memory — current-project resolution.
+ *
+ * Memory search defaults to the current project (relevance + blast-radius
+ * containment); the repo root is the project boundary. Falls back to cwd when not
+ * inside a git repo. Pure read — no model calls, no writes.
+ */
+import { execFileSync } from "node:child_process";
+export function getCurrentProjectRoot(cwd = process.cwd()) {
+    try {
+        const root = execFileSync("git", ["rev-parse", "--show-toplevel"], {
+            cwd,
+            encoding: "utf8",
+            stdio: ["ignore", "pipe", "ignore"],
+        }).trim();
+        if (root)
+            return root;
+    }
+    catch {
+        // not a git repo (or git unavailable) — fall back to cwd
+    }
+    return cwd;
+}
+//# sourceMappingURL=project.js.map

package/dist/memory/project.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"project.js","sourceRoot":"","sources":["../../src/memory/project.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,UAAU,qBAAqB,CAAC,MAAc,OAAO,CAAC,GAAG,EAAE;IAC/D,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,YAAY,CAAC,KAAK,EAAE,CAAC,WAAW,EAAE,iBAAiB,CAAC,EAAE;YACjE,GAAG;YACH,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;SACpC,CAAC,CAAC,IAAI,EAAE,CAAC;QACV,IAAI,IAAI;YAAE,OAAO,IAAI,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,yDAAyD;IAC3D,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/memory/scan 2.d.ts

@@ -0,0 +1,15 @@
+import type { DatabaseSync } from "node:sqlite";
+export type ScanConfidence = "high" | "heuristic";
+export interface ScanFinding {
+    label: string;
+    preview: string;
+    confidence: ScanConfidence;
+    /** How many cells matched this (label, preview). */
+    count: number;
+    /** One example location, e.g. "messages#23839.content". */
+    sample: string;
+    /** Distinct project hints (which repo the secret leaked in), e.g. ["acme-app"]. */
+    projects: string[];
+}
+/** Scan every text cell for stored secrets. Deduped, confidence-tiered, project-attributed. */
+export declare function scanDbForSecrets(db: DatabaseSync): ScanFinding[];

package/dist/memory/scan 2.js

@@ -0,0 +1,94 @@
+/**
+ * kit memory — secret scan over the store.
+ *
+ * The memory DB is secret-dense (it indexes raw transcripts). gitleaks and most
+ * scanners only see text files, not SQLite cell contents — so this scans the text
+ * columns directly, reusing kit's SECRET_PATTERNS via findSecrets (DRY). Findings
+ * are MASKED (label + short preview), never the raw secret.
+ *
+ * Findings are DEDUPED by (label, preview) with an occurrence count, split by
+ * CONFIDENCE so the genuinely dangerous keys (sk_live, AIzaSy, AKIA, ghp_, …) are
+ * not buried under the over-eager `KEY=value` heuristic, and ATTRIBUTED to the
+ * project(s) they leaked in (via each row's cwd) so you know which provider account
+ * to rotate. Only high-confidence findings make `kit memory scan` exit non-zero.
+ */
+import { basename } from "node:path";
+import { findSecrets } from "../utils/redactSecrets.js";
+const TARGETS = [
+    {
+        table: "messages",
+        idCol: "id",
+        columns: ["content"],
+        select: "SELECT id, content, cwd AS __project FROM messages",
+    },
+    {
+        table: "tool_uses",
+        idCol: "id",
+        columns: ["tool_input"],
+        select: "SELECT tool_uses.id AS id, tool_uses.tool_input AS tool_input, m.cwd AS __project " +
+            "FROM tool_uses LEFT JOIN messages m ON m.uuid = tool_uses.message_uuid",
+    },
+    {
+        table: "pending_actions",
+        idCol: "id",
+        columns: ["title", "detail", "verify_cmd"],
+        select: "SELECT id, title, detail, verify_cmd, scope AS __project FROM pending_actions",
+    },
+    {
+        table: "saved_threads",
+        idCol: "name",
+        columns: ["summary"],
+        select: "SELECT name, summary, project_path AS __project FROM saved_threads",
+    },
+];
+// Heuristic labels are pattern-based guesses (KEY=value, tfstate blobs) that
+// frequently match benign env vars / file paths. Everything else is a structured,
+// high-confidence credential pattern.
+const HEURISTIC_LABELS = new Set(["kv-secret", "tfstate-value"]);
+function projectName(raw) {
+    if (typeof raw !== "string" || !raw)
+        return null;
+    return raw.includes("/") ? basename(raw) : raw;
+}
+/** Scan every text cell for stored secrets. Deduped, confidence-tiered, project-attributed. */
+export function scanDbForSecrets(db) {
+    const byKey = new Map();
+    for (const target of TARGETS) {
+        const rows = db.prepare(target.select).all();
+        for (const row of rows) {
+            const proj = projectName(row.__project);
+            for (const col of target.columns) {
+                const val = row[col];
+                if (typeof val !== "string" || !val)
+                    continue;
+                for (const f of findSecrets(val)) {
+                    const key = `${f.label} ${f.preview}`;
+                    let entry = byKey.get(key);
+                    if (!entry) {
+                        entry = {
+                            label: f.label,
+                            preview: f.preview,
+                            confidence: HEURISTIC_LABELS.has(f.label) ? "heuristic" : "high",
+                            count: 0,
+                            sample: `${target.table}#${row[target.idCol]}.${col}`,
+                            projects: [],
+                            _projects: new Set(),
+                        };
+                        byKey.set(key, entry);
+                    }
+                    entry.count++;
+                    if (proj)
+                        entry._projects.add(proj);
+                }
+            }
+        }
+    }
+    return [...byKey.values()]
+        .map(({ _projects, ...f }) => ({ ...f, projects: [..._projects].sort() }))
+        .sort((a, b) => {
+        if (a.confidence !== b.confidence)
+            return a.confidence === "high" ? -1 : 1;
+        return b.count - a.count;
+    });
+}
+//# sourceMappingURL=scan%202.js.map

package/dist/memory/scan 2.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan 2.js","sourceRoot":"","sources":["../../src/memory/scan 2.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAErC,OAAO,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAwBxD,MAAM,OAAO,GAAa;IACxB;QACE,KAAK,EAAE,UAAU;QACjB,KAAK,EAAE,IAAI;QACX,OAAO,EAAE,CAAC,SAAS,CAAC;QACpB,MAAM,EAAE,oDAAoD;KAC7D;IACD;QACE,KAAK,EAAE,WAAW;QAClB,KAAK,EAAE,IAAI;QACX,OAAO,EAAE,CAAC,YAAY,CAAC;QACvB,MAAM,EACJ,oFAAoF;YACpF,wEAAwE;KAC3E;IACD;QACE,KAAK,EAAE,iBAAiB;QACxB,KAAK,EAAE,IAAI;QACX,OAAO,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,CAAC;QAC1C,MAAM,EAAE,+EAA+E;KACxF;IACD;QACE,KAAK,EAAE,eAAe;QACtB,KAAK,EAAE,MAAM;QACb,OAAO,EAAE,CAAC,SAAS,CAAC;QACpB,MAAM,EAAE,oEAAoE;KAC7E;CACF,CAAC;AAEF,6EAA6E;AAC7E,kFAAkF;AAClF,sCAAsC;AACtC,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC,CAAC;AAEjE,SAAS,WAAW,CAAC,GAAY;IAC/B,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACjD,OAAO,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;AACjD,CAAC;AAED,+FAA+F;AAC/F,MAAM,UAAU,gBAAgB,CAAC,EAAgB;IAC/C,MAAM,KAAK,GAAG,IAAI,GAAG,EAAoD,CAAC;IAC1E,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,EAA+B,CAAC;QAC1E,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,IAAI,GAAG,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACxC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACjC,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;gBACrB,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,GAAG;oBAAE,SAAS;gBAC9C,KAAK,MAAM,CAAC,IAAI,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;oBACjC,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;oBACtC,IAAI,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;oBAC3B,IAAI,CAAC,KAAK,EAAE,CAAC;wBACX,KAAK,GAAG;4BACN,KAAK,EAAE,CAAC,CAAC,KAAK;4BACd,OAAO,EAAE,CAAC,CAAC,OAAO;4BAClB,UAAU,EAAE,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM;4BAChE,KAAK,EAAE,CAAC;4BACR,MAAM,EAAE,GAAG,MAAM,CAAC,KAAK,IAAI,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,GAAG,EAAE;4BACrD,QAAQ,EAAE,EAAE;4BACZ,SAAS,EAAE,IAAI,GAAG,EAAU;yBAC7B,CAAC;wBACF,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;oBACxB,CAAC;oBACD,KAAK,CAAC,KAAK,EAAE,CAAC;oBACd,IAAI,IAAI;wBAAE,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACtC,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;SACvB,GAAG,CAAC,CAAC,EAAE,SAAS,EAAE,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,QAAQ,EAAE,CAAC,GAAG,SAAS,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;SACzE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACb,IAAI,CAAC,CAAC,UAAU,KAAK,CAAC,CAAC,UAAU;YAAE,OAAO,CAAC,CAAC,UAAU,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3E,OAAO,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC;IAC3B,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/memory/scan.d.ts

@@ -0,0 +1,15 @@
+import type { DatabaseSync } from "node:sqlite";
+export type ScanConfidence = "high" | "heuristic";
+export interface ScanFinding {
+    label: string;
+    preview: string;
+    confidence: ScanConfidence;
+    /** How many cells matched this (label, preview). */
+    count: number;
+    /** One example location, e.g. "messages#23839.content". */
+    sample: string;
+    /** Distinct project hints (which repo the secret leaked in), e.g. ["acme-app"]. */
+    projects: string[];
+}
+/** Scan every text cell for stored secrets. Deduped, confidence-tiered, project-attributed. */
+export declare function scanDbForSecrets(db: DatabaseSync): ScanFinding[];

package/dist/memory/scan.js

@@ -0,0 +1,94 @@
+/**
+ * kit memory — secret scan over the store.
+ *
+ * The memory DB is secret-dense (it indexes raw transcripts). gitleaks and most
+ * scanners only see text files, not SQLite cell contents — so this scans the text
+ * columns directly, reusing kit's SECRET_PATTERNS via findSecrets (DRY). Findings
+ * are MASKED (label + short preview), never the raw secret.
+ *
+ * Findings are DEDUPED by (label, preview) with an occurrence count, split by
+ * CONFIDENCE so the genuinely dangerous keys (sk_live, AIzaSy, AKIA, ghp_, …) are
+ * not buried under the over-eager `KEY=value` heuristic, and ATTRIBUTED to the
+ * project(s) they leaked in (via each row's cwd) so you know which provider account
+ * to rotate. Only high-confidence findings make `kit memory scan` exit non-zero.
+ */
+import { basename } from "node:path";
+import { findSecrets } from "../utils/redactSecrets.js";
+const TARGETS = [
+    {
+        table: "messages",
+        idCol: "id",
+        columns: ["content"],
+        select: "SELECT id, content, cwd AS __project FROM messages",
+    },
+    {
+        table: "tool_uses",
+        idCol: "id",
+        columns: ["tool_input"],
+        select: "SELECT tool_uses.id AS id, tool_uses.tool_input AS tool_input, m.cwd AS __project " +
+            "FROM tool_uses LEFT JOIN messages m ON m.uuid = tool_uses.message_uuid",
+    },
+    {
+        table: "pending_actions",
+        idCol: "id",
+        columns: ["title", "detail", "verify_cmd"],
+        select: "SELECT id, title, detail, verify_cmd, scope AS __project FROM pending_actions",
+    },
+    {
+        table: "saved_threads",
+        idCol: "name",
+        columns: ["summary"],
+        select: "SELECT name, summary, project_path AS __project FROM saved_threads",
+    },
+];
+// Heuristic labels are pattern-based guesses (KEY=value, tfstate blobs) that
+// frequently match benign env vars / file paths. Everything else is a structured,
+// high-confidence credential pattern.
+const HEURISTIC_LABELS = new Set(["kv-secret", "tfstate-value"]);
+function projectName(raw) {
+    if (typeof raw !== "string" || !raw)
+        return null;
+    return raw.includes("/") ? basename(raw) : raw;
+}
+/** Scan every text cell for stored secrets. Deduped, confidence-tiered, project-attributed. */
+export function scanDbForSecrets(db) {
+    const byKey = new Map();
+    for (const target of TARGETS) {
+        const rows = db.prepare(target.select).all();
+        for (const row of rows) {
+            const proj = projectName(row.__project);
+            for (const col of target.columns) {
+                const val = row[col];
+                if (typeof val !== "string" || !val)
+                    continue;
+                for (const f of findSecrets(val)) {
+                    const key = `${f.label} ${f.preview}`;
+                    let entry = byKey.get(key);
+                    if (!entry) {
+                        entry = {
+                            label: f.label,
+                            preview: f.preview,
+                            confidence: HEURISTIC_LABELS.has(f.label) ? "heuristic" : "high",
+                            count: 0,
+                            sample: `${target.table}#${row[target.idCol]}.${col}`,
+                            projects: [],
+                            _projects: new Set(),
+                        };
+                        byKey.set(key, entry);
+                    }
+                    entry.count++;
+                    if (proj)
+                        entry._projects.add(proj);
+                }
+            }
+        }
+    }
+    return [...byKey.values()]
+        .map(({ _projects, ...f }) => ({ ...f, projects: [..._projects].sort() }))
+        .sort((a, b) => {
+        if (a.confidence !== b.confidence)
+            return a.confidence === "high" ? -1 : 1;
+        return b.count - a.count;
+    });
+}
+//# sourceMappingURL=scan.js.map

package/dist/memory/scan.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan.js","sourceRoot":"","sources":["../../src/memory/scan.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAErC,OAAO,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAwBxD,MAAM,OAAO,GAAa;IACxB;QACE,KAAK,EAAE,UAAU;QACjB,KAAK,EAAE,IAAI;QACX,OAAO,EAAE,CAAC,SAAS,CAAC;QACpB,MAAM,EAAE,oDAAoD;KAC7D;IACD;QACE,KAAK,EAAE,WAAW;QAClB,KAAK,EAAE,IAAI;QACX,OAAO,EAAE,CAAC,YAAY,CAAC;QACvB,MAAM,EACJ,oFAAoF;YACpF,wEAAwE;KAC3E;IACD;QACE,KAAK,EAAE,iBAAiB;QACxB,KAAK,EAAE,IAAI;QACX,OAAO,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,CAAC;QAC1C,MAAM,EAAE,+EAA+E;KACxF;IACD;QACE,KAAK,EAAE,eAAe;QACtB,KAAK,EAAE,MAAM;QACb,OAAO,EAAE,CAAC,SAAS,CAAC;QACpB,MAAM,EAAE,oEAAoE;KAC7E;CACF,CAAC;AAEF,6EAA6E;AAC7E,kFAAkF;AAClF,sCAAsC;AACtC,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC,CAAC;AAEjE,SAAS,WAAW,CAAC,GAAY;IAC/B,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACjD,OAAO,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;AACjD,CAAC;AAED,+FAA+F;AAC/F,MAAM,UAAU,gBAAgB,CAAC,EAAgB;IAC/C,MAAM,KAAK,GAAG,IAAI,GAAG,EAAoD,CAAC;IAC1E,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,EAA+B,CAAC;QAC1E,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,IAAI,GAAG,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACxC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACjC,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;gBACrB,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,GAAG;oBAAE,SAAS;gBAC9C,KAAK,MAAM,CAAC,IAAI,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;oBACjC,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;oBACtC,IAAI,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;oBAC3B,IAAI,CAAC,KAAK,EAAE,CAAC;wBACX,KAAK,GAAG;4BACN,KAAK,EAAE,CAAC,CAAC,KAAK;4BACd,OAAO,EAAE,CAAC,CAAC,OAAO;4BAClB,UAAU,EAAE,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM;4BAChE,KAAK,EAAE,CAAC;4BACR,MAAM,EAAE,GAAG,MAAM,CAAC,KAAK,IAAI,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,GAAG,EAAE;4BACrD,QAAQ,EAAE,EAAE;4BACZ,SAAS,EAAE,IAAI,GAAG,EAAU;yBAC7B,CAAC;wBACF,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;oBACxB,CAAC;oBACD,KAAK,CAAC,KAAK,EAAE,CAAC;oBACd,IAAI,IAAI;wBAAE,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACtC,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;SACvB,GAAG,CAAC,CAAC,EAAE,SAAS,EAAE,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,QAAQ,EAAE,CAAC,GAAG,SAAS,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;SACzE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACb,IAAI,CAAC,CAAC,UAAU,KAAK,CAAC,CAAC,UAAU;YAAE,OAAO,CAAC,CAAC,UAAU,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3E,OAAO,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC;IAC3B,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/memory/scan.test 2.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/memory/scan.test 2.js

@@ -0,0 +1,55 @@
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+import { openMemoryDb, upsertSession, insertMessage } from "./db.js";
+import { scanDbForSecrets } from "./scan.js";
+describe("memory secret-scan", () => {
+    it("flags a stored secret (masked, high-confidence) and locates it", () => {
+        const db = openMemoryDb(":memory:");
+        upsertSession(db, { sessionId: "s1", harness: "claude-code" });
+        const fake = "sk_live_" + "A".repeat(24); // synthetic, non-real
+        insertMessage(db, { uuid: "u1", sessionId: "s1", type: "user", content: `the key is ${fake}` });
+        insertMessage(db, { uuid: "u2", sessionId: "s1", type: "user", content: "totally clean message" });
+        const findings = scanDbForSecrets(db);
+        assert.equal(findings.length, 1);
+        assert.equal(findings[0]?.label, "stripe-key");
+        assert.equal(findings[0]?.confidence, "high");
+        assert.equal(findings[0]?.count, 1);
+        assert.match(findings[0]?.sample ?? "", /^messages#\d+\.content$/);
+        assert.ok(!findings[0]?.preview.includes("A".repeat(24)), "preview is masked, not the raw secret");
+        db.close();
+    });
+    it("dedupes the same secret across rows with an occurrence count", () => {
+        const db = openMemoryDb(":memory:");
+        upsertSession(db, { sessionId: "s1", harness: "claude-code" });
+        const fake = "sk_live_" + "B".repeat(24);
+        insertMessage(db, { uuid: "u1", sessionId: "s1", type: "user", content: `key ${fake}` });
+        insertMessage(db, { uuid: "u2", sessionId: "s1", type: "user", content: `again ${fake}` });
+        const findings = scanDbForSecrets(db);
+        assert.equal(findings.length, 1, "one unique finding, not two");
+        assert.equal(findings[0]?.count, 2);
+        db.close();
+    });
+    it("attributes a finding to the project it leaked in (via cwd)", () => {
+        const db = openMemoryDb(":memory:");
+        upsertSession(db, { sessionId: "s1", harness: "claude-code" });
+        const fake = "sk_live_" + "C".repeat(24);
+        insertMessage(db, {
+            uuid: "u1",
+            sessionId: "s1",
+            type: "user",
+            content: `key ${fake}`,
+            cwd: "/Users/me/dev/app-a",
+        });
+        const findings = scanDbForSecrets(db);
+        assert.deepEqual(findings[0]?.projects, ["app-a"]);
+        db.close();
+    });
+    it("returns nothing for a clean db", () => {
+        const db = openMemoryDb(":memory:");
+        upsertSession(db, { sessionId: "s1", harness: "claude-code" });
+        insertMessage(db, { uuid: "u1", sessionId: "s1", type: "user", content: "no secrets here" });
+        assert.deepEqual(scanDbForSecrets(db), []);
+        db.close();
+    });
+});
+//# sourceMappingURL=scan.test%202.js.map

package/dist/memory/scan.test 2.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan.test 2.js","sourceRoot":"","sources":["../../src/memory/scan.test 2.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,MAAM,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,WAAW,CAAC;AAE7C,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,EAAE,CAAC,gEAAgE,EAAE,GAAG,EAAE;QACxE,MAAM,EAAE,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;QACpC,aAAa,CAAC,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,aAAa,EAAE,CAAC,CAAC;QAC/D,MAAM,IAAI,GAAG,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,sBAAsB;QAChE,aAAa,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,IAAI,EAAE,EAAE,CAAC,CAAC;QAChG,aAAa,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC,CAAC;QACnG,MAAM,QAAQ,GAAG,gBAAgB,CAAC,EAAE,CAAC,CAAC;QACtC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,YAAY,CAAC,CAAC;QAC/C,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;QAC9C,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;QACpC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,MAAM,IAAI,EAAE,EAAE,yBAAyB,CAAC,CAAC;QACnE,MAAM,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,EAAE,uCAAuC,CAAC,CAAC;QACnG,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,MAAM,EAAE,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;QACpC,aAAa,CAAC,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,aAAa,EAAE,CAAC,CAAC;QAC/D,MAAM,IAAI,GAAG,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACzC,aAAa,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,IAAI,EAAE,EAAE,CAAC,CAAC;QACzF,aAAa,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,IAAI,EAAE,EAAE,CAAC,CAAC;QAC3F,MAAM,QAAQ,GAAG,gBAAgB,CAAC,EAAE,CAAC,CAAC;QACtC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,6BAA6B,CAAC,CAAC;QAChE,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;QACpC,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,MAAM,EAAE,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;QACpC,aAAa,CAAC,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,aAAa,EAAE,CAAC,CAAC;QAC/D,MAAM,IAAI,GAAG,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACzC,aAAa,CAAC,EAAE,EAAE;YAChB,IAAI,EAAE,IAAI;YACV,SAAS,EAAE,IAAI;YACf,IAAI,EAAE,MAAM;YACZ,OAAO,EAAE,OAAO,IAAI,EAAE;YACtB,GAAG,EAAE,qBAAqB;SAC3B,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,gBAAgB,CAAC,EAAE,CAAC,CAAC;QACtC,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;QACnD,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,EAAE,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;QACpC,aAAa,CAAC,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,aAAa,EAAE,CAAC,CAAC;QAC/D,aAAa,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAC,CAAC;QAC7F,MAAM,CAAC,SAAS,CAAC,gBAAgB,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;QAC3C,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/memory/shared 2.d.ts

@@ -0,0 +1,33 @@
+export type SharedKind = "decision" | "convention" | "how-built" | "status" | "security" | "note";
+export interface SharedEntry {
+    id: string;
+    area: string;
+    kind: SharedKind;
+    title: string;
+    body: string;
+    refs: string[];
+    author: string;
+    ts: string;
+    source_ref?: string;
+}
+export interface ShareInput {
+    area: string;
+    kind: SharedKind;
+    title: string;
+    body: string;
+    refs?: string[];
+}
+export declare function getSharedPath(root: string): string;
+export declare function readShared(root: string): SharedEntry[];
+/**
+ * Promote one entry into the shared store. Fail-closed: refuses (throws) if any
+ * text field contains a secret. Only allow-listed fields are persisted — no raw
+ * tool output / env dumps can sneak in. Author + source_ref give provenance.
+ */
+export declare function shareEntry(root: string, input: ShareInput, now: string): SharedEntry;
+export declare function listAreas(root: string): {
+    area: string;
+    count: number;
+}[];
+export declare function queryArea(root: string, area: string): SharedEntry[];
+export declare function searchShared(root: string, query: string): SharedEntry[];