sandstream-kit 1.0.1 → 1.2.0

package/dist/memory/pal.d.ts

@@ -0,0 +1,47 @@
+import type { DatabaseSync } from "node:sqlite";
+export interface PendingAction {
+    id: string;
+    status: string;
+    title: string;
+    detail: string | null;
+    scope: string | null;
+    kind: string;
+    verify_cmd: string | null;
+    created_at: string | null;
+    next_check: string | null;
+    snooze_until: string | null;
+    closed_at: string | null;
+    verify_passes: number;
+}
+export interface PalAddInput {
+    title: string;
+    detail?: string;
+    scope?: string;
+    kind?: "manual" | "auto";
+    verifyCmd?: string;
+}
+export declare function palAdd(db: DatabaseSync, input: PalAddInput): string;
+export interface PalListOptions {
+    status?: string;
+    /** Restrict to this scope plus globally-scoped (NULL) items. Omit = every scope. */
+    scope?: string;
+}
+export declare function palList(db: DatabaseSync, opts?: PalListOptions): PendingAction[];
+export declare function palDone(db: DatabaseSync, id: string): boolean;
+export declare function palSnooze(db: DatabaseSync, id: string, days: number): boolean;
+export interface AutoVerifyResult {
+    checked: number;
+    closed: string[];
+    reopened: string[];
+}
+/**
+ * Auto-verify `auto` items. An OPEN item that passes `confirmPasses` consecutive
+ * times is closed (a pass increments the streak, a fail resets it). A CLOSED item
+ * whose verify now FAILS is reopened (reopen-on-regress). No-info leaves it alone.
+ */
+export declare function palAutoVerify(db: DatabaseSync, confirmPasses?: number): AutoVerifyResult;
+export declare function getLegacyLedgerPath(): string;
+/** Import the old `~/.claude/pal/ledger.jsonl` into pending_actions. Idempotent (by id). */
+export declare function importLegacyLedger(db: DatabaseSync, path?: string): {
+    imported: number;
+};

package/dist/memory/pal.js

@@ -0,0 +1,154 @@
+/**
+ * kit memory — PAL (Pending Action Ledger), folded into the memory store.
+ *
+ * PAL is the STRUCTURED, actionable layer on top of raw conversation memory:
+ * "blocked-on-you" items that survive sessions and auto-close when their verify
+ * command starts passing. It lives in the `pending_actions` table of the same
+ * SQLite store. Deterministic; the only side effect is running operator-defined
+ * verify commands (local shell, with a timeout). Fail-open / no-info aware.
+ */
+import { randomBytes } from "node:crypto";
+import { execSync } from "node:child_process";
+import { readFileSync, existsSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+function newId(db) {
+    for (let i = 0; i < 100; i++) {
+        const id = randomBytes(2).toString("hex"); // 4 hex chars, e.g. "ec95"
+        if (!db.prepare("SELECT 1 FROM pending_actions WHERE id = ?").get(id))
+            return id;
+    }
+    throw new Error("could not allocate a unique pending-action id");
+}
+export function palAdd(db, input) {
+    const id = newId(db);
+    const kind = input.kind ?? (input.verifyCmd ? "auto" : "manual");
+    db.prepare(`INSERT INTO pending_actions (id, status, title, detail, scope, kind, verify_cmd)
+     VALUES (?, 'open', ?, ?, ?, ?, ?)`).run(id, input.title, input.detail ?? null, input.scope ?? null, kind, input.verifyCmd ?? null);
+    return id;
+}
+export function palList(db, opts = {}) {
+    const status = opts.status ?? "open";
+    if (opts.scope !== undefined) {
+        return db
+            .prepare("SELECT * FROM pending_actions WHERE status = ? AND (scope = ? OR scope IS NULL) ORDER BY created_at, id")
+            .all(status, opts.scope);
+    }
+    return db
+        .prepare("SELECT * FROM pending_actions WHERE status = ? ORDER BY created_at, id")
+        .all(status);
+}
+export function palDone(db, id) {
+    const res = db
+        .prepare("UPDATE pending_actions SET status='closed', closed_at=datetime('now') WHERE id=? AND status!='closed'")
+        .run(id);
+    return Number(res.changes) > 0;
+}
+export function palSnooze(db, id, days) {
+    const d = Math.max(1, Math.floor(days));
+    const res = db
+        .prepare("UPDATE pending_actions SET status='snoozed', snooze_until=datetime('now', ?) WHERE id=?")
+        .run(`+${d} days`, id);
+    return Number(res.changes) > 0;
+}
+/**
+ * Run a verify command. true = pass (exit 0), false = ran but failed, null = no-info.
+ *
+ * SECURITY: this runs `cmd` through a shell on purpose — verify commands routinely
+ * need pipes / `&&` (e.g. `curl -fsS … | grep 200`). The trust boundary: `verify_cmd`
+ * is OPERATOR-AUTHORED and lives only in the PERSONAL store (~/.kit/memory.db); running
+ * it is equivalent to the operator running their own command — no untrusted data is
+ * interpolated, so this is not a command-injection sink. INVARIANT for Track D (shared
+ * memory): shared/synced items must NEVER carry an executable `verify_cmd` that runs
+ * unreviewed — only manual items or review-gated verifies cross the sharing boundary.
+ */
+function runVerify(cmd) {
+    try {
+        execSync(cmd, { stdio: "ignore", timeout: 15_000 });
+        return true;
+    }
+    catch (err) {
+        const status = err.status;
+        if (typeof status === "number")
+            return false; // ran, non-zero exit
+        return null; // spawn error / timeout → no-info, leave state unchanged
+    }
+}
+/**
+ * Auto-verify `auto` items. An OPEN item that passes `confirmPasses` consecutive
+ * times is closed (a pass increments the streak, a fail resets it). A CLOSED item
+ * whose verify now FAILS is reopened (reopen-on-regress). No-info leaves it alone.
+ */
+export function palAutoVerify(db, confirmPasses = 2) {
+    const out = { checked: 0, closed: [], reopened: [] };
+    const rows = db
+        .prepare("SELECT * FROM pending_actions WHERE kind='auto' AND verify_cmd IS NOT NULL AND status IN ('open','closed')")
+        .all();
+    for (const r of rows) {
+        const result = runVerify(r.verify_cmd);
+        if (result === null)
+            continue; // no-info
+        out.checked++;
+        if (r.status === "open") {
+            if (result) {
+                const passes = r.verify_passes + 1;
+                if (passes >= confirmPasses) {
+                    db.prepare("UPDATE pending_actions SET status='closed', closed_at=datetime('now'), verify_passes=? WHERE id=?").run(passes, r.id);
+                    out.closed.push(r.id);
+                }
+                else {
+                    db.prepare("UPDATE pending_actions SET verify_passes=? WHERE id=?").run(passes, r.id);
+                }
+            }
+            else if (r.verify_passes !== 0) {
+                db.prepare("UPDATE pending_actions SET verify_passes=0 WHERE id=?").run(r.id);
+            }
+        }
+        else if (r.status === "closed" && !result) {
+            db.prepare("UPDATE pending_actions SET status='open', verify_passes=0, closed_at=NULL WHERE id=?").run(r.id);
+            out.reopened.push(r.id);
+        }
+    }
+    return out;
+}
+// ── Migration from the legacy python PAL ledger ───────────────────────────────
+export function getLegacyLedgerPath() {
+    return process.env.KIT_PAL_LEDGER ?? join(homedir(), ".claude", "pal", "ledger.jsonl");
+}
+/** Import the old `~/.claude/pal/ledger.jsonl` into pending_actions. Idempotent (by id). */
+export function importLegacyLedger(db, path = getLegacyLedgerPath()) {
+    if (!existsSync(path))
+        return { imported: 0 };
+    let raw;
+    try {
+        raw = readFileSync(path, "utf8");
+    }
+    catch {
+        return { imported: 0 };
+    }
+    const insert = db.prepare(`INSERT OR IGNORE INTO pending_actions
+     (id, status, title, detail, scope, kind, verify_cmd, created_at, next_check, verify_passes)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`);
+    let imported = 0;
+    for (const line of raw.split("\n")) {
+        const t = line.trim();
+        if (!t)
+            continue;
+        let e;
+        try {
+            e = JSON.parse(t);
+        }
+        catch {
+            continue;
+        }
+        if (!e.id || !e.title)
+            continue;
+        const status = e.status === "done" ? "closed" : (e.status ?? "open");
+        const kind = e.verify ? "auto" : "manual";
+        const res = insert.run(e.id, status, e.title, e.why ?? null, e.repo ?? null, kind, e.verify ?? null, e.ts ?? null, e.next_check ?? null, e.pass_streak ?? 0);
+        if (Number(res.changes) > 0)
+            imported++;
+    }
+    return { imported };
+}
+//# sourceMappingURL=pal.js.map

package/dist/memory/pal.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pal.js","sourceRoot":"","sources":["../../src/memory/pal.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AA0BjC,SAAS,KAAK,CAAC,EAAgB;IAC7B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,MAAM,EAAE,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,2BAA2B;QACtE,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,4CAA4C,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC;YAAE,OAAO,EAAE,CAAC;IACnF,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;AACnE,CAAC;AAED,MAAM,UAAU,MAAM,CAAC,EAAgB,EAAE,KAAkB;IACzD,MAAM,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC,CAAC;IACrB,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IACjE,EAAE,CAAC,OAAO,CACR;uCACmC,CACpC,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,MAAM,IAAI,IAAI,EAAE,KAAK,CAAC,KAAK,IAAI,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI,CAAC,CAAC;IACjG,OAAO,EAAE,CAAC;AACZ,CAAC;AAQD,MAAM,UAAU,OAAO,CAAC,EAAgB,EAAE,OAAuB,EAAE;IACjE,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC;IACrC,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAC7B,OAAO,EAAE;aACN,OAAO,CACN,yGAAyG,CAC1G;aACA,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAA+B,CAAC;IAC3D,CAAC;IACD,OAAO,EAAE;SACN,OAAO,CAAC,wEAAwE,CAAC;SACjF,GAAG,CAAC,MAAM,CAA+B,CAAC;AAC/C,CAAC;AAED,MAAM,UAAU,OAAO,CAAC,EAAgB,EAAE,EAAU;IAClD,MAAM,GAAG,GAAG,EAAE;SACX,OAAO,CACN,uGAAuG,CACxG;SACA,GAAG,CAAC,EAAE,CAAC,CAAC;IACX,OAAO,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,EAAgB,EAAE,EAAU,EAAE,IAAY;IAClE,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;IACxC,MAAM,GAAG,GAAG,EAAE;SACX,OAAO,CACN,yFAAyF,CAC1F;SACA,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IACzB,OAAO,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;AACjC,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,SAAS,CAAC,GAAW;IAC5B,IAAI,CAAC;QACH,QAAQ,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;QACpD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,MAAM,GAAI,GAAkC,CAAC,MAAM,CAAC;QAC1D,IAAI,OAAO,MAAM,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC,CAAC,qBAAqB;QACnE,OAAO,IAAI,CAAC,CAAC,yDAAyD;IACxE,CAAC;AACH,CAAC;AAQD;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,EAAgB,EAAE,aAAa,GAAG,CAAC;IAC/D,MAAM,GAAG,GAAqB,EAAE,OAAO,EAAE,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;IACvE,MAAM,IAAI,GAAG,EAAE;SACZ,OAAO,CACN,4GAA4G,CAC7G;SACA,GAAG,EAAgC,CAAC;IACvC,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QACrB,MAAM,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC,UAAoB,CAAC,CAAC;QACjD,IAAI,MAAM,KAAK,IAAI;YAAE,SAAS,CAAC,UAAU;QACzC,GAAG,CAAC,OAAO,EAAE,CAAC;QACd,IAAI,CAAC,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YACxB,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,MAAM,GAAG,CAAC,CAAC,aAAa,GAAG,CAAC,CAAC;gBACnC,IAAI,MAAM,IAAI,aAAa,EAAE,CAAC;oBAC5B,EAAE,CAAC,OAAO,CACR,mGAAmG,CACpG,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;oBACpB,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBACxB,CAAC;qBAAM,CAAC;oBACN,EAAE,CAAC,OAAO,CAAC,uDAAuD,CAAC,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;gBACxF,CAAC;YACH,CAAC;iBAAM,IAAI,CAAC,CAAC,aAAa,KAAK,CAAC,EAAE,CAAC;gBACjC,EAAE,CAAC,OAAO,CAAC,uDAAuD,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YAChF,CAAC;QACH,CAAC;aAAM,IAAI,CAAC,CAAC,MAAM,KAAK,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;YAC5C,EAAE,CAAC,OAAO,CACR,sFAAsF,CACvF,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACZ,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,iFAAiF;AAEjF,MAAM,UAAU,mBAAmB;IACjC,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,cAAc,CAAC,CAAC;AACzF,CAAC;AAcD,4FAA4F;AAC5F,MAAM,UAAU,kBAAkB,CAChC,EAAgB,EAChB,OAAe,mBAAmB,EAAE;IAEpC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;IAC9C,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACnC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;IACzB,CAAC;IACD,MAAM,MAAM,GAAG,EAAE,CAAC,OAAO,CACvB;;2CAEuC,CACxC,CAAC;IACF,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACnC,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QACtB,IAAI,CAAC,CAAC;YAAE,SAAS;QACjB,IAAI,CAAc,CAAC;QACnB,IAAI,CAAC;YACH,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAgB,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK;YAAE,SAAS;QAChC,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,MAAM,CAAC,CAAC;QACrE,MAAM,IAAI,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC;QAC1C,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CACpB,CAAC,CAAC,EAAE,EACJ,MAAM,EACN,CAAC,CAAC,KAAK,EACP,CAAC,CAAC,GAAG,IAAI,IAAI,EACb,CAAC,CAAC,IAAI,IAAI,IAAI,EACd,IAAI,EACJ,CAAC,CAAC,MAAM,IAAI,IAAI,EAChB,CAAC,CAAC,EAAE,IAAI,IAAI,EACZ,CAAC,CAAC,UAAU,IAAI,IAAI,EACpB,CAAC,CAAC,WAAW,IAAI,CAAC,CACnB,CAAC;QACF,IAAI,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC;YAAE,QAAQ,EAAE,CAAC;IAC1C,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,CAAC;AACtB,CAAC"}

package/dist/memory/parser.d.ts

@@ -0,0 +1,34 @@
+import type { DatabaseSync } from "node:sqlite";
+export interface IndexResult {
+    files: number;
+    sessions: number;
+    messages: number;
+    toolUses: number;
+    /** Files skipped because they were unchanged since the last index (incremental). */
+    filesSkipped: number;
+}
+export declare function getClaudeProjectsDir(): string;
+interface ContentBlock {
+    type?: string;
+    text?: string;
+    name?: string;
+    input?: unknown;
+}
+type Content = string | ContentBlock[] | undefined;
+/** Flatten transcript content (string or block array) into searchable plain text. */
+export declare function extractText(content: Content): string;
+/** Extract tool_use blocks from a message's content. */
+export declare function extractToolUses(content: Content): {
+    name: string;
+    input: string;
+}[];
+/** Walk ~/.claude/projects and index every transcript. Idempotent. */
+export declare function indexClaudeTranscripts(db: DatabaseSync): IndexResult;
+/** Per-harness index results, keyed by harness name. */
+export type HarnessResults = Record<string, IndexResult>;
+/**
+ * Index every supported harness's transcripts into the store. Returns per-harness
+ * counts. Adding a harness = one more parser here (Copilot, Gemini, Aider, Cursor…).
+ */
+export declare function indexAllHarnesses(db: DatabaseSync): HarnessResults;
+export {};

package/dist/memory/parser.js

@@ -0,0 +1,195 @@
+/**
+ * kit memory — Claude Code transcript parser.
+ *
+ * Reads raw session transcripts from ~/.claude/projects/<project>/<session>.jsonl
+ * and indexes them into the memory store. RAW + idempotent: one row per message
+ * (deduped by uuid), no summarisation. Re-running is safe — already-seen messages
+ * are ignored. Field mapping mirrors the Claude Code transcript format (also used
+ * by cloudctx, MIT). Other harnesses (Codex/Cursor) get their own parser later;
+ * sessions carry a `harness` tag so the store stays multi-harness.
+ */
+import { readFileSync, readdirSync, existsSync, statSync } from "node:fs";
+import { homedir } from "node:os";
+import { join, basename } from "node:path";
+import { insertMessage, insertToolUse, upsertSession, isFileIndexed, markFileIndexed, } from "./db.js";
+import { indexCodexSessions } from "./codex.js";
+import { indexGeminiSessions } from "./gemini.js";
+import { indexContinueSessions } from "./continue.js";
+export function getClaudeProjectsDir() {
+    const base = process.env.KIT_CLAUDE_DIR ?? join(homedir(), ".claude");
+    return join(base, "projects");
+}
+/** Flatten transcript content (string or block array) into searchable plain text. */
+export function extractText(content) {
+    if (typeof content === "string")
+        return content;
+    if (Array.isArray(content)) {
+        return content
+            .map((b) => {
+            if (b?.type === "text")
+                return b.text ?? "";
+            if (b?.type === "tool_use")
+                return `[Tool: ${b.name ?? "unknown"}]`;
+            if (b?.type === "tool_result")
+                return "[Tool Result]";
+            return "";
+        })
+            .filter(Boolean)
+            .join("\n");
+    }
+    return "";
+}
+/** Extract tool_use blocks from a message's content. */
+export function extractToolUses(content) {
+    if (!Array.isArray(content))
+        return [];
+    const out = [];
+    for (const b of content) {
+        if (b?.type === "tool_use") {
+            out.push({
+                name: b.name ?? "unknown",
+                input: b.input === undefined ? "" : JSON.stringify(b.input),
+            });
+        }
+    }
+    return out;
+}
+function indexFile(db, filepath, project) {
+    const sessionId = basename(filepath, ".jsonl");
+    let raw;
+    try {
+        raw = readFileSync(filepath, "utf8");
+    }
+    catch {
+        return { messages: 0, toolUses: 0 };
+    }
+    // Ensure the session row exists before inserting messages so per-message
+    // counters resolve against a real row.
+    upsertSession(db, { sessionId, harness: "claude-code", project });
+    let messages = 0;
+    let toolUses = 0;
+    let firstTs;
+    let lastTs;
+    let isSidechain = false;
+    for (const line of raw.split("\n")) {
+        const trimmed = line.trim();
+        if (!trimmed)
+            continue;
+        let rec;
+        try {
+            rec = JSON.parse(trimmed);
+        }
+        catch {
+            continue; // skip malformed lines, keep indexing the rest
+        }
+        if (rec.type !== "user" && rec.type !== "assistant")
+            continue;
+        if (!rec.uuid)
+            continue;
+        if (rec.isSidechain)
+            isSidechain = true;
+        const msg = rec.message;
+        const ts = rec.timestamp;
+        if (ts) {
+            if (!firstTs)
+                firstTs = ts;
+            lastTs = ts;
+        }
+        const added = insertMessage(db, {
+            uuid: rec.uuid,
+            sessionId: rec.sessionId ?? sessionId,
+            parentUuid: rec.parentUuid,
+            type: rec.type,
+            role: msg?.role,
+            content: extractText(msg?.content),
+            model: msg?.model,
+            inputTokens: msg?.usage?.input_tokens,
+            outputTokens: msg?.usage?.output_tokens,
+            timestamp: ts,
+            cwd: rec.cwd,
+            gitBranch: rec.gitBranch,
+            version: rec.version,
+        });
+        if (added) {
+            messages++;
+            for (const tool of extractToolUses(msg?.content)) {
+                insertToolUse(db, {
+                    messageUuid: rec.uuid,
+                    sessionId: rec.sessionId ?? sessionId,
+                    toolName: tool.name,
+                    toolInput: tool.input,
+                    timestamp: ts,
+                });
+                toolUses++;
+            }
+        }
+    }
+    // Final upsert records the session's time bounds + sidechain flag.
+    upsertSession(db, {
+        sessionId,
+        harness: "claude-code",
+        project,
+        firstMessageAt: firstTs,
+        lastMessageAt: lastTs,
+        isAgentSidechain: isSidechain,
+    });
+    return { messages, toolUses };
+}
+/** Walk ~/.claude/projects and index every transcript. Idempotent. */
+export function indexClaudeTranscripts(db) {
+    const projectsDir = getClaudeProjectsDir();
+    const result = { files: 0, sessions: 0, messages: 0, toolUses: 0, filesSkipped: 0 };
+    if (!existsSync(projectsDir))
+        return result;
+    for (const projectName of readdirSync(projectsDir).sort()) {
+        const projectPath = join(projectsDir, projectName);
+        let isDir = false;
+        try {
+            isDir = statSync(projectPath).isDirectory();
+        }
+        catch {
+            continue;
+        }
+        if (!isDir)
+            continue;
+        for (const entry of readdirSync(projectPath).sort()) {
+            if (!entry.endsWith(".jsonl"))
+                continue;
+            const filePath = join(projectPath, entry);
+            let st;
+            try {
+                st = statSync(filePath);
+            }
+            catch {
+                continue;
+            }
+            // Skip files unchanged since the last index (incremental — avoids re-reading
+            // every transcript each run; the per-message uuid dedup still backstops it).
+            const mtimeMs = Math.floor(st.mtimeMs);
+            if (isFileIndexed(db, filePath, mtimeMs, st.size)) {
+                result.filesSkipped++;
+                continue;
+            }
+            const counts = indexFile(db, filePath, projectName);
+            markFileIndexed(db, filePath, mtimeMs, st.size);
+            result.files++;
+            result.sessions++;
+            result.messages += counts.messages;
+            result.toolUses += counts.toolUses;
+        }
+    }
+    return result;
+}
+/**
+ * Index every supported harness's transcripts into the store. Returns per-harness
+ * counts. Adding a harness = one more parser here (Copilot, Gemini, Aider, Cursor…).
+ */
+export function indexAllHarnesses(db) {
+    return {
+        "claude-code": indexClaudeTranscripts(db),
+        codex: indexCodexSessions(db),
+        gemini: indexGeminiSessions(db),
+        continue: indexContinueSessions(db),
+    };
+}
+//# sourceMappingURL=parser.js.map

package/dist/memory/parser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"parser.js","sourceRoot":"","sources":["../../src/memory/parser.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC1E,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAE3C,OAAO,EACL,aAAa,EACb,aAAa,EACb,aAAa,EACb,aAAa,EACb,eAAe,GAChB,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAWtD,MAAM,UAAU,oBAAoB;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;IACtE,OAAO,IAAI,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;AAChC,CAAC;AAUD,qFAAqF;AACrF,MAAM,UAAU,WAAW,CAAC,OAAgB;IAC1C,IAAI,OAAO,OAAO,KAAK,QAAQ;QAAE,OAAO,OAAO,CAAC;IAChD,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3B,OAAO,OAAO;aACX,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;YACT,IAAI,CAAC,EAAE,IAAI,KAAK,MAAM;gBAAE,OAAO,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;YAC5C,IAAI,CAAC,EAAE,IAAI,KAAK,UAAU;gBAAE,OAAO,UAAU,CAAC,CAAC,IAAI,IAAI,SAAS,GAAG,CAAC;YACpE,IAAI,CAAC,EAAE,IAAI,KAAK,aAAa;gBAAE,OAAO,eAAe,CAAC;YACtD,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC;aACD,MAAM,CAAC,OAAO,CAAC;aACf,IAAI,CAAC,IAAI,CAAC,CAAC;IAChB,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,wDAAwD;AACxD,MAAM,UAAU,eAAe,CAAC,OAAgB;IAC9C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;QAAE,OAAO,EAAE,CAAC;IACvC,MAAM,GAAG,GAAsC,EAAE,CAAC;IAClD,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,EAAE,IAAI,KAAK,UAAU,EAAE,CAAC;YAC3B,GAAG,CAAC,IAAI,CAAC;gBACP,IAAI,EAAE,CAAC,CAAC,IAAI,IAAI,SAAS;gBACzB,KAAK,EAAE,CAAC,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC;aAC5D,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAoBD,SAAS,SAAS,CAChB,EAAgB,EAChB,QAAgB,EAChB,OAAe;IAEf,MAAM,SAAS,GAAG,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC/C,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;IACtC,CAAC;IAED,yEAAyE;IACzE,uCAAuC;IACvC,aAAa,CAAC,EAAE,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,CAAC,CAAC;IAElE,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,IAAI,OAA2B,CAAC;IAChC,IAAI,MAA0B,CAAC;IAC/B,IAAI,WAAW,GAAG,KAAK,CAAC;IAExB,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACnC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,IAAI,GAAqB,CAAC;QAC1B,IAAI,CAAC;YACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAqB,CAAC;QAChD,CAAC;QAAC,MAAM,CAAC;YACP,SAAS,CAAC,+CAA+C;QAC3D,CAAC;QACD,IAAI,GAAG,CAAC,IAAI,KAAK,MAAM,IAAI,GAAG,CAAC,IAAI,KAAK,WAAW;YAAE,SAAS;QAC9D,IAAI,CAAC,GAAG,CAAC,IAAI;YAAE,SAAS;QACxB,IAAI,GAAG,CAAC,WAAW;YAAE,WAAW,GAAG,IAAI,CAAC;QAExC,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC;QACxB,MAAM,EAAE,GAAG,GAAG,CAAC,SAAS,CAAC;QACzB,IAAI,EAAE,EAAE,CAAC;YACP,IAAI,CAAC,OAAO;gBAAE,OAAO,GAAG,EAAE,CAAC;YAC3B,MAAM,GAAG,EAAE,CAAC;QACd,CAAC;QAED,MAAM,KAAK,GAAG,aAAa,CAAC,EAAE,EAAE;YAC9B,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,SAAS,EAAE,GAAG,CAAC,SAAS,IAAI,SAAS;YACrC,UAAU,EAAE,GAAG,CAAC,UAAU;YAC1B,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI,EAAE,GAAG,EAAE,IAAI;YACf,OAAO,EAAE,WAAW,CAAC,GAAG,EAAE,OAAO,CAAC;YAClC,KAAK,EAAE,GAAG,EAAE,KAAK;YACjB,WAAW,EAAE,GAAG,EAAE,KAAK,EAAE,YAAY;YACrC,YAAY,EAAE,GAAG,EAAE,KAAK,EAAE,aAAa;YACvC,SAAS,EAAE,EAAE;YACb,GAAG,EAAE,GAAG,CAAC,GAAG;YACZ,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,OAAO,EAAE,GAAG,CAAC,OAAO;SACrB,CAAC,CAAC;QAEH,IAAI,KAAK,EAAE,CAAC;YACV,QAAQ,EAAE,CAAC;YACX,KAAK,MAAM,IAAI,IAAI,eAAe,CAAC,GAAG,EAAE,OAAO,CAAC,EAAE,CAAC;gBACjD,aAAa,CAAC,EAAE,EAAE;oBAChB,WAAW,EAAE,GAAG,CAAC,IAAI;oBACrB,SAAS,EAAE,GAAG,CAAC,SAAS,IAAI,SAAS;oBACrC,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,SAAS,EAAE,IAAI,CAAC,KAAK;oBACrB,SAAS,EAAE,EAAE;iBACd,CAAC,CAAC;gBACH,QAAQ,EAAE,CAAC;YACb,CAAC;QACH,CAAC;IACH,CAAC;IAED,mEAAmE;IACnE,aAAa,CAAC,EAAE,EAAE;QAChB,SAAS;QACT,OAAO,EAAE,aAAa;QACtB,OAAO;QACP,cAAc,EAAE,OAAO;QACvB,aAAa,EAAE,MAAM;QACrB,gBAAgB,EAAE,WAAW;KAC9B,CAAC,CAAC;IAEH,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;AAChC,CAAC;AAED,sEAAsE;AACtE,MAAM,UAAU,sBAAsB,CAAC,EAAgB;IACrD,MAAM,WAAW,GAAG,oBAAoB,EAAE,CAAC;IAC3C,MAAM,MAAM,GAAgB,EAAE,KAAK,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC;IACjG,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC;QAAE,OAAO,MAAM,CAAC;IAE5C,KAAK,MAAM,WAAW,IAAI,WAAW,CAAC,WAAW,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;QAC1D,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;QACnD,IAAI,KAAK,GAAG,KAAK,CAAC;QAClB,IAAI,CAAC;YACH,KAAK,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC,WAAW,EAAE,CAAC;QAC9C,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,IAAI,CAAC,KAAK;YAAE,SAAS;QAErB,KAAK,MAAM,KAAK,IAAI,WAAW,CAAC,WAAW,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;YACpD,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBAAE,SAAS;YACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;YAC1C,IAAI,EAAE,CAAC;YACP,IAAI,CAAC;gBACH,EAAE,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAC1B,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YACD,6EAA6E;YAC7E,6EAA6E;YAC7E,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC;YACvC,IAAI,aAAa,CAAC,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;gBAClD,MAAM,CAAC,YAAY,EAAE,CAAC;gBACtB,SAAS;YACX,CAAC;YACD,MAAM,MAAM,GAAG,SAAS,CAAC,EAAE,EAAE,QAAQ,EAAE,WAAW,CAAC,CAAC;YACpD,eAAe,CAAC,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;YAChD,MAAM,CAAC,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,QAAQ,EAAE,CAAC;YAClB,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC;YACnC,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC;QACrC,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAKD;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,EAAgB;IAChD,OAAO;QACL,aAAa,EAAE,sBAAsB,CAAC,EAAE,CAAC;QACzC,KAAK,EAAE,kBAAkB,CAAC,EAAE,CAAC;QAC7B,MAAM,EAAE,mBAAmB,CAAC,EAAE,CAAC;QAC/B,QAAQ,EAAE,qBAAqB,CAAC,EAAE,CAAC;KACpC,CAAC;AACJ,CAAC"}

package/dist/memory/project 2.d.ts

@@ -0,0 +1 @@
+export declare function getCurrentProjectRoot(cwd?: string): string;

package/dist/memory/project 2.js

@@ -0,0 +1,24 @@
+/**
+ * kit memory — current-project resolution.
+ *
+ * Memory search defaults to the current project (relevance + blast-radius
+ * containment); the repo root is the project boundary. Falls back to cwd when not
+ * inside a git repo. Pure read — no model calls, no writes.
+ */
+import { execFileSync } from "node:child_process";
+export function getCurrentProjectRoot(cwd = process.cwd()) {
+    try {
+        const root = execFileSync("git", ["rev-parse", "--show-toplevel"], {
+            cwd,
+            encoding: "utf8",
+            stdio: ["ignore", "pipe", "ignore"],
+        }).trim();
+        if (root)
+            return root;
+    }
+    catch {
+        // not a git repo (or git unavailable) — fall back to cwd
+    }
+    return cwd;
+}
+//# sourceMappingURL=project%202.js.map

package/dist/memory/project 2.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"project 2.js","sourceRoot":"","sources":["../../src/memory/project 2.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,UAAU,qBAAqB,CAAC,MAAc,OAAO,CAAC,GAAG,EAAE;IAC/D,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,YAAY,CAAC,KAAK,EAAE,CAAC,WAAW,EAAE,iBAAiB,CAAC,EAAE;YACjE,GAAG;YACH,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;SACpC,CAAC,CAAC,IAAI,EAAE,CAAC;QACV,IAAI,IAAI;YAAE,OAAO,IAAI,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,yDAAyD;IAC3D,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/memory/project.d.ts

@@ -0,0 +1 @@
+export declare function getCurrentProjectRoot(cwd?: string): string;

package/dist/memory/project.js

@@ -0,0 +1,24 @@
+/**
+ * kit memory — current-project resolution.
+ *
+ * Memory search defaults to the current project (relevance + blast-radius
+ * containment); the repo root is the project boundary. Falls back to cwd when not
+ * inside a git repo. Pure read — no model calls, no writes.
+ */
+import { execFileSync } from "node:child_process";
+export function getCurrentProjectRoot(cwd = process.cwd()) {
+    try {
+        const root = execFileSync("git", ["rev-parse", "--show-toplevel"], {
+            cwd,
+            encoding: "utf8",
+            stdio: ["ignore", "pipe", "ignore"],
+        }).trim();
+        if (root)
+            return root;
+    }
+    catch {
+        // not a git repo (or git unavailable) — fall back to cwd
+    }
+    return cwd;
+}
+//# sourceMappingURL=project.js.map

package/dist/memory/project.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"project.js","sourceRoot":"","sources":["../../src/memory/project.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,UAAU,qBAAqB,CAAC,MAAc,OAAO,CAAC,GAAG,EAAE;IAC/D,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,YAAY,CAAC,KAAK,EAAE,CAAC,WAAW,EAAE,iBAAiB,CAAC,EAAE;YACjE,GAAG;YACH,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;SACpC,CAAC,CAAC,IAAI,EAAE,CAAC;QACV,IAAI,IAAI;YAAE,OAAO,IAAI,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,yDAAyD;IAC3D,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/memory/scan 2.d.ts

@@ -0,0 +1,15 @@
+import type { DatabaseSync } from "node:sqlite";
+export type ScanConfidence = "high" | "heuristic";
+export interface ScanFinding {
+    label: string;
+    preview: string;
+    confidence: ScanConfidence;
+    /** How many cells matched this (label, preview). */
+    count: number;
+    /** One example location, e.g. "messages#23839.content". */
+    sample: string;
+    /** Distinct project hints (which repo the secret leaked in), e.g. ["acme-app"]. */
+    projects: string[];
+}
+/** Scan every text cell for stored secrets. Deduped, confidence-tiered, project-attributed. */
+export declare function scanDbForSecrets(db: DatabaseSync): ScanFinding[];

package/dist/memory/scan 2.js

@@ -0,0 +1,94 @@
+/**
+ * kit memory — secret scan over the store.
+ *
+ * The memory DB is secret-dense (it indexes raw transcripts). gitleaks and most
+ * scanners only see text files, not SQLite cell contents — so this scans the text
+ * columns directly, reusing kit's SECRET_PATTERNS via findSecrets (DRY). Findings
+ * are MASKED (label + short preview), never the raw secret.
+ *
+ * Findings are DEDUPED by (label, preview) with an occurrence count, split by
+ * CONFIDENCE so the genuinely dangerous keys (sk_live, AIzaSy, AKIA, ghp_, …) are
+ * not buried under the over-eager `KEY=value` heuristic, and ATTRIBUTED to the
+ * project(s) they leaked in (via each row's cwd) so you know which provider account
+ * to rotate. Only high-confidence findings make `kit memory scan` exit non-zero.
+ */
+import { basename } from "node:path";
+import { findSecrets } from "../utils/redactSecrets.js";
+const TARGETS = [
+    {
+        table: "messages",
+        idCol: "id",
+        columns: ["content"],
+        select: "SELECT id, content, cwd AS __project FROM messages",
+    },
+    {
+        table: "tool_uses",
+        idCol: "id",
+        columns: ["tool_input"],
+        select: "SELECT tool_uses.id AS id, tool_uses.tool_input AS tool_input, m.cwd AS __project " +
+            "FROM tool_uses LEFT JOIN messages m ON m.uuid = tool_uses.message_uuid",
+    },
+    {
+        table: "pending_actions",
+        idCol: "id",
+        columns: ["title", "detail", "verify_cmd"],
+        select: "SELECT id, title, detail, verify_cmd, scope AS __project FROM pending_actions",
+    },
+    {
+        table: "saved_threads",
+        idCol: "name",
+        columns: ["summary"],
+        select: "SELECT name, summary, project_path AS __project FROM saved_threads",
+    },
+];
+// Heuristic labels are pattern-based guesses (KEY=value, tfstate blobs) that
+// frequently match benign env vars / file paths. Everything else is a structured,
+// high-confidence credential pattern.
+const HEURISTIC_LABELS = new Set(["kv-secret", "tfstate-value"]);
+function projectName(raw) {
+    if (typeof raw !== "string" || !raw)
+        return null;
+    return raw.includes("/") ? basename(raw) : raw;
+}
+/** Scan every text cell for stored secrets. Deduped, confidence-tiered, project-attributed. */
+export function scanDbForSecrets(db) {
+    const byKey = new Map();
+    for (const target of TARGETS) {
+        const rows = db.prepare(target.select).all();
+        for (const row of rows) {
+            const proj = projectName(row.__project);
+            for (const col of target.columns) {
+                const val = row[col];
+                if (typeof val !== "string" || !val)
+                    continue;
+                for (const f of findSecrets(val)) {
+                    const key = `${f.label} ${f.preview}`;
+                    let entry = byKey.get(key);
+                    if (!entry) {
+                        entry = {
+                            label: f.label,
+                            preview: f.preview,
+                            confidence: HEURISTIC_LABELS.has(f.label) ? "heuristic" : "high",
+                            count: 0,
+                            sample: `${target.table}#${row[target.idCol]}.${col}`,
+                            projects: [],
+                            _projects: new Set(),
+                        };
+                        byKey.set(key, entry);
+                    }
+                    entry.count++;
+                    if (proj)
+                        entry._projects.add(proj);
+                }
+            }
+        }
+    }
+    return [...byKey.values()]
+        .map(({ _projects, ...f }) => ({ ...f, projects: [..._projects].sort() }))
+        .sort((a, b) => {
+        if (a.confidence !== b.confidence)
+            return a.confidence === "high" ? -1 : 1;
+        return b.count - a.count;
+    });
+}
+//# sourceMappingURL=scan%202.js.map

package/dist/memory/scan 2.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan 2.js","sourceRoot":"","sources":["../../src/memory/scan 2.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAErC,OAAO,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAwBxD,MAAM,OAAO,GAAa;IACxB;QACE,KAAK,EAAE,UAAU;QACjB,KAAK,EAAE,IAAI;QACX,OAAO,EAAE,CAAC,SAAS,CAAC;QACpB,MAAM,EAAE,oDAAoD;KAC7D;IACD;QACE,KAAK,EAAE,WAAW;QAClB,KAAK,EAAE,IAAI;QACX,OAAO,EAAE,CAAC,YAAY,CAAC;QACvB,MAAM,EACJ,oFAAoF;YACpF,wEAAwE;KAC3E;IACD;QACE,KAAK,EAAE,iBAAiB;QACxB,KAAK,EAAE,IAAI;QACX,OAAO,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,CAAC;QAC1C,MAAM,EAAE,+EAA+E;KACxF;IACD;QACE,KAAK,EAAE,eAAe;QACtB,KAAK,EAAE,MAAM;QACb,OAAO,EAAE,CAAC,SAAS,CAAC;QACpB,MAAM,EAAE,oEAAoE;KAC7E;CACF,CAAC;AAEF,6EAA6E;AAC7E,kFAAkF;AAClF,sCAAsC;AACtC,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC,CAAC;AAEjE,SAAS,WAAW,CAAC,GAAY;IAC/B,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACjD,OAAO,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;AACjD,CAAC;AAED,+FAA+F;AAC/F,MAAM,UAAU,gBAAgB,CAAC,EAAgB;IAC/C,MAAM,KAAK,GAAG,IAAI,GAAG,EAAoD,CAAC;IAC1E,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,EAA+B,CAAC;QAC1E,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,IAAI,GAAG,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACxC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACjC,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;gBACrB,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,GAAG;oBAAE,SAAS;gBAC9C,KAAK,MAAM,CAAC,IAAI,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;oBACjC,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;oBACtC,IAAI,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;oBAC3B,IAAI,CAAC,KAAK,EAAE,CAAC;wBACX,KAAK,GAAG;4BACN,KAAK,EAAE,CAAC,CAAC,KAAK;4BACd,OAAO,EAAE,CAAC,CAAC,OAAO;4BAClB,UAAU,EAAE,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM;4BAChE,KAAK,EAAE,CAAC;4BACR,MAAM,EAAE,GAAG,MAAM,CAAC,KAAK,IAAI,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,GAAG,EAAE;4BACrD,QAAQ,EAAE,EAAE;4BACZ,SAAS,EAAE,IAAI,GAAG,EAAU;yBAC7B,CAAC;wBACF,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;oBACxB,CAAC;oBACD,KAAK,CAAC,KAAK,EAAE,CAAC;oBACd,IAAI,IAAI;wBAAE,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACtC,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;SACvB,GAAG,CAAC,CAAC,EAAE,SAAS,EAAE,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,QAAQ,EAAE,CAAC,GAAG,SAAS,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;SACzE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACb,IAAI,CAAC,CAAC,UAAU,KAAK,CAAC,CAAC,UAAU;YAAE,OAAO,CAAC,CAAC,UAAU,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3E,OAAO,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC;IAC3B,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/memory/scan.d.ts

@@ -0,0 +1,15 @@
+import type { DatabaseSync } from "node:sqlite";
+export type ScanConfidence = "high" | "heuristic";
+export interface ScanFinding {
+    label: string;
+    preview: string;
+    confidence: ScanConfidence;
+    /** How many cells matched this (label, preview). */
+    count: number;
+    /** One example location, e.g. "messages#23839.content". */
+    sample: string;
+    /** Distinct project hints (which repo the secret leaked in), e.g. ["acme-app"]. */
+    projects: string[];
+}
+/** Scan every text cell for stored secrets. Deduped, confidence-tiered, project-attributed. */
+export declare function scanDbForSecrets(db: DatabaseSync): ScanFinding[];