sessionmem 1.0.0

package/dist/adapters/ide/cline.js

@@ -0,0 +1,20 @@
+import { join } from "path";
+import { homedir } from "os";
+import { GenericMCPAdapter } from "../generic.js";
+import { IDEInstaller } from "./installer.js";
+export class ClineAdapter extends GenericMCPAdapter {
+    name = "Cline";
+    capabilities = {
+        supportsPrompts: true,
+        supportsResources: true,
+        supportsTools: true,
+    };
+    async install() {
+        const configPath = join(homedir(), ".cline", "config.json");
+        return IDEInstaller.injectMcpConfig(configPath, "sessionmem", "sessionmem", ["run"]);
+    }
+    async uninstall() {
+        const configPath = join(homedir(), ".cline", "config.json");
+        return IDEInstaller.removeMcpConfig(configPath, "sessionmem");
+    }
+}

package/dist/adapters/ide/cursor.js

@@ -0,0 +1,28 @@
+import { join } from "path";
+import { homedir } from "os";
+import { GenericMCPAdapter } from "../generic.js";
+import { IDEInstaller } from "./installer.js";
+export class CursorAdapter extends GenericMCPAdapter {
+    name = "Cursor";
+    capabilities = {
+        supportsPrompts: false,
+        supportsResources: false,
+        supportsTools: true,
+    };
+    get configPath() {
+        const home = homedir();
+        if (process.platform === "win32") {
+            return join(process.env.APPDATA ?? home, "Cursor", "User", "settings.json");
+        }
+        if (process.platform === "darwin") {
+            return join(home, "Library", "Application Support", "Cursor", "User", "settings.json");
+        }
+        return join(home, ".config", "Cursor", "User", "settings.json");
+    }
+    async install() {
+        return IDEInstaller.injectMcpConfig(this.configPath, "sessionmem", "sessionmem", ["run"]);
+    }
+    async uninstall() {
+        return IDEInstaller.removeMcpConfig(this.configPath, "sessionmem");
+    }
+}

package/dist/adapters/ide/installer.js

@@ -0,0 +1,57 @@
+export class IDEInstaller {
+    static parseJsonc(content) {
+        const stripped = content
+            .replace(/\/\/[^\n]*/g, "")
+            .replace(/,(\s*[}\]])/g, "$1");
+        return JSON.parse(stripped);
+    }
+    static injectMcpBlock(content, serverName, command, args) {
+        const config = content.trim()
+            ? this.parseJsonc(content)
+            : {};
+        if (!config.mcpServers)
+            config.mcpServers = {};
+        config.mcpServers[serverName] = {
+            command,
+            args,
+        };
+        return JSON.stringify(config, null, 2);
+    }
+    static removeMcpBlock(content, serverName) {
+        const config = content.trim()
+            ? this.parseJsonc(content)
+            : {};
+        if (config.mcpServers) {
+            delete config.mcpServers[serverName];
+        }
+        return JSON.stringify(config, null, 2);
+    }
+    static async injectMcpConfig(filePath, serverName, command, args) {
+        try {
+            const { readFileSync, writeFileSync, existsSync } = await import("fs");
+            const existing = existsSync(filePath)
+                ? readFileSync(filePath, "utf-8")
+                : "{}";
+            const updated = this.injectMcpBlock(existing, serverName, command, args);
+            writeFileSync(filePath, updated, "utf-8");
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    static async removeMcpConfig(filePath, serverName) {
+        try {
+            const { readFileSync, writeFileSync, existsSync } = await import("fs");
+            if (!existsSync(filePath))
+                return true;
+            const existing = readFileSync(filePath, "utf-8");
+            const updated = this.removeMcpBlock(existing, serverName);
+            writeFileSync(filePath, updated, "utf-8");
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+}

package/dist/adapters/ide/windsurf.js

@@ -0,0 +1,28 @@
+import { join } from "path";
+import { homedir } from "os";
+import { GenericMCPAdapter } from "../generic.js";
+import { IDEInstaller } from "./installer.js";
+export class WindsurfAdapter extends GenericMCPAdapter {
+    name = "Windsurf";
+    capabilities = {
+        supportsPrompts: true,
+        supportsResources: true,
+        supportsTools: true,
+    };
+    get configPath() {
+        const home = homedir();
+        if (process.platform === "win32") {
+            return join(process.env.APPDATA ?? home, "Windsurf", "User", "settings.json");
+        }
+        if (process.platform === "darwin") {
+            return join(home, "Library", "Application Support", "Windsurf", "User", "settings.json");
+        }
+        return join(home, ".config", "Windsurf", "User", "settings.json");
+    }
+    async install() {
+        return IDEInstaller.injectMcpConfig(this.configPath, "sessionmem", "sessionmem", ["run"]);
+    }
+    async uninstall() {
+        return IDEInstaller.removeMcpConfig(this.configPath, "sessionmem");
+    }
+}

package/dist/adapters/tools/ping.js

@@ -0,0 +1,15 @@
+export const pingTool = {
+    name: "sessionmem_ping",
+    description: "Ping the sessionmem MCP server to verify it is running correctly.",
+    schema: {
+        type: "object",
+        properties: {},
+    },
+    execute: async () => {
+        return {
+            status: "ok",
+            version: "0.1.0",
+            message: "sessionmem MCP server is operational.",
+        };
+    }
+};

package/dist/cli/commands/config.js

@@ -0,0 +1,79 @@
+import { configFilePath, readPolicyConfig, writePolicyConfig, } from "../../core/config/policyConfig.js";
+function coerceInt(raw) {
+    // Reject anything that is not a clean integer so we never persist NaN or
+    // partial garbage (e.g. "30abc" -> 30 from parseInt is rejected here).
+    if (!/^-?\d+$/.test(raw.trim())) {
+        throw new Error(`expected an integer, got "${raw}"`);
+    }
+    return Number.parseInt(raw.trim(), 10);
+}
+// 100 years (in days). Far beyond any realistic retention window, and keeps
+// `Date.now() - retentionDays * 24 * 60 * 60 * 1000` well within the safe
+// Date range so `pruneMemories`'s cutoff computation never throws RangeError.
+// Exported so `retention prune --days` enforces the same
+// bound as `config set retentionDays`.
+export const MAX_RETENTION_DAYS = 36500;
+function coerceRetentionDays(raw) {
+    const n = coerceInt(raw);
+    if (n > MAX_RETENTION_DAYS) {
+        throw new Error(`retentionDays must be <= ${MAX_RETENTION_DAYS}, got "${raw}"`);
+    }
+    return n;
+}
+function coerceBool(raw) {
+    const v = raw.trim().toLowerCase();
+    if (v === "true")
+        return true;
+    if (v === "false")
+        return false;
+    throw new Error(`expected "true" or "false", got "${raw}"`);
+}
+// Accept both the dotted operator key (retention.days) and the raw policyConfig
+// field name (retentionDays) so CLI and policyConfig stay consistent (plan note).
+const CONFIG_KEYS = {
+    "retention.days": { field: "retentionDays", coerce: coerceRetentionDays },
+    retentionDays: { field: "retentionDays", coerce: coerceRetentionDays },
+    redactionEnabled: { field: "redactionEnabled", coerce: coerceBool },
+};
+function resolvePath(options) {
+    return options?.configPath ?? configFilePath();
+}
+/**
+ * `sessionmem config get <key>` — print the effective value for a known key.
+ * Unknown key -> error + exit 1.
+ */
+export function configGetCommand(key, options) {
+    const def = CONFIG_KEYS[key];
+    if (!def) {
+        console.error(`Unknown config key "${key}". Known keys: ${Object.keys(CONFIG_KEYS).join(", ")}`);
+        process.exit(1);
+        return;
+    }
+    const config = readPolicyConfig(resolvePath(options));
+    console.log(String(config[def.field]));
+}
+/**
+ * `sessionmem config set <key> <value>` — coerce and persist to config.json.
+ * Unknown key or invalid value -> error + exit 1 with NO file write.
+ */
+export function configSetCommand(key, value, options) {
+    const def = CONFIG_KEYS[key];
+    if (!def) {
+        console.error(`Unknown config key "${key}". Known keys: ${Object.keys(CONFIG_KEYS).join(", ")}`);
+        process.exit(1);
+        return;
+    }
+    let coerced;
+    try {
+        coerced = def.coerce(value);
+    }
+    catch (err) {
+        console.error(`Invalid value for "${key}": ${err instanceof Error ? err.message : String(err)}`);
+        process.exit(1);
+        return;
+    }
+    writePolicyConfig(resolvePath(options), {
+        [def.field]: coerced,
+    });
+    console.log(`Set ${key} = ${String(coerced)}`);
+}

package/dist/cli/commands/export.js

@@ -0,0 +1,28 @@
+import { homedir } from "os";
+import { join, dirname } from "path";
+import { resolve } from "path";
+import { mkdirSync, writeFileSync } from "fs";
+import { createCliContext } from "../context.js";
+export async function exportCommand(pathArg, ctx) {
+    const context = ctx ?? createCliContext();
+    const res = await context.service.call("exportMemories", {
+        projectId: context.projectId,
+    });
+    if (!res.ok) {
+        console.error(res.error.message);
+        process.exit(1);
+    }
+    // Default to an ISO-dated path; resolve user-supplied path otherwise.
+    // Path comes from the local CLI invoker's own argv (same trust level as
+    // the process itself), not from a remote/network-facing input, so
+    // resolving it to an absolute path is not a path-traversal vector.
+    const outPath = pathArg
+        ? resolve(pathArg) // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
+        : join(homedir(), ".sessionmem", `export-${new Date().toISOString().slice(0, 10)}.json`);
+    // Ensure the target directory exists (the default ~/.sessionmem dir may not
+    // have been created yet in this context, e.g. a test-supplied CliContext).
+    mkdirSync(dirname(outPath), { recursive: true });
+    // Write as a pretty-printed JSON array
+    writeFileSync(outPath, JSON.stringify(res.memories, null, 2), "utf8");
+    console.log(`Exported ${res.memories.length} memories to ${outPath}`);
+}

package/dist/cli/commands/forget.js

@@ -0,0 +1,28 @@
+import { createCliContext } from "../context.js";
+export async function forgetCommand(id, options, ctx) {
+    const context = ctx ?? createCliContext();
+    const getResult = await context.service.call("getMemory", {
+        projectId: context.projectId,
+        memoryId: id,
+    });
+    if (!getResult.ok) {
+        console.error(getResult.error.message);
+        process.exit(1);
+    }
+    if (!options.force) {
+        // Dry-run: preview and exit 0 without deleting
+        const preview = getResult.memory.content.replace(/\s+/g, " ").slice(0, 60);
+        console.log(`Would delete: ${preview}. Pass --force to confirm.`);
+        return;
+    }
+    // --force path: actually delete
+    const deleteResult = await context.service.call("forgetMemory", {
+        projectId: context.projectId,
+        memoryId: id,
+    });
+    if (!deleteResult.ok) {
+        console.error(deleteResult.error.message);
+        process.exit(1);
+    }
+    console.log(`Deleted ${id}.`);
+}

package/dist/cli/commands/import.js

@@ -0,0 +1,112 @@
+import { resolve } from "path";
+import { readFileSync } from "fs";
+import { listAllMemoryIds } from "../../core/storage/memoryRepo.js";
+import { createCliContext } from "../context.js";
+import { importMemoryRecordSchema } from "../../core/api/contracts.js";
+export async function importCommand(pathArg, options, ctx) {
+    const context = ctx ?? createCliContext();
+    // V12: resolve user-supplied path.
+    // Path comes from the local CLI invoker's own argv (same trust level as
+    // the process itself), not from a remote/network-facing input, so
+    // resolving it to an absolute path is not a path-traversal vector.
+    // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
+    const inPath = resolve(pathArg);
+    // Read and parse the JSON file
+    let parsed;
+    try {
+        const raw = readFileSync(inPath, "utf8");
+        parsed = JSON.parse(raw);
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        console.error(`Failed to read or parse import file: ${message}`);
+        process.exit(1);
+    }
+    // Must be an array
+    if (!Array.isArray(parsed)) {
+        console.error("Import file must be a JSON array of memory records.");
+        process.exit(1);
+    }
+    const records = parsed;
+    let toImport = records;
+    let skippedCount = 0;
+    if (!options.merge) {
+        // By default, skip existing IDs (pre-filter). `id` is a
+        // globally-unique PRIMARY KEY (not scoped by project), so the duplicate
+        // check must consider every project's ids -- otherwise a record whose id
+        // collides with another project's memory would not be pre-filtered here
+        // and could fall through to the service's ON CONFLICT(id) upsert.
+        const existingIds = listAllMemoryIds(context.db);
+        const filtered = records.filter((r) => {
+            const id = typeof r.id === "string" ? r.id : undefined;
+            return id === undefined || !existingIds.has(id);
+        });
+        skippedCount = records.length - filtered.length;
+        toImport = filtered;
+    }
+    if (toImport.length === 0 && skippedCount > 0) {
+        console.log(`Imported 0, skipped ${skippedCount} duplicates.`);
+        return;
+    }
+    // Map to the expected shape, then validate each record before sending to the service
+    const mapped = toImport.map((r) => ({
+        id: r.id,
+        projectId: r.projectId ?? context.projectId,
+        sessionId: r.sessionId,
+        sourceAdapter: r.sourceAdapter,
+        kind: r.kind,
+        content: r.content,
+        importance: r.importance,
+        createdAt: r.createdAt,
+        updatedAt: r.updatedAt,
+    }));
+    // Validate each record but skip-and-warn on individual invalid
+    // records (consistent with the duplicate-skip UX) instead of aborting the
+    // entire import on the first invalid record, which would discard earlier
+    // valid records with no partial import.
+    const validMemories = [];
+    let invalidCount = 0;
+    for (let i = 0; i < mapped.length; i++) {
+        const check = importMemoryRecordSchema.safeParse(mapped[i]);
+        if (!check.success) {
+            console.error(`Record at index ${i} is invalid, skipping: ${check.error.message}`);
+            invalidCount += 1;
+            continue;
+        }
+        validMemories.push(mapped[i]);
+    }
+    if (validMemories.length === 0) {
+        if (invalidCount > 0) {
+            console.log(`Imported 0, skipped ${invalidCount} invalid record(s).`);
+        }
+        else if (skippedCount > 0) {
+            console.log(`Imported 0, skipped ${skippedCount} duplicates.`);
+        }
+        return;
+    }
+    const result = await context.service.call("importMemories", {
+        projectId: context.projectId,
+        // No explicit redactionEnabled here: the service resolves the effective
+        // value from ~/.sessionmem/config.json (override > config > default),
+        // so `sessionmem config set redactionEnabled false` governs the
+        // import write path too.
+        memories: validMemories,
+    });
+    if (!result.ok) {
+        console.error(result.error.message);
+        process.exit(1);
+    }
+    const importedCount = result.imported;
+    let suffix = result.skippedCrossProject > 0
+        ? ` (${result.skippedCrossProject} skipped: id belongs to another project)`
+        : "";
+    if (invalidCount > 0) {
+        suffix += ` (${invalidCount} invalid record(s) skipped)`;
+    }
+    if (options.merge) {
+        console.log(`Imported (merged) ${importedCount} memories.${suffix}`);
+    }
+    else {
+        console.log(`Imported ${importedCount}, skipped ${skippedCount} duplicates.${suffix}`);
+    }
+}

package/dist/cli/commands/install.js

@@ -0,0 +1,57 @@
+import { existsSync } from "fs";
+import { AdapterFactory } from "../../adapters/factory.js";
+import { createCliContext } from "../context.js";
+import { configFilePath, writePolicyConfig, DEFAULT_POLICY_CONFIG, } from "../../core/config/policyConfig.js";
+export const MANUAL_CONFIG_BLOCK = JSON.stringify({
+    mcpServers: {
+        sessionmem: {
+            command: "sessionmem",
+            args: ["run"],
+        },
+    },
+}, null, 2);
+export function printManualFallback(adapterName) {
+    console.error(`Auto-config for ${adapterName} failed. Add this block to your MCP config manually:`);
+    console.log(MANUAL_CONFIG_BLOCK);
+}
+export async function installCommand(_options, contextOverrides) {
+    // Step 1: DB init — run migrations and confirm DB init
+    let dbPath;
+    try {
+        const ctx = createCliContext(contextOverrides);
+        dbPath = ctx.dbPath;
+    }
+    catch (err) {
+        console.error(`✗ DB init failed (~/.sessionmem/memories.db): ${err instanceof Error ? err.message : String(err)}`);
+        console.error("Hint: ensure ~/.sessionmem directory is writable and run `sessionmem install` again.");
+        process.exit(1);
+    }
+    console.log(`✓ DB initialized (${dbPath})`);
+    // Step 1b: Config defaults — write config.json with defaults only when absent.
+    // An existing config is preserved byte-for-byte so user settings are
+    // never clobbered.
+    const configPath = contextOverrides?.configPath ?? configFilePath();
+    if (existsSync(configPath)) {
+        console.log(`✓ config.json preserved (${configPath})`);
+    }
+    else {
+        writePolicyConfig(configPath, { ...DEFAULT_POLICY_CONFIG });
+        console.log(`✓ config.json initialized (${configPath})`);
+    }
+    // Step 2: Adapter config — detect adapter and install
+    const adapter = AdapterFactory.detectAdapter();
+    if (!adapter.install) {
+        console.error(`✗ ${adapter.name} config update failed`);
+        printManualFallback(adapter.name);
+        process.exit(1);
+    }
+    const success = await adapter.install();
+    if (!success) {
+        console.error(`✗ ${adapter.name} config update failed`);
+        printManualFallback(adapter.name);
+        process.exit(1);
+    }
+    console.log(`✓ ${adapter.name} config updated`);
+    // Step 3: Full success checklist
+    console.log("✓ sessionmem ready");
+}

package/dist/cli/commands/list.js

@@ -0,0 +1,13 @@
+import { createCliContext } from "../context.js";
+import { formatTable } from "../output.js";
+export async function listCommand(ctx) {
+    const context = ctx ?? createCliContext();
+    const result = await context.service.call("listMemories", {
+        projectId: context.projectId,
+    });
+    if (!result.ok) {
+        console.error(result.error.message);
+        process.exit(1);
+    }
+    console.log(formatTable(result.memories));
+}

package/dist/cli/commands/ping.js

@@ -0,0 +1,12 @@
+import { pingTool } from "../../adapters/tools/ping.js";
+export async function pingCommand() {
+    const result = await pingTool.execute();
+    console.log(`status: ${result.status}`);
+    console.log(`version: ${result.version}`);
+    console.log(`message: ${result.message}`);
+    if (result.status !== "ok") {
+        console.error(`sessionmem ping failed: ${result.message}`);
+        process.exit(1);
+    }
+    // exit 0 on success (implicit)
+}

package/dist/cli/commands/redactScan.js

@@ -0,0 +1,40 @@
+import { createCliContext } from "../context.js";
+/**
+ * `sessionmem redact-scan [--apply]`.
+ *
+ * Scan-by-default one-time scrub over pre-existing memories: with no
+ * flags it reports `Found N memories with potential secrets` plus truncated,
+ * already-redacted previews and writes nothing. `--apply` redacts matching rows
+ * in place and prints a summary count.
+ *
+ * The underlying `redactExisting` service builds previews from the REDACTED text
+ * (never the raw secret) and length-bounds them, so printing them as-is cannot
+ * leak a full secret. Scan always calls with apply:false so a missing
+ * --apply can never mutate data.
+ */
+export async function redactScanCommand(options, ctx) {
+    const context = ctx ?? createCliContext();
+    const apply = !!options.apply;
+    const result = await context.service.call("redactExisting", {
+        projectId: context.projectId,
+        apply,
+    });
+    if (!result.ok) {
+        console.error(result.error.message);
+        process.exit(1);
+    }
+    if (apply) {
+        if (result.skipped > 0) {
+            console.log(`Redacted ${result.updated} memories; ${result.skipped} skipped (not found).`);
+        }
+        else {
+            console.log(`Redacted ${result.updated} memories.`);
+        }
+        return;
+    }
+    // Scan (non-destructive): report match count and print the safe previews.
+    console.log(`Found ${result.matched} memories with potential secrets`);
+    for (const preview of result.previews) {
+        console.log(`  ${preview}`);
+    }
+}

package/dist/cli/commands/retention.js

@@ -0,0 +1,54 @@
+import { createCliContext } from "../context.js";
+import { configFilePath, readPolicyConfig, resolvePolicySettings, } from "../../core/config/policyConfig.js";
+import { MAX_RETENTION_DAYS } from "./config.js";
+/**
+ * `sessionmem retention prune [--force] [--days <n>]`.
+ *
+ * Dry-run by default: prints the eligible count and exits 0 without
+ * deleting. `--force` hard-deletes eligible memories and prints a summary count.
+ *
+ * Effective retentionDays follows precedence CLI flag > config.json > default
+ * via {@link resolvePolicySettings}. The dry-run path always calls
+ * pruneMemories with dryRun:true so a missing --force can never delete.
+ */
+export async function retentionPruneCommand(options, ctx) {
+    const context = ctx ?? createCliContext();
+    // --days override must be a clean integer, matching `config set
+    // retention.days`'s validation: Number.parseInt("30abc", 10) === 30
+    // would otherwise silently accept trailing garbage. Also enforce the same
+    // upper bound as `config set` so an out-of-range --days can't
+    // produce an Invalid Date / RangeError when computing the prune cutoff.
+    let override;
+    if (options.days !== undefined) {
+        const trimmed = options.days.trim();
+        if (!/^-?\d+$/.test(trimmed)) {
+            console.error(`Invalid --days value "${options.days}": expected an integer.`);
+            process.exit(1);
+        }
+        const parsed = Number.parseInt(trimmed, 10);
+        if (parsed > MAX_RETENTION_DAYS) {
+            console.error(`Invalid --days value "${options.days}": must be <= ${MAX_RETENTION_DAYS}.`);
+            process.exit(1);
+        }
+        override = { retentionDays: parsed };
+    }
+    const { retentionDays } = resolvePolicySettings({
+        override,
+        config: readPolicyConfig(configFilePath()),
+    });
+    const dryRun = !options.force;
+    const result = await context.service.call("pruneMemories", {
+        projectId: context.projectId,
+        retentionDays,
+        dryRun,
+    });
+    if (!result.ok) {
+        console.error(result.error.message);
+        process.exit(1);
+    }
+    if (dryRun) {
+        console.log(`Would delete ${result.eligible} memories older than ${retentionDays} days. Pass --force to confirm.`);
+        return;
+    }
+    console.log(`Deleted ${result.deleted} memories.`);
+}

package/dist/cli/commands/run.js

@@ -0,0 +1,26 @@
+import { AdapterFactory } from "../../adapters/factory.js";
+import { mkdirSync, writeFileSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+export async function runMcpServer() {
+    const adapter = AdapterFactory.detectAdapter();
+    // Setup rudimentary log for debugging manual configs
+    const logDir = join(homedir(), ".sessionmem", "logs");
+    const logPath = join(logDir, "mcp.log");
+    const logMessage = `[${new Date().toISOString()}] Started sessionmem via ${adapter.name}\n`;
+    try {
+        mkdirSync(logDir, { recursive: true });
+        writeFileSync(logPath, logMessage, { flag: "a" });
+    }
+    catch {
+        // best-effort logging; ignore failures
+    }
+    // Start the server
+    if (adapter.startMcpServer) {
+        await adapter.startMcpServer();
+    }
+    else {
+        console.error(`Adapter ${adapter.name} does not implement startMcpServer.`);
+        process.exit(1);
+    }
+}

package/dist/cli/commands/search.js

@@ -0,0 +1,29 @@
+import { createCliContext } from "../context.js";
+import { formatTable } from "../output.js";
+const DEFAULT_LIMIT = 20;
+function coerceLimit(value) {
+    if (value === undefined)
+        return DEFAULT_LIMIT;
+    const parsed = Number.parseInt(String(value), 10);
+    return Number.isFinite(parsed) && parsed > 0 ? parsed : DEFAULT_LIMIT;
+}
+export async function searchCommand(query, options = {}, ctx) {
+    const context = ctx ?? createCliContext();
+    const result = await context.service.call("retrieveMemories", {
+        projectId: context.projectId,
+        query,
+        limit: coerceLimit(options.limit),
+        mode: "auto",
+        depth: "default",
+    });
+    if (!result.ok) {
+        console.error(result.error.message);
+        process.exit(1);
+    }
+    console.log(formatTable(result.memories));
+    // Surface the pre-rendered startup-injection block so the
+    // `author:` provenance annotation for teammate-authored memories is
+    // observable in real `search` output. Already a rendered string; no ANSI
+    // color.
+    console.log(result.startupInjection);
+}

package/dist/cli/commands/show.js

@@ -0,0 +1,15 @@
+import { createCliContext } from "../context.js";
+import { formatKeyValue } from "../output.js";
+export async function showCommand(id, ctx) {
+    const context = ctx ?? createCliContext();
+    // Use call() to get the envelope (catches DomainError for NOT_FOUND)
+    const result = await context.service.call("getMemory", {
+        projectId: context.projectId,
+        memoryId: id,
+    });
+    if (!result.ok) {
+        console.error(result.error.message);
+        process.exit(1);
+    }
+    process.stdout.write(formatKeyValue(result.memory) + "\n");
+}