sessionmem 1.0.5 → 1.1.0

package/dist/core/storage/summarizationFailuresRepo.js

@@ -1,12 +1,10 @@
-function toParams(input) {
-    return {
-        ...input,
-        created_at: input.created_at ?? null,
-        updated_at: input.updated_at ?? null,
-    };
-}
-export function insertSummarizationFailure(db, input) {
-    const stmt = db.prepare(`
+const sumFailStmtCache = new WeakMap();
+function getSumFailStatements(db) {
+    let stmts = sumFailStmtCache.get(db);
+    if (stmts)
+        return stmts;
+    stmts = {
+        insertFailure: db.prepare(`
     INSERT INTO summarization_failures (
       id, project_id, session_id, source_adapter, reason, attempt_count, last_error_json, created_at, updated_at
     ) VALUES (
@@ -14,26 +12,38 @@ export function insertSummarizationFailure(db, input) {
       COALESCE(@created_at, strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
       COALESCE(@updated_at, strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
     )
-  `);
-    stmt.run(toParams(input));
-}
-export function listSummarizationFailures(db, projectId, sessionId) {
-    if (sessionId) {
-        const stmt = db.prepare(`
-      SELECT
-        id, project_id, session_id, source_adapter, reason, attempt_count, last_error_json, created_at, updated_at
-      FROM summarization_failures
-      WHERE project_id = ? AND session_id = ?
-      ORDER BY updated_at DESC
-    `);
-        return stmt.all(projectId, sessionId);
-    }
-    const stmt = db.prepare(`
+  `),
+        listByProjectAndSession: db.prepare(`
+    SELECT
+      id, project_id, session_id, source_adapter, reason, attempt_count, last_error_json, created_at, updated_at
+    FROM summarization_failures
+    WHERE project_id = ? AND session_id = ?
+    ORDER BY updated_at DESC
+  `),
+        listByProject: db.prepare(`
     SELECT
       id, project_id, session_id, source_adapter, reason, attempt_count, last_error_json, created_at, updated_at
     FROM summarization_failures
     WHERE project_id = ?
     ORDER BY updated_at DESC
-  `);
-    return stmt.all(projectId);
+  `),
+    };
+    sumFailStmtCache.set(db, stmts);
+    return stmts;
+}
+function toParams(input) {
+    return {
+        ...input,
+        created_at: input.created_at ?? null,
+        updated_at: input.updated_at ?? null,
+    };
+}
+export function insertSummarizationFailure(db, input) {
+    getSumFailStatements(db).insertFailure.run(toParams(input));
+}
+export function listSummarizationFailures(db, projectId, sessionId) {
+    if (sessionId) {
+        return getSumFailStatements(db).listByProjectAndSession.all(projectId, sessionId);
+    }
+    return getSumFailStatements(db).listByProject.all(projectId);
 }

package/dist/core/storage/tokenSavingsRepo.js

@@ -0,0 +1,20 @@
+const tokenSavingsStmtCache = new WeakMap();
+function getTokenSavingsStatements(db) {
+    let stmts = tokenSavingsStmtCache.get(db);
+    if (stmts)
+        return stmts;
+    stmts = {
+        countDistinctSessions: db.prepare("SELECT COUNT(DISTINCT session_id) AS count FROM session_events WHERE project_id = ?"),
+        listPayloads: db.prepare("SELECT payload_json FROM session_events WHERE project_id = ?"),
+    };
+    tokenSavingsStmtCache.set(db, stmts);
+    return stmts;
+}
+export function countDistinctSessions(db, projectId) {
+    const row = getTokenSavingsStatements(db).countDistinctSessions.get(projectId);
+    return row.count;
+}
+export function listEventPayloads(db, projectId) {
+    const rows = getTokenSavingsStatements(db).listPayloads.all(projectId);
+    return rows.map(r => r.payload_json);
+}

package/dist/core/summarize/cloudSummarizer.js

@@ -1,19 +1,48 @@
+import Anthropic from "@anthropic-ai/sdk";
 import { summarizeLocalSessionEvents } from "./localSummarizer.js";
-const DEFAULT_CLOUD_MODEL = "claude-sonnet-4-20250514";
+import { DEFAULT_SUMMARIZER_MODEL } from "../config/policyConfig.js";
+const CLOUD_SYSTEM_PROMPT = "You are a memory compressor for AI coding sessions. Given this session transcript summary, produce a compact, high-signal list of facts, decisions, and context that should be remembered. Be extremely concise.";
 export async function summarizeWithCloud(input) {
     if (!input.anthropicApiKey.trim()) {
         throw new Error("Missing anthropicApiKey");
     }
-    const result = await summarizeLocalSessionEvents({
+    // Step 1: Preprocess via local summarizer (extract, redact, structure)
+    const localResult = await summarizeLocalSessionEvents({
         events: input.events,
         summaryTokenCap: input.summaryTokenCap,
         redactionEnabled: input.redactionEnabled,
         factMode: input.factMode,
         redactionRules: input.redactionRules,
     });
-    const modelTag = input.model ?? DEFAULT_CLOUD_MODEL;
+    // Step 2: Send preprocessed summary to Claude for compression
+    const model = input.model ?? DEFAULT_SUMMARIZER_MODEL;
+    const client = new Anthropic({ apiKey: input.anthropicApiKey });
+    const response = await client.messages.create({
+        model,
+        // Cap the per-response token budget so a large summaryTokenCap cannot pass
+        // an out-of-range max_tokens to the API (which would error).
+        max_tokens: Math.min(Math.floor((input.summaryTokenCap ?? 4000) * 1.5), 8192),
+        system: CLOUD_SYSTEM_PROMPT,
+        messages: [{ role: "user", content: localResult.summary }],
+    });
+    // Extract text from response content blocks
+    let text = response.content
+        .filter((block) => block.type === "text")
+        .map((block) => block.text)
+        .join("\n");
+    // Throw on an empty response rather than storing an empty memory; the
+    // session-lifecycle retry/fallback-to-local path handles the failure.
+    if (!text || text.trim().length === 0) {
+        throw new Error("Cloud summarizer returned empty response");
+    }
+    // Cap cloud output to summaryTokenCap (rough token→char ratio) for parity
+    // with the local summarizer, so a verbose cloud response cannot blow past the
+    // configured budget.
+    if (input.summaryTokenCap && text.length > input.summaryTokenCap * 4) {
+        text = text.slice(0, input.summaryTokenCap * 4);
+    }
     return {
-        summary: `[model:${modelTag}] ${result.summary}`,
-        warningCodes: result.warningCodes,
+        summary: text,
+        warningCodes: localResult.warningCodes,
     };
 }

package/dist/core/summarize/localSummarizer.js

@@ -1,16 +1,7 @@
 import { normalizeEmbeddingText } from "../embed/textNormalize.js";
+import { capTokens, countTokens } from "../injection/tokenBudget.js";
 import { applyRedaction } from "./redaction.js";
 import { buildStructuredSummary } from "./summaryShape.js";
-function countTokens(text) {
-    return text.trim().split(/\s+/).filter(Boolean).length;
-}
-function capTokens(text, cap) {
-    const tokens = text.trim().split(/\s+/).filter(Boolean);
-    if (tokens.length <= cap) {
-        return text;
-    }
-    return `${tokens.slice(0, cap).join(" ")} ...`;
-}
 export async function summarizeLocalSessionEvents(input) {
     const structured = buildStructuredSummary(input.events, {
         factMode: input.factMode,

package/dist/core/summarize/redaction.js

@@ -3,8 +3,20 @@
 // a fragment of a larger secret and leave a partial body behind. All patterns are
 // anchored with explicit literal prefixes/markers and use bounded quantifiers to
 // avoid catastrophic backtracking (ReDoS).
-function defaultRules() {
+//
+// The rule set is allocated once at module load (not per call): the rules are
+// pure, stateless closures, so hoisting avoids re-allocating 8 closures on every
+// applyRedaction invocation — a measurable saving in batch/import/pull loops.
+// The regex literals carry no `lastIndex` state because every pattern is used
+// with String.prototype.replace (not stateful .test()/.exec() on a shared regex).
+const DEFAULT_RULES = createDefaultRules();
+function createDefaultRules() {
     return [
+        // URL-embedded credentials: scheme://user:password@host. Run BEFORE the
+        // email rule so the `password@host` segment is collapsed here rather than
+        // partially matched as an email. Scheme + host are preserved; the
+        // user:password pair is redacted. Bounded quantifiers stay ReDoS-safe.
+        (input) => input.replace(/\b([a-z][a-z0-9+.-]{0,20}:\/\/)[^\s:/@]{1,256}:[^\s/@]{1,256}@/gi, "$1[REDACTED_CREDENTIALS]@"),
         // Email (original rule — unchanged).
         (input) => input.replace(/\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi, "[REDACTED_EMAIL]"),
         // PEM private key block: ----BEGIN <type> PRIVATE KEY---- ... ----END ... ----.
@@ -14,14 +26,39 @@ function defaultRules() {
         (input) => input.replace(/\beyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\b/g, "[REDACTED_JWT]"),
         // AWS access key id: AKIA + 16 uppercase alphanumerics.
         (input) => input.replace(/\bAKIA[A-Z0-9]{16}\b/g, "[REDACTED_AWS_KEY]"),
-        // GitHub tokens: ghp_/gho_/ghu_/ghs_/ghr_ + 36 alphanumerics.
-        (input) => input.replace(/\bgh[poushr]_[A-Za-z0-9]{36}\b/g, "[REDACTED_GITHUB_TOKEN]"),
-        // OpenAI-style API key (original rule — unchanged).
-        (input) => input.replace(/sk-[a-zA-Z0-9]{12,}/g, "[REDACTED_API_KEY]"),
+        // AWS temporary credentials access key id: ASIA + 16 uppercase alphanumerics.
+        (input) => input.replace(/\bASIA[A-Z0-9]{16}\b/g, "[REDACTED_AWS_KEY]"),
+        // GitHub tokens: ghp_/gho_/ghu_/ghs_/ghr_ + 36 OR MORE alphanumerics
+        // (GitHub has lengthened tokens over time; `{36,}` future-proofs the rule).
+        (input) => input.replace(/\bgh[poushr]_[A-Za-z0-9]{36,}\b/g, "[REDACTED_GITHUB_TOKEN]"),
+        // GitHub fine-grained personal access tokens: github_pat_ + long body.
+        (input) => input.replace(/\bgithub_pat_[A-Za-z0-9_]{20,}\b/g, "[REDACTED_GITHUB_TOKEN]"),
+        // Slack tokens: xoxb-/xoxp-/xoxa-/xoxr-/xoxs-/xoxe-/xoxc-/xoxt- and the
+        // app-level xapp- prefix + dash-delimited segments.
+        (input) => input.replace(/\b(?:xox[baprsect]|xapp)-[A-Za-z0-9-]{10,256}\b/g, "[REDACTED_SLACK_TOKEN]"),
+        // Stripe live keys: secret (sk_live_), restricted (rk_live_), and
+        // publishable (pk_live_) + 24 or more alphanumerics.
+        (input) => input.replace(/\b[srp]k_live_[A-Za-z0-9]{24,}\b/g, "[REDACTED_STRIPE_KEY]"),
+        // npm access tokens: npm_ + 36 alphanumerics.
+        (input) => input.replace(/\bnpm_[A-Za-z0-9]{36}\b/g, "[REDACTED_NPM_TOKEN]"),
+        // Google API keys: AIza + 35 url-safe chars (39 total).
+        (input) => input.replace(/\bAIza[0-9A-Za-z_-]{35}\b/g, "[REDACTED_GOOGLE_API_KEY]"),
+        // OpenAI-style API key. Allow an optional internal dash segment so
+        // project-scoped keys (sk-proj-...) are fully redacted rather than leaving
+        // the project segment behind. Bounded quantifiers stay ReDoS-safe.
+        (input) => input.replace(/\bsk-(?:[a-zA-Z0-9]{1,32}-){0,4}[a-zA-Z0-9]{12,200}\b/g, "[REDACTED_API_KEY]"),
         // Bearer token header value: "Bearer <token>" (case-insensitive), token redacted.
         (input) => input.replace(/\bBearer\s+[A-Za-z0-9._~+/-]{8,}=*/gi, "Bearer [REDACTED_BEARER_TOKEN]"),
-        // Connection-string assignment: password=/secret= value -> key kept, value redacted.
-        (input) => input.replace(/\b(password|secret)=([^\s"'&;]+)/gi, "$1=[REDACTED]"),
+        // Config/connection-string assignments: key=value where key is a known
+        // secret-bearing name. The key is kept and the value redacted. Covers
+        // password/secret plus api_key/apikey/token/access_token/pwd in URL query
+        // strings and config files. The `=` separator may carry surrounding spaces.
+        (input) => input.replace(/\b(password|passwd|pwd|secret|api[_-]?key|access[_-]?token|token)\s*=\s*([^\s"'&;]+)/gi, "$1=[REDACTED]"),
+        // JSON-form secret assignments: "key": "value" for known secret-bearing
+        // keys. Complements the key=value rule above so secrets embedded in JSON
+        // payloads (config files, logged request bodies) are redacted too. The key
+        // is preserved; the quoted value is collapsed.
+        (input) => input.replace(/"(password|secret|api_key|token|access_token|auth_token|client_secret|private_key|pwd|passwd)"\s*:\s*"[^"]{4,}"/gi, '"$1": "[REDACTED]"'),
     ];
 }
 export function applyRedaction(input, options) {
@@ -33,7 +70,7 @@ export function applyRedaction(input, options) {
     }
     let text = input;
     const warningCodes = [];
-    for (const rule of options.rules ?? defaultRules()) {
+    for (const rule of options.rules ?? DEFAULT_RULES) {
         try {
             text = rule(text);
         }

package/package.json

@@ -1,48 +1,50 @@
-{
-  "name": "sessionmem",
-  "version": "1.0.5",
-  "private": false,
-  "type": "module",
-  "description": "Local-first MCP memory layer for coding agents across Claude Code, Codex, Cursor, Cline, Windsurf, and other MCP-compatible hosts.",
-  "license": "MIT",
-  "author": "kavishdua",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/catfish-1234/sessionmem.git"
-  },
-  "mcpName": "io.github.catfish-1234/sessionmem",
-  "files": [
-    "dist"
-  ],
-  "publishConfig": {
-    "access": "public"
-  },
-  "bin": {
-    "sessionmem": "./dist/cli/index.js"
-  },
-  "scripts": {
-    "build": "tsc && node scripts/copy-migrations.mjs",
-    "prepack": "npm run build",
-    "test": "vitest run --reporter=dot",
-    "test:schema": "vitest run tests/integration/storage/schema.spec.ts --reporter=dot",
-    "lint": "eslint .",
-    "typecheck": "tsc --noEmit",
-    "benchmark": "node scripts/benchmark.mjs"
-  },
-  "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.29.0",
-    "better-sqlite3": "^12.4.1",
-    "commander": "^15.0.0",
-    "js-tiktoken": "^1.0.21",
-    "zod": "^4.4.3"
-  },
-  "devDependencies": {
-    "@eslint/js": "^10.0.1",
-    "@types/better-sqlite3": "^7.6.13",
-    "eslint": "^10.4.1",
-    "globals": "^17.6.0",
-    "typescript": "^6.0.3",
-    "typescript-eslint": "^8.61.0",
-    "vitest": "^4.1.8"
-  }
-}
+{
+  "name": "sessionmem",
+  "version": "1.1.0",
+  "private": false,
+  "type": "module",
+  "description": "Local-first MCP memory layer for coding agents across Claude Code, Codex, Cursor, Cline, Windsurf, and other MCP-compatible hosts.",
+  "license": "MIT",
+  "author": "kavishdua",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/catfish-1234/sessionmem.git"
+  },
+  "mcpName": "io.github.catfish-1234/sessionmem",
+  "files": [
+    "dist"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "bin": {
+    "sessionmem": "./dist/cli/index.js"
+  },
+  "scripts": {
+    "build": "tsc && node scripts/copy-migrations.mjs",
+    "prepack": "npm run build",
+    "test": "vitest run --reporter=dot",
+    "test:schema": "vitest run tests/integration/storage/schema.spec.ts --reporter=dot",
+    "lint": "eslint .",
+    "typecheck": "tsc --noEmit",
+    "benchmark": "node scripts/benchmark.mjs",
+    "postversion": "node -e \"const v=require('./package.json').version; ['package/package.json','.claude-plugin/plugin.json','server.json'].forEach(f=>{const o=require('./'+f);o.version=v;if(o.packages&&o.packages[0])o.packages[0].version=v;require('fs').writeFileSync('./'+f,JSON.stringify(o,null,2)+'\\n')})\" && npm run build"
+  },
+  "dependencies": {
+    "@anthropic-ai/sdk": "^0.105.0",
+    "@modelcontextprotocol/sdk": "^1.29.0",
+    "better-sqlite3": "^12.4.1",
+    "commander": "^15.0.0",
+    "js-tiktoken": "^1.0.21",
+    "zod": "^4.4.3"
+  },
+  "devDependencies": {
+    "@eslint/js": "^10.0.1",
+    "@types/better-sqlite3": "^7.6.13",
+    "eslint": "^10.4.1",
+    "globals": "^17.6.0",
+    "typescript": "^6.0.3",
+    "typescript-eslint": "^8.61.0",
+    "vitest": "^4.1.8"
+  }
+}