sessionmem 1.0.6 → 1.1.1

package/dist/core/api/sessionLifecycleService.js

@@ -111,6 +111,14 @@ export function createSessionLifecycleService(deps) {
      * Hard-deletes memories older than the effective retentionDays for this
      * project. retentionDays<=0 disables pruning. Any failure is swallowed
      * so it can never block or fail summarization.
+     *
+     * IMPORTANT: retention pruning fires INDEPENDENTLY of summarization. It runs
+     * on every handleSessionEnd path — including the `skipped_disabled`
+     * (autoSummarize=false) and `skipped_threshold` (too few events) early
+     * returns — because retention is a time-based policy that must apply whether
+     * or not a summary was produced this session. It is gated only by the
+     * retentionDays config (retentionDays<=0 disables it), not by whether the
+     * lifecycle proceeded past the summarization threshold.
      */
     function runLightPrune(projectId) {
         try {

package/dist/core/config/policyConfig.js

@@ -1,7 +1,7 @@
 import { z } from "zod";
 import { homedir } from "os";
 import { join, dirname } from "path";
-import { mkdirSync, readFileSync, writeFileSync } from "fs";
+import { mkdirSync, readFileSync, writeFileSync, renameSync } from "fs";
 /** Lower bound of the 1-10 importance scale. */
 export const MIN_IMPORTANCE = 1;
 /** Upper bound of the 1-10 importance scale. */
@@ -47,8 +47,12 @@ const teamConfigShape = z
  * built-in defaults.
  */
 const policyConfigShape = {
-    retentionDays: z.number().int().default(DEFAULT_POLICY_CONFIG.retentionDays),
+    retentionDays: z.number().int().min(0).default(DEFAULT_POLICY_CONFIG.retentionDays),
     redactionEnabled: z.boolean().default(DEFAULT_POLICY_CONFIG.redactionEnabled),
+    // Optional per-session startup-injection token cap. When set, it overrides the
+    // built-in DEFAULT_INJECTION_CAP used by formatStartupInjection and the
+    // `savings` analytics. Omitted by default so existing configs keep the default.
+    injectionCap: z.number().int().min(100).max(10000).optional(),
     team: teamConfigShape.default({ enabled: false }),
 };
 /**
@@ -80,14 +84,32 @@ export function configFilePath() {
  * are merged over defaults via the schema's per-field `.default()`.
  */
 export function readPolicyConfig(filePath) {
+    let raw;
+    let obj;
     try {
-        const raw = readFileSync(filePath, "utf8");
-        const parsed = JSON.parse(raw);
-        return policyConfigReadSchema.parse(parsed);
+        raw = readFileSync(filePath, "utf8");
+        obj = JSON.parse(raw);
     }
     catch {
         return { ...DEFAULT_POLICY_CONFIG };
     }
+    // Fast path: strict parse succeeds (the common case).
+    const strict = policyConfigReadSchema.safeParse(obj);
+    if (strict.success)
+        return strict.data;
+    // Lenient fallback: salvage valid individual fields so a single bad value
+    // (e.g. injectionCap: 50, below min 100) doesn't wipe out retentionDays etc.
+    const s = policyConfigShape;
+    const rd = s.retentionDays.safeParse(obj.retentionDays);
+    const re = s.redactionEnabled.safeParse(obj.redactionEnabled);
+    const ic = s.injectionCap.safeParse(obj.injectionCap);
+    const tm = s.team.safeParse(obj.team);
+    return {
+        retentionDays: rd.success ? rd.data : DEFAULT_POLICY_CONFIG.retentionDays,
+        redactionEnabled: re.success ? re.data : DEFAULT_POLICY_CONFIG.redactionEnabled,
+        injectionCap: ic.success ? ic.data : undefined,
+        team: tm.success ? tm.data : { ...DEFAULT_POLICY_CONFIG.team },
+    };
 }
 /**
  * Persist a partial policy config, merged over the current on-disk values (or
@@ -104,7 +126,12 @@ export function writePolicyConfig(filePath, partial) {
     const current = readPolicyConfig(filePath);
     const merged = policyConfigSchema.parse({ ...current, ...validatedPartial });
     mkdirSync(dirname(filePath), { recursive: true });
-    writeFileSync(filePath, `${JSON.stringify(merged, null, 2)}\n`, "utf8");
+    // Atomic write: write to a temp file then rename over the target so a crash
+    // mid-write can't leave a truncated/corrupt config. On Windows, renameSync
+    // over an existing file works (Node wraps it via MoveFileExW).
+    const tmpPath = `${filePath}.tmp`;
+    writeFileSync(tmpPath, `${JSON.stringify(merged, null, 2)}\n`, "utf8");
+    renameSync(tmpPath, filePath);
     return merged;
 }
 /**

package/dist/core/injection/formatStartupInjection.js

@@ -2,6 +2,29 @@ import { CRITICAL_WARNING_IMPORTANCE_THRESHOLD } from "../config/policyConfig.js
 import { countTokens, trimLowestPriorityContent } from "./tokenBudget.js";
 const DEFAULT_TOKEN_CAP = 450;
 const HEADER = "Relevant prior context";
+// At most this many preserved (critical-warning) entries may bypass trimming.
+// Critical warnings rarely need more, and an unbounded count would let
+// preserved entries dominate the injection block past the token cap.
+const MAX_PRESERVED = 5;
+// Strip control characters and hard-cap per-entry content before it is rendered
+// into the injection block. Prevents a single memory from breaking out of the
+// block (newlines/control chars) or dominating it (length). The full content
+// remains retrievable via retrieveMemories — this only affects startup display.
+const safeContent = (content) => 
+// eslint-disable-next-line no-control-regex -- intentional control-char strip
+content.replace(/[\n\r\x00-\x08\x0e-\x1f\x7f]/g, " ").slice(0, 500);
+// Sanitize source_adapter before it is rendered verbatim onto the metadata
+// line. Like `author`, a malformed row could otherwise smuggle newlines/control
+// chars (and thus a prompt-injection payload) into the injection block.
+const safeSourceAdapter = (s) => 
+// eslint-disable-next-line no-control-regex -- intentional control-char strip
+(s ?? "").replace(/[\n\r\x00-\x08\x0e-\x1f\x7f]/g, "").slice(0, 100);
+// Allow-list of known kinds. Any unrecognized kind renders as "memory" so a
+// malformed row cannot inject arbitrary text into the rendered `[kind]` label.
+const KNOWN_KINDS = new Set(["fact", "decision", "preference", "warning", "summary", "memory", "context"]);
+function safeKind(kind) {
+    return KNOWN_KINDS.has(kind) ? kind : "memory";
+}
 const KIND_ORDER = ["warning", "decision", "fact", "summary", "preference"];
 const KIND_RANK = new Map(KIND_ORDER.map((kind, index) => [kind, index]));
 function kindRank(kind) {
@@ -36,7 +59,12 @@ function authorPrefix(memory, localUsername) {
     if (memory.author &&
         localUsername &&
         memory.author !== localUsername) {
-        return `${memory.author}: `;
+        // Defense in depth: even though `author` is constrained at the contract
+        // boundary, strip any control characters before rendering so a malformed
+        // row cannot break out of the injection block.
+        // eslint-disable-next-line no-control-regex -- intentional control-char strip
+        const safeAuthor = memory.author.replace(/[\n\r\x00-\x1f\x7f]/g, "");
+        return `${safeAuthor}: `;
     }
     return "";
 }
@@ -45,8 +73,8 @@ function formatLine(entry, localUsername) {
     const score = memory.score;
     const prefix = authorPrefix(memory, localUsername);
     return [
-        `- [${memory.kind}] ${prefix}${entry.content}`,
-        `(score total=${formatScore(score.total)}, semantic=${formatScore(score.raw.semantic)}, recency=${formatScore(score.raw.recency)}, importance=${formatScore(score.raw.importance)}; source=${memory.source_adapter}; date=${memory.updated_at})`,
+        `- [${safeKind(memory.kind)}] ${prefix}${safeContent(entry.content)}`,
+        `(score total=${formatScore(score.total)}, semantic=${formatScore(score.raw.semantic)}, recency=${formatScore(score.raw.recency)}, importance=${formatScore(score.raw.importance)}; source=${safeSourceAdapter(memory.source_adapter)}; date=${memory.updated_at})`,
     ].join(" ");
 }
 function render(entries, localUsername) {
@@ -73,12 +101,28 @@ function lowestDroppableIndex(entries) {
 export function formatStartupInjection(rankedMemories, options = {}) {
     const tokenCap = options.tokenCap ?? DEFAULT_TOKEN_CAP;
     const localUsername = options.localUsername;
-    let included = sortMemories(rankedMemories).map((memory) => ({
-        memory,
-        content: memory.content,
-        priority: KIND_ORDER.length - kindRank(memory.kind),
-        preserve: isCriticalWarning(memory),
-    }));
+    // Cap how many entries may be marked `preserve`. Excess critical warnings
+    // beyond MAX_PRESERVED become droppable so they cannot bypass the trim/drop
+    // loop and blow past the token cap. Sorting first keeps the highest-ranked
+    // warnings preserved.
+    let preservedCount = 0;
+    let included = sortMemories(rankedMemories).map((memory) => {
+        let preserve = isCriticalWarning(memory);
+        if (preserve) {
+            if (preservedCount >= MAX_PRESERVED) {
+                preserve = false;
+            }
+            else {
+                preservedCount += 1;
+            }
+        }
+        return {
+            memory,
+            content: memory.content,
+            priority: KIND_ORDER.length - kindRank(memory.kind),
+            preserve,
+        };
+    });
     let output = render(included, localUsername);
     while (included.length > 0 && countTokens(output) > tokenCap) {
         const trimmed = trimLowestPriorityContent(included);

package/dist/core/retrieve/recencyBands.js

@@ -4,7 +4,10 @@ function toDate(value) {
 }
 export function getRecencyBandScore(updatedAt, now = new Date()) {
     const updatedDate = toDate(updatedAt);
-    const ageDays = Math.max(0, (now.getTime() - updatedDate.getTime()) / DAY_IN_MS);
+    const ageDays = (now.getTime() - updatedDate.getTime()) / DAY_IN_MS;
+    if (!Number.isFinite(ageDays) || ageDays < 0) {
+        return 0.05; // invalid/future date -> treat as max age (lowest recency score)
+    }
     const HALF_LIFE_DAYS = 14;
     const lambda = Math.LN2 / HALF_LIFE_DAYS;
     return Math.max(0.05, Math.exp(-lambda * ageDays));

package/dist/core/retrieve/retrieveMemories.js

@@ -1,7 +1,7 @@
 import { deterministicEmbed } from "../embed/deterministicEmbed.js";
 import { decayOldBoosts } from "./decay.js";
 import { scoreMemoryCandidate, } from "./score.js";
-import { searchMemoryCandidates, searchMemoryCandidatesFTS, } from "../storage/memorySearchRepo.js";
+import { searchMemoryCandidatesFTS, } from "../storage/memorySearchRepo.js";
 const DEFAULT_EMBEDDING_DIMENSION = 32;
 function resolveEmbeddingDimension(candidates) {
     for (const candidate of candidates) {
@@ -41,19 +41,21 @@ export function retrieveMemories(input) {
     }
     const topK = input.topK ?? input.limit ?? 20;
     const now = input.now ?? new Date();
-    // Use FTS5 pre-filtering when a semantic query is present to limit
-    // cosine similarity computation to ~50 candidates instead of all.
-    const candidates = queryText
-        ? searchMemoryCandidatesFTS(input.db, input.projectId, queryText)
-        : searchMemoryCandidates(input.db, input.projectId);
+    // Use FTS5 pre-filtering to limit cosine similarity computation to ~50 candidates.
+    // queryText is guaranteed non-empty by the Zod schema (z.string().min(1)) upstream.
+    const candidates = searchMemoryCandidatesFTS(input.db, input.projectId, queryText);
     const decayedCandidates = decayOldBoosts(candidates, now);
     const dimension = resolveEmbeddingDimension(candidates);
     const queryVector = deterministicEmbed(queryText, dimension).vector;
     const ranked = decayedCandidates
         .map((candidate) => {
         // When embedding is null (version mismatch or missing), use a neutral
-        // score of 0.5 so the memory is neither penalized nor boosted.
-        const semantic = candidate.embedding === null
+        // score of 0.5 so the memory is neither penalized nor boosted. A non-null
+        // embedding whose length differs from the query vector (a stored
+        // embedding from a different dimension) is treated the same way: passing
+        // it to cosineSimilarity would return 0 and actively penalize the row.
+        const semantic = candidate.embedding === null ||
+            candidate.embedding.length !== queryVector.length
             ? 0.5
             : cosineSimilarity(queryVector, candidate.embedding);
         const score = scoreMemoryCandidate({

package/dist/core/schema/migrations/005_team_provenance.sql

@@ -5,5 +5,10 @@
 -- NOT NULL ADD COLUMN requires a default and the local OS username is not
 -- available inside static SQL. `origin_project_id` is nullable and
 -- only set on rows pulled in from another project's store.
+--
+-- Idempotency: SQLite has no `ADD COLUMN IF NOT EXISTS`. Re-running this
+-- migration (only possible if the _migrations record was lost) throws
+-- "duplicate column name", which runMigrations catches and treats as
+-- already-applied. See src/core/schema/runMigrations.ts.
 ALTER TABLE memories ADD COLUMN author TEXT NOT NULL DEFAULT '';
 ALTER TABLE memories ADD COLUMN origin_project_id TEXT;

package/dist/core/schema/migrations/006_access_pattern_boosting.sql

@@ -1,5 +1,10 @@
 -- Access-pattern boosting: track how often each memory is included in
 -- retrieval output. access_count drives a read-time effective_importance
 -- boost without mutating the stored importance score.
+--
+-- Idempotency: SQLite has no `ADD COLUMN IF NOT EXISTS`. Re-running this
+-- migration (only possible if the _migrations record was lost) throws
+-- "duplicate column name", which runMigrations catches and treats as
+-- already-applied. See src/core/schema/runMigrations.ts.
 ALTER TABLE memories ADD COLUMN access_count INTEGER NOT NULL DEFAULT 0;
 ALTER TABLE memories ADD COLUMN last_accessed TEXT;

package/dist/core/schema/migrations/008_fts5_search.sql

@@ -8,9 +8,13 @@ CREATE VIRTUAL TABLE IF NOT EXISTS memories_fts USING fts5(
   content_rowid='rowid'
 );
 
--- Populate FTS index from existing rows
+-- Populate FTS index from existing rows. Guard against double-backfill: if this
+-- migration is re-run on a DB that already has FTS data (e.g. after the
+-- _migrations record was lost), re-inserting every row would duplicate the
+-- index entries. Only backfill when the FTS table is empty.
 INSERT INTO memories_fts(rowid, content, normalized_content)
-  SELECT rowid, content, normalized_content FROM memories;
+  SELECT rowid, content, normalized_content FROM memories
+  WHERE NOT EXISTS (SELECT 1 FROM memories_fts LIMIT 1);
 
 -- Keep FTS index in sync: INSERT trigger
 CREATE TRIGGER IF NOT EXISTS memories_fts_insert AFTER INSERT ON memories BEGIN

package/dist/core/schema/migrations/009_session_events_unique.sql

@@ -0,0 +1,24 @@
+-- Deduplicate session events by their logical key.
+--
+-- `ingestSessionEvents` is now reachable from agents (MCP tool) and CLI, so it
+-- can be called more than once for the same session. The original index on
+-- (project_id, session_id, event_index) was NOT unique, so re-ingesting the
+-- same logical event with a fresh `id` silently created duplicate rows — which
+-- then inflated session-event counts and the local-summarizer input.
+--
+-- Replace it with a UNIQUE index so `INSERT OR IGNORE` makes re-ingestion a
+-- no-op. session_events has no production writer before this migration, so there
+-- are no pre-existing duplicates to reconcile.
+DROP INDEX IF EXISTS idx_session_events_project_session_event_index;
+
+-- Remove duplicate rows before adding unique constraint.
+-- Keep the row with the smallest rowid for each logical key.
+DELETE FROM session_events
+WHERE rowid NOT IN (
+  SELECT MIN(rowid)
+  FROM session_events
+  GROUP BY project_id, session_id, event_index
+);
+
+CREATE UNIQUE INDEX IF NOT EXISTS idx_session_events_project_session_event_index
+  ON session_events(project_id, session_id, event_index);

package/dist/core/schema/runMigrations.js

@@ -1,6 +1,7 @@
 import fs from "node:fs";
 import path from "node:path";
-const DEFAULT_MIGRATIONS_DIR = path.resolve(process.cwd(), "src/core/schema/migrations");
+import { fileURLToPath } from "node:url";
+const DEFAULT_MIGRATIONS_DIR = path.resolve(path.dirname(fileURLToPath(import.meta.url)), "migrations");
 function ensureMigrationsTable(db) {
     db.exec(`
     CREATE TABLE IF NOT EXISTS _migrations (
@@ -18,6 +19,38 @@ function listMigrationFiles(migrationsDir) {
         .filter((fileName) => fileName.endsWith(".sql"))
         .sort((left, right) => left.localeCompare(right));
 }
+/**
+ * Verify that every column an ADD COLUMN migration declares already exists in
+ * its target table. Parses `ALTER TABLE <table> ADD COLUMN <name>` statements
+ * from the migration SQL and checks each against `PRAGMA table_info`. Returns
+ * false the moment a declared column is missing (or its table doesn't exist),
+ * so a partially-applied migration is never marked complete.
+ */
+function allAddedColumnsExist(db, sql) {
+    const addColumnRe = /ALTER\s+TABLE\s+(\w+)\s+ADD\s+COLUMN\s+(\w+)/gi;
+    const byTable = new Map();
+    let match;
+    while ((match = addColumnRe.exec(sql)) !== null) {
+        const [, table, column] = match;
+        const cols = byTable.get(table) ?? [];
+        cols.push(column);
+        byTable.set(table, cols);
+    }
+    // No ADD COLUMN statements parsed → we cannot prove the schema is consistent,
+    // so treat it as unsafe and let the caller re-throw.
+    if (byTable.size === 0) {
+        return false;
+    }
+    for (const [table, columns] of byTable) {
+        const existing = new Set(db.prepare(`PRAGMA table_info(${table})`).all().map((row) => row.name));
+        for (const column of columns) {
+            if (!existing.has(column)) {
+                return false;
+            }
+        }
+    }
+    return true;
+}
 export function runMigrations(db, migrationsDir = DEFAULT_MIGRATIONS_DIR) {
     ensureMigrationsTable(db);
     const files = listMigrationFiles(migrationsDir);
@@ -31,8 +64,37 @@ export function runMigrations(db, migrationsDir = DEFAULT_MIGRATIONS_DIR) {
     });
     for (const fileName of files) {
         const existing = hasMigrationStmt.get(fileName);
-        if (!existing) {
+        if (existing) {
+            continue;
+        }
+        try {
             runMigration(fileName);
         }
+        catch (err) {
+            // Idempotency guard for ALTER TABLE ADD COLUMN migrations (005/006).
+            // SQLite has no `ADD COLUMN IF NOT EXISTS`, so re-running a column-adding
+            // migration on a DB that already has the column throws "duplicate column
+            // name". This only happens when the _migrations record was lost (e.g. the
+            // table was dropped) while the schema change survived.
+            //
+            // Each migration runs in a transaction (all-or-nothing), so the duplicate
+            // error rolls the whole body back. Migrations 005/006 add TWO columns
+            // each: if only the FIRST already exists, the throw fires on the first
+            // ALTER and the second column is never added. Blindly marking the
+            // migration applied would leave that second column permanently missing.
+            //
+            // So instead of trusting the error, verify that EVERY column this
+            // migration was supposed to add actually exists. Only then is it safe to
+            // record as applied; otherwise re-throw so the failure surfaces.
+            if (err instanceof Error && /duplicate column name/i.test(err.message)) {
+                const filePath = path.join(migrationsDir, fileName);
+                const sql = fs.readFileSync(filePath, "utf8");
+                if (allAddedColumnsExist(db, sql)) {
+                    insertMigrationStmt.run(fileName);
+                    continue;
+                }
+            }
+            throw err;
+        }
     }
 }

package/dist/core/storage/memoryRepo.js

@@ -1,3 +1,34 @@
+// Shared INSERT ... ON CONFLICT(id) upsert column lists. The import and team-pull
+// paths differ only in how they resolve `importance` on conflict (import takes the
+// incoming value; pull preserves MAX(local, incoming)), so the surrounding SQL is
+// factored out to keep the two prepared statements byte-for-byte aligned.
+const UPSERT_INSERT_HEAD = `
+  INSERT INTO memories (
+    id, project_id, session_id, source_adapter, kind, content, normalized_content,
+    importance, embedding, embedding_dim, embedding_version, author, origin_project_id,
+    created_at, updated_at
+  ) VALUES (
+    @id, @project_id, @session_id, @source_adapter, @kind, @content, @normalized_content,
+    @importance, @embedding, @embedding_dim, @embedding_version, @author, @origin_project_id,
+    COALESCE(@created_at, strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
+    COALESCE(@updated_at, strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
+  )
+  ON CONFLICT(id) DO UPDATE SET
+    project_id = excluded.project_id,
+    session_id = excluded.session_id,
+    source_adapter = excluded.source_adapter,
+    kind = excluded.kind,
+    content = excluded.content,
+    normalized_content = excluded.normalized_content,`;
+const UPSERT_INSERT_TAIL = `
+    embedding = excluded.embedding,
+    embedding_dim = excluded.embedding_dim,
+    embedding_version = excluded.embedding_version,
+    author = excluded.author,
+    origin_project_id = excluded.origin_project_id,
+    created_at = excluded.created_at,
+    updated_at = excluded.updated_at
+`;
 const stmtCache = new WeakMap();
 function getStatements(db) {
     let stmts = stmtCache.get(db);
@@ -40,6 +71,20 @@ function getStatements(db) {
       author = excluded.author,
       origin_project_id = excluded.origin_project_id,
       updated_at = COALESCE(excluded.updated_at, strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
+    ON CONFLICT(id)
+    DO UPDATE SET
+      project_id = excluded.project_id,
+      session_id = excluded.session_id,
+      source_adapter = excluded.source_adapter,
+      content = excluded.content,
+      normalized_content = excluded.normalized_content,
+      importance = excluded.importance,
+      embedding = excluded.embedding,
+      embedding_dim = excluded.embedding_dim,
+      embedding_version = excluded.embedding_version,
+      author = excluded.author,
+      origin_project_id = excluded.origin_project_id,
+      updated_at = COALESCE(excluded.updated_at, strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
   `),
         listByProject: db.prepare(`
     SELECT
@@ -50,7 +95,28 @@ function getStatements(db) {
     WHERE project_id = ?
     ORDER BY updated_at DESC
   `),
+        // Lightweight projection for token-savings accounting: only `content` is
+        // needed to count tokens, so we deliberately avoid pulling the (potentially
+        // multi-KB) embedding JSON and normalized_content for every row. Matters for
+        // large projects where `savings` would otherwise load the whole table.
+        listContentByProject: db.prepare("SELECT content FROM memories WHERE project_id = ?"),
+        importUpsert: db.prepare(`${UPSERT_INSERT_HEAD}\n    importance = excluded.importance,${UPSERT_INSERT_TAIL}`),
+        // Importance-preserving merge for team pulls: a teammate can never lower a
+        // locally-boosted importance. better-sqlite3@12 bundles a SQLite that accepts
+        // the two-arg scalar MAX() inside DO UPDATE.
+        pullUpsert: db.prepare(`${UPSERT_INSERT_HEAD}\n    importance = MAX(memories.importance, excluded.importance),${UPSERT_INSERT_TAIL}`),
         listAllIds: db.prepare("SELECT id FROM memories"),
+        selectById: db.prepare(`
+      SELECT
+        id, project_id, session_id, source_adapter, kind, content, normalized_content,
+        importance, embedding, embedding_dim, embedding_version, author, origin_project_id,
+        access_count, last_accessed, created_at, updated_at
+      FROM memories
+      WHERE project_id = ? AND id = ?
+      LIMIT 1
+    `),
+        selectOwner: db.prepare("SELECT project_id FROM memories WHERE id = ?"),
+        deleteById: db.prepare("DELETE FROM memories WHERE project_id = ? AND id = ?"),
         countOlderThan: db.prepare(`
       SELECT COUNT(*) AS count
       FROM memories
@@ -72,6 +138,9 @@ function getStatements(db) {
       SET
         content = ?,
         normalized_content = COALESCE(?, normalized_content),
+        embedding = COALESCE(?, embedding),
+        embedding_dim = COALESCE(?, embedding_dim),
+        embedding_version = COALESCE(?, embedding_version),
         updated_at = strftime('%Y-%m-%dT%H:%M:%fZ', 'now')
       WHERE project_id = ? AND id = ?
     `),
@@ -96,7 +165,17 @@ function getStatements(db) {
         countBySession: db.prepare(`
       SELECT COUNT(*) AS count
       FROM memories
-      WHERE session_id = ?
+      WHERE session_id = ? AND project_id = ?
+    `),
+        countAll: db.prepare("SELECT COUNT(*) AS count FROM memories WHERE project_id = ?"),
+        // Memories whose stored embedding does not match the supplied current
+        // embedding version (NULL counts as stale). Used to surface a re-embed
+        // hint; the actual re-embed is the `sessionmem re-embed` command.
+        countStaleEmbeddings: db.prepare(`
+      SELECT COUNT(*) AS count
+      FROM memories
+      WHERE project_id = ?
+        AND (embedding_version IS NULL OR embedding_version != ?)
     `),
     };
     stmtCache.set(db, stmts);
@@ -127,9 +206,62 @@ export function upsertSessionSummaryMemory(db, input) {
     assertImportance(input.importance);
     getStatements(db).upsertSessionSummary.run(toParams({ ...input, kind: "summary" }));
 }
+/**
+ * Upsert a memory imported from an external export. On `id` conflict the incoming
+ * record wins on every column (including importance). Cross-project ownership
+ * collisions are filtered by the caller via {@link getMemoryOwnerProjectId} before
+ * this runs, so this never reassigns another project's row.
+ */
+export function upsertImportedMemory(db, input) {
+    assertImportance(input.importance);
+    getStatements(db).importUpsert.run(toParams(input));
+}
+/**
+ * Upsert a memory pulled from a teammate. Identical to {@link upsertImportedMemory}
+ * except importance is merged as MAX(local, incoming) so a pull can never lower a
+ * locally-boosted importance.
+ */
+export function upsertPulledMemory(db, input) {
+    assertImportance(input.importance);
+    getStatements(db).pullUpsert.run(toParams(input));
+}
 export function listMemoriesByProject(db, projectId) {
     return getStatements(db).listByProject.all(projectId);
 }
+/**
+ * Return just the `content` of every memory in a project. Used by the
+ * token-savings command, which only needs `content` to count tokens and must
+ * not pay to load embedding JSON / normalized_content for the whole table.
+ */
+export function listMemoryContentsByProject(db, projectId) {
+    const rows = getStatements(db).listContentByProject.all(projectId);
+    return rows.map((r) => r.content);
+}
+/**
+ * Fetch a single memory row scoped to a project. Returns undefined when no row
+ * matches (caller maps that to NOT_FOUND). Uses a WeakMap-cached prepared
+ * statement — this is a high-frequency path (every store/get/forget and each
+ * batch item re-reads the inserted row).
+ */
+export function getMemoryRecordById(db, projectId, memoryId) {
+    return getStatements(db).selectById.get(projectId, memoryId);
+}
+/**
+ * Resolve the project that currently owns a globally-unique memory `id`, or
+ * undefined when the id is unused. Import/pull use this to skip (never overwrite)
+ * an id already owned by a different project.
+ */
+export function getMemoryOwnerProjectId(db, memoryId) {
+    const row = getStatements(db).selectOwner.get(memoryId);
+    return row?.project_id;
+}
+/**
+ * Hard-delete a single memory scoped to a project. Returns the number of rows
+ * removed (0 when the id does not exist in this project).
+ */
+export function deleteMemoryById(db, projectId, memoryId) {
+    return getStatements(db).deleteById.run(projectId, memoryId).changes;
+}
 /**
  * All memory ids across every project. `id` is a globally-unique
  * PRIMARY KEY, so duplicate-skip checks in `import` must consider every
@@ -153,6 +285,12 @@ export function deleteMemoriesOlderThan(db, projectId, cutoffIso) {
     const result = getStatements(db).deleteOlderThan.run(projectId, cutoffIso);
     return result.changes;
 }
+// NOTE: no MCP tool, CLI command, or service method currently calls this. It is
+// retained as intentional repository API surface (the importance-update
+// counterpart to updateMemoryContent) for a future importance-adjustment tool,
+// not forgotten code. The `updateImportance` prepared statement above is wired
+// solely for this function. Keep or remove deliberately — do not delete on a
+// "looks unused" pass.
 export function updateMemoryImportance(db, projectId, memoryId, nextImportance, usedAt) {
     assertImportance(nextImportance);
     const result = getStatements(db).updateImportance.run(nextImportance, usedAt ?? null, projectId, memoryId);
@@ -161,17 +299,36 @@ export function updateMemoryImportance(db, projectId, memoryId, nextImportance,
     }
 }
 /**
- * Count the number of memories stored under a given session_id across all
- * projects. Used to enforce per-session write soft limits — the count is
+ * Count all memories stored in a project. Used to enforce per-session write
+ * soft limits — the count is
  * checked before each storeMemory call and a warning is surfaced when the
  * threshold is reached.
  */
-export function countMemoriesBySession(db, sessionId) {
-    const row = getStatements(db).countBySession.get(sessionId);
+export function countAllMemoriesByProject(db, projectId) {
+    const row = getStatements(db).countAll.get(projectId);
+    return row.count;
+}
+export function countMemoriesBySession(db, sessionId, projectId) {
+    const row = getStatements(db).countBySession.get(sessionId, projectId);
+    return row.count;
+}
+/**
+ * Count memories in a project whose embedding version differs from
+ * `currentVersion` (NULL counts as stale). Drives the startup re-embed hint;
+ * the fix is the `sessionmem re-embed` command.
+ */
+export function countStaleEmbeddings(db, projectId, currentVersion) {
+    const row = getStatements(db).countStaleEmbeddings.get(projectId, currentVersion);
     return row.count;
 }
-export function updateMemoryContent(db, projectId, memoryId, newContent, newNormalizedContent) {
-    const result = getStatements(db).updateContent.run(newContent, newNormalizedContent ?? null, projectId, memoryId);
+export function updateMemoryContent(db, projectId, memoryId, newContent, newNormalizedContent, 
+// Optional re-embedding: when content is rewritten (e.g. a redactExisting
+// scrub) the stored embedding vector — computed from the PRE-edit text —
+// becomes stale and inconsistent with the new normalized_content. Pass the
+// recomputed embedding so the vector tracks the redacted text; omit to leave
+// the existing embedding untouched (COALESCE keeps the prior value on null).
+newEmbedding) {
+    const result = getStatements(db).updateContent.run(newContent, newNormalizedContent ?? null, newEmbedding ? JSON.stringify(newEmbedding.vector) : null, newEmbedding?.dimension ?? null, newEmbedding?.embeddingVersion ?? null, projectId, memoryId);
     if (result.changes === 0) {
         throw new Error(`Memory not found: ${memoryId}`);
     }