specmem-hardwicksoftware 3.7.44 → 3.7.45

package/README.md

@@ -1,18 +1,13 @@
+## I am aware it currently only works for "root" users in it's full glory
+## Sorry, this was developed on a baremetal VPS with XFCE Desktop
+## Just sudo npm install -g specmem-hardwicksoftware && cd /yourprojectdir && specmem init
+## Sorry guys again working out numerous kinks, look for assistance getting this user ready
+## Hit up a new issue if you find any please, send me your logs on linkedin or smthn!
 
-## COMPACTION PROXY FIXED - AGENT BEHAVIOR IMPROVEMENT SOON!
 <!-- How to Install SVG -->
 <img src="./svg-sections/readme-how-to-install.svg" alt="How to Install SpecMem on Linux" width="800">
 
-<br/>
 
-<!-- Token Compaction Pipeline SVG -->
-<div align="center">
-<picture>
-  <img alt="Token Compaction Pipeline — ~60% Input Token Reduction" src="./svg-sections/readme-token-compaction.svg" width="800">
-</picture>
-</div>
-
-<br/>
 
 <!-- Hero Banner -->
 <picture>
@@ -133,6 +128,16 @@ Full technical deep-dive covering architecture, embeddings, database internals,
 
 </div>
 
+<br/>
+
+<!-- Token Compaction Pipeline SVG -->
+<div align="center">
+<picture>
+  <img alt="Token Compaction Pipeline — ~60% Input Token Reduction" src="./svg-sections/readme-token-compaction.svg" width="800">
+</picture>
+</div>
+
+<br/>
 ---
 
 ## ⚡ Quick Start
@@ -150,9 +155,9 @@ Full technical deep-dive covering architecture, embeddings, database internals,
 ## 🔓 Root Access (Optional)
 
 <div align="center">
-<picture>
-  <img alt="Root Access — Optional" src="./svg-sections/readme-why-root.svg" width="800">
-</picture>
+Hell nah, sorry, not a poweruser with control over their debian distro?
+Looks like you aren't intelligent enough to run this technology
+  (IIRC THIS ACTUALLY PREVENTS CORPORTATE FROM INSTALLING BUT IRDC Plus in MY BOOK )
 </div>
 
 ---

package/container/Dockerfile

@@ -1,30 +1,100 @@
 # ============================================
-# SPECMEM BRAIN CONTAINER
+# SPECMEM BRAIN CONTAINER — MINIMAL BUILD
 # ============================================
-# Everything SpecMem needs, in one rootless container:
+# Everything SpecMem needs, nothing it doesn't:
 #   - PostgreSQL 16 + pgvector
 #   - Python embedding server (frankenstein-embeddings.py)
 #   - Translation server (hardwick-translate.py)
 #   - Mini-COT service (Pythia-410M)
 #   - Supervisord (process manager)
 #
-# Zero root. Zero sudo. Zero system deps beyond Podman.
-# Talks to host Node.js MCP server via unix sockets in /data/run/
-#
-# Build:  podman build -t specmem-brain container/
-# Run:    podman run -d --name specmem-brain -v ./specmem:/data:Z specmem-brain
+# Target: ~3GB final image
 # ============================================
 
-FROM python:3.11-slim AS base
+# ============================================
+# Stage 1: Python deps builder
+# ============================================
+FROM python:3.11-slim AS python-builder
 
-# Avoid interactive prompts
-ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    build-essential \
+    && rm -rf /var/lib/apt/lists/*
+
+# Constraints file: block ALL nvidia/CUDA packages from ever being installed.
+# pip constraints are absolute — no transitive dep can override them.
+RUN cat > /tmp/constraints.txt <<'EOF'
+nvidia-cuda-runtime-cu12==0.0.0.invalid
+nvidia-cuda-cupti-cu12==0.0.0.invalid
+nvidia-cuda-nvrtc-cu12==0.0.0.invalid
+nvidia-cudnn-cu12==0.0.0.invalid
+nvidia-cufft-cu12==0.0.0.invalid
+nvidia-curand-cu12==0.0.0.invalid
+nvidia-cusolver-cu12==0.0.0.invalid
+nvidia-cusparse-cu12==0.0.0.invalid
+nvidia-nccl-cu12==0.0.0.invalid
+nvidia-nvjitlink-cu12==0.0.0.invalid
+nvidia-nvtx-cu12==0.0.0.invalid
+nvidia-cuda-runtime-cu11==0.0.0.invalid
+nvidia-cuda-cupti-cu11==0.0.0.invalid
+nvidia-cuda-nvrtc-cu11==0.0.0.invalid
+nvidia-cudnn-cu11==0.0.0.invalid
+nvidia-cufft-cu11==0.0.0.invalid
+nvidia-curand-cu11==0.0.0.invalid
+nvidia-cusolver-cu11==0.0.0.invalid
+nvidia-cusparse-cu11==0.0.0.invalid
+nvidia-nccl-cu11==0.0.0.invalid
+nvidia-nvjitlink-cu11==0.0.0.invalid
+nvidia-nvtx-cu11==0.0.0.invalid
+triton==0.0.0.invalid
+EOF
+
+# Step 1: Install torch CPU-only using --index-url (REPLACES PyPI as primary).
+# This is the ONLY way to guarantee pip doesn't pull CUDA torch from PyPI.
+RUN pip install --no-cache-dir \
+    --index-url https://download.pytorch.org/whl/cpu \
+    torch
+
+# Step 2: Install everything else from PyPI. torch is already satisfied
+# from step 1 so pip won't re-download it. Constraints block nvidia.
+RUN pip install --no-cache-dir \
+    -c /tmp/constraints.txt \
+    sentence-transformers \
+    onnxruntime \
+    psycopg2-binary \
+    numpy \
+    transformers \
+    argostranslate \
+    ctranslate2 \
+    sentencepiece \
+    emoji \
+    opencc-python-reimplemented
+
+# Verify no nvidia packages made it through
+RUN pip list | grep -i nvidia && echo "NVIDIA PACKAGES FOUND - BUILD SHOULD FAIL" && exit 1 || echo "Clean: no nvidia packages"
+
+# Strip bloat from installed packages
+RUN find /usr/local/lib/python3.11/site-packages -type d \
+    \( -name "test" -o -name "tests" -o -name "__pycache__" \) \
+    -exec rm -rf {} + 2>/dev/null; \
+    find /usr/local/lib/python3.11/site-packages -name "*.pyc" -delete 2>/dev/null; \
+    rm -rf /usr/local/lib/python3.11/site-packages/torch/testing 2>/dev/null; \
+    rm -rf /usr/local/lib/python3.11/site-packages/torch/utils/benchmark 2>/dev/null; \
+    rm -rf /usr/local/lib/python3.11/site-packages/torch/include 2>/dev/null; \
+    rm -rf /usr/local/lib/python3.11/site-packages/torch/share 2>/dev/null; \
+    rm -rf /usr/local/lib/python3.11/site-packages/caffe2 2>/dev/null; \
+    find /usr/local/lib/python3.11/site-packages -name "*.so" \
+    -exec strip --strip-unneeded {} \; 2>/dev/null; \
+    true
 
 # ============================================
-# Stage 1: System packages
+# Stage 2: Final minimal image
 # ============================================
+FROM python:3.11-slim
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# PostgreSQL 16 + pgvector + supervisor — single layer, full cleanup
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    # PostgreSQL 16 + pgvector
     gnupg2 lsb-release curl ca-certificates \
     && echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" \
        > /etc/apt/sources.list.d/pgdg.list \
@@ -33,85 +103,55 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && apt-get update && apt-get install -y --no-install-recommends \
     postgresql-16 \
     postgresql-16-pgvector \
-    # Process manager
     supervisor \
-    # Cleanup
     && apt-get purge -y gnupg2 lsb-release curl \
-    && apt-get autoremove -y \
-    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+    && apt-get autoremove -y --purge \
+    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
+    /usr/share/doc /usr/share/man /usr/share/locale \
+    /var/log/* /var/cache/*
 
-# ============================================
-# Stage 2: Python dependencies (CPU-only torch)
-# ============================================
-RUN pip install --no-cache-dir \
-    torch --index-url https://download.pytorch.org/whl/cpu \
-    && pip install --no-cache-dir \
-    sentence-transformers[onnx] \
-    onnxruntime \
-    psycopg2-binary \
-    numpy \
-    transformers
-
-# Argos Translate + deps (for hardwick-translate.py)
-RUN pip install --no-cache-dir \
-    argostranslate \
-    ctranslate2 \
-    sentencepiece \
-    emoji \
-    opencc-python-reimplemented
+# Copy Python packages from builder (no --prefix, just site-packages)
+COPY --from=python-builder /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
+COPY --from=python-builder /usr/local/bin /usr/local/bin
 
-# ============================================
-# Stage 3: Copy pre-optimized models from package
-# ============================================
-# Models are already in the npm package — no download needed!
-# - all-MiniLM-L6-v2 (ONNX quantized) — embedding model
-# - argos-translate models — translation models
 WORKDIR /app
-COPY embedding-sandbox/models/ /app/models/
 
-# ============================================
-# Stage 4: Copy application files
-# ============================================
-COPY embedding-sandbox/frankenstein-embeddings.py /app/frankenstein-embeddings.py
-COPY embedding-sandbox/hardwick-translate.py /app/hardwick-translate.py
-COPY embedding-sandbox/mini-cot-service.py /app/mini-cot-service.py
-
-# Pythia-410M pre-optimized model (ONNX int8 quantized)
-# Pre-built by optimize-pythia.py and shipped with npm package — no download needed!
-# If model dir doesn't exist in models/ yet, it will be built on first `npm run optimize-pythia`
-
-COPY container/supervisord.conf /etc/supervisor/conf.d/specmem.conf
-COPY container/entrypoint.sh /app/entrypoint.sh
-COPY container/healthcheck.sh /app/healthcheck.sh
-COPY container/sock_check.py /app/sock_check.py
+# Create non-root user BEFORE copying files so COPY --chown works
+# without creating a duplicate chown layer
+RUN useradd -r -m -s /bin/bash specmem && \
+    mkdir -p /data && chown specmem:specmem /data
+
+# Models
+COPY --chown=specmem:specmem embedding-sandbox/models/ /app/models/
+
+# Application files
+COPY --chown=specmem:specmem embedding-sandbox/frankenstein-embeddings.py /app/frankenstein-embeddings.py
+COPY --chown=specmem:specmem embedding-sandbox/hardwick-translate.py /app/hardwick-translate.py
+COPY --chown=specmem:specmem embedding-sandbox/mini-cot-service.py /app/mini-cot-service.py
+
+# Container config
+COPY --chown=specmem:specmem container/supervisord.conf /etc/supervisor/conf.d/specmem.conf
+COPY --chown=specmem:specmem container/entrypoint.sh /app/entrypoint.sh
+COPY --chown=specmem:specmem container/healthcheck.sh /app/healthcheck.sh
+COPY --chown=specmem:specmem container/sock_check.py /app/sock_check.py
 RUN chmod +x /app/entrypoint.sh /app/healthcheck.sh
 
-# ============================================
-# Stage 5: Configure PostgreSQL for container
-# ============================================
-# PostgreSQL data and sockets live in /data/ (volume mount)
-# No systemd - we manage postgres directly via pg_ctl
+# PostgreSQL config
 ENV PGDATA=/data/pgdata
 ENV PGHOST=/data/run
 ENV PGPORT=5432
 ENV PGUSER=specmem
 ENV PGDATABASE=specmem
 
-# Embedding model path (pre-downloaded)
+# Model paths
 ENV SPECMEM_MODEL_PATH=/app/models/all-MiniLM-L6-v2
 ENV SENTENCE_TRANSFORMERS_HOME=/app/models
 
-# Resource defaults (overridable) — crawl mode: 1 thread
+# CPU-only resource limits
 ENV OMP_NUM_THREADS=1
 ENV MKL_NUM_THREADS=1
 ENV OPENBLAS_NUM_THREADS=1
 
-# Create specmem user to run services (postgres won't run as root)
-RUN useradd -r -m -s /bin/bash specmem && \
-    mkdir -p /data && chown -R specmem:specmem /data /app
-
-# Volume mount point
 VOLUME /data
-
 USER specmem
 ENTRYPOINT ["/app/entrypoint.sh"]

package/container/container-version.json

@@ -0,0 +1,5 @@
+{
+  "version": "1.0.0",
+  "image": "ghcr.io/jonhardwick-spec/specmem-brain",
+  "minSpecmemVersion": "3.7.0"
+}

package/embedding-sandbox/warm-start.sh

@@ -8,8 +8,8 @@
 #   4. No container -> create & run + COLD START (slow, ~20-30s + full feed)
 #
 # VERSION SAFETY:
-#   - Every container gets specmem.version label
-#   - Before using ANY container, check version label
+#   - Every container gets specmem.container_version label (decoupled from npm version)
+#   - Before using ANY container, check container_version label
 #   - Missing/mismatched version = KILL & REBUILD (old code!)
 #
 # On idle: Container is PAUSED (not stopped) - stays in RAM, 0% CPU
@@ -22,9 +22,19 @@ set -e
 # Get specmem installation directory
 SPECMEM_DIR="$(cd "$(dirname "$0")/.." && pwd)"
 
-# Get specmem version from package.json
+# Get specmem version from package.json (informational only)
 SPECMEM_VERSION=$(node -p "require('$SPECMEM_DIR/package.json').version" 2>/dev/null || echo "0.0.0")
 
+# Get CONTAINER version from container-version.json (used for rebuild decisions)
+CONTAINER_VERSION_FILE="$SPECMEM_DIR/container/container-version.json"
+if [ -f "$CONTAINER_VERSION_FILE" ]; then
+    CONTAINER_VERSION=$(node -p "require('$CONTAINER_VERSION_FILE').version" 2>/dev/null || echo "1.0.0")
+    REGISTRY_IMAGE=$(node -p "require('$CONTAINER_VERSION_FILE').image" 2>/dev/null || echo "ghcr.io/hardwicksoftware/specmem-brain")
+else
+    CONTAINER_VERSION="1.0.0"
+    REGISTRY_IMAGE="ghcr.io/hardwicksoftware/specmem-brain"
+fi
+
 # SOCKET PATH RESOLUTION (in priority order):
 # 1. SPECMEM_EMBEDDING_SOCKET env var (per-project, set by hooks)
 # 2. SPECMEM_SOCKET_DIR env var + embeddings.sock
@@ -93,9 +103,16 @@ CPU_LIMIT="${SPECMEM_EMBEDDING_CPU_LIMIT:-0.5}"
 # Warm start feeder script
 FEEDER_SCRIPT="$SPECMEM_DIR/embedding-sandbox/warm_start_feeder.py"
 
-# Check container version label
+# Check container version label (uses container_version for rebuild decisions)
 get_container_version() {
-    docker inspect --format='{{index .Config.Labels "specmem.version"}}' "$CONTAINER_NAME" 2>/dev/null || echo ""
+    # First try new label, fall back to legacy label
+    local ver
+    ver=$(docker inspect --format='{{index .Config.Labels "specmem.container_version"}}' "$CONTAINER_NAME" 2>/dev/null || echo "")
+    if [ -z "$ver" ] || [ "$ver" = "<no value>" ]; then
+        # Fall back to legacy specmem.version label for old containers
+        ver=$(docker inspect --format='{{index .Config.Labels "specmem.version"}}' "$CONTAINER_NAME" 2>/dev/null || echo "")
+    fi
+    echo "$ver"
 }
 
 # Check if version matches current specmem
@@ -105,18 +122,18 @@ version_matches() {
         log "VERSION CHECK: No version label (old code!)"
         return 1
     fi
-    if [ "$container_version" != "$SPECMEM_VERSION" ]; then
-        log "VERSION CHECK: Mismatch - container=$container_version, specmem=$SPECMEM_VERSION (old code!)"
+    if [ "$container_version" != "$CONTAINER_VERSION" ]; then
+        log "VERSION CHECK: Mismatch - container=$container_version, expected=$CONTAINER_VERSION"
         return 1
     fi
-    log "VERSION CHECK: OK - $container_version"
+    log "VERSION CHECK: OK - container_version=$container_version"
     return 0
 }
 
 # Kill container due to version mismatch
 kill_old_version() {
     local old_version=$(get_container_version)
-    log "KILLING OLD VERSION: $old_version != $SPECMEM_VERSION"
+    log "KILLING OLD VERSION: $old_version != $CONTAINER_VERSION"
     docker rm -f "$CONTAINER_NAME" 2>/dev/null || true
     rm -f "$SOCKET_PATH"
 }
@@ -175,6 +192,43 @@ get_container_state() {
     docker inspect --format='{{.State.Status}}' "$CONTAINER_NAME" 2>/dev/null || true
 }
 
+# Background container auto-update check
+# Compares ~/.specmem/container-state.json vs container-version.json
+# If newer version available, pulls in background for next cold start
+check_container_update() {
+    local STATE_FILE="${HOME}/.specmem/container-state.json"
+    if [ ! -f "$STATE_FILE" ]; then
+        return  # No state file = first run, skip update check
+    fi
+
+    local CURRENT_CV
+    CURRENT_CV=$(node -p "try{JSON.parse(require('fs').readFileSync('$STATE_FILE','utf8')).currentVersion}catch(e){''}" 2>/dev/null || echo "")
+
+    if [ -n "$CURRENT_CV" ] && [ "$CURRENT_CV" != "$CONTAINER_VERSION" ]; then
+        log "UPDATE CHECK: Container update available: $CURRENT_CV -> $CONTAINER_VERSION"
+        local REGISTRY_FULL_IMAGE="${REGISTRY_IMAGE}:${CONTAINER_VERSION}"
+        # Background pull — don't block the user
+        (
+            if docker pull "$REGISTRY_FULL_IMAGE" 2>/dev/null; then
+                docker tag "$REGISTRY_FULL_IMAGE" "$IMAGE_NAME" 2>/dev/null
+                # Update state file
+                mkdir -p "${HOME}/.specmem"
+                cat > "$STATE_FILE" <<UPDATEJSON
+{
+  "currentVersion": "$CONTAINER_VERSION",
+  "lastPulled": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
+  "imageId": "$(docker inspect --format='{{.Id}}' "$IMAGE_NAME" 2>/dev/null || echo "")",
+  "source": "registry-update"
+}
+UPDATEJSON
+                log "UPDATE CHECK: Pull complete. New image ready for next cold start."
+            else
+                log "UPDATE CHECK: Pull failed, will retry next time."
+            fi
+        ) &
+    fi
+}
+
 # Feed overflow queue after warm start
 feed_overflow() {
     if [ -f "$FEEDER_SCRIPT" ]; then
@@ -208,9 +262,12 @@ main() {
     ensure_socket_dir
 
     log "=========================================="
-    log "WARM START v$SPECMEM_VERSION"
+    log "WARM START v$SPECMEM_VERSION (container_version=$CONTAINER_VERSION)"
     log "=========================================="
 
+    # Check for container updates in background (non-blocking)
+    check_container_update
+
     # Quick check - already running and responsive?
     if socket_alive; then
         # But check version first!
@@ -280,15 +337,45 @@ main() {
 
         *)
             # No container - cold start (only happens once per version)
-            log "Creating new container (cold start) with version $SPECMEM_VERSION..."
+            log "Creating new container (cold start) with container_version=$CONTAINER_VERSION..."
             rm -f "$SOCKET_PATH"
 
             # Remove any old container with same name
             docker rm -f "$CONTAINER_NAME" 2>/dev/null || true
 
+            # Pull-first: try registry image before falling back to local
+            REGISTRY_FULL_IMAGE="${REGISTRY_IMAGE}:${CONTAINER_VERSION}"
+            if ! docker image inspect "$IMAGE_NAME" &>/dev/null; then
+                log "No local image found, trying registry pull: $REGISTRY_FULL_IMAGE"
+                if docker pull "$REGISTRY_FULL_IMAGE" 2>/dev/null; then
+                    docker tag "$REGISTRY_FULL_IMAGE" "$IMAGE_NAME"
+                    log "Pulled and tagged registry image as $IMAGE_NAME"
+
+                    # Store container state
+                    SPECMEM_STATE_DIR="${HOME}/.specmem"
+                    mkdir -p "$SPECMEM_STATE_DIR"
+                    cat > "$SPECMEM_STATE_DIR/container-state.json" <<STATEJSON
+{
+  "currentVersion": "$CONTAINER_VERSION",
+  "lastPulled": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
+  "imageId": "$(docker inspect --format='{{.Id}}' "$IMAGE_NAME" 2>/dev/null || echo "")",
+  "source": "registry"
+}
+STATEJSON
+                else
+                    log "Registry pull failed, will use local image if available"
+                fi
+            fi
+
+            # If still no image, build locally (air-gapped fallback)
+            if ! docker image inspect "$IMAGE_NAME" &>/dev/null; then
+                log "Building image locally from $SPECMEM_DIR/container/"
+                docker build -t "$IMAGE_NAME" "$SPECMEM_DIR/container/"
+            fi
+
             # Create and run with network disabled (air-gapped security)
             # Mount socket directory for access (per-project or /tmp for machine-shared)
-            # CRITICAL: Add specmem.version label!
+            # CRITICAL: Add specmem.container_version label!
 
             # Determine mount strategy
             if [ "$SOCKET_DIR" = "/tmp" ]; then
@@ -315,6 +402,7 @@ main() {
                 -e "SPECMEM_CPU_THREADS=1" \
                 -e "SPECMEM_EMBEDDING_MAX_WORKERS=4" \
                 -l "specmem.user=$USER_ID" \
+                -l "specmem.container_version=$CONTAINER_VERSION" \
                 -l "specmem.version=$SPECMEM_VERSION" \
                 -l "specmem.created=$(date +%s)" \
                 -l "specmem.socket=$SOCKET_PATH" \

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "specmem-hardwicksoftware",
-  "version": "3.7.44",
+  "version": "3.7.45",
   "type": "module",
   "description": "Your Claude Code sessions don't have to start from scratch anymore — SpecMem gives your AI real memory. It won't forget your conversations, your code, or your architecture decisions between sessions. That's the whole point. Semantic code indexing that actually works: TypeScript, JavaScript, Python, Go, Rust, Java, Kotlin, C, C++, HTML and more. It doesn't just track functions — it gets classes, methods, fields, constants, enums, macros, imports, structs, the whole codebase graph. There's chat memory too, powered by pgvector embeddings. You've also got token compression, team coordination, multi-agent comms, and file watching built in. 74+ MCP tools. Runs on PostgreSQL + Docker. It's kind of a big deal. justcalljon.pro",
   "main": "dist/index.js",

package/scripts/global-postinstall.cjs

@@ -76,20 +76,51 @@ if (currentPlatform === 'darwin') {
 }
 
 if (!isGlobalInstall) {
-  console.log('\n\x1b[33m╔════════════════════════════════════════════════════════════╗\x1b[0m');
-  console.log('\x1b[33m║\x1b[0m  \x1b[1m\x1b[31m⚠ SPECMEM MUST BE INSTALLED GLOBALLY\x1b[0m                      \x1b[33m║\x1b[0m');
-  console.log('\x1b[33m╠════════════════════════════════════════════════════════════╣\x1b[0m');
-  console.log('\x1b[33m║\x1b[0m                                                            \x1b[33m║\x1b[0m');
-  console.log('\x1b[33m║\x1b[0m  You ran:  npm install specmem-hardwicksoftware           \x1b[33m║\x1b[0m');
-  console.log('\x1b[33m║\x1b[0m                                                            \x1b[33m║\x1b[0m');
-  console.log('\x1b[33m║\x1b[0m  \x1b[1m\x1b[32mCorrect command:\x1b[0m                                         \x1b[33m║\x1b[0m');
-  console.log('\x1b[33m║\x1b[0m  \x1b[1m\x1b[36m  npm install -g specmem-hardwicksoftware\x1b[0m                 \x1b[33m║\x1b[0m');
-  console.log('\x1b[33m║\x1b[0m                                                            \x1b[33m║\x1b[0m');
-  console.log('\x1b[33m║\x1b[0m  SpecMem is a CLI tool that integrates with Claude Code.  \x1b[33m║\x1b[0m');
-  console.log('\x1b[33m║\x1b[0m  It must be installed globally to work properly.          \x1b[33m║\x1b[0m');
-  console.log('\x1b[33m║\x1b[0m                                                            \x1b[33m║\x1b[0m');
-  console.log('\x1b[33m╚════════════════════════════════════════════════════════════╝\x1b[0m\n');
-  process.exit(0); // Exit cleanly so npm doesn't show error
+  // LOCAL INSTALL: Create wrapper scripts in ~/.local/bin/
+  const LOCAL_BIN = path.join(os.homedir(), '.local', 'bin');
+  const SPECMEM_PKG = path.dirname(__dirname);
+
+  console.log('\n\x1b[36m╔════════════════════════════════════════════════════════════╗\x1b[0m');
+  console.log('\x1b[36m║\x1b[0m  \x1b[1mSpecMem: Local install detected\x1b[0m                          \x1b[36m║\x1b[0m');
+  console.log('\x1b[36m╠════════════════════════════════════════════════════════════╣\x1b[0m');
+  console.log('\x1b[36m║\x1b[0m  Setting up CLI wrappers in ~/.local/bin/                 \x1b[36m║\x1b[0m');
+  console.log('\x1b[36m║\x1b[0m  Using container mode (no root needed)                    \x1b[36m║\x1b[0m');
+  console.log('\x1b[36m╚════════════════════════════════════════════════════════════╝\x1b[0m');
+
+  try {
+    fs.mkdirSync(LOCAL_BIN, { recursive: true });
+
+    // Create wrapper scripts for each CLI entry point
+    const wrappers = {
+      'specmem': 'bin/specmem-cli.cjs',
+      'specmem-init': 'scripts/specmem-init.cjs',
+      'specmem-console': 'bin/specmem-console.cjs',
+    };
+
+    for (const [cmd, relPath] of Object.entries(wrappers)) {
+      const targetScript = path.join(SPECMEM_PKG, relPath);
+      const wrapperPath = path.join(LOCAL_BIN, cmd);
+      const wrapperContent = `#!/bin/sh\nexec node "${targetScript}" "$@"\n`;
+      fs.writeFileSync(wrapperPath, wrapperContent, { mode: 0o755 });
+      console.log(`  \x1b[32m✓\x1b[0m Created ${wrapperPath}`);
+    }
+
+    // Check if ~/.local/bin is in PATH
+    const userPath = process.env.PATH || '';
+    if (!userPath.includes(LOCAL_BIN)) {
+      console.log(`\n  \x1b[33m⚠\x1b[0m Add ~/.local/bin to your PATH:`);
+      console.log(`    \x1b[36mexport PATH="$HOME/.local/bin:$PATH"\x1b[0m`);
+      console.log(`    Add this to your ~/.bashrc or ~/.zshrc\n`);
+    } else {
+      console.log(`\n  \x1b[32m✓\x1b[0m ~/.local/bin is already in PATH`);
+    }
+
+    console.log(`  \x1b[32m✓\x1b[0m Run \x1b[1mspecmem-init\x1b[0m to complete setup\n`);
+  } catch (e) {
+    console.log(`  \x1b[31m✗\x1b[0m Failed to create wrappers: ${e.message}`);
+    console.log(`  \x1b[33m⚠\x1b[0m You can still use: npx specmem-hardwicksoftware\n`);
+  }
+  process.exit(0);
 }
 
 // Colors for terminal output
@@ -2221,6 +2252,14 @@ ${c.red}${c.bright}╠═══════════════════
     if (canInstallSystem) {
       // Step 0: Install ALL core system deps FIRST
       installCoreDeps();
+    } else if (needsSudo.length > 0) {
+      // Non-root: skip system deps, use container-only mode
+      log.warn('No root access — using container-only mode (no system PG/Python needed)');
+      log.info(`Container bundles everything. You only need Docker or Podman.`);
+      if (!dockerAvailable) {
+        log.warn('Docker not found! Install Docker (or rootless Podman) for container mode.');
+        log.info('  See: https://docs.docker.com/engine/install/');
+      }
     }
 
     // Step 0a: Claude Code (REQUIRED) - no sudo needed

package/scripts/specmem-init.cjs

@@ -2860,14 +2860,14 @@ const qoms = {
 //   DEAD     → Clean immediately (broken garbage)
 //
 // VERSION SAFETY:
-//   - Every container gets labeled with specmem.version on creation
-//   - Before using ANY container, check specmem.version label
+//   - Every container gets labeled with specmem.container_version on creation
+//   - Before using ANY container, check container_version label (NOT npm version)
 //   - Missing label = old code = KILL IT
 //   - Version mismatch = old code = KILL IT
 //   - Only exact version match = safe to use
 // ============================================================================
 
-// Get current specmem version from package.json
+// Get current specmem version from package.json (informational only)
 function getSpecmemVersion() {
   try {
     const pkgPath = path.join(__dirname, '..', 'package.json');
@@ -2878,7 +2878,19 @@ function getSpecmemVersion() {
   }
 }
 
+// Get container version from container-version.json (used for rebuild decisions)
+function getContainerVersionInfo() {
+  try {
+    const cvPath = path.join(__dirname, '..', 'container', 'container-version.json');
+    return JSON.parse(fs.readFileSync(cvPath, 'utf8'));
+  } catch (e) {
+    return { version: '1.0.0', image: 'ghcr.io/hardwicksoftware/specmem-brain', minSpecmemVersion: '3.7.0' };
+  }
+}
+
 const SPECMEM_VERSION = getSpecmemVersion();
+const CONTAINER_VERSION_INFO = getContainerVersionInfo();
+const CONTAINER_VERSION = CONTAINER_VERSION_INFO.version;
 
 /**
  * Check if a container has the correct specmem version
@@ -2894,16 +2906,24 @@ function checkContainerVersion(containerId) {
   };
 
   try {
-    // Get the specmem.version label
-    const labelOutput = execSync(
-      `docker inspect --format='{{index .Config.Labels "specmem.version"}}' ${containerId} 2>/dev/null`,
+    // Try new container_version label first, fall back to legacy specmem.version
+    let labelOutput = execSync(
+      `docker inspect --format='{{index .Config.Labels "specmem.container_version"}}' ${containerId} 2>/dev/null`,
       { encoding: 'utf8' }
     ).trim();
 
+    if (!labelOutput || labelOutput === '<no value>' || labelOutput === '') {
+      // Fall back to legacy label for old containers
+      labelOutput = execSync(
+        `docker inspect --format='{{index .Config.Labels "specmem.version"}}' ${containerId} 2>/dev/null`,
+        { encoding: 'utf8' }
+      ).trim();
+    }
+
     if (labelOutput && labelOutput !== '<no value>' && labelOutput !== '') {
       result.hasVersion = true;
       result.version = labelOutput;
-      result.matches = labelOutput === SPECMEM_VERSION;
+      result.matches = labelOutput === CONTAINER_VERSION;
       result.needsRebuild = !result.matches;
     }
   } catch (e) {
@@ -2946,6 +2966,7 @@ async function cleanupDockerContainers() {
     errors: [],
     dockerAvailable: false,
     currentVersion: SPECMEM_VERSION,
+    containerVersion: CONTAINER_VERSION,
   };
 
   try {
@@ -3000,14 +3021,14 @@ async function cleanupDockerContainers() {
         // Kill containers with version mismatch (OLD CODE!) - ONLY for THIS project
         if (versionCheck.needsRebuild && status !== 'Dead') {
           const oldVersion = versionCheck.version || 'MISSING';
-          if (killOutdatedContainer(id, `version mismatch: ${oldVersion} != ${SPECMEM_VERSION}`)) {
+          if (killOutdatedContainer(id, `container version mismatch: ${oldVersion} != ${CONTAINER_VERSION}`)) {
             results.versionMismatch++;
             results.cleaned.push({
               id,
               name,
               type: 'version_mismatch',
               oldVersion,
-              newVersion: SPECMEM_VERSION,
+              newVersion: CONTAINER_VERSION,
               wasState: status?.includes('Paused') ? 'paused' : (status?.startsWith('Up') ? 'running' : 'exited'),
             });
           }
@@ -10164,7 +10185,8 @@ ${lastOutput}
       // Stage 3: Container engine — pull image if needed
       ui.setStage(3, 'CONTAINER ENGINE');
       ui.setStatus('Pulling specmem-brain image...');
-      const containerImage = process.env.SPECMEM_CONTAINER_IMAGE || 'ghcr.io/hardwicksoftware/specmem-brain:latest';
+      const cvInfo = getContainerVersionInfo();
+      const containerImage = process.env.SPECMEM_CONTAINER_IMAGE || `${cvInfo.image}:${cvInfo.version}`;
       const rtCmd = (() => {
         try { execSync('which podman 2>/dev/null', { stdio: 'pipe' }); return 'podman'; } catch { return 'docker'; }
       })();

package/specmem/supervisord.conf

@@ -1,6 +1,6 @@
 ; ============================================
 ; SPECMEM BRAIN CONTAINER - DYNAMIC SUPERVISORD CONFIG
-; Generated by specmem-init at 2026-03-09T18:56:25.444Z
+; Generated by specmem-init at 2026-03-10T00:57:50.315Z
 ; Thread counts from model-config.json resourcePool
 ; ============================================
 

package/specmem/user-config.json

@@ -5,8 +5,8 @@
   "cpuMin": 25,
   "ramMinMb": 4000,
   "serviceMode": {
-    "enabled": false,
-    "disabledAt": "2026-02-18T21:38:50.526Z"
+    "enabled": true,
+    "enabledAt": "2026-03-10T02:21:32.753Z"
   },
   "powerMode": {
     "level": "high",