vektor-slipstream 1.4.4 → 1.4.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vektor-slipstream",
-  "version": "1.4.4",
+  "version": "1.4.5",
   "description": "Hardware-accelerated persistent memory for AI agents. Local-first, zero cloud dependency, $0 embedding cost.",
   "main": "slipstream-core-extended.js",
   "types": "./types/index.d.ts",
@@ -72,7 +72,7 @@
   "dependencies": {
     "better-sqlite3": "^12.8.0",
     "onnxruntime-node": "^1.17.3",
-    "vektor-slipstream": "^1.4.4"
+    "vektor-slipstream": "^1.4.5"
   },
   "optionalDependencies": {
     "@anthropic-ai/sdk": "^0.82.0",

package/CHANGELOG.md

@@ -1,139 +0,0 @@
-# VEKTOR v1.3.7 — Changelog
-
-Released: 2026-04-05
-
-## New features
-
-### memory.forget(id)
-Hard-deletes a memory and cascades to all graph edges. Throws if memory is pinned — must unpin first.
-```js
-await memory.forget('mem_abc123');
-// → { deleted: true, edgesRemoved: 4 }
-```
-
-### memory.forgetWhere(query, opts)
-Semantic bulk-delete. Preview with `dryRun: true` before committing.
-```js
-await memory.forgetWhere('Project Atlas', { dryRun: true });
-await memory.forgetWhere('Project Atlas', { minScore: 0.9, limit: 5 });
-```
-
-### memory.pin(id) / memory.unpin(id) / memory.listPinned()
-Mark memories as permanent — REM cycle will never compress or delete them.
-```js
-const { id } = await memory.remember('User is allergic to peanuts');
-await memory.pin(id);
-await memory.listPinned(); // → all pinned memories
-```
-
-### memory.inspect()
-Full diagnostic snapshot — no more raw SQLite queries to debug state.
-```js
-const state = memory.inspect();
-state.counts       // → { memories: 247, pinned: 3, edges: 7180 }
-state.rem          // → { totalDreams: 11, compressionRatio: '0.06' }
-state.graph.topNodes  // → 5 most-connected memories
-```
-
-### memory.auditLog(opts) / memory.auditStats()
-Full AUDN decision history. Nothing disappears silently.
-```js
-memory.auditLog({ action: 'DELETE', since: '7d' });
-// → [{ action, memory_id, content, reason, similarity, ran_at }]
-```
-
-### memory.briefing({ since }) — scoped date filtering
-```js
-await memory.briefing({ since: '7d' });
-await memory.briefing({ since: '12h', minImportance: 0.7 });
-await memory.briefing({ since: '2026-01-01', raw: true });
-```
-
-### memory.export() / memory.import()
-Full graph serialisation with checksum integrity.
-```js
-const bundle = memory.export();
-fs.writeFileSync('backup.vektor.json', JSON.stringify(bundle));
-
-memory.import(bundle);
-// → { imported: 244, skipped: 3, edgesAdded: 7100 }
-
-memory.import(bundle, { dryRun: true });    // preview
-memory.import(bundle, { mode: 'replace' }); // wipe and restore
-```
-
-### Namespace support
-Scope all reads/writes to prevent project bleed.
-```js
-const memory = await createMemory({ agentId: 'my-agent', namespace: 'project-atlas' });
-memory.listNamespaces();
-// → [{ namespace: 'project-atlas', memories: 18 }, ...]
-```
-
-### TypeScript types
-Full `.d.ts` declarations for all public API methods. No more flying blind in your IDE.
-Add to `tsconfig.json`: `"types": ["vektor-slipstream"]`
-
-### Structured error codes
-Replace string catch blocks with reliable `VektorError.code` switching.
-```js
-import { VektorError, ERR } from 'vektor-slipstream/errors';
-
-try {
-  await memory.remember(...)
-} catch (e) {
-  if (e instanceof VektorError) {
-    switch (e.code) {
-      case ERR.LICENCE_INVALID: // handle
-      case ERR.EMBED_FAILED:    // retry
-    }
-  }
-}
-```
-
-## Schema changes
-Run `npx vektor migrate` after updating, or migration runs automatically on startup.
-
-New columns:
-- `memories.pinned` INTEGER DEFAULT 0
-- `memories.namespace` TEXT DEFAULT 'default'
-- `memories.updated_at` INTEGER
-
-New tables:
-- `audn_log` — AUDN decision audit trail
-- `rem_log` — REM cycle run history (if not already present)
-- `vektor_meta` — schema version tracking
-
-## Bug fixes
-- REM cycle now skips pinned memories (previously could compress critical facts)
-- AUDN deletions now logged before execution (previously silent)
-- briefing() no longer returns stale summary when no memories exist in window
-
-## Breaking changes
-None. All new methods are additive. Existing code works unchanged.
-Migration is backward-compatible — new columns have safe defaults.
-
-## Gemini security review fixes (round 1 — applied)
-- `briefing.js` — pinned memory query now has LIMIT 50 (context bomb prevention)
-- `briefing.js` — `parseSince()` guards against `Date.now()` ms being passed as unix seconds
-- `forget.js` — `forgetWhere()` selective error catching — infra errors re-thrown, only expected skips swallowed
-- `namespace.js` — O(N) JS delete loop replaced with bulk SQL subquery (2 statements vs N*2)
-- `inspect.js` — all `SUM()` aggregations wrapped in `IFNULL(..., 0)` — no more `null` in charts
-- `migrate-137.js` — `PRAGMA table_info()` replaces brittle error-message string matching
-
-## Gemini security review fixes (round 2 — applied)
-- `export-import.js` — Fix 1: `IN (...memIds)` placeholders replaced with SQL subqueries — no more 32,766 param limit crash on large exports
-- `export-import.js` — Fix 2: O(N) loop in `replace` mode replaced with bulk subquery deletes
-- `export-import.js` — Fix 3: checksum now hashes full memories payload — content/importance tampering now detectable
-- `export-import.js` — Fix 4: dangling edge guard — edges only inserted if both source and target exist in destination (`WHERE EXISTS`)
-- `export-import.js` — `edgesSkipped` added to import return value with console.warn for partial imports
-
-## Gemini security review fixes (round 3 — applied)
-- `forget.js` — pinned edge orphan guard: blocks deleting a memory that shares
-  a graph edge with a pinned memory — prevents silent MAGMA traversal corruption
-- `namespace.js` — SQLITE_BUSY retry loop: 3 attempts × 100ms using
-  `Atomics.wait` (correct sync sleep for better-sqlite3) before propagating error
-- `export-import.js` — confirmed: empty bundle guard (line 103) already sits
-  before checksum computation (line 107) — correct order, no change needed
-
-## Total fixes across 3 Gemini review rounds: 13

package/LICENSE

@@ -1,33 +0,0 @@
-VEKTOR SLIPSTREAM — COMMERCIAL LICENCE
-
-Copyright (c) 2026 VEKTOR Memory (vektormemory.com)
-
-This software is licensed, not sold. Purchase of a Vektor Slipstream licence
-grants you a non-exclusive, non-transferable right to use this software in
-accordance with the following terms:
-
-PERMITTED:
-- Use in personal, commercial, and client projects
-- Embed in products you sell or SaaS platforms
-- Deploy on up to 3 machines per licence key
-- Modify for your own use (modifications are not redistributable)
-
-NOT PERMITTED:
-- Redistribute, resell, or sublicense this software
-- Remove or modify licence enforcement mechanisms
-- Share your licence key with others
-- Use in projects that compete directly with VEKTOR Memory
-
-LICENCE ENFORCEMENT:
-This software requires a valid licence key from vektormemory.com.
-Licence keys are validated via Polar (polar.sh) and cached locally.
-Each key activates on up to 3 machines.
-
-SOVEREIGNTY GUARANTEE:
-Core SDK functionality remains a one-time purchase permanently.
-No mandatory subscription will ever be required for the memory core,
-AUDN loop, REM cycle, or integration adapters included in this package.
-
-Purchase: https://vektormemory.com/product#pricing
-Support:  hello@vektormemory.com
-Docs:     https://vektormemory.com/docs

package/TENETS.md

@@ -1,189 +0,0 @@
-# The 8 Sovereign Laws of Vektor Slipstream
-
-Vektor Slipstream is built on a two-tier trust framework.
-
-**Tier 1 — Architectural Laws** are enforced by the code itself.
-You can verify every one of them by inspecting the source.
-
-**Tier 2 — Design Commitments** are the principles that shaped every
-engineering decision. They are auditable in how the system behaves,
-not enforced at runtime (except Law VIII, which is opt-in).
-
----
-
-## Tier 1 — Architectural Laws
-*Enforced by the code. Verifiable by inspection.*
-
-### Law I — Locality
-**Data never leaves your machine.**
-
-All memory operations read and write to a local SQLite file.
-No outbound network calls are made for memory storage, retrieval,
-or embedding. LLM inference uses the provider you configure under
-your own API key.
-
-**Verify it:**
-```bash
-grep -r "fetch\|axios\|http\|https" src/slipstream-core.js | grep -v "provider"
-# Returns nothing — no outbound memory calls exist
-```
-
-**In the code:** `createMemory({ dbPath })` — the only write path
-is the SQLite adapter. There is no cloud sync path in the codebase.
-
----
-
-### Law II — Epistemological Hygiene
-**Every write passes through AUDN curation. No exceptions.**
-
-Every call to `memory.remember()` routes through the AUDN loop
-before writing. The system decides: ADD new info, UPDATE an existing
-node, DELETE a contradiction, or NO_OP if already known.
-Duplicates and drift are structurally impossible.
-
-**Verify it:**
-```bash
-grep -n "remember" src/slipstream-core.js
-# Every path leads through audn() before any db.run()
-```
-
-**In the code:** `memory.remember(text)` → `audn(text)` → `ADD | UPDATE | DELETE | NO_OP` → SQLite write
-
----
-
-### Law III — Continual Synthesis
-**The REM cycle compresses. It never injects.**
-
-The 7-phase REM cycle only removes or consolidates existing memories.
-It never adds new information from external sources. Compression is
-one-way: fragments collapse into insights. The graph grows wiser,
-not larger.
-
-**Verify it:**
-```bash
-grep -n "INSERT\|remember" src/rem.js
-# All INSERTs are rewrites of existing nodes — no external data source
-```
-
-**In the code:** `memory.dream()` — reads the fragment pool, writes
-consolidated insights, tombstones the originals. No external fetch.
-
----
-
-### Law IV — Object Permanence
-**Memory survives all session resets.**
-
-The SQLite graph persists across process restarts, provider changes,
-and agent redeployments. The `.db` file is the complete state.
-Backup is a file copy. Migration is a file move.
-
-**Verify it:**
-```bash
-ls -lh ./your-agent.db
-# Kill the process. Restart. Memory is intact.
-```
-
-**In the code:** `createMemory({ dbPath: './agent.db' })` —
-no in-memory-only state path exists. SQLite is the only store.
-
----
-
-## Tier 2 — Design Commitments
-*Principles that shaped every engineering decision.
-Auditable in how the system behaves, not enforced at runtime.*
-
----
-
-### Law V — Signal Purity
-**Retrieval returns relevance, not recency.**
-
-Recall is ranked by combined importance score and cosine similarity —
-not insertion order or timestamp. A memory from six months ago
-surfaces if it is more relevant than one from yesterday.
-
-**Auditable in:** `memory.recall()` ranking logic —
-`ORDER BY (importance_score * cos_similarity) DESC`,
-never `ORDER BY created_at DESC`.
-
----
-
-### Law VI — Separation of Concerns
-**Memory and identity are separate systems.**
-
-The MAGMA graph holds what the agent knows.
-The Cloak vault holds who the agent is.
-These are separate storage systems with separate access paths.
-Compromising one does not compromise the other.
-
-**Auditable in:** `slipstream-memory.db` ≠ `vault.enc` —
-different files, different encryption keys, different access methods.
-
----
-
-### Law VII — Harm Avoidance
-**No code path knowingly facilitates harm.**
-
-No feature in Vektor Slipstream is designed to enable surveillance,
-manipulation, or harm. This is a design commitment, not runtime
-enforcement. Operators are accountable for what their agents do
-with persistent memory.
-
-**Auditable in:** codebase review — no profiling, tracking, or
-behavioural manipulation primitives exist in the SDK.
-
----
-
-### Law VIII — Injection Resistance *(opt-in enforcement)*
-**Prompt injection surface is minimised by design.
-Full enforcement is available on request.**
-
-AUDN prompt inputs are delimited before LLM evaluation.
-Recalled memories are clearly bounded in context to prevent
-bleed into system instructions.
-
-Full injection-shield screening is available as an opt-in flag
-for operators who require it. It adds approximately 80ms per write.
-
-```js
-const memory = await createMemory({
-  agentId: 'my-agent',
-  licenceKey: process.env.VEKTOR_KEY,
-  dbPath: './agent.db',
-  sovereign: true  // enables Law VIII enforcement
-});
-```
-
-**Auditable in:** `sovereign.js` — input screening wrapper,
-loaded only when `sovereign: true` is passed to `createMemory()`.
-
----
-
-## Boot confirmation
-
-When Vektor Slipstream initialises, the following is logged to confirm
-the laws are active:
-
-```
-[vektor] Sovereign Agent active
-[vektor] Law I   ✓ locality     — no cloud sync path
-[vektor] Law II  ✓ hygiene      — AUDN on every write
-[vektor] Law III ✓ synthesis    — REM compress-only
-[vektor] Law IV  ✓ permanence   — SQLite persists
-[vektor] Law VIII  sovereign: true — injection shield active
-```
-
-Laws V–VII are design commitments and are not logged at boot.
-Law VIII boot line only appears when `sovereign: true` is set.
-
----
-
-## The contract
-
-Tier 1 laws are signed by the architecture.
-If any of them are ever violated by a future version of Vektor,
-that is a breaking change and will be documented as such in CHANGELOG.md.
-
-Tier 2 laws are signed by the team.
-They are the principles we will not compromise in future development.
-
-*Version: Slipstream 1.0.2 · Last updated: 2026-04-03*

package/audn-log.js

@@ -1,143 +0,0 @@
-/**
- * VEKTOR AUDN audit log — v1.3.7
- * Records every ADD/UPDATE/DELETE/NO_OP decision AUDN makes
- * before acting on it. Full transparency — nothing disappears silently.
- *
- * Schema additions required:
- *   CREATE TABLE IF NOT EXISTS audn_log (
- *     id          INTEGER PRIMARY KEY AUTOINCREMENT,
- *     agent_id    TEXT NOT NULL,
- *     namespace   TEXT NOT NULL,
- *     action      TEXT NOT NULL,  -- ADD | UPDATE | DELETE | NO_OP
- *     memory_id   TEXT,           -- affected memory id (null for ADD before insert)
- *     content     TEXT,           -- snapshot of content at time of action
- *     reason      TEXT,           -- why AUDN made this decision
- *     similarity  REAL,           -- similarity score that triggered the decision
- *     ran_at      INTEGER DEFAULT (unixepoch())
- *   );
- *   CREATE INDEX IF NOT EXISTS idx_audn_log_agent ON audn_log(agent_id, namespace, ran_at);
- */
-
-/**
- * logAudn — call this inside AUDN before executing each decision
- *
- * @param {object} db
- * @param {string} agentId
- * @param {string} namespace
- * @param {object} entry
- * @param {string} entry.action      - ADD | UPDATE | DELETE | NO_OP
- * @param {string} entry.memoryId    - memory id (if known)
- * @param {string} entry.content     - content snapshot
- * @param {string} entry.reason      - human-readable reason
- * @param {number} entry.similarity  - cosine score that triggered this
- */
-export function logAudn(db, agentId, namespace, entry) {
-  db.prepare(`
-    INSERT INTO audn_log (agent_id, namespace, action, memory_id, content, reason, similarity)
-    VALUES (?, ?, ?, ?, ?, ?, ?)
-  `).run(
-    agentId,
-    namespace,
-    entry.action,
-    entry.memoryId || null,
-    entry.content ? entry.content.slice(0, 500) : null,
-    entry.reason || null,
-    entry.similarity || null
-  );
-}
-
-/**
- * auditLog(opts) — retrieve AUDN decision history
- *
- * @param {object} db
- * @param {string} agentId
- * @param {string} namespace
- * @param {object} opts
- * @param {number}  opts.limit   - max rows (default 50)
- * @param {string}  opts.action  - filter to specific action (ADD|UPDATE|DELETE|NO_OP)
- * @param {string}  opts.since   - time filter — '7d', '24h', ISO date
- * @returns {object[]}
- */
-export function auditLog(db, agentId, namespace, opts = {}) {
-  const { limit = 50, action = null, since = null } = opts;
-
-  let sinceTs = null;
-  if (since) {
-    const rel = String(since).match(/^(\d+)(d|h|m)$/);
-    if (rel) {
-      const n = parseInt(rel[1]);
-      const unit = rel[2];
-      const seconds = unit === 'd' ? n * 86400 : unit === 'h' ? n * 3600 : n * 60;
-      sinceTs = Math.floor(Date.now() / 1000) - seconds;
-    } else {
-      sinceTs = Math.floor(Date.parse(since) / 1000);
-    }
-  }
-
-  const actionClause = action ? `AND action = '${action.toUpperCase()}'` : '';
-  const sinceClause = sinceTs ? `AND ran_at >= ${sinceTs}` : '';
-
-  return db.prepare(`
-    SELECT id, action, memory_id, content, reason, similarity, ran_at
-    FROM audn_log
-    WHERE agent_id = ? AND namespace = ?
-    ${actionClause}
-    ${sinceClause}
-    ORDER BY ran_at DESC
-    LIMIT ?
-  `).all(agentId, namespace, limit);
-}
-
-/**
- * auditStats() — summary counts by action type
- */
-export function auditStats(db, agentId, namespace) {
-  return db.prepare(`
-    SELECT
-      action,
-      COUNT(*) as count,
-      MAX(ran_at) as last_at
-    FROM audn_log
-    WHERE agent_id = ? AND namespace = ?
-    GROUP BY action
-    ORDER BY count DESC
-  `).all(agentId, namespace);
-}
-
-/**
- * pruneAuditLog(days) — keep log from growing forever
- * Call from REM cycle or a scheduled job
- */
-export function pruneAuditLog(db, agentId, namespace, keepDays = 30) {
-  const cutoff = Math.floor(Date.now() / 1000) - keepDays * 86400;
-  const result = db.prepare(
-    `DELETE FROM audn_log WHERE agent_id = ? AND namespace = ? AND ran_at < ?`
-  ).run(agentId, namespace, cutoff);
-  return { pruned: result.changes };
-}
-
-/**
- * Integration into Memory class / AUDN loop:
- *
- * // Inside AUDN decision logic:
- * logAudn(this.db, this.agentId, this.namespace, {
- *   action: 'DELETE',
- *   memoryId: existing.id,
- *   content: existing.content,
- *   reason: 'Contradicts newer memory with score 0.94',
- *   similarity: 0.94
- * });
- * // then execute the delete
- *
- * // Expose on Memory class:
- * auditLog(opts = {}) {
- *   return auditLog(this.db, this.agentId, this.namespace, opts);
- * }
- *
- * Usage:
- *   memory.auditLog({ action: 'DELETE', since: '7d' });
- *   // → [{ id, action:'DELETE', content:'...', reason:'...', ran_at }]
- *
- *   memory.auditLog({ limit: 100 });
- *   // → last 100 AUDN decisions
- */