Lines 298-351javascript
298 .prepare('INSERT INTO raw_memory (content, namespace, timestamp) VALUES (?, ?, ?)')
299 .run(fallbackOnlyContent, 'prose', new Date().toISOString());
300 const fallbackResults = await fallbackLoaded.service.recall('raw-only memory fragment');
301 assert.ok(fallbackResults.some(item => item.id === Number(fallbackInsert.lastInsertRowid)), 'FTS fallback did not surface the raw-only memory row');
302 assert.ok(fallbackResults.some(item => item.match_source === 'fts'), 'FTS fallback should label trigram-based matches');
304 console.log('1a. Testing P0 namespace isolation ...');
305 const nsDb = primaryLoaded.db.getDb();
306 assert.ok(primaryLoaded.db.tableExists(nsDb, 'raw_memory_fts'), 'raw_memory_fts table should exist after first remember');
307 const proseRowCount = nsDb.prepare("SELECT COUNT(*) AS c FROM raw_memory WHERE namespace = 'prose'").get().c;
308 assert.ok(proseRowCount > 0, 'prose namespace should contain the remembered record');
309 primaryLoaded.db.ensureNamespaceTables(nsDb, 'code', primaryLoaded.models.getActiveEngineInfo().model, primaryLoaded.models.getActiveEngineInfo().dims);
310 const namespaceCounts = primaryLoaded.db.getNamespaceCounts(nsDb);
311 assert.ok(namespaceCounts.code.present, 'code namespace should be registered after ensureNamespaceTables');
312 const codeRowCount = nsDb.prepare("SELECT COUNT(*) AS c FROM raw_memory WHERE namespace = 'code'").get().c;
313 assert.strictEqual(codeRowCount, 0, 'code namespace should start empty');
314 const proseRowCountAfter = nsDb.prepare("SELECT COUNT(*) AS c FROM raw_memory WHERE namespace = 'prose'").get().c;
315 assert.strictEqual(proseRowCountAfter, proseRowCount, 'creating code ns must not disturb prose ns');
317 console.log('1b. Testing P1 safety scanner blocks well-known secret prefixes ...'); const safety = require(path.join(CLI_DIR, 'safety.js'));
318 const blockScan = safety.scanForSecrets('GitHub token: ghp_abcdefghij1234567890abcdefghij123456 here');
CriticalCritical Secret
Package contains a critical-looking secret pattern.
templates/cli/test/integration.jsView on unpkg · L318 CriticalSecret Pattern
GitHub personal access token in templates/cli/test/integration.js
templates/cli/test/integration.jsView on unpkg · L318 319 assert.strictEqual(blockScan.severity, 'block', 'GitHub token should be classified as block');
320 assert.ok(blockScan.hits.some(h => h.kind === 'github_token'), 'GitHub token kind should appear in hits');
321 const akiaScan = safety.scanForSecrets('config = AKIAIOSFODNN7EXAMPLE');
CriticalSecret Pattern
AWS access key ID in templates/cli/test/integration.js
templates/cli/test/integration.jsView on unpkg · L321 322 assert.strictEqual(akiaScan.severity, 'block', 'AWS access key should be classified as block');
323 // Memorize must reject content with secrets unless allowSecrets is set.
324 await assert.rejects(
325 primaryLoaded.service.memorize('My ssh key looks like ghp_abcdefghij1234567890abcdefghij123456 in this trace, which is long enough.'),
CriticalSecret Pattern
GitHub personal access token in templates/cli/test/integration.js
templates/cli/test/integration.jsView on unpkg · L325 327 'memorize must throw when content contains a known secret prefix'
329 // archive() also must reject the same content.
330 await assert.rejects(
331 primaryLoaded.service.archive('Here is my ssh key ghp_abcdefghij1234567890abcdefghij123456 captured during debugging the deploy step.'),
CriticalSecret Pattern
GitHub personal access token in templates/cli/test/integration.js
templates/cli/test/integration.jsView on unpkg · L331 333 'archive must throw when content contains a known secret prefix'
335 // No new raw archive file should have been written for the rejected payload.
336 const rawDirAfterReject = fs.existsSync(path.join(primary.runtimeRoot, 'raw_memory'))
337 ? fs.readdirSync(path.join(primary.runtimeRoot, 'raw_memory'))
339 assert.ok(!rawDirAfterReject.some(f => f.includes('ghp_')), 'rejected secrets must never produce a raw archive file');
340 // The summarizeHits helper must not include the matched bytes (privacy).
341 const summary = safety.summarizeHits(blockScan.hits);
342 assert.ok(!summary.includes('ghp_'), 'safety summary must not leak the matched secret bytes');
343 // Warn-tier (email PII) is redacted but written.
344 const beforeId = primaryLoaded.service.list().length;
345 await primaryLoaded.service.memorize('Contact me at alice@example.com for follow-up; this trace is long enough to satisfy the quality guard rules.');
346 const afterRows = primaryLoaded.service.list();
347 assert.ok(afterRows.length > beforeId, 'warn-tier content should be persisted (redacted)');
348 const lastRow = afterRows[afterRows.length - 1];
349 assert.ok(!lastRow.content.includes('alice@example.com'), 'warn-tier email should have been redacted in stored content');
350 assert.ok(lastRow.content.includes('<REDACTED:email>'), 'warn-tier email should be replaced with a redaction marker');