[upstream PR 1] fix: system audit -- 10 bugs fixed across hooks, triggers, and core #914

@wbugitlab1

Description

Source repository: rohitg00/agentmemory
Source pull request number: 1
Source URL: intentionally omitted to avoid GitHub cross-references
Title: fix: system audit -- 10 bugs fixed across hooks, triggers, and core
Author: rohitg00
State: closed
Draft: no
Merged: yes
Head: rohitg00/agentmemory:audit/system-review @ 77b161f
Base: main @ b5ea36e
Labels: (none)
Changed files: 0
Commits: 0
Created: 2026-02-25T08:22:06Z
Updated: 2026-02-25T08:22:38Z
Closed: 2026-02-25T08:22:34Z
Merged at: 2026-02-25T08:22:34Z

Original PR body:

Summary

Full system audit of agentmemory. Read every source file, identified 10 bugs across 17 files, fixed all of them.

Critical

  • Event triggers bypassed auth -- events.ts was calling api:: functions that require ApiRequest shape + auth headers. When AGENTMEMORY_SECRET is set, every event trigger got 401. Rewrote to call core KV/functions directly.
  • All 5 hooks missing auth -- None of the hook scripts sent Authorization: Bearer header. Every hook POST would fail silently when secret is configured.

High

  • observe.ts JSON.parse crash -- stripPrivateData() on a JSON string could break JSON structure (e.g., removing <private> inside a string value). Added try/catch with fallback.
  • post-tool-use.ts invalid truncation -- JSON.parse(str.slice(0, max-1) + '}') produces invalid JSON for nested objects. Returns truncated string instead.

Medium

  • compress.ts unbounded importance -- LLM could return importance outside 1-10 range or NaN. Added Math.max(1, Math.min(10, ...)) with NaN fallback.
  • compress.ts invalid observation types -- LLM could return types not in ObservationType. Added VALID_TYPES set validation with "other" fallback.

Low

  • context.ts token undercount -- Token estimate missed the header text of observation blocks, causing budget overshoot.
  • viewer/index.html hardcoded WS port -- WebSocket port now configurable via ?wsPort= query param.

Code simplification (second commit)

  • Removed redundant getContext()/logger from event triggers (targets already log)
  • Collapsed trivial delegate functions to one-liners
  • Removed unnecessary as const casts
  • Extracted shared viewer response headers

Test plan

  • npx tsc --noEmit -- zero type errors
  • npm test -- 45/45 tests pass (242ms)
  • Integration test with AGENTMEMORY_SECRET set to verify hooks authenticate
  • Verify viewer loads with custom ?wsPort= param

Local branch:
Fork PR:
Fork decision:
Verification:
Notes:
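The two compress.ts fixes listed under Medium (clamping the model's importance score to 1-10 with a NaN fallback, and rejecting observation types outside the allowed set) are one input-validation step on LLM output. The block below is an added example written for this page, not agentmemory's code: the type names other than "other", the fallback importance of 5, the field names and the sample response are all assumptions made for the illustration.

```javascript
// Added example, not agentmemory's own code. Shows the two compress.ts validations the PR
// describes: clamping LLM-returned importance to 1-10 with a NaN fallback, and collapsing
// unknown observation types to "other". The type names other than "other", the fallback
// importance of 5 and the field names are assumptions made for this illustration.

// Closed allow-list: the model cannot introduce a type the rest of the system never handles.
const VALID_TYPES = new Set(["decision", "error", "preference", "other"]);
const MIN_IMPORTANCE = 1;
const MAX_IMPORTANCE = 10;
const DEFAULT_IMPORTANCE = 5; // assumed value for NaN/missing/non-numeric importance

// Coerce, then clamp. Number(undefined), Number("abc") and NaN all fail isFinite and take the
// default; Infinity does too, so a runaway value cannot escape the 1-10 range. Fractional
// values inside the range are kept, exactly as Math.max(1, Math.min(10, x)) keeps them.
function clampImportance(value) {
  const n = typeof value === "number" ? value : Number(value);
  if (!Number.isFinite(n)) return DEFAULT_IMPORTANCE;
  return Math.max(MIN_IMPORTANCE, Math.min(MAX_IMPORTANCE, n));
}

// Exact, case-sensitive membership check; anything else becomes "other".
function normalizeType(value) {
  return typeof value === "string" && VALID_TYPES.has(value) ? value : "other";
}

// Drop observations without usable content; normalise the rest field by field rather than
// trusting the shape the model emitted.
function normalizeObservation(raw) {
  if (raw === null || typeof raw !== "object") return null;
  if (typeof raw.content !== "string" || raw.content.trim() === "") return null;
  return {
    type: normalizeType(raw.type),
    importance: clampImportance(raw.importance),
    content: raw.content,
  };
}

// A model response is expected to be a JSON array of observations. Malformed JSON or a
// non-array yields an empty list instead of an exception.
function parseModelResponse(text) {
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch {
    return [];
  }
  if (!Array.isArray(parsed)) return [];
  return parsed.map(normalizeObservation).filter((o) => o !== null);
}

// Constructed sample response with the kinds of values a model can return.
const SAMPLE_RESPONSE = JSON.stringify([
  { type: "decision", importance: 12, content: "Chose SQLite for the cache" },
  { type: "bogus-type", importance: "NaN", content: "Unknown category" },
  { type: "error", importance: -4.5, content: "Build failed" },
  { type: "preference", importance: "7", content: "Prefers tabs" },
  { content: "   " },
  "not an object",
]);

console.log(parseModelResponse(SAMPLE_RESPONSE));
```

The point of validating per field rather than per object is that a single bad score or type from the model costs only that field, never the whole batch; the out-of-range, string and missing values in the sample all land inside the range the rest of the system expects.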
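The two High items describe the same underlying mistake: treating serialised JSON as plain text. Stripping private tags from the raw string can remove keys along with the tagged content, and cutting the string at a byte offset and appending "}" does not produce JSON once objects nest. The block below is an added example, not agentmemory's code: the tag regex, the function names, the "...[truncated]" marker and the sample payloads are constructed for the illustration; the PR only states that the fixes were a try/catch fallback and returning the truncated string.

```javascript
// Added example, not agentmemory's code. Demonstrates the observe.ts and post-tool-use.ts
// pitfalls named in the PR and one defensive handling of each. Tag format, function names,
// the truncation marker and all sample payloads are constructed for this illustration.

const PRIVATE_RE = /<private>[\s\S]*?<\/private>/g;

// Text-level stripping on the serialised document. When an open tag sits in one string
// value and the close tag in another, everything between them, including keys and quotes,
// is removed: the result may parse to a different object or not parse at all.
function stripPrivateFromText(text) {
  return text.replace(PRIVATE_RE, "");
}

// Structure-aware stripping: recurse into the parsed document and clean each string value,
// so keys, separators and quotes are never touched. A tag that does not close inside the
// same value is left as-is rather than swallowing neighbouring fields.
function stripPrivateFromValue(value) {
  if (typeof value === "string") return value.replace(PRIVATE_RE, "");
  if (Array.isArray(value)) return value.map(stripPrivateFromValue);
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = stripPrivateFromValue(v);
    return out;
  }
  return value;
}

// Parse first and strip per value; if the payload is not JSON, fall back to text stripping
// so a non-JSON tool result still has its private spans removed.
function stripPrivateData(text) {
  try {
    return { ok: true, value: stripPrivateFromValue(JSON.parse(text)) };
  } catch {
    return { ok: false, value: stripPrivateFromText(text) };
  }
}

function parsesAsJson(text) {
  try {
    JSON.parse(text);
    return true;
  } catch {
    return false;
  }
}

// The truncation the PR removed: cut at a byte offset, append "}", parse. Fails whenever
// the cut lands inside a nested object, an array or a string.
function naiveTruncate(str, max) {
  return JSON.parse(str.slice(0, max - 1) + "}");
}

function naiveTruncateThrows(str, max) {
  try {
    naiveTruncate(str, max);
    return false;
  } catch {
    return true;
  }
}

// Replacement: bound the size, mark the cut, and never reinterpret the cut text as JSON.
function truncateToolOutput(str, max) {
  if (str.length <= max) return { text: str, truncated: false };
  return { text: str.slice(0, max) + "...[truncated]", truncated: true };
}

// Constructed samples.
const BALANCED_SAMPLE =
  '{"title":"hello <private>ssn 123</private> world","body":"<private>all private</private>","n":{"k":"x <private>y</private>"}}';
const CROSS_VALUE_SAMPLE = '{"title":"<private>open here","body":"closes here</private> public"}';
const TAG_IN_KEY_SAMPLE = '{"a":"<private>","b</private>":1}';
const NESTED_SAMPLE = '{"a":{"b":1},"c":2}';

console.log(stripPrivateData(BALANCED_SAMPLE).value);          // tags removed from each value
console.log(stripPrivateFromText(CROSS_VALUE_SAMPLE));          // "body" key silently gone
console.log(parsesAsJson(stripPrivateFromText(TAG_IN_KEY_SAMPLE))); // false
console.log(truncateToolOutput(NESTED_SAMPLE, 8));
```

Running it shows the failure modes side by side: on CROSS_VALUE_SAMPLE the text-level strip still parses but has lost the "body" field, on TAG_IN_KEY_SAMPLE it no longer parses, and naive truncation of NESTED_SAMPLE throws where the bounded-string version returns a usable result with a flag the caller can act on.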

Metadata

Assignees: no one assigned

Labels:
  • decision-candidate -- Fork decision has not been made
  • upstream-merged -- Upstream pull request is merged upstream
  • upstream-pr -- Tracks an upstream pull request

Projects: no projects

Milestone: no milestone

Relationships: none yet

Development: no branches or pull requests