feat(diffmem): add DiffMem integration for long-term user memory

- Add DiffMemClient for communicating with DiffMem server API
- Add MCP tool handlers: diffmem_get_user_context, diffmem_store_learning,
  diffmem_search, diffmem_status
- Add session hooks for auto-fetch on start and sync on end
- Add UnifiedContextAssembler with token budget management
- Add PrivacyFilter with strict/standard/permissive modes
- Update initialization script with --with-diffmem flag
- Add npm scripts: diffmem:start, diffmem:setup

Two-layer architecture:
- DiffMem: long-term user knowledge (preferences, expertise, patterns)
- StackMemory: session/task context (frames, decisions, tool calls)

Token budget allocation: 20% user knowledge, 70% task context, 10% system

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: jonathanpeterwu

.gitignore

@@ -115,3 +115,7 @@ service-account.json
 # Claude settings with secrets
 .claude/settings.local.json
 external/
+
+# DiffMem subpackage (cloned repo)
+packages/diffmem/
+.env.diffmem

package.json

@@ -79,6 +79,8 @@
     "daemons:stop": "node scripts/claude-sm-autostart.js stop",
     "daemon:session": "node dist/daemon/session-daemon.js",
     "daemon:session:start": "node dist/daemon/session-daemon.js --session-id",
+    "diffmem:start": "PYTHONPATH=packages/diffmem/src packages/diffmem/.venv/bin/uvicorn diffmem.server:app --host 127.0.0.1 --port 8000",
+    "diffmem:setup": "cd packages/diffmem && python3 -m venv .venv && .venv/bin/pip install -r requirements-server.txt -e .",
     "daemon:start": "node dist/daemon/unified-daemon.js",
     "daemon:stop": "node dist/cli/index.js daemon stop",
     "daemon:status": "node dist/cli/index.js daemon status",

scripts/initialize.ts

@@ -13,6 +13,9 @@ import {
 import { join } from 'path';
 import { execSync } from 'child_process';
 import chalk from 'chalk';
+
+// Parse CLI args for --with-diffmem flag
+const enableDiffMem = process.argv.includes('--with-diffmem');
 // Type-safe environment variable access
 function getEnv(key: string, defaultValue?: string): string {
   const value = process.env[key];
@@ -125,14 +128,93 @@ try {
   console.log(chalk.yellow('⚠') + ' Build failed - run npm run build manually');
 }
 
+// 7. Optional: Initialize DiffMem for long-term user memory
+if (enableDiffMem) {
+  console.log(chalk.blue('\n🧠 Setting up DiffMem integration...\n'));
+
+  const diffmemDir = join(stackDir, 'diffmem');
+  const diffmemStorageDir = join(diffmemDir, 'storage');
+  const diffmemWorktreesDir = join(diffmemDir, 'worktrees');
+
+  // Create DiffMem directories
+  mkdirSync(diffmemStorageDir, { recursive: true });
+  mkdirSync(diffmemWorktreesDir, { recursive: true });
+
+  // Initialize git repo for storage
+  if (!existsSync(join(diffmemStorageDir, '.git'))) {
+    try {
+      execSync('git init', { cwd: diffmemStorageDir, stdio: 'pipe' });
+      execSync('git commit --allow-empty -m "Initialize DiffMem storage"', {
+        cwd: diffmemStorageDir,
+        stdio: 'pipe',
+      });
+      console.log(chalk.green('✓') + ' Initialized DiffMem storage repository');
+    } catch {
+      console.log(
+        chalk.yellow('⚠') + ' Failed to initialize git repo for DiffMem'
+      );
+    }
+  }
+
+  // Create DiffMem config
+  const diffmemConfigPath = join(diffmemDir, 'config.json');
+  const diffmemConfig = {
+    enabled: true,
+    endpoint: 'http://localhost:8000',
+    userId: process.env['USER'] || 'default',
+    storagePath: diffmemStorageDir,
+    worktreePath: diffmemWorktreesDir,
+  };
+  writeFileSync(diffmemConfigPath, JSON.stringify(diffmemConfig, null, 2));
+  console.log(chalk.green('✓') + ' Created DiffMem configuration');
+
+  // Add DiffMem env vars to .env file
+  const envPath = join(projectRoot, '.env');
+  const diffmemEnvVars = `
+# DiffMem Configuration (Long-term User Memory)
+DIFFMEM_ENABLED=true
+DIFFMEM_ENDPOINT=http://localhost:8000
+DIFFMEM_USER_ID=${process.env['USER'] || 'default'}
+DIFFMEM_STORAGE_PATH=${diffmemStorageDir}
+DIFFMEM_WORKTREE_PATH=${diffmemWorktreesDir}
+`;
+
+  if (existsSync(envPath)) {
+    const envContent = readFileSync(envPath, 'utf-8');
+    if (!envContent.includes('DIFFMEM_')) {
+      appendFileSync(envPath, diffmemEnvVars);
+      console.log(chalk.green('✓') + ' Added DiffMem configuration to .env');
+    }
+  } else {
+    writeFileSync(envPath, diffmemEnvVars.trim() + '\n');
+    console.log(chalk.green('✓') + ' Created .env with DiffMem configuration');
+  }
+
+  console.log(chalk.green('✓') + ' DiffMem integration configured');
+  console.log(
+    chalk.gray(
+      '  Note: DiffMem server must be running for user memory features'
+    )
+  );
+}
+
 console.log(chalk.green.bold('\n✅ StackMemory initialized successfully!\n'));
 console.log(chalk.gray('Next steps:'));
 console.log(chalk.gray('1. Add the MCP configuration above to Claude Code'));
 console.log(chalk.gray('2. Restart Claude Code'));
 console.log(chalk.gray('3. Start using context tracking!'));
+if (enableDiffMem) {
+  console.log(chalk.gray('4. Start DiffMem server: npm run diffmem:start'));
+}
 console.log(chalk.gray('\nUseful commands:'));
 console.log(
   chalk.cyan('  npm run mcp:dev') + ' - Start MCP server in dev mode'
 );
 console.log(chalk.cyan('  npm run status') + ' - Check StackMemory status');
-console.log(chalk.cyan('  npm run analyze') + ' - Analyze context usage\n');
+console.log(chalk.cyan('  npm run analyze') + ' - Analyze context usage');
+if (enableDiffMem) {
+  console.log(
+    chalk.cyan('  npm run diffmem:start') + ' - Start DiffMem server'
+  );
+}
+console.log();

src/core/retrieval/index.ts

@@ -6,3 +6,5 @@
 export * from './types.js';
 export * from './summary-generator.js';
 export * from './llm-context-retrieval.js';
+export * from './privacy-filter.js';
+export * from './unified-context-assembler.js';

src/core/retrieval/privacy-filter.ts

@@ -0,0 +1,176 @@
+/**
+ * Privacy Filter for Unified Context Assembly
+ * Filters sensitive patterns from content before including in context
+ */
+
+import { SENSITIVE_PATTERNS } from '../security/input-sanitizer.js';
+
+export type PrivacyMode = 'strict' | 'standard' | 'permissive';
+
+export interface PrivacyFilterConfig {
+  mode: PrivacyMode;
+}
+
+export interface FilterResult {
+  filtered: string;
+  redactedCount: number;
+}
+
+/**
+ * Additional patterns for privacy filtering beyond security patterns
+ * Organized by strictness level
+ */
+const PRIVACY_PATTERNS: Record<PrivacyMode, RegExp[]> = {
+  // Permissive: Only critical secrets
+  permissive: [],
+
+  // Standard: Secrets + PII basics
+  standard: [
+    // Email addresses
+    /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/g,
+    // Phone numbers (various formats)
+    /\b(?:\+?1[-.\s]?)?(?:\(?\d{3}\)?[-.\s]?)?\d{3}[-.\s]?\d{4}\b/g,
+    // SSN-like patterns
+    /\b\d{3}[-.\s]?\d{2}[-.\s]?\d{4}\b/g,
+    // IP addresses (v4)
+    /\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b/g,
+  ],
+
+  // Strict: All standard + additional PII
+  strict: [
+    // Credit card-like numbers (13-19 digits, optionally separated)
+    /\b(?:\d{4}[-.\s]?){3,4}\d{1,4}\b/g,
+    // Date of birth patterns (various formats)
+    /\b(?:0?[1-9]|1[0-2])[-/](?:0?[1-9]|[12][0-9]|3[01])[-/](?:19|20)\d{2}\b/g,
+    // AWS-style keys
+    /\b(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}\b/g,
+    // Private key markers
+    /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----[\s\S]*?-----END (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g,
+    // JWT tokens
+    /\beyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*/g,
+    // URLs with credentials
+    /(?:https?|ftp):\/\/[^\s:@]+:[^\s:@]+@[^\s]+/gi,
+    // MAC addresses
+    /\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b/g,
+    // UUID-like patterns that might be sensitive
+    /\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/gi,
+  ],
+};
+
+/**
+ * Privacy Filter class for filtering sensitive content
+ */
+export class PrivacyFilter {
+  private config: PrivacyFilterConfig;
+  private patterns: RegExp[];
+
+  constructor(config: PrivacyFilterConfig) {
+    this.config = config;
+    this.patterns = this.buildPatternList();
+  }
+
+  /**
+   * Build the complete list of patterns based on privacy mode
+   */
+  private buildPatternList(): RegExp[] {
+    const patterns: RegExp[] = [];
+
+    // Always include security patterns (API keys, tokens, etc.)
+    patterns.push(...SENSITIVE_PATTERNS);
+
+    // Add mode-specific patterns
+    switch (this.config.mode) {
+      case 'strict':
+        patterns.push(...PRIVACY_PATTERNS.strict);
+        patterns.push(...PRIVACY_PATTERNS.standard);
+        break;
+      case 'standard':
+        patterns.push(...PRIVACY_PATTERNS.standard);
+        break;
+      case 'permissive':
+        // Only security patterns (already added above)
+        break;
+    }
+
+    return patterns;
+  }
+
+  /**
+   * Filter sensitive patterns from content
+   * @param content The content to filter
+   * @returns Filtered content and count of redactions
+   */
+  filter(content: string): FilterResult {
+    if (!content) {
+      return { filtered: '', redactedCount: 0 };
+    }
+
+    let filtered = content;
+    let redactedCount = 0;
+
+    for (const pattern of this.patterns) {
+      // Reset regex state for global patterns
+      pattern.lastIndex = 0;
+
+      // Count matches before replacing
+      const matches = content.match(pattern);
+      if (matches) {
+        redactedCount += matches.length;
+      }
+
+      // Replace sensitive content
+      filtered = filtered.replace(pattern, '[REDACTED]');
+    }
+
+    return { filtered, redactedCount };
+  }
+
+  /**
+   * Check if content contains sensitive data without modifying it
+   * @param content The content to check
+   * @returns True if sensitive data is detected
+   */
+  containsSensitive(content: string): boolean {
+    if (!content) return false;
+
+    for (const pattern of this.patterns) {
+      pattern.lastIndex = 0;
+      if (pattern.test(content)) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+
+  /**
+   * Get the current privacy mode
+   */
+  getMode(): PrivacyMode {
+    return this.config.mode;
+  }
+
+  /**
+   * Update the privacy mode and rebuild patterns
+   */
+  setMode(mode: PrivacyMode): void {
+    this.config.mode = mode;
+    this.patterns = this.buildPatternList();
+  }
+
+  /**
+   * Get the count of active patterns
+   */
+  getPatternCount(): number {
+    return this.patterns.length;
+  }
+}
+
+/**
+ * Create a privacy filter with default config
+ */
+export function createPrivacyFilter(
+  mode: PrivacyMode = 'standard'
+): PrivacyFilter {
+  return new PrivacyFilter({ mode });
+}