release: v2026.10224.10619

.github/workflows/release-gui.yml

@@ -29,12 +29,25 @@ jobs:
           - platform: 'macos-14'
             args: '--target universal-apple-darwin'
             rust_targets: 'aarch64-apple-darwin,x86_64-apple-darwin'
+            artifact_globs: |
+              gui/src-tauri/target/*/release/bundle/**/*.dmg
+              gui/src-tauri/target/release/bundle/**/*.dmg
           - platform: 'ubuntu-24.04'
             args: ''
             rust_targets: ''
+            artifact_globs: |
+              gui/src-tauri/target/*/release/bundle/**/*.AppImage
+              gui/src-tauri/target/release/bundle/**/*.AppImage
+              gui/src-tauri/target/*/release/bundle/**/*.deb
+              gui/src-tauri/target/release/bundle/**/*.deb
+              gui/src-tauri/target/*/release/bundle/**/*.rpm
+              gui/src-tauri/target/release/bundle/**/*.rpm
           - platform: 'windows-latest'
             args: ''
             rust_targets: ''
+            artifact_globs: |
+              gui/src-tauri/target/*/release/bundle/**/*.exe
+              gui/src-tauri/target/release/bundle/**/*.exe
 
     runs-on: ${{ matrix.platform }}
     steps:
@@ -137,17 +150,7 @@ jobs:
         uses: actions/upload-artifact@v4
         with:
           name: gui-${{ matrix.platform }}
-          path: |
-            gui/src-tauri/target/*/release/bundle/**/*.dmg
-            gui/src-tauri/target/release/bundle/**/*.dmg
-            gui/src-tauri/target/*/release/bundle/**/*.exe
-            gui/src-tauri/target/release/bundle/**/*.exe
-            gui/src-tauri/target/*/release/bundle/**/*.AppImage
-            gui/src-tauri/target/release/bundle/**/*.AppImage
-            gui/src-tauri/target/*/release/bundle/**/*.deb
-            gui/src-tauri/target/release/bundle/**/*.deb
-            gui/src-tauri/target/*/release/bundle/**/*.rpm
-            gui/src-tauri/target/release/bundle/**/*.rpm
+          path: ${{ matrix.artifact_globs }}
           if-no-files-found: error
 
   publish-release:

CODE_OF_CONDUCT.md

@@ -0,0 +1,76 @@
+# Code of Conduct
+
+## Who We Are
+
+The `memory-sync` community consists of developers surviving in an environment of extreme resource inequality.
+We are not an elite club, not a big-corp-backed open-source project, nor anyone's career stepping stone.
+
+We are rats. We accept that.
+
+---
+
+## What We Welcome
+
+- **Marginal developers**: No stable income, no corporate budget, scraping by on free tiers and trial credits
+- **Solo developers**: Carrying an entire project alone — no team, no PM, no QA
+- **Students and beginners**: Genuinely willing to learn and get hands dirty, not here to beg for ready-made answers
+- **Anyone, any language, any region**: If you use this tool, you are part of the community
+- **AI Agents**: Automation pipelines, Agent workflows, LLM-driven toolchains — as long as behaviour complies with this code, Issues and PRs from Agents are treated equally
+
+We welcome Issues, PRs, discussions, rants — as long as you are serious, regardless of whether the author is human or Agent.
+
+---
+
+## What We Do Not Welcome
+
+The following behaviours result in immediate Issue closure / PR rejection / account ban — no warning, no explanation:
+
+- **Freeloaders**: Want everything ready-made, won't even touch a terminal, open with "set it up for me"
+- **Blame-shifters after freeloading**: Use the tool, hit a problem, first reaction is to lash out instead of providing repro steps
+- **Malicious competitors**: Repackage this project's code or ideas as your own commercial product, circumventing AGPL-3.0
+- **Resource predators**: Stable income, corporate budget, yet competing with marginal developers for free resources and community attention
+- **Harassment**: Personal attacks, discrimination, stalking, harassing maintainers or other contributors
+- **Hustle-culture pushers**: Glorify overwork, promote 996, or use this tool to exploit other developers
+
+---
+
+## Contributor Obligations
+
+If you submit an Issue (human or Agent):
+
+- Provide a minimal reproducible example
+- State your OS, Node.js version, and tool version
+- Agent submissions must include trigger context (call chain, input params, error stack)
+- Do not rush maintainers — they are humans, not customer support
+
+If you submit a PR (human or Agent):
+
+- Open an Issue first to discuss, avoid wasted effort
+- Follow existing code style (TypeScript strict, functional, immutable-first)
+- Do not sneak unrelated changes into a PR
+- Agent-generated PRs must declare the generation tool and prompt source in the description; do not disguise as hand-written
+
+---
+
+## Maintainer Rights
+
+Maintainers may:
+
+- Close any Issue or PR without explanation
+- Ban any account violating this code
+- Amend this code at any time
+
+Maintainers are not obligated to:
+
+- Respond to every Issue
+- Accept every PR
+- Be responsible for anyone's commercial needs
+
+---
+
+## Licence and Enforcement
+
+This project is licensed under [AGPL-3.0](LICENSE).
+Commercial use violating the licence will be subject to legal action.
+
+Enforcement of this code of conduct is at the maintainers' sole discretion; final interpretation rests with [@TrueNine](https://github.com/TrueNine).

Cargo.toml

@@ -20,6 +20,7 @@ repository = "https://github.com/TrueNine/memory-sync"
 
 [workspace.dependencies]
 # Internal crates
+tnmsc = { path = "cli" }
 tnmsc-logger = { path = "libraries/logger" }
 tnmsc-md-compiler = { path = "libraries/md-compiler" }
 tnmsc-config = { path = "libraries/config" }

SECURITY.md

@@ -0,0 +1,61 @@
+# Security Policy
+
+## Supported Versions
+
+Only the latest release receives security fixes. No backport patches for older versions.
+
+| Version | Supported |
+|---------|-----------|
+| Latest | ✅ |
+| Older | ❌ |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability, **do not** report it in a public Issue.
+
+Contact the maintainer privately via:
+
+- GitHub Security Advisory: submit a private report under the repository's **Security** tab
+- Email: contact [@TrueNine](https://github.com/TrueNine) directly
+
+Please include:
+
+- Vulnerability description and impact scope
+- Reproduction steps (minimal example)
+- Your OS, Node.js version, and `memory-sync` version
+- Suggested fix if any
+
+## Response Timeline
+
+The maintainer is a person, not a security team. No SLA, no 24-hour response guarantee.
+
+- Will acknowledge receipt as soon as possible
+- Will release a patch within a reasonable timeframe after confirmation
+- Will publicly disclose vulnerability details after the fix is released
+
+Don't rush.
+
+## Scope
+
+`memory-sync` is a CLI tool that **reads source files only and writes target configs only**. Its security boundary:
+
+- **Reads**: user `.cn.mdx` source files, project config files (`.tnmsc.json`)
+- **Writes**: target tool config directories (`.cursor/`, `.claude/`, `.kiro/`, etc.)
+- **Cleans**: removes stale files from target directories during sync
+
+The following are **out of scope**:
+
+- Security vulnerabilities in target AI tools themselves
+- Compliance of user prompt content
+- Supply chain security of third-party plugins (`packages/`) — all plugins are `private` and not published to npm
+
+## Design Principles
+
+- **Never modifies source files**: read-only on source; writes only to target
+- **Full clean mode**: after sync, only explicitly authorised content remains in target directories — no hidden residue
+- **No network requests**: CLI core makes no outbound network requests (version check excepted, and times out gracefully)
+- **No telemetry**: no user data collected or reported
+
+## License
+
+This project is licensed under [AGPL-3.0](LICENSE). Unauthorised commercial use in violation of the licence will be pursued legally.

cli/Cargo.toml

@@ -7,6 +7,10 @@ license.workspace = true
 authors.workspace = true
 repository.workspace = true
 
+[lib]
+name = "tnmsc"
+path = "src/lib.rs"
+
 [[bin]]
 name = "tnmsc"
 path = "src/main.rs"
@@ -24,6 +28,12 @@ tnmsc-input-plugins = { workspace = true }
 tnmsc-init-bundle = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
+thiserror = "2"
 clap = { workspace = true }
 dirs = { workspace = true }
 reqwest = { version = "0.13", default-features = false, features = ["blocking", "json", "rustls", "rustls-native-certs"] }
+
+[dev-dependencies]
+proptest = "1"
+tempfile = "3"
+tnmsc-config = { workspace = true }

cli/npm/darwin-arm64/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@truenine/memory-sync-cli-darwin-arm64",
-  "version": "2026.10223.10952",
+  "version": "2026.10224.10619",
   "os": [
     "darwin"
   ],