donDinDonDev/agent-project-memory

GitHub: donDinDonDev/agent-project-memory

为 Java/Spring 代码库生成本地、带证据支撑的项目记忆文件,帮助开发者和 AI 代理在改动代码前快速理解遗留项目结构。

Stars: 0 | Forks: 0

# agent-project-memory `agent-project-memory` is a local-first CLI/devtool for generating evidence-backed project memory for Java/Spring codebases. The goal is to help developers and AI coding agents understand a legacy Java/Spring project before changing it. The tool scans local Java source, standard Maven and bounded static Gradle Java/Spring layouts, standard Maven or Gradle test roots, and bounded local API-surface inputs, extracts deterministic facts, attaches evidence references, and writes Markdown/JSON artifacts that can be reviewed, versioned, and reused. The current product focus is intentionally narrow: - Java/Spring codebases first. - Local repository analysis first. - Maven projects first, with bounded static Gradle Java/Spring layout support. - Deterministic source analysis as the source of truth. - Optional AI assistance later, outside the core analyzer. The supported product line is a local-first CLI. Source code must not be sent to external services by default. ## Security And Sensitive Data `agent-project-memory` treats repository contents as local, untrusted input and keeps generated project memory local by default. It is not a SaaS scanner, vulnerability scanner, general-purpose secret scanner, or secret inventory tool. The current output contracts avoid serializing known sensitive surfaces such as raw config values, document bodies, generated-source contents, command logs, local absolute paths, credentials, tokens, and secret-looking values. The v1.7.0 release adds bounded deterministic redaction for obvious secret-looking values that may otherwise appear in generated excerpts or rendered query output, while explicitly preserving evidence IDs, normalized repository-relative paths, symbols, line ranges, confidence, uncertainty, and claim categories. The v3.0.0 release keeps that boundary and adds defense-in-depth checks around set-level artifact metadata, OpenAPI operation IDs, connector source URLs, local structured source identities, query-rendered path/ID text, and workspace sample evidence IDs. These checks protect generated-output and provenance boundaries; they are not vulnerability scanning, complete secret discovery, security correctness proof, or a guarantee that every sensitive value in a repository will be detected. The v3.3.0 release keeps the same security boundary while adding package, workspace-map, and adapter full-output regression coverage for the current generated artifact and provenance contracts. It does not add security scanning, security proof, release automation, network behavior, provider AI, or source upload. The v3.4.0 release keeps the same security boundary while improving deterministic query verification wording. It does not change generated artifact schemas, evidence semantics, adapter behavior, query grammar, distribution channels, network behavior, provider AI, or source upload. See [SECURITY.md](SECURITY.md) for vulnerability reporting and [docs/development/THREAT_MODEL.md](docs/development/THREAT_MODEL.md) for the public product threat model and security limitations. ## Requirements - Java 21. - Apache Maven 3.x. ## Download Published release artifacts are available on the [GitHub Releases page](https://github.com/donDinDonDev/agent-project-memory/releases). The latest published release is `v3.4.0`. Its release artifact is `agent-project-memory-3.4.0.jar`; release assets use `SHA256SUMS` for optional checksum verification. shasum -a 256 -c SHA256SUMS java -jar agent-project-memory-3.4.0.jar scan /path/to/java-spring-project For published releases, the supported installation path is the executable jar from GitHub Releases: download the jar, optionally verify `SHA256SUMS`, and run it with `java -jar`. The public release line keeps this release-jar path as the minimum planned distribution path. Package-manager installs and a first-party installed `agent-project-memory` command are future distribution work and should not be assumed available until a release note documents them. ## Build And Test Run the test suite: mvn test Build the packaged CLI jar: mvn package `mvn package` produces an executable shaded jar with dependencies and a CLI manifest at: target/agent-project-memory-3.4.0.jar Local build examples below use the current v3.4.0 release version. Release artifact and checksum verification expectations are documented in [docs/development/RELEASE_PROCESS.md](docs/development/RELEASE_PROCESS.md). ## Quick Start After `mvn package`, run a scan with the packaged CLI jar: java -jar target/agent-project-memory-3.4.0.jar scan /path/to/java-spring-project A supported scan writes `.project-memory/` inside the scanned repository. For a first read, open these surfaces in this order: 1. `.project-memory/artifact-set.json` for the generated artifact inventory and evidence-authority labels. 2. `.project-memory/agent-guide.md` for deterministic human/agent orientation when the file is small enough for the task. 3. `.project-memory/endpoints.md` for API-surface review tasks. 4. `.project-memory/project-map.json` and `.project-memory/project-graph.json` only when structured fact or relation lookup is needed. 5. `.project-memory/evidence-index.jsonl` when an important generated fact needs source-backed verification. For compact coding-agent handoff, give the agent `artifact-set.json` first and ask it to respect the authority labels. For small outputs, add `agent-guide.md` and any task-relevant Markdown such as `endpoints.md`. For larger outputs, prefer the read-only `query agent-context` command as the first compact context view, then use targeted query commands for exact evidence, fact, symbol, relation, or impact lookup. This recipe is a conservative reading order, not evidence of user outcomes. Trust legend for generated output: - Trust as source-backed evidence: records in `.project-memory/evidence-index.jsonl` and the repository source locations they reference. - Treat as structured facts that must resolve to evidence for important decisions: `.project-memory/project-map.json`. - Treat as navigation or presentation, not evidence: `artifact-set.json`, `project-graph.json`, `endpoints.md`, `agent-guide.md`, `query` output, `agent-context` output, `impact` output, profile Markdown, AI presentation artifacts, cache metadata, workspace output, adapter provenance, release metadata, and downstream coding-agent output. - Verify important claims against `evidence-index.jsonl` and source files before using generated output to guide code changes. The packaged CLI also supports help and version commands without scanning: java -jar target/agent-project-memory-3.4.0.jar --help java -jar target/agent-project-memory-3.4.0.jar help java -jar target/agent-project-memory-3.4.0.jar scan --help java -jar target/agent-project-memory-3.4.0.jar --version java -jar target/agent-project-memory-3.4.0.jar version Current builds also support opt-in local policy profile selection: java -jar target/agent-project-memory-3.4.0.jar scan /path/to/java-spring-project --policy-profile guarded-local java -jar target/agent-project-memory-3.4.0.jar scan /path/to/java-spring-project --policy-profile docs-focused java -jar target/agent-project-memory-3.4.0.jar scan /path/to/java-spring-project --policy-profile adapter-local Supported policy profiles are `guarded-local`, `docs-focused`, and `adapter-local`. The same profile may also be selected with root-local config key `policy_profile: `. A scan without a policy profile keeps the compatibility baseline and does not emit default policy metadata. When a policy profile is selected, the scan records bounded execution metadata under `project-map.json` `scan.policy_profile`; that metadata is not evidence and must not be treated as a security or compliance claim. Selected profiles fail closed on unsafe combinations such as AI presentation with policy profiles, adapter enablement outside `adapter-local`, document path-rule expansion under `guarded-local`, and reserved generated-source or symlink modes. Current builds also support opt-in agent profile artifact selection: java -jar target/agent-project-memory-3.4.0.jar scan /path/to/java-spring-project --agent-profile codex java -jar target/agent-project-memory-3.4.0.jar scan /path/to/java-spring-project --agent-profile all Supported profile selectors are `codex`, `claude`, `cursor`, `generic`, and `all`. `--agent-profile` may be repeated, and duplicate selectors are idempotent. Profile selection is optional; a scan without `--agent-profile` keeps the default output set. Profile selection writes a generated-profile manifest and selected deterministic profile Markdown files under `.project-memory/agent-profiles/`. Profile Markdown is generated only from existing structured project facts and existing evidence references; it does not add project facts or evidence records. Current builds also support explicitly enabled mock/no-network AI presentation artifacts: java -jar target/agent-project-memory-3.4.0.jar scan /path/to/java-spring-project --ai-presentation mock_no_network Default scans do not create AI presentation artifacts. When enabled, the mock/no-network slice writes `.project-memory/ai-presentations/manifest.json` and `.project-memory/ai-presentations/brief.md` from the already generated `project-map.json`, `evidence-index.jsonl`, and `project-graph.json` artifacts. These files are non-authoritative presentation only: they do not add project facts, evidence records, connector truth, security findings, runtime claims, source/spec agreement claims, documentation-freshness claims, release evidence, or code-change authority. The mock provider performs no network access, credential lookup, telemetry, source upload, prompt logging, prompt transcript serialization, embeddings, vector search, repository chat, or real provider calls. When combined with `--incremental`, the current AI presentation slice runs a full scan and skips incremental cache metadata refresh. Current builds also support opt-in incremental scan mode: java -jar target/agent-project-memory-3.4.0.jar scan /path/to/java-spring-project --incremental `--incremental` reuses the existing generated output set only after validating cache schema, tool version, selected CLI options, selected config, selected agent profiles, input fingerprints, and current generated output fingerprints. The first incremental scan for a repository state is a cache miss: it runs the normal full analysis path and refreshes metadata-only cache files under `.project-memory/cache/v1/` after successful output generation. Missing, stale, unsafe, corrupted, or mismatched cache state fails closed to normal full analysis. Scans without `--incremental` ignore persistent cache state and do not read, write, delete, or trust cache files. For untrusted repositories or pre-existing generated outputs, run a normal scan without `--incremental` first so the output set is regenerated from current source inputs. Current builds also include read-only query commands over existing no-adapter generated artifacts: java -jar target/agent-project-memory-3.4.0.jar query /path/to/java-spring-project list modules java -jar target/agent-project-memory-3.4.0.jar query /path/to/java-spring-project list endpoints java -jar target/agent-project-memory-3.4.0.jar query /path/to/java-spring-project list api-operations java -jar target/agent-project-memory-3.4.0.jar query /path/to/java-spring-project list entities java -jar target/agent-project-memory-3.4.0.jar query /path/to/java-spring-project list tests java -jar target/agent-project-memory-3.4.0.jar query /path/to/java-spring-project explain evidence java -jar target/agent-project-memory-3.4.0.jar query /path/to/java-spring-project find fact java -jar target/agent-project-memory-3.4.0.jar query /path/to/java-spring-project find symbol java -jar target/agent-project-memory-3.4.0.jar query /path/to/java-spring-project relations java -jar target/agent-project-memory-3.4.0.jar query /path/to/java-spring-project relations --direction incoming java -jar target/agent-project-memory-3.4.0.jar query /path/to/java-spring-project agent-context java -jar target/agent-project-memory-3.4.0.jar query /path/to/java-spring-project impact --files src/main/java/com/example/Foo.java `query ...` accepts either a repository directory containing `.project-memory/` or the `.project-memory/` directory itself. These commands read the existing `project-map.json` and `evidence-index.jsonl` artifacts, and read `artifact-set.json` for set-level validation when the manifest is present. They print deterministic human text and do not run scans, create `.project-memory/`, refresh cache/profile artifacts, read repository source files, or write repository files. Current query support remains focused on no-adapter `project-map.json` `schema_version: "1.0"` artifact sets; adapter-enabled `schema_version: "2.0"` outputs and `source-registry.json` are not query input sources in this slice. Legacy no-manifest no-adapter artifact sets keep the earlier behavior: non-graph query commands do not require or parse `project-graph.json`, and a missing or malformed graph artifact is ignored unless the command needs graph-backed lookup. When `artifact-set.json` is present, the reader validates the coherent generated set before rendering query output and fails closed on unsupported manifest schema markers, mixed manifest/file state, mixed artifact schemas, or stale optional artifacts such as a `source-registry.json` that the manifest does not include. The migration action for mixed or unsupported artifact sets is to regenerate the complete `.project-memory/` output set from source and from the same explicitly configured local adapter exports, not to edit or copy individual generated files in place. Source-visible endpoint rows and spec-backed declared API operation rows stay separate; entity rows and embeddable rows stay separate. Query artifact loading fails closed when evidence paths are unsafe, project-map evidence references do not resolve to `evidence-index.jsonl`, or required artifact files are unsafe local files. `explain evidence ` resolves exact evidence IDs from `evidence-index.jsonl`. `find fact ` and `find symbol ` are exact and case-sensitive; they do not perform substring, fuzzy, regex, semantic, natural-language, or embedding search. `find fact ` uses `project-graph.json` only for graph ID-shaped terms such as `node:`, `edge:`, `relation-status:`, and `graph-warning:` when graph output is present and valid. `relations ` requires a valid `project-graph.json`, accepts either a graph node ID or a generated fact ID that maps through node `source_ref`, and renders only one-hop incoming, outgoing, or default `both` graph neighbors while keeping graph edges separate from `relation_statuses[]`. Graph `source_ref` and `derivation` fields are navigation metadata, not evidence. Stable JSON query output remains future work and is not included in the current build line. `impact --files [...]` renders conservative direct mapping and one-hop projection for explicit repository-relative changed-file paths over existing no-adapter `project-map.json`, `evidence-index.jsonl`, and `project-graph.json` artifacts. It reports direct matches to existing evidence paths, generated fact source references, generated fact IDs, or graph nodes; one-hop `graph_neighbor` rows; tied `relation_status` rows; low-confidence `planning_hint` rows from existing `quality.change_risk_signals`; explicit `not_represented` rows for valid files with no accepted artifact reference; and bounded diagnostics such as duplicate or capped inputs. It does not parse raw diffs, inspect Git state, require changed files to exist, read source files, refresh scans, create or mutate generated artifacts, write an impact report, traverse graph neighbors beyond one hop, use adapter/source-registry context, or claim complete runtime, call-graph, vulnerability, business-priority, or production impact. `agent-context` renders a bounded read-only context view for agent/editor consumption over existing no-adapter `project-map.json` schema `1.0` and `evidence-index.jsonl` artifacts, with optional valid `project-graph.json` navigation metadata when present. The command writes deterministic stdout only; it does not create generated artifacts, open referenced source files to expand evidence, parse generated Markdown, profiles, AI presentation, cache metadata, adapter context, connector records, or `source-registry.json` as fact inputs, and it does not add MCP/server/API/editor/plugin, network, credential, telemetry, source-upload, repository-chat, semantic-search, or automatic code-modification behavior. Agent-context output is navigation and presentation only, not project evidence. Current builds also include workspace map aggregation over explicitly configured local member roots: java -jar target/agent-project-memory-3.4.0.jar workspace scan /path/to/workspace/agent-project-memory-workspace.yml The accepted workspace config shape is an explicit local YAML file: version: 1 members: - repo_id: orders root: services/orders `workspace scan ` treats the config file directory as the workspace root, requires each member to declare one unique logical `repo_id`, and accepts only workspace-relative member roots such as `services/orders`. The command validates config grammar and root safety, then writes the workspace-root `.project-memory/workspace-map.json` from existing per-repo `.project-memory/` artifacts. It does not run child repository scans, does not refresh or mutate member `.project-memory/` directories, does not copy full member evidence records, does not emit cross-repo relations, and does not add workspace query or workspace `agent-context` behavior. Members with missing or invalid per-repo artifacts remain listed with bounded workspace diagnostics. Member evidence navigation uses composite `repo_id` plus existing per-repo `evidence_id` sample references. CLI exit codes are stable for automation: - `0`: success, help, or version. - `1`: unexpected internal error. - `2`: usage error, such as an unknown command, unknown flag, or malformed command. - `3`: scan/query input or artifact error, such as a missing scan path, missing query path, missing directory, unsafe output path, missing query artifact, malformed query artifact, or invalid graph artifact for relation lookup. - `4`: invalid scan or workspace config. - `5`: output generation or write error. - `6`: query no-result, such as an absent evidence ID, absent exact fact/symbol match, or absent relation subject ID. Normal scan stdout is concise and deterministic: it reports `.project-memory` preparation, generated file names with stable fact counts when outputs are written, and a bounded diagnostics summary. `scan ` validates that the path exists and is a directory, then creates or reuses: /.project-memory/ Existing unrelated contents inside `.project-memory/` are preserved. Generated files are rewritten deterministically when supported Maven module roots, source-visible Maven metadata from module POMs, supported Gradle build files or static settings includes, supported root source, test, or resource roots, supported config files, local OpenAPI/Swagger spec files, safe default-scope local Markdown documents, Spring repository signals, Spring configuration surface signals, Spring behavior or messaging listener signals, or Maven/Gradle module warnings are detected. When the scanned path has a root `pom.xml`, the current implementation discovers the scan root and root-declared Maven child modules, then runs the Spring MVC endpoint, Spring component, Spring repository signal, Spring configuration surface, Spring behavior/messaging signal, Spring Security configuration warning, JPA entity, hidden HTTP surface warning, and tests inventory analyzers per supported module. For Gradle inputs, the current implementation discovers accepted root Gradle build files, simple static `settings.gradle` or `settings.gradle.kts` include declarations, and standard Gradle Java/source/test/resource roots without executing Gradle or resolving an effective Gradle model. For compatibility with earlier local source-root scans, a repository without a root `pom.xml` but with supported root source, test, or resource roots is represented as the scan-root module with module discovery marked `not_detected`. The analyzer extracts Spring MVC controllers and source-visible interface-declared Spring MVC mappings that can be uniquely bound to concrete handlers, direct Spring stereotype components on classes and interfaces, deterministic hidden HTTP surface warnings, direct JPA entity annotations with conservative source-visible mapped-superclass identifier fields, standard Maven or Gradle test-root classes with conservative helper filtering, direct source-visible Maven metadata from module POMs, direct source-visible Maven dependency and plugin declarations from module POMs, and bounded Gradle build layout observations, plus path-only standard resource-root and supported application/logging config-file inventory. It also emits direct source-visible `@Repository` repository surface facts and inferred source-visible Spring Data repository interface extension signals in a separate Spring application surface section, with conservative inferred repository/entity links when a supported Spring Data generic type matches exactly one emitted entity fact, plus direct source-visible `@Configuration` class, `@ConfigurationProperties` type, and `@Bean` method signals without runtime bean graph or binding claims, direct source-visible `@Transactional`, `@Scheduled`, and `@EventListener` signals, and common source-visible Kafka/Rabbit listener annotation signals without runtime transaction, scheduler, event delivery, message topology, or broker behavior claims, plus source-visible Spring Security configuration warnings for supported security annotations and `SecurityFilterChain` `@Bean` methods without security policy, endpoint protection, authentication, authorization, filter-chain ordering, vulnerability, or correctness claims. It also discovers common local OpenAPI/Swagger spec filenames as declared API inputs, extracts minimal spec-backed declared OpenAPI/Swagger operations, discovers generated-source/codegen root metadata without reading generated source contents, and discovers safe default-scope local Markdown document inventory with deterministic ATX heading references and bounded chunk references, with resolving document evidence for file, heading, chunk, and bounded reconciliation mention observations, plus conservative `documents.reconciliation` inspection hints for document-only endpoint-like path mentions, document-only module references, and source-backed API/module facts with no obvious default-scope document mention, plus compact local-document guide rendering from structured document inventory, bounded heading/chunk references, and uncertain reconciliation hints. Supported scans also emit a bounded deterministic lightweight relation graph over existing facts, with direct/structural nodes and `owns`/`declares` edges, conservative inferred repository/entity and tested-subject relation edges, and status-only or uncertain relation rows kept separate from edges, then write: /.project-memory/artifact-set.json /.project-memory/project-map.json /.project-memory/project-graph.json /.project-memory/endpoints.md /.project-memory/evidence-index.jsonl /.project-memory/agent-guide.md When `--agent-profile` is selected and the scan writes the base output files, the scan also writes: /.project-memory/agent-profiles/manifest.json /.project-memory/agent-profiles/.md Only selected profile Markdown files are written. Unsupported directories that only prepare `.project-memory/` do not create orphan profile artifacts. When `--incremental` is selected and the scan writes the base output files, the scan also writes cache metadata: /.project-memory/cache/v1/manifest.json /.project-memory/cache/v1/inputs.jsonl /.project-memory/cache/v1/outputs.jsonl These cache files are execution metadata, not evidence. They store bounded repository-relative paths, SHA-256 fingerprints, byte counts, schema/tool metadata, selected profile names, and redacted option/config matching metadata only. They do not add fields to `project-map.json`, do not create `evidence-index.jsonl` records, and do not store source bodies, local document bodies, config contents, generated-source contents, generated Markdown bodies, local absolute paths, command logs, timing measurements, credentials, tokens, or secret-looking values. `artifact-set.json` is the deterministic set-level manifest for generated single-repo scan output. It inventories the required base artifacts plus optional adapter, profile, AI presentation, cache, and workspace-related surfaces without making those surfaces evidence. It is contract/provenance metadata only, keeps `artifact_root` relative as `.project-memory`, and does not serialize local absolute paths, command transcripts, credentials, tokens, raw source bodies, or environment values. Its artifact inventory marks only `evidence-index.jsonl` as authoritative source-backed evidence; every other listed surface remains non-evidence. The initial manifest uses `artifact_set_schema_version: "1.0"` and does not bump `project-map.json` to `schema_version: "3.0"`. `project-map.json` is the minimal stable machine-readable project map. No-adapter current development output uses `schema_version: "1.0"` and includes redacted scan metadata for safe root-local config selection, detected root `pom.xml` build metadata when present, accepted Gradle build-file summary fields when present, Maven or Gradle module inventory, module-owned source-visible Maven metadata under `project.modules.items[].build_config.maven.metadata`, module-owned source-visible Maven dependency inventory under `project.modules.items[].build_config.maven.dependencies` and `dependency_management`, module-owned source-visible Maven plugin inventory under `project.modules.items[].build_config.maven.plugins` and `plugin_management`, module-owned bounded Gradle build-file orientation under `project.modules.items[].build_config.gradle`, compatibility source and test root summaries, module-owned standard resource-root inventory under `project.modules.items[].build_config.resources`, module-owned path-only supported application/logging config-file inventory under `project.modules.items[].build_config.config_files`, module-owned direct source-visible Spring Boot application signals under `project.modules.items[].build_config.spring_boot_applications`, API surface categories for source-visible endpoint facts, local OpenAPI/Swagger spec file facts under `api_surface.openapi.spec_files`, minimal declared operation facts under `api_surface.openapi.operations`, top-level generated-source/codegen policy and metadata-only root inventory under `generated_sources`, direct `module_id` fields on module-owned facts, Spring MVC endpoint facts, hidden HTTP surface, generated-source, and Maven module warnings that are not expanded into endpoint/API facts, direct component inventory, direct JPA entity facts with bounded source-visible field metadata, partial embedded/identifier signals, relationship metadata, and repository/entity relation statuses for the current JPA/domain slice, a bounded source-visible tests inventory with stable test IDs, module ownership, direct framework signal classifications, supported JUnit test method annotations, direct Spring test slice annotations, conservative mock annotation signals, and conservative tested-subject relation/status rows, a top-level `quality` object with conservative test-gap and change-risk planning hints, the staged `spring_application_surface.repositories` repository signal inventory, the staged `spring_application_surface.configuration` configuration class, configuration-properties, and bean method inventories, `spring_application_surface.behavior` transaction, scheduled, and event listener inventories, `spring_application_surface.messaging.listener_signals` inventories, and `spring_application_surface.security.configuration_warnings` warning-ID references, a top-level `scan` object with redacted config, feature, path-policy, and diagnostic metadata, and a top-level `documents` object with deterministic default-scope local Markdown discovery policy metadata, document inventory, ATX heading references, and bounded chunk references, conservative low-confidence reconciliation hints, and evidence ID references. The current Spring application surface implementation emits repository, configuration-surface, behavior, and messaging facts, plus Spring Security configuration warning references when bounded source-visible signals are detected. The current v0.6 JPA/domain implementation emits field metadata for direct field-level `@Column`, `@Enumerated`, `@GeneratedValue`, and `@Version` annotations, direct `@Embeddable` facts, direct field-level `@Embedded`/`@EmbeddedId` signals, and direct class-level `@IdClass` composite-id signals, direct source-visible relationship metadata, conservative Spring Data repository/entity inferred relations, and quiet no-domain guide rendering without runtime schema, access-strategy, generated-identifier, optimistic-locking, composite-key, relationship target-resolution, repository runtime, or provider-default claims. `endpoints.md` is a deterministic API surface Markdown inventory that keeps source-visible Spring MVC endpoints, declared OpenAPI operations, generated-source API signals, repository-rest warnings, and hidden HTTP warnings in separate sections. `evidence-index.jsonl` contains source-backed evidence records referenced by generated facts. `agent-guide.md` is a deterministic orientation guide generated only from the structured project-map facts and evidence index. Compatibility and migration notes: - The v0.9-to-v1.0 output migration is limited to the normal generated `project-map.json` marker moving from `schema_version: "0.9"` to `"1.0"`. The current JSON shape and evidence semantics are preserved. - The v1.1 Gradle expansion keeps `schema_version: "1.0"` and adds Gradle and mixed Maven/Gradle fields only where Gradle inputs are detected. Existing Maven fields and evidence semantics are preserved. - The v1.2 generated-source/codegen expansion keeps `schema_version: "1.0"` and adds top-level `generated_sources` policy and root metadata with `content_status: "not_scanned"`. Generated-source content scanning remains unavailable, and `features.generated_sources: true` remains invalid config. - The v1.4 incremental cache mode keeps `schema_version: "1.0"` and adds only opt-in `.project-memory/cache/v1/` execution metadata. Validated cache hits reuse the existing generated output set without adding cache fields to `project-map.json`, and normal scans without `--incremental` preserve full-scan behavior. - The v1.5 graph expansion keeps `project-map.json` on `schema_version: "1.0"` and adds `.project-memory/project-graph.json` with `graph_schema_version: "1.0"` as a separate navigation artifact over existing facts and evidence references. - The v1.6 query expansion keeps generated artifact schemas unchanged. Query commands read existing `project-map.json`, `project-graph.json` when graph lookup is needed, and `evidence-index.jsonl` artifacts without scanning source, writing repository files, or treating query output as evidence. - The v2.0 local structured import release keeps no-adapter scans v1-compatible: `project-map.json` remains on `schema_version: "1.0"` and `.project-memory/source-registry.json` is not emitted. When the local structured import adapter is explicitly enabled and an import file is accepted, the scan emits `.project-memory/source-registry.json` and uses `project-map.json` `schema_version: "2.0"` for adapter context. Treat that as a v2 artifact set: regenerate the base artifacts and source registry together, and do not mix `project-map.json`, `project-graph.json`, `evidence-index.jsonl`, `source-registry.json`, or generated Markdown from different scans. - The v2.1 release also supports disabled-by-default GitHub/GitLab local export imports through `adapters.git_hosting_import`. Accepted records use `.project-memory/source-registry.json` schema `1.1` for Git hosting provenance and the existing `project-map.json` `schema_version: "2.0"` adapter context. The import remains local JSON only: no API calls, network access, credentials, adapter-aware query behavior, raw issue/PR/MR bodies, comments, review notes, configured import paths, or local absolute paths are serialized by default. - The v2.2 release also supports disabled-by-default Jira/YouTrack/Confluence local export imports through `adapters.connector_import`. Accepted records use `.project-memory/source-registry.json` schema `1.2` for connector provenance and the existing `project-map.json` `schema_version: "2.0"` adapter context. The import remains local JSON only: no API calls, network access, credentials, adapter-aware query behavior, raw issue/page/article bodies, comments, rendered HTML, attachment details, configured import paths, or local absolute paths are serialized by default. - The v3.0.0 release adds `.project-memory/artifact-set.json` with `artifact_set_schema_version: "1.0"` as a set-level generated-output manifest. No-adapter `project-map.json` remains on `schema_version: "1.0"`, adapter-enabled `project-map.json` remains on `schema_version: "2.0"`, and `evidence-index.jsonl` remains the source-backed evidence artifact. Current query, `agent-context`, and impact loading validate the manifest when it is present, accept only coherent no-adapter `schema_version: "1.0"` query input sets, and fail closed on unsupported or mixed artifact-set state. - The v3.3.0 release keeps those generated artifact schemas and evidence semantics unchanged while strengthening package-phase, workspace-map, and local structured import full-output regression coverage for the current artifact and provenance boundaries. - The v3.4.0 release keeps generated artifact schemas and evidence semantics unchanged while improving deterministic query presentation: evidence lookup names `evidence-index.jsonl` as the source-backed authority, evidence-bearing navigation outputs point readers to exact evidence lookup, and `agent-context` includes the path-first impact query in its compact verification loop. - Downstream consumers that are not v2-adapter-aware should keep consuming no-adapter `schema_version: "1.0"` outputs. Consumers that encounter `schema_version: "2.0"` or `source-registry.json` should explicitly handle or reject adapter context and provenance joins instead of treating adapter-backed rows as Java/Spring facts. Current query support remains focused on no-adapter v1 artifact sets unless later release notes and architecture docs document adapter-aware query behavior. - Consumers that accept only known schema markers should add `"1.0"` for the preserved v0.9 shape. Regenerate the base `.project-memory/` files together so JSON facts, graph nodes, evidence IDs, and Markdown evidence references stay aligned. - `project-map.json`, `project-graph.json`, and `evidence-index.jsonl` are the stable machine-readable outputs. `endpoints.md` and `agent-guide.md` are deterministic human-readable presentations; their filenames, cautious categories, and evidence visibility are documented expectations, while exact Markdown wording or layout may evolve. - Future breaking changes, deprecations, and required migration steps are documented in the architecture contract, changelog, and release notes for the release that changes behavior. ## Future Installed Usage The current supported path is the release jar documented above. The command forms below describe the intended installed-command UX for a future distribution channel; no first-party shell wrapper, Homebrew formula, JBang catalog, Maven Central CLI installation, SDKMAN/asdf plugin, native image, or container image is currently published. Future installed command: agent-project-memory scan . Future installed help and version command forms: agent-project-memory --help agent-project-memory help agent-project-memory scan --help agent-project-memory --version agent-project-memory version The same output files: .project-memory/artifact-set.json .project-memory/project-map.json .project-memory/project-graph.json .project-memory/evidence-index.jsonl .project-memory/endpoints.md .project-memory/agent-guide.md These files are meant to give humans and coding agents a compact, evidence-backed map of the project plus a bounded relation graph: detected build layout, Spring MVC endpoints, generated-source/codegen metadata, important components, structural graph navigation, and references back to the source files that support each fact. ## Public Documentation Map Start here: - Contributor and coding-agent route: for implementation work, read [AGENTS.md](AGENTS.md) first, then this README and the task-relevant product, roadmap, output, and evidence docs below. - Latest release: [docs/product/V3_4_RELEASE_NOTES.md](docs/product/V3_4_RELEASE_NOTES.md). - Release history: [CHANGELOG.md](CHANGELOG.md). Detailed historical release notes live under `docs/product/`, and public evaluation summaries are linked from the relevant release notes. - Generated-output example: [examples/stage3-project-map/README.md](examples/stage3-project-map/README.md). - Product scope and boundaries: [docs/product/MVP_SPEC.md](docs/product/MVP_SPEC.md) and [docs/product/NON_GOALS.md](docs/product/NON_GOALS.md). - Product direction and release tracks: [docs/product/POST_V0_1_STRATEGY.md](docs/product/POST_V0_1_STRATEGY.md) and [docs/product/ROADMAP.md](docs/product/ROADMAP.md). - Output and evidence contracts: [docs/architecture/OUTPUT_CONTRACT.md](docs/architecture/OUTPUT_CONTRACT.md) and [docs/architecture/EVIDENCE_MODEL.md](docs/architecture/EVIDENCE_MODEL.md). - Architecture overview: [docs/architecture/ARCHITECTURE_OVERVIEW.md](docs/architecture/ARCHITECTURE_OVERVIEW.md) and [docs/architecture/INGESTION_ARCHITECTURE.md](docs/architecture/INGESTION_ARCHITECTURE.md). - Contributing, release process, and security: [CONTRIBUTING.md](CONTRIBUTING.md), [docs/development/RELEASE_PROCESS.md](docs/development/RELEASE_PROCESS.md), and [SECURITY.md](SECURITY.md). ## What This Is Not `agent-project-memory` is not: - a generic AI documentation generator, - a repository chatbot, - a RAG system, - a SaaS product, - a hosted codebase wiki, - a tool that treats LLM output as the source of truth, - an automatic code modification system. AI is optional presentation, grouping, or summarization only; the core project memory must come from deterministic analysis, explicit output contracts, and evidence references. Any AI output must be labeled as non-evidence, must not create project facts or security findings, and must not require source upload, network access, provider credentials, repository chat, generic RAG, or automatic code modification by default. The current product line includes only explicitly enabled mock/no-network AI presentation plumbing and no real AI provider integration. ## Project Status The latest published release is `v3.4.0`. The `v3.4.0` tag, GitHub Release, executable jar, and `SHA256SUMS` assets are published. The supported public distribution remains the GitHub Release executable jar plus `SHA256SUMS`; signing, SBOM publication, package-manager channels, native images, container images, release automation, and automatic publication are not included. The v3.3.0 release added validation and regression hardening for package smoke, workspace-map, and local structured import full-output coverage without changing JSON/JSONL schema markers, evidence semantics, adapter behavior, query authority, or the supported public distribution channel. The v3.4.0 release improves query verification wording while keeping query output as deterministic navigation and presentation, not evidence. It does not change generated JSON/JSONL schema markers, evidence fields, evidence semantics, adapter behavior, query grammar, or the supported public distribution channel. The current implementation is a local Java 21 CLI for Java/Spring repositories. It scans local source and configuration inputs, then writes deterministic `.project-memory/` artifacts with explicit source-backed evidence. The current output set includes `artifact-set.json`, `project-map.json`, `project-graph.json`, `evidence-index.jsonl`, `endpoints.md`, and `agent-guide.md`, with optional local-only adapter, profile, AI presentation, cache, and workspace surfaces when explicitly selected by supported workflows. The current compatibility baseline keeps normal no-adapter `project-map.json` output on `schema_version: "1.0"`. Explicit adapter-enabled scans use `schema_version: "2.0"` with `source-registry.json` provenance. The v3.0.0 release adds the `.project-memory/artifact-set.json` manifest and manifest-present reader/query validation without bumping `project-map.json` to `schema_version: "3.0"`, adding adapter-aware query behavior, or changing evidence semantics. For authoritative details, use the owner documents: - Product scope and non-goals: [docs/product/MVP_SPEC.md](docs/product/MVP_SPEC.md) and [docs/product/NON_GOALS.md](docs/product/NON_GOALS.md). - Current roadmap and release-track history: [docs/product/ROADMAP.md](docs/product/ROADMAP.md) and [CHANGELOG.md](CHANGELOG.md). - Generated output semantics: [docs/architecture/OUTPUT_CONTRACT.md](docs/architecture/OUTPUT_CONTRACT.md). - Evidence semantics: [docs/architecture/EVIDENCE_MODEL.md](docs/architecture/EVIDENCE_MODEL.md). - Latest release scope, validation, and asset status: [docs/product/V3_0_RELEASE_NOTES.md](docs/product/V3_0_RELEASE_NOTES.md). ## License Apache-2.0. See [LICENSE](LICENSE). Runtime dependency notices are summarized in [THIRD-PARTY-NOTICES.md](THIRD-PARTY-NOTICES.md).
标签:AI编程辅助, Homebrew安装, SOC Prime, Spring, 代码分析, 代码图谱, 凭证管理, 域名枚举, 开发工具, 文档结构分析, 防御加固