fix(api): enforce scope-safe viewer and CLI memory access

[kunickiaj]

Description

Threads the central scope-visibility gate through every viewer-server route and CLI command that exposes memory content:

• Viewer routes (`/api/memory`, `/api/observations`, `/api/summaries`, `/api/sessions`, `/api/projects`, `/api/session`, `/api/artifacts`, `/api/usage`, `/api/memories/*`) gate by visible memory scopes.
• `/api/usage` is filtered as a memory-exposure surface; aggregates are recomputed from visible rows and memory-id metadata is sanitized.
• `/api/artifacts` requires every active memory in a session to be visible before returning artifact data.
• `MemoryStore.stats()` scopes memory-related counters (sessions, memory items, vector rows, tag coverage).
• CLI `memory forget` and `memory remember` go through scope-filtered store paths; manual remember rolls back (memory + vectors + ops) and only after scope visibility is confirmed.

Implements codemem-ov4g.5.5.

Type of Change

• 🐛 Bug fix (fixes an issue)

Testing

• Relevant checks pass locally (`pnpm run tsc`, `pnpm run lint`, `pnpm run test`)
• Added/updated tests for changes
• Manually verified changes work as expected

Coverage: viewer route integration tests, CLI memory remember/forget scope safety, stats counters scoped, manual remember stores vectors and rolls back cleanly on unauthorized scope.

Checklist

• Code follows project style (`pnpm run lint` passes for touched files)
• Self-review completed
• Documentation updated (if needed)
• No new warnings introduced

[kunickiaj]

• test(core): add retrieval leakage regression suite #1038
• fix(core): enforce scope-aware export import #1037
• fix(api): enforce scope-safe viewer and CLI memory access #1036 👈 (View in Graphite)
• fix(mcp): enforce scope-safe memory tools #1035
• test(plugin): guard scoped OpenCode context injection #1034
• fix(core): harden memory pack scope assembly #1033
• fix(core): scope sqlite-vec semantic retrieval #1032
• fix(core): enforce scope visibility in memory retrieval #1031
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cb2c44b2fe

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[kunickiaj]

Merge activity

• May 5, 2:59 PM UTC: A user started a stack merge that includes this pull request via Graphite.
• May 5, 3:15 PM UTC: Graphite rebased this pull request as part of a merge.
• May 5, 3:16 PM UTC: @kunickiaj merged this pull request with Graphite.