Add opt-in privacy-safe auto-memory receipts

[caioribeiroclw-pixel]

Summary

Adds opt-in, privacy-safe JSONL receipts for auto-memory refreshes.

When users set:

{
  "receipts": true
}

Stop/SubagentStop hooks append .claude/auto-memory/receipts.jsonl entries for:

• auto_memory.update.requested
• auto_memory.update.completed

The receipts include counts, short SHA-256 hashes, trigger mode, session hash, active memory file, and auto-commit/push outcome. They intentionally do not log raw changed file paths, commit messages, prompts, or CLAUDE.md/AGENTS.md content (raw_paths_included=false, raw_memory_included=false).

Why

Auto-memory is already doing the useful thing: keeping CLAUDE.md/AGENTS.md fresh without spending the main context window. The next trust boundary is auditability for teams: “did a memory refresh get requested/completed?” without dumping the changed files or memory body into logs.

This keeps the default zero-output/zero-receipt behavior unchanged and makes receipts explicit opt-in.

Checks

• python3 -m py_compile scripts/trigger.py scripts/post-tool-use.py
• manual receipt smoke for requested/completed events, hashing, and no raw path/session leakage
• git diff --check

Note: I could not run the full pytest suite in this checkout because the environment does not have pytest/pip installed.

[caioribeiroclw-pixel]

Updated the receipts patch based on the privacy lesson from memory-engine review: predictable IDs/paths should not use plain SHA-256 in shareable receipts.

Changes in this branch:

• use AUTO_MEMORY_RECEIPT_HMAC_KEY / receiptHmacKeyEnv for keyed short HMAC-SHA256 session/file identifiers
• if no key is set, still emit counts/outcomes but omit session/file hashes instead of falling back to guessable hashes
• add explicit hash_algorithm, hmac_key_env, and hashes_omitted_reason fields
• keep raw_paths_included=false and raw_memory_included=false

Checks run:

• python3 -m py_compile scripts/trigger.py scripts/post-tool-use.py
• manual receipt smoke with and without HMAC key, verifying raw paths/session/key are absent
• git diff --check

I kept receipts opt-in and default-safe: enabling receipts without a key gives audit counts without stable path/session identifiers.