@agfpd/iapeer-memory-core 0.2.4 → 0.2.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agfpd/iapeer-memory-core",
-  "version": "0.2.4",
+  "version": "0.2.6",
   "description": "iapeer-memory core — host-neutral TypeScript memory primitive: vault schema/taxonomy config, search engine, memoryd, context renderer, role contracts. Consumed by the @agfpd/iapeer-memory facade; version kept in lockstep by its release flow (docs/10-distribution.md).",
   "license": "MIT",
   "type": "module",

package/src/frontmatter-fill.ts

@@ -16,9 +16,14 @@
  * - **identity = peer personality** (нюанс 10): `resolveAgentName` prefers
  *   `PEER_PERSONALITY`, falling back to `IAPEER_MEMORY_AGENT_NAME`.
  *
- * Zone behaviour (parity with the reference):
+ * Zone behaviour (parity with the reference, one deliberate deviation):
  * - inbox:     idempotent fill of the 4-field draft frontmatter +
- *              needs_review (unless curator).
+ *              needs_review (unless curator) + UPSERT of the stamp pair
+ *              (last_edited_by, updated) — a deviation from the reference,
+ *              load-bearing for the unstamped detector: its inbox branch
+ *              discriminates by «the stamp pair did not move», which is
+ *              only a signal when hook edits DO move it (false-positive
+ *              incident 11.06, boris's Write+Edit repro).
  * - permanent: upsert of service fields (last_edited_by, updated,
  *              needs_review).
  * - memory:    PERMANENT service-field semantics + idempotent fill of the
@@ -162,9 +167,19 @@ export function resolveZone(
 
 export function fillInbox(
   fmBlock: string,
-  opts: { path: string; agent: string; today: string; ctx: FillContext },
+  opts: { path: string; agent: string; today: string; nowStamp: string; ctx: FillContext },
 ): string {
   const { taxonomy } = opts.ctx;
+  // STAMP PAIR (дефект-репро boris 11.06, ложный unstamped): upsert как в
+  // fillPermanent/fillMemory. Без неё у inbox-черновиков пара тождественно
+  // (null, null) — «штамп не двинулся» детектора немых записей выполняется
+  // на ЛЮБОЙ легитимной хук-правке, и inbox-ветка вырождается в «hash
+  // двинулся → unstamped» (7 ложных ре-стампов за день 11.06). Оба поля
+  // сервисные для smart-hash → семантический hash и INBOX_NEW-диффы не
+  // двигаются, эхо невозможно. Побочный выигрыш: source-фильтр кураторов
+  // INBOX_NEW впервые получает живой last_edited_by.
+  fmBlock = upsert(fmBlock, "last_edited_by", opts.agent);
+  fmBlock = upsert(fmBlock, "updated", opts.nowStamp);
   fmBlock = setIfMissing(fmBlock, "title", basenameNoExt(opts.path));
   fmBlock = setIfMissing(fmBlock, "status", taxonomy.statusTokens.draft);
   fmBlock = setIfMissing(fmBlock, "created", opts.today);
@@ -495,7 +510,7 @@ export function processFile(filePath: string, opts: ProcessOptions): boolean {
 
   let newFm: string | null;
   if (zone === "inbox") {
-    newFm = fillInbox(fmBlock, { path: filePath, agent: opts.agent, today, ctx });
+    newFm = fillInbox(fmBlock, { path: filePath, agent: opts.agent, today, nowStamp, ctx });
   } else if (zone === "permanent") {
     newFm = fillPermanent(fmBlock, { agent: opts.agent, nowStamp, ctx });
   } else {

package/src/fs-guard.ts

@@ -21,6 +21,10 @@
  *
  * Deliberately NOT guarded in v1: `mkdirSync` (creates empty dirs — no data
  * loss / no content leak; the write that would fill them refuses) and reads.
+ * v2 (boris GO 11.06 evening) narrows both exceptions where they fed the
+ * residual lane: the segment rule refuses writes into harness trees outside
+ * the sandbox roots, and `sandboxBlocksProdRead` gates the prod reads that
+ * NAME live cwds (fleet.json, the provider slot).
  */
 
 import fs from "node:fs";
@@ -56,7 +60,70 @@ export function isUnderProdAnchor(filePath: string): boolean {
   );
 }
 
-/** Throws under an armed sandbox env when the path targets a prod anchor.
+/**
+ * v2 segment rule (accepted by boris 11.06 evening — residual lane of the
+ * incident-№4 class): a `.iapeer`, `.claude` or `.codex` directory ANYWHERE
+ * on disk is a session surface of some peer — peer cwds live in
+ * `~/Projects/*`, `~/Peers/*`, OUTSIDE every prod anchor (probe 11.06:
+ * 24/29 fleet cwds; a fragments/surfaces write into a live tree passed the
+ * v1 anchor belt). Under the sandbox, a write that crosses a harness
+ * segment must sit inside a sandbox root: tmp, or an EXPLICIT
+ * IAPEER_ROOT / IAPEER_MEMORY_*_DIR override (an explicit override IS the
+ * authorisation — same semantics as the egress hub's `--iapeer-bin`
+ * allowance).
+ */
+const HARNESS_SEGMENTS = new Set([".iapeer", ".claude", ".codex"]);
+
+function realpathOrSelf(p: string): string {
+  try {
+    return fs.realpathSync(p);
+  } catch {
+    return p;
+  }
+}
+
+/** Roots a sandboxed test may legitimately write harness trees under.
+ *  `/tmp` is listed besides os.tmpdir(): on macOS os.tmpdir() is the
+ *  per-process $TMPDIR (/var/folders/…) while fixtures commonly use a
+ *  literal /tmp; the realpath twins cover the /var → /private/var symlink. */
+function sandboxRoots(): string[] {
+  const roots = [os.tmpdir(), realpathOrSelf(os.tmpdir()), "/tmp", realpathOrSelf("/tmp")];
+  for (const key of [
+    "IAPEER_ROOT",
+    "IAPEER_MEMORY_STATE_DIR",
+    "IAPEER_MEMORY_CACHE_DIR",
+    "IAPEER_MEMORY_LOGS_DIR",
+  ]) {
+    const v = process.env[key];
+    if (v) roots.push(v);
+  }
+  const cfg = process.env.IAPEER_MEMORY_CONFIG_FILE;
+  if (cfg) roots.push(path.dirname(path.resolve(cfg)));
+  return roots.map((r) => path.resolve(r));
+}
+
+/** True when the path crosses a harness-surface segment OUTSIDE every
+ *  sandbox root. Exported for tests (predicate-level, no write armed). */
+export function isHarnessTreeOutsideSandbox(filePath: string): boolean {
+  const resolved = path.resolve(filePath);
+  if (!resolved.split(path.sep).some((seg) => HARNESS_SEGMENTS.has(seg))) return false;
+  const roots = sandboxRoots();
+  return !roots.some((r) => resolved === r || resolved.startsWith(r + path.sep));
+}
+
+/**
+ * Read-as-egress parity for prod STATE (the И4 precedent — live config.env
+ * skip in cli.ts): data that NAMES live peer cwds (fleet.json, the
+ * memory-provider slot) must not flow into a sandboxed process from the
+ * prod store — it is the SOURCE feeding the residual write lane above.
+ * Callers treat a blocked read as «file absent» and report honestly.
+ */
+export function sandboxBlocksProdRead(filePath: string): boolean {
+  return sandboxEnvArmed() && isUnderProdAnchor(filePath);
+}
+
+/** Throws under an armed sandbox env when the path targets a prod anchor
+ *  (v1) or a harness tree outside the sandbox roots (v2 segment rule).
  *  The op name makes the refusal teach: WHICH write was stopped. */
 export function assertSandboxWritablePath(filePath: string, op: string): void {
   if (!sandboxEnvArmed()) return;
@@ -67,6 +134,14 @@ export function assertSandboxWritablePath(filePath: string, op: string): void {
         "inside its own tmp root; if the path came from the env ladder, the ladder drifted.",
     );
   }
+  if (isHarnessTreeOutsideSandbox(filePath)) {
+    throw new Error(
+      `fs-guard: ${op} refused under the test sandbox — "${filePath}" crosses a .iapeer/.claude/.codex ` +
+        "segment OUTSIDE the sandbox roots (tmp, IAPEER_ROOT, IAPEER_MEMORY_*_DIR). Harness surfaces " +
+        "of live peers live in arbitrary cwds — a test may only touch such trees inside its own sandbox; " +
+        "if the cwd came from fleet.json/the registry, the sandbox read-gate drifted.",
+    );
+  }
 }
 
 export function guardedWriteFileSync(

package/src/index.ts

@@ -74,6 +74,8 @@ export { makeLogger, type Logger } from "./log.js";
 export {
   sandboxEnvArmed,
   isUnderProdAnchor,
+  isHarnessTreeOutsideSandbox,
+  sandboxBlocksProdRead,
   assertSandboxWritablePath,
   guardedWriteFileSync,
   guardedUnlinkSync,

package/src/memoryd.ts

@@ -58,7 +58,7 @@ import {
   type RenderContext,
 } from "./index-render.js";
 import { renderPeerFragment, type FragmentEnv } from "./context-render.js";
-import { guardedWriteFileSync, guardedUnlinkSync } from "./fs-guard.js";
+import { guardedWriteFileSync, guardedUnlinkSync, sandboxBlocksProdRead } from "./fs-guard.js";
 import {
   isSilentEdit,
   readStampRecord,
@@ -659,11 +659,23 @@ export async function startMemoryd(opts: MemorydOptions): Promise<MemorydHandle>
   // ── per-peer fragments (docs/05: свежесть за секунды от FS-изменений) ──
   const fragments = opts.fragments ?? null;
   let fleetCache: { mtimeMs: number; peers: FleetPeer[] } | null = null;
+  let warnedFleetReadBlocked = false;
 
   /** Fail-open fleet map reader with an mtime cache: missing/malformed file
    *  → empty fleet (rendering quietly off), never throws. */
   function readFleetMap(): FleetPeer[] {
     if (!fragments) return [];
+    // Read-as-egress (И4 parity): the prod fleet map NAMES live cwds — a
+    // sandboxed process must not learn them. Empty fleet = rendering off.
+    if (sandboxBlocksProdRead(fragments.fleetMapPath)) {
+      if (!warnedFleetReadBlocked) {
+        warnedFleetReadBlocked = true;
+        logger.warn(
+          `fragments: live fleet map skipped under the test sandbox (${fragments.fleetMapPath}) — set IAPEER_MEMORY_STATE_DIR/IAPEER_ROOT`,
+        );
+      }
+      return [];
+    }
     try {
       const st = fs.statSync(fragments.fleetMapPath);
       if (fleetCache && fleetCache.mtimeMs === st.mtimeMs) return fleetCache.peers;

package/src/silent-edit-detect.ts

@@ -22,7 +22,11 @@
  *   inbox — UNCONDITIONAL: humanEditPass does not cover the agent inbox at
  *     all, human edits there are marginal, and the curator-masquerade
  *     (memoryd's 822-suppress) plus the silent author edit are both closed
- *     by one branch.
+ *     by one branch. PRECONDITION (the 11.06 false-positive lesson, boris's
+ *     Write+Edit repro): the rule is only a discriminator because fillInbox
+ *     UPSERTS the stamp pair on every hook edit — before that fix the pair
+ *     was identically (null, null) for author drafts, «stamp unmoved» held
+ *     vacuously and every second legitimate edit re-stamped as unstamped.
  *
  * Attribution token: `unstamped` — NEUTRAL on purpose (the mechanism
  * cannot tell a Bash agent from a human outside Obsidian; a false «agent»