@agfpd/iapeer-memory 0.1.13 → 0.2.0

package/src/commands/update.ts

@@ -12,14 +12,20 @@
  *   3. doctrines  — re-render every role from the roles manifest with the
  *                   fresh version marker; roles pick it up on their next
  *                   cold wake (ADR-007), no restarts;
- *   4. slot       — re-declare with the new version (contract obligation);
- *   5. launcher   — regenerate (in case the binary path moved);
- *   6. memoryd    — MANAGED restart: verified SIGTERM via the pid file →
+ *   4. fleet      — re-write the fleet map from `iapeer list --json`;
+ *   5. surfaces   — direct per-peer session surfaces sweep over the map
+ *                   (ADR-009 v1.2: the «всё на местах у подключённых пиров»
+ *                   duty — both runtimes, idempotent, repairs drift);
+ *   6. plugin-off — v1.1→v1.2 migration: when the on-disk slot still
+ *                   carries a plugin block, sweep the legacy plugin off the
+ *                   fleet (while the old declaration is STILL readable by
+ *                   the core verb) — only after surfaces landed cleanly;
+ *   7. slot       — re-declare in the v1.2 form (provision command blocks,
+ *                   new version — contract obligation);
+ *   8. launcher + triggers + guide — regenerate;
+ *   9. memoryd    — MANAGED restart: verified SIGTERM via the pid file →
  *                   the notifier watcher relaunches through the launcher
- *                   with the NEW binary (exit-detect is unconditional —
- *                   notifier fact). Not running → nothing to do;
- *   7. plugin     — the harness's native plugin update flow (printed hint;
- *                   the package never reaches into harness internals).
+ *                   with the NEW binary. Not running → nothing to do.
  *
  * Idempotent: same version re-run → identical/no-op on every surface.
  */
@@ -34,10 +40,13 @@ import {
   type LocaleId,
 } from "@agfpd/iapeer-memory-core";
 import { installBinary } from "../binary.js";
-import { writeFleetMap } from "../fleet.js";
+import { readFleetMap, writeFleetMap } from "../fleet.js";
 import { memoryPaths } from "../paths.js";
 import { readRolesManifest } from "../roles.js";
-import { writeSlot } from "../slot.js";
+import { applyMemoryPlugin, readSlot, writeSlot, SLOT_PROVIDER } from "../slot.js";
+import { withProvisionLock } from "../surfaces/lock.js";
+import { sweepProvision } from "../surfaces/sweep.js";
+import { mcpPort } from "./provision-peer.js";
 import { guideText, materialiseTemplates } from "../templates/index.js";
 import { packageVersion } from "../version.js";
 import {
@@ -52,8 +61,11 @@ import { stopMemorydByPidFile } from "./uninstall.js";
 
 export function cmdUpdate(argv: string[]): number {
   let skipBinary = false;
-  for (const a of argv) {
+  let iapeerBin: string | undefined;
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
     if (a === "--skip-binary") skipBinary = true;
+    else if (a === "--iapeer-bin") iapeerBin = argv[++i];
     else {
       console.error(`iapeer-memory update: unknown flag: ${a}`);
       return 2;
@@ -123,24 +135,103 @@ export function cmdUpdate(argv: string[]): number {
     );
   }
 
-  // 4. slot version (contract obligation)
-  const slot = writeSlot({
-    slotPath: paths.slotPath,
-    version,
-    heartbeat: paths.heartbeatPath,
-  });
-  step(
-    "slot",
-    slot.action === "refused-foreign"
-      ? `slot held by foreign provider "${slot.existing?.provider}" — not ours to update`
-      : `${slot.action} (v${version})`,
-    slot.action !== "refused-foreign",
-  );
+  // 4. fleet map — personality → cwd × runtimes (the joint of the surfaces
+  // sweep below AND memoryd's fragment renderer, docs/05). BEFORE surfaces
+  // and BEFORE the memoryd restart: both consume the fresh map.
+  {
+    const fleet = writeFleetMap({ fleetMapPath: paths.fleetMapPath, iapeerBin });
+    step(
+      "fleet",
+      fleet.action === "written"
+        ? fleet.detail
+        : `fleet map not written (${fleet.detail}) — surfaces sweep runs on the LAST map; fragments stay stale until verify --repair`,
+      fleet.action === "written",
+    );
+  }
 
-  // 5. launcher
+  // 5. direct session surfaces sweep (ADR-009 v1.2) — the update duty:
+  // «всё на местах у подключённых пиров, что codex, что claude».
+  const existingSlot = readSlot(paths.slotPath);
+  const slotForeign = existingSlot !== null && existingSlot.provider !== SLOT_PROVIDER;
+  let surfacesOk = false;
+  if (slotForeign) {
+    step("surfaces", "skipped (foreign slot — not our host)");
+  } else {
+    const fleet = readFleetMap(paths.fleetMapPath) ?? [];
+    const locked = withProvisionLock({
+      stateDir: paths.stateDir,
+      fn: () => sweepProvision({ fleet, hooksDir: paths.hooksDir, port: mcpPort() }),
+    });
+    if (!locked.acquired) {
+      step("surfaces", locked.detail, false);
+    } else {
+      const { results, skipped } = locked.result;
+      const failed = results.filter((r) => !r.ok);
+      surfacesOk = failed.length === 0;
+      step(
+        "surfaces",
+        `${results.length - failed.length}/${results.length} peer-runtime(s) in place` +
+          (skipped.length ? `, ${skipped.length} skipped` : "") +
+          " — live sessions pick changes up on next restart",
+        surfacesOk,
+      );
+      for (const f of failed) {
+        console.log(
+          `      surfaces    FAIL ${f.personality}:${f.runtime} — ${f.outcomes
+            .filter((o) => o.action === "failed")
+            .map((o) => `${o.surface}: ${o.detail ?? "failed"}`)
+            .join("; ")}`,
+        );
+      }
+    }
+  }
+
+  // 6. v1.1 → v1.2 migration (one-shot per host): the on-disk slot still
+  // carries a plugin block — sweep the legacy plugin off the fleet WHILE the
+  // old declaration is still readable (the core verb derives the identity
+  // from it), and ONLY after the direct surfaces landed cleanly.
+  let migrationBlocked = false;
+  if (!slotForeign && existingSlot?.plugin) {
+    if (!surfacesOk) {
+      migrationBlocked = true;
+      step(
+        "plugin-off",
+        "POSTPONED: direct surfaces did not land cleanly — legacy plugin and v1.1 slot kept (fix and re-run update)",
+        false,
+      );
+    } else {
+      const off = applyMemoryPlugin({ mode: "off" });
+      step(
+        "plugin-off",
+        off.suppressed
+          ? "skipped (test sandbox — core calls suppressed)"
+          : off.ok
+            ? "legacy v1.1 session plugin swept off the fleet (memory-plugin off --all)"
+            : `legacy plugin off failed (${off.detail.slice(0, 120)}) — manual: iapeer memory-plugin off --all`,
+      );
+    }
+  }
+
+  // 7. slot version + v1.2 form (contract obligation). Kept v1.1 while the
+  // migration is blocked — the legacy channel stays derivable.
+  if (slotForeign) {
+    step("slot", `slot held by foreign provider "${existingSlot?.provider}" — not ours to update`, false);
+  } else if (migrationBlocked) {
+    step("slot", "kept v1.1 declaration (migration postponed — see plugin-off)", false);
+  } else {
+    const slot = writeSlot({
+      slotPath: paths.slotPath,
+      version,
+      binaryPath: paths.binaryPath,
+      heartbeat: paths.heartbeatPath,
+    });
+    step("slot", `${slot.action} (v${version}, provision-command declared)`, slot.action !== "refused-foreign");
+  }
+
+  // 8. launcher
   step("launcher", writeLauncherScript({ launcherPath: paths.launcherPath, binaryPath: paths.binaryPath }));
 
-  // 5b. notifier wiring (ADR-015): same-id re-send REPLACES the trigger —
+  // 8b. notifier wiring (ADR-015): same-id re-send REPLACES the trigger —
   // the idempotent re-target path (old hosts with target=index migrate to
   // target=scriber by this very step).
   {
@@ -173,7 +264,7 @@ export function cmdUpdate(argv: string[]): number {
     );
   }
 
-  // 5c. host-wide guide — update an ALREADY-ROLLED-OUT guide only
+  // 8c. host-wide guide — update an ALREADY-ROLLED-OUT guide only
   // (presence = the rollout sanction; init --skip-guide hosts stay
   // untouched). Vault substituted into {{VAULT_PATH}} (дыра 10.06: the
   // literal placeholder left peers without the write path).
@@ -190,29 +281,9 @@ export function cmdUpdate(argv: string[]): number {
     }
   }
 
-  // 5d. fleet map — personality → cwd for memoryd's fragment renderer
-  // (docs/05; дыра 10.06). BEFORE the memoryd restart below: the fresh
-  // daemon renders the whole fleet at startup from this very map.
-  {
-    const fleet = writeFleetMap({ fleetMapPath: paths.fleetMapPath });
-    step(
-      "fleet",
-      fleet.action === "written"
-        ? fleet.detail
-        : `fleet map not written (${fleet.detail}) — fragments stay stale until verify --repair`,
-      fleet.action === "written",
-    );
-  }
-
-  // 6. memoryd managed restart (the watcher relaunches with the new binary)
+  // 9. memoryd managed restart (the watcher relaunches with the new binary)
   step("memoryd", `${stopMemorydByPidFile(paths.pidPath)} — the notifier watcher relaunches it with the new binary`);
 
-  // 7. plugin — harness-owned surface
-  console.log(
-    "      plugin      update via the harness's native plugin flow " +
-      "(claude/codex plugin manager); the package never reaches into harness internals",
-  );
-
   console.log(
     failures
       ? `\nupdate finished with ${failures} problem(s) — iapeer-memory verify --repair`

package/src/commands/verify.ts

@@ -25,10 +25,13 @@ import {
   renderDoctrine,
   renderedVersion,
 } from "@agfpd/iapeer-memory-core";
-import { writeFleetMap } from "../fleet.js";
+import { readFleetMap, writeFleetMap } from "../fleet.js";
 import { memoryPaths, type MemoryPaths } from "../paths.js";
 import { readRolesManifest } from "../roles.js";
-import { readSlot, writeSlot, SLOT_PROVIDER } from "../slot.js";
+import { readSlot, slotProvisionBlocks, writeSlot, SLOT_PROVIDER } from "../slot.js";
+import { withProvisionLock } from "../surfaces/lock.js";
+import { checkFleetSurfaces, sweepProvision } from "../surfaces/sweep.js";
+import { mcpPort } from "./provision-peer.js";
 import { packageVersion } from "../version.js";
 import {
   dreamTimerMessage,
@@ -95,6 +98,11 @@ export function runVerify(opts: VerifyOptions = {}): CheckResult[] {
 
   // 1b. memory-provider slot (iapeer memory-slot contract): a provisioned
   // host must declare the slot; a FOREIGN slot is never repaired over.
+  // A v1.1 slot (plugin block) is NEVER migrated here — the migration is
+  // update's job (plugin off --all must run while the old declaration is
+  // readable; a SessionStart-kicked repair racing ahead of update would
+  // strand the legacy plugin on the whole fleet).
+  let slotIsLegacyV11 = false;
   if (!configOk) {
     results.push({
       name: "memory-slot",
@@ -103,17 +111,37 @@ export function runVerify(opts: VerifyOptions = {}): CheckResult[] {
     });
   } else {
     const slot = readSlot(paths.slotPath);
+    const expectedBlocks = slotProvisionBlocks(paths.binaryPath);
+    const formOk =
+      slot !== null &&
+      slot.plugin === undefined &&
+      JSON.stringify(slot.provision) === JSON.stringify(expectedBlocks.provision) &&
+      JSON.stringify(slot.unprovision) === JSON.stringify(expectedBlocks.unprovision);
     if (slot && slot.provider !== SLOT_PROVIDER) {
       results.push({
         name: "memory-slot",
         status: "fail",
         detail: `slot held by foreign provider "${slot.provider}" — refusing to touch (uninstall it first)`,
       });
-    } else if (slot && slot.version === version) {
-      results.push({ name: "memory-slot", status: "ok", detail: `declared v${slot.version}` });
+    } else if (slot?.plugin) {
+      slotIsLegacyV11 = true;
+      results.push({
+        name: "memory-slot",
+        status: "fail",
+        detail:
+          "slot is the legacy v1.1 form (plugin block) — migrate via `iapeer-memory update` (verify never migrates: the plugin-off order is update's duty)",
+      });
+    } else if (slot && slot.version === version && formOk) {
+      results.push({
+        name: "memory-slot",
+        status: "ok",
+        detail: `declared v${slot.version}, provision-command in place`,
+      });
     } else {
       const problem = slot
-        ? `slot declares v${slot.version}, package is v${version}`
+        ? slot.version !== version
+          ? `slot declares v${slot.version}, package is v${version}`
+          : "provision-command block missing/drifted"
         : `slot declaration missing at ${paths.slotPath}`;
       if (!repair) {
         results.push({ name: "memory-slot", status: "fail", detail: problem });
@@ -121,6 +149,7 @@ export function runVerify(opts: VerifyOptions = {}): CheckResult[] {
         const w = writeSlot({
           slotPath: paths.slotPath,
           version,
+          binaryPath: paths.binaryPath,
           heartbeat: paths.heartbeatPath,
         });
         results.push(
@@ -169,6 +198,82 @@ export function runVerify(opts: VerifyOptions = {}): CheckResult[] {
     }
   }
 
+  // 1d. direct per-peer session surfaces (ADR-009 v1.2) across the fleet
+  // map — the self-healing loop for newborns on hosts where the core's
+  // birth-hook lagged AND the drift-repair duty (требование №2). Skipped on
+  // a legacy v1.1 host: the plugin is still the live channel there, direct
+  // surfaces land via update's migration.
+  if (!configOk) {
+    results.push({ name: "peer-surfaces", status: "skip", detail: "not provisioned (config check failed)" });
+  } else if (slotIsLegacyV11) {
+    results.push({
+      name: "peer-surfaces",
+      status: "skip",
+      detail: "legacy v1.1 host (plugin channel) — direct surfaces land via `iapeer-memory update`",
+    });
+  } else {
+    const fleet = readFleetMap(paths.fleetMapPath);
+    if (!fleet) {
+      results.push({
+        name: "peer-surfaces",
+        status: "skip",
+        detail: "fleet map unreadable — see fleet-map check",
+      });
+    } else {
+      const { checks, skipped } = checkFleetSurfaces({
+        fleet,
+        hooksDir: paths.hooksDir,
+        port: mcpPort(),
+      });
+      const bad = checks.filter((c) => !c.ok);
+      if (bad.length === 0) {
+        results.push({
+          name: "peer-surfaces",
+          status: "ok",
+          detail:
+            `${checks.length} peer-runtime(s) in place` +
+            (skipped.length ? ` (${skipped.length} skipped: no session runtime / missing cwd)` : ""),
+        });
+      } else if (!repair) {
+        for (const b of bad) {
+          results.push({
+            name: `peer-surfaces[${b.personality}:${b.runtime}]`,
+            status: "fail",
+            detail: b.problems.join("; "),
+          });
+        }
+      } else {
+        const badPeers = fleet.filter((p) => bad.some((b) => b.cwd === p.cwd));
+        const locked = withProvisionLock({
+          stateDir: paths.stateDir,
+          fn: () => sweepProvision({ fleet: badPeers, hooksDir: paths.hooksDir, port: mcpPort() }),
+        });
+        if (!locked.acquired) {
+          results.push({ name: "peer-surfaces", status: "fail", detail: locked.detail });
+        } else {
+          const stillBad = locked.result.results.filter((r) => !r.ok);
+          results.push(
+            stillBad.length === 0
+              ? {
+                  name: "peer-surfaces",
+                  status: "repaired",
+                  detail: `${bad.length} drifted peer-runtime(s) re-provisioned (${bad
+                    .map((b) => `${b.personality}:${b.runtime}`)
+                    .join(", ")})`,
+                }
+              : {
+                  name: "peer-surfaces",
+                  status: "fail",
+                  detail: `repair failed for ${stillBad
+                    .map((r) => `${r.personality}:${r.runtime}`)
+                    .join(", ")}`,
+                },
+          );
+        }
+      }
+    }
+  }
+
   // 2. memoryd heartbeat
   try {
     const stat = fs.statSync(paths.heartbeatPath);

package/src/fleet.ts

@@ -7,9 +7,14 @@
  * new peer wakes → SessionStart kick → `verify --repair` re-writes the
  * map → memoryd renders the newcomer's fragment within a tick.
  *
- * `iapeer list` is READ-ONLY on the host — no test fuse needed here
- * (the fuse class guards host MUTATIONS); deterministic tests pass a
- * fake `iapeerBin` instead.
+ * TEST FUSE (incident 11.06, the FOURTH of its class — first FILE-path one):
+ * `iapeer list` is read-only, but its RESULT is the target list of the
+ * surfaces sweep — a sandboxed `verify --repair` with no fleet map repaired
+ * the map from the LIVE registry and then swept the LIVE peers' cwds with
+ * direct surfaces (the send-fuse never saw it: no IAP send involved).
+ * Querying the live registry from a test IS the leak — so the default
+ * binary is refused under the sandbox fuse; tests that need a fleet pass a
+ * fake `iapeerBin` (as before) or write the map file directly.
  */
 
 import fs from "node:fs";
@@ -21,7 +26,46 @@ export type FleetMapResult = {
   detail: string;
 };
 
-type ListedPeer = { personality?: unknown; cwd?: unknown };
+type ListedPeer = {
+  personality?: unknown;
+  cwd?: unknown;
+  /** iapeer registry: `[{runtime: "claude"|"codex"|…, status}]`. */
+  runtimes?: Array<{ runtime?: unknown }>;
+};
+
+/** Fleet-map entry. `runtimes` (ADR-009 v1.2) names the peer's session
+ *  runtimes from the registry — the surfaces sweep keys its per-runtime
+ *  forms on it (claude: hooks+mcp+skills; codex: project-local MCP).
+ *  Core's memoryd reader takes personality/cwd only — additive, fail-open. */
+export type FleetPeer = { personality: string; cwd: string; runtimes: string[] };
+
+/** Fail-open fleet-map reader (the package side: the surfaces sweep and
+ *  verify's per-peer checks). Missing/unreadable map → null — callers report
+ *  honestly instead of guessing the fleet. Entries without a runtimes array
+ *  (pre-v1.2 maps) read as `runtimes: []` — the sweep skips them until the
+ *  next map re-write (init/update/verify --repair). */
+export function readFleetMap(fleetMapPath: string): FleetPeer[] | null {
+  try {
+    const raw = JSON.parse(fs.readFileSync(fleetMapPath, "utf-8")) as {
+      peers?: Array<{ personality?: unknown; cwd?: unknown; runtimes?: unknown }>;
+    };
+    if (!Array.isArray(raw?.peers)) return null;
+    return raw.peers
+      .filter(
+        (p): p is { personality: string; cwd: string; runtimes?: unknown } =>
+          typeof p?.personality === "string" && typeof p?.cwd === "string",
+      )
+      .map((p) => ({
+        personality: p.personality,
+        cwd: p.cwd,
+        runtimes: Array.isArray(p.runtimes)
+          ? p.runtimes.filter((r): r is string => typeof r === "string")
+          : [],
+      }));
+  } catch {
+    return null;
+  }
+}
 
 export function writeFleetMap(opts: {
   fleetMapPath: string;
@@ -29,6 +73,17 @@ export function writeFleetMap(opts: {
   /** Injectable for tests. */
   nowIso?: string;
 }): FleetMapResult {
+  if (
+    opts.iapeerBin === undefined &&
+    (process.env.IAPEER_MEMORY_SUPPRESS_IAP_SEND === "1" ||
+      process.env.IAPEER_TEST_SANDBOX === "1")
+  ) {
+    return {
+      action: "failed",
+      count: 0,
+      detail: "live-registry query suppressed (test sandbox) — pass a fake iapeerBin",
+    };
+  }
   const bin = opts.iapeerBin ?? "iapeer";
   let stdout: string;
   try {
@@ -57,15 +112,25 @@ export function writeFleetMap(opts: {
     return { action: "failed", count: 0, detail: "iapeer list --json: unparsable output" };
   }
 
-  const peers = listed
+  const peers: FleetPeer[] = listed
     .filter(
-      (p): p is { personality: string; cwd: string } =>
+      (p): p is ListedPeer & { personality: string; cwd: string } =>
         typeof p.personality === "string" &&
         p.personality.trim() !== "" &&
         typeof p.cwd === "string" &&
         p.cwd.trim() !== "",
     )
-    .map((p) => ({ personality: p.personality.trim(), cwd: p.cwd.trim() }));
+    .map((p) => ({
+      personality: p.personality.trim(),
+      cwd: p.cwd.trim(),
+      runtimes: [
+        ...new Set(
+          (Array.isArray(p.runtimes) ? p.runtimes : [])
+            .map((r) => (typeof r?.runtime === "string" ? r.runtime.trim() : ""))
+            .filter(Boolean),
+        ),
+      ],
+    }));
 
   const body =
     JSON.stringify(

package/src/paths.ts

@@ -48,6 +48,10 @@ export type MemoryPaths = {
   binaryPath: string;
   /** Materialised package-owned templates (roles, guide) — see templates/index.ts. */
   templatesDir: string;
+  /** Materialised hook shims (fail-open bash, 3 lines) — the ABSOLUTE command
+   *  paths merged into peers' `.claude/settings.json` (ownership lives IN THE
+   *  DATA: the command path is the identity of our entries — ADR-009 v1.2). */
+  hooksDir: string;
   /** memoryd launcher — the notifier watcher's script (wraps the stable binary). */
   launcherPath: string;
   /** Sweep check-script — gates the fail-open inbox sweep (ADR-015). */
@@ -92,6 +96,7 @@ export function memoryPaths(
     binaryPath:
       env.IAPEER_MEMORY_BINARY_PATH || path.join(home, ".local", "bin", "iapeer-memory"),
     templatesDir: path.join(path.dirname(configFile), "templates"),
+    hooksDir: path.join(path.dirname(configFile), "hooks"),
     launcherPath: path.join(path.dirname(configFile), "memoryd-launcher.sh"),
     checkScriptPath: path.join(path.dirname(configFile), "inbox-stale-check.sh"),
     fleetMapPath: path.join(stateDir, "fleet.json"),

package/src/slot.ts

@@ -1,8 +1,8 @@
 /**
- * Memory-provider slot declaration — the iapeer memory-slot contract (FINAL,
- * iapeer docs fc68c54/e2195a7/c968219). The slot file tells the core that
- * the three public surfaces (layer-5 fragments / MCP tools / daemon under a
- * notifier watcher) are occupied:
+ * Memory-provider slot declaration — the iapeer memory-slot contract (FINAL
+ * base, iapeer docs fc68c54/e2195a7/c968219; v1.2 revision agreed 11.06).
+ * The slot file tells the core that the three public surfaces (layer-5
+ * fragments / MCP tools / daemon under a notifier watcher) are occupied:
  *
  * - the PROVIDER writes and removes the file (our init/uninstall), atomic
  *   temp+rename; the core only reads it (absent/unreadable = empty slot);
@@ -12,14 +12,21 @@
  *   marker, ADR-010); our `update` re-writes it (P4 obligation);
  * - `heartbeat` (optional) = the absolute path whose mtime memoryd touches —
  *   the core may show staleness in `iapeer status`, never acts on it;
- * - `plugin` (v1.1, agreed 10.06 + live in iapeer 0.2.25) = the marketplace
- *   identity of the session plugin. The core DERIVES installs from this block:
- *   birth-hook installs for new peers, `iapeer memory-plugin on|off (--peer|
- *   --all)` is the operator verb (built-in marketplace ensure + stale-cache
- *   retry). Reference reader: iapeer src/status/index.ts parsePluginBlock —
- *   all three fields required non-empty, anything less = treated as a v1
- *   declaration (no install). marketplaceRef matches iapeer onboard's
- *   MARKETPLACE_REF for the distribution default.
+ * - `provision`/`unprovision` (v1.2, ADR-009 v1.2 — boris's birth-joint
+ *   inversion, schema fixed with the core 11.06): the PROVIDER's OWN command
+ *   the core shells into at peer birth / verb sweeps / peer removal. The
+ *   core never learns the surface forms; placeholders {cwd} {runtime}
+ *   {personality} {occasion} substitute PER-ARGUMENT (argv spawn, no shell,
+ *   120s timeout, best-effort + loud warn). Precedence at the core:
+ *   provision > plugin with NO runtime fallback;
+ * - `plugin` (v1.1, deprecated by v1.2): we no longer WRITE it — holding
+ *   both blocks would make an old core re-install the plugin we swept
+ *   (agreed 11.06). An old core reads our v1.2 slot as «provider without a
+ *   plugin» and honestly skips the birth install; the newborn is picked up
+ *   by the verify --repair sweep. RELEASE ORDER closes even that window on
+ *   this host: the core ships its v1.2 parser FIRST, our release follows.
+ *   The type keeps the field so uninstall/update can MIGRATE old slots
+ *   (plugin off --all while the block is still readable).
  */
 
 import fs from "node:fs";
@@ -28,7 +35,8 @@ import path from "node:path";
 export const SLOT_PROVIDER = "iapeer-memory";
 export const SLOT_PACKAGE = "@agfpd/iapeer-memory";
 
-/** Mirror of iapeer's MemoryProviderPlugin (src/status/index.ts). */
+/** Mirror of iapeer's MemoryProviderPlugin (src/status/index.ts). v1.1
+ *  legacy: READ-only here (migration off-path); v1.2 slots no longer carry it. */
 export type MemoryProviderPlugin = {
   /** Plugin id in the marketplace (forms `<name>@<marketplace>`). */
   name: string;
@@ -38,19 +46,54 @@ export type MemoryProviderPlugin = {
   marketplaceRef: string;
 };
 
-export const SLOT_PLUGIN: MemoryProviderPlugin = {
-  name: "iapeer-memory",
-  marketplace: "agfpd",
-  marketplaceRef: "agfpd/agfpd-marketplace",
+/** v1.2 provision command block — argv form (§7 req 1: per-argument
+ *  placeholder substitution, spawn without a shell). */
+export type MemoryProviderCommand = {
+  /** Absolute path (§7 req 2: birth-hooks live in a minimal launchd PATH). */
+  command: string;
+  args: string[];
 };
 
+/** The provision/unprovision blocks of OUR slot — built around the stable
+ *  installed binary (the same path the hooks/watcher rely on). */
+export function slotProvisionBlocks(binaryPath: string): {
+  provision: MemoryProviderCommand;
+  unprovision: MemoryProviderCommand;
+} {
+  return {
+    provision: {
+      command: binaryPath,
+      args: [
+        "provision-peer",
+        "--cwd", "{cwd}",
+        "--runtime", "{runtime}",
+        "--personality", "{personality}",
+        "--occasion", "{occasion}",
+      ],
+    },
+    unprovision: {
+      command: binaryPath,
+      args: [
+        "unprovision-peer",
+        "--cwd", "{cwd}",
+        "--runtime", "{runtime}",
+        "--occasion", "{occasion}",
+      ],
+    },
+  };
+}
+
 export type MemoryProviderSlot = {
   provider: string;
   package: string;
   version: string;
   registeredAt: string;
   heartbeat?: string;
+  /** v1.1 legacy (read for migration; never written by v1.2 code). */
   plugin?: MemoryProviderPlugin;
+  /** v1.2 (ADR-009 v1.2). */
+  provision?: MemoryProviderCommand;
+  unprovision?: MemoryProviderCommand;
 };
 
 /** Never throws: missing / unreadable / malformed → null (empty slot). */
@@ -72,6 +115,8 @@ export type SlotWriteResult = {
 export function writeSlot(opts: {
   slotPath: string;
   version: string;
+  /** Absolute path of the installed binary — the provision command carrier. */
+  binaryPath: string;
   heartbeat?: string;
   /** Injectable for tests. */
   nowIso?: string;
@@ -80,15 +125,15 @@ export function writeSlot(opts: {
   if (existing && existing.provider !== SLOT_PROVIDER) {
     return { action: "refused-foreign", existing };
   }
+  const blocks = slotProvisionBlocks(opts.binaryPath);
   if (
     existing &&
     existing.version === opts.version &&
     existing.heartbeat === opts.heartbeat &&
     existing.package === SLOT_PACKAGE &&
-    existing.plugin &&
-    existing.plugin.name === SLOT_PLUGIN.name &&
-    existing.plugin.marketplace === SLOT_PLUGIN.marketplace &&
-    existing.plugin.marketplaceRef === SLOT_PLUGIN.marketplaceRef
+    existing.plugin === undefined && // a v1.1 slot (plugin block) must MIGRATE to the v1.2 form
+    JSON.stringify(existing.provision) === JSON.stringify(blocks.provision) &&
+    JSON.stringify(existing.unprovision) === JSON.stringify(blocks.unprovision)
   ) {
     return { action: "identical", existing }; // idempotent re-init: no churn
   }
@@ -98,7 +143,7 @@ export function writeSlot(opts: {
     version: opts.version,
     registeredAt: opts.nowIso ?? new Date().toISOString(),
     ...(opts.heartbeat ? { heartbeat: opts.heartbeat } : {}),
-    plugin: SLOT_PLUGIN,
+    ...blocks,
   };
   fs.mkdirSync(path.dirname(opts.slotPath), { recursive: true });
   const tmp = `${opts.slotPath}.tmp`;