@agfpd/iapeer-memory 0.2.0 → 0.2.1

package/src/commands/update.ts

@@ -40,6 +40,7 @@ import {
   type LocaleId,
 } from "@agfpd/iapeer-memory-core";
 import { installBinary } from "../binary.js";
+import type { Egress } from "../egress.js";
 import { readFleetMap, writeFleetMap } from "../fleet.js";
 import { memoryPaths } from "../paths.js";
 import { readRolesManifest } from "../roles.js";
@@ -59,7 +60,7 @@ import {
 } from "../watcher.js";
 import { stopMemorydByPidFile } from "./uninstall.js";
 
-export function cmdUpdate(argv: string[]): number {
+export function cmdUpdate(argv: string[], egress: Egress): number {
   let skipBinary = false;
   let iapeerBin: string | undefined;
   for (let i = 0; i < argv.length; i++) {
@@ -92,7 +93,7 @@ export function cmdUpdate(argv: string[]): number {
   if (skipBinary) {
     step("binary", "skipped (--skip-binary)");
   } else {
-    const bin = installBinary({ outPath: paths.binaryPath });
+    const bin = installBinary(egress, { outPath: paths.binaryPath });
     step(
       "binary",
       bin.action === "compiled"
@@ -139,7 +140,7 @@ export function cmdUpdate(argv: string[]): number {
   // sweep below AND memoryd's fragment renderer, docs/05). BEFORE surfaces
   // and BEFORE the memoryd restart: both consume the fresh map.
   {
-    const fleet = writeFleetMap({ fleetMapPath: paths.fleetMapPath, iapeerBin });
+    const fleet = writeFleetMap(egress, { fleetMapPath: paths.fleetMapPath, iapeerBin });
     step(
       "fleet",
       fleet.action === "written"
@@ -200,7 +201,7 @@ export function cmdUpdate(argv: string[]): number {
         false,
       );
     } else {
-      const off = applyMemoryPlugin({ mode: "off" });
+      const off = applyMemoryPlugin(egress, { mode: "off" });
       step(
         "plugin-off",
         off.suppressed
@@ -247,11 +248,11 @@ export function cmdUpdate(argv: string[]): number {
     } catch {
       // unprovisioned env — registrations below still re-target
     }
-    const w = registerWatcher({ launcherPath: paths.launcherPath });
-    const s = registerTimer({
+    const w = registerWatcher(egress, { launcherPath: paths.launcherPath });
+    const s = registerTimer(egress, {
       message: sweepTimerMessage({ checkScriptPath: paths.checkScriptPath }),
     });
-    const d = registerTimer({ message: dreamTimerMessage() });
+    const d = registerTimer(egress, { message: dreamTimerMessage() });
     const sandboxed = w.suppressed && s.suppressed && d.suppressed;
     step(
       "triggers",
@@ -282,7 +283,7 @@ export function cmdUpdate(argv: string[]): number {
   }
 
   // 9. memoryd managed restart (the watcher relaunches with the new binary)
-  step("memoryd", `${stopMemorydByPidFile(paths.pidPath)} — the notifier watcher relaunches it with the new binary`);
+  step("memoryd", `${stopMemorydByPidFile(egress, paths.pidPath)} — the notifier watcher relaunches it with the new binary`);
 
   console.log(
     failures

package/src/commands/verify.ts

@@ -25,6 +25,7 @@ import {
   renderDoctrine,
   renderedVersion,
 } from "@agfpd/iapeer-memory-core";
+import type { Egress } from "../egress.js";
 import { readFleetMap, writeFleetMap } from "../fleet.js";
 import { memoryPaths, type MemoryPaths } from "../paths.js";
 import { readRolesManifest } from "../roles.js";
@@ -68,7 +69,7 @@ type RolesManifest = {
   roles: Array<{ role: string; peerCwd: string; template: string }>;
 };
 
-export function runVerify(opts: VerifyOptions = {}): CheckResult[] {
+export function runVerify(egress: Egress, opts: VerifyOptions = {}): CheckResult[] {
   const repair = opts.repair ?? false;
   const paths = opts.paths ?? memoryPaths();
   const version = opts.version ?? packageVersion();
@@ -188,7 +189,7 @@ export function runVerify(opts: VerifyOptions = {}): CheckResult[] {
       if (!repair) {
         results.push({ name: "fleet-map", status: "fail", detail: problem });
       } else {
-        const w = writeFleetMap({ fleetMapPath: paths.fleetMapPath, iapeerBin: opts.iapeerBin });
+        const w = writeFleetMap(egress, { fleetMapPath: paths.fleetMapPath, iapeerBin: opts.iapeerBin });
         results.push(
           w.action === "written"
             ? { name: "fleet-map", status: "repaired", detail: `${problem} — ${w.detail}` }
@@ -343,7 +344,7 @@ export function runVerify(opts: VerifyOptions = {}): CheckResult[] {
               launcherPath: paths.launcherPath,
               binaryPath: paths.binaryPath,
             });
-            return registerWatcher({
+            return registerWatcher(egress, {
               launcherPath: paths.launcherPath,
               iapeerBin: opts.iapeerBin,
             });
@@ -373,7 +374,7 @@ export function runVerify(opts: VerifyOptions = {}): CheckResult[] {
             } catch {
               // unprovisioned env — the registration alone still heals the trigger
             }
-            return registerTimer({
+            return registerTimer(egress, {
               message: sweepTimerMessage({ checkScriptPath: paths.checkScriptPath }),
               iapeerBin: opts.iapeerBin,
             });
@@ -386,7 +387,7 @@ export function runVerify(opts: VerifyOptions = {}): CheckResult[] {
           expect: (t) =>
             t.target !== "index" ? `target is ${t.target ?? "?"}, expected index` : null,
           repairSend: () =>
-            registerTimer({ message: dreamTimerMessage(), iapeerBin: opts.iapeerBin }),
+            registerTimer(egress, { message: dreamTimerMessage(), iapeerBin: opts.iapeerBin }),
         },
       ];
       for (const c of checks) {
@@ -499,17 +500,23 @@ export function runVerify(opts: VerifyOptions = {}): CheckResult[] {
   return results;
 }
 
-export function cmdVerify(argv: string[]): number {
+export function cmdVerify(argv: string[], egress: Egress): number {
   let repair = false;
-  for (const a of argv) {
+  let iapeerBin: string | undefined;
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
     if (a === "--repair") repair = true;
+    // Mirror of `update --iapeer-bin` (fb662ed): the hermetic CLI test class
+    // needs an explicitly named core binary — the egress explicit-bin
+    // allowance keys on it.
+    else if (a === "--iapeer-bin") iapeerBin = argv[++i];
     else {
       console.error(`iapeer-memory verify: unknown flag: ${a}`);
       return 2;
     }
   }
 
-  const results = runVerify({ repair });
+  const results = runVerify(egress, { repair, iapeerBin });
   const width = Math.max(...results.map((r) => r.name.length));
   for (const r of results) {
     const mark =

package/src/egress.ts

@@ -0,0 +1,181 @@
+/**
+ * Egress hub — the ONE doorway from this package to the live host
+ * (docs/_planning/DENY_BY_DEFAULT_DESIGN.md §4, accepted by boris 11.06).
+ *
+ * Topology, not another fuse: four incidents («тест дотянулся до прода»)
+ * shared one root — outbound channels were allowed by default and refused
+ * only under a test flag each call site had to remember. This module
+ * inverts the default. Modules never spawn/kill/probe the host themselves
+ * and never PATH-resolve an external binary — they take an explicit
+ * {@link Egress} handle. The single live constructor, {@link liveEgress},
+ * is called from `cli.ts main()`; while a test-sandbox env is armed it
+ * hands back a REFUSING handle instead, and every channel reports refusal
+ * (callers map it to their SKIP semantics — the iapeer `skipped-sandbox`
+ * precedent). A module imported directly by a test has no doorway to the
+ * host by construction: there is nothing to forget.
+ *
+ * The grep invariant (И3) pins the topology: no `Bun.spawn*`/`process.kill`
+ * outside this file in src/.
+ *
+ * EXPLICIT ALLOWANCES of the refusing handle — each narrow, each here, all
+ * in one place (deny by DEFAULT, authorized consciously):
+ *
+ * 1. `explicitBin` spawns — argv[0] was NAMED by the operator/test via a
+ *    flag (`--iapeer-bin <path>`). Same safety class as the sanctioned
+ *    fake-bin test pattern: a consciously named binary is an authorization,
+ *    a PATH-resolved default is not. (Closes the old env-juggling dance:
+ *    fake-bin tests no longer clear the sandbox vars.)
+ * 2. Self-runtime spawns — argv[0] === process.execPath (bun): the binary
+ *    compile (`bun build --compile` to a path-conventioned target) and the
+ *    hook kick (self `verify --repair`). A child process re-enters through
+ *    its OWN main() and inherits the sandbox env → its egress refuses too;
+ *    nothing transitively reaches the host.
+ * 3. `ps` probes — read-only process-table lookup feeding the verified-kill
+ *    guard (`pidLooksLikeOurs`). Refusing it would break the guard whose
+ *    whole job is to make kill() safe.
+ * 4. Loopback fetch — status' own-daemon probes in sandboxed e2e. The
+ *    host-daemon collision is closed by test port isolation (И3), not by
+ *    refusing the probe. Non-loopback fetch refuses.
+ *
+ * kill() stays guarded by the verified-kill contract (owner verification
+ * before signalling — accepted at the P3c review), not by refusal: the pid
+ * PROVENANCE (sandbox pid file vs prod pid file) is the FS-belt's question
+ * (И2), and refusing kill would orphan sandbox daemons in e2e.
+ */
+
+export type EgressSpawnResult = {
+  exitCode: number;
+  stdout: string;
+  stderr: string;
+  /** Set when the spawn itself failed (binary missing) or the egress
+   *  refused the channel — exitCode is 127 by convention then. */
+  spawnError?: string;
+  /** True when the refusing egress (test sandbox) blocked the channel. */
+  refused?: boolean;
+};
+
+export type EgressSpawnOpts = {
+  timeoutMs?: number;
+  /** argv[0] was explicitly named by the operator/test (a `--*-bin` flag) —
+   *  allowance 1 of the refusing handle. */
+  explicitBin?: boolean;
+};
+
+export interface Egress {
+  /** True for the refusing handle — callers may report a SKIP up front. */
+  readonly refused: boolean;
+  /** External binary, synchronous (iapeer, ps, openssl, security, codesign,
+   *  bun). Never throws — a missing binary is a result, not a crash. */
+  spawnSync(argv: string[], opts?: EgressSpawnOpts): EgressSpawnResult;
+  /** Fire-and-forget detached spawn (hook kick → self `verify --repair`). */
+  spawnDetached(argv: string[]): { started: boolean; detail?: string };
+  /** Signal a live process. Never throws; `delivered: false` = process gone. */
+  kill(pid: number, signal: NodeJS.Signals): { delivered: boolean };
+  /** HTTP probe (status' loopback checks) — read-as-egress (П5). */
+  fetch(url: string, init?: RequestInit): Promise<Response>;
+}
+
+/** Default name of the ecosystem CLI — the ONE place it lives (П2: no
+ *  scattered `?? "iapeer"` defaults; the danger moved into the handle). */
+export const IAPEER_BIN = "iapeer";
+
+/** The ONE definition of the sandbox-env check lives in core's fs-guard
+ *  (the FS belt uses it too) — re-exported here for the constructor and
+ *  its tests. */
+import { sandboxEnvArmed } from "@agfpd/iapeer-memory-core";
+export { sandboxEnvArmed };
+
+function rawSpawnSync(argv: string[], opts?: EgressSpawnOpts): EgressSpawnResult {
+  try {
+    const proc = Bun.spawnSync(argv, {
+      stdout: "pipe",
+      stderr: "pipe",
+      ...(opts?.timeoutMs !== undefined ? { timeout: opts.timeoutMs } : {}),
+    });
+    return {
+      exitCode: proc.exitCode,
+      stdout: proc.stdout.toString(),
+      stderr: proc.stderr.toString(),
+    };
+  } catch (err) {
+    return { exitCode: 127, stdout: "", stderr: "", spawnError: String(err) };
+  }
+}
+
+function rawSpawnDetached(argv: string[]): { started: boolean; detail?: string } {
+  try {
+    const proc = Bun.spawn(argv, {
+      stdout: "ignore",
+      stderr: "ignore",
+      stdin: "ignore",
+    });
+    proc.unref();
+    return { started: true };
+  } catch (err) {
+    return { started: false, detail: String(err) };
+  }
+}
+
+function rawKill(pid: number, signal: NodeJS.Signals): { delivered: boolean } {
+  try {
+    process.kill(pid, signal);
+    return { delivered: true };
+  } catch {
+    return { delivered: false };
+  }
+}
+
+function isLoopback(url: string): boolean {
+  try {
+    const host = new URL(url).hostname;
+    return host === "127.0.0.1" || host === "localhost" || host === "::1";
+  } catch {
+    return false;
+  }
+}
+
+const REFUSAL = "egress refused (test sandbox) — pass a fake egress";
+
+function refusedResult(): EgressSpawnResult {
+  return { exitCode: 127, stdout: "", stderr: "", spawnError: REFUSAL, refused: true };
+}
+
+function refusingEgress(): Egress {
+  return {
+    refused: true,
+    spawnSync(argv, opts) {
+      if (opts?.explicitBin) return rawSpawnSync(argv, opts); // allowance 1
+      if (argv[0] === process.execPath) return rawSpawnSync(argv, opts); // allowance 2
+      if (argv[0] === "ps") return rawSpawnSync(argv, opts); // allowance 3
+      return refusedResult();
+    },
+    spawnDetached(argv) {
+      if (argv[0] === process.execPath) return rawSpawnDetached(argv); // allowance 2
+      return { started: false, detail: REFUSAL };
+    },
+    kill: rawKill, // verified-kill contract guards this, not refusal (header)
+    fetch(url, init) {
+      if (isLoopback(url)) return fetch(url, init); // allowance 4
+      return Promise.reject(new Error(REFUSAL));
+    },
+  };
+}
+
+function realEgress(): Egress {
+  return {
+    refused: false,
+    spawnSync: rawSpawnSync,
+    spawnDetached: rawSpawnDetached,
+    kill: rawKill,
+    fetch: (url, init) => fetch(url, init),
+  };
+}
+
+/**
+ * The ONE live constructor — called from `cli.ts main()` only. Refuses
+ * (hands back the refusing handle) while a test-sandbox env is armed; the
+ * decision is taken ONCE here, never re-checked at call sites.
+ */
+export function liveEgress(): Egress {
+  return sandboxEnvArmed() ? refusingEgress() : realEgress();
+}

package/src/fleet.ts

@@ -7,18 +7,21 @@
  * new peer wakes → SessionStart kick → `verify --repair` re-writes the
  * map → memoryd renders the newcomer's fragment within a tick.
  *
- * TEST FUSE (incident 11.06, the FOURTH of its class — first FILE-path one):
- * `iapeer list` is read-only, but its RESULT is the target list of the
+ * READ-AS-EGRESS (incident 11.06, the FOURTH of its class — first FILE-path
+ * one): `iapeer list` is read-only, but its RESULT is the target list of the
  * surfaces sweep — a sandboxed `verify --repair` with no fleet map repaired
  * the map from the LIVE registry and then swept the LIVE peers' cwds with
  * direct surfaces (the send-fuse never saw it: no IAP send involved).
- * Querying the live registry from a test IS the leak — so the default
- * binary is refused under the sandbox fuse; tests that need a fleet pass a
- * fake `iapeerBin` (as before) or write the map file directly.
+ * Querying the live registry from a test IS the leak — the query now goes
+ * through the egress handle (deny-by-default §4 П5): a refusing handle
+ * blocks the default binary; tests pass a fake `iapeerBin` (explicit-bin
+ * allowance) or write the map file directly.
  */
 
 import fs from "node:fs";
 import path from "node:path";
+import { IAPEER_BIN, type Egress } from "./egress.js";
+import { guardedWriteFileSync } from "@agfpd/iapeer-memory-core";
 
 export type FleetMapResult = {
   action: "written" | "failed";
@@ -67,42 +70,37 @@ export function readFleetMap(fleetMapPath: string): FleetPeer[] | null {
   }
 }
 
-export function writeFleetMap(opts: {
-  fleetMapPath: string;
-  iapeerBin?: string;
-  /** Injectable for tests. */
-  nowIso?: string;
-}): FleetMapResult {
-  if (
-    opts.iapeerBin === undefined &&
-    (process.env.IAPEER_MEMORY_SUPPRESS_IAP_SEND === "1" ||
-      process.env.IAPEER_TEST_SANDBOX === "1")
-  ) {
+export function writeFleetMap(
+  egress: Egress,
+  opts: {
+    fleetMapPath: string;
+    iapeerBin?: string;
+    /** Injectable for tests. */
+    nowIso?: string;
+  },
+): FleetMapResult {
+  const bin = opts.iapeerBin ?? IAPEER_BIN;
+  const proc = egress.spawnSync([bin, "list", "--json"], {
+    explicitBin: opts.iapeerBin !== undefined,
+  });
+  if (proc.refused) {
     return {
       action: "failed",
       count: 0,
       detail: "live-registry query suppressed (test sandbox) — pass a fake iapeerBin",
     };
   }
-  const bin = opts.iapeerBin ?? "iapeer";
-  let stdout: string;
-  try {
-    const proc = Bun.spawnSync([bin, "list", "--json"], {
-      stdout: "pipe",
-      stderr: "pipe",
-    });
-    if (proc.exitCode !== 0) {
-      return {
-        action: "failed",
-        count: 0,
-        detail:
-          (proc.stderr.toString().trim() || `iapeer list exited ${proc.exitCode}`).slice(0, 160),
-      };
-    }
-    stdout = proc.stdout.toString();
-  } catch (err) {
-    return { action: "failed", count: 0, detail: `${bin} unavailable: ${String(err)}` };
+  if (proc.spawnError) {
+    return { action: "failed", count: 0, detail: `${bin} unavailable: ${proc.spawnError}` };
+  }
+  if (proc.exitCode !== 0) {
+    return {
+      action: "failed",
+      count: 0,
+      detail: (proc.stderr.trim() || `iapeer list exited ${proc.exitCode}`).slice(0, 160),
+    };
   }
+  const stdout = proc.stdout;
 
   let listed: ListedPeer[];
   try {
@@ -140,7 +138,7 @@ export function writeFleetMap(opts: {
     ) + "\n";
   fs.mkdirSync(path.dirname(opts.fleetMapPath), { recursive: true });
   const tmp = `${opts.fleetMapPath}.tmp`;
-  fs.writeFileSync(tmp, body, "utf-8");
+  guardedWriteFileSync(tmp, body, "utf-8");
   fs.renameSync(tmp, opts.fleetMapPath); // atomic — memoryd may race a read
   return {
     action: "written",

package/src/provision.ts

@@ -13,6 +13,7 @@
 import fs from "node:fs";
 import path from "node:path";
 import type { LocaleId, TaxonomyPreset } from "@agfpd/iapeer-memory-core";
+import { guardedWriteFileSync } from "@agfpd/iapeer-memory-core";
 
 export type ProvisionResult = {
   createdDirs: string[];
@@ -129,7 +130,7 @@ export function provisionVault(opts: {
       continue;
     }
     fs.mkdirSync(path.dirname(file), { recursive: true });
-    fs.writeFileSync(file, content, "utf-8");
+    guardedWriteFileSync(file, content, "utf-8");
     createdFiles.push(rel);
   }
 
@@ -183,6 +184,6 @@ export function writeDefaultConfig(
 ): "written" | "exists" {
   if (fs.existsSync(opts.configFile)) return "exists";
   fs.mkdirSync(path.dirname(opts.configFile), { recursive: true });
-  fs.writeFileSync(opts.configFile, defaultConfigContent(opts), "utf-8");
+  guardedWriteFileSync(opts.configFile, defaultConfigContent(opts), "utf-8");
   return "written";
 }

package/src/roles.ts

@@ -12,6 +12,7 @@
 
 import fs from "node:fs";
 import path from "node:path";
+import { guardedWriteFileSync } from "@agfpd/iapeer-memory-core";
 
 export type RoleEntry = { role: string; peerCwd: string; template: string };
 
@@ -23,7 +24,7 @@ export function writeRolesManifest(opts: {
 }): void {
   fs.mkdirSync(path.dirname(opts.rolesManifestPath), { recursive: true });
   const tmp = `${opts.rolesManifestPath}.tmp`;
-  fs.writeFileSync(
+  guardedWriteFileSync(
     tmp,
     JSON.stringify({ roles: opts.roles } satisfies RolesManifest, null, 2) + "\n",
     "utf-8",

package/src/signing.ts

@@ -38,6 +38,8 @@
 import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
+import type { Egress } from "./egress.js";
+import { guardedRmSync } from "@agfpd/iapeer-memory-core";
 
 export const SIGNING_IDENTITY_CN = "iapeer Local Codesign";
 export const SIGNING_IDENTIFIER = "com.agfpd.iapeer-memory";
@@ -53,22 +55,16 @@ export type SigningRunner = (
   args: string[],
 ) => { status: number | null; stdout: string; stderr: string };
 
-const defaultRunner: SigningRunner = (cmd, args) => {
-  try {
-    const r = Bun.spawnSync([cmd, ...args], {
-      stdout: "pipe",
-      stderr: "pipe",
-      timeout: 90_000,
-    });
-    return {
-      status: r.exitCode,
-      stdout: r.stdout.toString(),
-      stderr: r.stderr.toString(),
-    };
-  } catch (err) {
-    return { status: null, stdout: "", stderr: String(err) };
-  }
-};
+/** The keychain trio (security/openssl/codesign) goes out through the
+ *  egress handle — 90 s ceiling so an unanswered keychain prompt can't
+ *  wedge an unattended update. */
+function egressRunner(egress: Egress): SigningRunner {
+  return (cmd, args) => {
+    const r = egress.spawnSync([cmd, ...args], { timeoutMs: 90_000 });
+    if (r.spawnError) return { status: null, stdout: "", stderr: r.spawnError };
+    return { status: r.exitCode, stdout: r.stdout, stderr: r.stderr };
+  };
+}
 
 export type SigningOutcome = {
   state:
@@ -120,7 +116,7 @@ function createIdentity(run: SigningRunner): { ok: boolean; detail?: string } {
     return { ok: true };
   } finally {
     try {
-      fs.rmSync(dir, { recursive: true, force: true });
+      guardedRmSync(dir, { recursive: true, force: true });
     } catch {
       // best-effort cleanup of the throwaway key material
     }
@@ -134,14 +130,14 @@ function createIdentity(run: SigningRunner): { ok: boolean; detail?: string } {
  * grant) stays constant while the bytes change.
  */
 export function signInstalledBinary(
+  egress: Egress,
   binPath: string,
-  run: SigningRunner = defaultRunner,
+  run: SigningRunner = egressRunner(egress),
 ): SigningOutcome {
-  // Both test belts (keychain is HOST-GLOBAL, same class as live sends).
-  if (
-    process.env.IAPEER_TEST_SANDBOX === "1" ||
-    process.env.IAPEER_MEMORY_SUPPRESS_IAP_SEND === "1"
-  ) {
+  // The keychain is HOST-GLOBAL — same class as live sends. The sandbox
+  // decision lives in the egress constructor (deny-by-default §4); a
+  // refusing handle maps to the historical skipped-sandbox outcome.
+  if (egress.refused) {
     return { state: "skipped-sandbox", detail: "test sandbox — not touching the real keychain" };
   }
   let created = false;

package/src/slot.ts

@@ -31,6 +31,8 @@
 
 import fs from "node:fs";
 import path from "node:path";
+import { IAPEER_BIN, type Egress } from "./egress.js";
+import { guardedWriteFileSync, guardedUnlinkSync } from "@agfpd/iapeer-memory-core";
 
 export const SLOT_PROVIDER = "iapeer-memory";
 export const SLOT_PACKAGE = "@agfpd/iapeer-memory";
@@ -147,7 +149,7 @@ export function writeSlot(opts: {
   };
   fs.mkdirSync(path.dirname(opts.slotPath), { recursive: true });
   const tmp = `${opts.slotPath}.tmp`;
-  fs.writeFileSync(tmp, JSON.stringify(slot, null, 2) + "\n", "utf-8");
+  guardedWriteFileSync(tmp, JSON.stringify(slot, null, 2) + "\n", "utf-8");
   fs.renameSync(tmp, opts.slotPath);
   return { action: "written", existing };
 }
@@ -159,7 +161,7 @@ export function removeSlot(slotPath: string): SlotRemoveResult {
   const existing = readSlot(slotPath);
   if (!existing) return "absent";
   if (existing.provider !== SLOT_PROVIDER) return "refused-foreign";
-  fs.unlinkSync(slotPath);
+  guardedUnlinkSync(slotPath);
   return "removed";
 }
 
@@ -179,40 +181,38 @@ export type MemoryPluginApplyResult = {
  * and `off` runs BEFORE removeSlot (agreed order, auto-removal: a dead
  * provider's plugin must not keep injecting).
  *
- * Hard fuse first (same class as iapSend, incident 10.06): `on --all`
- * mutates the HOST fleet — no sandbox env contains it, tests must never
- * reach the live core. Both belts honoured.
+ * The hard fuse of incident 10.06 (`on --all` mutates the HOST fleet — no
+ * sandbox env contains it) lives in the egress constructor now
+ * (deny-by-default §4): a refusing handle blocks the spawn here.
  */
-export function applyMemoryPlugin(opts: {
-  mode: "on" | "off";
-  iapeerBin?: string;
-}): MemoryPluginApplyResult {
-  if (
-    process.env.IAPEER_MEMORY_SUPPRESS_IAP_SEND === "1" ||
-    process.env.IAPEER_TEST_SANDBOX === "1"
-  ) {
+export function applyMemoryPlugin(
+  egress: Egress,
+  opts: {
+    mode: "on" | "off";
+    iapeerBin?: string;
+  },
+): MemoryPluginApplyResult {
+  const bin = opts.iapeerBin ?? IAPEER_BIN;
+  const proc = egress.spawnSync([bin, "memory-plugin", opts.mode, "--all"], {
+    explicitBin: opts.iapeerBin !== undefined,
+  });
+  if (proc.refused) {
     return {
       ok: false,
       suppressed: true,
       detail: "memory-plugin call suppressed (test sandbox)",
     };
   }
-  const bin = opts.iapeerBin ?? "iapeer";
-  try {
-    const proc = Bun.spawnSync([bin, "memory-plugin", opts.mode, "--all"], {
-      stdout: "pipe",
-      stderr: "pipe",
-    });
-    if (proc.exitCode !== 0) {
-      return {
-        ok: false,
-        detail:
-          (proc.stderr.toString().trim() || proc.stdout.toString().trim() || "").slice(0, 200) ||
-          `iapeer memory-plugin exited ${proc.exitCode}`,
-      };
-    }
-    return { ok: true, detail: proc.stdout.toString().trim() };
-  } catch (err) {
-    return { ok: false, detail: `${bin} unavailable: ${String(err)}` };
+  if (proc.spawnError) {
+    return { ok: false, detail: `${bin} unavailable: ${proc.spawnError}` };
+  }
+  if (proc.exitCode !== 0) {
+    return {
+      ok: false,
+      detail:
+        (proc.stderr.trim() || proc.stdout.trim() || "").slice(0, 200) ||
+        `iapeer memory-plugin exited ${proc.exitCode}`,
+    };
   }
+  return { ok: true, detail: proc.stdout.trim() };
 }