@agfpd/iapeer-memory 0.2.0 → 0.2.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agfpd/iapeer-memory",
-  "version": "0.2.0",
+  "version": "0.2.2",
   "description": "iapeer-memory — peer memory for the iapeer ecosystem: vault, memoryd (index/search/MCP-http), layer-5 context fragments, role doctrines. The package IS the system; the claude/codex plugins are thin session sockets (docs/10-distribution.md, ADR-009).",
   "license": "MIT",
   "type": "module",
@@ -27,7 +27,7 @@
     "access": "public"
   },
   "dependencies": {
-    "@agfpd/iapeer-memory-core": "0.2.0"
+    "@agfpd/iapeer-memory-core": "0.2.2"
   },
   "devDependencies": {
     "@types/bun": "^1.2.0",

package/src/binary.ts

@@ -23,7 +23,9 @@
 
 import fs from "node:fs";
 import path from "node:path";
+import type { Egress } from "./egress.js";
 import { signInstalledBinary, type SigningOutcome } from "./signing.js";
+import { guardedUnlinkSync } from "@agfpd/iapeer-memory-core";
 
 export function isCompiledRuntime(): boolean {
   return import.meta.url.includes("/$bunfs/");
@@ -34,7 +36,10 @@ export type InstallBinaryOutcome =
   | { action: "skipped-compiled"; outPath: string }
   | { action: "failed"; outPath: string; detail: string };
 
-export function installBinary(opts: { outPath: string }): InstallBinaryOutcome {
+export function installBinary(
+  egress: Egress,
+  opts: { outPath: string },
+): InstallBinaryOutcome {
   const { outPath } = opts;
   if (isCompiledRuntime()) {
     return { action: "skipped-compiled", outPath };
@@ -47,20 +52,22 @@ export function installBinary(opts: { outPath: string }): InstallBinaryOutcome {
     `.${path.basename(outPath)}.build.tmp`,
   );
 
-  const proc = Bun.spawnSync(
-    [process.execPath, "build", "--compile", cliPath, "--outfile", tmp],
-    { stdout: "pipe", stderr: "pipe" },
-  );
-  if (proc.exitCode !== 0 || !fs.existsSync(tmp)) {
+  // Self-runtime spawn (egress allowance 2): compiling OUR cli with OUR bun
+  // to a path-conventioned target — works in sandboxed e2e by design.
+  const proc = egress.spawnSync([
+    process.execPath, "build", "--compile", cliPath, "--outfile", tmp,
+  ]);
+  if (proc.spawnError || proc.exitCode !== 0 || !fs.existsSync(tmp)) {
     try {
-      if (fs.existsSync(tmp)) fs.unlinkSync(tmp);
+      if (fs.existsSync(tmp)) guardedUnlinkSync(tmp);
     } catch {
       // best effort
     }
     return {
       action: "failed",
       outPath,
-      detail: proc.stderr.toString().trim() || `bun build exited ${proc.exitCode}`,
+      detail:
+        proc.spawnError || proc.stderr.trim() || `bun build exited ${proc.exitCode}`,
     };
   }
 
@@ -68,12 +75,12 @@ export function installBinary(opts: { outPath: string }): InstallBinaryOutcome {
   fs.renameSync(tmp, outPath); // atomic swap — safe over a running binary on macOS
   // Stable-identity re-sign on EVERY compile path (TCC grants survive
   // updates — contract with iapeer, see signing.ts). Soft-fail by design.
-  const signing = signInstalledBinary(outPath);
+  const signing = signInstalledBinary(egress, outPath);
   return { action: "compiled", outPath, bytes: fs.statSync(outPath).size, signing };
 }
 
 export function removeBinary(outPath: string): "removed" | "absent" {
   if (!fs.existsSync(outPath)) return "absent";
-  fs.unlinkSync(outPath);
+  guardedUnlinkSync(outPath);
   return "removed";
 }

package/src/cli.ts

@@ -13,7 +13,9 @@
  * verify found problems, 2 usage error or not-yet-implemented stage.
  */
 
+import { isUnderProdAnchor, sandboxEnvArmed } from "@agfpd/iapeer-memory-core";
 import { loadConfigFile } from "./config-env.js";
+import { liveEgress } from "./egress.js";
 import { memoryPaths } from "./paths.js";
 import { packageVersion } from "./version.js";
 import { cmdFmUpdate } from "./commands/fm-update.js";
@@ -78,10 +80,26 @@ export async function main(argv: string[]): Promise<number> {
 
   // The config file is the env context of every command (except pure
   // help/version, where a broken file must not block the output).
+  // Deny-by-default §7.2 (accepted): under a test sandbox the LIVE host's
+  // config.env is never read — it would pull the live vault path, the
+  // embedding/reranker endpoints and the production port into a sandboxed
+  // process. A test must pass ITS OWN IAPEER_MEMORY_CONFIG_FILE.
   if (cmd && !["help", "--help", "-h", "version", "--version", "-V"].includes(cmd)) {
-    loadConfigFile(memoryPaths().configFile);
+    const configFile = memoryPaths().configFile;
+    if (sandboxEnvArmed() && isUnderProdAnchor(configFile)) {
+      console.error(
+        `iapeer-memory: live config.env skipped under the test sandbox (${configFile}) — pass IAPEER_MEMORY_CONFIG_FILE`,
+      );
+    } else {
+      loadConfigFile(configFile);
+    }
   }
 
+  // The ONE egress construction point (deny-by-default §4 П2): under a
+  // test-sandbox env this is a refusing handle — commands degrade to their
+  // SKIP semantics; nothing below re-checks the env.
+  const egress = liveEgress();
+
   switch (cmd) {
     case undefined:
     case "help":
@@ -95,17 +113,17 @@ export async function main(argv: string[]): Promise<number> {
       console.log(packageVersion());
       return 0;
     case "init":
-      return cmdInit(rest);
+      return cmdInit(rest, egress);
     case "uninstall":
-      return cmdUninstall(rest);
+      return cmdUninstall(rest, egress);
     case "status":
-      return cmdStatus(rest);
+      return cmdStatus(rest, egress);
     case "verify":
-      return cmdVerify(rest);
+      return cmdVerify(rest, egress);
     case "update":
-      return cmdUpdate(rest);
+      return cmdUpdate(rest, egress);
     case "install-binary":
-      return cmdInstallBinary(rest);
+      return cmdInstallBinary(rest, egress);
     case "provision-peer":
       return cmdProvisionPeer(rest);
     case "unprovision-peer":
@@ -119,7 +137,7 @@ export async function main(argv: string[]): Promise<number> {
     case "memoryd":
       return cmdMemoryd(rest);
     case "hook":
-      return cmdHook(rest);
+      return cmdHook(rest, egress);
     default:
       console.error(`iapeer-memory: unknown command: ${cmd}\n`);
       console.error(USAGE);

package/src/commands/hook.ts

@@ -32,6 +32,7 @@
 
 import fs from "node:fs";
 import path from "node:path";
+import type { Egress } from "../egress.js";
 import {
   DEFAULT_CURATOR_SET,
   fmUpdate,
@@ -41,6 +42,7 @@ import {
 } from "@agfpd/iapeer-memory-core";
 import { memoryPaths, type MemoryPaths } from "../paths.js";
 import { DEFAULT_HEARTBEAT_STALE_MS } from "./verify.js";
+import { guardedWriteFileSync } from "@agfpd/iapeer-memory-core";
 
 /** Tools whose writes stamp frontmatter. P5 adds "apply_patch" (codex). */
 export const POST_WRITE_TOOLS: ReadonlySet<string> = new Set([
@@ -193,7 +195,7 @@ export function runSessionStart(opts: {
   if (!recentKick) {
     try {
       fs.mkdirSync(paths.stateDir, { recursive: true });
-      fs.writeFileSync(stamp, `${new Date(nowMs).toISOString()}\n`);
+      guardedWriteFileSync(stamp, `${new Date(nowMs).toISOString()}\n`);
       opts.kick?.();
       kicked = true;
     } catch {
@@ -227,7 +229,7 @@ function logHookError(err: unknown): void {
   }
 }
 
-export async function cmdHook(argv: string[]): Promise<number> {
+export async function cmdHook(argv: string[], egress: Egress): Promise<number> {
   const [event] = argv;
   try {
     switch (event) {
@@ -239,13 +241,10 @@ export async function cmdHook(argv: string[]): Promise<number> {
       case "session-start": {
         const result = runSessionStart({
           kick: () => {
+            // Self-runtime detached spawn (egress allowance 2): the child
+            // re-enters main() with its own egress — sandbox env inherits.
             const cli = new URL("../cli.ts", import.meta.url).pathname;
-            const proc = Bun.spawn([process.execPath, cli, "verify", "--repair"], {
-              stdout: "ignore",
-              stderr: "ignore",
-              stdin: "ignore",
-            });
-            proc.unref();
+            egress.spawnDetached([process.execPath, cli, "verify", "--repair"]);
           },
         });
         if (result.output) console.log(result.output);

package/src/commands/init.ts

@@ -32,6 +32,7 @@ import {
   type LocaleId,
 } from "@agfpd/iapeer-memory-core";
 import { installBinary } from "../binary.js";
+import { IAPEER_BIN, type Egress } from "../egress.js";
 import { memoryPaths } from "../paths.js";
 import { provisionVault, writeDefaultConfig } from "../provision.js";
 import { writeRolesManifest, type RoleEntry } from "../roles.js";
@@ -73,7 +74,9 @@ type InitFlags = {
    *  the fleet may still carry the predecessor's guide; ours lands by a separate
    *  decision after the plugin swap). */
   skipGuide: boolean;
-  iapeerBin: string;
+  /** Explicitly named core binary (--iapeer-bin) — undefined means the PATH
+   *  default; the distinction feeds the egress explicit-bin allowance. */
+  iapeerBin?: string;
 };
 
 function parseFlags(argv: string[]): InitFlags | null {
@@ -83,7 +86,6 @@ function parseFlags(argv: string[]): InitFlags | null {
     skipEcosystem: false,
     skipBinary: false,
     skipGuide: false,
-    iapeerBin: "iapeer",
   };
   for (let i = 0; i < argv.length; i++) {
     const a = argv[i];
@@ -99,7 +101,7 @@ function parseFlags(argv: string[]): InitFlags | null {
       case "--skip-ecosystem": f.skipEcosystem = true; break;
       case "--skip-binary": f.skipBinary = true; break;
       case "--skip-guide": f.skipGuide = true; break;
-      case "--iapeer-bin": f.iapeerBin = take() ?? "iapeer"; break;
+      case "--iapeer-bin": f.iapeerBin = take(); break;
       default:
         console.error(`iapeer-memory init: unknown flag: ${a}`);
         return null;
@@ -114,22 +116,23 @@ type PeerInfo = { personality: string; intelligence?: string; cwd?: string };
 
 type RunResult = { exitCode: number; stdout: string; stderr: string };
 
-/** spawnSync that never throws — a missing binary is a result, not a crash. */
-function run(cmd: string[]): RunResult {
-  try {
-    const proc = Bun.spawnSync(cmd, { stdout: "pipe", stderr: "pipe" });
-    return {
-      exitCode: proc.exitCode,
-      stdout: proc.stdout.toString(),
-      stderr: proc.stderr.toString(),
-    };
-  } catch (err) {
-    return { exitCode: 127, stdout: "", stderr: String(err) };
-  }
+/** Egress spawn that never throws — a missing binary (and a refusing test
+ *  egress) is a result, not a crash: the ecosystem half degrades to the
+ *  same skip path as «iapeer not on this host». */
+function run(
+  egress: Egress,
+  cmd: string[],
+  opts?: { explicitBin?: boolean },
+): RunResult {
+  const proc = egress.spawnSync(cmd, { explicitBin: opts?.explicitBin });
+  if (proc.spawnError) return { exitCode: 127, stdout: "", stderr: proc.spawnError };
+  return { exitCode: proc.exitCode, stdout: proc.stdout, stderr: proc.stderr };
 }
 
-function listPeers(iapeerBin: string): PeerInfo[] | null {
-  const proc = run([iapeerBin, "list", "--json"]);
+function listPeers(egress: Egress, iapeerBin?: string): PeerInfo[] | null {
+  const proc = run(egress, [iapeerBin ?? IAPEER_BIN, "list", "--json"], {
+    explicitBin: iapeerBin !== undefined,
+  });
   if (proc.exitCode !== 0) return null;
   try {
     return JSON.parse(proc.stdout) as PeerInfo[];
@@ -155,7 +158,7 @@ function ask(question: string, fallback: string): string {
 
 // ── the command ──────────────────────────────────────────────────────────────
 
-export async function cmdInit(argv: string[]): Promise<number> {
+export async function cmdInit(argv: string[], egress: Egress): Promise<number> {
   const flags = parseFlags(argv);
   if (!flags) return 2;
 
@@ -169,7 +172,7 @@ export async function cmdInit(argv: string[]): Promise<number> {
   let embeddingEndpoint = flags.embeddingEndpoint ?? "";
   const rerankerEndpoint = flags.rerankerEndpoint ?? "";
 
-  const peers = flags.skipEcosystem ? null : listPeers(flags.iapeerBin);
+  const peers = flags.skipEcosystem ? null : listPeers(egress, flags.iapeerBin);
   const humanDefault = flags.human ?? naturalPeerDefault(peers) ?? "";
 
   if (!vault) {
@@ -215,7 +218,7 @@ export async function cmdInit(argv: string[]): Promise<number> {
   if (flags.skipDeps) {
     step("deps", "skipped (--skip-deps)");
   } else {
-    const ver = run([flags.iapeerBin, "version"]);
+    const ver = run(egress, [flags.iapeerBin ?? IAPEER_BIN, "version"], { explicitBin: flags.iapeerBin !== undefined });
     if (ver.exitCode !== 0) {
       step("deps", "iapeer foundation not found on PATH — install it first (npx @agfpd/iapeer)", false);
     } else {
@@ -259,7 +262,7 @@ export async function cmdInit(argv: string[]): Promise<number> {
   if (flags.skipBinary) {
     step("binary", "skipped (--skip-binary)");
   } else {
-    const bin = installBinary({ outPath: paths.binaryPath });
+    const bin = installBinary(egress, { outPath: paths.binaryPath });
     step(
       "binary",
       bin.action === "compiled"
@@ -290,7 +293,7 @@ export async function cmdInit(argv: string[]): Promise<number> {
       const personality = rolePersonality(role);
       const exists = (peers ?? []).some((p) => p.personality === personality);
       if (!exists) {
-        const created = run([flags.iapeerBin, "create", personality]);
+        const created = run(egress, [flags.iapeerBin ?? IAPEER_BIN, "create", personality], { explicitBin: flags.iapeerBin !== undefined });
         if (created.exitCode !== 0) {
           rolesOk = false;
           console.log(`      roles       create ${personality} failed: ${created.stderr.trim()}`);
@@ -303,7 +306,7 @@ export async function cmdInit(argv: string[]): Promise<number> {
     // `iapeer list --json` — iapeer 0.2.14), otherwise the core's
     // DOCUMENTED create default (no --path — требование Артура;
     // IAPEER_ROOT-aware).
-    const freshPeers = createdAny ? listPeers(flags.iapeerBin) : peers;
+    const freshPeers = createdAny ? listPeers(egress, flags.iapeerBin) : peers;
     for (const role of ROLE_NAMES) {
       const personality = rolePersonality(role);
       const registryCwd = (freshPeers ?? []).find((p) => p.personality === personality)?.cwd;
@@ -354,7 +357,7 @@ export async function cmdInit(argv: string[]): Promise<number> {
   if (flags.skipEcosystem) {
     step("fleet", "skipped (--skip-ecosystem)");
   } else {
-    const fleet = writeFleetMap({
+    const fleet = writeFleetMap(egress, {
       fleetMapPath: paths.fleetMapPath,
       iapeerBin: flags.iapeerBin,
     });
@@ -376,7 +379,7 @@ export async function cmdInit(argv: string[]): Promise<number> {
     step("timers", "skipped (--skip-ecosystem)");
   } else {
     writeLauncherScript({ launcherPath: paths.launcherPath, binaryPath: paths.binaryPath });
-    const sent = registerWatcher({
+    const sent = registerWatcher(egress, {
       launcherPath: paths.launcherPath,
       iapeerBin: flags.iapeerBin,
     });
@@ -395,11 +398,11 @@ export async function cmdInit(argv: string[]): Promise<number> {
       vaultPath: vault,
       inboxFolders: [getTaxonomy(locale).folders.inbox, getTaxonomy(locale).folders.inboxHuman],
     });
-    const sweep = registerTimer({
+    const sweep = registerTimer(egress, {
       message: sweepTimerMessage({ checkScriptPath: paths.checkScriptPath }),
       iapeerBin: flags.iapeerBin,
     });
-    const dream = registerTimer({
+    const dream = registerTimer(egress, {
       message: dreamTimerMessage(),
       iapeerBin: flags.iapeerBin,
     });
@@ -480,7 +483,7 @@ export async function cmdInit(argv: string[]): Promise<number> {
           false,
         );
       } else {
-        const off = applyMemoryPlugin({ mode: "off", iapeerBin: flags.iapeerBin });
+        const off = applyMemoryPlugin(egress, { mode: "off", iapeerBin: flags.iapeerBin });
         step(
           "plugin-off",
           off.suppressed
@@ -517,7 +520,7 @@ export async function cmdInit(argv: string[]): Promise<number> {
   if (flags.skipEcosystem) {
     step("sweep", "skipped (--skip-ecosystem)");
   } else {
-    const sweep = run([flags.iapeerBin, "native-memory", "off", "--all"]);
+    const sweep = run(egress, [flags.iapeerBin ?? IAPEER_BIN, "native-memory", "off", "--all"], { explicitBin: flags.iapeerBin !== undefined });
     // One line per peer-runtime — summarise ALL peers, not the last line
     // (e2e §A finding: ".pop()" named one peer while three were swept).
     const sweepLines = sweep.stdout.trim().split("\n").filter(Boolean);

package/src/commands/install-binary.ts

@@ -6,9 +6,10 @@
  */
 
 import { installBinary } from "../binary.js";
+import type { Egress } from "../egress.js";
 import { memoryPaths } from "../paths.js";
 
-export function cmdInstallBinary(argv: string[]): number {
+export function cmdInstallBinary(argv: string[], egress: Egress): number {
   let outPath = memoryPaths().binaryPath;
   for (let i = 0; i < argv.length; i++) {
     if (argv[i] === "--out") {
@@ -24,7 +25,7 @@ export function cmdInstallBinary(argv: string[]): number {
     }
   }
 
-  const outcome = installBinary({ outPath });
+  const outcome = installBinary(egress, { outPath });
   switch (outcome.action) {
     case "compiled":
       console.log(

package/src/commands/memoryd.ts

@@ -19,6 +19,7 @@
 import fs from "node:fs";
 import { configFromEnv, startMemoryd } from "@agfpd/iapeer-memory-core";
 import { authorIndexPath, memoryPaths } from "../paths.js";
+import { guardedWriteFileSync, guardedUnlinkSync } from "@agfpd/iapeer-memory-core";
 
 export async function cmdMemoryd(argv: string[]): Promise<number> {
   let mcpPort: number | undefined;
@@ -56,7 +57,7 @@ export async function cmdMemoryd(argv: string[]): Promise<number> {
   }
   // pid file — uninstall's stop handle (best-effort; stale files are
   // harmless: the reader checks liveness before signalling).
-  fs.writeFileSync(paths.pidPath, `${process.pid}\n`);
+  guardedWriteFileSync(paths.pidPath, `${process.pid}\n`);
 
   const freshEditWindowRaw = process.env.IAPEER_MEMORY_FRESH_EDIT_WINDOW_S;
   const freshEditWindowS =
@@ -101,7 +102,7 @@ export async function cmdMemoryd(argv: string[]): Promise<number> {
         .close()
         .then(() => {
           try {
-            fs.unlinkSync(paths.pidPath);
+            guardedUnlinkSync(paths.pidPath);
           } catch {
             // best effort
           }

package/src/commands/status.ts

@@ -14,6 +14,7 @@ import {
   isLocaleId,
   prepareSqliteRuntime,
 } from "@agfpd/iapeer-memory-core";
+import type { Egress } from "../egress.js";
 import { memoryPaths } from "../paths.js";
 import { readSlot } from "../slot.js";
 import { packageVersion } from "../version.js";
@@ -50,10 +51,13 @@ export function searchPipelineLine(env: Record<string, string | undefined>): str
 
 /** Live pipeline from the running memoryd — the same per-component statuses
  * every vault_search returns. Null when memoryd is unreachable. */
-export async function probeSearchPipeline(port: number): Promise<string | null> {
+export async function probeSearchPipeline(
+  egress: Egress,
+  port: number,
+): Promise<string | null> {
   ensureLoopbackNotProxied(); // fleet-class: proxy-env lies about live loopback ports
   try {
-    const res = await fetch(`http://127.0.0.1:${port}/mcp`, {
+    const res = await egress.fetch(`http://127.0.0.1:${port}/mcp`, {
       method: "POST",
       headers: {
         "content-type": "application/json",
@@ -85,10 +89,13 @@ export async function probeSearchPipeline(port: number): Promise<string | null>
   }
 }
 
-async function probeMcp(port: number): Promise<{ line: string; alive: boolean }> {
+async function probeMcp(
+  egress: Egress,
+  port: number,
+): Promise<{ line: string; alive: boolean }> {
   ensureLoopbackNotProxied(); // fleet-class: proxy-env lies about live loopback ports
   try {
-    const res = await fetch(`http://127.0.0.1:${port}/mcp`, {
+    const res = await egress.fetch(`http://127.0.0.1:${port}/mcp`, {
       method: "POST",
       headers: { "content-type": "application/json" },
       body: "{}",
@@ -102,7 +109,7 @@ async function probeMcp(port: number): Promise<{ line: string; alive: boolean }>
   }
 }
 
-export async function cmdStatus(argv: string[]): Promise<number> {
+export async function cmdStatus(argv: string[], egress: Egress): Promise<number> {
   if (argv.length) {
     console.error(`iapeer-memory status: unknown flag: ${argv[0]}`);
     return 2;
@@ -111,7 +118,7 @@ export async function cmdStatus(argv: string[]): Promise<number> {
   const version = packageVersion();
   console.log(`iapeer-memory v${version}`);
 
-  const results = runVerify({ repair: false });
+  const results = runVerify(egress, { repair: false });
   const width = Math.max(...results.map((r) => r.name.length), 12);
   for (const r of results) {
     const mark =
@@ -128,11 +135,11 @@ export async function cmdStatus(argv: string[]): Promise<number> {
   );
 
   const port = Number(process.env.IAPEER_MEMORY_MCP_PORT || "") || 8766;
-  const mcp = await probeMcp(port);
+  const mcp = await probeMcp(egress, port);
   console.log(`      ${"mcp-endpoint".padEnd(width)}  ${mcp.line}`);
   // The live pipeline is only probed when the endpoint is alive — a dead
   // port already told us everything (and the static view says the rest).
-  const livePipeline = mcp.alive ? await probeSearchPipeline(port) : null;
+  const livePipeline = mcp.alive ? await probeSearchPipeline(egress, port) : null;
   console.log(
     `      ${"search".padEnd(width)}  ` +
       (livePipeline ?? `${searchPipelineLine(process.env)} (memoryd down — static view)`),

package/src/commands/uninstall.ts

@@ -17,12 +17,14 @@
  */
 
 import fs from "node:fs";
+import type { Egress } from "../egress.js";
 import { memoryPaths } from "../paths.js";
 import { removeBinary } from "../binary.js";
 import { readFleetMap } from "../fleet.js";
 import { applyMemoryPlugin, readSlot, removeSlot, SLOT_PROVIDER } from "../slot.js";
 import { withProvisionLock } from "../surfaces/lock.js";
 import { sweepUnprovision } from "../surfaces/sweep.js";
+import { guardedUnlinkSync } from "@agfpd/iapeer-memory-core";
 import {
   DREAM_TRIGGER_ID,
   SWEEP_TRIGGER_ID,
@@ -38,18 +40,12 @@ import {
  * the command closes the "signal a stranger" class. Probe failure → false
  * (never signal on uncertainty).
  */
-export function pidLooksLikeOurs(pid: number): boolean {
-  try {
-    const proc = Bun.spawnSync(["ps", "-o", "command=", "-p", String(pid)], {
-      stdout: "pipe",
-      stderr: "pipe",
-    });
-    if (proc.exitCode !== 0) return false;
-    const command = proc.stdout.toString().trim();
-    return command.includes("memoryd");
-  } catch {
-    return false;
-  }
+export function pidLooksLikeOurs(egress: Egress, pid: number): boolean {
+  // `ps` probe — egress allowance 3 (read-only lookup FEEDING the verified
+  // kill; refusing it would break the guard itself). Never throws.
+  const proc = egress.spawnSync(["ps", "-o", "command=", "-p", String(pid)]);
+  if (proc.spawnError || proc.exitCode !== 0) return false;
+  return proc.stdout.trim().includes("memoryd");
 }
 
 /**
@@ -60,30 +56,27 @@ export function pidLooksLikeOurs(pid: number): boolean {
  * by uninstall (stop) and update (managed restart: SIGTERM → the notifier
  * watcher relaunches via the launcher with the fresh binary, ADR-010).
  */
-export function stopMemorydByPidFile(pidPath: string): string {
+export function stopMemorydByPidFile(egress: Egress, pidPath: string): string {
   let line = "not running (no pid file)";
   try {
     const pid = Number(fs.readFileSync(pidPath, "utf-8").trim());
     if (Number.isInteger(pid) && pid > 1) {
-      if (!pidLooksLikeOurs(pid)) {
+      if (!pidLooksLikeOurs(egress, pid)) {
         line = `pid file points at a non-memoryd process (${pid}) — NOT signalling; stale file removed`;
       } else {
-        try {
-          process.kill(pid, "SIGTERM");
-          line = `SIGTERM sent to pid ${pid} (command verified)`;
-        } catch {
-          line = `stale pid file (process ${pid} gone) — removed`;
-        }
+        line = egress.kill(pid, "SIGTERM").delivered
+          ? `SIGTERM sent to pid ${pid} (command verified)`
+          : `stale pid file (process ${pid} gone) — removed`;
       }
     }
-    fs.unlinkSync(pidPath);
+    guardedUnlinkSync(pidPath);
   } catch {
     // no pid file — nothing to stop
   }
   return line;
 }
 
-export function cmdUninstall(argv: string[]): number {
+export function cmdUninstall(argv: string[], egress: Egress): number {
   let keepBinary = false;
   let iapeerBin = "iapeer";
   for (let i = 0; i < argv.length; i++) {
@@ -141,7 +134,7 @@ export function cmdUninstall(argv: string[]): number {
     // session plugin off via the core verb WHILE the declaration is alive
     // (it derives the identity from it; agreed order, auto-removal).
     if (declared.plugin) {
-      const off = applyMemoryPlugin({ mode: "off", iapeerBin });
+      const off = applyMemoryPlugin(egress, { mode: "off", iapeerBin });
       console.log(
         `plugin    : ${
           off.suppressed
@@ -164,7 +157,7 @@ export function cmdUninstall(argv: string[]): number {
 
   // notifier wiring: best-effort unregister of all three triggers (not-found
   // is soft on the notifier side; teaching replies go to the index session).
-  const unreg = unregisterWatcher({ iapeerBin });
+  const unreg = unregisterWatcher(egress, { iapeerBin });
   console.log(
     `watcher   : ${
       unreg.ok
@@ -173,7 +166,7 @@ export function cmdUninstall(argv: string[]): number {
     }`,
   );
   for (const id of [SWEEP_TRIGGER_ID, DREAM_TRIGGER_ID]) {
-    const t = unregisterTimer({ id, iapeerBin });
+    const t = unregisterTimer(egress, { id, iapeerBin });
     console.log(
       `timer     : ${
         t.ok
@@ -183,7 +176,7 @@ export function cmdUninstall(argv: string[]): number {
     );
   }
 
-  console.log(`memoryd   : ${stopMemorydByPidFile(paths.pidPath)}`);
+  console.log(`memoryd   : ${stopMemorydByPidFile(egress, paths.pidPath)}`);
 
   if (keepBinary) {
     console.log(`binary    : kept (${paths.binaryPath})`);