@agfpd/iapeer-memory 0.2.0 → 0.2.2

package/src/surfaces/claude.ts

@@ -24,9 +24,11 @@
  *               (embedded bodies, bytes-compare; the directory prefix is OUR
  *               namespace — unprovision removes every match).
  *
- * Pickup semantics (documented, boris design input): a live session does NOT
- * re-read these files — surfaces land on the peer's NEXT session start
- * (same semantics the plugin form had).
+ * Pickup semantics (documented, boris design input): hooks and MCP land on
+ * the peer's NEXT session start — a live session does not re-read them (same
+ * semantics the plugin form had). Skills are picked up HOT by live sessions
+ * (live observation, боевой E2E 11.06) — «next restart» is the conservative
+ * guarantee for all three, exact for hooks/MCP.
  *
  * Idempotent by construction: same version re-run → `already` on every
  * surface; drift (a mangled/deleted entry) → re-written. The remove path is
@@ -38,6 +40,7 @@
 import fs from "node:fs";
 import path from "node:path";
 import { SKILL_BODIES, SKILL_DIR_PREFIX, SKILL_NAMES } from "../templates/skills.js";
+import { guardedWriteFileSync, guardedUnlinkSync, guardedRmSync } from "@agfpd/iapeer-memory-core";
 
 export const MCP_SERVER_KEY = "iapeer-memory";
 /**
@@ -87,7 +90,7 @@ function shimContent(verb: "post-write" | "session-start"): string {
 function writeFileAtomic(filePath: string, content: string, mode?: number): void {
   fs.mkdirSync(path.dirname(filePath), { recursive: true });
   const tmp = `${filePath}.tmp`;
-  fs.writeFileSync(tmp, content, "utf-8");
+  guardedWriteFileSync(tmp, content, "utf-8");
   if (mode !== undefined) fs.chmodSync(tmp, mode);
   fs.renameSync(tmp, filePath);
 }
@@ -352,7 +355,7 @@ export function removeClaudeMcp(opts: { cwd: string }): SurfaceOutcome {
   if (serversEmpty && onlyServersKey) {
     // semantically empty file — with our key gone it says nothing; a file we
     // most likely created. Removing it leaves the cwd exactly as found.
-    fs.unlinkSync(mcpPath);
+    guardedUnlinkSync(mcpPath);
     return { surface: "mcp", action: "removed", path: mcpPath, detail: "file removed (empty after our key)" };
   }
   writeFileAtomic(mcpPath, `${JSON.stringify(current, null, 2)}\n`);
@@ -399,7 +402,7 @@ export function removeClaudeSkills(opts: { cwd: string }): SurfaceOutcome {
     return { surface: "skills", action: "absent", path: skillsDir };
   }
   for (const e of ours) {
-    fs.rmSync(path.join(skillsDir, e), { recursive: true, force: true });
+    guardedRmSync(path.join(skillsDir, e), { recursive: true, force: true });
   }
   // sweep empty containers we may have created (skills/ then .claude/)
   for (const dir of [skillsDir, path.dirname(skillsDir)]) {

package/src/surfaces/codex.ts

@@ -36,6 +36,7 @@
 import fs from "node:fs";
 import path from "node:path";
 import type { SurfaceOutcome } from "./claude.js";
+import { guardedWriteFileSync, guardedUnlinkSync } from "@agfpd/iapeer-memory-core";
 
 export const CODEX_MCP_SECTION = "mcp_servers.iapeer-memory";
 const SECTION_HEADER_RE = /^\s*\[/;
@@ -61,7 +62,7 @@ export function expectedCodexBlock(port: number): string {
 function writeFileAtomic(filePath: string, content: string): void {
   fs.mkdirSync(path.dirname(filePath), { recursive: true });
   const tmp = `${filePath}.tmp`;
-  fs.writeFileSync(tmp, content, "utf-8");
+  guardedWriteFileSync(tmp, content, "utf-8");
   fs.renameSync(tmp, filePath);
 }
 
@@ -115,7 +116,7 @@ export function removeCodexMcp(opts: { cwd: string }): SurfaceOutcome {
   const foreign = withoutOurSections(text.split("\n"));
   if (foreign.every((l) => l.trim() === "")) {
     // nothing but our block lived here — leave the cwd exactly as found
-    fs.unlinkSync(configPath);
+    guardedUnlinkSync(configPath);
     return { surface: "mcp", action: "removed", path: configPath, detail: "file removed (empty after our block)" };
   }
   writeFileAtomic(configPath, `${foreign.join("\n")}\n`);

package/src/sync-versions.ts

@@ -13,6 +13,7 @@
 
 import fs from "node:fs";
 import path from "node:path";
+import { guardedWriteFileSync } from "@agfpd/iapeer-memory-core";
 
 export type SyncOutcome = { file: string; action: "updated" | "identical" | "missing" };
 
@@ -46,7 +47,7 @@ export function syncVersions(opts: {
     }
     manifest.version = opts.version;
     // 2-space indent + trailing newline — the repo's manifest style.
-    fs.writeFileSync(file, JSON.stringify(manifest, null, 2) + "\n", "utf-8");
+    guardedWriteFileSync(file, JSON.stringify(manifest, null, 2) + "\n", "utf-8");
     outcomes.push({ file: rel, action: "updated" });
   }
   return outcomes;
@@ -81,7 +82,7 @@ export function syncCoreDependencyPin(opts: {
   }
   deps["@agfpd/iapeer-memory-core"] = opts.version;
   manifest.dependencies = deps;
-  fs.writeFileSync(
+  guardedWriteFileSync(
     opts.packageManifestPath,
     JSON.stringify(manifest, null, 2) + "\n",
     "utf-8",

package/src/templates/index.ts

@@ -16,6 +16,7 @@ import path from "node:path";
 import type { LocaleId } from "@agfpd/iapeer-memory-core";
 import { GUIDE_EN } from "./guide-en.js";
 import { GUIDE_RU } from "./guide-ru.js";
+import { guardedWriteFileSync } from "@agfpd/iapeer-memory-core";
 import {
   SCRIBER_DOCTRINE_EN,
   DREAMWEAVER_DOCTRINE_EN,
@@ -152,7 +153,7 @@ export function materialiseTemplates(opts: {
     }
     fs.mkdirSync(path.dirname(file), { recursive: true });
     const tmp = `${file}.tmp`;
-    fs.writeFileSync(tmp, content, "utf-8");
+    guardedWriteFileSync(tmp, content, "utf-8");
     fs.renameSync(tmp, file);
     written.push(file);
   }

package/src/templates/roles-en.ts

@@ -69,6 +69,12 @@ step, when ALL THREE hold: the Scriber processed the note + the links
 section is complete + no open questions remain (no unanswered author
 pings). Nobody sets it by decision; nobody else clears it.
 
+\`last_edited_by: unstamped\` — the write BYPASSED the hook (a Bash write,
+an external editor): memoryd's detector honestly says «writer unknown»
+instead of a silently inherited attribution. Resolve it by context (the
+content, git, asking the writers); \`needs_review\` is already set — clear
+it under the usual three conditions.
+
 ## Agent-memory curation (light, no Scriber)
 
 1. \`status\` is final → move to the archive subfolder; stop.

package/src/templates/roles-ru.ts

@@ -62,6 +62,12 @@ locale: ru
 дополнена + открытых вопросов нет (все пинги авторам закрыты). Никто не
 ставит флаг решением; никто кроме тебя не снимает.
 
+\`last_edited_by: unstamped\` — запись прошла МИМО хука (Bash-запись,
+внешний редактор): детектор memoryd честно говорит «писатель неизвестен»
+вместо тихо унаследованной атрибуции. Разбирайся по контексту (содержание,
+git, вопрос писателям); needs_review при этом уже стоит — снимаешь по
+обычным трём условиям.
+
 ## Курирование оперативки (лёгкое, без Scriber'а)
 
 1. Финальный \`status\` → move в архивную подпапку; дальше не обрабатывай.

package/src/watcher.ts

@@ -35,6 +35,8 @@
 
 import fs from "node:fs";
 import path from "node:path";
+import { IAPEER_BIN, type Egress } from "./egress.js";
+import { guardedWriteFileSync } from "@agfpd/iapeer-memory-core";
 
 export const WATCHER_TRIGGER_ID = "iapeer-memory-memoryd";
 /** Fail-open sweep (инверсия, ADR-015): check-gated hourly timer → index. */
@@ -69,7 +71,7 @@ function writeExecutable(filePath: string, content: string): "written" | "identi
   }
   fs.mkdirSync(path.dirname(filePath), { recursive: true });
   const tmp = `${filePath}.tmp`;
-  fs.writeFileSync(tmp, content, "utf-8");
+  guardedWriteFileSync(tmp, content, "utf-8");
   fs.chmodSync(tmp, 0o755);
   fs.renameSync(tmp, filePath);
   return "written";
@@ -152,7 +154,7 @@ export function patchWakePolicyEphemeral(
   if (profile.wake_policy === "ephemeral") return "identical";
   profile.wake_policy = "ephemeral";
   const tmp = `${profilePath}.tmp`;
-  fs.writeFileSync(tmp, `${JSON.stringify(profile, null, 2)}\n`, "utf-8");
+  guardedWriteFileSync(tmp, `${JSON.stringify(profile, null, 2)}\n`, "utf-8");
   fs.renameSync(tmp, profilePath);
   return "written";
 }
@@ -225,45 +227,35 @@ export function fromIdentity(personality: string, runtime = DEFAULT_FROM_RUNTIME
   return `${runtime}-${personality}`;
 }
 
-function iapSend(opts: {
-  message: string;
-  fromIdentity: string;
-  /** Notifier peer to address: `watcher` (events) or `timer` (cron/sweep). */
-  to?: "watcher" | "timer";
-  iapeerBin?: string;
-}): IapSendResult {
-  // Hard fuse (incident 10.06, prod Index): verify-repair tests reached the
-  // LIVE watcher peer and registered crashlooping temp-path triggers — /tmp
-  // tmux sockets are host-global, no sandbox env can contain a real send.
-  // Test scripts set this env (package.json), mirroring IAPEER_TEST_SANDBOX.
-  // BOTH vars honoured (belt and braces): a test helper once stripped all
-  // IAPEER_MEMORY_* env before spawning the CLI — the ecosystem-wide
-  // IAPEER_TEST_SANDBOX survives generic prefix-stripping.
-  if (
-    process.env.IAPEER_MEMORY_SUPPRESS_IAP_SEND === "1" ||
-    process.env.IAPEER_TEST_SANDBOX === "1"
-  ) {
-    return {
-      ok: false,
-      suppressed: true,
-      detail: "iap send suppressed (test sandbox)",
-    };
+function iapSend(
+  egress: Egress,
+  opts: {
+    message: string;
+    fromIdentity: string;
+    /** Notifier peer to address: `watcher` (events) or `timer` (cron/sweep). */
+    to?: "watcher" | "timer";
+    iapeerBin?: string;
+  },
+): IapSendResult {
+  // The hard fuse of incident 10.06 (prod Index: crashlooping temp-path
+  // triggers; /tmp tmux sockets are host-global, no sandbox env contains a
+  // real send) lives in the EGRESS CONSTRUCTOR now (deny-by-default §4):
+  // under a test sandbox this handle refuses the spawn before it happens.
+  const bin = opts.iapeerBin ?? IAPEER_BIN;
+  const proc = egress.spawnSync(
+    [bin, "send", opts.to ?? "watcher", "--from", opts.fromIdentity, "--message", opts.message],
+    { explicitBin: opts.iapeerBin !== undefined },
+  );
+  if (proc.refused) {
+    return { ok: false, suppressed: true, detail: "iap send suppressed (test sandbox)" };
   }
-  const bin = opts.iapeerBin ?? "iapeer";
-  let proc: ReturnType<typeof Bun.spawnSync>;
-  try {
-    proc = Bun.spawnSync(
-      [bin, "send", opts.to ?? "watcher", "--from", opts.fromIdentity, "--message", opts.message],
-      { stdout: "pipe", stderr: "pipe" },
-    );
-  } catch (err) {
-    return { ok: false, detail: `${bin} unavailable: ${String(err)}` };
+  if (proc.spawnError) {
+    return { ok: false, detail: `${bin} unavailable: ${proc.spawnError}` };
   }
   if (proc.exitCode !== 0) {
     return {
       ok: false,
-      detail:
-        (proc.stderr?.toString().trim() || "") || `iapeer send exited ${proc.exitCode}`,
+      detail: proc.stderr.trim() || `iapeer send exited ${proc.exitCode}`,
     };
   }
   // NB: a 0 exit code means DELIVERED, not "registration valid" — the
@@ -272,18 +264,21 @@ function iapSend(opts: {
   return { ok: true, detail: "delivered (confirm via the registrant's profile)" };
 }
 
-export function registerWatcher(opts: {
-  launcherPath: string;
-  /** Registrant PERSONALITY (owner of the durable trigger + default target). */
-  registrant?: string;
-  /** Runtime prefix of the registrant's identity (claude for role peers). */
-  runtime?: string;
-  target?: string;
-  id?: string;
-  iapeerBin?: string;
-}): IapSendResult {
+export function registerWatcher(
+  egress: Egress,
+  opts: {
+    launcherPath: string;
+    /** Registrant PERSONALITY (owner of the durable trigger + default target). */
+    registrant?: string;
+    /** Runtime prefix of the registrant's identity (claude for role peers). */
+    runtime?: string;
+    target?: string;
+    id?: string;
+    iapeerBin?: string;
+  },
+): IapSendResult {
   const registrant = opts.registrant ?? DEFAULT_REGISTRANT;
-  return iapSend({
+  return iapSend(egress, {
     fromIdentity: fromIdentity(registrant, opts.runtime),
     iapeerBin: opts.iapeerBin,
     message: registrationMessage({
@@ -296,13 +291,16 @@ export function registerWatcher(opts: {
   });
 }
 
-export function unregisterWatcher(opts: {
-  registrant?: string;
-  runtime?: string;
-  id?: string;
-  iapeerBin?: string;
-}): IapSendResult {
-  return iapSend({
+export function unregisterWatcher(
+  egress: Egress,
+  opts: {
+    registrant?: string;
+    runtime?: string;
+    id?: string;
+    iapeerBin?: string;
+  },
+): IapSendResult {
+  return iapSend(egress, {
     fromIdentity: fromIdentity(opts.registrant ?? DEFAULT_REGISTRANT, opts.runtime),
     iapeerBin: opts.iapeerBin,
     message: JSON.stringify({ cmd: "unregister", id: opts.id ?? WATCHER_TRIGGER_ID }),
@@ -310,13 +308,16 @@ export function unregisterWatcher(opts: {
 }
 
 /** Register a timer trigger (sweep/dream) — body built by *TimerMessage(). */
-export function registerTimer(opts: {
-  message: string;
-  registrant?: string;
-  runtime?: string;
-  iapeerBin?: string;
-}): IapSendResult {
-  return iapSend({
+export function registerTimer(
+  egress: Egress,
+  opts: {
+    message: string;
+    registrant?: string;
+    runtime?: string;
+    iapeerBin?: string;
+  },
+): IapSendResult {
+  return iapSend(egress, {
     to: "timer",
     fromIdentity: fromIdentity(opts.registrant ?? DEFAULT_REGISTRANT, opts.runtime),
     iapeerBin: opts.iapeerBin,
@@ -324,13 +325,16 @@ export function registerTimer(opts: {
   });
 }
 
-export function unregisterTimer(opts: {
-  id: string;
-  registrant?: string;
-  runtime?: string;
-  iapeerBin?: string;
-}): IapSendResult {
-  return iapSend({
+export function unregisterTimer(
+  egress: Egress,
+  opts: {
+    id: string;
+    registrant?: string;
+    runtime?: string;
+    iapeerBin?: string;
+  },
+): IapSendResult {
+  return iapSend(egress, {
     to: "timer",
     fromIdentity: fromIdentity(opts.registrant ?? DEFAULT_REGISTRANT, opts.runtime),
     iapeerBin: opts.iapeerBin,