@gcunharodrigues/wrxn 0.4.0 → 0.5.0

package/manifest.json

@@ -98,6 +98,11 @@
       "class": "managed",
       "profile": "project"
     },
+    {
+      "path": ".claude/skills/dream/SKILL.md",
+      "class": "managed",
+      "profile": "project"
+    },
     {
       "path": ".claude/skills/grill-me/SKILL.md",
       "class": "managed",
@@ -408,6 +413,16 @@
       "class": "state",
       "profile": "project"
     },
+    {
+      "path": ".wrxn/dream.cjs",
+      "class": "managed",
+      "profile": "project"
+    },
+    {
+      "path": ".wrxn/dream/.gitkeep",
+      "class": "state",
+      "profile": "project"
+    },
     {
       "path": ".wrxn/wiki.cjs",
       "class": "managed",
@@ -438,6 +453,16 @@
       "class": "state",
       "profile": "project"
     },
+    {
+      "path": ".wrxn/wiki/_rules/.gitkeep",
+      "class": "state",
+      "profile": "project"
+    },
+    {
+      "path": ".wrxn/wiki/_slots/.gitkeep",
+      "class": "state",
+      "profile": "project"
+    },
     {
       "path": "docs/agents/domain.md",
       "class": "seeded",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gcunharodrigues/wrxn",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "WRXN Kernel — installable AI operating system. Two profiles (project | workspace), pull-based updates, managed/seeded/state file classes.",
   "bin": {
     "wrxn": "bin/wrxn.cjs"

package/payload/.claude/hooks/synapse-engine.cjs

@@ -257,6 +257,7 @@ function handoffDirective(consumed, pct) {
     '  1. Finish the current request.',
     '  2. Run the handoff skill to write the baton (a compact handoff document).',
     '  3. Tell the operator to /clear and open a fresh session, where the baton injects on resume.',
+    '  Suggestion (optional, before step 2): run the dream skill to consolidate this session\'s durable learnings into wiki memory — a suggestion only; dream never auto-runs, it acts only when you invoke it.',
   ].join('\n');
 }
 

package/payload/.claude/hooks/wiki-lint.cjs

@@ -15,6 +15,9 @@
 const fs = require('fs');
 const path = require('path');
 
+// The human-prose tiers only. The `_`-prefixed tiers (`_rules` and `_slots`) are machine-written by the
+// dream adapter through wiki.cjs — they are deliberately OUTSIDE this human-prose frontmatter lint, not
+// an omission (dream-03: no silent divergence).
 const TIERS = ['concepts', 'decisions', 'gotchas', 'sessions'];
 const REQUIRED_KEYS = ['name', 'description', 'tier'];
 const MAX_FLAGGED = 20;

package/payload/.claude/skills/dream/SKILL.md

@@ -0,0 +1,210 @@
+---
+name: dream
+description: Consolidate the live session into durable wiki memory — reflect on this conversation, draft evidence-backed Proposals (concept/decision/gotcha/rule), gate each through the dream adapter, and on your confirmation write net-new pages the Brain will recall next time. Use when someone says "dream", "consolidate this session", "save what we learned", or wants to capture durable memory before a handoff.
+user-invocable: true
+---
+
+# dream — session consolidation
+
+dream turns what you learned in **this session** into durable wiki pages the **Brain** will recall in
+future sessions. You **propose**; the deterministic adapter **judges**. Every page must quote the
+session that justifies it, and **nothing is written without the operator's confirmation** — so a bad
+proposal can never poison recall. "Bad memory is worse than no memory."
+
+## Indirection contract (MUST)
+
+> Drive the adapters. NEVER write wiki files directly and NEVER re-implement the gate.
+
+- Validate / stage / commit go through **`.wrxn/dream.cjs`** (the Validation gate + audit + writer).
+- Wiki reads (to check what already exists, or to confirm recall) go through **`.wrxn/wiki.cjs`**.
+- The skill is the **semantic** filter (you don't even draft junk); the adapter is the **mechanical**
+  backstop (it rejects what slips through). Run a proposal the gate rejected? It is never written.
+
+## The loop
+
+1. **Reflect** on the live conversation already in your context. Do NOT read transcripts or stored
+   session pages — reflect on what is in front of you, this session only.
+2. **Draft** candidate Proposals (see schema + rubric below), each grounded in a **verbatim quote**
+   from THIS session. If the session yields no durable insight, **abstain** — propose nothing.
+3. **check** the batch through the adapter; drop or fix anything it rejects (never carry a reject
+   forward).
+4. **stage** the validated batch — records it to the audit trail, outside the recalled wiki.
+5. **Present** the staged batch to the operator and wait for confirmation.
+6. **commit** only the operator-approved subset — net-new pages, additively, into their tiers.
+
+If reflection surfaces nothing durable, or the gate rejects every proposal, **stop**: say so, stage
+nothing, commit nothing. Restraint is a success, not a failure.
+
+## FAITHFULNESS — the most important rule
+
+The wiki records *what happened in this project, this session* — not what you know about the topic in
+general. You are not writing tutorials, documentation, or reference material. Every claim in every
+page MUST trace to the session in front of you.
+
+Do NOT:
+- Invent dates, version numbers, commit hashes, author names, file paths, function names, line
+  numbers, or error codes that did not appear in the session.
+- Add "When to use" / "Best practices" / "Alternatives" / "See also" sections that weren't grounded in
+  the session — those are reference-material patterns, not memory.
+- Enumerate options that weren't actually considered, or expand a terse operator comment into an essay.
+- Fabricate code or speculate about consequences the session itself didn't raise.
+- **Write a session secret into a page.** Redact any credential (API key, token, private key) that
+  surfaced in the session — a durable page is recalled forever. The gate also rejects `contains_secret`,
+  but you are the first filter.
+
+Do:
+- Compress the session into well-titled pages with the right `kind`.
+- **Preserve the operator's actual phrasing** for decisions and rules — it is load-bearing.
+- Write each page at the length the session actually warrants — dense fact, no padding, no truncation.
+- If the session yields no durable insight, **abstain**. Resist the urge to manufacture content.
+
+## What to propose — the `kind` rubric
+
+Exactly one kind per Proposal; `tier` must agree with `kind`.
+
+| kind       | tier         | propose when the session produced…                                            |
+|------------|--------------|-------------------------------------------------------------------------------|
+| `decision` | `decisions`  | a choice of X over Y, with its rationale and consequences (why the project is the way it is) |
+| `gotcha`   | `gotchas`    | a reproducible pitfall / failure mode, its root cause, and the mitigation     |
+| `concept`  | `concepts`   | stable architecture or domain knowledge (synthesis, not a task chronology)    |
+| `rule`     | `_rules`     | an always/never project convention the session established — a standing rule, recalled like a concept (NOT a SYNAPSE always-on rule; see Boundaries) |
+
+Two unrelated insights stay **two** pages — never merge them into one. Small pages, stable
+kebab-case names (Karpathy LLM-wiki style). Cap a run at **≤ 5** proposals.
+
+## What NOT to propose — anti-superstition
+
+Do not even draft these. A transient or false "memory", once recalled, hardens into a permanent false
+constraint on every future session. (The adapter rejects them too — but you are the first filter.)
+
+| Reject                          | Why                                                                  |
+|---------------------------------|----------------------------------------------------------------------|
+| "tool X is broken"              | A broad negative tool claim hardens into a permanent false refusal after the tool is fixed. |
+| Transient env / setup failures  | ENOENT, connection refused, timeouts, flaky/intermittent, rate-limits, a missing binary — stale false constraints, not durable truth. |
+| Smoke / sanity / happy-path checks | Operational evidence, not reusable knowledge.                     |
+| Release / version markers       | A one-time event (a version bump, a changelog, an npm publish), not a lesson. |
+| One-off task narratives         | "Renamed a file", "fixed a typo", a trivial chore — episodic, already captured. |
+| **wrxn itself**                 | Never memorialize wrxn's own routing / skills / synapse / hooks / constitution / adapters — the memory system must not pollute itself. |
+
+## Proposal schema
+
+A Proposal is one JSON object. A run is a JSON **array** of them (the batch).
+
+```jsonc
+{
+  "kind":  "concept" | "decision" | "gotcha" | "rule",      // pick one
+  "tier":  "concepts" | "decisions" | "gotchas" | "_rules", // = f(kind); MUST agree
+  "slug":  "kebab-case-page-name",                  // stable name
+  "title": "One-line page title",
+  "body":  "# Title\n\n…markdown… ",                // MUST start with '# '
+  "confidence": 0.0,                                 // honest 0–1; the gate floor is 0.75
+  "rationale": "Why this is durable.",
+  "evidence": [                                      // >= 1, each a VERBATIM quote from THIS session
+    { "quote": "exact words from the session", "source": "file:line | commit | turn-N" }  // source optional
+  ]
+}
+```
+
+## Driving the adapter
+
+Run from inside the install (the adapter walks up to `wrxn.install.json` to find the root — no
+`--root` needed). Write each batch to a **throwaway temp file** (it is scratch input, not a wiki page;
+only the adapter's own `.wrxn/dream/*.jsonl` audit files persist).
+
+**1 — check** (the gate; PROPOSE, then let it JUDGE):
+
+```bash
+node .wrxn/dream.cjs check /tmp/dream-batch.json
+```
+
+A batch returns `{ abstained, accepted[], rejected[ {index, slug, reason} ] }`. Each `reason` is a
+machine code — `confidence_below_threshold`, `missing_evidence`, `missing_rationale`,
+`body_missing_h1`, `body_too_large`, `invalid_slug`, `missing_title`, `invalid_title`,
+`unsupported_tier`, `kind_tier_mismatch`, `contains_secret`, `duplicate_existing_path`,
+`duplicate_existing_title`, `max_proposals_exceeded`, or a `negative_filter_*`. Fix or drop every
+rejected proposal; re-check until the batch is clean. If it returns `{ abstained: true }` (or every
+proposal is rejected), **stop** — write nothing.
+
+If the gate rejects a genuinely durable insight on a `negative_filter_*` **false positive** (e.g. a real
+decision that merely mentions "transient", "synapse", or "release"), **rephrase** the page to drop the
+transient/operational wording — state the durable decision, not the episodic event — then re-check.
+Never write around the gate.
+
+**2 — stage** (record the validated batch to the audit trail; nothing reaches the wiki yet):
+
+```bash
+node .wrxn/dream.cjs stage /tmp/dream-batch.json
+```
+
+**3 — present, then confirm.** Show the operator each staged proposal — its **tier/slug**, **title**,
+**confidence**, the **verbatim evidence quote**, and the one-line rationale — and ask which to approve.
+Never skip this step. If the operator approves none, you are done: commit nothing.
+
+**4 — commit** (write ONLY the operator-approved subset, **by reference**). Build a JSON array of the
+approved **slugs** — NOT a rebuilt Proposal array — and commit it:
+
+```bash
+node .wrxn/dream.cjs commit /tmp/dream-approved.json   # ["slug-a","slug-b"]  (or {"approved":["slug-a",…]})
+```
+
+`commit` reads `.wrxn/dream/staged.jsonl`, finds each approved slug's **staged** proposal, **re-runs the
+gate** on it (confidence, evidence, body H1, kind↔tier, secret-scan, negative filters, identity, dedup —
+everything `check` ran), and writes ONLY the ones that still pass — net-new pages, additively, via
+`wiki.cjs`. It **dedup-skips** any whose path already exists (never clobbers a curated page); a slug not
+staged (`not_staged`) or one that fails re-validation is recorded skipped with the reason. Returns
+`{ written[], skipped[] }`. This binds *committed == staged == presented*: a proposal the gate would
+reject can never be written, even if its slug is force-approved.
+
+**5 — confirm recall (optional).** The committed pages are plain `.md` in the wiki, so the Brain
+recalls them automatically next session. Spot-check with a wiki query:
+
+```bash
+node .wrxn/wiki.cjs query "<a phrase from a page you just wrote>"
+```
+
+## Refreshing the focus slot
+
+`_slots/current-focus.md` is the project's **durable standing focus** — a short statement of what the
+project is centered on right now, recall-surfaced like any other page. It is the **lone updatable wiki
+page**: every knowledge page is additive + dedup-skip, but the focus slot may be **overwritten in
+place**.
+
+This is **not** the knowledge-proposal loop — do not run a focus update through `check` / `stage` /
+`commit` (those are for evidence-backed concept/decision/gotcha/rule pages). The slot has its **own op**:
+
+1. Draft a short standing-focus statement (a few lines of markdown, body starting with `# `).
+2. **Present it to the operator and wait for confirmation** — like every dream write.
+3. On approval, write it via the dedicated op — it overwrites the slot in place:
+
+```bash
+node .wrxn/dream.cjs set-focus /tmp/dream-focus.json   # { "title": "Current focus", "body": "# Current focus\n\n…" }
+```
+
+The focus slot is **gated** too: `set-focus` runs the anti-superstition negative filters and the
+credential secret-scan over the focus body and **refuses** (writing nothing) if either fires. Redact
+secrets and pin durable standing context, not a transient note.
+
+**Continuity doctrine — do not cross these wires.** The focus slot is **disjoint** from the handoff
+**baton** (`.wrxn/continuity/latest.md`): different path, different writer. `set-focus` NEVER reads or
+writes the baton, and the **handoff** skill remains its sole writer. The baton is ephemeral cross-session
+resume; the focus slot is durable standing context. Keeping their paths and writers separate is the
+structural fix that stops a deliberate handoff from being clobbered.
+
+## Boundaries
+
+- **Current session only.** No transcript mining, no cross-session backlog.
+- **Additive only, save one slot.** dream creates net-new knowledge pages; merging or refreshing an
+  existing page is out of scope (that is harvest, a later phase). The **lone exception** is the focus
+  slot `_slots/current-focus.md`, which `set-focus` overwrites in place (see *Refreshing the focus slot*).
+- **Never autonomous.** dream is a deliberate, attended, operator-confirmed skill — never a background
+  run, never a write without confirmation.
+- **`_rules` ≠ SYNAPSE.** A `rule` page is *recalled knowledge* — the Brain surfaces it like a concept
+  or gotcha. It is NOT a SYNAPSE always-on rule. Promoting a `_rules` page into SYNAPSE's curated
+  always-injected set (`.synapse/`) is a separate, deliberate act — **dream NEVER edits `.synapse/`**.
+
+## Source
+
+WRXN Kernel issue dream-02. Adapter: `.wrxn/dream.cjs` (dream-01). Prompts adapted from
+`akitaonrails/ai-memory` (`auto_improve` system prompt, the `batch_consolidate` FAITHFULNESS block,
+the `kind` rubric, the `docs/auto-improvement-loop.md` negative-filter list). ADR 0003; PRD
+`dream-prd`.

package/payload/.claude/skills/handoff/SKILL.md

@@ -6,6 +6,8 @@ argument-hint: "What will the next session be used for?"
 
 Write a handoff document summarising the current conversation so a fresh agent can continue the work.
 
+Before writing the baton, OFFER to run the `dream` skill to consolidate this session's durable learnings into wiki memory (concept/decision/gotcha/rule pages the Brain recalls next session). This is an offer only — run `dream` solely if the operator agrees; never auto-run it. `dream` writes additive wiki pages (and may refresh its own `_slots/current-focus.md`), while this skill remains the SOLE writer of `.wrxn/continuity/latest.md` — the two are disjoint, so neither clobbers the other.
+
 Save it to the install's continuity slot: `.wrxn/continuity/latest.md` (resolve the install root by walking up to the `wrxn.install.json` receipt; create the `.wrxn/continuity/` directory if absent). This slot is the deliberate, intent-carrying baton — the NEXT session's `session-start` hook injects its contents as the resume surface, taking precedence over the automatic episodic session page.
 
 CONTINUITY DOCTRINE: this skill is the SINGLE writer of `.wrxn/continuity/latest.md`. The automatic `session-end` hook writes ONLY dated session pages under `.wrxn/wiki/sessions/` and NEVER touches the baton — so a deliberate handoff is never clobbered by the automatic episodic record. Overwrite the previous baton (the latest deliberate handoff is the live one).

package/payload/.wrxn/dream.cjs

@@ -0,0 +1,468 @@
+#!/usr/bin/env node
+'use strict';
+
+// WRXN dream adapter — the install-local Validation gate + audit/commit CLI.
+// Sibling to wiki.cjs. Self-contained: this ships INTO an install and MUST NOT import the kernel lib
+// (node stdlib only). The dream SKILL (the LLM, dream-02) PROPOSES; THIS adapter JUDGES (a
+// deterministic gate) and records — "bad memory is worse than no memory".
+//
+// In THIS slice the adapter is driven by hand-fed proposal JSON (no LLM). Four subcommands:
+//   check  <proposal.json | batch.json>   run the Validation gate.
+//          · a single Proposal object  → a single Verdict { ok, reason? }.
+//          · an array / { proposals:[…] } / { abstain:true } → a batch result
+//            { abstained, accepted[], rejected[{index,slug,reason}] } (applies the ≤5 run cap + restraint).
+//   stage  <batch.json>                   record the VALIDATED (accepted) batch into the audit trail
+//          under .wrxn/dream/ as .jsonl (NEVER .md, so recon's prose ingestion never recalls a
+//          staged-but-unapproved proposal). Nothing is written to the wiki.
+//   commit <approved.json>                write the operator-approved subset additively to their tiers,
+//          BY REFERENCE: approved.json is the approved SLUG list (["slug-a",…] or { approved:[…] }). For
+//          each slug we look up its staged proposal in staged.jsonl and RE-RUN the gate (validateProposal)
+//          at the write boundary, writing ONLY those that still pass — VIA the wiki.cjs adapter (the
+//          indirection contract). This binds committed == staged == presented: a gate-rejected proposal
+//          can never reach recall even if its slug is force-approved. Additive + dedup-SKIP; a slug not
+//          staged (not_staged) or one that fails re-validation is recorded skipped with the reason, and
+//          the rest of the batch still writes. Then the outcome is appended to the .wrxn/dream/ audit log.
+//   set-focus <focus.json>                write/OVERWRITE the durable standing-focus slot
+//          `_slots/current-focus.md` (input { title?, body }) via the wiki adapter's --force path, then
+//          log it. This is the LONE update-exception: only the focus slot may be overwritten; the
+//          knowledge gate/commit above stay additive + dedup-skip. The focus slot is DISJOINT from the
+//          continuity baton (`.wrxn/continuity/latest.md`, single-writer = the handoff skill) — set-focus
+//          NEVER reads or writes that baton (different path, different writer: the continuity doctrine).
+//
+// Flag: --root <dir> (override the install-root walk-up; mainly for tests).
+//
+// Proposal { kind:"concept"|"decision"|"gotcha"|"rule"; tier:"concepts"|"decisions"|"gotchas"|"_rules";
+//            slug; title; body /* starts "# " */; confidence /*0–1*/; rationale; evidence:[{quote,source?}] }
+// Verdict  { ok:boolean; reason?:string /* machine code on reject */ }
+// NOTE: `_slots` is NOT a knowledge-gate tier — KIND_TIER stays {concepts,decisions,gotchas,_rules}; a
+//       knowledge proposal targeting `_slots` is rejected `unsupported_tier`. The slot is reached ONLY
+//       via set-focus.
+
+const fs = require('fs');
+const path = require('path');
+const { execFileSync } = require('child_process');
+
+// kind → tier is the contract; the tier must agree with the kind. `rule → _rules` (dream-03) joins the
+// three semantic tiers — this single map auto-extends the tier allowlist (TIERS) and the kind↔tier gate.
+const KIND_TIER = { concept: 'concepts', decision: 'decisions', gotcha: 'gotchas', rule: '_rules' };
+const TIERS = Object.values(KIND_TIER);
+const CONFIDENCE_FLOOR = 0.75;
+const BODY_MAX = 32000; // size cap (chars) — a durable page, not a transcript dump.
+const MAX_ACCEPTED = 5; // one run can't flood the wiki.
+const DREAM_DIR = ['.wrxn', 'dream'];
+const STAGED_FILE = 'staged.jsonl'; // the validated-but-unapproved batch (full proposals).
+const AUDIT_FILE = 'audit.jsonl'; // the append-only outcome log (stage + commit + set-focus events).
+
+// The durable standing-focus slot — a FIXED wiki path (tier + slug). set-focus is its ONLY writer and
+// overwrites it in place (the lone update-exception). `_slots` is deliberately ABSENT from KIND_TIER /
+// TIERS above: it is not a knowledge-gate tier, so the additive + dedup-skip knowledge gate is untouched.
+const FOCUS_TIER = '_slots';
+const FOCUS_SLUG = 'current-focus';
+
+// ── install-root resolution (mirrors wiki.cjs / enforce-managed-guard.cjs) ─────
+function findInstallRoot(start) {
+  let dir = start || process.env.CLAUDE_PROJECT_DIR || process.cwd();
+  for (let i = 0; i < 12; i++) {
+    if (fs.existsSync(path.join(dir, 'wrxn.install.json'))) return dir;
+    const up = path.dirname(dir);
+    if (up === dir) break;
+    dir = up;
+  }
+  return null;
+}
+
+function flag(name) {
+  const i = process.argv.indexOf(`--${name}`);
+  return i > -1 ? process.argv[i + 1] : undefined;
+}
+
+function installRoot() {
+  const root = flag('root') || findInstallRoot();
+  if (!root) {
+    fail('cannot resolve the install root — run inside a wrxn install (no wrxn.install.json found walking up) or pass --root <dir>');
+  }
+  return root;
+}
+
+function fail(msg) {
+  process.stderr.write(`dream: ${msg}\n`);
+  process.exit(2);
+}
+
+function print(obj) {
+  process.stdout.write(JSON.stringify(obj, null, 2) + '\n');
+}
+
+// The first positional after the subcommand (the JSON file path), up to the first --flag.
+function positionalFile() {
+  for (let i = 3; i < process.argv.length; i++) {
+    if (process.argv[i].startsWith('--')) break;
+    return process.argv[i];
+  }
+  fail('missing <file.json> argument');
+  return undefined;
+}
+
+// ── the wiki adapter (the indirection contract — we never read/write wiki .md files directly) ──
+function wikiAdapter() {
+  return path.join(__dirname, 'wiki.cjs'); // sibling in the same install .wrxn/ dir
+}
+
+// Guard the dream→wiki bridge against argv flag-injection (security M3): a user-controlled value
+// beginning with `--` would be parsed by wiki.cjs's flag()/positionals() scan as a flag (e.g. a title
+// "--root" redirects the write out of the wiki). The gate already rejects a `--`-leading slug
+// (invalid_slug) and title (invalid_title); this is the defense-in-depth backstop at the exec boundary.
+function guardArgv(values) {
+  for (const v of values) {
+    if (typeof v === 'string' && v.startsWith('--')) {
+      throw new Error(`flag-injection guard: refusing a --leading value at the wiki bridge: ${JSON.stringify(v.slice(0, 32))}`);
+    }
+  }
+}
+
+function wikiQuery(root, terms, opts) {
+  const o = opts || {};
+  guardArgv(terms.map(String));
+  const args = [wikiAdapter(), 'query', ...terms.map(String), '--root', root, '--limit', String(o.limit || 5000)];
+  if (o.tier) args.push('--tier', o.tier);
+  return JSON.parse(execFileSync('node', args, { encoding: 'utf8' }));
+}
+
+function wikiWritePage(root, tier, slug, description, body) {
+  guardArgv([slug, String(description || ''), String(body || '')]);
+  const args = [wikiAdapter(), 'write-page', tier, slug, '--description', String(description || ''), '--body', String(body || ''), '--root', root];
+  return JSON.parse(execFileSync('node', args, { encoding: 'utf8' }));
+}
+
+// Overwrite a page in place via the wiki adapter's --force path (the indirection contract — never a
+// direct .md write). wiki.cjs restricts --force to the `_slots` tier, so only the focus slot is reachable.
+function wikiForceWritePage(root, tier, slug, description, body) {
+  guardArgv([slug, String(description || ''), String(body || '')]);
+  const args = [wikiAdapter(), 'write-page', tier, slug, '--description', String(description || ''), '--body', String(body || ''), '--force', '--root', root];
+  return JSON.parse(execFileSync('node', args, { encoding: 'utf8' }));
+}
+
+function normalizeTitle(t) {
+  return String(t == null ? '' : t).toLowerCase().replace(/\s+/g, ' ').trim();
+}
+
+// ── anti-superstition negative filters ────────────────────────────────────────
+// A mechanical backstop to the dream skill's prompt (the skill is the primary semantic filter; this is
+// "reinforced where mechanical"). Each pattern catches a class of transient/false "memory" that, if
+// hardened into a recalled page, would poison future sessions. Matched over the proposal's AUTHORED
+// text (title + body + rationale) ONLY — never the verbatim evidence quotes, which legitimately may
+// contain the very failure phrasing a durable gotcha records.
+const NEGATIVE_FILTERS = [
+  // "tool X is broken" — a broad negative tool claim hardens into a permanent false refusal.
+  { reason: 'negative_filter_tool_broken', re: /\bis (currently |completely |totally |again |now )?broken\b|\b(are|was|were) broken\b|\b(does|do|did)(n['’‛]t| not) work\b|\bnot working\b|\bis (down|unusable|busted|borked|useless)\b|\b(always|constantly|keeps?|forever) (fail(s|ing)?|break(s|ing)?|crash(es|ing)?)\b/ },
+  // a transient environment / setup failure — not a durable property of the system. (The bare adjectives
+  // `transient`/`intermittent` are intentionally NOT here: they false-positive on DI-lifetime decisions
+  // like "services are registered transient" — the concrete error codes below carry the failure intent.)
+  { reason: 'negative_filter_transient_failure', re: /\b(econnrefused|enoent|eaddrinuse|etimedout|connection refused|connection reset|timed out|time-?out|flak(e|y|ey)|rate[- ]?limit(ed)?|http 5\d\d|50[234]|port (already )?in use|address already in use|network (error|issue|glitch)|dns (error|failure))\b/ },
+  // a smoke / sanity / happy-path RESULT — proves nothing durable. Gated on a result word so a forward
+  // decision ("we adopt smoke tests", "the happy path must stay fast") is NOT a false positive.
+  { reason: 'negative_filter_smoke_test', re: /\bhello[- ]?world\b|\b(smoke[- ]?tests?|sanity[- ]?checks?|happy path)\s+(pass(ed|es|ing)?|ran|run|succeed(ed|s)?|works?|worked|green)\b/ },
+  // a release / version EVENT — a one-time act, not durable knowledge. (Bare nouns `released`/`changelog`/
+  // `version bump` are intentionally NOT here: they false-positive on release-POLICY decisions.)
+  { reason: 'negative_filter_release_marker', re: /\b(release notes?|bump(ed|ing)? (the )?version|tagged v\d|published to npm|npm publish|cut (a|the) release)\b/ },
+  // a one-off task narrative — "today I renamed/fixed-a-typo" is episodic, not semantic.
+  { reason: 'negative_filter_one_off', re: /\b(one[- ]?off|just this once|one[- ]?time only|fixed a typo|typo fix|renamed (the )?(file|variable|function|method)|moved (the )?file|trivial (chore|fix|task)|quick chore)\b/ },
+  // never memorialize wrxn itself (its own routing / skill / engine text) — the memory system must not
+  // pollute itself. (The bare word `synapse` is intentionally NOT here — it false-positives on "Azure
+  // Synapse" / "Matrix Synapse"; wrxn's OWN synapse is still caught by the qualified `wrxn…synapse` clause.)
+  { reason: 'negative_filter_wrxn_self', re: /\bsynapse-engine\b|\.claude\/(skills|hooks)\b|\bskill\.md\b|\bwiki\.cjs\b|\bdream\.cjs\b|\bconstitution\.md\b|\b(routing|keyword[- ]?recall) domain\b|\bwrxn['’‛]?s?\s+(own|routing|skill|synapse|hook|constitution|manifest|payload|kernel|adapter)\b/ },
+];
+
+function negativeFilter(text) {
+  const lc = String(text || '').toLowerCase();
+  for (const f of NEGATIVE_FILTERS) if (f.re.test(lc)) return f.reason;
+  return null;
+}
+
+// ── credential / secret scan (security M2) ────────────────────────────────────
+// A durable page must never harden a session secret into recalled memory. Scanned over the AUTHORED
+// text (title + body + rationale) — the same scope as the negative filters, and CASE-SENSITIVE (these
+// token shapes are case-specific). Evidence quotes are audit-only (never written to a page) so they
+// stay out of scope here, like the negative filters.
+const SECRET_PATTERNS = [
+  /AKIA[0-9A-Z]{16}/,                    // AWS access key id
+  /gh[pousr]_[A-Za-z0-9]{36}/,           // GitHub token (ghp_/gho_/ghu_/ghs_/ghr_)
+  /npm_[A-Za-z0-9]{36}/,                 // npm automation token
+  /sk-[A-Za-z0-9]{20,}/,                 // OpenAI-style secret key
+  /-----BEGIN [A-Z ]*PRIVATE KEY-----/,  // PEM private-key header
+];
+
+function secretScan(text) {
+  const s = String(text || ''); // NOT lowercased — the token shapes are case-sensitive.
+  for (const re of SECRET_PATTERNS) if (re.test(s)) return 'contains_secret';
+  return null;
+}
+
+// ── the pure per-proposal gate ────────────────────────────────────────────────
+// Deterministic given (proposal, io). `io` injects the dedup IO so the gate stays a pure, unit-testable
+// function (mirrors Phase-2 decideRecall): io.pathExists(tier,slug) / io.titleExists(title,tier,slug).
+// Precedence: routing validity → quality → content safety → dedup (the last, most-expensive check).
+function validateProposal(p, io) {
+  if (!p || typeof p !== 'object' || Array.isArray(p)) return { ok: false, reason: 'invalid_proposal' };
+  if (!TIERS.includes(p.tier)) return { ok: false, reason: 'unsupported_tier' };
+  if (KIND_TIER[p.kind] !== p.tier) return { ok: false, reason: 'kind_tier_mismatch' };
+  if (typeof p.confidence !== 'number' || p.confidence < CONFIDENCE_FLOOR) return { ok: false, reason: 'confidence_below_threshold' };
+  if (!Array.isArray(p.evidence) || p.evidence.length === 0 ||
+      !p.evidence.every((e) => e && typeof e.quote === 'string' && e.quote.trim().length > 0)) {
+    return { ok: false, reason: 'missing_evidence' };
+  }
+  if (typeof p.rationale !== 'string' || p.rationale.trim().length === 0) return { ok: false, reason: 'missing_rationale' };
+  if (typeof p.body !== 'string' || !p.body.startsWith('# ')) return { ok: false, reason: 'body_missing_h1' };
+  if (p.body.length > BODY_MAX) return { ok: false, reason: 'body_too_large' };
+  const authored = `${p.title || ''}\n${p.body}\n${p.rationale}`;
+  const neg = negativeFilter(authored);
+  if (neg) return { ok: false, reason: neg };
+  const sec = secretScan(authored);
+  if (sec) return { ok: false, reason: sec };
+  // identity fields — gated BEFORE the (expensive) dedup IO so a bad/missing slug or a flag-injecting
+  // title can never reach the wiki bridge (a no-slug proposal otherwise passes check then drops at commit).
+  if (typeof p.slug !== 'string' || !/^[a-z0-9][a-z0-9-]*$/.test(p.slug)) return { ok: false, reason: 'invalid_slug' };
+  if (typeof p.title !== 'string' || p.title.trim().length === 0) return { ok: false, reason: 'missing_title' };
+  if (p.title.startsWith('--')) return { ok: false, reason: 'invalid_title' };
+  if (io.pathExists(p.tier, p.slug)) return { ok: false, reason: 'duplicate_existing_path' };
+  if (io.titleExists(p.title, p.tier, p.slug)) return { ok: false, reason: 'duplicate_existing_title' };
+  return { ok: true };
+}
+
+// Run-level gate: restraint (empty/abstain ⇒ write nothing) + the ≤5 accepted cap.
+function validateRun(proposals, io) {
+  const accepted = [];
+  const rejected = [];
+  let acceptedCount = 0;
+  for (let i = 0; i < proposals.length; i++) {
+    const p = proposals[i];
+    const v = validateProposal(p, io);
+    if (v.ok) {
+      acceptedCount += 1;
+      if (acceptedCount > MAX_ACCEPTED) {
+        rejected.push({ index: i, slug: p && p.slug, reason: 'max_proposals_exceeded' });
+      } else {
+        accepted.push(p);
+      }
+    } else {
+      rejected.push({ index: i, slug: p && p.slug, reason: v.reason });
+    }
+  }
+  return { abstained: false, accepted, rejected };
+}
+
+// Dedup IO backed by the wiki adapter's query (lazy — only fires for an otherwise-valid proposal).
+function makeIo(root) {
+  return {
+    pathExists(tier, slug) {
+      if (!slug || !TIERS.includes(tier)) return false;
+      try {
+        const res = wikiQuery(root, [slug], { tier, limit: 5000 });
+        const page = `${tier}/${slug}.md`;
+        return (res.hits || []).some((h) => h.file === page);
+      } catch {
+        return false;
+      }
+    },
+    titleExists(title, tier, slug) {
+      const want = normalizeTitle(title);
+      if (!want) return false;
+      try {
+        const res = wikiQuery(root, [String(title)], { limit: 5000 });
+        const ownPage = `${tier}/${slug}.md`;
+        return (res.hits || []).some((h) => {
+          const m = /^description:\s*(.*)$/i.exec(h.snippet || '');
+          return m && normalizeTitle(m[1]) === want && h.file !== ownPage;
+        });
+      } catch {
+        return false;
+      }
+    },
+  };
+}
+
+// Normalize any check/stage/commit input into { proposals[], abstain }.
+function normalizeBatch(input) {
+  if (input && typeof input === 'object' && input.abstain === true) return { proposals: [], abstain: true };
+  if (Array.isArray(input)) return { proposals: input, abstain: input.length === 0 };
+  if (input && typeof input === 'object' && Array.isArray(input.proposals)) {
+    return { proposals: input.proposals, abstain: input.proposals.length === 0 };
+  }
+  return { proposals: [input], abstain: false }; // a bare single proposal
+}
+
+function isBatchInput(input) {
+  return Array.isArray(input) ||
+    (input && typeof input === 'object' && (Array.isArray(input.proposals) || input.abstain === true));
+}
+
+function readJson(file) {
+  try {
+    return JSON.parse(fs.readFileSync(file, 'utf8'));
+  } catch (err) {
+    fail(`cannot read JSON from "${file}": ${err.message}`);
+    return undefined;
+  }
+}
+
+function appendLine(file, obj) {
+  fs.appendFileSync(file, JSON.stringify(obj) + '\n');
+}
+
+function dreamDir(root) {
+  const dir = path.join(root, ...DREAM_DIR);
+  fs.mkdirSync(dir, { recursive: true });
+  return dir;
+}
+
+// ── subcommands ───────────────────────────────────────────────────────────────
+function runCheck() {
+  const input = readJson(positionalFile());
+  const root = installRoot();
+  const io = makeIo(root);
+  if (isBatchInput(input)) {
+    const { proposals, abstain } = normalizeBatch(input);
+    if (abstain) return print({ abstained: true, accepted: [], rejected: [] });
+    return print(validateRun(proposals, io));
+  }
+  return print(validateProposal(input, io)); // single proposal → single Verdict
+}
+
+function runStage() {
+  const input = readJson(positionalFile());
+  const root = installRoot();
+  const { proposals, abstain } = normalizeBatch(input);
+  if (abstain) return print({ abstained: true, staged: 0 }); // restraint: write nothing
+
+  const res = validateRun(proposals, makeIo(root));
+  const dir = dreamDir(root);
+  const ts = new Date().toISOString();
+  const stagedPath = path.join(dir, STAGED_FILE);
+  // staged.jsonl — the validated-but-unapproved proposals, full content, one JSON line each. NEVER .md
+  // (recon walks all of .wrxn/ and prose-ingests *.md, so the audit trail must stay non-markdown).
+  for (const p of res.accepted) appendLine(stagedPath, { ts, op: 'stage', slug: p.slug, tier: p.tier, proposal: p });
+  // audit.jsonl — the append-only outcome log (accepted slugs + the rejection reasons).
+  appendLine(path.join(dir, AUDIT_FILE), { ts, op: 'stage', accepted: res.accepted.map((p) => p.slug), rejected: res.rejected });
+  return print({
+    abstained: false,
+    staged: res.accepted.length,
+    rejected: res.rejected.length,
+    stagedFile: res.accepted.length ? path.relative(root, stagedPath) : null,
+  });
+}
+
+// Normalize commit input into the operator-approved SLUG list (["slug-a",…] or { approved:[…] }).
+function approvedSlugs(input) {
+  if (Array.isArray(input)) return input.map(String);
+  if (input && typeof input === 'object' && Array.isArray(input.approved)) return input.approved.map(String);
+  return [];
+}
+
+// Read staged.jsonl into a slug → staged-proposal map (last staged wins). Malformed lines are skipped.
+function readStaged(root) {
+  const map = new Map();
+  let txt;
+  try {
+    txt = fs.readFileSync(path.join(root, ...DREAM_DIR, STAGED_FILE), 'utf8');
+  } catch {
+    return map; // no staged trail yet → nothing to commit by reference
+  }
+  for (const line of txt.split('\n')) {
+    const s = line.trim();
+    if (!s) continue;
+    try {
+      const rec = JSON.parse(s);
+      if (rec && rec.slug && rec.proposal) map.set(rec.slug, rec.proposal);
+    } catch {
+      /* skip a malformed audit line */
+    }
+  }
+  return map;
+}
+
+// commit BY REFERENCE: bind committed == staged == presented. For each operator-approved slug we look up
+// its staged proposal and RE-RUN the full gate (validateProposal) at the write boundary — so a proposal
+// the gate would reject can never reach recall, even if its slug is force-approved. A slug not staged, or
+// one that fails re-validation (confidence, evidence, body H1, kind↔tier, secret-scan, negative filters,
+// identity, dedup — all re-checked), is recorded skipped with the reason; the rest of the batch still writes.
+function runCommit() {
+  const input = readJson(positionalFile());
+  const root = installRoot();
+  const approved = approvedSlugs(input);
+  const io = makeIo(root);
+  const staged = readStaged(root);
+  const written = [];
+  const skipped = [];
+  for (const slug of approved) {
+    const key = String(slug);
+    const p = staged.get(key);
+    if (!p) {
+      skipped.push({ slug: key, reason: 'not_staged' });
+      continue;
+    }
+    const v = validateProposal(p, io); // the re-gate — additive + dedup-skip + every quality/safety check
+    if (!v.ok) {
+      skipped.push({ slug: key, reason: v.reason });
+      continue;
+    }
+    try {
+      const r = wikiWritePage(root, p.tier, p.slug, p.title, p.body);
+      written.push({ slug: p.slug, tier: p.tier, file: r.written });
+    } catch (err) {
+      // wiki.cjs write-page does process.exit(2) on an existing page — catch the non-zero exit so a
+      // TOCTOU collision (or any single write failure) is recorded and the rest of the batch STILL writes.
+      const stderr = String((err && err.stderr) || '');
+      const reason = /already exists/i.test(stderr) ? 'duplicate_existing_path' : 'skipped_error';
+      skipped.push({ slug: key, reason });
+    }
+  }
+  appendLine(path.join(dreamDir(root), AUDIT_FILE), { ts: new Date().toISOString(), op: 'commit', written: written.map((w) => w.slug), skipped });
+  return print({ written, skipped });
+}
+
+// set-focus — write/overwrite the durable standing-focus slot. The LONE update-exception: it is the
+// only op that overwrites a wiki page, and only ever `_slots/current-focus.md`. It is NOT a knowledge
+// proposal (no gate, no dedup) — the skill drafts a short standing-focus statement, the operator
+// confirms, then this writes it via the wiki --force path. DISJOINT from the continuity baton:
+// set-focus never reads or writes `.wrxn/continuity/latest.md` (single-writer = the handoff skill).
+function runSetFocus() {
+  const input = readJson(positionalFile());
+  const root = installRoot();
+  const obj = input && typeof input === 'object' && !Array.isArray(input) ? input : {};
+  const title = obj.title ? String(obj.title) : 'Current focus';
+  const body = obj.body;
+  if (typeof body !== 'string' || body.trim().length === 0) {
+    fail('set-focus needs a non-empty "body" — the standing-focus statement to pin');
+  }
+  // Gate the focus slot too (security M1): it is an ungated --force write, so run the same content-safety
+  // checks the knowledge gate runs — the anti-superstition negative filters + the credential secret-scan
+  // — over the focus title+body, and refuse a `--`-leading flag-injection value. Reject ⇒ nothing written.
+  const scan = `${title}\n${body}`;
+  const neg = negativeFilter(scan);
+  if (neg) fail(`set-focus rejected — the focus body trips a negative filter (${neg}); state durable standing context, not a transient note`);
+  const sec = secretScan(scan);
+  if (sec) fail(`set-focus rejected — the focus body contains a credential (${sec}); never pin a session secret`);
+  if (title.startsWith('--') || body.startsWith('--')) fail('set-focus rejected — a --leading title/body is refused (flag-injection guard)');
+  const r = wikiForceWritePage(root, FOCUS_TIER, FOCUS_SLUG, title, body);
+  appendLine(path.join(dreamDir(root), AUDIT_FILE), { ts: new Date().toISOString(), op: 'set-focus', file: r.written });
+  return print({ focus: r.written });
+}
+
+function main() {
+  const cmd = process.argv[2];
+  switch (cmd) {
+    case 'check':
+      return runCheck();
+    case 'stage':
+      return runStage();
+    case 'commit':
+      return runCommit();
+    case 'set-focus':
+      return runSetFocus();
+    default:
+      process.stdout.write('Usage: node .wrxn/dream.cjs <check|stage|commit|set-focus> <file.json> [--root <dir>]\n');
+      process.exit(cmd ? 2 : 0);
+  }
+}
+
+main();

package/payload/.wrxn/wiki.cjs

@@ -4,22 +4,29 @@
 // WRXN memory-wiki adapter — the install-local CLI over the file-based memory tiers.
 // Self-contained: this ships INTO an install and MUST NOT import the kernel lib (node stdlib only).
 //
-// Tiers live under <installRoot>/.wrxn/wiki/<tier>/ where tier ∈ {concepts, decisions, gotchas, sessions}.
+// Tiers live under <installRoot>/.wrxn/wiki/<tier>/ where tier ∈ {concepts, decisions, gotchas, sessions, _rules, _slots}.
 // Each page is a plain markdown file. Empty tiers are the fresh-install default — every read path
 // must return cleanly (no crash) over an empty wiki.
 //
 // Subcommands:
 //   query <text...>              grep-style substring search → JSON {query, tier, total, hits[]}
 //   recall <text...>             alias of query (page-level recall; same substring engine)
-//   write-page <tier> <slug>     create <tier>/<slug>.md (refuses to overwrite); prints the path
+//   write-page <tier> <slug>     create <tier>/<slug>.md (refuses to overwrite); prints the path.
+//                                --force overwrites in place, but ONLY for the `_slots` focus slot.
 //
-// Flags: --tier <concepts|decisions|gotchas|sessions|all> (default all) · --limit <N> (default 20)
-//        --root <dir> (override the install-root walk-up; mainly for tests)
+// Flags: --tier <concepts|decisions|gotchas|sessions|_rules|_slots|all> (default all) · --limit <N> (default 20)
+//        --force (write-page only; overwrite the `_slots` slot in place) · --root <dir> (test override)
 
 const fs = require('fs');
 const path = require('path');
 
-const TIERS = ['concepts', 'decisions', 'gotchas', 'sessions'];
+// `_rules` is the dream-written tier (durable always/never project conventions) — recalled like the
+// prose tiers, but machine-written by the dream adapter (dream-03), hence the `_` prefix.
+// `_slots` (dream-04) holds the durable standing-focus page (`_slots/current-focus.md`) — the LONE
+// wiki page that may be overwritten in place, and only via `write-page --force`.
+const TIERS = ['concepts', 'decisions', 'gotchas', 'sessions', '_rules', '_slots'];
+// The one tier whose pages `--force` may overwrite — every other tier stays create-only / refuse-overwrite.
+const OVERWRITABLE_TIER = '_slots';
 
 // ── install-root resolution (walk up to the wrxn.install.json receipt) ────────
 // Mirrors payload/.claude/hooks/enforce-managed-guard.cjs findInstallRoot.
@@ -83,7 +90,7 @@ function listPages(dir) {
 function runQuery() {
   const terms = positionals();
   if (terms.length === 0) {
-    process.stdout.write('Usage: node .wrxn/wiki.cjs query <search-term...> [--tier all|concepts|decisions|gotchas|sessions] [--limit N]\n');
+    process.stdout.write('Usage: node .wrxn/wiki.cjs query <search-term...> [--tier all|concepts|decisions|gotchas|sessions|_rules|_slots] [--limit N]\n');
     process.exit(2);
   }
   const needle = terms.join(' ').toLowerCase();
@@ -115,20 +122,32 @@ function runQuery() {
 function runWritePage() {
   const [tier, slug] = positionals();
   if (!tier || !slug) {
-    process.stdout.write('Usage: node .wrxn/wiki.cjs write-page <tier> <slug> [--description "..."] [--body "..."]\n');
+    process.stdout.write('Usage: node .wrxn/wiki.cjs write-page <tier> <slug> [--description "..."] [--body "..."] [--force]\n');
     process.exit(2);
   }
   if (!TIERS.includes(tier)) fail(`unknown tier "${tier}" — one of ${TIERS.join(', ')}`);
   if (!/^[a-z0-9][a-z0-9-]*$/.test(slug)) fail(`slug must be kebab-case ([a-z0-9-]): "${slug}"`);
 
+  // `--force` is the LONE overwrite-exception (dream-04): it overwrites a page in place, and ONLY for
+  // the `_slots` focus slot. Every normal write-page (no `--force`, any other tier) still refuses to
+  // clobber — so the wiki stays additive/curated and only the standing-focus slot may be updated.
+  const force = process.argv.includes('--force');
+  if (force && tier !== OVERWRITABLE_TIER) {
+    fail(`--force overwrite is only permitted for the ${OVERWRITABLE_TIER} focus slot (the lone update-exception), not "${tier}"`);
+  }
+
   const root = wikiRoot();
   const dir = path.join(root, tier);
   fs.mkdirSync(dir, { recursive: true });
   const dest = path.join(dir, `${slug}.md`);
-  if (fs.existsSync(dest)) fail(`page already exists, refusing to overwrite: ${path.relative(root, dest)}`);
+  if (fs.existsSync(dest) && !force) fail(`page already exists, refusing to overwrite: ${path.relative(root, dest)}`);
 
   const description = flag('description') || '';
   const body = flag('body') || '';
+  // Prepend the `# <slug>` heading ONLY when the body does not already open with its own H1. The dream
+  // gate mandates every proposal body start with `# Title`, so an always-prepend would stack two H1s on
+  // committed pages (qa-finding dream-06). A heading-less or empty body still gets `# <slug>` (backward-compat).
+  const heading = body.trimStart().startsWith('# ') ? [] : [`# ${slug}`, ''];
   const page = [
     '---',
     `name: ${slug}`,
@@ -137,8 +156,7 @@ function runWritePage() {
     'source: wiki-cli-write-page',
     '---',
     '',
-    `# ${slug}`,
-    '',
+    ...heading,
     body,
     '',
   ].join('\n');