@haaaiawd/second-nature 0.1.16 → 0.1.18

package/runtime/storage/quiet/quiet-artifact-writer.js

@@ -1,56 +1,56 @@
-/**
- * Quiet artifact validation + source coverage gate (T4.4.1 / ADR-003).
- * Returns artifact identity for persistence layers; does not write FS/SQLite here.
- */
-import * as crypto from "node:crypto";
-const DEFAULT_MIN_COVERAGE_RATIO = 0.51;
-export function calculateQuietSourceCoverage(claims) {
-    const factual = claims.filter((c) => c.claimType === "fact");
-    const claimCoverage = claims.map((c) => {
-        const backed = c.claimType !== "fact" || c.sourceRefs.length > 0;
-        return { claimId: c.id, backed, sourceRefs: [...c.sourceRefs] };
-    });
-    const unsupportedClaims = claimCoverage.filter((x) => !x.backed).map((x) => x.claimId);
-    const coverageRatio = factual.length === 0 ? 1 : factual.filter((c) => c.sourceRefs.length > 0).length / factual.length;
-    return { coverageRatio, unsupportedClaims, claimCoverage };
-}
-/** Ratio of factual claims whose refs intersect the artifact's evidence bundle (T4.4.1). */
-export function evidenceGroundingRatio(input) {
-    const allowedIds = new Set(input.sourceRefs.map((s) => s.id));
-    const facts = input.claims.filter((c) => c.claimType === "fact");
-    if (facts.length === 0)
-        return 1;
-    let grounded = 0;
-    for (const f of facts) {
-        if (f.sourceRefs.length === 0)
-            continue;
-        if (f.sourceRefs.some((r) => allowedIds.has(r.id)))
-            grounded += 1;
-    }
-    return grounded / facts.length;
-}
-export function writeQuietArtifact(input, opts) {
-    const minCov = opts?.minimumCoverageRatio ?? DEFAULT_MIN_COVERAGE_RATIO;
-    if (input.sourceRefs.length === 0 && input.kind !== "empty_state") {
-        throw new Error("quiet_artifact_requires_source_refs");
-    }
-    const localCoverage = calculateQuietSourceCoverage(input.claims);
-    if (input.kind !== "empty_state" && localCoverage.unsupportedClaims.length > 0) {
-        throw new Error("quiet_artifact_unsupported_factual_claim");
-    }
-    const grounding = evidenceGroundingRatio(input);
-    if (input.kind !== "empty_state" && grounding < minCov) {
-        throw new Error("quiet_artifact_source_coverage_too_low");
-    }
-    const artifactId = crypto.randomUUID();
-    const artifactRef = {
-        id: `quiet:${artifactId}`,
-        kind: "workspace_artifact",
-        uri: `urn:second-nature:quiet:${input.day}:${input.kind}:${artifactId}`,
-    };
-    const sourceCoverage = {
-        ...localCoverage,
-        coverageRatio: input.kind === "empty_state" ? 1 : grounding,
-    };
-    return { artifactId, artifactRef, sourceCoverage };
-}
+/**
+ * Quiet artifact validation + source coverage gate (T4.4.1 / ADR-003).
+ * Returns artifact identity for persistence layers; does not write FS/SQLite here.
+ */
+import * as crypto from "node:crypto";
+const DEFAULT_MIN_COVERAGE_RATIO = 0.51;
+export function calculateQuietSourceCoverage(claims) {
+    const factual = claims.filter((c) => c.claimType === "fact");
+    const claimCoverage = claims.map((c) => {
+        const backed = c.claimType !== "fact" || c.sourceRefs.length > 0;
+        return { claimId: c.id, backed, sourceRefs: [...c.sourceRefs] };
+    });
+    const unsupportedClaims = claimCoverage.filter((x) => !x.backed).map((x) => x.claimId);
+    const coverageRatio = factual.length === 0 ? 1 : factual.filter((c) => c.sourceRefs.length > 0).length / factual.length;
+    return { coverageRatio, unsupportedClaims, claimCoverage };
+}
+/** Ratio of factual claims whose refs intersect the artifact's evidence bundle (T4.4.1). */
+export function evidenceGroundingRatio(input) {
+    const allowedIds = new Set(input.sourceRefs.map((s) => s.id));
+    const facts = input.claims.filter((c) => c.claimType === "fact");
+    if (facts.length === 0)
+        return 1;
+    let grounded = 0;
+    for (const f of facts) {
+        if (f.sourceRefs.length === 0)
+            continue;
+        if (f.sourceRefs.some((r) => allowedIds.has(r.id)))
+            grounded += 1;
+    }
+    return grounded / facts.length;
+}
+export function writeQuietArtifact(input, opts) {
+    const minCov = opts?.minimumCoverageRatio ?? DEFAULT_MIN_COVERAGE_RATIO;
+    if (input.sourceRefs.length === 0 && input.kind !== "empty_state") {
+        throw new Error("quiet_artifact_requires_source_refs");
+    }
+    const localCoverage = calculateQuietSourceCoverage(input.claims);
+    if (input.kind !== "empty_state" && localCoverage.unsupportedClaims.length > 0) {
+        throw new Error("quiet_artifact_unsupported_factual_claim");
+    }
+    const grounding = evidenceGroundingRatio(input);
+    if (input.kind !== "empty_state" && grounding < minCov) {
+        throw new Error("quiet_artifact_source_coverage_too_low");
+    }
+    const artifactId = crypto.randomUUID();
+    const artifactRef = {
+        id: `quiet:${artifactId}`,
+        kind: "workspace_artifact",
+        uri: `urn:second-nature:quiet:${input.day}:${input.kind}:${artifactId}`,
+    };
+    const sourceCoverage = {
+        ...localCoverage,
+        coverageRatio: input.kind === "empty_state" ? 1 : grounding,
+    };
+    return { artifactId, artifactRef, sourceCoverage };
+}

package/runtime/storage/repositories/credential-repository.js

@@ -1,30 +1,30 @@
-import { eq } from "drizzle-orm";
-import { credentialRecords } from "../db/schema/index.js";
-export class CredentialRepository {
-    database;
-    constructor(database) {
-        this.database = database;
-    }
-    async upsert(record) {
-        await this.database.db.insert(credentialRecords).values(record).onConflictDoUpdate({
-            target: credentialRecords.platformId,
-            set: record,
-        });
-    }
-    async findByPlatformId(platformId) {
-        const row = await this.database.db.query.credentialRecords.findFirst({
-            where: eq(credentialRecords.platformId, platformId),
-        });
-        if (row == null) {
-            return undefined;
-        }
-        const r = row;
-        const pid = (r.platformId ?? r.platform_id);
-        const enc = (r.encryptedValue ?? r.encrypted_value);
-        // sql.js + Drizzle: no-match can still return a "shell" row (keys present, values undefined).
-        if (pid == null || pid === "" || enc == null || enc === "") {
-            return undefined;
-        }
-        return row;
-    }
-}
+import { eq } from "drizzle-orm";
+import { credentialRecords } from "../db/schema/index.js";
+export class CredentialRepository {
+    database;
+    constructor(database) {
+        this.database = database;
+    }
+    async upsert(record) {
+        await this.database.db.insert(credentialRecords).values(record).onConflictDoUpdate({
+            target: credentialRecords.platformId,
+            set: record,
+        });
+    }
+    async findByPlatformId(platformId) {
+        const row = await this.database.db.query.credentialRecords.findFirst({
+            where: eq(credentialRecords.platformId, platformId),
+        });
+        if (row == null) {
+            return undefined;
+        }
+        const r = row;
+        const pid = (r.platformId ?? r.platform_id);
+        const enc = (r.encryptedValue ?? r.encrypted_value);
+        // sql.js + Drizzle: no-match can still return a "shell" row (keys present, values undefined).
+        if (pid == null || pid === "" || enc == null || enc === "") {
+            return undefined;
+        }
+        return row;
+    }
+}

package/runtime/storage/rhythm/rhythm-policy-snapshot.d.ts

@@ -1,10 +1,10 @@
-import type { StateDatabase } from "../db/index.js";
-export interface RhythmPolicySnapshot {
-    snapshotId: string;
-    generatedAt: string;
-    quietEnabled: boolean;
-    socialDailyLimit: number;
-    outreachDailyBudget: number;
-    updatedAt: string;
-}
-export declare function loadRhythmPolicySnapshot(db: StateDatabase): Promise<RhythmPolicySnapshot>;
+import type { StateDatabase } from "../db/index.js";
+export interface RhythmPolicySnapshot {
+    snapshotId: string;
+    generatedAt: string;
+    quietEnabled: boolean;
+    socialDailyLimit: number;
+    outreachDailyBudget: number;
+    updatedAt: string;
+}
+export declare function loadRhythmPolicySnapshot(db: StateDatabase): Promise<RhythmPolicySnapshot>;

package/runtime/storage/rhythm/rhythm-policy-snapshot.js

@@ -1,34 +1,34 @@
-/**
- * Rhythm policy read model: state produces policy fields only (T4.1.2 owner boundary).
- *
- * Core logic: load workspace-scoped policy row or defaults; never emit control-plane decision fields.
- *
- * Test coverage: tests/unit/storage/rhythm-policy-snapshot.test.ts
- */
-import * as crypto from "node:crypto";
-import { eq } from "drizzle-orm";
-import { policyRecords } from "../db/schema/policies.js";
-const WORKSPACE_SCOPE = "workspace";
-export async function loadRhythmPolicySnapshot(db) {
-    const scoped = await db.db.select().from(policyRecords).where(eq(policyRecords.platformId, WORKSPACE_SCOPE)).limit(1);
-    const row = scoped[0] ?? (await db.db.select().from(policyRecords).limit(1))[0];
-    const generatedAt = new Date().toISOString();
-    if (!row) {
-        return {
-            snapshotId: crypto.randomUUID(),
-            generatedAt,
-            quietEnabled: true,
-            socialDailyLimit: 5,
-            outreachDailyBudget: 2,
-            updatedAt: generatedAt,
-        };
-    }
-    return {
-        snapshotId: crypto.randomUUID(),
-        generatedAt,
-        quietEnabled: row.quietEnabled,
-        socialDailyLimit: row.socialDailyLimit,
-        outreachDailyBudget: row.outreachDailyBudget ?? 2,
-        updatedAt: row.updatedAt,
-    };
-}
+/**
+ * Rhythm policy read model: state produces policy fields only (T4.1.2 owner boundary).
+ *
+ * Core logic: load workspace-scoped policy row or defaults; never emit control-plane decision fields.
+ *
+ * Test coverage: tests/unit/storage/rhythm-policy-snapshot.test.ts
+ */
+import * as crypto from "node:crypto";
+import { eq } from "drizzle-orm";
+import { policyRecords } from "../db/schema/policies.js";
+const WORKSPACE_SCOPE = "workspace";
+export async function loadRhythmPolicySnapshot(db) {
+    const scoped = await db.db.select().from(policyRecords).where(eq(policyRecords.platformId, WORKSPACE_SCOPE)).limit(1);
+    const row = scoped[0] ?? (await db.db.select().from(policyRecords).limit(1))[0];
+    const generatedAt = new Date().toISOString();
+    if (!row) {
+        return {
+            snapshotId: crypto.randomUUID(),
+            generatedAt,
+            quietEnabled: true,
+            socialDailyLimit: 5,
+            outreachDailyBudget: 2,
+            updatedAt: generatedAt,
+        };
+    }
+    return {
+        snapshotId: crypto.randomUUID(),
+        generatedAt,
+        quietEnabled: row.quietEnabled,
+        socialDailyLimit: row.socialDailyLimit,
+        outreachDailyBudget: row.outreachDailyBudget ?? 2,
+        updatedAt: row.updatedAt,
+    };
+}

package/runtime/storage/services/credential-vault.d.ts

@@ -1,13 +1,13 @@
-import type { StateDatabase } from "../db/index.js";
-import type { CredentialContextWrite, CredentialContext, CredentialState } from "../../shared/types/index.js";
-/** Three colon-separated hex segments produced by `encryptCredentialAtRest`. */
-export declare function isCredentialCiphertext(value: string): boolean;
-/** Encrypts non-empty plaintext; empty string returns empty. */
-export declare function encryptCredentialAtRest(plaintext: string): string;
-export declare function decryptCredentialAtRest(ciphertext: string): string;
-export interface CredentialVault {
-    saveCredentialContext(input: CredentialContextWrite): Promise<void>;
-    loadCredentialContext(platformId: string): Promise<CredentialContext | null>;
-    getCredentialState(platformId: string): Promise<CredentialState>;
-}
-export declare function createCredentialVault(db: StateDatabase["db"]): CredentialVault;
+import type { StateDatabase } from "../db/index.js";
+import type { CredentialContextWrite, CredentialContext, CredentialState } from "../../shared/types/index.js";
+/** Three colon-separated hex segments produced by `encryptCredentialAtRest`. */
+export declare function isCredentialCiphertext(value: string): boolean;
+/** Encrypts non-empty plaintext; empty string returns empty. */
+export declare function encryptCredentialAtRest(plaintext: string): string;
+export declare function decryptCredentialAtRest(ciphertext: string): string;
+export interface CredentialVault {
+    saveCredentialContext(input: CredentialContextWrite): Promise<void>;
+    loadCredentialContext(platformId: string): Promise<CredentialContext | null>;
+    getCredentialState(platformId: string): Promise<CredentialState>;
+}
+export declare function createCredentialVault(db: StateDatabase["db"]): CredentialVault;

package/runtime/storage/services/credential-vault.js

@@ -1,116 +1,116 @@
-/**
- * Credential encryption at rest (AES-256-GCM).
- *
- * Key material: `SECOND_NATURE_ENCRYPTION_KEY` (UTF-8, first 32 bytes used). Lazy read so tests can set env before first encrypt.
- * Test coverage: tests/integration/cli/cli-ops-surface.test.ts (credential save path via state-api).
- */
-import * as crypto from "crypto";
-import { eq } from "drizzle-orm";
-import { credentialRecords } from "../db/schema/index.js";
-const ALGORITHM = "aes-256-gcm";
-function resolveKeyBuffer() {
-    const raw = process.env.SECOND_NATURE_ENCRYPTION_KEY?.trim();
-    if (!raw || raw.length < 32) {
-        throw new Error("SECOND_NATURE_ENCRYPTION_KEY is required for credential encryption at rest (min 32 UTF-8 characters)");
-    }
-    return Buffer.from(raw.slice(0, 32), "utf8");
-}
-function encryptInternal(plaintext) {
-    const iv = crypto.randomBytes(16);
-    const key = resolveKeyBuffer();
-    const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
-    const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
-    const authTag = cipher.getAuthTag();
-    return iv.toString("hex") + ":" + authTag.toString("hex") + ":" + encrypted.toString("hex");
-}
-function decryptInternal(ciphertext) {
-    const parts = ciphertext.split(":");
-    if (parts.length !== 3) {
-        throw new Error("credential_ciphertext_invalid_format");
-    }
-    const iv = Buffer.from(parts[0], "hex");
-    const authTag = Buffer.from(parts[1], "hex");
-    const encrypted = Buffer.from(parts[2], "hex");
-    const key = resolveKeyBuffer();
-    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
-    decipher.setAuthTag(authTag);
-    return decipher.update(encrypted) + decipher.final("utf8");
-}
-/** Three colon-separated hex segments produced by `encryptCredentialAtRest`. */
-export function isCredentialCiphertext(value) {
-    const parts = value.split(":");
-    if (parts.length !== 3)
-        return false;
-    return parts.every((p) => /^[0-9a-f]+$/i.test(p));
-}
-/** Encrypts non-empty plaintext; empty string returns empty. */
-export function encryptCredentialAtRest(plaintext) {
-    if (!plaintext)
-        return "";
-    return encryptInternal(plaintext);
-}
-export function decryptCredentialAtRest(ciphertext) {
-    if (!ciphertext)
-        return "";
-    return decryptInternal(ciphertext);
-}
-export function createCredentialVault(db) {
-    return {
-        async saveCredentialContext(input) {
-            const encrypted = input.encryptedValue ? encryptCredentialAtRest(input.encryptedValue) : "";
-            await db.insert(credentialRecords).values({
-                platformId: input.platformId,
-                credentialType: input.credentialType,
-                encryptedValue: encrypted,
-                status: input.status,
-                verificationCode: input.verificationCode ?? null,
-                challengeText: input.challengeText ?? null,
-                expiresAt: input.expiresAt ?? null,
-                attemptsRemaining: input.attemptsRemaining ?? null,
-                updatedAt: new Date().toISOString(),
-            }).onConflictDoUpdate({
-                target: credentialRecords.platformId,
-                set: {
-                    credentialType: input.credentialType,
-                    encryptedValue: encrypted,
-                    status: input.status,
-                    verificationCode: input.verificationCode ?? null,
-                    challengeText: input.challengeText ?? null,
-                    expiresAt: input.expiresAt ?? null,
-                    attemptsRemaining: input.attemptsRemaining ?? null,
-                    updatedAt: new Date().toISOString(),
-                },
-            });
-        },
-        async loadCredentialContext(platformId) {
-            const record = await db.query.credentialRecords.findFirst({
-                where: (tbl) => eq(tbl.platformId, platformId),
-            });
-            if (!record)
-                return null;
-            let plain;
-            if (record.encryptedValue) {
-                if (!isCredentialCiphertext(record.encryptedValue)) {
-                    throw new Error("credential_store_plaintext_or_invalid_legacy_record");
-                }
-                plain = decryptCredentialAtRest(record.encryptedValue);
-            }
-            return {
-                platformId: record.platformId,
-                credentialType: record.credentialType,
-                status: record.status,
-                encryptedValue: plain,
-                verificationCode: record.verificationCode ?? undefined,
-                challengeText: record.challengeText ?? undefined,
-                verificationDeadline: record.expiresAt ?? undefined,
-                attemptsRemaining: record.attemptsRemaining ?? undefined,
-            };
-        },
-        async getCredentialState(platformId) {
-            const record = await db.query.credentialRecords.findFirst({
-                where: (tbl) => eq(tbl.platformId, platformId),
-            });
-            return record?.status || "missing";
-        },
-    };
-}
+/**
+ * Credential encryption at rest (AES-256-GCM).
+ *
+ * Key material: `SECOND_NATURE_ENCRYPTION_KEY` (UTF-8, first 32 bytes used). Lazy read so tests can set env before first encrypt.
+ * Test coverage: tests/integration/cli/cli-ops-surface.test.ts (credential save path via state-api).
+ */
+import * as crypto from "crypto";
+import { eq } from "drizzle-orm";
+import { credentialRecords } from "../db/schema/index.js";
+const ALGORITHM = "aes-256-gcm";
+function resolveKeyBuffer() {
+    const raw = process.env.SECOND_NATURE_ENCRYPTION_KEY?.trim();
+    if (!raw || raw.length < 32) {
+        throw new Error("SECOND_NATURE_ENCRYPTION_KEY is required for credential encryption at rest (min 32 UTF-8 characters)");
+    }
+    return Buffer.from(raw.slice(0, 32), "utf8");
+}
+function encryptInternal(plaintext) {
+    const iv = crypto.randomBytes(16);
+    const key = resolveKeyBuffer();
+    const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+    const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    return iv.toString("hex") + ":" + authTag.toString("hex") + ":" + encrypted.toString("hex");
+}
+function decryptInternal(ciphertext) {
+    const parts = ciphertext.split(":");
+    if (parts.length !== 3) {
+        throw new Error("credential_ciphertext_invalid_format");
+    }
+    const iv = Buffer.from(parts[0], "hex");
+    const authTag = Buffer.from(parts[1], "hex");
+    const encrypted = Buffer.from(parts[2], "hex");
+    const key = resolveKeyBuffer();
+    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    return decipher.update(encrypted) + decipher.final("utf8");
+}
+/** Three colon-separated hex segments produced by `encryptCredentialAtRest`. */
+export function isCredentialCiphertext(value) {
+    const parts = value.split(":");
+    if (parts.length !== 3)
+        return false;
+    return parts.every((p) => /^[0-9a-f]+$/i.test(p));
+}
+/** Encrypts non-empty plaintext; empty string returns empty. */
+export function encryptCredentialAtRest(plaintext) {
+    if (!plaintext)
+        return "";
+    return encryptInternal(plaintext);
+}
+export function decryptCredentialAtRest(ciphertext) {
+    if (!ciphertext)
+        return "";
+    return decryptInternal(ciphertext);
+}
+export function createCredentialVault(db) {
+    return {
+        async saveCredentialContext(input) {
+            const encrypted = input.encryptedValue ? encryptCredentialAtRest(input.encryptedValue) : "";
+            await db.insert(credentialRecords).values({
+                platformId: input.platformId,
+                credentialType: input.credentialType,
+                encryptedValue: encrypted,
+                status: input.status,
+                verificationCode: input.verificationCode ?? null,
+                challengeText: input.challengeText ?? null,
+                expiresAt: input.expiresAt ?? null,
+                attemptsRemaining: input.attemptsRemaining ?? null,
+                updatedAt: new Date().toISOString(),
+            }).onConflictDoUpdate({
+                target: credentialRecords.platformId,
+                set: {
+                    credentialType: input.credentialType,
+                    encryptedValue: encrypted,
+                    status: input.status,
+                    verificationCode: input.verificationCode ?? null,
+                    challengeText: input.challengeText ?? null,
+                    expiresAt: input.expiresAt ?? null,
+                    attemptsRemaining: input.attemptsRemaining ?? null,
+                    updatedAt: new Date().toISOString(),
+                },
+            });
+        },
+        async loadCredentialContext(platformId) {
+            const record = await db.query.credentialRecords.findFirst({
+                where: (tbl) => eq(tbl.platformId, platformId),
+            });
+            if (!record)
+                return null;
+            let plain;
+            if (record.encryptedValue) {
+                if (!isCredentialCiphertext(record.encryptedValue)) {
+                    throw new Error("credential_store_plaintext_or_invalid_legacy_record");
+                }
+                plain = decryptCredentialAtRest(record.encryptedValue);
+            }
+            return {
+                platformId: record.platformId,
+                credentialType: record.credentialType,
+                status: record.status,
+                encryptedValue: plain,
+                verificationCode: record.verificationCode ?? undefined,
+                challengeText: record.challengeText ?? undefined,
+                verificationDeadline: record.expiresAt ?? undefined,
+                attemptsRemaining: record.attemptsRemaining ?? undefined,
+            };
+        },
+        async getCredentialState(platformId) {
+            const record = await db.query.credentialRecords.findFirst({
+                where: (tbl) => eq(tbl.platformId, platformId),
+            });
+            return record?.status || "missing";
+        },
+    };
+}

package/runtime/storage/snapshots/continuity-snapshot.d.ts

@@ -1,9 +1,9 @@
-import type { ObservabilityDatabase } from "../../observability/db/index.js";
-import type { StateDatabase } from "../db/index.js";
-import type { ContinuitySnapshot } from "./types.js";
-export interface LoadContinuitySnapshotParams {
-    state: StateDatabase;
-    workspaceRoot: string;
-    observability?: ObservabilityDatabase;
-}
-export declare function loadContinuitySnapshot(params: LoadContinuitySnapshotParams): Promise<ContinuitySnapshot>;
+import type { ObservabilityDatabase } from "../../observability/db/index.js";
+import type { StateDatabase } from "../db/index.js";
+import type { ContinuitySnapshot } from "./types.js";
+export interface LoadContinuitySnapshotParams {
+    state: StateDatabase;
+    workspaceRoot: string;
+    observability?: ObservabilityDatabase;
+}
+export declare function loadContinuitySnapshot(params: LoadContinuitySnapshotParams): Promise<ContinuitySnapshot>;

package/runtime/storage/snapshots/continuity-snapshot.js

@@ -1,41 +1,41 @@
-/**
- * Continuity snapshot read model (T4.2.1) — lightweight bridge until full state feeds land.
- */
-import * as crypto from "node:crypto";
-import { desc } from "drizzle-orm";
-import { decisionLedger } from "../../observability/db/schema/index.js";
-import { repairStateIndexes } from "../bootstrap/repair-gate.js";
-import { loadLifeEvidenceSnapshot } from "./life-evidence-snapshot.js";
-export async function loadContinuitySnapshot(params) {
-    await repairStateIndexes(params.state, { startupGate: true, workspaceRoot: params.workspaceRoot });
-    const life = await loadLifeEvidenceSnapshot(params.state, params.workspaceRoot, { limit: 50 }, { runRepairGate: false });
-    let recentDecisionRefs = [];
-    if (params.observability) {
-        const rows = await params.observability.db
-            .select()
-            .from(decisionLedger)
-            .orderBy(desc(decisionLedger.createdAt))
-            .limit(5);
-        recentDecisionRefs = rows.map((r) => ({
-            id: r.id,
-            kind: "decision_record",
-            uri: `sn://decision/${r.id}`,
-        }));
-    }
-    const pendingCount = life.platformEvents.length + life.workEvents.length + life.userInteractionEvents.length;
-    const oldest = [...life.platformEvents, ...life.workEvents, ...life.userInteractionEvents]
-        .map((e) => e.timestamp)
-        .sort()[0];
-    return {
-        snapshotId: crypto.randomUUID(),
-        generatedAt: new Date().toISOString(),
-        recentDecisionRefs,
-        openObligations: [],
-        quietDebt: {
-            hasUnprocessedEvidence: !life.empty,
-            oldestUnprocessedEvidenceAt: oldest,
-            pendingCount,
-        },
-        fallbackRefs: [],
-    };
-}
+/**
+ * Continuity snapshot read model (T4.2.1) — lightweight bridge until full state feeds land.
+ */
+import * as crypto from "node:crypto";
+import { desc } from "drizzle-orm";
+import { decisionLedger } from "../../observability/db/schema/index.js";
+import { repairStateIndexes } from "../bootstrap/repair-gate.js";
+import { loadLifeEvidenceSnapshot } from "./life-evidence-snapshot.js";
+export async function loadContinuitySnapshot(params) {
+    await repairStateIndexes(params.state, { startupGate: true, workspaceRoot: params.workspaceRoot });
+    const life = await loadLifeEvidenceSnapshot(params.state, params.workspaceRoot, { limit: 50 }, { runRepairGate: false });
+    let recentDecisionRefs = [];
+    if (params.observability) {
+        const rows = await params.observability.db
+            .select()
+            .from(decisionLedger)
+            .orderBy(desc(decisionLedger.createdAt))
+            .limit(5);
+        recentDecisionRefs = rows.map((r) => ({
+            id: r.id,
+            kind: "decision_record",
+            uri: `sn://decision/${r.id}`,
+        }));
+    }
+    const pendingCount = life.platformEvents.length + life.workEvents.length + life.userInteractionEvents.length;
+    const oldest = [...life.platformEvents, ...life.workEvents, ...life.userInteractionEvents]
+        .map((e) => e.timestamp)
+        .sort()[0];
+    return {
+        snapshotId: crypto.randomUUID(),
+        generatedAt: new Date().toISOString(),
+        recentDecisionRefs,
+        openObligations: [],
+        quietDebt: {
+            hasUnprocessedEvidence: !life.empty,
+            oldestUnprocessedEvidenceAt: oldest,
+            pendingCount,
+        },
+        fallbackRefs: [],
+    };
+}

package/runtime/storage/snapshots/life-evidence-snapshot.d.ts

@@ -1,6 +1,6 @@
-import type { StateDatabase } from "../db/index.js";
-import type { LifeEvidenceQuery, LifeEvidenceSnapshot } from "./types.js";
-export interface LoadLifeEvidenceSnapshotOptions {
-    runRepairGate?: boolean;
-}
-export declare function loadLifeEvidenceSnapshot(state: StateDatabase, workspaceRoot: string, query: LifeEvidenceQuery, options?: LoadLifeEvidenceSnapshotOptions): Promise<LifeEvidenceSnapshot>;
+import type { StateDatabase } from "../db/index.js";
+import type { LifeEvidenceQuery, LifeEvidenceSnapshot } from "./types.js";
+export interface LoadLifeEvidenceSnapshotOptions {
+    runRepairGate?: boolean;
+}
+export declare function loadLifeEvidenceSnapshot(state: StateDatabase, workspaceRoot: string, query: LifeEvidenceQuery, options?: LoadLifeEvidenceSnapshotOptions): Promise<LifeEvidenceSnapshot>;