@ijfw/memory-server 1.5.0 → 1.5.1

package/src/orchestrator/state-sdk.js

@@ -11,13 +11,16 @@
  * straight off that contract.
  *
  * ───────────────────────────────────────────────────────────────────────────
- * SCOPE BOUNDARY — T2 builds the verb core; three later tasks wrap it:
+ * SCOPE BOUNDARY — T2 built the verb core; three later tasks wrapped it.
+ * All three (T3/T4/T5) are now REALIZED — this section is kept as the design
+ * record, but the seams below are live, not stubs:
  *
- *   T3 (lock hierarchy)   — wraps `_withLocks()`. Today it is a pass-through;
- *                           T3 swaps in `withFsLock` acquisition in the §3
- *                           canonical acquire-order. Handlers already declare
- *                           the ordered lock-target list they touch, so T3
- *                           only has to make `_withLocks` honor it.
+ *   T3 (lock hierarchy)   — `_withLocks()` is NOT a pass-through. It acquires
+ *                           real filesystem locks via `withFsLock`, ordering
+ *                           each verb's declared lock-target list through
+ *                           `canonicalLockOrder` (the §3 canonical acquire
+ *                           order) to prevent deadlock, then runs `fn` while
+ *                           the locks are held and releases on completion.
  *   T4 (intent/commit)    — wraps `_journalBegin()` / `_journalCommit()`.
  *                           Today they are no-ops; T4 makes them write the
  *                           write-ahead `intent-journal.jsonl` records and
@@ -40,6 +43,7 @@ import { join, isAbsolute, dirname, basename } from 'node:path';
 import { homedir } from 'node:os';
 import { randomUUID, createHash } from 'node:crypto';
 import { gunzipSync } from 'node:zlib';
+import { execFileSync } from 'node:child_process';
 
 import { writeAtomic, readSafe } from '../lib/atomic-io.js';
 import { rotateJsonlIfNeeded } from '../lib/jsonl-rotation.js';
@@ -58,6 +62,17 @@ import {
   appendUnderHeldLock as appendEventUnderHeldLock,
   resolveEventLogPath,
 } from './state-events.js';
+// v1.5.1 cleanup C1: S08 incident-driven worktree safety guards. Previously
+// orphan (only importer was the unwired runtime-loop.js). Wired here as
+// preconditions of the LIVE `subagent.dispatch` verb — the genuinely-reachable
+// worktree-isolated spawn path (ijfw_state MCP tool → query → subagent.dispatch).
+// worktree-guards.js has no state-sdk dependency, so a static import is safe.
+import {
+  captureSpawnToplevel,
+  assertPathWithinToplevel,
+  assertNoCwdDrift,
+  assertNotProtectedRef,
+} from '../lib/worktree-guards.js';
 
 // ---------------------------------------------------------------------------
 // Gate-function indirection (T15 — Model 4 testability seam)
@@ -704,6 +719,88 @@ function requireStr(value, field) {
 
 function nowIso() { return new Date().toISOString(); }
 
+/**
+ * v1.5.1 cleanup C1 — S08 worktree-guard preconditions for `subagent.dispatch`.
+ *
+ * Runs the three incident-driven guards (worktree-guards.js) against the
+ * project root a worktree-isolated subagent is about to be dispatched into:
+ *   #3099 — assertPathWithinToplevel  (abs-path / symlink escape)
+ *   #3097 — assertNoCwdDrift          (cwd drifted off the toplevel)
+ *   #2924 — assertNotProtectedRef     (HEAD on main/master/develop/…)
+ *
+ * Semantics — `subagent.dispatch` is a brief-COMPOSITION verb (it produces a
+ * deterministic dispatch brief; the real spawn happens platform-side). The
+ * guards are therefore PRECONDITIONS surfaced on the result, not a hard abort
+ * of brief composition:
+ *   - Project root IS a git repo  → all 3 guards run. A failure is reported on
+ *     `guard.violations[]` and `guard.ok=false`. With IJFW_WORKTREE_GUARD_STRICT=1
+ *     a violation throws (aborts the dispatch before `_withLocks`).
+ *   - Project root is NOT a git repo (or guards can't run) → `guard.ok` stays
+ *     true with `guard.skipped` set; brief composition proceeds. This keeps the
+ *     verb usable from non-git temp dirs (tests, scratch projects).
+ *
+ * Only `'worktree'` isolation is guarded — `'shared'` dispatch spawns no
+ * separate worktree so containment/drift/protected-ref don't apply.
+ *
+ * @param {string} projectRoot   absolute path the subagent dispatches into
+ * @param {'shared'|'worktree'} isolation
+ * @returns {{ok:boolean, skipped?:string, violations:string[], branch?:string}}
+ * @throws {Error} only when IJFW_WORKTREE_GUARD_STRICT=1 and a guard fails
+ */
+function runWorktreeGuards(projectRoot, isolation) {
+  if (isolation !== 'worktree') {
+    return { ok: true, skipped: 'shared-isolation', violations: [] };
+  }
+  // Quiet git-repo pre-check — captureSpawnToplevel would otherwise let git's
+  // own "fatal: not a git repository" hit our stderr on non-git roots (common
+  // in tests / scratch projects). Suppress git stderr here, then run the real
+  // guards only when we know we're inside a work tree.
+  try {
+    const probe = execFileSync(
+      'git', ['rev-parse', '--is-inside-work-tree'],
+      { cwd: projectRoot, encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'] },
+    ).trim();
+    if (probe !== 'true') {
+      return { ok: true, skipped: 'not-a-git-repo', violations: [] };
+    }
+  } catch {
+    // Not a git tree — nothing to contain. Brief composition still proceeds.
+    return { ok: true, skipped: 'not-a-git-repo', violations: [] };
+  }
+  let toplevel;
+  try {
+    toplevel = captureSpawnToplevel(projectRoot);
+  } catch {
+    return { ok: true, skipped: 'not-a-git-repo', violations: [] };
+  }
+  const violations = [];
+  let branch;
+  try {
+    assertPathWithinToplevel(projectRoot, toplevel);
+  } catch (e) {
+    violations.push(`path-escape: ${e.message}`);
+  }
+  try {
+    assertNoCwdDrift(toplevel, projectRoot);
+  } catch (e) {
+    violations.push(`cwd-drift: ${e.message}`);
+  }
+  try {
+    branch = assertNotProtectedRef(projectRoot);
+  } catch (e) {
+    violations.push(`protected-ref: ${e.message}`);
+  }
+  const ok = violations.length === 0;
+  if (!ok && process.env.IJFW_WORKTREE_GUARD_STRICT === '1') {
+    throw new Error(
+      `state-sdk: subagent.dispatch S08 worktree guard failed — ${violations.join('; ')}`,
+    );
+  }
+  return ok
+    ? { ok: true, violations: [], branch }
+    : { ok: false, violations };
+}
+
 // ---------------------------------------------------------------------------
 // VERB HANDLERS — one per contract §7 block. Signature: (payload, ctx, env).
 // `env` carries the per-invocation { verbId } so handlers can stamp records.
@@ -1000,6 +1097,13 @@ const handlers = {
     const isolation = payload?.isolation === 'shared' ? 'shared' : 'worktree';
     const role = typeof payload?.role === 'string' && payload.role.length > 0
       ? payload.role : null;
+    // v1.5.1 cleanup C1 — S08 worktree-guard preconditions. Runs the three
+    // incident-driven guards BEFORE the wave-state mutation when isolation is
+    // 'worktree'. This is the production caller worktree-guards.js was missing
+    // (its only prior importer was the unwired runtime-loop.js). With
+    // IJFW_WORKTREE_GUARD_STRICT=1 a guard violation throws here, aborting the
+    // dispatch before `_withLocks`; otherwise it is surfaced on the result.
+    const worktreeGuard = runWorktreeGuards(root, isolation);
     // Caller-supplied env passthrough (object: name → value). Coerce values to
     // strings (env vars are always strings) and drop nullish entries.
     const callerEnv = (payload?.env && typeof payload.env === 'object'
@@ -1078,6 +1182,11 @@ const handlers = {
         isolation,
         inheritedEnv,
         eventLogPath,
+        // v1.5.1 cleanup C1 — S08 guard outcome. `{ok:true}` when guards passed
+        // or were skipped (non-git root / shared isolation); `{ok:false,
+        // violations[]}` when a containment/drift/protected-ref hazard was
+        // detected (non-strict mode — the orchestrator should not spawn).
+        worktreeGuard,
       };
     }, env);
   },
@@ -1127,12 +1236,69 @@ const handlers = {
       process.stderr.write(`[state-sdk] WARN subagent.post-done gate execution-fail: ${e.message}\n`);
       return { ok: true, advisory: true, gate: 'post-done-self-check', reason: e.message };
     }
+    // v1.5.1 cleanup C1 — T20 truncation classification. When the caller hands
+    // us the subagent's `events` stream and/or intent `journal` on the payload,
+    // run `detectTruncation` so a truncated post-DONE is classified on the LIVE
+    // path (ijfw_state MCP tool → query → subagent.post-done). This is the
+    // production caller recovery/truncation.js was missing — its only prior
+    // importer was the unwired runtime-loop.js. Annotation-only: the classifier
+    // never throws and never alters the self-check verdict.
+    let truncation;
+    if (Array.isArray(payload?.events) || Array.isArray(payload?.journal)) {
+      try {
+        const { detectTruncation } = await import('../recovery/truncation.js');
+        const det = detectTruncation({
+          events: payload.events,
+          journal: payload.journal,
+          expectedTerminalVerb: payload.expectedTerminalVerb,
+        });
+        truncation = {
+          truncated: det.truncated,
+          reason: det.reason,
+        };
+      } catch (e) {
+        process.stderr.write(
+          `[state-sdk] WARN subagent.post-done truncation classify failed: ${e.message}\n`,
+        );
+      }
+    }
     if (selfCheck.verdict !== 'PASSED') {
       const reason = `self-check FAILED — ${selfCheck.files_missing.length} missing file(s), `
         + `${selfCheck.commits_missing.length} missing commit(s)`;
+      // v1.5.1: LIVE wiring of debug-trident (T29) onto the production
+      // gate-failure path. When the post-done self-check FAILS this is
+      // exactly the stalled-investigation moment the Trident debug loop
+      // exists for — dispatch codex+gemini to generate competing root-cause
+      // hypotheses against the gate-failure evidence. FIRE-AND-FORGET:
+      // `maybeFireDebugTrident` returns immediately, the campaign runs in a
+      // detached promise — the verb's return value + timing are UNCHANGED so
+      // STATE-SDK-CONTRACT §8 (subagent.post-done is a fast read verb) holds.
+      // Env-gated (IJFW_DEBUG_TRIDENT) + silent no-op on missing deps; never
+      // throws. Dynamic import avoids a static require cycle. Mirrors the
+      // A-Mem auto-linker fire-and-forget pattern in memory/fts5.js.
+      try {
+        import('./debug-trident-trigger.js')
+          .then(({ maybeFireDebugTrident }) => {
+            maybeFireDebugTrident({
+              projectRoot,
+              subagentId: _subagentId,
+              reason,
+              reportText,
+              selfCheck,
+            });
+          })
+          .catch((e) => {
+            try {
+              process.stderr.write(
+                `[state-sdk] WARN subagent.post-done debug-trident dispatch failed: ${e.message}\n`,
+              );
+            } catch { /* never throw */ }
+          });
+      } catch { /* fire-and-forget — never alters the verb verdict */ }
       if (!GATE_BYPASS) {
         return {
           ok: false, refused: true, gate: 'post-done-self-check', reason,
+          ...(truncation ? { truncation } : {}),
         };
       }
       // Bypass masks a would-be refusal — emit a loud WARN + advisory
@@ -1149,6 +1315,7 @@ const handlers = {
           claimedCommits: selfCheck.commits_claimed,
           verified: false,
         },
+        ...(truncation ? { truncation } : {}),
       };
     }
     return {
@@ -1158,6 +1325,7 @@ const handlers = {
         claimedCommits: selfCheck.commits_claimed,
         verified: selfCheck.verdict === 'PASSED',
       },
+      ...(truncation ? { truncation } : {}),
     };
   },
 

package/src/orchestrator/subagent-telemetry.js

@@ -27,6 +27,10 @@ import { query } from './state-sdk.js';
 import { pollEvents } from './state-events.js';
 // v1.5.0 N4.obs M1+M2: trace-id + hierarchical observation path.
 import { getTraceId, composePath } from '../observability/trace-id.js';
+// v1.5.1 W2.F: checkpoint-contract evaluator (N4.obs M3). Validates a final
+// status report carried by a checkpoint envelope against the v1.4.4 N2
+// four-section contract before the envelope is written.
+import { evaluateCheckpointContract } from '../observability/evaluator-checkpoint-contract.js';
 
 // ---------------------------------------------------------------------------
 // Frozen constants — Wave 11-A imports these directly
@@ -123,6 +127,21 @@ export async function recordCheckpoint(waveId, subId, checkpoint, projectRoot) {
     ...checkpoint,
   };
 
+  // v1.5.1 W2.F: contract-validate at emission time. When a checkpoint
+  // envelope carries the subagent's final status report (`checkpoint.report`),
+  // it MUST satisfy the v1.4.4 N2 four-section contract (Status/SHAs/Files/
+  // Tests). Schema drift now fails LOUD here at write — not silently at read.
+  // Progress-only checkpoints (no `report` field) skip this check unchanged.
+  if (typeof checkpoint.report === 'string') {
+    const evalResult = evaluateCheckpointContract(checkpoint.report);
+    if (!evalResult.valid) {
+      throw new Error(
+        `subagent-telemetry: checkpoint report for ${waveId}/${subId} `
+        + `violates checkpoint-contract — ${evalResult.reason}`,
+      );
+    }
+  }
+
   const serialised = JSON.stringify(envelope);
   if (serialised.length > MAX_CHECKPOINT_SIZE) {
     throw new Error(

package/src/override-resolver.js

@@ -65,9 +65,11 @@ import {
  * projectRoot. Used by deployResolvedSkill to know which platforms to write
  * the merged body into.
  *
- * TODO(W2b/t11): replace this with an exported helper from
- * installer/src/install-helpers.js once that module exposes a canonical
- * platform-list getter. Until then this on-disk probe is the contract.
+ * DEFERRED (platform-list consolidation): could be replaced with an exported
+ * helper from installer/src/install-helpers.js once that module exposes a
+ * canonical platform-list getter. Until then this on-disk probe is the
+ * contract — and as an on-disk probe it correctly reflects what is actually
+ * deployed, so the consolidation is a nice-to-have, not a defect.
  *
  * @param {string} projectRoot
  * @returns {string[]} absolute paths to existing platform skill dirs

package/src/recovery/code-fixer.js

@@ -21,12 +21,22 @@
  * pattern — if the process crashes mid-fix the next run prunes the dangling
  * worktree and reports the survivor.
  *
+ * WIRE-UP (v1.5.1 C2): the consensus entry point `runConsensusFix` is invoked
+ * by `cross-orchestrator.js#runPhaseEConverge` when its caller passes
+ * `autoFix: true`. After a non-PASS convergence the orchestrator extracts the
+ * HIGH findings that 2+ lenses agreed on (`consensusHighFindings`) and runs
+ * the atomic per-finding fix loop over them — the "2+ lenses agree → fixer
+ * fires automatically" contract from the T27 brief. This module is therefore
+ * a live, reachable production path, not an orphan.
+ *
  * Zero new prod deps. ESM. Node ≥18.
  */
 
-import { existsSync } from 'node:fs';
+import { existsSync, realpathSync } from 'node:fs';
 import { readFile, writeFile, mkdtemp, rm } from 'node:fs/promises';
-import { join, extname, relative, isAbsolute, resolve as resolvePath } from 'node:path';
+import {
+  join, extname, relative, isAbsolute, resolve as resolvePath, dirname,
+} from 'node:path';
 import { tmpdir } from 'node:os';
 import { execFile, spawnSync } from 'node:child_process';
 import { promisify } from 'node:util';
@@ -35,6 +45,82 @@ import { withRecoverySentinel } from '../lib/worktree-recovery.js';
 
 const execFileAsync = promisify(execFile);
 
+/* ────────────────────── R5-1.10: auto-fix safety boundary ────────────────── */
+
+/**
+ * Default ceiling on the number of distinct files a single `runConsensusFix`
+ * call may write. Auto-fix is opt-in, but even when enabled it must not be
+ * able to mass-rewrite a repository — past this cap the loop stops and
+ * reports the remainder rather than continuing to mutate. Callers can lower
+ * (never silently raise past sanity) this via `maxAutoFixFiles`.
+ */
+export const DEFAULT_MAX_AUTOFIX_FILES = 10;
+// Hard ceiling — a caller cannot pass `maxAutoFixFiles` above this.
+const MAX_AUTOFIX_FILES_CEILING = 50;
+
+/**
+ * isPathContained(filePath, projectRoot) — true iff `filePath` resolves to a
+ * location at or under `projectRoot`. Symlinks are resolved on BOTH sides
+ * (realpath) so a symlink inside the repo that points outside it is rejected.
+ *
+ * Mirrors the containment prior art in cross-project-search.js#isUnder /
+ * safeResolveProjectPath: realpath the root, realpath the entry (falling back
+ * to the un-resolved absolute when the entry doesn't exist yet — e.g. a fix
+ * that would create a file — and in that case realpath the parent dir), then
+ * a trailing-separator boundary check so `/repo-evil` is NOT inside `/repo`.
+ *
+ * Returns { ok, reason, canonical? }.
+ */
+export function isPathContained(filePath, projectRoot) {
+  if (!filePath || typeof filePath !== 'string') {
+    return { ok: false, reason: 'no-file-path' };
+  }
+  if (!projectRoot || typeof projectRoot !== 'string') {
+    return { ok: false, reason: 'no-project-root' };
+  }
+  // Canonicalise the root. If it doesn't resolve, fall back to absolute.
+  let canonRoot;
+  try {
+    canonRoot = realpathSync(resolvePath(projectRoot));
+  } catch {
+    canonRoot = resolvePath(projectRoot);
+  }
+  // Canonicalise the target. The file may not exist yet (a creating fix), so
+  // realpath the deepest existing ancestor and re-join the missing tail.
+  const absTarget = isAbsolute(filePath)
+    ? filePath
+    : resolvePath(canonRoot, filePath);
+  let canonTarget;
+  try {
+    canonTarget = realpathSync(absTarget);
+  } catch {
+    let probe = absTarget;
+    const tail = [];
+    // Walk up until we hit something that exists (or the fs root).
+    while (probe && !existsSync(probe) && dirname(probe) !== probe) {
+      tail.unshift(probe.slice(dirname(probe).length).replace(/^[\\/]/, ''));
+      probe = dirname(probe);
+    }
+    let canonProbe;
+    try { canonProbe = realpathSync(probe); }
+    catch { canonProbe = resolvePath(probe); }
+    canonTarget = tail.length ? join(canonProbe, ...tail) : canonProbe;
+  }
+  // Boundary check with trailing separator so siblings can't impersonate.
+  const rel = relative(canonRoot, canonTarget);
+  const escapes = rel === '..'
+    || rel.startsWith(`..${'/'}`) || rel.startsWith(`..${'\\'}`)
+    || isAbsolute(rel);
+  if (escapes) {
+    return {
+      ok: false,
+      reason: `path escapes project root (${canonTarget} not under ${canonRoot})`,
+      canonical: canonTarget,
+    };
+  }
+  return { ok: true, reason: '', canonical: canonTarget };
+}
+
 /* ────────────────────────────── status codes ────────────────────────────── */
 
 export const STATUS = Object.freeze({
@@ -46,6 +132,12 @@ export const STATUS = Object.freeze({
   FALLBACK_FAIL: 'FALLBACK_FAIL',
   TRIDENT_FAIL:  'TRIDENT_FAIL',
   COMMIT_FAIL:   'COMMIT_FAIL',
+  // R5-1.10 — finding's target file resolves outside the audited project
+  // root. The fixer refuses to touch it (path-containment guard).
+  OUT_OF_ROOT:   'OUT_OF_ROOT',
+  // R5-1.10 — the per-run change cap was reached; this finding (and any
+  // after it) was skipped without being applied.
+  CAP_REACHED:   'CAP_REACHED',
 });
 
 /* ────────────────────────────── logic-bug heuristic ─────────────────────── */
@@ -446,9 +538,27 @@ export async function fixFinding({
   }
 
   // 2. confirm target exists + snapshot
+  const root = projectRoot || process.cwd();
   const filePath = isAbsolute(finding.file)
     ? finding.file
-    : resolvePath(projectRoot || process.cwd(), finding.file);
+    : resolvePath(root, finding.file);
+
+  // R5-1.10 — PATH CONTAINMENT. Auto-fix mutates the working tree; it must
+  // only ever touch files inside the project root being audited. A finding
+  // whose `file` resolves outside the root (absolute escape, `../` traversal,
+  // or a symlink pointing out) is REFUSED before any read/write happens.
+  // This is checked before existsSync so an out-of-root path can't even be
+  // probed for existence.
+  const contained = isPathContained(filePath, root);
+  if (!contained.ok) {
+    return {
+      ...base,
+      status: STATUS.OUT_OF_ROOT,
+      tier_reached: 'n/a',
+      evidence: `auto-fix refused: ${contained.reason}`,
+    };
+  }
+
   if (!existsSync(filePath)) {
     return { ...base, status: STATUS.STALE, tier_reached: 'n/a',
              evidence: `target file does not exist: ${filePath}` };
@@ -583,9 +693,21 @@ export async function fixFinding({
  * the Trident step needs a stable commit range. Parallel fixes would shred
  * the atomicity guarantee.
  *
+ * R5-1.10 — CHANGE CAP. `opts.maxAutoFixFiles` (default
+ * DEFAULT_MAX_AUTOFIX_FILES = 10, hard-ceilinged at 50) bounds the number of
+ * DISTINCT files this batch may successfully apply a fix to. Once that many
+ * files have been touched, every remaining finding that targets a not-yet-
+ * seen file is short-circuited with status CAP_REACHED (no read, no write) —
+ * the loop stops mutating and reports the remainder instead of mass-
+ * rewriting the repo. Findings that re-target an already-fixed file are
+ * still allowed through (they don't grow the blast radius). Statuses that
+ * don't write a file (DEFERRED / STALE / OUT_OF_ROOT / *_FAIL) never count
+ * against the cap.
+ *
  * Returns { results: Array<fixFinding-record>, summary: { verified, deferred,
  *           stale, verify_fail, syntax_fail, fallback_fail, trident_fail,
- *           commit_fail } }.
+ *           commit_fail, out_of_root, cap_reached }, capped: boolean,
+ *           filesTouched: number, maxAutoFixFiles: number }.
  */
 export async function fixFindings(findings, opts = {}) {
   const results = [];
@@ -593,15 +715,198 @@ export async function fixFindings(findings, opts = {}) {
     verified: 0, deferred: 0, stale: 0,
     verify_fail: 0, syntax_fail: 0, fallback_fail: 0,
     trident_fail: 0, commit_fail: 0,
+    out_of_root: 0, cap_reached: 0,
   };
+
+  // Resolve the per-run change cap. Clamp to [1, MAX_AUTOFIX_FILES_CEILING];
+  // a non-positive or non-numeric value falls back to the default.
+  const reqCap = Number(opts.maxAutoFixFiles);
+  const cap = Number.isFinite(reqCap) && reqCap > 0
+    ? Math.min(Math.floor(reqCap), MAX_AUTOFIX_FILES_CEILING)
+    : DEFAULT_MAX_AUTOFIX_FILES;
+
+  // Distinct files this batch has successfully written to. A fix counts as
+  // "touching" a file only if it actually applied an edit — VERIFIED or any
+  // failure mode that happens AFTER applyEdit (VERIFY_FAIL/SYNTAX_FAIL/
+  // FALLBACK_FAIL/TRIDENT_FAIL/COMMIT_FAIL all roll the file back, but the
+  // file WAS written then reverted, so they still count toward blast radius).
+  const APPLIED = new Set([
+    STATUS.VERIFIED, STATUS.VERIFY_FAIL, STATUS.SYNTAX_FAIL,
+    STATUS.FALLBACK_FAIL, STATUS.TRIDENT_FAIL, STATUS.COMMIT_FAIL,
+  ]);
+  const filesTouched = new Set();
+  let capped = false;
+
   for (const finding of (findings || [])) {
+    const targetFile = finding && typeof finding.file === 'string'
+      ? finding.file : null;
+    const alreadyTouched = targetFile && filesTouched.has(targetFile);
+
+    // Cap gate: if we've hit the ceiling AND this finding would touch a NEW
+    // file, refuse it without reading/writing anything.
+    if (filesTouched.size >= cap && !alreadyTouched) {
+      capped = true;
+      results.push({
+        finding_id: finding?.finding_id || finding?.id || 'unknown',
+        file: targetFile,
+        status: STATUS.CAP_REACHED,
+        tier_reached: 'n/a',
+        evidence: `auto-fix change cap reached (${cap} files); skipped without applying`,
+      });
+      summary.cap_reached += 1;
+      continue;
+    }
+
     // eslint-disable-next-line no-await-in-loop -- sequential is the contract
     const r = await fixFinding({ ...opts, finding });
     results.push(r);
     const k = String(r.status || '').toLowerCase();
     if (k in summary) summary[k] += 1;
+
+    // Record blast radius: any status that got past applyEdit touched a file.
+    if (APPLIED.has(r.status) && r.file) {
+      filesTouched.add(r.file);
+    }
+  }
+  return {
+    results,
+    summary,
+    capped,
+    filesTouched: filesTouched.size,
+    maxAutoFixFiles: cap,
+  };
+}
+
+/* ────────────────────── consensus-HIGH extraction (T27 wire-up) ──────────── */
+
+/**
+ * Normalise a finding's severity to a lowercase canonical token.
+ * Auditors emit `high` / `HIGH` / `High` / sometimes `severity: { level }`.
+ */
+function _severityOf(finding) {
+  if (!finding || typeof finding !== 'object') return '';
+  const raw = finding.severity ?? finding.level ?? '';
+  if (raw && typeof raw === 'object') {
+    return String(raw.level || raw.severity || '').toLowerCase().trim();
+  }
+  return String(raw).toLowerCase().trim();
+}
+
+/**
+ * A stable identity key for cross-lens finding agreement. Two lenses "agree"
+ * on the same HIGH when their findings collapse to the same key. We use the
+ * file path + a normalised description prefix (whitespace-folded, lowercased,
+ * first 80 chars) — precise enough to cluster genuine duplicates, loose enough
+ * to survive trivial wording drift between lenses.
+ */
+function _consensusKey(finding) {
+  const file = String(finding.file || finding.location || finding.path || '').trim();
+  const descSource =
+    finding.description || finding.issue || finding.text ||
+    finding.message || finding.finding || finding.detail || '';
+  const desc = String(descSource).toLowerCase().replace(/\s+/g, ' ').trim().slice(0, 80);
+  return `${file}::${desc}`;
+}
+
+/**
+ * consensusHighFindings(perIteration, opts) — given the `perIteration` array
+ * that `runPhaseEConverge` returns, extract the HIGH-severity findings on
+ * which `minLenses` (default 2) or more lenses agree.
+ *
+ * This is the bridge T27 was designed for: "when 2+ lenses agree on the same
+ * HIGH, the fixer fires automatically." The convergence loop produces
+ * `perIteration[*].lensResults[*].findings`; this collapses the final
+ * iteration's findings into per-lens-deduped consensus clusters.
+ *
+ * Returns Array<finding> — each carries `_consensusLenses` (the set of lens
+ * ids that flagged it) and `_consensusCount`. Only the LAST iteration is
+ * considered: convergence already re-evaluated earlier rounds, so the final
+ * round is the swarm's settled position.
+ */
+export function consensusHighFindings(perIteration, opts = {}) {
+  const minLenses = Number.isInteger(opts.minLenses) && opts.minLenses > 0
+    ? opts.minLenses
+    : 2;
+  if (!Array.isArray(perIteration) || perIteration.length === 0) return [];
+  const last = perIteration[perIteration.length - 1];
+  if (!last || !Array.isArray(last.lensResults)) return [];
+
+  // key → { finding, lenses:Set }
+  const clusters = new Map();
+  for (const lr of last.lensResults) {
+    const lens = lr && lr.lens ? lr.lens : 'unknown';
+    const findings = Array.isArray(lr && lr.findings) ? lr.findings : [];
+    // De-dup within a single lens first so one lens flagging the same issue
+    // twice can't manufacture false consensus.
+    const seenThisLens = new Set();
+    for (const f of findings) {
+      if (_severityOf(f) !== 'high' && _severityOf(f) !== 'critical') continue;
+      const key = _consensusKey(f);
+      if (seenThisLens.has(key)) continue;
+      seenThisLens.add(key);
+      if (!clusters.has(key)) clusters.set(key, { finding: f, lenses: new Set() });
+      clusters.get(key).lenses.add(lens);
+    }
   }
-  return { results, summary };
+
+  const out = [];
+  for (const { finding, lenses } of clusters.values()) {
+    if (lenses.size >= minLenses) {
+      out.push({ ...finding, _consensusLenses: [...lenses], _consensusCount: lenses.size });
+    }
+  }
+  return out;
+}
+
+/**
+ * runConsensusFix({ perIteration, projectRoot, dispatch, ...fixOpts }) —
+ * the T27 auto-fix entry point. Extracts consensus HIGHs from a completed
+ * `runPhaseEConverge` run and runs the per-finding atomic fixer loop over
+ * them.
+ *
+ * R5-1.10 SAFETY BOUNDARY — auto-fix mutates code, so two hard guards apply
+ * (both inherited from `fixFindings` / `fixFinding`, surfaced here):
+ *   • Path containment — any finding whose target file resolves outside
+ *     `projectRoot` is REFUSED (status OUT_OF_ROOT); the fixer can never
+ *     write outside the audited project.
+ *   • Change cap — `maxAutoFixFiles` (default 10, ceiling 50) bounds the
+ *     distinct files a single run may touch; beyond it the loop STOPS and
+ *     reports the remainder (status CAP_REACHED) instead of mass-rewriting.
+ * Pass `dryRun: true` for detect-only (reports what it WOULD fix, no edits).
+ *
+ * Returns:
+ *   { triggered: false, reason }                     — nothing to fix
+ *   { triggered: true, consensusCount, results, summary, capped,
+ *     filesTouched, maxAutoFixFiles }                — fixer ran
+ *
+ * `dispatch` is required so each fix's Trident re-verify can run.
+ */
+export async function runConsensusFix({
+  perIteration,
+  projectRoot,
+  dispatch,
+  minLenses = 2,
+  ...fixOpts
+} = {}) {
+  const consensus = consensusHighFindings(perIteration, { minLenses });
+  if (consensus.length === 0) {
+    return { triggered: false, reason: 'no consensus HIGH findings' };
+  }
+  const { results, summary, capped, filesTouched, maxAutoFixFiles } =
+    await fixFindings(consensus, {
+      ...fixOpts,
+      projectRoot,
+      dispatch,
+    });
+  return {
+    triggered: true,
+    consensusCount: consensus.length,
+    results,
+    summary,
+    capped,
+    filesTouched,
+    maxAutoFixFiles,
+  };
 }
 
 /* ────────────────────────────── test helpers ────────────────────────────── */

package/src/runtime-mediator.js

@@ -224,7 +224,6 @@ export function toolNameToActionTarget(toolName, args) {
       return { action: 'write', target: 'memory:write' };
     case 'ijfw_memory_recall':
     case 'ijfw_memory_search':
-    case 'ijfw_memory_status':
     case 'ijfw_memory_prelude':
     case 'ijfw_cross_project_search':
       return { action: 'read', target: 'memory:read' };