@ijfw/memory-server 1.5.4 → 1.5.5

package/src/extension-registry.js

@@ -43,7 +43,11 @@ MCowBQYDK2VwAyEAL2lCdti0bYiFTGUo/hffy+NiBUBXdbDcdaDmjJS27i0=
 -----END PUBLIC KEY-----`;
 
 const DEFAULT_REGISTRY_URL = 'https://registry.ijfw.dev/publishers/v1.json';
-const FALLBACK_REGISTRY_URL = 'https://therealseandonahoe.gitlab.io/ijfw/registry/publishers/v1.json';
+// Secondary fallback. The trust anchor is the embedded IJFW_REGISTRY_META_KEY_PEM
+// (below), NOT the URL — so swapping hosts is safe. GitHub Pages publishes
+// registry/publishers/v1.json from the FerroxLabs/ijfw main branch; the pages
+// job is not yet wired (Phase B), so this URL 404s until the repo is populated.
+const FALLBACK_REGISTRY_URL = 'https://ferroxlabs.github.io/ijfw/registry/publishers/v1.json';
 const MAX_REGISTRY_BYTES = 1024 * 1024; // 1 MiB cap
 const CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24 h (back-compat alias)
 const PUBLISHER_TTL_MS = 24 * 60 * 60 * 1000; // 24 h — B17 publisher half
@@ -831,7 +835,12 @@ export async function withSourceCache(source, mutator) {
 }
 
 // ---------------------------------------------------------------------------
-// Legacy single-source cache helpers (kept for v1.4.1 back-compat tests).
+// Single-source cache helpers — used by the production trust-store refresh
+// path (`refreshTrustFromRegistry`, ~line 1350) AND by the offline fallback
+// in `dispatch/extension.js:416`. NOT v1.4.1 back-compat scaffolding —
+// V155-058 (v1.5.5) corrects the prior misleading comment that called this
+// "kept for v1.4.1 back-compat tests"; deleting it would silently break the
+// offline trust path on next federated-registry refresh failure.
 // ---------------------------------------------------------------------------
 
 export async function readCachedRegistry() {
@@ -859,8 +868,10 @@ export async function writeCachedRegistry(registry) {
 }
 
 // ---------------------------------------------------------------------------
-// applyRegistry — merge publishers + process revocations
-// (single-source path, retained for v1.4.1 callers + tests)
+// applyRegistry — merge publishers + process revocations.
+// Production callers: `refreshTrustFromRegistry` (this file, ~line 1376) and
+// the offline-fallback path in `dispatch/extension.js:416`. V155-058 (v1.5.5)
+// corrects an earlier "retained for v1.4.1 callers + tests" comment.
 // ---------------------------------------------------------------------------
 
 /**

package/src/handlers/brain-handler.js

@@ -162,9 +162,22 @@ function verbWikiGet(db, repoRoot, args) {
   return { ok: true, slug, path: found.path, type: found.type, markdown: readFileSync(found.path, 'utf8') };
 }
 
-function verbWikiCompile(db, repoRoot, args) {
+// V155-049: wiki.compile `type` allowlist. Without this, an attacker-supplied
+// `type = '../../etc'` would still pass downstream guards (slugify, path-guard
+// containment) but produces confusing error messages because `pluralType()`
+// silently appends 's'. Reject anything not in the documented set up front.
+const WIKI_COMPILE_TYPES = new Set(['entity', 'concept', 'decision', 'milestone']);
+
+async function verbWikiCompile(db, repoRoot, args) {
   if (!args.subject) return { ok: false, error: 'missing-subject' };
-  return compileWikiPage(db, { repoRoot, type: args.type || 'entity', subject: args.subject });
+  // V155-049: type allowlist — defense in depth before path-guard.
+  if (args.type !== undefined && args.type !== null && !WIKI_COMPILE_TYPES.has(args.type)) {
+    return { ok: false, error: 'invalid-type', type: args.type, allowed: [...WIKI_COMPILE_TYPES] };
+  }
+  // V155-015: compileWikiPage is now async (withFsLock is async). Awaited
+  // here so the outer handler's switch returns the resolved verdict, not
+  // a Promise — matching every other verb in this dispatcher.
+  return await compileWikiPage(db, { repoRoot, type: args.type || 'entity', subject: args.subject });
 }
 
 function verbWikiPromote(db, repoRoot, args) {
@@ -173,12 +186,23 @@ function verbWikiPromote(db, repoRoot, args) {
   const slug = slugify(args.slug);
   const found = findPage(paths.wikiDir, slug);
   if (!found) return { ok: false, error: 'page-not-found', slug };
-  const globalDir = join(homedir(), 'IJFW', 'wiki', found.type);
+  const globalRoot = join(homedir(), 'IJFW');
+  const globalDir = join(globalRoot, 'wiki', found.type);
   mkdirSync(globalDir, { recursive: true });
   const dst = join(globalDir, `${slug}.md`);
+  // V155-033: defense-in-depth containment. Today slugify() blocks `..`
+  // traversal in the slug; a future slugify relaxation would re-open the
+  // hole. Reuse the same validator wiki.export uses, anchored at ~/IJFW.
+  const guard = validateSafeRepoPath(globalRoot, dst);
+  if (!guard.ok) return guard;
+  // V155-024/V155-040: capture pre-existence BEFORE the copy. The previous
+  // `existsSync(dst)` after copy was tautological — destination always exists
+  // post-copy — so `overwrote` always equalled `args.force === true`. The
+  // honest semantic is "did this call clobber a pre-existing file?".
+  const dstExistedBefore = existsSync(dst);
   // FLAG-2: refuse to overwrite an existing global page unless force=true.
   // Operator may have hand-curated content there; silent clobber is data loss.
-  if (existsSync(dst) && args.force !== true) {
+  if (dstExistedBefore && args.force !== true) {
     return { ok: false, error: 'global-page-exists', dst, hint: 'pass force:true to overwrite' };
   }
   try {
@@ -189,7 +213,14 @@ function verbWikiPromote(db, repoRoot, args) {
     }
     return { ok: false, error: 'copy-failed', message: e.message };
   }
-  return { ok: true, slug, type: found.type, src: found.path, dst, overwrote: args.force === true && existsSync(dst) };
+  return {
+    ok: true,
+    slug,
+    type: found.type,
+    src: found.path,
+    dst,
+    overwrote: dstExistedBefore && args.force === true,
+  };
 }
 
 function verbWikiExport(db, repoRoot, args) {
@@ -213,6 +244,14 @@ function verbConflictResolve(db, repoRoot, args) {
   if (!args.subject || !args.predicate || args.winnerId == null) {
     return { ok: false, error: 'missing-args' };
   }
+  // V155-065: typecheck winnerId. better-sqlite3 throws when given an array
+  // or object (`{winnerId:[1,2,3]}` → "SQLite3 can only bind numbers, strings,
+  // bigints, buffers, and null"). Previously that throw propagated through
+  // the outer catch as `{ok:false, error:'db-error', message:<stack>}`,
+  // leaking internal contract details. Reject at the boundary instead.
+  if (!Number.isInteger(args.winnerId) && typeof args.winnerId !== 'string') {
+    return { ok: false, error: 'winnerId-must-be-number-or-string', winnerId: args.winnerId };
+  }
   const supersede = args.supersede !== false; // default true
   if (!supersede) {
     // Pre-flight winner verify for the no-supersede path. (For supersede=true,

package/src/lib/atomic-io.js

@@ -181,20 +181,77 @@ function sleepSync(ms) {
 
 // Log rotation -- caller of writeAtomic for log files invokes this first.
 // Each log capped at 1MB; rotate to <name>.log.1, delete <name>.log.2.
+//
+// V155-052 (v1.5.5): the original implementation was destructive-then-might-
+// fail: unlink rot2 (oldest history), then rename rot1→rot2, then rename
+// logPath→rot1. If the third rename failed (Windows AV scanner holds an open
+// handle, e.g.) we'd already have thrown away the oldest history for no
+// benefit while reporting `return true` (rotated). New shape:
+//   1. Pre-check that logPath rename will succeed (renameSync is the most
+//      likely failure point on Windows). Do this by renaming through a tmp
+//      probe inside the same directory — atomic same-FS rename is the only
+//      reliable test short of actually doing the rotation.
+//   2. Only then proceed with the destructive cleanup.
+//   3. Return `{rotated, error?}` so callers can log a structured warning
+//      when rotation fails. Boolean-true legacy path preserved via
+//      `result.rotated`.
 export function rotateLogIfNeeded(logPath, maxBytes = 1024 * 1024) {
-  try {
-    if (!existsSync(logPath)) return false;
-    const st = statSync(logPath);
-    if (st.size < maxBytes) return false;
-    const rot1 = `${logPath}.1`;
-    const rot2 = `${logPath}.2`;
-    try { if (existsSync(rot2)) unlinkSync(rot2); } catch { /* */ }
-    try { if (existsSync(rot1)) renameSync(rot1, rot2); } catch { /* */ }
-    try { renameSync(logPath, rot1); } catch { /* */ }
-    return true;
-  } catch {
-    return false;
+  if (!existsSync(logPath)) return false;
+  let st;
+  try { st = statSync(logPath); }
+  catch (e) { return { rotated: false, error: `stat-failed: ${e?.message || e}` }; }
+  if (st.size < maxBytes) return false;
+  const rot1 = `${logPath}.1`;
+  const rot2 = `${logPath}.2`;
+
+  // V155-052 step 1: try to rename logPath → rot1 directly. On POSIX this is
+  // atomic; on Windows it fails with EBUSY when the file is held. We DON'T
+  // touch rot1 or rot2 yet, so the existing rotation history stays intact
+  // until we know the live-log handoff is going to succeed. We need rot1 to
+  // be free first — but the prior rot1 contents are valuable, so we move
+  // them to rot2 BEFORE the live rename, and only after that succeeds do we
+  // remove the previous rot2.
+  //
+  // Sequence (loud on failure):
+  //   (a) if rot2 exists: keep it for now (we still have a copy until step c)
+  //   (b) rename rot1 → rot2_new (a unique temp name) — preserves both old
+  //       generations while we attempt the live rename
+  //   (c) rename logPath → rot1
+  //   (d) on success: unlink the previous rot2 (which was preserved through
+  //       step b under its temp name); rename rot2_new → rot2
+  //   (e) on failure of (c): roll back step b
+  //
+  // The cost is one extra rename; the benefit is we never destroy oldest
+  // history except after the new history has landed.
+  const rot2Tmp = `${rot2}.tmp.${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 6)}`;
+  const hadRot1 = existsSync(rot1);
+  const hadRot2 = existsSync(rot2);
+
+  if (hadRot1) {
+    try { renameSync(rot1, rot2Tmp); }
+    catch (e) {
+      return { rotated: false, error: `pre-rotate move rot1→rot2.tmp failed: ${e?.message || e}` };
+    }
+  }
+  try { renameSync(logPath, rot1); }
+  catch (e) {
+    // Roll back step (b) so the prior rot1 is preserved.
+    if (hadRot1) {
+      try { renameSync(rot2Tmp, rot1); } catch { /* best-effort rollback */ }
+    }
+    return { rotated: false, error: `rotate logPath→rot1 failed: ${e?.message || e}` };
+  }
+  // Live rename succeeded. Now retire the previous rot2 and commit rot2Tmp
+  // as the new rot2. Both steps are best-effort: if they fail we still have
+  // a successful live rotation plus an over-N tmp file that can be cleaned
+  // out next run.
+  if (hadRot2) {
+    try { unlinkSync(rot2); } catch { /* best-effort */ }
+  }
+  if (hadRot1) {
+    try { renameSync(rot2Tmp, rot2); } catch { /* best-effort */ }
   }
+  return true;
 }
 
 // URL redactor -- strip query strings before logging per v3 sec 15

package/src/lib/shasum-verify.js

@@ -1,20 +1,20 @@
-// shasum-verify.js -- cross-verify a target npm release against the GitLab
+// shasum-verify.js -- cross-verify a target npm release against the GitHub
 // release asset shasum. Second-factor integrity check on top of
 // `npm audit signatures` (F-SEC-7, v1.5.0 audit-H2.2).
 //
 // THREAT MODEL
 //   `npm audit signatures` proves the tarball was signed by the package's
 //   npm registry signing keys. This module independently fetches the
-//   shasum the publisher recorded on the GitLab release page and compares
+//   shasum the publisher recorded on the GitHub release page and compares
 //   it against the npm-reported tarball shasum. A divergence means either
-//   the npm registry is serving a tampered tarball, OR the GitLab release
+//   the npm registry is serving a tampered tarball, OR the GitHub release
 //   was tampered with, OR the publisher made an inconsistent release.
 //   In all cases: refuse to install.
 //
 // MODES
-//   verified -- npm and GitLab shasums both available and match.
+//   verified -- npm and GitHub shasums both available and match.
 //   mismatch -- both available but DIFFER. Fail closed.
-//   advisory -- GitLab side missing (older release, no shasum published,
+//   advisory -- GitHub side missing (older release, no shasum published,
 //               or transient fetch failure). Caller decides whether to
 //               proceed: interactive prompts for confirmation, non-
 //               interactive must abort.
@@ -30,8 +30,15 @@
 
 import { spawnSync } from 'node:child_process';
 
-// Default GitLab project path. Kept here so tests can override.
-export const DEFAULT_GITLAB_PROJECT = 'therealseandonahoe%2Fijfw';
+// Default GitHub repo (owner/name). Kept here so tests can override.
+// NOTE: GitHub Releases API uses an owner/repo path -- NOT URL-encoded
+// like the GitLab equivalent. Old name kept as an alias for backwards
+// compatibility with any external callers that still pass a `project` opt.
+export const DEFAULT_GITHUB_REPO = 'FerroxLabs/ijfw';
+// Back-compat alias: callers passing `project` still resolve via the same
+// option key path; the value semantics changed from URL-encoded
+// "therealseandonahoe%2Fijfw" to "FerroxLabs/ijfw".
+export const DEFAULT_GITLAB_PROJECT = DEFAULT_GITHUB_REPO;
 
 // Hex shasum extractor. Accepts standalone hex lines (sha1=40 hex, sha256=64
 // hex) or the common labelled forms used in release notes:
@@ -81,13 +88,24 @@ const DEFAULT_DEPS = Object.freeze({
     }
     return { ok: true, shasum: raw.toLowerCase() };
   },
-  // (project, version) -> { ok, body, message }
-  fetchGitlabReleaseBody(project, version) {
-    const url = `https://gitlab.com/api/v4/projects/${project}/releases/v${version}`;
-    const r = spawnSync('curl', ['-fsSL', '-H', 'User-Agent: ijfw', url], {
-      encoding: 'utf8',
-      timeout: 10_000,
-    });
+  // (repo, version) -> { ok, body, message }
+  fetchGithubReleaseBody(repo, version) {
+    const url = `https://api.github.com/repos/${repo}/releases/tags/v${version}`;
+    const r = spawnSync(
+      'curl',
+      [
+        '-fsSL',
+        '-H',
+        'User-Agent: ijfw',
+        '-H',
+        'Accept: application/vnd.github+json',
+        url,
+      ],
+      {
+        encoding: 'utf8',
+        timeout: 10_000,
+      },
+    );
     if (r.error) return { ok: false, message: `spawn-${r.error.code || 'unknown'}` };
     if (r.signal) return { ok: false, message: `killed by ${r.signal}` };
     if (r.status !== 0) {
@@ -95,7 +113,8 @@ const DEFAULT_DEPS = Object.freeze({
     }
     try {
       const data = JSON.parse(r.stdout || '{}');
-      return { ok: true, body: data.description || '' };
+      // GitHub release schema uses `body` (GitLab used `description`).
+      return { ok: true, body: data.body || '' };
     } catch {
       return { ok: false, message: 'release JSON parse failed' };
     }
@@ -103,13 +122,18 @@ const DEFAULT_DEPS = Object.freeze({
 });
 
 // version: semver string (validated by caller)
-// opts: { pkg = '@ijfw/install', project = DEFAULT_GITLAB_PROJECT }
-// deps: optional mock injection
+// opts: { pkg = '@ijfw/install', repo = DEFAULT_GITHUB_REPO }
+//   `project` is honored as a back-compat alias for `repo`.
+// deps: optional mock injection. Accepts either `fetchGithubReleaseBody`
+//   (preferred) or the legacy `fetchGitlabReleaseBody` key.
 export function verifyShasumCrossSource(version, opts = {}, deps = DEFAULT_DEPS) {
   const pkg = opts.pkg || '@ijfw/install';
-  const project = opts.project || DEFAULT_GITLAB_PROJECT;
+  const repo = opts.repo || opts.project || DEFAULT_GITHUB_REPO;
   const fetchNpm = deps.fetchNpmShasum || DEFAULT_DEPS.fetchNpmShasum;
-  const fetchRelease = deps.fetchGitlabReleaseBody || DEFAULT_DEPS.fetchGitlabReleaseBody;
+  const fetchRelease =
+    deps.fetchGithubReleaseBody ||
+    deps.fetchGitlabReleaseBody || // back-compat: tests written against the old key still work
+    DEFAULT_DEPS.fetchGithubReleaseBody;
 
   const npmRes = fetchNpm(pkg, version);
   if (!npmRes.ok) {
@@ -123,7 +147,7 @@ export function verifyShasumCrossSource(version, opts = {}, deps = DEFAULT_DEPS)
   }
   const npmShasum = String(npmRes.shasum || '').toLowerCase();
 
-  const releaseRes = fetchRelease(project, version);
+  const releaseRes = fetchRelease(repo, version);
   if (!releaseRes.ok) {
     return {
       ok: true,
@@ -142,7 +166,7 @@ export function verifyShasumCrossSource(version, opts = {}, deps = DEFAULT_DEPS)
       requiresConfirmation: true,
       npmShasum,
       releaseShasum: null,
-      message: 'GitLab release does not list a shasum for this version; proceed only with explicit confirmation',
+      message: 'GitHub release does not list a shasum for this version; proceed only with explicit confirmation',
     };
   }
   if (releaseShasum.toLowerCase() !== npmShasum) {
@@ -159,6 +183,6 @@ export function verifyShasumCrossSource(version, opts = {}, deps = DEFAULT_DEPS)
     mode: 'verified',
     npmShasum,
     releaseShasum: releaseShasum.toLowerCase(),
-    message: 'shasum cross-verified (npm dist.shasum matches GitLab release asset)',
+    message: 'shasum cross-verified (npm dist.shasum matches GitHub release asset)',
   };
 }

package/src/lib/ui-review-runner.js

@@ -26,7 +26,7 @@
 // `peerInputs` and adapts them through the evaluator libs.
 
 import { existsSync, readFileSync, readdirSync, writeFileSync, mkdirSync } from 'node:fs';
-import { join, dirname, extname } from 'node:path';
+import { join, dirname, extname, isAbsolute } from 'node:path';
 import {
   parseUISpec,
   scanCodeForTailwind,
@@ -80,7 +80,12 @@ function walkSourceFiles(scopes, projectRoot, opts = {}) {
   const maxFiles = typeof opts.maxFiles === 'number' ? opts.maxFiles : 2000;
   const out = [];
   for (const scope of scopes) {
-    const abs = scope.startsWith('/') ? scope : join(projectRoot, scope);
+    // V155-044: isAbsolute() so Windows C:\… scopes aren't joined as relative,
+    // which previously yielded a non-existent path and a vacuous "everything
+    // passes" review verdict.
+    // TP-004 (v1.5.5 Trident): re-indented the comment + statement to match
+    // the enclosing for-body scope. Visual-only fix; the file already parsed.
+    const abs = isAbsolute(scope) ? scope : join(projectRoot, scope);
     if (!existsSync(abs)) continue;
     const stack = [abs];
     while (stack.length > 0 && out.length < maxFiles) {

package/src/lib/uispec-drift.js

@@ -13,7 +13,7 @@
 // Pure-stdlib.  Graceful-degrade on every error path.  No external network.
 
 import { existsSync, readFileSync, readdirSync, statSync } from 'node:fs';
-import { join, extname } from 'node:path';
+import { join, extname, isAbsolute } from 'node:path';
 
 // ---------------------------------------------------------------------------
 // UI-SPEC parser
@@ -103,7 +103,10 @@ export function measureBundleSize(opts = {}) {
         break;
       }
     }
-  } else if (!opts.dir.startsWith('/')) {
+  } else if (!isAbsolute(opts.dir)) {
+    // V155-043: isAbsolute() so Windows absolute paths (C:\…) aren't mistakenly
+    // joined to projectRoot, which produces a garbage mid-string path and a
+    // false "build-dir-missing" verdict.
     dir = join(projectRoot, opts.dir);
   }
 
@@ -195,7 +198,9 @@ export function scanCodeForTailwind(scope, opts = {}) {
   let files = 0;
 
   for (const d of dirs) {
-    const abs = d.startsWith('/') ? d : join(projectRoot, d);
+    // V155-043: isAbsolute() handles Windows C:\… paths correctly; the prior
+    // POSIX-only check silently skipped them.
+    const abs = isAbsolute(d) ? d : join(projectRoot, d);
     if (!existsSync(abs)) continue;
 
     const stack = [abs];

package/src/lib/uispec-intake.js

@@ -37,7 +37,7 @@
 // `advisory` strings rather than throwing.
 
 import { existsSync, readFileSync, statSync } from 'node:fs';
-import { resolve as pathResolve, extname } from 'node:path';
+import { resolve as pathResolve, extname, isAbsolute } from 'node:path';
 
 const IMAGE_EXTS = new Set(['.png', '.jpg', '.jpeg', '.webp', '.gif']);
 const MAX_IMAGE_BYTES = 25 * 1024 * 1024;
@@ -54,7 +54,10 @@ export function fromImage(imagePath, opts = {}) {
   if (typeof imagePath !== 'string' || imagePath.length === 0) {
     return { ok: false, stub: null, error: 'no-path' };
   }
-  const abs = imagePath.startsWith('/')
+  // V155-045: isAbsolute() for portable Windows handling; pathResolve()
+  // happens to be lenient with absolute Windows paths but the explicit check
+  // documents the contract and lets static analysis catch regressions.
+  const abs = isAbsolute(imagePath)
     ? imagePath
     : pathResolve(opts.projectRoot || process.cwd(), imagePath);
 

package/src/memory/layout-migrations/001-visible-layer.js

@@ -16,7 +16,7 @@
 //  - copy-not-move keeps legacy .ijfw/ paths intact for one-version fallback
 
 import {
-  existsSync, mkdirSync, statSync, readdirSync, cpSync,
+  existsSync, mkdirSync, statSync, readdirSync, cpSync, lstatSync,
 } from 'node:fs';
 import { join } from 'node:path';
 import {
@@ -25,6 +25,13 @@ import {
 
 const FRESHNESS_MS = 30_000;
 
+// V155-056 (v1.5.5): bound walkMd recursion + skip symlinks. A same-uid
+// attacker who plants `.ijfw/memory/loop -> ..` would otherwise drive walkMd
+// into an infinite loop (or, worse, a symlink to `/var/log/syslog` could leak
+// external paths into deferral stderr). Cap depth at 8 — real .ijfw trees are
+// only 2-3 deep — and refuse to follow symlinks at directory entries.
+const MAX_WALK_DEPTH = 8;
+
 const SCAFFOLD_DIRS = [
   ['ijfw', 'dump', 'inbox'],
   ['ijfw', 'dump', 'processed'],
@@ -34,24 +41,59 @@ const SCAFFOLD_DIRS = [
   ['ijfw', 'wiki', 'milestones'],
 ];
 
-function walkMd(dir) {
+function walkMd(dir, depth = 0) {
   if (!existsSync(dir)) return [];
+  if (depth > MAX_WALK_DEPTH) return [];
   const out = [];
   for (const entry of readdirSync(dir, { withFileTypes: true })) {
     const p = join(dir, entry.name);
-    if (entry.isDirectory()) out.push(...walkMd(p));
+    // V155-056: skip any symlink entry — both files and dirs. Symlink targets
+    // are NOT walked; this avoids the cycle/loop attack and keeps the report
+    // honest about what's actually inside the .ijfw tree.
+    if (entry.isSymbolicLink && entry.isSymbolicLink()) continue;
+    if (entry.isDirectory()) out.push(...walkMd(p, depth + 1));
     else if (entry.isFile() && entry.name.endsWith('.md')) out.push(p);
   }
   return out;
 }
 
+/**
+ * V155-035 (v1.5.5): pre-scan a source subtree for symlinks. cpSync's Node
+ * default is `dereference:false` (writes are safe — the destination becomes
+ * a symlink), but the subsequent visible-layer reads via `walkMd` follow
+ * symlinks under their feet. Refusing symlinks in the source tree closes
+ * that read-time leak before the migration commits.
+ *
+ * Returns the first symlink path found, or null when the subtree is clean.
+ * Honors MAX_WALK_DEPTH so a malicious deep tree can't burn the call stack.
+ */
+function findSymlinkInTree(dir, depth = 0) {
+  if (!existsSync(dir)) return null;
+  if (depth > MAX_WALK_DEPTH) return null;
+  for (const entry of readdirSync(dir, { withFileTypes: true })) {
+    const p = join(dir, entry.name);
+    let lst;
+    try { lst = lstatSync(p); }
+    catch { continue; }
+    if (lst.isSymbolicLink()) return p;
+    if (entry.isDirectory()) {
+      const found = findSymlinkInTree(p, depth + 1);
+      if (found) return found;
+    }
+  }
+  return null;
+}
+
 function findFreshFiles(repoRoot) {
   const cutoff = Date.now() - FRESHNESS_MS;
   const candidates = [
     ...walkMd(join(repoRoot, '.ijfw', 'memory')),
     ...walkMd(join(repoRoot, '.ijfw', 'sessions')),
   ];
-  return candidates.filter((p) => statSync(p).mtimeMs >= cutoff);
+  return candidates.filter((p) => {
+    try { return statSync(p).mtimeMs >= cutoff; }
+    catch { return false; }
+  });
 }
 
 export const DESCRIPTION =
@@ -108,16 +150,38 @@ export async function up(repoRoot) {
     // means existing destination files cause the COPY of THAT file to skip
     // silently, but the rest of the tree still copies. Behaviour: union of
     // existing visible files (winner) + legacy hidden files (filler).
+    //
+    // V155-035 (v1.5.5): pre-scan each source subtree for symlinks BEFORE
+    // committing the migration. cpSync's default does not follow symlinks
+    // (`dereference:false` per Node docs), so the write itself is safe — but
+    // the visible-layer reads via walkMd would follow them and leak the
+    // target's content into LLM context. We refuse the migration outright
+    // when a symlink is present in the source tree so the operator can
+    // resolve it before the layout flips to v2. `dereference: false` is
+    // also stated explicitly on the cpSync calls for forensic clarity.
     const memorySrc = join(repoRoot, '.ijfw', 'memory');
+    const sessionsSrc = join(repoRoot, '.ijfw', 'sessions');
+    for (const src of [memorySrc, sessionsSrc]) {
+      const sym = findSymlinkInTree(src);
+      if (sym) {
+        try {
+          process.stderr.write(
+            `[ijfw layout-migrate] aborted: symlink in source tree (${sym}) ` +
+            `would leak external content into the visible layer. ` +
+            `Remove or replace with a copy, then re-run.\n`
+          );
+        } catch { /* stderr may be detached */ }
+        return { skipped: true, reason: 'symlink-source-rejected', sample: sym };
+      }
+    }
     if (existsSync(memorySrc)) {
       cpSync(memorySrc, memoryDst,
-             { recursive: true, force: false, errorOnExist: false });
+             { recursive: true, force: false, errorOnExist: false, dereference: false });
       copiedFiles += walkMd(memorySrc).length;
     }
-    const sessionsSrc = join(repoRoot, '.ijfw', 'sessions');
     if (existsSync(sessionsSrc)) {
       cpSync(sessionsSrc, sessionsDst,
-             { recursive: true, force: false, errorOnExist: false });
+             { recursive: true, force: false, errorOnExist: false, dereference: false });
       copiedFiles += walkMd(sessionsSrc).length;
     }
     for (const parts of SCAFFOLD_DIRS) {