@ijfw/memory-server 1.5.5 → 1.6.0

package/src/profile/telemetry.js

@@ -0,0 +1,289 @@
+/**
+ * profile/telemetry.js — Cross-system profile bus, S3 (repeat-correction proof).
+ *
+ * The NO-JUDGE behavioral metric (design spec §"The honest bar", claim 2):
+ * "Repeat-correction-rate drop — how often you re-issue the SAME correction,
+ * bucketed by session age. A working system bends the curve down (3× in week 1
+ * -> 0× by week 4). The most honest single number."
+ *
+ * This module records, per preference SLUG, every time the user RE-ISSUES a
+ * correction that the profile should already have learned, and computes the drop
+ * curve across session-age buckets. If injecting a learned preference works, the
+ * user stops repeating themselves and the curve bends toward zero.
+ *
+ * STORE: an append-only JSON-lines ledger `recorrections.log` (sibling of the
+ * profile, under the same dir). One object per line:
+ *   { ts, slug, session, host, age_days? }
+ * `ts` is the event time; `age_days` (optional) is the age of the slug at the
+ * time of the re-correction — i.e. days since the slug was first learned — and
+ * is what we bucket on. When absent, callers can supply a `learnedAt` map to
+ * `dropCurve`/`bucketByAge` to derive it from `ts`.
+ *
+ * The COMPUTE is pure and IO-free (bucketByAge / dropCurve operate on plain
+ * arrays) so the metric is unit-testable without touching disk; the append/read
+ * helpers mirror egress.js discipline (O_NOFOLLOW, symlink-guarded, size-capped).
+ *
+ * Zero deps, Node built-ins only. NO LLM calls.
+ */
+
+import {
+  openSync,
+  writeFileSync,
+  fsyncSync,
+  closeSync,
+  readFileSync,
+  existsSync,
+  mkdirSync,
+  lstatSync,
+  constants as fsConstants,
+} from 'node:fs';
+import { join } from 'node:path';
+
+import { profileDir } from './store.js';
+
+const RECORRECTIONS_FILE = 'recorrections.log';
+
+/**
+ * Read-size cap (mirrors egress.js): the ledger is one tiny JSON line per
+ * re-correction; a file past this is a corrupt/hand-edited artifact — refuse to
+ * slurp it whole rather than OOM. 8 MiB is far above any realistic ledger.
+ */
+const MAX_RECORRECTIONS_BYTES = 8 * 1024 * 1024;
+
+/** Default bucket width in days (a "week" bucket). */
+export const DEFAULT_BUCKET_DAYS = 7;
+const DAY_MS = 24 * 60 * 60 * 1000;
+
+export function recorrectionsLogPath() {
+  return join(profileDir(), RECORRECTIONS_FILE);
+}
+
+function ensureDir(dir) {
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+}
+
+/** True iff `p` exists AND is a symlink (refuse to read/write through links). */
+function isSymlink(p) {
+  try {
+    return lstatSync(p).isSymbolicLink();
+  } catch {
+    return false;
+  }
+}
+
+// ---------------------------------------------------------------------------
+// IO — append-only ledger (mirrors egress.js).
+// ---------------------------------------------------------------------------
+
+/**
+ * recordRecorrection(entry) -> { ok, entry?, code?, message? }. Appends ONE JSON
+ * line { ts, slug, session, host, age_days? }. `ts` defaults to now (ISO).
+ * Never throws — telemetry must never break the host path; a logging failure is
+ * surfaced via the return shape, not an exception. `slug` is required (a
+ * re-correction with no slug is meaningless and is rejected with EBADSLUG).
+ *
+ * @param {{ slug?:string, session?:string, host?:string, ts?:string, age_days?:number }} entry
+ */
+export function recordRecorrection(entry = {}) {
+  const slug = typeof entry.slug === 'string' ? entry.slug : '';
+  if (!slug) return { ok: false, code: 'EBADSLUG', message: 'recordRecorrection: slug is required' };
+
+  const target = recorrectionsLogPath();
+  if (isSymlink(target)) {
+    return { ok: false, code: 'ERECORR_SYMLINK', message: `refusing symlinked telemetry log: ${target}` };
+  }
+  const rec = {
+    ts: typeof entry.ts === 'string' && entry.ts ? entry.ts : new Date().toISOString(),
+    slug,
+    session: typeof entry.session === 'string' ? entry.session : null,
+    host: typeof entry.host === 'string' ? entry.host : null,
+  };
+  if (Number.isFinite(entry.age_days)) rec.age_days = Number(entry.age_days);
+
+  let fd = null;
+  try {
+    ensureDir(profileDir());
+    // O_NOFOLLOW refuses a symlinked target at the kernel (anti-TOCTOU); O_APPEND
+    // keeps append atomicity; O_CREAT|0o600 creates owner-only if absent.
+    fd = openSync(
+      target,
+      fsConstants.O_WRONLY | fsConstants.O_APPEND | fsConstants.O_CREAT | fsConstants.O_NOFOLLOW,
+      0o600,
+    );
+    writeFileSync(fd, `${JSON.stringify(rec)}\n`, { encoding: 'utf8' });
+    fsyncSync(fd);
+    return { ok: true, entry: rec };
+  } catch (err) {
+    if (err && err.code === 'ELOOP') {
+      return { ok: false, code: 'ERECORR_SYMLINK', message: `refusing symlinked telemetry log: ${target}` };
+    }
+    return { ok: false, code: err.code || 'ERECORR_WRITE', message: err.message };
+  } finally {
+    if (fd != null) { try { closeSync(fd); } catch {} }
+  }
+}
+
+/**
+ * readRecorrections() -> { ok, events:[...] }. Reads + parses every JSON line. A
+ * missing log -> empty list. Unparseable lines are skipped (append-only audit
+ * surface; one bad line must not poison the whole read).
+ */
+export function readRecorrections() {
+  const target = recorrectionsLogPath();
+  if (isSymlink(target)) return { ok: false, code: 'ERECORR_SYMLINK', events: [] };
+  if (!existsSync(target)) return { ok: true, events: [] };
+  try {
+    const st = lstatSync(target);
+    if (st.isFile() && st.size > MAX_RECORRECTIONS_BYTES) {
+      return { ok: false, code: 'ERECORR_TOOBIG', message: `telemetry log exceeds ${MAX_RECORRECTIONS_BYTES} bytes`, events: [] };
+    }
+  } catch {
+    // fall through to read
+  }
+  let raw;
+  try {
+    raw = readFileSync(target, 'utf8');
+  } catch (err) {
+    return { ok: false, code: err.code || 'ERECORR_READ', message: err.message, events: [] };
+  }
+  const events = [];
+  for (const line of raw.split('\n')) {
+    const s = line.trim();
+    if (!s) continue;
+    try {
+      events.push(JSON.parse(s));
+    } catch {
+      // skip a corrupt line — best-effort audit read.
+    }
+  }
+  return { ok: true, events };
+}
+
+// ---------------------------------------------------------------------------
+// COMPUTE — pure, IO-free. Bucket re-corrections by session-age + drop curve.
+// ---------------------------------------------------------------------------
+
+/**
+ * Resolve the AGE (in days) of a re-correction event:
+ *   - prefer an explicit `event.age_days` (the recorder already knew the slug's
+ *     age at re-correction time),
+ *   - else derive it from `learnedAt[slug]` -> `event.ts` (days since the slug
+ *     was first learned),
+ *   - else null (cannot be bucketed).
+ */
+function ageDaysFor(event, learnedAt) {
+  if (Number.isFinite(event.age_days)) return Math.max(0, Number(event.age_days));
+  const learned = learnedAt && learnedAt[event.slug];
+  if (learned && typeof event.ts === 'string') {
+    const l = Date.parse(learned);
+    const t = Date.parse(event.ts);
+    if (Number.isFinite(l) && Number.isFinite(t)) {
+      return Math.max(0, (t - l) / DAY_MS);
+    }
+  }
+  return null;
+}
+
+/** The bucket INDEX an age falls into (0 = first window). */
+function bucketIndex(ageDays, bucketDays) {
+  return Math.floor(ageDays / bucketDays);
+}
+
+/**
+ * bucketByAge(events, opts?) -> { perSlug, totals, bucketDays }.
+ *
+ * Buckets re-correction events by SESSION-AGE (how old the slug was when the user
+ * re-issued the correction). Returns, per slug, an array of counts indexed by
+ * age bucket, plus a `totals` array summed across all slugs. Events that can't
+ * be aged (no age_days and no learnedAt entry) are tallied into `undated` and
+ * excluded from the buckets — never silently dropped.
+ *
+ * @param {Array} events  re-correction events { slug, ts, age_days? }
+ * @param {{ bucketDays?:number, learnedAt?:Record<string,string>, maxBuckets?:number }} opts
+ */
+export function bucketByAge(events = [], opts = {}) {
+  const bucketDays = Number.isFinite(opts.bucketDays) && opts.bucketDays > 0 ? opts.bucketDays : DEFAULT_BUCKET_DAYS;
+  const learnedAt = opts.learnedAt || null;
+  const list = Array.isArray(events) ? events : [];
+
+  const perSlug = {};
+  let undated = 0;
+  let maxIdx = -1;
+
+  for (const ev of list) {
+    if (!ev || typeof ev.slug !== 'string' || !ev.slug) continue;
+    const age = ageDaysFor(ev, learnedAt);
+    if (age === null) { undated += 1; continue; }
+    const idx = bucketIndex(age, bucketDays);
+    if (Number.isFinite(opts.maxBuckets) && opts.maxBuckets > 0 && idx >= opts.maxBuckets) continue;
+    if (!perSlug[ev.slug]) perSlug[ev.slug] = [];
+    perSlug[ev.slug][idx] = (perSlug[ev.slug][idx] || 0) + 1;
+    if (idx > maxIdx) maxIdx = idx;
+  }
+
+  // Normalize ragged arrays to a common length (fill holes with 0) so the curve
+  // is dense and comparable across slugs.
+  const length = maxIdx + 1;
+  const totals = Array.from({ length }, () => 0);
+  for (const slug of Object.keys(perSlug)) {
+    const arr = perSlug[slug];
+    for (let i = 0; i < length; i += 1) {
+      const v = Number(arr[i]) || 0;
+      arr[i] = v;
+      totals[i] += v;
+    }
+    perSlug[slug] = arr;
+  }
+
+  return { perSlug, totals, undated, bucketDays };
+}
+
+/**
+ * dropCurve(events, opts?) -> { perSlug, overall, bucketDays }.
+ *
+ * The headline metric. For each slug (and overall), reports the bucketed counts
+ * and a DROP RATIO comparing an early window to a late window:
+ *   drop = (early - late) / early   in [0,1]   (1.0 = re-corrections vanished)
+ * `early` defaults to bucket 0 (week 1); `late` defaults to the LAST non-empty
+ * bucket. A slug with re-corrections in week 1 and none by week 4 yields
+ * drop = 1.0 — the curve bent all the way down. When `early` is 0 the drop is
+ * null (no baseline to improve on). `trend` is 'down' | 'flat' | 'up'.
+ *
+ * @param {Array} events
+ * @param {{ bucketDays?:number, learnedAt?:Record<string,string>, earlyBucket?:number, lateBucket?:number, maxBuckets?:number }} opts
+ */
+export function dropCurve(events = [], opts = {}) {
+  const { perSlug, totals, undated, bucketDays } = bucketByAge(events, opts);
+
+  const summarize = (counts) => {
+    const c = Array.isArray(counts) ? counts.map((x) => Number(x) || 0) : [];
+    const earlyIdx = Number.isFinite(opts.earlyBucket) ? opts.earlyBucket : 0;
+    let lateIdx;
+    if (Number.isFinite(opts.lateBucket)) {
+      lateIdx = opts.lateBucket;
+    } else {
+      // last non-empty bucket; if all-empty, fall back to the last index.
+      lateIdx = c.length - 1;
+      for (let i = c.length - 1; i >= 0; i -= 1) { if (c[i] > 0) { lateIdx = i; break; } }
+    }
+    const early = Number(c[earlyIdx]) || 0;
+    const late = Number(c[lateIdx]) || 0;
+    let drop = null;
+    if (early > 0) drop = (early - late) / early;
+    let trend = 'flat';
+    if (late < early) trend = 'down';
+    else if (late > early) trend = 'up';
+    const total = c.reduce((a, b) => a + b, 0);
+    return { counts: c, early, late, earlyBucket: earlyIdx, lateBucket: lateIdx, drop, trend, total };
+  };
+
+  const perSlugOut = {};
+  for (const slug of Object.keys(perSlug)) perSlugOut[slug] = summarize(perSlug[slug]);
+
+  return {
+    perSlug: perSlugOut,
+    overall: summarize(totals),
+    undated,
+    bucketDays,
+  };
+}

package/src/recovery/checkpoint.js

@@ -50,7 +50,13 @@ export function recoveryStatus(projectRoot = process.cwd()) {
   const team = readTeamAssembly(projectRoot);
   const plan = buildSwarmPlan(projectRoot);
   const tasks = blackboard.tasks.data.tasks || [];
-  const latest = readLatest(paths.latest);
+  // readLatest() returns a wrapper { code, data } — unwrap to the bare
+  // checkpoint object (or null) so consumers can read `.id`/`.ts` directly.
+  // Previously the wrapper leaked through, so `ijfw recover status` printed
+  // "Latest checkpoint: undefined" even when latest.json existed and held a
+  // valid checkpoint (latest.id was on latest.data.id, never latest.id).
+  const latestRead = readLatest(paths.latest);
+  const latest = latestRead.code === 'ok' ? latestRead.data : null;
   return {
     ok: true,
     latest,

package/src/server.js

@@ -326,6 +326,21 @@ function safeProjectDir() {
 const PROJECT_DIR = safeProjectDir();
 const PROJECT_HASH = createHash('sha256').update(PROJECT_DIR).digest('hex').slice(0, 12);
 const IJFW_DIR = join(PROJECT_DIR, '.ijfw');
+
+// Tenant isolation (P4): the current project's tenant gates cross-project search
+// so one tenant's memory never surfaces in another's session. Source of truth:
+// IJFW_TENANT env, else `<project>/.ijfw/tenant` (first non-empty line), else
+// 'default'. Default==default => no behavior change until a user opts in.
+function currentTenant() {
+  const env = (process.env.IJFW_TENANT || '').trim();
+  if (env) return env;
+  try {
+    const raw = readFileSync(join(IJFW_DIR, 'tenant'), 'utf8');
+    const line = raw.split('\n').map((s) => s.trim()).find((s) => s.length > 0);
+    if (line) return line;
+  } catch { /* no tenant declared */ }
+  return 'default';
+}
 // REPO_ROOT is the parent of .ijfw/ — required by resolveBrainPaths.
 const REPO_ROOT = dirname(IJFW_DIR);
 // paths() re-reads the layout sentinel on every call so a long-running server
@@ -871,7 +886,7 @@ async function searchMemory(query, limit = 10, scope = 'project', opts = {}) {
     // crossProjectSearch, not the legacy naive keyword-count scan.
     const projects = readRegistry();
     if (projects.length === 0) return [];
-    return crossProjectSearch(query, projects, readProjectMemory, { limit });
+    return crossProjectSearch(query, projects, readProjectMemory, { limit, tenant: currentTenant() });
   }
 
   const sources = [
@@ -1215,7 +1230,20 @@ const TOOLS = [
 
 // --- Tool Handlers ---
 
-function handleRecall({ context_hint, detail_level = 'standard', from_project }) {
+// v1.6.0 functional-smoke fix — recall is genuinely async: its catch-all
+// natural-language branch calls `searchMemory` (async: opens the embedding-cache
+// db + runs the optional cold-tier vector rerank). The prior signature was
+// synchronous and the branch did `const results = searchMemory(...)` WITHOUT
+// awaiting, so `results` was a Promise: `results.length === 0` was
+// `undefined === 0` (false) and `results.map(...)` threw
+// "results.map is not a function" — making EVERY free-text recall
+// (exact-keyword AND natural-language) fail at runtime while every unit/route
+// test still passed (they only exercise the reserved context_hint branches:
+// session_start / handoff / decisions / facts / design_template, which return
+// synchronously). Making the function async + awaiting the search closes the
+// flagship-recall silent break. The single dispatch site (tools/call) already
+// runs inside an async IIFE, so awaiting the handler is free.
+async function handleRecall({ context_hint, detail_level = 'standard', from_project }) {
   // Cross-project explicit pull. We bypass current-project sources and read
   // the target project's knowledge/handoff/journal directly. Search queries
   // are routed through crossProjectSearch (BM25) via scope:'all' on the
@@ -1357,7 +1385,7 @@ function handleRecall({ context_hint, detail_level = 'standard', from_project })
     }
   }
 
-  const results = searchMemory(context_hint);
+  const results = await searchMemory(context_hint);
   if (results.length === 0) return { text: `No memories matching: ${context_hint}` };
   return { text: results.map(r => `[${r.source}] ${r.content}`).join('\n') };
 }
@@ -1949,7 +1977,7 @@ function handleCrossProjectSearch({ pattern, limit = 10 } = {}) {
   if (projects.length === 0) {
     return { text: 'No other IJFW projects on record. Open one more project to enable cross-project search.' };
   }
-  const hits = crossProjectSearch(pattern, projects, readProjectMemory, { limit });
+  const hits = crossProjectSearch(pattern, projects, readProjectMemory, { limit, tenant: currentTenant() });
   if (hits.length === 0) {
     return { text: `No matches for "${pattern}" across ${projects.length} project${projects.length === 1 ? '' : 's'}.` };
   }
@@ -1988,7 +2016,12 @@ function handleMetrics({ period = '7d', metric = 'tokens' } = {}) {
     return Number.isFinite(t) && t >= cutoff;
   });
   if (within.length === 0) {
-    return { text: `Window ${period}: no sessions yet. Earlier history available -- try period: 'all'.` };
+    // Don't suggest 'all' when the caller is already on 'all' (the rows simply
+    // carry no parseable timestamp in that case).
+    const hint = period === 'all'
+      ? ` ${rows.length} record(s) on disk but none carry a parseable timestamp.`
+      : ` Earlier history available -- try period: 'all'.`;
+    return { text: `Window ${period}: no sessions in range.${hint}` };
   }
 
   if (metric === 'sessions') {
@@ -2059,12 +2092,58 @@ function handleMessage(msg) {
   const { method, params, id } = msg;
 
   switch (method) {
-    case 'initialize':
-      return createResponse(id, {
+    case 'initialize': {
+      // v1.6.0 PERSONALIZATION S1 — OPTIONAL `instructions` field. The MCP
+      // `instructions` string is surfaced by hosts as ambient context the moment
+      // they connect, so it is the cross-tool "it followed me" surface: the same
+      // observed-pattern brief the Resource path serves, delivered without an
+      // explicit read. It is GATED EXACTLY like the passive Resource read
+      // (resources/read above): only when settings.profile.inject === 'on' AND
+      // IJFW_PROFILE_KILL is not engaged, and ALWAYS forceLowOnly (a passive
+      // injection carries no per-read consent, so LOW sensitivity only — the
+      // STYLE + EXPERTISE bands, never preference slugs). Best-effort: any error
+      // omits `instructions` and returns the plain initialize result — the field
+      // is strictly additive and must NEVER break protocol handshake.
+      const base = {
         protocolVersion: '2024-11-05',
         capabilities: { tools: {}, resources: {}, prompts: {} },
         serverInfo: { name: 'ijfw-memory', version: PKG_VERSION, schemaVersion: SCHEMA_VERSION }
-      });
+      };
+      return (async () => {
+        try {
+          // INJECT GATE — identical resolution to resources/read so the consent
+          // semantics are the same across every passive-injection surface.
+          let injectOn = false;
+          try {
+            const fs = await import('node:fs');
+            const path = await import('node:path');
+            const home = process.env.IJFW_HOME || path.join(process.env.HOME || '', '.ijfw');
+            const s = JSON.parse(fs.readFileSync(path.join(home, 'settings.json'), 'utf8'));
+            injectOn = s && s.profile && s.profile.inject === 'on';
+          } catch { injectOn = false; }
+          const kill = String(process.env.IJFW_PROFILE_KILL || '').trim().toLowerCase();
+          const killed = kill !== '' && kill !== '0' && kill !== 'false' && kill !== 'no' && kill !== 'off';
+          if (!injectOn || killed) {
+            return createResponse(id, base);
+          }
+          const { profileBrief } = await import('./profile/serve.js');
+          // forceLowOnly: passive injection => LOW-sensitivity ONLY, always —
+          // no env flag / allowlist entry can elevate a handshake-time brief.
+          const r = profileBrief({
+            context: { host: 'mcp-initialize' },
+            env: process.env,
+            forceLowOnly: true,
+          });
+          const instructions = r && typeof r.brief === 'string' ? r.brief : '';
+          // Empty brief (cold start / nothing earned) => omit the field entirely
+          // so the handshake stays byte-identical to the un-personalized server.
+          if (instructions) base.instructions = instructions;
+          return createResponse(id, base);
+        } catch {
+          return createResponse(id, base);
+        }
+      })();
+    }
 
     case 'notifications/initialized':
     case 'notifications/cancelled':
@@ -2164,8 +2243,22 @@ function handleMessage(msg) {
               // surface `isError: true` so the orchestrator-LLM treats it as a
               // hard stop rather than an advisory note (mirrors the prior
               // ijfw_subagent_post_done `block: true` contract).
+              //
+              // Functional-smoke fix (workflow-state dig): `isError` must also
+              // track the SDK's primary `ok` contract, not just `refused`. Every
+              // query() result carries `ok` (contract §7); a verb can return a
+              // genuine `{ ok:false }` WITHOUT `refused` (e.g. roster.synthesize
+              // on an unknown domain -> `{ ok:false, reason:'domain-template-
+              // missing' }`). Keying `isError` on `refused` alone reported those
+              // real failures to the orchestrator-LLM as SUCCESS — the same
+              // silent-swallow class as the memory-recall regression, and a
+              // cross-surface inconsistency with the CLI (cli-run.js exits
+              // non-zero on any `ok:false`). Widen the trigger to `ok === false
+              // || refused` so the MCP surface, the CLI surface, and the `ok`
+              // contract all agree.
               const refused = r && r.refused === true;
-              result = { text: JSON.stringify(r, null, 2), isError: !!refused };
+              const failed = !r || r.ok === false;
+              result = { text: JSON.stringify(r, null, 2), isError: failed || refused };
             } catch (err) {
               const msg = err && err.message ? err.message : String(err);
               result = { text: JSON.stringify({ ok: false, error: msg }), isError: true };
@@ -2289,7 +2382,7 @@ function handleMessage(msg) {
             break;
           }
           case 'ijfw_memory_recall':
-            result = handleRecall(args || {});
+            result = await handleRecall(args || {});
             emitRecallObservation(args || {});
             break;
           case 'ijfw_memory_store':
@@ -2377,7 +2470,15 @@ function handleMessage(msg) {
             const INLINE_BYTES = 50 * 1024;
 
             if (lines <= INLINE_LINES && bytes <= INLINE_BYTES && !timedOut) {
-              result = { text: stdout || '(no output)', isError: exitCode !== 0 };
+              // On failure, annotate so the human sees WHY even when the command
+              // produced no output (e.g. `exit 7` with empty stdout/stderr). The
+              // isError flag already signals failure to the client; this surfaces
+              // the exit code in the text too.
+              const body = stdout || '(no output)';
+              result = {
+                text: exitCode !== 0 ? `${body}\n[ijfw_run] command exited ${exitCode}` : body,
+                isError: exitCode !== 0,
+              };
               break;
             }
 
@@ -2413,9 +2514,79 @@ function handleMessage(msg) {
     }
 
     case 'resources/list':
-      return createResponse(id, { resources: [] });
-    case 'resources/read':
-      return createError(id, -32601, 'No resources available');
+      // PHASE P4.6 — expose the user-global profile brief as an MCP Resource
+      // for PASSIVE injection. A host that supports resource subscription can
+      // read this without an explicit tool call, surfacing the observed-pattern
+      // brief into context. cacheScope:'session' marks it host-session-cacheable
+      // (the brief changes only at SessionEnd re-derivation). The read path is
+      // ZERO-LLM (serve.js moat).
+      return createResponse(id, {
+        resources: [
+          {
+            uri: 'ijfw://profile/brief',
+            name: 'IJFW user profile brief',
+            description: 'Observed cross-system interaction patterns (informative, not directive). Sensitivity-gated, redaction-honored, zero-LLM.',
+            mimeType: 'text/markdown',
+            cacheScope: 'session',
+          },
+        ],
+      });
+    case 'resources/read': {
+      const uri = params && params.uri;
+      if (uri === 'ijfw://profile/brief') {
+        // ZERO-LLM read: profileBrief reads the store, composes via render-brief
+        // (sensitivity + redaction + kill-switch enforced), and logs egress.
+        // Cold start -> empty brief, never an error. Wrapped in an async IIFE
+        // (handleMessage is sync but may return a Promise — same pattern as
+        // tools/call) because serve.js is dynamically imported.
+        return (async () => {
+          try {
+            // v1.6.0 INJECT GATE — a passive Resource read is an injection, so it
+            // honors the same profile.inject consent the hooks use. Only inject
+            // when the resolved setting is "on" (IJFW_PROFILE_KILL forces off;
+            // "ask"/"off" serve an empty brief). Reading settings here keeps the
+            // gate consistent across the hook path and the MCP-resource path.
+            let injectOn = false;
+            try {
+              const fs = await import('node:fs');
+              const path = await import('node:path');
+              const home = process.env.IJFW_HOME || path.join(process.env.HOME || '', '.ijfw');
+              const s = JSON.parse(fs.readFileSync(path.join(home, 'settings.json'), 'utf8'));
+              injectOn = s && s.profile && s.profile.inject === 'on';
+            } catch { injectOn = false; }
+            const kill = String(process.env.IJFW_PROFILE_KILL || '').trim().toLowerCase();
+            const killed = kill !== '' && kill !== '0' && kill !== 'false' && kill !== 'no' && kill !== 'off';
+            if (!injectOn || killed) {
+              return createResponse(id, {
+                contents: [{ uri, mimeType: 'text/markdown', text: '' }],
+              });
+            }
+            const { profileBrief } = await import('./profile/serve.js');
+            // MED-3: a passive MCP Resource read can carry NO per-read user
+            // consent, so it must serve LOW-sensitivity ONLY — always. We force
+            // it here (forceLowOnly) so no env flag / allowlist entry can ever
+            // elevate a passive injection past the low tier.
+            const r = profileBrief({
+              context: { host: 'mcp-resource' },
+              env: process.env,
+              forceLowOnly: true,
+            });
+            return createResponse(id, {
+              contents: [
+                {
+                  uri,
+                  mimeType: 'text/markdown',
+                  text: String(r && r.brief ? r.brief : ''),
+                },
+              ],
+            });
+          } catch (err) {
+            return createError(id, -32603, `profile brief read failed: ${err.message}`);
+          }
+        })();
+      }
+      return createError(id, -32601, `Unknown resource: ${uri || '(none)'}`);
+    }
     case 'resources/templates/list':
       return createResponse(id, { resourceTemplates: [] });
     case 'prompts/list':

package/src/.registry-meta-key.pem

@@ -1,3 +0,0 @@
------BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEAL2lCdti0bYiFTGUo/hffy+NiBUBXdbDcdaDmjJS27i0=
------END PUBLIC KEY-----