@ijfw/memory-server 1.6.0 → 1.6.2

package/src/memory/fts5.js

@@ -8,7 +8,10 @@
 // Mirrors src/compute/fts5.js patterns:
 //   - WAL journal mode for concurrent readers
 //   - PRAGMA busy_timeout = 5000 + BEGIN IMMEDIATE for racing writers
-//   - PRAGMA quick_check post-write enforces integrity
+//   - PRAGMA quick_check corruption tripwire on a throttled cadence
+//     (first write per db file per process, then every Nth write or
+//     after a time floor -- never on every single-row insert, because
+//     quick_check is a full-database scan)
 //
 // Security model (D-PILLAR-SPEC section 12, real fix-wave C3):
 //   indexEntry runs `redactSecrets()` over `entry.body` AND `entry.source`
@@ -182,9 +185,52 @@ function readUserVersion(db) {
   return Number(row.user_version ?? row.USER_VERSION ?? 0);
 }
 
-// Insert one row into memory_entries inside a BEGIN IMMEDIATE transaction,
-// then run PRAGMA quick_check on the whole db. Throws MemoryIntegrityError
-// on anything other than 'ok'. Returns { id } of the inserted row.
+// Corruption tripwire cadence. PRAGMA quick_check walks every page of the
+// database, so running it inside EVERY single-row insert transaction is
+// O(db size) per write while the RESERVED lock is held -- a quadratic
+// total-cost cliff as the warm tier grows. The tripwire is kept, but on a
+// throttle: the FIRST write per db file per process always checks (so a
+// reopen-after-corruption is caught on the next write), then every Nth
+// write or once the time floor elapses, whichever fires first. State is
+// keyed by filename, NOT by handle, because server.js re-opens the db per
+// store -- a per-open or per-handle check would put the full scan right
+// back on the hot path.
+const QUICK_CHECK_EVERY_N = 100;
+const QUICK_CHECK_MIN_INTERVAL_MS = 5 * 60 * 1000;
+const __quickCheckState = new Map(); // filename -> { writes, lastTs }
+
+function shouldQuickCheck(filename, now = Date.now()) {
+  const key = filename || ':unknown:';
+  let st = __quickCheckState.get(key);
+  if (!st) {
+    st = { writes: 0, lastTs: 0 };
+    __quickCheckState.set(key, st);
+  }
+  st.writes++;
+  if (
+    st.writes === 1 ||
+    st.writes % QUICK_CHECK_EVERY_N === 0 ||
+    (now - st.lastTs) >= QUICK_CHECK_MIN_INTERVAL_MS
+  ) {
+    st.lastTs = now;
+    return true;
+  }
+  return false;
+}
+
+// Test hook -- cadence logic is invisible from outside (it only changes
+// WHEN the scan runs), so tests assert on it directly.
+export const __quickCheck = {
+  shouldQuickCheck,
+  QUICK_CHECK_EVERY_N,
+  QUICK_CHECK_MIN_INTERVAL_MS,
+  reset: () => __quickCheckState.clear(),
+};
+
+// Insert one row into memory_entries inside a BEGIN IMMEDIATE transaction.
+// On the throttled cadence above, runs PRAGMA quick_check inside the same
+// transaction and throws MemoryIntegrityError on anything other than 'ok'
+// (rolling the insert back -- fail-safe). Returns { id } of the inserted row.
 //
 // Caller passes { body, source?, session_id? }. created_at is set here
 // (unix ms) so callers don't have to remember the convention.
@@ -224,12 +270,14 @@ export function indexEntry(db, entry) {
     inserted = {
       id: info && info.lastInsertRowid != null ? Number(info.lastInsertRowid) : null,
     };
-    const qc = db.prepare('PRAGMA quick_check').get();
-    const status = qc && (qc.quick_check ?? qc.QUICK_CHECK);
-    if (status !== 'ok') {
-      throw new MemoryIntegrityError(
-        `PRAGMA quick_check failed after insert into memory_entries: ${status || '(no result)'}.`
-      );
+    if (shouldQuickCheck(db.__ijfw_filename)) {
+      const qc = db.prepare('PRAGMA quick_check').get();
+      const status = qc && (qc.quick_check ?? qc.QUICK_CHECK);
+      if (status !== 'ok') {
+        throw new MemoryIntegrityError(
+          `PRAGMA quick_check failed after insert into memory_entries: ${status || '(no result)'}.`
+        );
+      }
     }
   });
   tx();
@@ -282,6 +330,13 @@ export function indexEntry(db, entry) {
     const ts = row.created_at;
     const sessionId = row.session_id;
     const body = row.body;
+    // Receipt path must belong to the project that owns THIS db, never the
+    // process cwd (MCP hosts commonly spawn servers from $HOME, and openDb
+    // supports an explicit projectRoot distinct from cwd). The db lives at
+    // <root>/.ijfw/index/memory.db, so dirname(filename) IS the index dir.
+    const receiptDir = db.__ijfw_filename
+      ? dirname(db.__ijfw_filename)
+      : join(process.env.IJFW_PROJECT_DIR || process.cwd(), IJFW_DIR_NAME, INDEX_DIR_NAME);
     // v1.5.0 audit-LOW-memory-#14: dead-letter receipt for auto-index failures.
     // Fire-and-forget was already swallowed silently; now we append an
     // append-only JSONL receipt so silent indexer breakage is detectable in
@@ -293,10 +348,10 @@ export function indexEntry(db, entry) {
           // Lazy import; node:fs/promises is always available.
           import('node:fs/promises').then(({ appendFile, mkdir }) => {
             try {
-              const indexDir = '.ijfw/index';
+              const indexDir = receiptDir;
               return mkdir(indexDir, { recursive: true })
                 .then(() => appendFile(
-                  `${indexDir}/graph-errors.jsonl`,
+                  join(indexDir, 'graph-errors.jsonl'),
                   JSON.stringify({
                     ts: new Date().toISOString(),
                     session_id: sessionId || null,

package/src/memory/search.js

@@ -38,6 +38,12 @@ import { loadMigrations } from './migration-runner.js';
 // is imported directly so M1 runs synchronously inside the same txn batch.
 import { indexObsidianRelations } from './obsidian-parser.js';
 import { autoLink } from './auto-linker.js';
+// Ingest scrub gate (D-PILLAR-SPEC section 12) -- the warm-tier rebuild
+// reads raw markdown from disk, which is NOT guaranteed pre-scrubbed
+// (hand-edited notes, hook-written files, imports never went through
+// handleStore's redaction). autoIndex must apply the same redactSecrets
+// pass as fts5.js#indexEntry or secrets land cleartext in memory.db.
+import { redactSecrets } from '../redactor.js';
 
 const MAX_RESULTS  = 50;
 const SNIPPET_HALF = 60;
@@ -259,25 +265,35 @@ function runMemoryMigrationsSync(db, currentVersion, targetVersion) {
 }
 
 function autoIndex(db, files) {
-  let n = 0;
   // v1.5.1 R4-H2 — capture the rowid of every inserted entry so the
   // memory-moat aux indexing (M1 Obsidian relations, M2 auto-link) can run
   // over the warm-tier rebuild, not just the benchmark harness. The bulk
   // INSERT stays in one transaction for FTS write performance; M1/M2 run
   // AFTER commit so a parse/link failure can never abort the rebuild.
+  //
+  // Rollback safety: ids are collected in a transaction-local array and
+  // only published to `inserted` after txfn commits. If the batch rolls
+  // back, the rowids it produced no longer exist (and AUTOINCREMENT will
+  // reuse them), so running M1/M2 over them would attach links/tags/meta
+  // to the WRONG future entries.
   const inserted = [];
   const txfn = db.transaction((batch) => {
     const stmt = db.prepare(
       'INSERT INTO memory_entries (body, source, session_id, created_at) VALUES (?, ?, ?, ?)'
     );
+    const out = [];
     for (const item of batch) {
       const info = stmt.run(item.body, item.source, null, item.created_at);
       const id = info && info.lastInsertRowid != null ? Number(info.lastInsertRowid) : null;
-      inserted.push({ id, body: item.body });
-      n++;
+      out.push({ id, body: item.body });
     }
+    return out;
   });
 
+  // Same ingest scrub gate as fts5.js#indexEntry (IJFW_INGEST_SCRUB=0 is
+  // the only escape hatch, local debugging only). Body AND source are
+  // scrubbed so the FTS index and downstream M1/M2 only see safe text.
+  const scrub = process.env.IJFW_INGEST_SCRUB !== '0';
   const batch = [];
   const now = Date.now();
   for (const f of files) {
@@ -286,10 +302,22 @@ function autoIndex(db, files) {
     let body;
     try { body = readFileSync(f.path, 'utf8'); } catch { continue; }
     if (!body) continue;
-    batch.push({ body, source: f.relpath || f.path, created_at: now });
+    const rawSource = f.relpath || f.path;
+    batch.push({
+      body: scrub ? redactSecrets(body) : body,
+      source: scrub ? redactSecrets(String(rawSource)) : rawSource,
+      created_at: now,
+    });
   }
   if (batch.length === 0) return 0;
-  try { txfn.immediate(batch); } catch { /* one bad batch should not abort the search */ }
+  let n = 0;
+  try {
+    const committed = txfn.immediate(batch);
+    if (Array.isArray(committed)) {
+      inserted.push(...committed);
+      n = committed.length;
+    }
+  } catch { /* one bad batch should not abort the search; rollback discards ids */ }
 
   // v1.5.1 R4-H2 — M1: Obsidian wikilink/tag/meta indexing into
   // memory_links/_tags/_meta. Synchronous + idempotent (indexObsidianRelations

package/src/memory/staleness.js

@@ -169,7 +169,7 @@ export function propagateStaleMemory(memDb, computeDb, supersededNodeId, options
   if (namesToFlag.length > 0) {
     const updateMem = memDb.prepare(
       `UPDATE memory_entries SET stale_candidate = ? ` +
-      `WHERE COALESCE(stale_candidate, 0) < ? AND body LIKE ?`
+      `WHERE COALESCE(stale_candidate, 0) < ? AND body LIKE ? ESCAPE '\\'`
     );
 
     const txWrap = (typeof memDb.transaction === 'function')

package/src/model-refresh.js

@@ -232,9 +232,11 @@ async function probeGoogle(env, fetchImpl) {
   if (!key) return null;
   const { signal, cancel } = makeAbortable();
   try {
+    // Pass the key as a header, not a URL query param, so it never lands in
+    // proxy / CDN / firewall access logs (privacy audit finding).
     const r = await fetchImpl(
-      `https://generativelanguage.googleapis.com/v1beta/models?key=${encodeURIComponent(key)}`,
-      { signal },
+      'https://generativelanguage.googleapis.com/v1beta/models',
+      { signal, headers: { 'x-goog-api-key': key } },
     );
     if (!r.ok) return null;
     const json = await r.json();

package/src/profile/eval/corpus-from-reddit.test.mjs

@@ -42,7 +42,7 @@ function writeJson(rows) {
   return p;
 }
 
-// 10 authors × 6 long docs each — comfortably over the floors.
+// 10 authors x 6 long docs each — comfortably over the floors.
 function tenAuthors() {
   const rows = [];
   for (let a = 0; a < 10; a += 1) rows.push(...makeAuthorRows(`u${a}`, 6));

package/src/profile/eval/gate-b-run.mjs

@@ -218,7 +218,7 @@ export async function runGateBProduction(opts = {}) {
   //     budget-guarded cloud transport here: the allowed-set is the closed set of EVERY brief
   //     the pool's own personas + foreigner-pool produce (baseline '' + derived + fewShotOracle
   //     + register-echo) — foreign prose is never a target, only a fingerprint. The budget is
-  //     sized from arms × pool × probes × (pilot + confirmatory) with headroom.
+  //     sized from arms x pool x probes x (pilot + confirmatory) with headroom.
   const poolForGuard = [...personas, ...foreigners];
   const budget = opts.budget || {
     calls: 0,
@@ -328,7 +328,7 @@ export function buildAllowedSys(personas, cfg = {}) {
   return sys;
 }
 
-// Estimate the cloud-call budget: arms × subjects × probes, per spend phase.
+// Estimate the cloud-call budget: arms x subjects x probes, per spend phase.
 export function estimateCalls({
   nArms = 4, nSubjects, nProbes,
 }) {

package/src/profile/eval/harness.mjs

@@ -225,7 +225,7 @@ export function cohenKappa(raterA = [], raterB = []) {
 
 // ---------------------------------------------------------------------------
 // ECE — Expected Calibration Error on the profile's `confidence` field. Bins
-// (confidence, correctness) pairs and measures |avg-confidence − accuracy| per
+// (confidence, correctness) pairs and measures |avg-confidence - accuracy| per
 // bin, weighted by bin mass. A well-calibrated profile that says "0.7 confident"
 // is right ~70% of the time. This is what makes `confidence` an honest number
 // instead of decoration.

package/src/profile/eval/prereg.mjs

@@ -52,7 +52,7 @@ export function bonferroniAlpha(familyAlpha, verdictArms) {
 }
 
 // Measured-scale floor: the minimum mean margin that counts as a real effect, expressed
-// in the instrument's OWN units = floorK * (betweenMean − withinMean) from validateInstrument.
+// in the instrument's OWN units = floorK * (betweenMean - withinMean) from validateInstrument.
 // This REPLACES the blind absolute constant (the prior attempt's failure class). Frozen
 // before any cloud spend (floorK is hashed; the derived value is recorded in the run).
 export function deriveMinMeanMargin(validation, floorK) {

package/src/profile/eval/wrong-target-control.mjs

@@ -1,7 +1,7 @@
 // wrong-target-control.mjs — Gate B v2, Task T5. THE discriminator.
 //
 // For each subject P and arm, the margin is:
-//     m_P = distance(output, NEAREST same-register foreigner) − distance(output, OWN test)
+//     m_P = distance(output, NEAREST same-register foreigner) - distance(output, OWN test)
 // m_P > 0 means the styled output landed closer to P's OWN held-out fingerprint than to
 // the CLOSEST same-register stranger. A generic register-obeyer is ~equidistant from all
 // same-register targets ⇒ m≈0 ⇒ NULL. Only idiosyncratic voice capture wins.
@@ -118,7 +118,7 @@ export function wrongTargetControl(harnessOut, personas, opts = {}) {
     }
     const ownLoss = margins.map((m) => (m < 0 ? 1 : 0));
     const ci = bootstrapCI(margins, { iters: cfg.bootstrapIters, alpha: cfg.alpha, seed: cfg.seed });
-    // zeros-vs-wins sign test: b = #(margin>0), c = #(margin<0); two-sided p on |b−c|.
+    // zeros-vs-wins sign test: b = #(margin>0), c = #(margin<0); two-sided p on |b-c|.
     const sign = mcnemar(ownLoss, ownWin);
     perArm[arm] = {
       arm,
@@ -141,7 +141,7 @@ export function wrongTargetControl(harnessOut, personas, opts = {}) {
   for (const arm of harnessOut.arms) {
     if (arm === 'baseline' || !perArm.baseline) continue;
     const m = mcnemar(perArm.baseline.ownWin, perArm[arm].ownWin);
-    // mcnemar.pValue is TWO-SIDED (|b−c|), so the direction guard m.b > m.c is mandatory:
+    // mcnemar.pValue is TWO-SIDED (|b-c|), so the direction guard m.b > m.c is mandatory:
     // the arm must FLIP MORE subjects to own-match than baseline does, not merely differ.
     perArm[arm].vsBaseline = {
       b: m.b, c: m.c, pValue: m.pValue, beatsBaseline: significantAt(m.pValue, cfg.perTestAlpha) && m.b > m.c,

package/src/profile/exemplar-store.js

@@ -61,7 +61,7 @@ export const EXEMPLAR_TEXT_MAX = 600;
  * Max bytes we will read from the on-disk JSONL. The store is bounded by
  * MAX_EXEMPLARS short records, so a file larger than this is a corrupt/hand-
  * edited artifact; refusing to slurp it whole avoids an OOM. ~2 MiB is orders
- * of magnitude above any legitimate exemplar set (200 × 600 chars ≈ 120 KiB).
+ * of magnitude above any legitimate exemplar set (200 x 600 chars ≈ 120 KiB).
  */
 const MAX_STORE_BYTES = 2 * 1024 * 1024;
 

package/src/profile/telemetry.js

@@ -3,8 +3,8 @@
  *
  * The NO-JUDGE behavioral metric (design spec §"The honest bar", claim 2):
  * "Repeat-correction-rate drop — how often you re-issue the SAME correction,
- * bucketed by session age. A working system bends the curve down (3× in week 1
- * -> 0× by week 4). The most honest single number."
+ * bucketed by session age. A working system bends the curve down (3x in week 1
+ * -> 0x by week 4). The most honest single number."
  *
  * This module records, per preference SLUG, every time the user RE-ISSUES a
  * correction that the profile should already have learned, and computes the drop

package/src/recovery/code-fixer.js

@@ -286,14 +286,25 @@ export function tier2SyntaxCheckCmd(filePath) {
         ],
       };
     case '.py':
-      return { cmd: 'python3', args: ['-m', 'py_compile', filePath] };
+      // Windows ships python.exe, not python3. If neither exists the spawn
+      // ENOENT is treated as SKIP by verifyTier2, not a syntax failure.
+      return {
+        cmd: process.platform === 'win32' ? 'python' : 'python3',
+        args: ['-m', 'py_compile', filePath],
+      };
     case '.sh':
     case '.bash':
+      // On Windows this only works when a real bash.exe (Git Bash) is on
+      // PATH; otherwise verifyTier2 maps the ENOENT to SKIP.
       return { cmd: 'bash', args: ['-n', filePath] };
     case '.ts':
     case '.tsx': {
       // Only if tsc on PATH. The agent contract says SKIP when absent.
-      const which = spawnSync(process.platform === 'win32' ? 'where' : 'which', ['tsc'], {
+      // On Windows tsc is a .cmd shim which Node cannot spawn without a
+      // shell (CVE-2024-27980), and shelling out with an interpolated
+      // filePath would be an injection vector -- so SKIP honestly there.
+      if (process.platform === 'win32') return null;
+      const which = spawnSync('which', ['tsc'], {
         encoding: 'utf8',
       });
       if (which.status === 0 && which.stdout.trim()) {
@@ -319,6 +330,11 @@ export async function verifyTier2(filePath) {
     await execFileAsync(spec.cmd, spec.args, { timeout: 15_000 });
     return { ok: true, skipped: false };
   } catch (err) {
+    // Checker binary missing/not spawnable (ENOENT, or EINVAL for Windows
+    // .cmd shims) is "cannot verify", not "syntax error" -- honest SKIP.
+    if (err && (err.code === 'ENOENT' || err.code === 'EINVAL')) {
+      return { ok: true, skipped: true };
+    }
     const stderr = err.stderr || err.stdout || err.message || '';
     return {
       ok: false,
@@ -369,10 +385,15 @@ async function resolveProjectVerifyCmd(projectRoot, verifyCmdOverride) {
 export async function verifyTier3(projectRoot, verifyCmdOverride) {
   const cmd = await resolveProjectVerifyCmd(projectRoot, verifyCmdOverride);
   if (!cmd) return { ok: true, skipped: true };
-  // Run the command via `sh -c` so script lines like `npm test --silent` work
-  // verbatim. Timeout is generous (5 min) because real test suites can be slow.
+  // Run the command via the platform shell so script lines like
+  // `npm test --silent` work verbatim: `sh -c` on POSIX, `cmd /d /s /c` on
+  // Windows ('sh' is not on PATH there). Timeout is generous (5 min)
+  // because real test suites can be slow.
+  const [shellBin, shellArgs] = process.platform === 'win32'
+    ? [process.env.ComSpec || 'cmd.exe', ['/d', '/s', '/c', cmd]]
+    : ['sh', ['-c', cmd]];
   return new Promise((resolve) => {
-    execFile('sh', ['-c', cmd], { cwd: projectRoot, timeout: 5 * 60_000 }, (err, stdout, stderr) => {
+    execFile(shellBin, shellArgs, { cwd: projectRoot, timeout: 5 * 60_000 }, (err, stdout, stderr) => {
       const combined = `${String(stdout || '')}\n${String(stderr || '')}`;
       if (err) {
         const evidence = combined.split('\n').slice(0, 20).join('\n');

package/src/runtime-mediator.js

@@ -215,8 +215,11 @@ export async function maybeWarnDivergence(opts = {}) {
 
 /**
  * Map an MCP tool name (+ args) to the (action, target) tuple used for
- * permission checks. Returns null for unrecognised tool names; callers
- * should treat null as "no policy applies, allow" (these are bundled-only).
+ * permission checks. Returns null for unrecognised tool names. Callers MUST
+ * treat null as fail-closed whenever an extension is active: every tool the
+ * server advertises has an explicit mapping here, so a null mapping means a
+ * future tool was added without a policy entry -- denying is the only answer
+ * that keeps the sandbox sound (see gatePermissionAndQuota in server.js).
  */
 export function toolNameToActionTarget(toolName, args) {
   switch (toolName) {
@@ -225,8 +228,23 @@ export function toolNameToActionTarget(toolName, args) {
     case 'ijfw_memory_recall':
     case 'ijfw_memory_search':
     case 'ijfw_memory_prelude':
+    case 'ijfw_memory_facts':
     case 'ijfw_cross_project_search':
       return { action: 'read', target: 'memory:read' };
+    case 'ijfw_brain': {
+      // Brain verbs can write to the facts DB (wiki rebuilds, fact upserts),
+      // so classify the whole facade as a write -- conservative by design.
+      const verb = (args && typeof args.verb === 'string' && args.verb) ? args.verb : '*';
+      return { action: 'write', target: `brain:${verb}` };
+    }
+    case 'ijfw_state': {
+      // state-sdk verbs mutate project orchestration state.
+      const verb = (args && typeof args.verb === 'string' && args.verb) ? args.verb : '*';
+      return { action: 'write', target: `state:${verb}` };
+    }
+    case 'ijfw_cross_audit_converge':
+      // autoFix:true mutates source -- always treat as a write.
+      return { action: 'write', target: 'audit:converge' };
     case 'ijfw_metrics':
       return { action: 'read', target: 'metrics:read' };
     case 'ijfw_update_check':