@ijfw/memory-server 1.6.1 → 1.6.2

package/bin/ijfw-dashboard

@@ -40,10 +40,19 @@ function removePidFiles() {
 
 function openBrowser(url) {
   if (process.env.CI || process.env.NO_OPEN) return;
-  const cmd = process.platform === 'darwin' ? 'open'
-    : process.platform === 'win32' ? 'start'
-    : 'xdg-open';
-  try { spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref(); } catch {}
+  // `start` is a cmd.exe builtin (no start.exe on PATH), so it must be run
+  // through cmd. The empty '' arg is start's window-title slot, which would
+  // otherwise swallow the URL. url is built internally from a parsed port.
+  const [cmd, args] = process.platform === 'darwin' ? ['open', [url]]
+    : process.platform === 'win32' ? ['cmd', ['/c', 'start', '', url]]
+    : ['xdg-open', [url]];
+  try {
+    const child = spawn(cmd, args, { detached: true, stdio: 'ignore' });
+    // Missing opener surfaces as an async 'error' event, not a throw --
+    // swallow it so it can never become an uncaught exception.
+    child.on('error', () => {});
+    child.unref();
+  } catch {}
 }
 
 // Probe a URL for HTTP 200, retrying on connection-refused until timeoutMs elapses.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ijfw/memory-server",
-  "version": "1.6.1",
+  "version": "1.6.2",
   "description": "Cross-platform persistent memory server for IJFW. 14 MCP tools (memory + admin/update + brain). Works with 15 platforms: 14 via MCP (Claude Code, Codex, Gemini CLI, Cursor, Windsurf, Copilot, Hermes, Wayland, OpenCode, QwenCode, Cline, KimiCode, OpenClaw, Antigravity) plus Aider via the rules-only tier.",
   "author": "Sean Donahoe",
   "contributors": [

package/src/audit-roster.js

@@ -281,10 +281,22 @@ export function isInstalled(id) {
   // `[ -x ]` (or be a shell builtin/keyword/function with no filesystem path,
   // which `command -v` reports without a leading slash — those are genuinely
   // runnable). A real installed CLI is an executable file and still passes.
-  const probe = `p=$(command -v ${JSON.stringify(bin)} 2>/dev/null) || exit 1; ` +
-    `case "$p" in /*) [ -x "$p" ] ;; *) : ;; esac`;
-  const r = spawnSync('bash', ['-lc', probe], { timeout: 2000 });
-  const installed = r.status === 0;
+  //
+  // On native Windows `bash` is either absent (probe would mark every auditor
+  // uninstalled) or the WSL launcher (probe would report the Linux distro's
+  // PATH, which the Windows-side invoker cannot run). Use `where` instead:
+  // it resolves .cmd/.exe shims on the real Windows PATH, matching how the
+  // auditors are actually spawned (shell:true on win32).
+  let installed;
+  if (process.platform === 'win32') {
+    const r = spawnSync('where', [bin], { timeout: 2000, encoding: 'utf8', windowsHide: true });
+    installed = r.status === 0 && Boolean((r.stdout || '').trim());
+  } else {
+    const probe = `p=$(command -v ${JSON.stringify(bin)} 2>/dev/null) || exit 1; ` +
+      `case "$p" in /*) [ -x "$p" ] ;; *) : ;; esac`;
+    const r = spawnSync('bash', ['-lc', probe], { timeout: 2000 });
+    installed = r.status === 0;
+  }
   _installedCache.set(id, { value: installed, ts: Date.now() });
   return installed;
 }

package/src/compute/fts5.js

@@ -242,9 +242,34 @@ function readUserVersion(db) {
   return Number(row.user_version ?? row.USER_VERSION ?? 0);
 }
 
+// quick_check throttle state, keyed per db handle. First write per handle
+// always checks; then every Nth write or once the time floor elapses.
+const QUICK_CHECK_EVERY_N = 100;
+const QUICK_CHECK_MIN_INTERVAL_MS = 5 * 60 * 1000;
+const quickCheckState = new WeakMap(); // db handle -> { writes, lastTs }
+
+function shouldQuickCheck(db, now = Date.now()) {
+  let st = quickCheckState.get(db);
+  if (!st) {
+    st = { writes: 0, lastTs: 0 };
+    quickCheckState.set(db, st);
+  }
+  st.writes++;
+  if (
+    st.writes === 1 ||
+    st.writes % QUICK_CHECK_EVERY_N === 0 ||
+    (now - st.lastTs) >= QUICK_CHECK_MIN_INTERVAL_MS
+  ) {
+    st.lastTs = now;
+    return true;
+  }
+  return false;
+}
+
 // Insert one row into a content table inside a transaction, then run
-// PRAGMA quick_check on the whole db. Throws IntegrityError on anything
-// other than 'ok'. Returns { id } of the inserted row.
+// PRAGMA quick_check on the whole db (throttled; see above). Throws
+// IntegrityError on anything other than 'ok'. Returns { id } of the
+// inserted row.
 //
 // Allowed tables: raw, compiled, trident_run, schema_meta. Caller passes a
 // row object whose keys match the table's columns; binding is positional
@@ -291,19 +316,28 @@ export function safeWrite(db, table, row) {
   const sql = `INSERT INTO ${table} (${cols.join(', ')}) VALUES (${placeholders})`;
   const values = cols.map(c => row[c]);
 
-  // Run insert + quick_check inside a single transaction. Rollback on
-  // either failure so we never leave a half-written FTS index behind.
+  // Run insert + (throttled) quick_check inside a single transaction.
+  // Rollback on either failure so we never leave a half-written FTS index
+  // behind. quick_check is a full-database scan, so it can't run on every
+  // insert (O(db size) per write while the lock is held); the corruption
+  // tripwire fires on the FIRST write per handle (compute callers hold
+  // long-lived handles, so reopen-after-corruption is still caught), then
+  // every Nth write or after a time floor, whichever comes first. State is
+  // keyed per HANDLE (WeakMap), unlike memory/fts5.js which keys per
+  // filename because server.js re-opens that db per store.
   let inserted;
   const tx = db.txn(() => {
     const stmt = db.prepare(sql);
     const info = stmt.run(...values);
     inserted = { id: info && info.lastInsertRowid != null ? Number(info.lastInsertRowid) : null };
-    const qc = db.prepare('PRAGMA quick_check').get();
-    const status = qc && (qc.quick_check ?? qc.QUICK_CHECK);
-    if (status !== 'ok') {
-      throw new IntegrityError(
-        `PRAGMA quick_check failed after insert into ${table}: ${status || '(no result)'}.`
-      );
+    if (shouldQuickCheck(db)) {
+      const qc = db.prepare('PRAGMA quick_check').get();
+      const status = qc && (qc.quick_check ?? qc.QUICK_CHECK);
+      if (status !== 'ok') {
+        throw new IntegrityError(
+          `PRAGMA quick_check failed after insert into ${table}: ${status || '(no result)'}.`
+        );
+      }
     }
   });
   tx();

package/src/compute/staleness.js

@@ -166,11 +166,11 @@ export function propagateStale(db, supersededNodeId, options = {}) {
     // timeout in fts5.openDb, so concurrent reads remain unblocked.
     const updateRaw = db.prepare(
       `UPDATE raw SET stale_candidate = ? ` +
-      `WHERE stale_candidate < ? AND body LIKE ?`
+      `WHERE stale_candidate < ? AND body LIKE ? ESCAPE '\\'`
     );
     const updateCompiled = db.prepare(
       `UPDATE compiled SET stale_candidate = ? ` +
-      `WHERE stale_candidate < ? AND (topic LIKE ? OR body LIKE ?)`
+      `WHERE stale_candidate < ? AND (topic LIKE ? ESCAPE '\\' OR body LIKE ? ESCAPE '\\')`
     );
 
     const tx = (typeof db.txn === 'function')
@@ -204,12 +204,13 @@ export function propagateStale(db, supersededNodeId, options = {}) {
   };
 }
 
-// LIKE pattern escape -- our names can contain `%` or `_` (e.g. error
-// codes like `E_BUSY%` -- unlikely but possible). Escape both, plus the
-// backslash escape character. Use `\` as the escape; SQLite needs an
-// explicit ESCAPE clause to honour it, so we add that to the prepared
-// statement above. (Skipped here because in practice kg_node names from
-// our regex extractor never contain `%` or `_` chars.)
+// LIKE pattern escape -- kg_node names routinely contain `_` (the entity
+// extractor's snake_case/UPPER_SNAKE regexes REQUIRE underscores) and can
+// contain `%`. Escape both, plus the backslash escape character. SQLite
+// LIKE has NO default escape character, so every consuming statement above
+// carries an explicit ESCAPE '\' clause -- without it, `\_` matches a
+// literal backslash followed by ANY character and snake_case names
+// silently flag zero rows.
 function escapeLike(s) {
   return String(s).replace(/[\\%_]/g, '\\$&');
 }

package/src/cost/readers/codex.js

@@ -8,7 +8,7 @@
  */
 
 import { readdirSync, readFileSync, existsSync, statSync } from 'node:fs';
-import { join } from 'node:path';
+import { join, basename } from 'node:path';
 import { homedir } from 'node:os';
 
 const CODEX_SESSIONS_DIR = join(homedir(), '.codex', 'sessions');
@@ -63,13 +63,13 @@ function processCodexFile(filePath, turns) {
   }
 
   if (!sessionId) {
-    // Derive session id from filename
-    const base = filePath.split('/').pop().replace('.jsonl', '');
-    sessionId = base;
+    // Derive session id from filename (basename handles both path separators)
+    sessionId = basename(filePath, '.jsonl');
   }
 
-  // Extract timestamp from session path (YYYY/MM/DD/filename)
-  const dateParts = filePath.match(/(\d{4})\/(\d{2})\/(\d{2})/);
+  // Extract timestamp from session path (YYYY/MM/DD/filename); paths are
+  // join()-built, so accept either separator (backslashes on Windows).
+  const dateParts = filePath.match(/(\d{4})[\\/](\d{2})[\\/](\d{2})/);
   const datePrefix = dateParts ? `${dateParts[1]}-${dateParts[2]}-${dateParts[3]}` : null;
 
   // Accumulate per-session totals from response_item/message content

package/src/cross-orchestrator-cli.js

@@ -9,7 +9,7 @@
 
 import { readFileSync, existsSync, writeFileSync, mkdirSync, statSync, openSync, readSync, closeSync, readdirSync, rmSync, realpathSync, copyFileSync } from 'node:fs';
 import { fileURLToPath, pathToFileURL } from 'node:url';
-import { join, dirname, basename, isAbsolute, resolve } from 'node:path';
+import { join, dirname, basename, isAbsolute, resolve, parse as parsePath, sep } from 'node:path';
 import { homedir } from 'node:os';
 import { spawnSync } from 'node:child_process';
 import { writeAtomic } from './lib/atomic-io.js';
@@ -210,7 +210,7 @@ function emitJson(value) {
   process.stdout.write(JSON.stringify(value, null, 2) + '\n');
 }
 
-function parseArgs(argv) {
+export function parseArgs(argv) {
   const args = argv.slice(2); // strip node + script path
 
   // Global --json flag: any command can be forced to JSON output regardless
@@ -508,20 +508,12 @@ function parseArgsInner(args) {
       return { cmd: 'cross-project-audit', rule, dryRun };
     }
 
-    const target = args[2];
-    let only = null;
-    let confirm = false;
-    let expand = false;
-    let chunk = false;
-
-    for (let i = 3; i < args.length; i++) {
-      if (args[i] === '--confirm') { confirm = true; }
-      else if (args[i] === '--expand') { expand = true; }
-      else if (args[i] === '--chunk') { chunk = true; } // v1.5.1 H1.6 — wire chunker
-      else if (args[i] === '--with' && args[i + 1]) { only = args[++i]; }
-    }
-
-    return { cmd: 'cross', mode, target, only, confirm, expand, chunk };
+    // Reuse the alias parser so `ijfw cross <mode>` and `ijfw cross-<mode>`
+    // share one grammar: --with=<id> form, flags-before-target ordering, and
+    // flag tokens never consumed as the target. The old position-rigid parser
+    // (target = args[2], space-separated --with only) silently dropped
+    // --with=<id> and dispatched the full paid roster.
+    return parseCrossAlias(mode, args.slice(1));
   }
 
   return { cmd: 'unknown', raw: args[0] };
@@ -1373,7 +1365,7 @@ async function cmdCross({ mode, target, only, confirm, expand, chunk }) {
       console.log(`Auditors fired (union): ${[...auditorIds].join(', ') || '(none)'}`);
       if (!firedAny) {
         console.log('No auditors fired -- run `ijfw doctor` to see the install hints.');
-        process.exit(2); // r17.1 — degraded exit code
+        process.exit(3); // zero picks contributed -- INCONCLUSIVE, same code as the normal path
       }
       for (const f of merged) {
         const sev = (f.severity || 'note').toUpperCase();
@@ -1401,7 +1393,10 @@ async function cmdCross({ mode, target, only, confirm, expand, chunk }) {
     console.log('Trident is standing by -- no auditors reachable yet.');
     console.log('Wire one in 30 seconds: run `ijfw doctor` for the exact install commands.');
     console.log('Tip: any one of codex / gemini / claude / copilot is enough to start.');
-    process.exit(0);
+    // No audit happened: exit 3 per the documented contract below (zero picks
+    // contributed = INCONCLUSIVE). Exit 0 here let CI gates pass green on a
+    // machine with no auditors installed.
+    process.exit(3);
   }
 
   const projectDir = process.cwd();
@@ -1425,7 +1420,7 @@ async function cmdCross({ mode, target, only, confirm, expand, chunk }) {
   if (picks.length === 0) {
     console.log('\nIJFW has the Trident ready -- install codex or gemini (or set OPENAI_API_KEY / GEMINI_API_KEY), then run `ijfw demo`.');
     console.log('Run `ijfw doctor` to see which auditors are available on this machine.');
-    return;
+    process.exit(3); // zero picks contributed -- INCONCLUSIVE per the exit contract
   }
 
   console.log(`Fired: ${picks.map(p => p.id).join(', ')}`);
@@ -2972,8 +2967,14 @@ function cmdInit(parsed = {}) {
   try { phys = realpathSync(cwd); } catch { phys = resolve(cwd); }
   let homePhys;
   try { homePhys = realpathSync(homedir()); } catch { homePhys = homedir(); }
-  if (phys === '/' || phys === homePhys) {
-    console.error('ijfw init: refusing to bless your home directory or the filesystem root for indexing.');
+  // Refuse any filesystem/drive root (parse().root catches '/', 'C:\\', UNC
+  // roots), the home directory itself, or any ANCESTOR of home (blessing
+  // /Users or /home would let the indexer walk every user's home -- the
+  // issue #16 privacy hole one directory up).
+  const isFsRoot = parsePath(phys).root === phys;
+  const isHomeOrAncestor = phys === homePhys || homePhys.startsWith(phys + sep);
+  if (isFsRoot || isHomeOrAncestor) {
+    console.error('ijfw init: refusing to bless your home directory, its ancestors, or a filesystem root for indexing.');
     console.error('Run `ijfw init` from inside an actual project folder.');
     process.exit(1);
   }
@@ -3007,6 +3008,9 @@ function cmdInstall() {
     process.exit(1);
   }
   const res = spawnSync('bash', [script, ...process.argv.slice(3)], { stdio: 'inherit' });
+  // spawnSync failure (bash missing, EACCES) yields status null + res.error
+  // and stdio:'inherit' prints nothing -- surface it instead of exiting mute.
+  if (res.error) console.error(`ijfw: failed to launch ${script}: ${res.error.message}`);
   process.exit(res.status ?? 1);
 }
 function cmdUninstall() {
@@ -3016,6 +3020,7 @@ function cmdUninstall() {
     process.exit(1);
   }
   const res = spawnSync(process.execPath, [script, ...process.argv.slice(3)], { stdio: 'inherit' });
+  if (res.error) console.error(`ijfw: failed to launch ${script}: ${res.error.message}`);
   process.exit(res.status ?? 1);
 }
 function cmdPreflight() {
@@ -3025,6 +3030,7 @@ function cmdPreflight() {
     process.exit(1);
   }
   const res = spawnSync(process.execPath, [script, ...process.argv.slice(3)], { stdio: 'inherit' });
+  if (res.error) console.error(`ijfw: failed to launch ${script}: ${res.error.message}`);
   process.exit(res.status ?? 1);
 }
 function cmdDashboard(sub) {
@@ -3044,6 +3050,7 @@ function cmdDashboard(sub) {
   // stays authoritative. argv = [node, cli, 'dashboard', <sub>, ...flags].
   const passthrough = process.argv.slice(4);
   const res = spawnSync(process.execPath, [launcher, sub, ...passthrough], { stdio: 'inherit' });
+  if (res.error) console.error(`ijfw: failed to launch ${launcher}: ${res.error.message}`);
   process.exit(res.status ?? 1);
 }
 

package/src/dashboard-server.js

@@ -7,7 +7,7 @@
  */
 
 import { createServer } from 'node:http';
-import { existsSync, readFileSync, watch, writeFileSync, mkdirSync, readdirSync, statSync, realpathSync, renameSync, unlinkSync } from 'node:fs';
+import { existsSync, readFileSync, watch, writeFileSync, mkdirSync, readdirSync, statSync, realpathSync, renameSync, unlinkSync, openSync, readSync, closeSync, chmodSync } from 'node:fs';
 import { readFile } from 'node:fs/promises';
 import { homedir } from 'node:os';
 import { join, dirname, resolve, relative, isAbsolute, basename, sep } from 'node:path';
@@ -178,14 +178,31 @@ function requireLocalhost(req, res) {
 // stamp Sec-Fetch-Site; the dashboard's own page is 'same-origin', direct tools
 // (curl, address bar) send 'none'/nothing. Only same-machine cross-origin pages
 // hit 'cross-site'/'same-site' -- block those on /api.
+//
+// State-changing methods (POST/PUT/PATCH/DELETE) fail CLOSED when Sec-Fetch-Site
+// is absent: a browser cross-origin write always carries an Origin header (even
+// for no-preflight text/plain "simple requests"), so any Origin/Referer that does
+// not match our own Host is rejected. Requests with no browser markers at all
+// (curl, local scripts) carry neither header and stay allowed.
 function rejectCrossSiteApi(req, res, path) {
   if (!path.startsWith('/api')) return false;
-  const sfs = req.headers['sec-fetch-site'];
-  if (sfs === 'cross-site' || sfs === 'same-site') {
+  function reject() {
     res.writeHead(403, { 'Content-Type': 'application/json' });
     res.end('{"error":"cross-origin request rejected"}');
     return true;
   }
+  const sfs = req.headers['sec-fetch-site'];
+  if (sfs === 'cross-site' || sfs === 'same-site') return reject();
+  const method = (req.method || 'GET').toUpperCase();
+  if (method === 'GET' || method === 'HEAD' || method === 'OPTIONS') return false;
+  // Writes: 'same-origin'/'none' are browser-proven safe; otherwise require any
+  // Origin/Referer present to match the host the request was addressed to.
+  if (sfs === 'same-origin' || sfs === 'none') return false;
+  const proof = req.headers['origin'] || req.headers['referer'];
+  if (!proof) return false;
+  let proofHost = null;
+  try { proofHost = new URL(proof).host; } catch {}
+  if (proofHost === null || proofHost !== (req.headers.host || '')) return reject();
   return false;
 }
 
@@ -205,14 +222,43 @@ function route(req, res, routes) {
 }
 
 // ---------- JSONL reader ----------
+// observations.jsonl is append-only with no rotation, so an unbounded
+// synchronous read+parse on every poll would stall the single-threaded server
+// (same hazard tailEvents() was rewritten to avoid). Bound the read to the
+// last OBS_TAIL_BYTES via fd+position, and cache the parsed array keyed on
+// mtime+size so repeated polls of an unchanged file never re-read it.
+const OBS_TAIL_BYTES = 5 * 1024 * 1024; // 5MB
+const obsCache = new Map(); // ledgerPath -> { key, data }
+
 function readObservations(ledgerPath) {
-  if (!existsSync(ledgerPath)) return [];
+  let st;
+  try { st = statSync(ledgerPath); } catch { return []; }
+  const key = `${st.mtimeMs}:${st.size}`;
+  const cached = obsCache.get(ledgerPath);
+  if (cached && cached.key === key) return cached.data;
   try {
-    return readFileSync(ledgerPath, 'utf8')
-      .split('\n')
-      .filter(Boolean)
+    const start = Math.max(0, st.size - OBS_TAIL_BYTES);
+    const len = st.size - start;
+    const buf = Buffer.allocUnsafe(len);
+    const fd = openSync(ledgerPath, 'r');
+    let read = 0;
+    try {
+      while (read < len) {
+        const n = readSync(fd, buf, read, len - read, start + read);
+        if (n === 0) break;
+        read += n;
+      }
+    } finally {
+      closeSync(fd);
+    }
+    let lines = buf.subarray(0, read).toString('utf8').split('\n').filter(Boolean);
+    // If we sliced mid-line, the first element may be truncated -- drop it.
+    if (start > 0) lines = lines.slice(1);
+    const data = lines
       .map(l => { try { return JSON.parse(l); } catch { return null; } })
       .filter(Boolean);
+    obsCache.set(ledgerPath, { key, data });
+    return data;
   } catch {
     return [];
   }
@@ -830,8 +876,11 @@ export async function startServer(options = {}) {
         req.on('end', () => {
           try {
             const parsed = JSON.parse(body);
-            mkdirSync(join(homedir(), '.ijfw'), { recursive: true });
-            writeFileSync(configPath, JSON.stringify(parsed, null, 2), 'utf8');
+            mkdirSync(join(homedir(), '.ijfw'), { recursive: true, mode: 0o700 });
+            // 0o600: config holds account/subscription data; keep it owner-only
+            // (mode only applies on create, so chmod existing files too).
+            writeFileSync(configPath, JSON.stringify(parsed, null, 2), { encoding: 'utf8', mode: 0o600 });
+            try { chmodSync(configPath, 0o600); } catch {}
             res.writeHead(200, { 'Content-Type': 'application/json' });
             res.end(JSON.stringify({ ok: true }));
           } catch (err) {
@@ -1497,6 +1546,50 @@ if (process.argv.includes('--daemon')) {
   const pidFile  = process.env.IJFW_PID_FILE  || join(homedir(), '.ijfw', 'dashboard.pid');
   const portFile = process.env.IJFW_PORT_FILE || join(homedir(), '.ijfw', 'dashboard.port');
 
+  // Singleton guard: the spawner's pid-check (session-start.sh) is a classic
+  // check-then-act race -- two sessions starting in the same window both see no
+  // live daemon and both spawn --daemon. Without a guard here, the loser walks
+  // to the next port and OVERWRITES the shared pid/port files, orphaning the
+  // winner forever. Acquire the pid file with O_EXCL BEFORE binding: exactly
+  // one starter wins; losers exit 0 without binding or clobbering. A pid file
+  // whose owner is dead is stale and reclaimed once.
+  const ijfwDir = dirname(pidFile);
+  mkdirSync(ijfwDir, { recursive: true });
+
+  function pidAlive(pid) {
+    if (!Number.isInteger(pid) || pid <= 0) return false;
+    try { process.kill(pid, 0); return true; }
+    catch (err) { return err.code === 'EPERM'; }
+  }
+
+  function acquirePidFile() {
+    for (let attempt = 0; attempt < 2; attempt++) {
+      try {
+        writeFileSync(pidFile, String(process.pid), { encoding: 'utf8', flag: 'wx' });
+        return true;
+      } catch (err) {
+        if (err.code !== 'EEXIST') throw err;
+        let holder = NaN;
+        try { holder = Number.parseInt(readFileSync(pidFile, 'utf8').trim(), 10); } catch {}
+        if (pidAlive(holder)) return false; // live daemon already owns it
+        try { unlinkSync(pidFile); } catch {} // stale -- reclaim and retry once
+      }
+    }
+    return false; // lost the reclaim race to another starter; that one serves
+  }
+
+  if (!acquirePidFile()) {
+    process.stderr.write('[ijfw-dashboard] daemon already running -- exiting\n');
+    process.exit(0);
+  }
+
+  function releasePidFile() {
+    // Only remove the pid file if it is still ours.
+    try {
+      if (readFileSync(pidFile, 'utf8').trim() === String(process.pid)) unlinkSync(pidFile);
+    } catch {}
+  }
+
   // Optional preferred-port override (forwarded by the launcher's `--port N`).
   // Unset = default 37891-37900 walk. Invalid values fall back to the default.
   const startOpts = {};
@@ -1504,10 +1597,6 @@ if (process.argv.includes('--daemon')) {
   if (Number.isInteger(envPort) && envPort > 0 && envPort < 65536) startOpts.port = envPort;
 
   startServer(startOpts).then(({ port }) => {
-    const ijfwDir = dirname(pidFile);
-    mkdirSync(ijfwDir, { recursive: true });
-    // PID file: plain write (single writer; pid is meaningless mid-write)
-    writeFileSync(pidFile, String(process.pid), 'utf8');
     // Port file: atomic write via tmp+rename so readers never see a partial value (W4.2).
     // Cleanup tmp on rename failure so it doesn't leak (W9-M1).
     const portTmp = `${portFile}.tmp.${process.pid}.${Date.now()}`;
@@ -1519,6 +1608,7 @@ if (process.argv.includes('--daemon')) {
       throw new Error(`atomic write failed for ${portFile}: ${err.message}`);
     }
   }).catch(err => {
+    releasePidFile();
     process.stderr.write('[ijfw-dashboard] ' + err.message + '\n');
     process.exit(1);
   });

package/src/design/iframe-bridge.js

@@ -99,10 +99,18 @@ export async function createPreviewSandbox({ html, name } = {}) {
   // surface for vercel-sandbox is evolving; we accept any JSON line that
   // contains a `url` field.
   try {
+    // shell:true on Windows so the vercel.cmd npm shim resolves; harmless on
+    // POSIX. sandboxId/tmpFile are internally generated (sanitized name +
+    // uuid under tmpdir), not user input.
     const r = spawnSync('vercel', ['sandbox', 'create', '--file', tmpFile, '--name', sandboxId], {
       encoding: 'utf8',
       timeout: PROVISION_TIMEOUT_MS,
+      shell: process.platform === 'win32',
     });
+    if (r.error) {
+      _advise(`createPreviewSandbox: vercel CLI not spawnable (${r.error.message}) -- falling back to static`);
+      return null;
+    }
     if (r.status !== 0) {
       _advise(`createPreviewSandbox: vercel CLI exit ${r.status} -- falling back to static`);
       return null;
@@ -140,7 +148,11 @@ export async function destroySandbox(sandboxId) {
       return;
     }
     if (entry.mode === 'cli') {
-      spawnSync('vercel', ['sandbox', 'delete', sandboxId], { encoding: 'utf8', timeout: DESTROY_TIMEOUT_MS });
+      spawnSync('vercel', ['sandbox', 'delete', sandboxId], {
+        encoding: 'utf8',
+        timeout: DESTROY_TIMEOUT_MS,
+        shell: process.platform === 'win32',
+      });
       return;
     }
   } catch (err) {

package/src/memory/fts5.js

@@ -8,7 +8,10 @@
 // Mirrors src/compute/fts5.js patterns:
 //   - WAL journal mode for concurrent readers
 //   - PRAGMA busy_timeout = 5000 + BEGIN IMMEDIATE for racing writers
-//   - PRAGMA quick_check post-write enforces integrity
+//   - PRAGMA quick_check corruption tripwire on a throttled cadence
+//     (first write per db file per process, then every Nth write or
+//     after a time floor -- never on every single-row insert, because
+//     quick_check is a full-database scan)
 //
 // Security model (D-PILLAR-SPEC section 12, real fix-wave C3):
 //   indexEntry runs `redactSecrets()` over `entry.body` AND `entry.source`
@@ -182,9 +185,52 @@ function readUserVersion(db) {
   return Number(row.user_version ?? row.USER_VERSION ?? 0);
 }
 
-// Insert one row into memory_entries inside a BEGIN IMMEDIATE transaction,
-// then run PRAGMA quick_check on the whole db. Throws MemoryIntegrityError
-// on anything other than 'ok'. Returns { id } of the inserted row.
+// Corruption tripwire cadence. PRAGMA quick_check walks every page of the
+// database, so running it inside EVERY single-row insert transaction is
+// O(db size) per write while the RESERVED lock is held -- a quadratic
+// total-cost cliff as the warm tier grows. The tripwire is kept, but on a
+// throttle: the FIRST write per db file per process always checks (so a
+// reopen-after-corruption is caught on the next write), then every Nth
+// write or once the time floor elapses, whichever fires first. State is
+// keyed by filename, NOT by handle, because server.js re-opens the db per
+// store -- a per-open or per-handle check would put the full scan right
+// back on the hot path.
+const QUICK_CHECK_EVERY_N = 100;
+const QUICK_CHECK_MIN_INTERVAL_MS = 5 * 60 * 1000;
+const __quickCheckState = new Map(); // filename -> { writes, lastTs }
+
+function shouldQuickCheck(filename, now = Date.now()) {
+  const key = filename || ':unknown:';
+  let st = __quickCheckState.get(key);
+  if (!st) {
+    st = { writes: 0, lastTs: 0 };
+    __quickCheckState.set(key, st);
+  }
+  st.writes++;
+  if (
+    st.writes === 1 ||
+    st.writes % QUICK_CHECK_EVERY_N === 0 ||
+    (now - st.lastTs) >= QUICK_CHECK_MIN_INTERVAL_MS
+  ) {
+    st.lastTs = now;
+    return true;
+  }
+  return false;
+}
+
+// Test hook -- cadence logic is invisible from outside (it only changes
+// WHEN the scan runs), so tests assert on it directly.
+export const __quickCheck = {
+  shouldQuickCheck,
+  QUICK_CHECK_EVERY_N,
+  QUICK_CHECK_MIN_INTERVAL_MS,
+  reset: () => __quickCheckState.clear(),
+};
+
+// Insert one row into memory_entries inside a BEGIN IMMEDIATE transaction.
+// On the throttled cadence above, runs PRAGMA quick_check inside the same
+// transaction and throws MemoryIntegrityError on anything other than 'ok'
+// (rolling the insert back -- fail-safe). Returns { id } of the inserted row.
 //
 // Caller passes { body, source?, session_id? }. created_at is set here
 // (unix ms) so callers don't have to remember the convention.
@@ -224,12 +270,14 @@ export function indexEntry(db, entry) {
     inserted = {
       id: info && info.lastInsertRowid != null ? Number(info.lastInsertRowid) : null,
     };
-    const qc = db.prepare('PRAGMA quick_check').get();
-    const status = qc && (qc.quick_check ?? qc.QUICK_CHECK);
-    if (status !== 'ok') {
-      throw new MemoryIntegrityError(
-        `PRAGMA quick_check failed after insert into memory_entries: ${status || '(no result)'}.`
-      );
+    if (shouldQuickCheck(db.__ijfw_filename)) {
+      const qc = db.prepare('PRAGMA quick_check').get();
+      const status = qc && (qc.quick_check ?? qc.QUICK_CHECK);
+      if (status !== 'ok') {
+        throw new MemoryIntegrityError(
+          `PRAGMA quick_check failed after insert into memory_entries: ${status || '(no result)'}.`
+        );
+      }
     }
   });
   tx();
@@ -282,6 +330,13 @@ export function indexEntry(db, entry) {
     const ts = row.created_at;
     const sessionId = row.session_id;
     const body = row.body;
+    // Receipt path must belong to the project that owns THIS db, never the
+    // process cwd (MCP hosts commonly spawn servers from $HOME, and openDb
+    // supports an explicit projectRoot distinct from cwd). The db lives at
+    // <root>/.ijfw/index/memory.db, so dirname(filename) IS the index dir.
+    const receiptDir = db.__ijfw_filename
+      ? dirname(db.__ijfw_filename)
+      : join(process.env.IJFW_PROJECT_DIR || process.cwd(), IJFW_DIR_NAME, INDEX_DIR_NAME);
     // v1.5.0 audit-LOW-memory-#14: dead-letter receipt for auto-index failures.
     // Fire-and-forget was already swallowed silently; now we append an
     // append-only JSONL receipt so silent indexer breakage is detectable in
@@ -293,10 +348,10 @@ export function indexEntry(db, entry) {
           // Lazy import; node:fs/promises is always available.
           import('node:fs/promises').then(({ appendFile, mkdir }) => {
             try {
-              const indexDir = '.ijfw/index';
+              const indexDir = receiptDir;
               return mkdir(indexDir, { recursive: true })
                 .then(() => appendFile(
-                  `${indexDir}/graph-errors.jsonl`,
+                  join(indexDir, 'graph-errors.jsonl'),
                   JSON.stringify({
                     ts: new Date().toISOString(),
                     session_id: sessionId || null,

package/src/memory/search.js

@@ -38,6 +38,12 @@ import { loadMigrations } from './migration-runner.js';
 // is imported directly so M1 runs synchronously inside the same txn batch.
 import { indexObsidianRelations } from './obsidian-parser.js';
 import { autoLink } from './auto-linker.js';
+// Ingest scrub gate (D-PILLAR-SPEC section 12) -- the warm-tier rebuild
+// reads raw markdown from disk, which is NOT guaranteed pre-scrubbed
+// (hand-edited notes, hook-written files, imports never went through
+// handleStore's redaction). autoIndex must apply the same redactSecrets
+// pass as fts5.js#indexEntry or secrets land cleartext in memory.db.
+import { redactSecrets } from '../redactor.js';
 
 const MAX_RESULTS  = 50;
 const SNIPPET_HALF = 60;
@@ -259,25 +265,35 @@ function runMemoryMigrationsSync(db, currentVersion, targetVersion) {
 }
 
 function autoIndex(db, files) {
-  let n = 0;
   // v1.5.1 R4-H2 — capture the rowid of every inserted entry so the
   // memory-moat aux indexing (M1 Obsidian relations, M2 auto-link) can run
   // over the warm-tier rebuild, not just the benchmark harness. The bulk
   // INSERT stays in one transaction for FTS write performance; M1/M2 run
   // AFTER commit so a parse/link failure can never abort the rebuild.
+  //
+  // Rollback safety: ids are collected in a transaction-local array and
+  // only published to `inserted` after txfn commits. If the batch rolls
+  // back, the rowids it produced no longer exist (and AUTOINCREMENT will
+  // reuse them), so running M1/M2 over them would attach links/tags/meta
+  // to the WRONG future entries.
   const inserted = [];
   const txfn = db.transaction((batch) => {
     const stmt = db.prepare(
       'INSERT INTO memory_entries (body, source, session_id, created_at) VALUES (?, ?, ?, ?)'
     );
+    const out = [];
     for (const item of batch) {
       const info = stmt.run(item.body, item.source, null, item.created_at);
       const id = info && info.lastInsertRowid != null ? Number(info.lastInsertRowid) : null;
-      inserted.push({ id, body: item.body });
-      n++;
+      out.push({ id, body: item.body });
     }
+    return out;
   });
 
+  // Same ingest scrub gate as fts5.js#indexEntry (IJFW_INGEST_SCRUB=0 is
+  // the only escape hatch, local debugging only). Body AND source are
+  // scrubbed so the FTS index and downstream M1/M2 only see safe text.
+  const scrub = process.env.IJFW_INGEST_SCRUB !== '0';
   const batch = [];
   const now = Date.now();
   for (const f of files) {
@@ -286,10 +302,22 @@ function autoIndex(db, files) {
     let body;
     try { body = readFileSync(f.path, 'utf8'); } catch { continue; }
     if (!body) continue;
-    batch.push({ body, source: f.relpath || f.path, created_at: now });
+    const rawSource = f.relpath || f.path;
+    batch.push({
+      body: scrub ? redactSecrets(body) : body,
+      source: scrub ? redactSecrets(String(rawSource)) : rawSource,
+      created_at: now,
+    });
   }
   if (batch.length === 0) return 0;
-  try { txfn.immediate(batch); } catch { /* one bad batch should not abort the search */ }
+  let n = 0;
+  try {
+    const committed = txfn.immediate(batch);
+    if (Array.isArray(committed)) {
+      inserted.push(...committed);
+      n = committed.length;
+    }
+  } catch { /* one bad batch should not abort the search; rollback discards ids */ }
 
   // v1.5.1 R4-H2 — M1: Obsidian wikilink/tag/meta indexing into
   // memory_links/_tags/_meta. Synchronous + idempotent (indexObsidianRelations

package/src/memory/staleness.js

@@ -169,7 +169,7 @@ export function propagateStaleMemory(memDb, computeDb, supersededNodeId, options
   if (namesToFlag.length > 0) {
     const updateMem = memDb.prepare(
       `UPDATE memory_entries SET stale_candidate = ? ` +
-      `WHERE COALESCE(stale_candidate, 0) < ? AND body LIKE ?`
+      `WHERE COALESCE(stale_candidate, 0) < ? AND body LIKE ? ESCAPE '\\'`
     );
 
     const txWrap = (typeof memDb.transaction === 'function')

package/src/profile/eval/corpus-from-reddit.test.mjs

@@ -42,7 +42,7 @@ function writeJson(rows) {
   return p;
 }
 
-// 10 authors × 6 long docs each — comfortably over the floors.
+// 10 authors x 6 long docs each — comfortably over the floors.
 function tenAuthors() {
   const rows = [];
   for (let a = 0; a < 10; a += 1) rows.push(...makeAuthorRows(`u${a}`, 6));

package/src/profile/eval/gate-b-run.mjs

@@ -218,7 +218,7 @@ export async function runGateBProduction(opts = {}) {
   //     budget-guarded cloud transport here: the allowed-set is the closed set of EVERY brief
   //     the pool's own personas + foreigner-pool produce (baseline '' + derived + fewShotOracle
   //     + register-echo) — foreign prose is never a target, only a fingerprint. The budget is
-  //     sized from arms × pool × probes × (pilot + confirmatory) with headroom.
+  //     sized from arms x pool x probes x (pilot + confirmatory) with headroom.
   const poolForGuard = [...personas, ...foreigners];
   const budget = opts.budget || {
     calls: 0,
@@ -328,7 +328,7 @@ export function buildAllowedSys(personas, cfg = {}) {
   return sys;
 }
 
-// Estimate the cloud-call budget: arms × subjects × probes, per spend phase.
+// Estimate the cloud-call budget: arms x subjects x probes, per spend phase.
 export function estimateCalls({
   nArms = 4, nSubjects, nProbes,
 }) {

package/src/profile/eval/harness.mjs

@@ -225,7 +225,7 @@ export function cohenKappa(raterA = [], raterB = []) {
 
 // ---------------------------------------------------------------------------
 // ECE — Expected Calibration Error on the profile's `confidence` field. Bins
-// (confidence, correctness) pairs and measures |avg-confidence − accuracy| per
+// (confidence, correctness) pairs and measures |avg-confidence - accuracy| per
 // bin, weighted by bin mass. A well-calibrated profile that says "0.7 confident"
 // is right ~70% of the time. This is what makes `confidence` an honest number
 // instead of decoration.

package/src/profile/eval/prereg.mjs

@@ -52,7 +52,7 @@ export function bonferroniAlpha(familyAlpha, verdictArms) {
 }
 
 // Measured-scale floor: the minimum mean margin that counts as a real effect, expressed
-// in the instrument's OWN units = floorK * (betweenMean − withinMean) from validateInstrument.
+// in the instrument's OWN units = floorK * (betweenMean - withinMean) from validateInstrument.
 // This REPLACES the blind absolute constant (the prior attempt's failure class). Frozen
 // before any cloud spend (floorK is hashed; the derived value is recorded in the run).
 export function deriveMinMeanMargin(validation, floorK) {

package/src/profile/eval/wrong-target-control.mjs

@@ -1,7 +1,7 @@
 // wrong-target-control.mjs — Gate B v2, Task T5. THE discriminator.
 //
 // For each subject P and arm, the margin is:
-//     m_P = distance(output, NEAREST same-register foreigner) − distance(output, OWN test)
+//     m_P = distance(output, NEAREST same-register foreigner) - distance(output, OWN test)
 // m_P > 0 means the styled output landed closer to P's OWN held-out fingerprint than to
 // the CLOSEST same-register stranger. A generic register-obeyer is ~equidistant from all
 // same-register targets ⇒ m≈0 ⇒ NULL. Only idiosyncratic voice capture wins.
@@ -118,7 +118,7 @@ export function wrongTargetControl(harnessOut, personas, opts = {}) {
     }
     const ownLoss = margins.map((m) => (m < 0 ? 1 : 0));
     const ci = bootstrapCI(margins, { iters: cfg.bootstrapIters, alpha: cfg.alpha, seed: cfg.seed });
-    // zeros-vs-wins sign test: b = #(margin>0), c = #(margin<0); two-sided p on |b−c|.
+    // zeros-vs-wins sign test: b = #(margin>0), c = #(margin<0); two-sided p on |b-c|.
     const sign = mcnemar(ownLoss, ownWin);
     perArm[arm] = {
       arm,
@@ -141,7 +141,7 @@ export function wrongTargetControl(harnessOut, personas, opts = {}) {
   for (const arm of harnessOut.arms) {
     if (arm === 'baseline' || !perArm.baseline) continue;
     const m = mcnemar(perArm.baseline.ownWin, perArm[arm].ownWin);
-    // mcnemar.pValue is TWO-SIDED (|b−c|), so the direction guard m.b > m.c is mandatory:
+    // mcnemar.pValue is TWO-SIDED (|b-c|), so the direction guard m.b > m.c is mandatory:
     // the arm must FLIP MORE subjects to own-match than baseline does, not merely differ.
     perArm[arm].vsBaseline = {
       b: m.b, c: m.c, pValue: m.pValue, beatsBaseline: significantAt(m.pValue, cfg.perTestAlpha) && m.b > m.c,

package/src/profile/exemplar-store.js

@@ -61,7 +61,7 @@ export const EXEMPLAR_TEXT_MAX = 600;
  * Max bytes we will read from the on-disk JSONL. The store is bounded by
  * MAX_EXEMPLARS short records, so a file larger than this is a corrupt/hand-
  * edited artifact; refusing to slurp it whole avoids an OOM. ~2 MiB is orders
- * of magnitude above any legitimate exemplar set (200 × 600 chars ≈ 120 KiB).
+ * of magnitude above any legitimate exemplar set (200 x 600 chars ≈ 120 KiB).
  */
 const MAX_STORE_BYTES = 2 * 1024 * 1024;
 

package/src/profile/telemetry.js

@@ -3,8 +3,8 @@
  *
  * The NO-JUDGE behavioral metric (design spec §"The honest bar", claim 2):
  * "Repeat-correction-rate drop — how often you re-issue the SAME correction,
- * bucketed by session age. A working system bends the curve down (3× in week 1
- * -> 0× by week 4). The most honest single number."
+ * bucketed by session age. A working system bends the curve down (3x in week 1
+ * -> 0x by week 4). The most honest single number."
  *
  * This module records, per preference SLUG, every time the user RE-ISSUES a
  * correction that the profile should already have learned, and computes the drop

package/src/recovery/code-fixer.js

@@ -286,14 +286,25 @@ export function tier2SyntaxCheckCmd(filePath) {
         ],
       };
     case '.py':
-      return { cmd: 'python3', args: ['-m', 'py_compile', filePath] };
+      // Windows ships python.exe, not python3. If neither exists the spawn
+      // ENOENT is treated as SKIP by verifyTier2, not a syntax failure.
+      return {
+        cmd: process.platform === 'win32' ? 'python' : 'python3',
+        args: ['-m', 'py_compile', filePath],
+      };
     case '.sh':
     case '.bash':
+      // On Windows this only works when a real bash.exe (Git Bash) is on
+      // PATH; otherwise verifyTier2 maps the ENOENT to SKIP.
       return { cmd: 'bash', args: ['-n', filePath] };
     case '.ts':
     case '.tsx': {
       // Only if tsc on PATH. The agent contract says SKIP when absent.
-      const which = spawnSync(process.platform === 'win32' ? 'where' : 'which', ['tsc'], {
+      // On Windows tsc is a .cmd shim which Node cannot spawn without a
+      // shell (CVE-2024-27980), and shelling out with an interpolated
+      // filePath would be an injection vector -- so SKIP honestly there.
+      if (process.platform === 'win32') return null;
+      const which = spawnSync('which', ['tsc'], {
         encoding: 'utf8',
       });
       if (which.status === 0 && which.stdout.trim()) {
@@ -319,6 +330,11 @@ export async function verifyTier2(filePath) {
     await execFileAsync(spec.cmd, spec.args, { timeout: 15_000 });
     return { ok: true, skipped: false };
   } catch (err) {
+    // Checker binary missing/not spawnable (ENOENT, or EINVAL for Windows
+    // .cmd shims) is "cannot verify", not "syntax error" -- honest SKIP.
+    if (err && (err.code === 'ENOENT' || err.code === 'EINVAL')) {
+      return { ok: true, skipped: true };
+    }
     const stderr = err.stderr || err.stdout || err.message || '';
     return {
       ok: false,
@@ -369,10 +385,15 @@ async function resolveProjectVerifyCmd(projectRoot, verifyCmdOverride) {
 export async function verifyTier3(projectRoot, verifyCmdOverride) {
   const cmd = await resolveProjectVerifyCmd(projectRoot, verifyCmdOverride);
   if (!cmd) return { ok: true, skipped: true };
-  // Run the command via `sh -c` so script lines like `npm test --silent` work
-  // verbatim. Timeout is generous (5 min) because real test suites can be slow.
+  // Run the command via the platform shell so script lines like
+  // `npm test --silent` work verbatim: `sh -c` on POSIX, `cmd /d /s /c` on
+  // Windows ('sh' is not on PATH there). Timeout is generous (5 min)
+  // because real test suites can be slow.
+  const [shellBin, shellArgs] = process.platform === 'win32'
+    ? [process.env.ComSpec || 'cmd.exe', ['/d', '/s', '/c', cmd]]
+    : ['sh', ['-c', cmd]];
   return new Promise((resolve) => {
-    execFile('sh', ['-c', cmd], { cwd: projectRoot, timeout: 5 * 60_000 }, (err, stdout, stderr) => {
+    execFile(shellBin, shellArgs, { cwd: projectRoot, timeout: 5 * 60_000 }, (err, stdout, stderr) => {
       const combined = `${String(stdout || '')}\n${String(stderr || '')}`;
       if (err) {
         const evidence = combined.split('\n').slice(0, 20).join('\n');

package/src/runtime-mediator.js

@@ -215,8 +215,11 @@ export async function maybeWarnDivergence(opts = {}) {
 
 /**
  * Map an MCP tool name (+ args) to the (action, target) tuple used for
- * permission checks. Returns null for unrecognised tool names; callers
- * should treat null as "no policy applies, allow" (these are bundled-only).
+ * permission checks. Returns null for unrecognised tool names. Callers MUST
+ * treat null as fail-closed whenever an extension is active: every tool the
+ * server advertises has an explicit mapping here, so a null mapping means a
+ * future tool was added without a policy entry -- denying is the only answer
+ * that keeps the sandbox sound (see gatePermissionAndQuota in server.js).
  */
 export function toolNameToActionTarget(toolName, args) {
   switch (toolName) {
@@ -225,8 +228,23 @@ export function toolNameToActionTarget(toolName, args) {
     case 'ijfw_memory_recall':
     case 'ijfw_memory_search':
     case 'ijfw_memory_prelude':
+    case 'ijfw_memory_facts':
     case 'ijfw_cross_project_search':
       return { action: 'read', target: 'memory:read' };
+    case 'ijfw_brain': {
+      // Brain verbs can write to the facts DB (wiki rebuilds, fact upserts),
+      // so classify the whole facade as a write -- conservative by design.
+      const verb = (args && typeof args.verb === 'string' && args.verb) ? args.verb : '*';
+      return { action: 'write', target: `brain:${verb}` };
+    }
+    case 'ijfw_state': {
+      // state-sdk verbs mutate project orchestration state.
+      const verb = (args && typeof args.verb === 'string' && args.verb) ? args.verb : '*';
+      return { action: 'write', target: `state:${verb}` };
+    }
+    case 'ijfw_cross_audit_converge':
+      // autoFix:true mutates source -- always treat as a write.
+      return { action: 'write', target: 'audit:converge' };
     case 'ijfw_metrics':
       return { action: 'read', target: 'metrics:read' };
     case 'ijfw_update_check':

package/src/server.js

@@ -119,7 +119,29 @@ export async function gatePermissionAndQuota({ toolName, args, activeExt, home,
   }
   const mapping = toolNameToActionTarget(toolName, args || {});
   if (!mapping) {
-    return { allowed: true };
+    // Fail-closed: an extension is active (possibly MALFORMED) and this tool
+    // has no policy mapping. Allowing here would let any future tool silently
+    // bypass the sandbox -- and would also defeat the malformed-state deny,
+    // which lives inside checkPermission. Every advertised tool must have an
+    // explicit entry in toolNameToActionTarget (runtime-mediator.js).
+    const reason = `tool "${toolName}" not covered by extension policy`;
+    await logPermissionEvent({
+      tool: toolName,
+      extension: activeExt && activeExt.name ? activeExt.name : null,
+      action: null,
+      target: null,
+      allowed: false,
+      reason,
+      ts: new Date().toISOString(),
+    }).catch(() => {});
+    return {
+      allowed: false,
+      reason,
+      response: {
+        content: [{ type: 'text', text: `extension permission denied: ${reason}` }],
+        isError: true,
+      },
+    };
   }
   const permCheck = checkPermission(mapping.action, mapping.target, activeExt);
   if (!permCheck.allowed) {
@@ -389,12 +411,21 @@ const TEAM_DIR_NAME = 'team';
 const TEAM_FACETS = ['decisions', 'patterns', 'stack', 'members'];
 
 // Claude Code's native auto-memory lives at ~/.claude/projects/<encoded>/memory/
-// where <encoded> is the project path with `/` → `-`. IJFW reads these files
-// and surfaces them via MCP so all platforms (not just Claude) see the same
-// memories -- no fighting Claude's native "Remember X" handler.
+// where <encoded> is the project path with separators replaced by `-`. IJFW
+// reads these files and surfaces them via MCP so all platforms (not just
+// Claude) see the same memories -- no fighting Claude's native "Remember X"
+// handler. On Windows the path is `C:\Users\...` -- strip the drive letter and
+// replace both separator styles so the slug is a single flat dir segment
+// (a bare `\/`-only replace left backslashes + the drive colon in the segment,
+// producing a nonexistent nested path, so this source was silently empty on
+// Windows). Mirrors pathToSlug() in src/memory/reader.js -- keep in sync.
+// Exported for the Windows-encoding regression test.
+export function encodeClaudeProjectSlug(projectPath) {
+  return String(projectPath).replace(/^[A-Za-z]:/, '').replace(/[\\/]/g, '-');
+}
 const NATIVE_CLAUDE_DIR = join(
   homedir(), '.claude', 'projects',
-  PROJECT_DIR.replace(/\//g, '-'),
+  encodeClaudeProjectSlug(PROJECT_DIR),
   'memory'
 );
 
@@ -736,7 +767,11 @@ function appendFactsToSidecar(facts, meta) {
     return { ok: true, written: facts.length };
   } catch (err) {
     // Non-fatal: facts are augmentation, not source-of-truth. Journal already
-    // captured the raw memory.
+    // captured the raw memory. Still surface on stderr so operators see the
+    // degradation -- callers also fold the failure into the store result.
+    try {
+      process.stderr.write(`[ijfw facts] sidecar append failed (${err.code || err.message}); fact extraction degraded\n`);
+    } catch { /* stderr may be detached */ }
     return { ok: false, code: err.code || 'EUNKNOWN', message: err.message };
   }
 }
@@ -1556,26 +1591,30 @@ function handleStore({ content, type, tags = [], summary, why, how_to_apply }) {
     try { console.error('[ijfw memory] FTS5 index dispatch failed:', e?.message || e); } catch { /* never throw */ }
   }
 
+  // Secondary writes (facts + type-specific). Each tracked so we report
+  // partial success accurately rather than lying about "stored."
+  const failures = [];
+
   // H5.5 — Fact extraction AFTER successful append. Best-effort: a failure
-  // here is logged in the return text but does NOT poison the store result.
-  // Memory-id ties facts.jsonl rows back to their journal entry.
+  // here is folded into the partial-failure return text (and stderr) but the
+  // journal write above already succeeded. Memory-id ties facts.jsonl rows
+  // back to their journal entry.
   const factMeta = {
     ts: new Date().toISOString(),
     memory_id: factMemoryIdFor(journalEntry),
     source: `memory_store:${type}`,
   };
   const facts = extractFacts(safeContent);
-  appendFactsToSidecar(facts, factMeta);
+  const factsResult = appendFactsToSidecar(facts, factMeta);
+  if (!factsResult.ok) failures.push(`facts sidecar (${factsResult.code})`);
   // v1.5.0 audit H5.4 — mirror to bi-temporal SQL store. For each fact,
   // closes any prior currently-valid fact with the same (subject, predicate)
   // but different object before inserting. Same-object stores are a no-op.
   // Wrapped in a per-fact transaction inside temporal.js. Best-effort: any
-  // failure is logged to stderr but never breaks the journal-or-JSONL path.
-  writeFactsBitemporal(facts, factMeta);
-
-  // 2. Type-specific secondary writes. Each tracked so we report partial
-  // success accurately rather than lying about "stored."
-  const failures = [];
+  // failure is logged to stderr and never breaks the journal-or-JSONL path,
+  // but an unavailable facts DB is reported honestly in the store result.
+  const bitemporalResult = writeFactsBitemporal(facts, factMeta);
+  if (!bitemporalResult.ok) failures.push(`facts db (${bitemporalResult.code})`);
 
   if (type === 'decision' || type === 'pattern') {
     // Richer frontmatter block for retrieval-quality entries.
@@ -1986,8 +2025,9 @@ function handleCrossProjectSearch({ pattern, limit = 10 } = {}) {
 }
 
 // Phase 3 #6: aggregate session metrics. Reads .ijfw/metrics/sessions.jsonl,
-// tolerates v1 lines (treats missing token/cost fields as 0), groups by day,
-// renders compact text. Positive-framed zero-state when no sessions logged yet.
+// tolerates v1 lines (treats missing token/cost fields as 0), dedupes the
+// per-turn cumulative v5 rows to the latest row per session_id, groups by
+// day, renders compact text. Positive-framed zero-state when nothing logged.
 function handleMetrics({ period = '7d', metric = 'tokens' } = {}) {
   const file = join(IJFW_DIR, 'metrics', 'sessions.jsonl');
   const r = readMarkdownFile(file);
@@ -2024,19 +2064,45 @@ function handleMetrics({ period = '7d', metric = 'tokens' } = {}) {
     return { text: `Window ${period}: no sessions in range.${hint}` };
   }
 
+  // Schema v5: the Stop hook fires after EVERY assistant turn and appends one
+  // row per turn carrying the CUMULATIVE totals for the whole session so far,
+  // tagged with session_id + a monotonic turn counter. Summing every row
+  // therefore overcounts quadratically -- keep only the LATEST row per
+  // session_id (highest turn, falling back to timestamp; ties keep the later
+  // line). Old-format rows without a session_id are treated as one session
+  // per row, exactly as before.
+  const latestBySession = new Map();
+  const sessions = [];
+  for (const row of within) {
+    const sid = row.session_id;
+    if (typeof sid !== 'string' || sid.length === 0) {
+      sessions.push(row);
+      continue;
+    }
+    const prev = latestBySession.get(sid);
+    if (!prev) { latestBySession.set(sid, row); continue; }
+    const rowTurn = typeof row.turn === 'number' ? row.turn : null;
+    const prevTurn = typeof prev.turn === 'number' ? prev.turn : null;
+    const later = (rowTurn !== null && prevTurn !== null && rowTurn !== prevTurn)
+      ? rowTurn > prevTurn
+      : Date.parse(row.timestamp) >= Date.parse(prev.timestamp);
+    if (later) latestBySession.set(sid, row);
+  }
+  for (const row of latestBySession.values()) sessions.push(row);
+
   if (metric === 'sessions') {
-    const handoffs = within.filter(r => r.handoff).length;
-    const memEntries = within.reduce((s, r) => s + (r.memory_stores || 0), 0);
+    const handoffs = sessions.filter(r => r.handoff).length;
+    const memEntries = sessions.reduce((s, r) => s + (r.memory_stores || 0), 0);
     return { text: [
-      `Sessions in ${period}: ${within.length}`,
-      `Handoffs preserved: ${handoffs} (${Math.round(100 * handoffs / within.length)}%)`,
+      `Sessions in ${period}: ${sessions.length}`,
+      `Handoffs preserved: ${handoffs} (${Math.round(100 * handoffs / sessions.length)}%)`,
       `Memory entries logged: ${memEntries}`
     ].join('\n') };
   }
 
   if (metric === 'routing') {
     const counts = {};
-    for (const r of within) counts[r.routing || 'native'] = (counts[r.routing || 'native'] || 0) + 1;
+    for (const r of sessions) counts[r.routing || 'native'] = (counts[r.routing || 'native'] || 0) + 1;
     return { text: ['Routing mix:'].concat(
       Object.entries(counts).map(([k, v]) => `  ${k}: ${v}`)
     ).join('\n') };
@@ -2044,7 +2110,7 @@ function handleMetrics({ period = '7d', metric = 'tokens' } = {}) {
 
   // Group by UTC day for tokens / cost.
   const byDay = {};
-  for (const row of within) {
+  for (const row of sessions) {
     const day = String(row.timestamp).slice(0, 10);
     byDay[day] = byDay[day] || { in: 0, out: 0, cr: 0, cc: 0, cost: 0, n: 0 };
     byDay[day].in   += row.input_tokens || 0;
@@ -2060,7 +2126,7 @@ function handleMetrics({ period = '7d', metric = 'tokens' } = {}) {
     const total = days.reduce((s, d) => s + byDay[d].cost, 0);
     const lines = ['Day        | sessions | cost (USD)'];
     for (const d of days) lines.push(`${d} | ${String(byDay[d].n).padStart(8)} | $${byDay[d].cost.toFixed(4)}`);
-    lines.push(`Total: $${total.toFixed(4)} across ${within.length} session(s) -- clean session-ends only.`);
+    lines.push(`Total: $${total.toFixed(4)} across ${sessions.length} session(s) -- clean session-ends only.`);
     return { text: lines.join('\n') };
   }
 
@@ -2604,7 +2670,10 @@ function handleMessage(msg) {
       return createResponse(id, {});
 
     default:
-      if (id) return createError(id, -32601, `Method not found: ${method}`);
+      // Presence check, not truthiness: id 0 and id "" are valid JSON-RPC
+      // request ids (the MCP TS SDK numbers requests from 0) and MUST get a
+      // response. Only notifications (id absent/null) go unanswered.
+      if (id !== undefined && id !== null) return createError(id, -32601, `Method not found: ${method}`);
       return null;
   }
 }
@@ -2665,7 +2734,9 @@ function __attachStdioTransport() {
         response.then(r => { if (r) process.stdout.write(r + '\n'); }).catch(err => {
           process.stdout.write(JSON.stringify({
             jsonrpc: '2.0',
-            id: msg && msg.id ? msg.id : null,
+            // Presence check: id 0 / "" must round-trip so the client can
+            // correlate the error to its pending request.
+            id: (msg && msg.id !== undefined) ? msg.id : null,
             error: { code: -32603, message: `Internal error: ${err.message}` }
           }) + '\n');
         });
@@ -2675,7 +2746,7 @@ function __attachStdioTransport() {
     } catch (err) {
       process.stdout.write(JSON.stringify({
         jsonrpc: '2.0',
-        id: msg && msg.id ? msg.id : null,
+        id: (msg && msg.id !== undefined) ? msg.id : null,
         error: { code: -32603, message: `Internal error: ${err.message}` }
       }) + '\n');
     }
@@ -2787,6 +2858,7 @@ if (__isServerEntryPoint) {
 export {
   sanitizeContent, atomicWrite, readMarkdownFile, PROJECT_HASH,
   handleStore, handleRecall, handleSearch, handlePrelude,
+  handleMetrics,
   MEMORY_DIR, FACTS_FILE, FACTS_DB_FILE,
   getFactsDb,
   paths,