@jagilber-org/index-server 1.26.5 → 1.27.0

package/dist/config/dashboardConfig.d.ts

@@ -15,10 +15,17 @@ interface DashboardHttpConfig {
     verboseLogging: boolean;
     mutationEnabled: boolean;
     adminApiKey?: string;
-    rateLimitEnabled: boolean;
-    rateLimitWindowMs: number;
-    rateLimitMax: number;
-    rateLimitMutationMax: number;
+    /**
+     * Dashboard HTTP API rate limit, in requests per minute.
+     *
+     * - `0` (default) disables rate limiting entirely (HTTP API + usage tracking).
+     * - Any positive integer N enforces N requests/min globally with a fixed
+     *   60-second window. Bulk import/export/backup/restore routes are
+     *   unconditionally exempt regardless of this value.
+     *
+     * Configured via the `INDEX_SERVER_RATE_LIMIT` environment variable.
+     */
+    rateLimitPerMinute: number;
     tls: DashboardTlsConfig;
 }
 interface DashboardAdminConfig {

package/dist/config/dashboardConfig.js

@@ -36,10 +36,7 @@ function parseDashboardConfig(mutationEnabled, instructionsBaseDir) {
             verboseLogging: (0, envUtils_1.getBooleanEnv)('INDEX_SERVER_VERBOSE_LOGGING'),
             mutationEnabled,
             adminApiKey: process.env.INDEX_SERVER_ADMIN_API_KEY || undefined,
-            rateLimitEnabled: !(0, envUtils_1.getBooleanEnv)('INDEX_SERVER_DISABLE_RATE_LIMIT'),
-            rateLimitWindowMs: Math.max(1, (0, configUtils_1.numberFromEnv)('INDEX_SERVER_RATE_LIMIT_WINDOW_MS', 60_000)),
-            rateLimitMax: Math.max(0, (0, configUtils_1.numberFromEnv)('INDEX_SERVER_RATE_LIMIT_MAX', 100)),
-            rateLimitMutationMax: Math.max(0, (0, configUtils_1.numberFromEnv)('INDEX_SERVER_RATE_LIMIT_MUTATION_MAX', 20)),
+            rateLimitPerMinute: Math.max(0, (0, configUtils_1.numberFromEnv)('INDEX_SERVER_RATE_LIMIT', 0)),
             tls: {
                 enabled: (0, envUtils_1.getBooleanEnv)('INDEX_SERVER_DASHBOARD_TLS'),
                 certPath: process.env.INDEX_SERVER_DASHBOARD_TLS_CERT || undefined,

package/dist/dashboard/client/admin.html

@@ -1,29 +1,29 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
-    <meta name="dashboard-build-version" content="1.26.5-9badd8dd">
+    <meta name="dashboard-build-version" content="1.27.0-9badd8dd">
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>Index Server Admin</title>
-    <link rel="stylesheet" href="css/admin.css?v=1.26.5-9badd8dd">
-    <script defer src="js/admin.utils.js?v=1.26.5-9badd8dd"></script>
-    <script defer src="js/admin.auth.js?v=1.26.5-9badd8dd"></script>
-    <script defer src="js/admin.overview.js?v=1.26.5-9badd8dd"></script>
-    <script defer src="js/admin.sessions.js?v=1.26.5-9badd8dd"></script>
-    <script defer src="js/admin.monitor.js?v=1.26.5-9badd8dd"></script>
-    <script defer src="js/admin.graph.js?v=1.26.5-9badd8dd"></script>
+    <link rel="stylesheet" href="css/admin.css?v=1.27.0-9badd8dd">
+    <script defer src="js/admin.utils.js?v=1.27.0-9badd8dd"></script>
+    <script defer src="js/admin.auth.js?v=1.27.0-9badd8dd"></script>
+    <script defer src="js/admin.overview.js?v=1.27.0-9badd8dd"></script>
+    <script defer src="js/admin.sessions.js?v=1.27.0-9badd8dd"></script>
+    <script defer src="js/admin.monitor.js?v=1.27.0-9badd8dd"></script>
+    <script defer src="js/admin.graph.js?v=1.27.0-9badd8dd"></script>
     <script defer src="js/marked.umd.js"></script>
-    <script defer src="js/admin.instructions.js?v=1.26.5-9badd8dd"></script>
-    <script defer src="js/admin.logs.js?v=1.26.5-9badd8dd"></script>
-    <script defer src="js/admin.maintenance.js?v=1.26.5-9badd8dd"></script>
-    <script defer src="js/admin.config.js?v=1.26.5-9badd8dd"></script>
-    <script defer src="js/admin.performance.js?v=1.26.5-9badd8dd"></script>
-    <script defer src="js/admin.instances.js?v=1.26.5-9badd8dd"></script>
-    <script defer src="js/admin.embeddings.js?v=1.26.5-9badd8dd"></script>
-    <script defer src="js/admin.messaging.js?v=1.26.5-9badd8dd"></script>
-    <script defer src="js/admin.sqlite.js?v=1.26.5-9badd8dd"></script>
-    <script defer src="js/admin.boot.js?v=1.26.5-9badd8dd"></script>
-    <script defer src="js/admin.feedback.js?v=1.26.5-9badd8dd"></script>
+    <script defer src="js/admin.instructions.js?v=1.27.0-9badd8dd"></script>
+    <script defer src="js/admin.logs.js?v=1.27.0-9badd8dd"></script>
+    <script defer src="js/admin.maintenance.js?v=1.27.0-9badd8dd"></script>
+    <script defer src="js/admin.config.js?v=1.27.0-9badd8dd"></script>
+    <script defer src="js/admin.performance.js?v=1.27.0-9badd8dd"></script>
+    <script defer src="js/admin.instances.js?v=1.27.0-9badd8dd"></script>
+    <script defer src="js/admin.embeddings.js?v=1.27.0-9badd8dd"></script>
+    <script defer src="js/admin.messaging.js?v=1.27.0-9badd8dd"></script>
+    <script defer src="js/admin.sqlite.js?v=1.27.0-9badd8dd"></script>
+    <script defer src="js/admin.boot.js?v=1.27.0-9badd8dd"></script>
+    <script defer src="js/admin.feedback.js?v=1.27.0-9badd8dd"></script>
 </head>
 <body>
     <div class="admin-container admin-root">
@@ -879,10 +879,10 @@
             }
         }
 
-        // Graph logic was extracted to js/admin.graph.js?v=1.26.5-9badd8dd
+        // Graph logic was extracted to js/admin.graph.js?v=1.27.0-9badd8dd
         // Functions available globally: reloadGraphMermaid, initGraphScopeDefaults, copyMermaidSource, toggleGraphEdit, applyGraphEdit, cancelGraphEdit, refreshDrillCategories, loadDrillInstructions, clearSelections
 
-        <!-- overview functions moved to js/admin.overview.js?v=1.26.5-9badd8dd -->
+        <!-- overview functions moved to js/admin.overview.js?v=1.27.0-9badd8dd -->
 
         // Lightweight overview-level maintenance display (optional)
         // Intentionally minimal to avoid blocking overview rendering.
@@ -1067,7 +1067,7 @@
         }
 
         // --- Backup / Restore ---
-        // Extracted to js/admin.maintenance.js?v=1.26.5-9badd8dd
+        // Extracted to js/admin.maintenance.js?v=1.27.0-9badd8dd
 
         async function performBackup() {
             try {
@@ -1133,7 +1133,7 @@
         }
 
                 async function loadConfiguration() {
-                    // Primary implementation in js/admin.config.js?v=1.26.5-9badd8dd (loaded via defer).
+                    // Primary implementation in js/admin.config.js?v=1.27.0-9badd8dd (loaded via defer).
                     // This inline fallback only fires if the external script failed to load.
                     if (window.__configExternalLoaded) return;
                     try {
@@ -1193,10 +1193,10 @@
                         return false;
                 }
 
-        // Monitoring functions moved to js/admin.monitor.js?v=1.26.5-9badd8dd
+        // Monitoring functions moved to js/admin.monitor.js?v=1.27.0-9badd8dd
 
         // ===== Log Viewer =====
-        // Extracted to js/admin.logs.js?v=1.26.5-9badd8dd
+        // Extracted to js/admin.logs.js?v=1.27.0-9badd8dd
 
         // ===== Instruction Management =====
         let instructionEditing = null;
@@ -1693,7 +1693,7 @@
             setInterval(fetchResourceTrends, 10000);
         })();
 
-        // Instruction management logic extracted to js/admin.instructions.js?v=1.26.5-9badd8dd
+        // Instruction management logic extracted to js/admin.instructions.js?v=1.27.0-9badd8dd
         // Functions exposed globally: loadInstructions, renderInstructionList, editInstruction, saveInstruction, deleteInstruction, etc.
 
         function startAutoRefresh() {

package/dist/dashboard/server/AdminPanelConfig.d.ts

@@ -11,8 +11,7 @@ export interface AdminConfig {
         enableVerboseLogging: boolean;
         enableMutation: boolean;
         rateLimit: {
-            windowMs: number;
-            maxRequests: number;
+            perMinute: number;
         };
     };
     indexSettings: {

package/dist/dashboard/server/AdminPanelConfig.js

@@ -23,8 +23,7 @@ class AdminPanelConfig {
                 enableVerboseLogging: !!serverHttp?.verboseLogging,
                 enableMutation: runtimeConfig.mutation.enabled,
                 rateLimit: {
-                    windowMs: 60000,
-                    maxRequests: 100
+                    perMinute: serverHttp?.rateLimitPerMinute ?? 0
                 }
             },
             indexSettings: {

package/dist/dashboard/server/ApiRoutes.d.ts

@@ -8,10 +8,11 @@
 import { Router } from 'express';
 export interface ApiRoutesOptions {
     enableCors?: boolean;
-    rateLimit?: {
-        windowMs: number;
-        max: number;
-    };
+    /**
+     * Optional override for the rate-limit (requests per 60s window).
+     * `0` disables. When omitted, falls back to `httpCfg.rateLimitPerMinute`.
+     */
+    rateLimitPerMinute?: number;
 }
 export declare function createApiRoutes(options?: ApiRoutesOptions): Router;
 export default createApiRoutes;

package/dist/dashboard/server/ApiRoutes.js

@@ -49,11 +49,41 @@ const runtimeConfig_js_1 = require("../../config/runtimeConfig.js");
 const index_js_1 = require("./routes/index.js");
 const ensureLoadedMiddleware_js_1 = require("./middleware/ensureLoadedMiddleware.js");
 const logger_js_1 = require("../../services/logger.js");
+/**
+ * Path prefixes whose endpoints are *unconditionally* exempt from the dashboard
+ * HTTP rate limiter. These are bulk-shaped, operator-driven operations
+ * (backup, restore, import/export, normalize) where the size of a single
+ * request — not the *frequency* of requests — is the natural cost driver.
+ *
+ * Matching is done with `req.path.startsWith(prefix)` against the path *as
+ * mounted on the /api router* (so prefixes do not include the leading "/api").
+ *
+ * Note: the MCP tool surface (index_import / index_export / promote_from_repo
+ * / restore handlers) is already outside this HTTP limiter, so no entries are
+ * needed for those.
+ */
+const BULK_EXEMPT_PREFIXES = [
+    '/admin/maintenance/normalize',
+    '/admin/maintenance/backup', // covers backup, backup/import, backup/:id, backup/:id/export
+    '/admin/maintenance/backups', // covers backups, backups/prune
+    '/admin/maintenance/restore',
+    '/charts/export',
+    '/sqlite/backup', // covers /sqlite/backup and /sqlite/backups
+    '/sqlite/restore',
+    '/sqlite/export',
+];
+function isBulkExempt(reqPath) {
+    for (const prefix of BULK_EXEMPT_PREFIXES) {
+        if (reqPath === prefix || reqPath.startsWith(prefix + '/'))
+            return true;
+    }
+    return false;
+}
 function createApiRoutes(options = {}) {
     const router = (0, express_1.Router)();
     const metricsCollector = (0, MetricsCollector_js_1.getMetricsCollector)();
     const httpCfg = (0, runtimeConfig_js_1.getRuntimeConfig)().dashboard.http;
-    const rateLimitOpts = options.rateLimit ?? { windowMs: httpCfg.rateLimitWindowMs, max: httpCfg.rateLimitMax };
+    const perMinute = options.rateLimitPerMinute ?? httpCfg.rateLimitPerMinute;
     // CORS middleware (if enabled)
     // Security: only allow loopback origins (localhost, 127.0.0.1, [::1]) to prevent
     // cross-origin attacks. No wildcard (*) origins; credentials are not exposed.
@@ -71,53 +101,28 @@ function createApiRoutes(options = {}) {
     }
     // JSON middleware
     router.use(express_1.default.json());
-    const rateLimitEnabled = httpCfg.rateLimitEnabled;
-    if (rateLimitEnabled && rateLimitOpts.max > 0 && rateLimitOpts.windowMs > 0) {
-        // Global rate limit for all routes (reads + mutations)
+    // Rate limit (single tier, fixed 60s window). Disabled when perMinute === 0.
+    // Bulk routes (backup/restore/import/export/normalize) are unconditionally
+    // exempt via BULK_EXEMPT_PREFIXES — see `skip` below.
+    if (perMinute > 0) {
+        const windowMs = 60_000;
         router.use((0, express_rate_limit_1.default)({
-            windowMs: rateLimitOpts.windowMs,
-            max: rateLimitOpts.max,
+            windowMs,
+            max: perMinute,
             standardHeaders: true,
             legacyHeaders: true,
             validate: { ip: false },
-            skip: (req) => req.method === 'OPTIONS',
+            skip: (req) => req.method === 'OPTIONS' || isBulkExempt(req.path),
             keyGenerator: (req) => {
                 const clientIp = req.ip || req.socket.remoteAddress;
                 return clientIp ? (0, express_rate_limit_1.ipKeyGenerator)(clientIp) : 'unknown';
             },
             handler: (_req, res) => {
-                const retryAfter = Number(res.getHeader('Retry-After') || Math.ceil(rateLimitOpts.windowMs / 1000));
+                const retryAfter = Number(res.getHeader('Retry-After') || Math.ceil(windowMs / 1000));
                 res.status(429).json({
                     error: 'Too Many Requests',
                     message: `Rate limit exceeded. Try again in ${retryAfter} second(s).`,
                     retryAfterSeconds: retryAfter,
-                    tier: 'global',
-                    timestamp: Date.now(),
-                });
-            },
-        }));
-        // Stricter rate limit for mutation endpoints (POST/PUT/PATCH/DELETE).
-        // Defaults to runtimeConfig httpCfg.rateLimitMutationMax (env-configurable),
-        // bounded by the global per-window cap so mutation-tier never exceeds global.
-        const mutationMax = Math.max(1, Math.min(httpCfg.rateLimitMutationMax, rateLimitOpts.max));
-        router.use((0, express_rate_limit_1.default)({
-            windowMs: rateLimitOpts.windowMs,
-            max: mutationMax,
-            standardHeaders: true,
-            legacyHeaders: false,
-            validate: { ip: false },
-            skip: (req) => req.method === 'OPTIONS' || req.method === 'GET' || req.method === 'HEAD',
-            keyGenerator: (req) => {
-                const clientIp = req.ip || req.socket.remoteAddress;
-                return `mutation:${clientIp ? (0, express_rate_limit_1.ipKeyGenerator)(clientIp) : 'unknown'}`;
-            },
-            handler: (_req, res) => {
-                const retryAfter = Number(res.getHeader('Retry-After') || Math.ceil(rateLimitOpts.windowMs / 1000));
-                res.status(429).json({
-                    error: 'Too Many Requests',
-                    message: `Mutation rate limit exceeded. Try again in ${retryAfter} second(s).`,
-                    retryAfterSeconds: retryAfter,
-                    tier: 'mutation',
                     timestamp: Date.now(),
                 });
             },

package/dist/dashboard/server/routes/index.js

@@ -106,19 +106,21 @@ function renderPanelMarkdownHtml(name, markdown) {
  * Called once during DashboardServer construction after middleware is set up.
  */
 function mountDashboardRoutes(app, ctx) {
-    // Build a per-route rate limiter using the same dashboard.http.rateLimit*
-    // configuration as the /api router. Re-uses the same window/max so behavior
-    // is consistent across the dashboard. Disabled if rateLimitEnabled is false.
+    // Build a per-route rate limiter using the same dashboard.http.rateLimit
+    // configuration as the /api router. Re-uses the same per-minute cap so
+    // behavior is consistent across the dashboard. Disabled when
+    // rateLimitPerMinute === 0 (the default).
     const httpCfg = (0, runtimeConfig_js_1.getRuntimeConfig)().dashboard.http;
+    const perMinute = httpCfg.rateLimitPerMinute;
     const dashboardLimiter = (0, express_rate_limit_1.default)({
-        windowMs: Math.max(1, httpCfg.rateLimitWindowMs),
-        max: Math.max(1, httpCfg.rateLimitMax),
+        windowMs: 60_000,
+        max: perMinute > 0 ? perMinute : 1,
         standardHeaders: true,
         legacyHeaders: false,
         validate: { ip: false },
-        skip: () => !httpCfg.rateLimitEnabled,
+        skip: () => perMinute <= 0,
         handler: (_req, res) => {
-            const retryAfter = Number(res.getHeader('Retry-After') || Math.ceil(httpCfg.rateLimitWindowMs / 1000));
+            const retryAfter = Number(res.getHeader('Retry-After') || 60);
             res.status(429).json({
                 error: 'Too Many Requests',
                 message: `Rate limit exceeded. Try again in ${retryAfter} second(s).`,
@@ -222,8 +224,8 @@ function mountDashboardRoutes(app, ctx) {
             res.status(404).send('Screenshot not found');
         }
     });
-    // API sub-routes (mounted at /api). Rate limits sourced from runtimeConfig
-    // (INDEX_SERVER_RATE_LIMIT_*) — see ApiRoutes.createApiRoutes.
+    // API sub-routes (mounted at /api). Rate limit sourced from runtimeConfig
+    // (INDEX_SERVER_RATE_LIMIT) — see ApiRoutes.createApiRoutes.
     app.use('/api', (0, ApiRoutes_js_1.createApiRoutes)({ enableCors: ctx.enableCors }));
     // Back-compat: legacy tests expect /tools.json at dashboard root
     app.get('/tools.json', (_req, res) => {

package/dist/lib/mcpStdioLogging.d.ts

@@ -112,6 +112,7 @@ export declare class McpStdioLogger {
     private readonly _serverName;
     private readonly _maxBufferSize;
     private readonly _inferLevel;
+    private readonly _exitHandler;
     constructor(options?: McpStdioLoggerOptions);
     /**
      * Start intercepting process.stderr.write.
@@ -152,6 +153,17 @@ export declare class McpStdioLogger {
      * without triggering the MCP routing/buffering pipeline.
      */
     writeOriginalStderr(data: string): void;
+    /**
+     * Drain the pre-handshake buffer to the ORIGINAL stderr without requiring
+     * an MCP server activation. Used when the process is about to exit before
+     * the MCP handshake completes (e.g., `--help`, `--init-cert`, or a fatal
+     * startup error). Without this, buffered diagnostic lines would be silently
+     * discarded — see issue #234.
+     *
+     * Safe to call repeatedly; a no-op when the buffer is empty. Does not change
+     * `isActive` and does not require a registered server.
+     */
+    flushToStderr(): void;
     /**
      * Restore original stderr and deactivate the bridge.
      * Useful for testing cleanup or graceful shutdown.

package/dist/lib/mcpStdioLogging.js

@@ -115,6 +115,7 @@ class McpStdioLogger {
     _serverName;
     _maxBufferSize;
     _inferLevel;
+    _exitHandler;
     constructor(options = {}) {
         this._serverName = options.serverName ?? 'mcp-server';
         this._maxBufferSize = options.maxBufferSize ?? 500;
@@ -123,6 +124,16 @@ class McpStdioLogger {
         if (options.interceptImmediately !== false) {
             this.interceptStderr();
         }
+        // Issue #234: if the process exits before the MCP handshake completes
+        // (e.g. --help, --init-cert, fatal startup error), drain buffered stderr
+        // so the user actually sees what was logged. Inactive bridge only —
+        // once activated, the buffer is already replayed via sendLoggingMessage.
+        this._exitHandler = () => {
+            if (!this._active && this._buffer.length > 0) {
+                this.flushToStderr();
+            }
+        };
+        process.on('exit', this._exitHandler);
     }
     // -----------------------------------------------------------------------
     // Public API
@@ -241,6 +252,30 @@ class McpStdioLogger {
         }
         catch { /* ignore */ }
     }
+    /**
+     * Drain the pre-handshake buffer to the ORIGINAL stderr without requiring
+     * an MCP server activation. Used when the process is about to exit before
+     * the MCP handshake completes (e.g., `--help`, `--init-cert`, or a fatal
+     * startup error). Without this, buffered diagnostic lines would be silently
+     * discarded — see issue #234.
+     *
+     * Safe to call repeatedly; a no-op when the buffer is empty. Does not change
+     * `isActive` and does not require a registered server.
+     */
+    flushToStderr() {
+        if (this._buffer.length === 0)
+            return;
+        for (const entry of this._buffer) {
+            const data = entry.data;
+            try {
+                this._originalStderrWrite(data.endsWith('\n') ? data : data + '\n');
+            }
+            catch {
+                /* ignore — best-effort drain */
+            }
+        }
+        this._buffer.length = 0;
+    }
     /**
      * Restore original stderr and deactivate the bridge.
      * Useful for testing cleanup or graceful shutdown.
@@ -250,6 +285,10 @@ class McpStdioLogger {
         this._active = false;
         this._intercepting = false;
         this._buffer.length = 0;
+        try {
+            process.removeListener('exit', this._exitHandler);
+        }
+        catch { /* ignore */ }
     }
     /**
      * Get the number of currently buffered lines (pre-handshake).

package/dist/services/handlers.dashboardConfig.js

@@ -46,8 +46,7 @@ exports.FLAG_REGISTRY = [
     { name: 'INDEX_SERVER_VISIBILITY_DIAG', category: 'tracing', description: 'Force core trace level for visibility diagnostics.', stability: 'diagnostic', default: 'off', type: 'boolean', since: '1.1.1' },
     { name: 'INDEX_SERVER_FILE_TRACE', category: 'tracing', description: 'Promote index file events to trace level (files).', stability: 'diagnostic', default: 'off', type: 'boolean', since: '1.1.1' },
     // Usage & metrics
-    { name: 'INDEX_SERVER_DISABLE_RATE_LIMIT', category: 'usage', description: 'Disable all rate limiting (dashboard HTTP API and usage tracking). Rate limiting is enabled by default.', stability: 'stable', default: 'off', type: 'boolean', since: '1.1.3' },
-    { name: 'INDEX_SERVER_DISABLE_USAGE_RATE_LIMIT', category: 'usage', description: '(Deprecated) Legacy per-subsystem override to disable usage rate limit.', stability: 'diagnostic', default: 'off', type: 'boolean', since: '1.1.1' },
+    { name: 'INDEX_SERVER_RATE_LIMIT', category: 'usage', description: 'Dashboard HTTP API and usage-tracking rate limit, in requests per minute. 0 (default) disables rate limiting. Bulk import/export/backup/restore routes are unconditionally exempt.', stability: 'stable', default: '0', type: 'number', since: '1.27.0' },
     { name: 'INDEX_SERVER_DISABLE_USAGE_CLAMP', category: 'usage', description: 'Disable initial usage count clamp logic.', stability: 'diagnostic', default: 'off', type: 'boolean', since: '1.1.1' },
     { name: 'INDEX_SERVER_USAGE_FLUSH_MS', category: 'usage', description: 'Override usage flush debounce interval.', stability: 'diagnostic', default: '75', type: 'number', since: '1.1.1' },
     // Validation / schema

package/dist/services/indexContext.js

@@ -36,7 +36,6 @@ const features_1 = require("./features");
 const atomicFs_1 = require("./atomicFs");
 const classificationService_1 = require("./classificationService");
 const ownershipService_1 = require("./ownershipService");
-const envUtils_1 = require("../utils/envUtils");
 const runtimeConfig_1 = require("../config/runtimeConfig");
 const factory_1 = require("./storage/factory");
 const migrationEngine_1 = require("./storage/migrationEngine");
@@ -202,11 +201,11 @@ function restoreLastUsedInvariant(e) {
 const USAGE_RATE_LIMIT_PER_SECOND = 10; // max increments per id per second
 const usageRateLimiter = new Map();
 function checkUsageRateLimit(id) {
-    // Rate limiting is enabled by default. Set INDEX_SERVER_DISABLE_RATE_LIMIT=1 to disable all rate limiting.
-    if ((0, envUtils_1.getBooleanEnv)('INDEX_SERVER_DISABLE_RATE_LIMIT'))
-        return true;
-    // Legacy per-subsystem override (backward compat / deterministic tests).
-    if ((0, envUtils_1.getBooleanEnv)('INDEX_SERVER_DISABLE_USAGE_RATE_LIMIT'))
+    // Rate limiting is opt-in. INDEX_SERVER_RATE_LIMIT=0 (default) or unset
+    // disables both the dashboard HTTP limiter and this usage limiter.
+    // Any positive integer enables both.
+    const rl = Number(process.env.INDEX_SERVER_RATE_LIMIT);
+    if (!Number.isFinite(rl) || rl <= 0)
         return true;
     const now = Date.now();
     const windowStart = Math.floor(now / 1000) * 1000; // 1-second windows

package/dist/services/logger.js

@@ -60,6 +60,8 @@ function shouldEmit(level) {
     const recordPriority = LEVEL_PRIORITY[level] ?? LEVEL_PRIORITY.INFO;
     return recordPriority >= threshold;
 }
+// Single exit handler — registered once to avoid listener accumulation on re-init
+let exitHandlerRegistered = false;
 // Initialize file logging if INDEX_SERVER_LOG_FILE is specified
 function initializeFileLogging() {
     const cfg = loggingCfg();
@@ -89,6 +91,16 @@ function initializeFileLogging() {
             encoding: 'utf8'
         });
         logFilePath = logFile;
+        // Graceful fallback: if the stream hits EPERM/EACCES, disable file logging
+        logFileHandle.on('error', (err) => {
+            process.stderr.write(`[logger] File logging error (${err.code ?? err.message}), falling back to stderr-only\n`);
+            try {
+                logFileHandle?.end();
+            }
+            catch { /* ignore */ }
+            logFileHandle = null;
+            logFilePath = undefined;
+        });
         // NDJSON session start record
         const sessionStart = {
             ts: new Date().toISOString(),
@@ -98,19 +110,22 @@ function initializeFileLogging() {
         };
         const startLine = JSON.stringify(sessionStart);
         logFileHandle.write(startLine + '\n');
-        // Cleanup on process exit
-        process.on('exit', () => {
-            if (logFileHandle && !logFileHandle.destroyed) {
-                const sessionEnd = {
-                    ts: new Date().toISOString(),
-                    level: 'INFO',
-                    msg: '[logger] Session ended',
-                    pid: process.pid,
-                };
-                logFileHandle.write(JSON.stringify(sessionEnd) + '\n');
-                logFileHandle.end();
-            }
-        });
+        // Cleanup on process exit — register only once
+        if (!exitHandlerRegistered) {
+            exitHandlerRegistered = true;
+            process.on('exit', () => {
+                if (logFileHandle && !logFileHandle.destroyed) {
+                    const sessionEnd = {
+                        ts: new Date().toISOString(),
+                        level: 'INFO',
+                        msg: '[logger] Session ended',
+                        pid: process.pid,
+                    };
+                    logFileHandle.write(JSON.stringify(sessionEnd) + '\n');
+                    logFileHandle.end();
+                }
+            });
+        }
         // Emit NDJSON init diagnostic
         try {
             const stats = fs_1.default.existsSync(logFile) ? fs_1.default.statSync(logFile) : null;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jagilber-org/index-server",
-  "version": "1.26.5",
+  "version": "1.27.0",
   "mcpName": "io.github.jagilber-org/index-server",
   "description": "MCP instruction indexing server for AI assistant governance — search, CRUD, schema validation, usage tracking, and cross-repo knowledge promotion.",
   "publishConfig": {
@@ -50,6 +50,7 @@
     "manifest:generate": "node scripts/generate-manifest.mjs",
     "contract:tools": "node scripts/generate-tools-snapshot.mjs",
     "verify:manifest": "node scripts/verify-manifest.mjs",
+    "check:version-parity": "node scripts/check-version-parity.mjs",
     "test": "npm run test:fast",
     "test:all": "vitest run",
     "test:watch": "vitest",