@jhizzard/termdeck 0.7.1 → 0.7.3

package/config/transcript-migration.sql

@@ -0,0 +1,34 @@
+-- termdeck_transcripts: append-only log of all PTY output
+-- Run with: psql -f config/transcript-migration.sql "$DATABASE_URL"
+-- Idempotent — safe to re-run.
+
+CREATE TABLE IF NOT EXISTS termdeck_transcripts (
+  id            UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  session_id    TEXT NOT NULL,              -- TermDeck session UUID
+  chunk_index   BIGINT NOT NULL,            -- monotonic per session, for ordering
+  content       TEXT NOT NULL,              -- raw PTY output (ANSI stripped)
+  raw_bytes     BIGINT NOT NULL DEFAULT 0,  -- byte count before stripping
+  created_at    TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+-- Index for session replay (ordered chunks)
+CREATE INDEX IF NOT EXISTS idx_transcripts_session_order
+  ON termdeck_transcripts (session_id, chunk_index);
+
+-- Index for time-range queries (crash recovery: "what happened in the last hour?")
+CREATE INDEX IF NOT EXISTS idx_transcripts_created
+  ON termdeck_transcripts (created_at DESC);
+
+-- Full-text search for finding specific output across all sessions
+ALTER TABLE termdeck_transcripts
+  ADD COLUMN IF NOT EXISTS fts tsvector
+  GENERATED ALWAYS AS (to_tsvector('english', content)) STORED;
+
+CREATE INDEX IF NOT EXISTS idx_transcripts_fts
+  ON termdeck_transcripts USING GIN (fts);
+
+-- RLS: service-role only (no anon access to raw terminal output)
+ALTER TABLE termdeck_transcripts ENABLE ROW LEVEL SECURITY;
+
+-- Cleanup policy: transcripts older than 30 days get purged
+-- (implement as a pg_cron job or scheduled function, not in this migration)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jhizzard/termdeck",
-  "version": "0.7.1",
+  "version": "0.7.3",
   "description": "Browser-based terminal multiplexer with metadata overlays, panel flashback memory recall, and AI-aware session management",
   "bin": {
     "termdeck": "./packages/cli/src/index.js"
@@ -12,6 +12,7 @@
     "packages/client/public/**",
     "config/config.example.yaml",
     "config/secrets.env.example",
+    "config/transcript-migration.sql",
     "LICENSE",
     "README.md"
   ],

package/packages/cli/src/doctor.js

@@ -1,22 +1,33 @@
-// `termdeck doctor` — Sprint 28 T2.
+// `termdeck doctor` — Sprint 28 T2 + Sprint 35 T3.
 //
-// Compares installed versions of the four TermDeck-stack packages against
-// the npm registry's `dist-tags.latest` and prints a status table. Zero new
-// deps — uses only node:https, node:child_process, and process.stdout.
+// Two-section diagnostic:
+//   Section 1 (Sprint 28) — npm version-check across the four stack packages,
+//     comparing installed (`npm ls -g`) to the registry's `dist-tags.latest`.
+//   Section 2 (Sprint 35) — Supabase schema state. Connects via DATABASE_URL
+//     from ~/.termdeck/secrets.env and verifies the tables / columns / RPCs /
+//     extensions that TermDeck + Mnestra + Rumen depend on.
 //
-// Module contract (per docs/sprint-28-update-signal/STATUS.md):
+// Read-only — no auto-fix. Each fail prints a remediation hint.
+//
+// Module contract:
 //   module.exports = function doctor(argv): Promise<exitCode>
-//     0 = all current
-//     1 = at least one update available
-//     2 = network/registry failure or unrecoverable error
+//     0 = all current and schema clean
+//     1 = at least one update available OR at least one schema gap
+//     2 = network/registry failure or DB-unreachable when --schema requested
+//
+// Flags:
+//   --json        Emit a parseable JSON document (shape extended for Sprint 35:
+//                 `{ exitCode, rows, schema? }` — `rows` retained for back-compat)
+//   --no-color    Strip ANSI codes
+//   --no-schema   Skip the Supabase schema section (used by tests + offline runs)
 //
-// `_detectInstalled` and `_fetchLatest` are exposed as properties on the
-// exported function so tests can monkey-patch the network/process surface
-// without spinning up a real registry. The doctor body calls them via
-// `module.exports.<name>` so monkey-patching takes effect at call time.
+// Test seams (monkey-patchable):
+//   _detectInstalled / _fetchLatest — npm probes (Sprint 28)
+//   _runSchemaCheck — Supabase probe (Sprint 35) — tests stub to `{ skipped: true }`
 
 const https = require('https');
 const { spawn } = require('child_process');
+const path = require('path');
 
 const STACK_PACKAGES = [
   '@jhizzard/termdeck',
@@ -58,7 +69,7 @@ async function _detectInstalled(pkg) {
       child = spawn('npm', ['ls', '-g', pkg, '--depth=0', '--json'], {
         stdio: ['ignore', 'pipe', 'pipe'],
       });
-    } catch {
+    } catch (_err) {
       return resolve(null);
     }
 
@@ -80,7 +91,7 @@ async function _detectInstalled(pkg) {
         const dep = parsed && parsed.dependencies && parsed.dependencies[pkg];
         if (dep && typeof dep.version === 'string') return resolve(dep.version);
         return resolve(null);
-      } catch {
+      } catch (_err) {
         return resolve(null);
       }
     });
@@ -118,13 +129,13 @@ async function _fetchLatest(pkg) {
             const parsed = JSON.parse(body);
             if (parsed && typeof parsed.latest === 'string') return done(parsed.latest);
             return done(null);
-          } catch {
+          } catch (_err) {
             return done(null);
           }
         });
         res.on('error', () => done(null));
       });
-    } catch {
+    } catch (_err) {
       return done(null);
     }
     req.on('timeout', () => {
@@ -200,9 +211,255 @@ function parseArgv(argv) {
   return {
     json: args.includes('--json'),
     noColor: args.includes('--no-color'),
+    noSchema: args.includes('--no-schema'),
+  };
+}
+
+// ── Sprint 35 T3: Supabase schema-check ────────────────────────────────────
+//
+// Connects via DATABASE_URL from ~/.termdeck/secrets.env and runs the schema
+// invariants TermDeck + Mnestra + Rumen depend on. Read-only — no DDL.
+//
+// Returns `{ skipped, sections, passed, total, hasGaps, error? }` where
+// `sections` is an ordered list of `{ name, checks: [{ label, status, hint? }] }`.
+// `status` is one of 'pass' | 'fail'. A `skipped: true` result short-circuits
+// rendering with an informational note.
+
+const SCHEMA_QUERIES = {
+  table: (name) =>
+    `SELECT EXISTS(SELECT 1 FROM information_schema.tables ` +
+    `WHERE table_schema = 'public' AND table_name = '${name}') AS ok`,
+  column: (table, column) =>
+    `SELECT EXISTS(SELECT 1 FROM information_schema.columns ` +
+    `WHERE table_schema = 'public' AND table_name = '${table}' ` +
+    `AND column_name = '${column}') AS ok`,
+  rpc: (name) =>
+    `SELECT EXISTS(SELECT 1 FROM pg_proc WHERE proname = '${name}') AS ok`,
+  extension: (name) =>
+    `SELECT EXISTS(SELECT 1 FROM pg_extension WHERE extname = '${name}') AS ok`,
+};
+
+// pgvector ships under extname 'vector' on Supabase; some older installs
+// or self-hosted boxes use 'pgvector' directly. Accept either.
+async function checkPgVector(client) {
+  try {
+    const r = await client.query(
+      "SELECT EXISTS(SELECT 1 FROM pg_extension WHERE extname IN ('vector', 'pgvector')) AS ok"
+    );
+    return r.rows && r.rows[0] && r.rows[0].ok === true;
+  } catch (_e) {
+    return false;
+  }
+}
+
+async function probeSchema(client, sql) {
+  try {
+    const r = await client.query(sql);
+    return r.rows && r.rows[0] && r.rows[0].ok === true;
+  } catch (_e) {
+    return false;
+  }
+}
+
+async function _runSchemaCheck(opts = {}) {
+  const optsObj = opts || {};
+  // Lazy-require so users running version-check-only never load pg / fs.
+  const fs = require('fs');
+  const os = require('os');
+  const SETUP_DIR = path.join(__dirname, '..', '..', 'server', 'src', 'setup');
+  let pgRunner;
+  let dotenv;
+  try {
+    pgRunner = require(path.join(SETUP_DIR, 'pg-runner'));
+    dotenv = require(path.join(SETUP_DIR, 'dotenv-io'));
+  } catch (err) {
+    return {
+      skipped: true,
+      reason: `setup helpers unavailable: ${err.message}`,
+      sections: [], passed: 0, total: 0, hasGaps: false,
+    };
+  }
+
+  const secretsPath = optsObj.secretsPath ||
+    path.join(os.homedir(), '.termdeck', 'secrets.env');
+  if (!fs.existsSync(secretsPath)) {
+    return {
+      skipped: true,
+      reason: `~/.termdeck/secrets.env not found — run \`termdeck init --mnestra\` first`,
+      sections: [], passed: 0, total: 0, hasGaps: false,
+    };
+  }
+  const secrets = optsObj.secrets || dotenv.readSecrets(secretsPath);
+  if (!secrets.DATABASE_URL) {
+    return {
+      skipped: true,
+      reason: `DATABASE_URL not set in ${secretsPath}`,
+      sections: [], passed: 0, total: 0, hasGaps: false,
+    };
+  }
+
+  let client = optsObj._pgClient || null;
+  let ownsClient = false;
+  if (!client) {
+    try {
+      client = await pgRunner.connect(secrets.DATABASE_URL);
+      ownsClient = true;
+    } catch (err) {
+      return {
+        skipped: false,
+        connectError: err.message,
+        sections: [], passed: 0, total: 0, hasGaps: true,
+      };
+    }
+  }
+
+  const sections = [
+    { name: 'Mnestra modern schema',  checks: [] },
+    { name: 'Mnestra legacy schema',  checks: [] },
+    { name: 'Transcript backup',      checks: [] },
+    { name: 'Rumen schema',           checks: [] },
+    { name: 'Postgres extensions',    checks: [] },
+  ];
+
+  try {
+    // Mnestra modern
+    const modern = sections[0].checks;
+    for (const t of ['memory_items', 'memory_sessions', 'memory_relationships']) {
+      modern.push({
+        label: `${t} table`,
+        status: (await probeSchema(client, SCHEMA_QUERIES.table(t))) ? 'pass' : 'fail',
+        hint: `run: termdeck init --mnestra (applies migrations 001–007)`,
+      });
+    }
+    modern.push({
+      label: `memory_items.source_session_id column (v0.6.5+)`,
+      status: (await probeSchema(client, SCHEMA_QUERIES.column('memory_items', 'source_session_id'))) ? 'pass' : 'fail',
+      hint: `migration 007 adds it — run: npm cache clean --force && npm i -g @jhizzard/termdeck@latest && termdeck init --mnestra --yes`,
+    });
+    for (const fn of ['match_memories', 'search_memories', 'memory_status_aggregation']) {
+      modern.push({
+        label: `${fn}() RPC`,
+        status: (await probeSchema(client, SCHEMA_QUERIES.rpc(fn))) ? 'pass' : 'fail',
+        hint: `migration 005/006 creates it — re-run: termdeck init --mnestra --yes`,
+      });
+    }
+
+    // Mnestra legacy (Sprint 35 T2 ships these via 008_legacy_rag_tables.sql)
+    const legacy = sections[1].checks;
+    for (const t of ['mnestra_session_memory', 'mnestra_project_memory', 'mnestra_developer_memory', 'mnestra_commands']) {
+      legacy.push({
+        label: `${t} table`,
+        status: (await probeSchema(client, SCHEMA_QUERIES.table(t))) ? 'pass' : 'fail',
+        hint: `run: termdeck init --mnestra --yes (applies migration 008 — Sprint 35)`,
+      });
+    }
+
+    // Transcript
+    sections[2].checks.push({
+      label: `termdeck_transcripts table`,
+      status: (await probeSchema(client, SCHEMA_QUERIES.table('termdeck_transcripts'))) ? 'pass' : 'fail',
+      hint: `run: psql "$DATABASE_URL" -f config/transcript-migration.sql`,
+    });
+
+    // Rumen — table existence and the created_at column drift Brad hit
+    const rumen = sections[3].checks;
+    for (const t of ['rumen_jobs', 'rumen_insights', 'rumen_questions']) {
+      const tableOk = await probeSchema(client, SCHEMA_QUERIES.table(t));
+      rumen.push({
+        label: `${t} table`,
+        status: tableOk ? 'pass' : 'fail',
+        hint: `run: termdeck init --rumen (applies rumen migration 001)`,
+      });
+      // Only check the column when the table exists — otherwise the column
+      // line is redundant noise.
+      if (tableOk) {
+        rumen.push({
+          label: `${t}.created_at column`,
+          status: (await probeSchema(client, SCHEMA_QUERIES.column(t, 'created_at'))) ? 'pass' : 'fail',
+          hint: `column drift detected — re-run: termdeck init --rumen`,
+        });
+      }
+    }
+
+    // Extensions — pg_cron / pg_net / pgvector / pg_trgm / pgcrypto
+    const exts = sections[4].checks;
+    const dashboardHint = (() => {
+      if (!secrets.SUPABASE_URL) return `enable in dashboard: Database → Extensions`;
+      const m = String(secrets.SUPABASE_URL).match(/https:\/\/([a-z0-9-]+)\.supabase\.(co|in)/i);
+      if (!m) return `enable in dashboard: Database → Extensions`;
+      return `enable: https://supabase.com/dashboard/project/${m[1]}/database/extensions`;
+    })();
+    for (const ext of ['pg_cron', 'pg_net', 'pg_trgm', 'pgcrypto']) {
+      exts.push({
+        label: `${ext}`,
+        status: (await probeSchema(client, SCHEMA_QUERIES.extension(ext))) ? 'pass' : 'fail',
+        hint: dashboardHint,
+      });
+    }
+    exts.push({
+      label: `pgvector (extname: vector)`,
+      status: (await checkPgVector(client)) ? 'pass' : 'fail',
+      hint: dashboardHint,
+    });
+  } finally {
+    if (ownsClient) {
+      try { await client.end(); } catch (_e) { /* ignore */ }
+    }
+  }
+
+  let passed = 0;
+  let total = 0;
+  for (const s of sections) {
+    for (const c of s.checks) {
+      total += 1;
+      if (c.status === 'pass') passed += 1;
+    }
+  }
+  return {
+    skipped: false,
+    sections,
+    passed,
+    total,
+    hasGaps: passed < total,
   };
 }
 
+function renderSchemaResult(result, c) {
+  const out = [];
+  out.push('');
+  out.push(c.bold('TermDeck stack — Supabase schema check'));
+  out.push('');
+  if (result.skipped) {
+    out.push(`  ${c.dim(`(skipped) ${result.reason}`)}`);
+    return out.join('\n');
+  }
+  if (result.connectError) {
+    out.push(`  ${c.yellow('✗')} could not connect: ${result.connectError}`);
+    out.push(`  ${c.dim('Check DATABASE_URL in ~/.termdeck/secrets.env, then re-run.')}`);
+    return out.join('\n');
+  }
+  for (const section of result.sections) {
+    out.push(`  ${c.bold(section.name)}`);
+    if (section.checks.length === 0) {
+      out.push(`    ${c.dim('(no checks ran)')}`);
+      continue;
+    }
+    for (const check of section.checks) {
+      if (check.status === 'pass') {
+        out.push(`    ${c.green('✓')} ${check.label}`);
+      } else {
+        out.push(`    ${c.yellow('✗')} ${check.label}`);
+        if (check.hint) {
+          out.push(`        ${c.dim(check.hint)}`);
+        }
+      }
+    }
+    out.push('');
+  }
+  out.push(`  ${result.passed}/${result.total} schema checks passed`);
+  return out.join('\n');
+}
+
 async function doctor(argv) {
   const opts = parseArgv(argv);
 
@@ -223,9 +480,24 @@ async function doctor(argv) {
     })
   );
 
-  // Exit-code priority: any network failure → 2; any update available → 1;
-  // else 0. Computed after all rows resolve so a single transient failure
-  // doesn't mask real updates in stdout.
+  // Sprint 35 T3: schema check (skippable for tests / offline runs).
+  let schema = null;
+  if (!opts.noSchema) {
+    try {
+      schema = await module.exports._runSchemaCheck();
+    } catch (err) {
+      schema = {
+        skipped: false,
+        connectError: `unexpected error: ${err && err.message || err}`,
+        sections: [], passed: 0, total: 0, hasGaps: true,
+      };
+    }
+  }
+
+  // Exit-code priority: any network failure → 2; any update available OR
+  // schema gap → 1; else 0. Computed after all rows resolve so a single
+  // transient failure doesn't mask real updates in stdout. A schema connect
+  // error counts as 2 (same class as a registry fetch failure).
   let exitCode = 0;
   for (const r of rows) {
     if (r.status === STATUS.NETWORK_ERROR) {
@@ -234,9 +506,13 @@ async function doctor(argv) {
     }
     if (r.status === STATUS.UPDATE && exitCode < 1) exitCode = 1;
   }
+  if (schema && schema.connectError && exitCode < 2) exitCode = 2;
+  if (schema && !schema.skipped && schema.hasGaps && exitCode < 1) exitCode = 1;
 
   if (opts.json) {
-    process.stdout.write(JSON.stringify({ exitCode, rows }, null, 2) + '\n');
+    const payload = { exitCode, rows };
+    if (schema) payload.schema = schema;
+    process.stdout.write(JSON.stringify(payload, null, 2) + '\n');
     return exitCode;
   }
 
@@ -244,6 +520,9 @@ async function doctor(argv) {
   const c = makeColors(colorEnabled);
   process.stdout.write(renderTable(rows, c) + '\n');
   process.stdout.write(renderFooter(rows, exitCode) + '\n');
+  if (schema) {
+    process.stdout.write(renderSchemaResult(schema, c) + '\n');
+  }
   return exitCode;
 }
 
@@ -251,5 +530,6 @@ module.exports = doctor;
 module.exports._detectInstalled = _detectInstalled;
 module.exports._fetchLatest = _fetchLatest;
 module.exports._compareSemver = _compareSemver;
+module.exports._runSchemaCheck = _runSchemaCheck;
 module.exports.STACK_PACKAGES = STACK_PACKAGES;
 module.exports.STATUS = STATUS;

package/packages/cli/src/index.js

@@ -14,7 +14,75 @@
 const path = require('path');
 const fs = require('fs');
 const os = require('os');
-const { execSync } = require('child_process');
+const { exec, execSync } = require('child_process');
+
+// Sprint 35 T4: stale-port reclaim. If the target port is held by a previous
+// TermDeck instance (crash, runaway, prior `termdeck` left orphaned), kill it
+// and continue. If it's held by something else, print a clear error and exit
+// instead of letting `server.listen()` throw a generic EADDRINUSE.
+// Lifted from scripts/start.sh:127–154 so npm-installed users (who never see
+// start.sh) get the same recovery behavior.
+function reclaimStalePort(port) {
+  let pids = [];
+  try {
+    const out = execSync(`lsof -ti TCP:${port} -sTCP:LISTEN 2>/dev/null`, { encoding: 'utf8' });
+    pids = out.split(/\s+/).filter(Boolean);
+  } catch (_e) {
+    // lsof exits 1 when no PIDs match — empty case, not an error.
+    pids = [];
+  }
+  if (pids.length === 0) {
+    // Linux fallback for systems without lsof
+    try {
+      const out = execSync(`fuser -n tcp ${port} 2>/dev/null`, { encoding: 'utf8' });
+      pids = out.split(/\s+/).filter((s) => /^\d+$/.test(s));
+    } catch (_e) { pids = []; }
+  }
+  if (pids.length === 0) return;
+
+  let isTermDeck = false;
+  for (const pid of pids) {
+    try {
+      const cmd = execSync(`ps -o command= -p ${pid}`, { encoding: 'utf8' });
+      if (/packages\/cli\/src\/index\.js/.test(cmd) || /termdeck/i.test(cmd)) {
+        isTermDeck = true;
+        break;
+      }
+    } catch (_e) { /* PID gone between lsof and ps — ignore */ }
+  }
+
+  if (isTermDeck) {
+    console.log(`  \x1b[2m[port] Reclaiming :${port} from stale TermDeck (PIDs: ${pids.join(' ')})\x1b[0m`);
+    for (const pid of pids) {
+      try { process.kill(parseInt(pid, 10), 'SIGTERM'); } catch (_e) {}
+    }
+    try { execSync('sleep 1'); } catch (_e) {}
+    for (const pid of pids) {
+      try { process.kill(parseInt(pid, 10), 'SIGKILL'); } catch (_e) {}
+    }
+  } else {
+    console.error(`\n  \x1b[31m✗ Port ${port} is in use by a non-TermDeck process (PIDs: ${pids.join(' ')})\x1b[0m`);
+    console.error(`  \x1b[2mTry a different port: termdeck --port ${port + 1}\x1b[0m\n`);
+    process.exit(1);
+  }
+}
+
+// Sprint 35 T4: transcript-table-missing hint. If DATABASE_URL is set and
+// psql is on PATH, probe for termdeck_transcripts. Fire-and-forget so a slow
+// network round-trip to Supabase never blocks boot. Lifted from
+// scripts/start.sh:309–313.
+function checkTranscriptTableHint(databaseUrl) {
+  if (!databaseUrl) return;
+  try { execSync('command -v psql', { stdio: 'ignore' }); } catch (_e) { return; }
+  exec('psql "$DATABASE_URL" -c "SELECT 1 FROM termdeck_transcripts LIMIT 0"', {
+    env: { ...process.env, DATABASE_URL: databaseUrl },
+    timeout: 5000,
+  }, (err) => {
+    if (err) {
+      console.log(`  \x1b[33m[hint]\x1b[0m Transcript backup table missing. Run: \x1b[1mtermdeck doctor\x1b[0m (or psql $DATABASE_URL -f config/transcript-migration.sql)`);
+    }
+  });
+}
 
 // Parse CLI args
 const args = process.argv.slice(2);
@@ -130,7 +198,7 @@ for (let i = 0; i < args.length; i++) {
     termdeck init --mnestra     Configure Tier 2 memory (Supabase + Mnestra)
     termdeck init --rumen       Deploy Tier 3 async learning (Rumen)
     termdeck forge              Generate Claude skills from memories (experimental)
-    termdeck doctor             Check whether the stack packages are up to date
+    termdeck doctor             Diagnose stack — npm versions + Supabase schema (use --no-schema to skip the DB probe)
 
   Keyboard shortcuts (in browser):
     Ctrl+Shift+N                Focus prompt bar
@@ -174,6 +242,11 @@ const port = config.port || 3000;
 const host = config.host || '127.0.0.1';
 const url = `http://${host}:${port}`;
 
+// Sprint 35 T4: reclaim the port if a previous TermDeck is squatting on it,
+// or hard-stop with a useful hint if a non-TermDeck process holds it. Runs
+// before server.listen() so EADDRINUSE never bubbles up.
+reclaimStalePort(port);
+
 // Bind guardrail: refuse non-loopback without auth token
 const LOOPBACK = new Set(['127.0.0.1', 'localhost', '::1']);
 if (!LOOPBACK.has(host)) {
@@ -229,10 +302,23 @@ server.listen(port, host, async () => {
   ╚══════════════════════════════════════╝
   `);
 
+  // Sprint 35 T4: RAG state line. Always-visible indicator of what mode the
+  // user is in — MCP-only (the new default after Sprint 35 T1) or full RAG
+  // writing to mnestra_*_memory tables. Dim line, single sentence.
+  if (config.rag && config.rag.enabled === true) {
+    console.log(`  \x1b[2mRAG: on — events syncing to mnestra_session_memory / mnestra_project_memory / mnestra_developer_memory\x1b[0m\n`);
+  } else {
+    console.log(`  \x1b[2mRAG: off (MCP-only mode) — toggle in dashboard at ${url}/#config to enable session/project/developer memory tables\x1b[0m\n`);
+  }
+
   if (firstRun) {
     console.log("  First run detected. Open http://localhost:3000 and click 'config' to set up.\n");
   }
 
+  // Sprint 35 T4: probe Supabase for the transcript backup table; print a
+  // hint if it's missing. Non-blocking — the result lands after the banner.
+  checkTranscriptTableHint(process.env.DATABASE_URL || (config.rag && config.rag.databaseUrl));
+
   // Run preflight health checks (non-blocking — warn but don't prevent startup)
   runPreflight(config).then((result) => {
     printHealthBanner(result);

package/packages/cli/src/init-mnestra.js

@@ -11,9 +11,10 @@
 //      or migration failure doesn't lose the user's typed-in keys.
 //   3. Connect via `pg` using the direct URL
 //   4. Apply the six bundled Mnestra migrations in order
-//   5. Update ~/.termdeck/config.yaml to enable RAG + point at ${VAR} refs
-//      (only after migrations apply cleanly — otherwise the server would
-//      try to use an incomplete schema on next startup)
+//   5. Update ~/.termdeck/config.yaml — set rag.enabled: false (MCP-only
+//      default; opt into TermDeck-side RAG via dashboard toggle) and point
+//      at ${VAR} refs (only after migrations apply cleanly — otherwise the
+//      server would try to use an incomplete schema on next startup)
 //   6. Verify with a memory_status_aggregation() call
 //
 // Flags:
@@ -74,7 +75,8 @@ const HELP = [
   '  2. Writes ~/.termdeck/secrets.env IMMEDIATELY (merge-aware) so a later',
   '     pg connect or migration failure does not lose what you typed in.',
   '  3. Connects to Postgres and applies the six Mnestra schema + RPC migrations.',
-  '  4. Updates ~/.termdeck/config.yaml to enable RAG and reference ${VAR} keys.',
+  '  4. Updates ~/.termdeck/config.yaml — sets rag.enabled: false (MCP-only',
+  '     default) and references ${VAR} keys for credentials.',
   '  5. Verifies the Mnestra store is reachable via memory_status_aggregation().',
   '',
   'Every secret stays on your machine. Nothing is ever printed once entered.',
@@ -180,7 +182,8 @@ This wizard configures TermDeck's Tier 2 memory layer (Mnestra) by:
   5. Writing ~/.termdeck/secrets.env (before any database work, so a
      pg failure cannot lose what you typed in)
   6. Connecting to Postgres + applying six SQL migrations
-  7. Updating ~/.termdeck/config.yaml to enable RAG (only after
+  7. Updating ~/.termdeck/config.yaml — rag.enabled: false (MCP-only
+     default; toggle in dashboard later) with \${VAR} refs (only after
      migrations apply cleanly)
   8. Verifying the connection with a memory_status call
 
@@ -410,11 +413,27 @@ function writeSecretsFile(inputs, dryRun) {
   ok();
 }
 
+// MCP-only is the default starting v0.7.3. Mnestra's MCP server populates
+// `memory_items` whenever an AI worker calls memory_remember / memory_recall,
+// so the dashboard's Flashback queries work out of the box. The TermDeck-side
+// RAG event tables (mnestra_session_memory / mnestra_project_memory /
+// mnestra_developer_memory / mnestra_commands) stay off until the user opts
+// in via the dashboard or by editing config.yaml. This matches Joshua's
+// daily-driver setup and avoids the v0.7.2-and-earlier asymmetry that hit
+// Brad's box on 2026-04-27 (default `enabled: true` against tables no init
+// path created → 404 cascade → silent RAG drop).
 function writeYamlConfig(dryRun) {
-  step('Updating ~/.termdeck/config.yaml (rag.enabled: true)...');
+  process.stdout.write(
+    '\nSetup mode: MCP-only (default)\n' +
+    '  Mnestra MCP tools fill memory_items via memory_remember / memory_recall.\n' +
+    '  TermDeck event tables (session / project / developer) stay OFF by default.\n' +
+    '  Enable later: toggle in dashboard at http://localhost:3000/#config\n' +
+    '  or set rag.enabled: true in ~/.termdeck/config.yaml.\n\n'
+  );
+  step('Updating ~/.termdeck/config.yaml (rag.enabled: false, MCP-only default)...');
   if (dryRun) { ok('(dry-run)'); return; }
   const r = yaml.updateRagConfig({
-    enabled: true,
+    enabled: false,
     supabaseUrl: '${SUPABASE_URL}',
     supabaseKey: '${SUPABASE_SERVICE_ROLE_KEY}',
     openaiApiKey: '${OPENAI_API_KEY}',
@@ -428,6 +447,11 @@ function printNextSteps() {
   process.stdout.write(`
 Mnestra is configured.
 
+Setup mode: MCP-only (default) — TermDeck-side RAG event tables are off.
+To enable session / project / developer memory tables, toggle in the dashboard
+at http://localhost:3000/#config or set rag.enabled: true in
+~/.termdeck/config.yaml and restart TermDeck.
+
 Next steps:
   1. Restart TermDeck: termdeck
   2. Flashback will fire automatically on panel errors

package/packages/cli/src/update-check.js

@@ -38,7 +38,7 @@ function defaultPackageVersion() {
   try {
     const pkg = require(path.join(__dirname, '..', '..', '..', 'package.json'));
     return pkg && pkg.version ? String(pkg.version) : null;
-  } catch {
+  } catch (_err) {
     return null;
   }
 }
@@ -68,7 +68,7 @@ function readCache(cachePath) {
     if (!parsed || typeof parsed !== 'object') return null;
     if (parsed.version !== CACHE_VERSION) return null;
     return parsed;
-  } catch {
+  } catch (_err) {
     return null;
   }
 }
@@ -77,7 +77,7 @@ function writeCache(cachePath, data) {
   try {
     fs.mkdirSync(path.dirname(cachePath), { recursive: true });
     fs.writeFileSync(cachePath, JSON.stringify(data, null, 2), 'utf8');
-  } catch {
+  } catch (_err) {
     // Read-only home, ENOSPC, race with another process — all benign here.
   }
 }
@@ -91,7 +91,7 @@ async function fetchLatest(registryUrl) {
     const json = await res.json();
     const latest = json && json.latest;
     return isValidSemver(latest) ? latest : null;
-  } catch {
+  } catch (_err) {
     return null;
   } finally {
     clearTimeout(timeout);
@@ -144,7 +144,7 @@ async function checkAndPrintHint(_config, opts) {
       '       Or run `termdeck doctor` for the whole stack. ' +
         'Suppress with TERMDECK_NO_UPDATE_CHECK=1.'
     );
-  } catch {
+  } catch (_err) {
     // Never throw from a fire-and-forget hook.
   }
 }

package/packages/server/src/index.js

@@ -915,6 +915,120 @@ function createServer(config) {
     res.json({ ok: true, bytes: normalized.length, replyCount: session.meta.replyCount });
   });
 
+  // POST /api/sessions/:id/poke - PTY-flush recovery endpoint
+  // Body: { methods?: ('sigcont' | 'bracketed-paste' | 'cr-flood' | 'all')[] }  default ['all']
+  // Used to recover from the post-stop PTY delivery gap where injected input via /input
+  // returns 200 OK but never reaches the running TUI process. Tries multiple flush
+  // mechanisms in sequence and reports per-attempt status plus session state before/after.
+  // Discovered 2026-04-26 / 2026-04-27 during ClaimGuard Sprints 4-6 (TMR 4+1 orchestration);
+  // see ~/.claude/plans/skill-tmr-orchestrate/known-issues/2026-04-27-pty-delivery-gap.md
+  app.post('/api/sessions/:id/poke', async (req, res) => {
+    const session = sessions.get(req.params.id);
+    if (!session) return res.status(404).json({ error: 'Session not found' });
+    if (session.meta.status === 'exited' || !session.pty) {
+      return res.status(404).json({ error: 'Session is exited' });
+    }
+
+    const { methods } = req.body || {};
+    const requested = Array.isArray(methods) && methods.length > 0
+      ? methods
+      : ['all'];
+    const runAll = requested.includes('all');
+    const wants = (m) => runAll || requested.includes(m);
+
+    const before = {
+      status: session.meta.status,
+      statusDetail: session.meta.statusDetail || '',
+      lastActivity: session.meta.lastActivity,
+      pid: session.pty.pid,
+    };
+
+    const attempts = [];
+
+    // Attempt 1: SIGCONT — wakes the child process if it's somehow stopped (job-control state).
+    // Harmless when the process is already running.
+    if (wants('sigcont')) {
+      try {
+        process.kill(session.pty.pid, 'SIGCONT');
+        attempts.push({ method: 'sigcont', ok: true });
+      } catch (err) {
+        attempts.push({ method: 'sigcont', ok: false, error: err.message });
+      }
+    }
+
+    // Attempt 2: bracketed-paste sequence wrapping a single CR.
+    // Some TUIs treat bracketed-paste differently from raw input; this is a documented
+    // (and previously untested) workaround mentioned in the TermDeck API reference.
+    if (wants('bracketed-paste')) {
+      try {
+        session.pty.write('\x1b[200~\r\x1b[201~');
+        attempts.push({ method: 'bracketed-paste', ok: true });
+      } catch (err) {
+        attempts.push({ method: 'bracketed-paste', ok: false, error: err.message });
+      }
+    }
+
+    // Wait briefly between attempts so each one has a chance to take effect
+    // before the next floods the buffer.
+    await new Promise((resolve) => setTimeout(resolve, 200));
+
+    // Attempt 3: triple CR — multiple Enter keypresses in case the TUI needs more
+    // than one to register. Each \r is a literal Enter (zsh/readline submit).
+    if (wants('cr-flood')) {
+      try {
+        session.pty.write('\r\r\r');
+        attempts.push({ method: 'cr-flood', ok: true });
+      } catch (err) {
+        attempts.push({ method: 'cr-flood', ok: false, error: err.message });
+      }
+    }
+
+    // Final settle delay so `after` reflects the result of all attempts.
+    await new Promise((resolve) => setTimeout(resolve, 200));
+
+    const after = {
+      status: session.meta.status,
+      statusDetail: session.meta.statusDetail || '',
+      lastActivity: session.meta.lastActivity,
+    };
+
+    // Heuristic recovery signal: if lastActivity advanced between before and after,
+    // at least one attempt got the TUI to consume input. Not definitive (the TUI
+    // might have advanced for other reasons) but a useful hint to the caller.
+    const advanced = before.lastActivity !== after.lastActivity;
+
+    res.json({
+      ok: true,
+      pid: session.pty.pid,
+      before,
+      after,
+      advanced,
+      attempts,
+    });
+  });
+
+  // GET /api/sessions/:id/buffer - lightweight introspection of recent input writes
+  // Returns the session's recent _inputBuffer state (what the orchestrator has
+  // written via /input that may or may not have been consumed by the TUI yet).
+  // Useful for diagnosing whether bytes are queued vs consumed.
+  app.get('/api/sessions/:id/buffer', (req, res) => {
+    const session = sessions.get(req.params.id);
+    if (!session) return res.status(404).json({ error: 'Session not found' });
+    if (session.meta.status === 'exited' || !session.pty) {
+      return res.status(404).json({ error: 'Session is exited' });
+    }
+    res.json({
+      ok: true,
+      pid: session.pty.pid,
+      inputBufferLength: (session._inputBuffer || '').length,
+      inputBufferPreview: (session._inputBuffer || '').slice(-200),
+      lastActivity: session.meta.lastActivity,
+      status: session.meta.status,
+      statusDetail: session.meta.statusDetail || '',
+      replyCount: session.meta.replyCount || 0,
+    });
+  });
+
   // POST /api/sessions/:id/resize - resize terminal
   app.post('/api/sessions/:id/resize', (req, res) => {
     const session = sessions.get(req.params.id);
@@ -1619,7 +1733,7 @@ if (require.main === module) {
     console.log(`  Terminals:  0 active`);
     console.log(`  Database:   ${Database ? 'SQLite OK' : 'unavailable'}`);
     console.log(`  PTY:        ${pty ? 'node-pty OK' : 'unavailable (install node-pty)'}`);
-    console.log(`  RAG:        ${config.rag?.supabaseUrl ? 'configured' : 'not configured'}`);
+    console.log(`  RAG:        ${config.rag?.enabled === true ? 'on (writing to mnestra_*_memory tables)' : 'off (MCP-only mode)'}`);
     console.log(`  Session logs: ${config.sessionLogs?.enabled ? '~/.termdeck/sessions/ (on exit)' : 'off'}`);
     console.log(`  Transcripts:  ${transcriptWriter ? 'streaming to Supabase' : 'off (no DATABASE_URL)'}`);
     console.log(`\n  WARNING: TermDeck binds to ${host} only.`);

package/packages/server/src/mnestra-bridge/index.js

@@ -231,13 +231,21 @@ function createBridge(config) {
     // back to resolving the session's cwd against config.projects so queries
     // don't leak into unrelated repos via basename collisions.
     let effectiveProject = project;
+    let projectSource = project ? 'explicit' : 'none';
     if (!effectiveProject) {
       const ctxCwd = cwd || (sessionContext && sessionContext.cwd);
       if (ctxCwd) {
         effectiveProject = resolveProjectName(ctxCwd, config);
+        projectSource = effectiveProject ? 'cwd' : 'none';
       }
     }
 
+    // Sprint 34 observability: every Flashback query announces its project tag
+    // and how it was resolved. If the writer chain is ever mis-emitting a tag
+    // (as happened pre-v0.7.2 with the `chopin-nashville` regression from the
+    // out-of-repo session-end hook), the mismatch surfaces here at query time.
+    console.log(`[mnestra-bridge] query project=${effectiveProject ?? 'ALL'} source=${searchAll ? 'searchAll' : projectSource} mode=${mode}`);
+
     switch (mode) {
       case 'webhook':
         return queryWebhook({ question, project: effectiveProject, searchAll });

package/packages/server/src/rag.js

@@ -97,53 +97,80 @@ class RAGIntegration {
 
   // Canonical project tag for a session. Prefers the explicit config.yaml name
   // (set at session creation), falls back to cwd → config.projects resolution.
+  // Returns { tag, source } so callers can audit which resolution path fired —
+  // explicit (session.meta.project), cwd (cwd matched a config.projects entry),
+  // fallback (cwd basename), or null (no cwd, no config). Sprint 34: the
+  // chopin-nashville mis-tag came from an out-of-repo writer, but source
+  // attribution here makes any future TermDeck-side regression visible in logs.
+  _resolveProjectAttribution(session) {
+    if (session.meta.project) return { tag: session.meta.project, source: 'explicit' };
+    const tag = resolveProjectName(session.meta.cwd, this.config);
+    if (!tag) return { tag: null, source: 'none' };
+    const cwdResolved = session.meta.cwd && path.resolve(String(session.meta.cwd).replace(/^~/, os.homedir()));
+    const matchedConfig = !!cwdResolved && Object.values((this.config && this.config.projects) || {}).some((def) => {
+      if (!def || typeof def.path !== 'string') return false;
+      const p = path.resolve(def.path.replace(/^~/, os.homedir()));
+      return cwdResolved === p || cwdResolved.startsWith(p + path.sep);
+    });
+    return { tag, source: matchedConfig ? 'cwd' : 'fallback' };
+  }
+
   _projectFor(session) {
-    if (session.meta.project) return session.meta.project;
-    return resolveProjectName(session.meta.cwd, this.config);
+    return this._resolveProjectAttribution(session).tag;
+  }
+
+  // Single attribution + observability point for session events. Logs once per
+  // record() so future drift in the project-resolution chain (e.g. a writer
+  // that bypasses _projectFor and stamps a raw path segment) is visible in
+  // stdout. Cheap: ~one log line per RAG event, off the hot path.
+  _recordForSession(session, eventType, payload) {
+    const { tag, source } = this._resolveProjectAttribution(session);
+    console.log(`[rag] write project=${tag ?? 'null'} source=${source} session=${session.id} event=${eventType}`);
+    this.record(session.id, eventType, payload, tag);
   }
 
   // Event types to record
   onSessionCreated(session) {
-    this.record(session.id, 'session_created', {
+    this._recordForSession(session, 'session_created', {
       type: session.meta.type,
       command: session.meta.command,
       cwd: session.meta.cwd,
       reason: session.meta.reason
-    }, this._projectFor(session));
+    });
   }
 
   onCommandExecuted(session, command, outputSnippet) {
-    this.record(session.id, 'command_executed', {
+    this._recordForSession(session, 'command_executed', {
       command,
       output_snippet: outputSnippet?.slice(0, 500), // Truncate for storage
       type: session.meta.type
-    }, this._projectFor(session));
+    });
   }
 
   onStatusChanged(session, oldStatus, newStatus) {
-    this.record(session.id, 'status_changed', {
+    this._recordForSession(session, 'status_changed', {
       from: oldStatus,
       to: newStatus,
       detail: session.meta.statusDetail,
       type: session.meta.type
-    }, this._projectFor(session));
+    });
   }
 
   onSessionEnded(session) {
-    this.record(session.id, 'session_ended', {
+    this._recordForSession(session, 'session_ended', {
       type: session.meta.type,
       duration_ms: Date.now() - new Date(session.meta.createdAt).getTime(),
       command_count: session.meta.lastCommands.length,
       exit_code: session.meta.exitCode
-    }, this._projectFor(session));
+    });
   }
 
   onFileEdited(session, filepath, editType) {
-    this.record(session.id, 'file_edited', {
+    this._recordForSession(session, 'file_edited', {
       filepath,
       edit_type: editType,
       type: session.meta.type
-    }, this._projectFor(session));
+    });
   }
 
   // Circuit breaker check — returns true if pushes to this table are disabled.

package/packages/server/src/setup/migration-runner.js

@@ -1,11 +1,18 @@
 // Unified migration runner for the setup wizard and `termdeck init --mnestra`.
 //
-// Applies the full 7-migration bootstrap sequence in order:
-//   1-6. Mnestra schema + RPCs (bundled under ./mnestra-migrations)
-//   7.   termdeck_transcripts table (repo root: config/transcript-migration.sql)
+// Applies the full bootstrap sequence in order:
+//   - Every *.sql file bundled under ./mnestra-migrations, sorted alphabetically
+//     by filename (currently 001…008 — Mnestra schema + RPCs + the legacy RAG
+//     tables that rag.js writes to when rag.enabled is on).
+//   - Then config/transcript-migration.sql (the termdeck_transcripts table).
 //
-// Every migration file is authored with IF NOT EXISTS / CREATE OR REPLACE so
-// re-running the sequence is a no-op on an already-configured database.
+// Migrations are discovered via migrations.listMnestraMigrations(), so adding
+// a new file under ./mnestra-migrations/ is the only step needed to ship it —
+// no edits here required as long as the filename sorts after the previous one.
+//
+// Every migration file is authored with IF NOT EXISTS / CREATE OR REPLACE
+// (and DROP POLICY IF EXISTS where applicable) so re-running the sequence is
+// a no-op on an already-configured database.
 
 const fs = require('fs');
 const path = require('path');

package/packages/server/src/setup/mnestra-migrations/008_legacy_rag_tables.sql

@@ -0,0 +1,122 @@
+-- 008_legacy_rag_tables.sql
+-- Mirror of config/supabase-migration.sql (kept in repo root for reference / manual application).
+-- Auto-applied by packages/server/src/setup/migration-runner.js as the 8th Mnestra migration.
+-- Safe to re-run: all CREATE statements use IF NOT EXISTS guards (and DROP IF EXISTS for policies).
+
+-- Mnestra RAG Tables
+-- Multi-layer memory: session → project → developer (cross-project)
+
+-- pg_trgm enables gin_trgm_ops used by the commands FTS index below.
+-- Must be created before any object that depends on it.
+CREATE EXTENSION IF NOT EXISTS pg_trgm;
+
+-- Session-level memory (per terminal session)
+CREATE TABLE IF NOT EXISTS mnestra_session_memory (
+  id BIGSERIAL PRIMARY KEY,
+  session_id TEXT NOT NULL,
+  event_type TEXT NOT NULL,
+  payload JSONB NOT NULL DEFAULT '{}',
+  project TEXT,
+  developer_id TEXT NOT NULL DEFAULT 'default',
+  timestamp TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_session_memory_session ON mnestra_session_memory(session_id);
+CREATE INDEX IF NOT EXISTS idx_session_memory_developer ON mnestra_session_memory(developer_id);
+CREATE INDEX IF NOT EXISTS idx_session_memory_ts ON mnestra_session_memory(timestamp DESC);
+
+-- Project-level memory (shared across sessions within a project)
+CREATE TABLE IF NOT EXISTS mnestra_project_memory (
+  id BIGSERIAL PRIMARY KEY,
+  session_id TEXT NOT NULL,
+  event_type TEXT NOT NULL,
+  payload JSONB NOT NULL DEFAULT '{}',
+  project TEXT NOT NULL,
+  developer_id TEXT NOT NULL DEFAULT 'default',
+  timestamp TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_project_memory_project ON mnestra_project_memory(project);
+CREATE INDEX IF NOT EXISTS idx_project_memory_developer ON mnestra_project_memory(developer_id);
+CREATE INDEX IF NOT EXISTS idx_project_memory_ts ON mnestra_project_memory(timestamp DESC);
+
+-- Developer-level memory (cross-project patterns and context)
+CREATE TABLE IF NOT EXISTS mnestra_developer_memory (
+  id BIGSERIAL PRIMARY KEY,
+  session_id TEXT NOT NULL,
+  event_type TEXT NOT NULL,
+  payload JSONB NOT NULL DEFAULT '{}',
+  project TEXT,
+  developer_id TEXT NOT NULL,
+  timestamp TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_developer_memory_developer ON mnestra_developer_memory(developer_id);
+CREATE INDEX IF NOT EXISTS idx_developer_memory_ts ON mnestra_developer_memory(timestamp DESC);
+
+-- Command log (full-text searchable command history)
+CREATE TABLE IF NOT EXISTS mnestra_commands (
+  id BIGSERIAL PRIMARY KEY,
+  session_id TEXT NOT NULL,
+  event_type TEXT NOT NULL DEFAULT 'command_executed',
+  payload JSONB NOT NULL DEFAULT '{}',
+  project TEXT,
+  developer_id TEXT NOT NULL DEFAULT 'default',
+  timestamp TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_commands_developer ON mnestra_commands(developer_id);
+CREATE INDEX IF NOT EXISTS idx_commands_project ON mnestra_commands(project);
+CREATE INDEX IF NOT EXISTS idx_commands_ts ON mnestra_commands(timestamp DESC);
+
+-- Enable full-text search on command payloads
+CREATE INDEX IF NOT EXISTS idx_commands_fts ON mnestra_commands
+  USING GIN ((payload->>'command') gin_trgm_ops);
+
+-- RLS policies (enable row-level security for multi-tenant)
+ALTER TABLE mnestra_session_memory ENABLE ROW LEVEL SECURITY;
+ALTER TABLE mnestra_project_memory ENABLE ROW LEVEL SECURITY;
+ALTER TABLE mnestra_developer_memory ENABLE ROW LEVEL SECURITY;
+ALTER TABLE mnestra_commands ENABLE ROW LEVEL SECURITY;
+
+-- Allow insert from anon/authenticated for the sync process.
+-- DROP-then-CREATE pattern keeps the migration re-run safe on Postgres < 15
+-- (which has no CREATE POLICY IF NOT EXISTS).
+DROP POLICY IF EXISTS "Allow insert for all" ON mnestra_session_memory;
+CREATE POLICY "Allow insert for all" ON mnestra_session_memory FOR INSERT WITH CHECK (true);
+
+DROP POLICY IF EXISTS "Allow insert for all" ON mnestra_project_memory;
+CREATE POLICY "Allow insert for all" ON mnestra_project_memory FOR INSERT WITH CHECK (true);
+
+DROP POLICY IF EXISTS "Allow insert for all" ON mnestra_developer_memory;
+CREATE POLICY "Allow insert for all" ON mnestra_developer_memory FOR INSERT WITH CHECK (true);
+
+DROP POLICY IF EXISTS "Allow insert for all" ON mnestra_commands;
+CREATE POLICY "Allow insert for all" ON mnestra_commands FOR INSERT WITH CHECK (true);
+
+-- Read access scoped to developer_id
+DROP POLICY IF EXISTS "Read own data" ON mnestra_session_memory;
+CREATE POLICY "Read own data" ON mnestra_session_memory FOR SELECT USING (developer_id = current_setting('request.jwt.claims', true)::json->>'sub' OR developer_id = 'default');
+
+DROP POLICY IF EXISTS "Read own data" ON mnestra_project_memory;
+CREATE POLICY "Read own data" ON mnestra_project_memory FOR SELECT USING (developer_id = current_setting('request.jwt.claims', true)::json->>'sub' OR developer_id = 'default');
+
+DROP POLICY IF EXISTS "Read own data" ON mnestra_developer_memory;
+CREATE POLICY "Read own data" ON mnestra_developer_memory FOR SELECT USING (developer_id = current_setting('request.jwt.claims', true)::json->>'sub' OR developer_id = 'default');
+
+DROP POLICY IF EXISTS "Read own data" ON mnestra_commands;
+CREATE POLICY "Read own data" ON mnestra_commands FOR SELECT USING (developer_id = current_setting('request.jwt.claims', true)::json->>'sub' OR developer_id = 'default');
+
+-- Useful view: recent activity across all layers
+CREATE OR REPLACE VIEW mnestra_recent_activity AS
+  SELECT 'session' as layer, * FROM mnestra_session_memory
+  UNION ALL
+  SELECT 'project' as layer, * FROM mnestra_project_memory
+  UNION ALL
+  SELECT 'developer' as layer, * FROM mnestra_developer_memory
+  ORDER BY timestamp DESC
+  LIMIT 100;

package/packages/server/src/setup/preconditions.js

@@ -39,6 +39,18 @@
 
 const { spawnSync } = require('child_process');
 const pgRunner = require('./pg-runner');
+const supabaseUrlHelper = require('./supabase-url');
+
+// Build the project-specific Supabase dashboard URL for the Database →
+// Extensions page when SUPABASE_URL is derivable, else null. Sprint 35 T3:
+// previous hints said "Database → Extensions" with no clickable target —
+// this gives the user a one-click landing page.
+function extensionsDashboardUrl(secrets) {
+  if (!secrets || !secrets.SUPABASE_URL) return null;
+  const parsed = supabaseUrlHelper.parseProjectUrl(secrets.SUPABASE_URL);
+  if (!parsed.ok) return null;
+  return `https://supabase.com/dashboard/project/${parsed.projectRef}/database/extensions`;
+}
 
 // Render a single gap into 2-3 lines of CLI output (one indented hint per
 // non-empty `hint` line). Format aligned with the rest of the wizard's
@@ -144,6 +156,13 @@ async function auditRumenPreconditions({ secrets, env, _pgClient } = {}) {
     return { ok: gaps.length === 0, gaps };
   }
 
+  // Project-specific dashboard URL for missing-extension hints. Falls back
+  // to generic copy when SUPABASE_URL isn't derivable.
+  const dashboardUrl = extensionsDashboardUrl(secrets);
+  const dashboardLine = dashboardUrl
+    ? `  Open: ${dashboardUrl}\n  Search for the extension and toggle it ON.`
+    : '  Database → Extensions → toggle ON';
+
   try {
     // pg_cron extension
     const cron = await safeQuery(client,
@@ -153,8 +172,8 @@ async function auditRumenPreconditions({ secrets, env, _pgClient } = {}) {
         key: 'pg_cron',
         message: 'The pg_cron extension is not enabled on this Supabase project',
         hint:
-          'Enable it in the Supabase dashboard:\n' +
-          '  Database → Extensions → pg_cron → toggle ON\n' +
+          'Enable pg_cron in the Supabase dashboard:\n' +
+          dashboardLine + '\n' +
           '(Without pg_cron, the rumen-tick schedule cannot run.)'
       });
     }
@@ -167,8 +186,8 @@ async function auditRumenPreconditions({ secrets, env, _pgClient } = {}) {
         key: 'pg_net',
         message: 'The pg_net extension is not enabled on this Supabase project',
         hint:
-          'Enable it in the Supabase dashboard:\n' +
-          '  Database → Extensions → pg_net → toggle ON\n' +
+          'Enable pg_net in the Supabase dashboard:\n' +
+          dashboardLine + '\n' +
           '(pg_net is what the cron schedule uses to call the Edge Function.)'
       });
     }
@@ -364,6 +383,7 @@ module.exports = {
   verifyMnestraOutcomes,
   printAuditReport,
   printVerifyReport,
+  extensionsDashboardUrl,
   // Test surface
   _probeSupabaseAuth: probeSupabaseAuth,
   _safeQuery: safeQuery

package/packages/server/src/theme-resolver.js

@@ -40,7 +40,7 @@ function getCurrentConfig() {
     const { loadConfig } = require('./config');
     _configCache = { mtimeMs: stat.mtimeMs, value: loadConfig(), frozen: false };
     return _configCache.value;
-  } catch {
+  } catch (_err) {
     return _configCache.value || {};
   }
 }