@jhizzard/termdeck 0.7.2 → 0.8.0

package/packages/client/public/style.css

@@ -2002,6 +2002,127 @@
       justify-content: center;
     }
     .setup-modal.open { display: flex; }
+
+    /* Settings panel inside the setup modal (Sprint 36 T3 Deliverable A) */
+    .setup-settings {
+      padding: 0 0 16px;
+      margin-bottom: 14px;
+      border-bottom: 1px solid var(--tg-border);
+    }
+    .settings-section {
+      display: flex;
+      flex-direction: column;
+      gap: 6px;
+    }
+    .settings-heading {
+      margin: 0;
+      font-size: 12px;
+      letter-spacing: 0.06em;
+      text-transform: uppercase;
+      color: var(--tg-text-dim);
+      font-family: var(--tg-sans);
+    }
+    .settings-row {
+      display: grid;
+      grid-template-columns: 120px 1fr;
+      gap: 14px;
+      align-items: start;
+    }
+    .settings-copy {
+      margin: 0;
+      font-size: 12px;
+      line-height: 1.45;
+      color: var(--tg-text);
+    }
+    .settings-copy code {
+      font-family: var(--tg-mono);
+      font-size: 11px;
+      background: var(--tg-bg);
+      padding: 1px 5px;
+      border-radius: 3px;
+    }
+    .settings-warn {
+      margin-top: 4px;
+      padding: 8px 10px;
+      font-size: 12px;
+      line-height: 1.4;
+      color: var(--tg-text);
+      background: rgba(224, 175, 104, 0.10);
+      border: 1px solid var(--tg-amber);
+      border-radius: 4px;
+    }
+    .settings-warn code {
+      font-family: var(--tg-mono);
+      font-size: 11px;
+      background: var(--tg-bg);
+      padding: 1px 5px;
+      border-radius: 3px;
+    }
+    /* iOS-style toggle. The native checkbox is visually hidden but stays in
+       the tab order so keyboard + screen reader navigation still work. */
+    .toggle {
+      display: inline-flex;
+      align-items: center;
+      gap: 8px;
+      cursor: pointer;
+      user-select: none;
+    }
+    .toggle input[type="checkbox"] {
+      position: absolute;
+      opacity: 0;
+      width: 1px;
+      height: 1px;
+      pointer-events: none;
+    }
+    .toggle-track {
+      position: relative;
+      display: inline-block;
+      width: 36px;
+      height: 20px;
+      background: var(--tg-border);
+      border-radius: 999px;
+      transition: background 0.15s ease;
+    }
+    .toggle-thumb {
+      position: absolute;
+      top: 2px;
+      left: 2px;
+      width: 16px;
+      height: 16px;
+      background: var(--tg-text-bright);
+      border-radius: 50%;
+      transition: transform 0.15s ease, background 0.15s ease;
+    }
+    .toggle input[type="checkbox"]:checked + .toggle-track {
+      background: var(--tg-green);
+    }
+    .toggle input[type="checkbox"]:checked + .toggle-track .toggle-thumb {
+      transform: translateX(16px);
+      background: var(--tg-bg);
+    }
+    .toggle input[type="checkbox"]:focus-visible + .toggle-track {
+      outline: 2px solid var(--tg-accent);
+      outline-offset: 2px;
+    }
+    .toggle input[type="checkbox"]:disabled + .toggle-track {
+      opacity: 0.5;
+    }
+    .toggle-label {
+      font-size: 12px;
+      color: var(--tg-text);
+      font-family: var(--tg-mono);
+    }
+    /* Topbar #stat-rag — re-purposed as a live RAG state line */
+    .topbar-stat.rag-on {
+      color: var(--tg-green);
+      font-weight: 500;
+    }
+    .topbar-stat.rag-pending {
+      color: var(--tg-amber);
+    }
+    .topbar-stat.rag-off {
+      color: var(--tg-text-dim);
+    }
     .setup-backdrop {
       position: absolute;
       inset: 0;

package/packages/server/src/config.js

@@ -298,11 +298,107 @@ function addProject({ name, path: projectPath, defaultTheme, defaultCommand }) {
   return parsed.projects;
 }
 
+// Apply a structural patch to ~/.termdeck/config.yaml. Sprint 36 introduces
+// this for the dashboard RAG toggle (PATCH /api/config) but the helper is
+// generic — pass a deep partial of the config tree, every leaf in `patch` that
+// matches the whitelist gets written through. Returns the parsed-from-disk
+// post-write tree (NOT post-substitution; we only persist user-authored values
+// here, never substituted secrets).
+//
+// Whitelist deliberately tight. Only fields a UI can safely flip live belong
+// here. Adding a new field is an explicit one-line edit (vs. a freeform writer
+// that would let a buggy/malicious client change `port`, `shell`, or projects).
+//
+// Comments and formatting in config.yaml are NOT preserved — same trade-off
+// as `addProject`. The yaml package's parseDocument API can preserve comments
+// but we'd need to migrate addProject too for consistency; that's a follow-up.
+const UPDATABLE_PATHS = new Set([
+  'rag.enabled'
+]);
+
+function flattenPatch(obj, prefix = '') {
+  const out = [];
+  if (obj == null || typeof obj !== 'object' || Array.isArray(obj)) return out;
+  for (const [k, v] of Object.entries(obj)) {
+    const key = prefix ? `${prefix}.${k}` : k;
+    if (v != null && typeof v === 'object' && !Array.isArray(v)) {
+      out.push(...flattenPatch(v, key));
+    } else {
+      out.push([key, v]);
+    }
+  }
+  return out;
+}
+
+function setPath(obj, segs, value) {
+  let cur = obj;
+  for (let i = 0; i < segs.length - 1; i++) {
+    const s = segs[i];
+    if (cur[s] == null || typeof cur[s] !== 'object') cur[s] = {};
+    cur = cur[s];
+  }
+  cur[segs[segs.length - 1]] = value;
+}
+
+function updateConfig(patch, configPath = CONFIG_PATH) {
+  if (!patch || typeof patch !== 'object' || Array.isArray(patch)) {
+    throw new Error('updateConfig: patch must be a plain object');
+  }
+
+  const flat = flattenPatch(patch);
+  if (flat.length === 0) {
+    throw new Error('updateConfig: patch is empty');
+  }
+
+  for (const [key, val] of flat) {
+    if (!UPDATABLE_PATHS.has(key)) {
+      throw new Error(`updateConfig: ${key} is not in the updatable whitelist`);
+    }
+    if (key === 'rag.enabled' && typeof val !== 'boolean') {
+      throw new Error('updateConfig: rag.enabled must be a boolean');
+    }
+  }
+
+  const yaml = require('yaml');
+  let parsed = {};
+  if (fs.existsSync(configPath)) {
+    const raw = fs.readFileSync(configPath, 'utf-8');
+    try {
+      parsed = yaml.parse(raw) || {};
+    } catch (err) {
+      throw new Error(`config.yaml is not valid YAML — refusing to overwrite: ${err.message}`);
+    }
+  }
+
+  for (const [key, val] of flat) {
+    setPath(parsed, key.split('.'), val);
+  }
+
+  if (fs.existsSync(configPath)) {
+    const ts = new Date().toISOString().replace(/[:.]/g, '-');
+    const bak = `${configPath}.${ts}.bak`;
+    try {
+      fs.copyFileSync(configPath, bak);
+    } catch (err) {
+      console.warn('[config] Could not write backup before updateConfig:', err.message);
+    }
+  }
+
+  const out = yaml.stringify(parsed);
+  fs.writeFileSync(configPath, out, 'utf-8');
+  console.log(`[config] updateConfig wrote ${flat.map(([k]) => k).join(', ')}`);
+
+  return parsed;
+}
+
 module.exports = {
   loadConfig,
   addProject,
+  updateConfig,
   // exported for tests / introspection
   _parseDotenv: parseDotenv,
   _substituteEnv: substituteEnv,
+  _flattenPatch: flattenPatch,
+  _UPDATABLE_PATHS: UPDATABLE_PATHS,
   _paths: { CONFIG_DIR, CONFIG_PATH, SECRETS_PATH }
 };

package/packages/server/src/index.js

@@ -61,7 +61,7 @@ const { TranscriptWriter } = require('./transcripts');
 const { createHealthHandler, runPreflight } = require('./preflight');
 const { getFullHealth } = require('./health');
 const { themes, statusColors } = require('./themes');
-const { loadConfig, addProject } = require('./config');
+const { loadConfig, addProject, updateConfig } = require('./config');
 const { createAuthMiddleware, verifyWebSocketUpgrade, hasAuth } = require('./auth');
 
 function createServer(config) {
@@ -915,6 +915,120 @@ function createServer(config) {
     res.json({ ok: true, bytes: normalized.length, replyCount: session.meta.replyCount });
   });
 
+  // POST /api/sessions/:id/poke - PTY-flush recovery endpoint
+  // Body: { methods?: ('sigcont' | 'bracketed-paste' | 'cr-flood' | 'all')[] }  default ['all']
+  // Used to recover from the post-stop PTY delivery gap where injected input via /input
+  // returns 200 OK but never reaches the running TUI process. Tries multiple flush
+  // mechanisms in sequence and reports per-attempt status plus session state before/after.
+  // Discovered 2026-04-26 / 2026-04-27 during ClaimGuard Sprints 4-6 (TMR 4+1 orchestration);
+  // see ~/.claude/plans/skill-tmr-orchestrate/known-issues/2026-04-27-pty-delivery-gap.md
+  app.post('/api/sessions/:id/poke', async (req, res) => {
+    const session = sessions.get(req.params.id);
+    if (!session) return res.status(404).json({ error: 'Session not found' });
+    if (session.meta.status === 'exited' || !session.pty) {
+      return res.status(404).json({ error: 'Session is exited' });
+    }
+
+    const { methods } = req.body || {};
+    const requested = Array.isArray(methods) && methods.length > 0
+      ? methods
+      : ['all'];
+    const runAll = requested.includes('all');
+    const wants = (m) => runAll || requested.includes(m);
+
+    const before = {
+      status: session.meta.status,
+      statusDetail: session.meta.statusDetail || '',
+      lastActivity: session.meta.lastActivity,
+      pid: session.pty.pid,
+    };
+
+    const attempts = [];
+
+    // Attempt 1: SIGCONT — wakes the child process if it's somehow stopped (job-control state).
+    // Harmless when the process is already running.
+    if (wants('sigcont')) {
+      try {
+        process.kill(session.pty.pid, 'SIGCONT');
+        attempts.push({ method: 'sigcont', ok: true });
+      } catch (err) {
+        attempts.push({ method: 'sigcont', ok: false, error: err.message });
+      }
+    }
+
+    // Attempt 2: bracketed-paste sequence wrapping a single CR.
+    // Some TUIs treat bracketed-paste differently from raw input; this is a documented
+    // (and previously untested) workaround mentioned in the TermDeck API reference.
+    if (wants('bracketed-paste')) {
+      try {
+        session.pty.write('\x1b[200~\r\x1b[201~');
+        attempts.push({ method: 'bracketed-paste', ok: true });
+      } catch (err) {
+        attempts.push({ method: 'bracketed-paste', ok: false, error: err.message });
+      }
+    }
+
+    // Wait briefly between attempts so each one has a chance to take effect
+    // before the next floods the buffer.
+    await new Promise((resolve) => setTimeout(resolve, 200));
+
+    // Attempt 3: triple CR — multiple Enter keypresses in case the TUI needs more
+    // than one to register. Each \r is a literal Enter (zsh/readline submit).
+    if (wants('cr-flood')) {
+      try {
+        session.pty.write('\r\r\r');
+        attempts.push({ method: 'cr-flood', ok: true });
+      } catch (err) {
+        attempts.push({ method: 'cr-flood', ok: false, error: err.message });
+      }
+    }
+
+    // Final settle delay so `after` reflects the result of all attempts.
+    await new Promise((resolve) => setTimeout(resolve, 200));
+
+    const after = {
+      status: session.meta.status,
+      statusDetail: session.meta.statusDetail || '',
+      lastActivity: session.meta.lastActivity,
+    };
+
+    // Heuristic recovery signal: if lastActivity advanced between before and after,
+    // at least one attempt got the TUI to consume input. Not definitive (the TUI
+    // might have advanced for other reasons) but a useful hint to the caller.
+    const advanced = before.lastActivity !== after.lastActivity;
+
+    res.json({
+      ok: true,
+      pid: session.pty.pid,
+      before,
+      after,
+      advanced,
+      attempts,
+    });
+  });
+
+  // GET /api/sessions/:id/buffer - lightweight introspection of recent input writes
+  // Returns the session's recent _inputBuffer state (what the orchestrator has
+  // written via /input that may or may not have been consumed by the TUI yet).
+  // Useful for diagnosing whether bytes are queued vs consumed.
+  app.get('/api/sessions/:id/buffer', (req, res) => {
+    const session = sessions.get(req.params.id);
+    if (!session) return res.status(404).json({ error: 'Session not found' });
+    if (session.meta.status === 'exited' || !session.pty) {
+      return res.status(404).json({ error: 'Session is exited' });
+    }
+    res.json({
+      ok: true,
+      pid: session.pty.pid,
+      inputBufferLength: (session._inputBuffer || '').length,
+      inputBufferPreview: (session._inputBuffer || '').slice(-200),
+      lastActivity: session.meta.lastActivity,
+      status: session.meta.status,
+      statusDetail: session.meta.statusDetail || '',
+      replyCount: session.meta.replyCount || 0,
+    });
+  });
+
   // POST /api/sessions/:id/resize - resize terminal
   app.post('/api/sessions/:id/resize', (req, res) => {
     const session = sessions.get(req.params.id);
@@ -955,16 +1069,64 @@ function createServer(config) {
     res.json(t);
   });
 
-  // GET /api/config - current config (sanitized)
-  app.get('/api/config', (req, res) => {
-    res.json({
+  // Public-shape helper so GET and PATCH return the same envelope.
+  function publicConfigPayload() {
+    return {
       projects: config.projects || {},
       defaultTheme: config.defaultTheme,
+      // ragEnabled is the EFFECTIVE state (after credential eligibility).
+      // ragConfigEnabled is the user's intent from config.yaml. The dashboard
+      // toggle reads ragConfigEnabled (intent) but renders a warning when it
+      // diverges from ragEnabled (e.g. enabled in config but Supabase creds
+      // missing → effective state stays off).
       ragEnabled: rag.enabled,
+      ragConfigEnabled: !!(config.rag && config.rag.enabled),
+      ragSupabaseConfigured: !!(config.rag?.supabaseUrl && config.rag?.supabaseKey),
       aiQueryAvailable: !!(config.rag?.supabaseUrl && config.rag?.supabaseKey && config.rag?.openaiApiKey),
       statusColors,
       firstRun
-    });
+    };
+  }
+
+  // GET /api/config - current config (sanitized)
+  app.get('/api/config', (req, res) => {
+    res.json(publicConfigPayload());
+  });
+
+  // PATCH /api/config - update writable config fields. Sprint 36 T3 Deliverable A.
+  // Body: { rag: { enabled: boolean } } — the only currently writable path.
+  // Persists to ~/.termdeck/config.yaml, live-updates the in-memory integration,
+  // and broadcasts a `config_changed` WS event so all open dashboards re-render
+  // their RAG indicator without a refresh.
+  app.patch('/api/config', (req, res) => {
+    const body = req.body;
+    if (!body || typeof body !== 'object' || Array.isArray(body)) {
+      return res.status(400).json({ error: 'body must be a JSON object' });
+    }
+    try {
+      updateConfig(body);
+    } catch (err) {
+      return res.status(400).json({ error: err.message });
+    }
+
+    if (body.rag && typeof body.rag.enabled === 'boolean') {
+      rag.setEnabled(body.rag.enabled);
+    }
+
+    const payload = publicConfigPayload();
+
+    try {
+      const wsPayload = JSON.stringify({ type: 'config_changed', config: payload });
+      wss.clients.forEach((client) => {
+        if (client.readyState === 1) {
+          try { client.send(wsPayload); } catch (err) { console.error('[ws] config_changed send failed:', err); }
+        }
+      });
+    } catch (err) {
+      console.error('[ws] config_changed broadcast failed:', err);
+    }
+
+    res.json(payload);
   });
 
   // POST /api/projects - add a new project on the fly, persist to config.yaml
@@ -1352,6 +1514,14 @@ function createServer(config) {
 
     ws.on('close', () => {
       console.log(`[ws] Client disconnected from session ${sessionId}`);
+      // Intentional: PTYs survive WS close. The session stays in the manager,
+      // the PTY keeps running, and reconnecting (?session=<id>) re-binds.
+      // PTY teardown happens only via DELETE /api/sessions/:id (user-initiated)
+      // or the PTY's own exit event. Hard-refresh is therefore non-destructive.
+      // Sprint 36 T3 Deliverable C audit (2026-04-27): the briefing predicted
+      // this handler would call pty.kill() — it does not. Joshua's original
+      // hard-refresh-loses-PTYs symptom was the reclaimStalePort SIGKILL chain
+      // (orchestrator hotfix #2, 15:25 ET), not a WS-close cascade.
       if (session.ws === ws) {
         session.ws = null;
       }
@@ -1619,7 +1789,7 @@ if (require.main === module) {
     console.log(`  Terminals:  0 active`);
     console.log(`  Database:   ${Database ? 'SQLite OK' : 'unavailable'}`);
     console.log(`  PTY:        ${pty ? 'node-pty OK' : 'unavailable (install node-pty)'}`);
-    console.log(`  RAG:        ${config.rag?.supabaseUrl ? 'configured' : 'not configured'}`);
+    console.log(`  RAG:        ${config.rag?.enabled === true ? 'on (writing to mnestra_*_memory tables)' : 'off (MCP-only mode)'}`);
     console.log(`  Session logs: ${config.sessionLogs?.enabled ? '~/.termdeck/sessions/ (on exit)' : 'off'}`);
     console.log(`  Transcripts:  ${transcriptWriter ? 'streaming to Supabase' : 'off (no DATABASE_URL)'}`);
     console.log(`\n  WARNING: TermDeck binds to ${host} only.`);

package/packages/server/src/rag.js

@@ -66,6 +66,14 @@ class RAGIntegration {
     this._circuitBreaker = new Map(); // table -> { count, open, openedAt, halfOpen }
     this._halfOpenDelayMs = 5 * 60 * 1000;
 
+    // Status-change debounce: rapid `active ↔ thinking` cycling from busy
+    // Claude Code workers (4+1 sprint lanes) produces dozens of status_changed
+    // events per second. Untreated, this floods stdout and the outbox; on
+    // 2026-04-27 it contributed to two server-kill incidents during Sprint 36.
+    // Drop intra-second status edges; let error transitions always pass.
+    this._statusWriteAt = new Map(); // sessionId -> last write timestamp (ms)
+    this._statusDebounceMs = 1000;
+
     if (this.enabled) {
       this._startSync();
     }
@@ -148,6 +156,16 @@ class RAGIntegration {
   }
 
   onStatusChanged(session, oldStatus, newStatus) {
+    // Always pass through error transitions — those carry signal worth ingesting
+    // every time. Debounce only the active ↔ thinking churn that floods the log
+    // when a worker cycles tool calls rapidly.
+    const isError = newStatus === 'errored' || oldStatus === 'errored';
+    if (!isError) {
+      const now = Date.now();
+      const last = this._statusWriteAt.get(session.id) || 0;
+      if (now - last < this._statusDebounceMs) return;
+      this._statusWriteAt.set(session.id, now);
+    }
     this._recordForSession(session, 'status_changed', {
       from: oldStatus,
       to: newStatus,
@@ -351,7 +369,32 @@ class RAGIntegration {
   stop() {
     if (this._syncTimer) {
       clearInterval(this._syncTimer);
+      this._syncTimer = null;
+    }
+    this._statusWriteAt.clear();
+  }
+
+  // Live-toggle for the dashboard RAG settings panel (Sprint 36 T3 Deliverable A).
+  // Re-evaluates eligibility — flipping `enabled: true` without configured
+  // Supabase creds is a no-op so the live integration never claims to be on
+  // when it can't actually push. Returns the resolved effective flag.
+  setEnabled(value) {
+    const desired = !!value;
+    if (this.config && this.config.rag) {
+      this.config.rag.enabled = desired;
+    }
+    const effective = !!(desired && this.supabaseUrl && this.supabaseKey);
+    if (effective === this.enabled) return effective;
+    this.enabled = effective;
+    if (effective) {
+      if (!this._syncTimer) this._startSync();
+    } else {
+      if (this._syncTimer) {
+        clearInterval(this._syncTimer);
+        this._syncTimer = null;
+      }
     }
+    return effective;
   }
 }
 

package/packages/server/src/setup/migration-runner.js

@@ -1,11 +1,18 @@
 // Unified migration runner for the setup wizard and `termdeck init --mnestra`.
 //
-// Applies the full 7-migration bootstrap sequence in order:
-//   1-6. Mnestra schema + RPCs (bundled under ./mnestra-migrations)
-//   7.   termdeck_transcripts table (repo root: config/transcript-migration.sql)
+// Applies the full bootstrap sequence in order:
+//   - Every *.sql file bundled under ./mnestra-migrations, sorted alphabetically
+//     by filename (currently 001…008 — Mnestra schema + RPCs + the legacy RAG
+//     tables that rag.js writes to when rag.enabled is on).
+//   - Then config/transcript-migration.sql (the termdeck_transcripts table).
 //
-// Every migration file is authored with IF NOT EXISTS / CREATE OR REPLACE so
-// re-running the sequence is a no-op on an already-configured database.
+// Migrations are discovered via migrations.listMnestraMigrations(), so adding
+// a new file under ./mnestra-migrations/ is the only step needed to ship it —
+// no edits here required as long as the filename sorts after the previous one.
+//
+// Every migration file is authored with IF NOT EXISTS / CREATE OR REPLACE
+// (and DROP POLICY IF EXISTS where applicable) so re-running the sequence is
+// a no-op on an already-configured database.
 
 const fs = require('fs');
 const path = require('path');

package/packages/server/src/setup/mnestra-migrations/008_legacy_rag_tables.sql

@@ -0,0 +1,122 @@
+-- 008_legacy_rag_tables.sql
+-- Mirror of config/supabase-migration.sql (kept in repo root for reference / manual application).
+-- Auto-applied by packages/server/src/setup/migration-runner.js as the 8th Mnestra migration.
+-- Safe to re-run: all CREATE statements use IF NOT EXISTS guards (and DROP IF EXISTS for policies).
+
+-- Mnestra RAG Tables
+-- Multi-layer memory: session → project → developer (cross-project)
+
+-- pg_trgm enables gin_trgm_ops used by the commands FTS index below.
+-- Must be created before any object that depends on it.
+CREATE EXTENSION IF NOT EXISTS pg_trgm;
+
+-- Session-level memory (per terminal session)
+CREATE TABLE IF NOT EXISTS mnestra_session_memory (
+  id BIGSERIAL PRIMARY KEY,
+  session_id TEXT NOT NULL,
+  event_type TEXT NOT NULL,
+  payload JSONB NOT NULL DEFAULT '{}',
+  project TEXT,
+  developer_id TEXT NOT NULL DEFAULT 'default',
+  timestamp TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_session_memory_session ON mnestra_session_memory(session_id);
+CREATE INDEX IF NOT EXISTS idx_session_memory_developer ON mnestra_session_memory(developer_id);
+CREATE INDEX IF NOT EXISTS idx_session_memory_ts ON mnestra_session_memory(timestamp DESC);
+
+-- Project-level memory (shared across sessions within a project)
+CREATE TABLE IF NOT EXISTS mnestra_project_memory (
+  id BIGSERIAL PRIMARY KEY,
+  session_id TEXT NOT NULL,
+  event_type TEXT NOT NULL,
+  payload JSONB NOT NULL DEFAULT '{}',
+  project TEXT NOT NULL,
+  developer_id TEXT NOT NULL DEFAULT 'default',
+  timestamp TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_project_memory_project ON mnestra_project_memory(project);
+CREATE INDEX IF NOT EXISTS idx_project_memory_developer ON mnestra_project_memory(developer_id);
+CREATE INDEX IF NOT EXISTS idx_project_memory_ts ON mnestra_project_memory(timestamp DESC);
+
+-- Developer-level memory (cross-project patterns and context)
+CREATE TABLE IF NOT EXISTS mnestra_developer_memory (
+  id BIGSERIAL PRIMARY KEY,
+  session_id TEXT NOT NULL,
+  event_type TEXT NOT NULL,
+  payload JSONB NOT NULL DEFAULT '{}',
+  project TEXT,
+  developer_id TEXT NOT NULL,
+  timestamp TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_developer_memory_developer ON mnestra_developer_memory(developer_id);
+CREATE INDEX IF NOT EXISTS idx_developer_memory_ts ON mnestra_developer_memory(timestamp DESC);
+
+-- Command log (full-text searchable command history)
+CREATE TABLE IF NOT EXISTS mnestra_commands (
+  id BIGSERIAL PRIMARY KEY,
+  session_id TEXT NOT NULL,
+  event_type TEXT NOT NULL DEFAULT 'command_executed',
+  payload JSONB NOT NULL DEFAULT '{}',
+  project TEXT,
+  developer_id TEXT NOT NULL DEFAULT 'default',
+  timestamp TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_commands_developer ON mnestra_commands(developer_id);
+CREATE INDEX IF NOT EXISTS idx_commands_project ON mnestra_commands(project);
+CREATE INDEX IF NOT EXISTS idx_commands_ts ON mnestra_commands(timestamp DESC);
+
+-- Enable full-text search on command payloads
+CREATE INDEX IF NOT EXISTS idx_commands_fts ON mnestra_commands
+  USING GIN ((payload->>'command') gin_trgm_ops);
+
+-- RLS policies (enable row-level security for multi-tenant)
+ALTER TABLE mnestra_session_memory ENABLE ROW LEVEL SECURITY;
+ALTER TABLE mnestra_project_memory ENABLE ROW LEVEL SECURITY;
+ALTER TABLE mnestra_developer_memory ENABLE ROW LEVEL SECURITY;
+ALTER TABLE mnestra_commands ENABLE ROW LEVEL SECURITY;
+
+-- Allow insert from anon/authenticated for the sync process.
+-- DROP-then-CREATE pattern keeps the migration re-run safe on Postgres < 15
+-- (which has no CREATE POLICY IF NOT EXISTS).
+DROP POLICY IF EXISTS "Allow insert for all" ON mnestra_session_memory;
+CREATE POLICY "Allow insert for all" ON mnestra_session_memory FOR INSERT WITH CHECK (true);
+
+DROP POLICY IF EXISTS "Allow insert for all" ON mnestra_project_memory;
+CREATE POLICY "Allow insert for all" ON mnestra_project_memory FOR INSERT WITH CHECK (true);
+
+DROP POLICY IF EXISTS "Allow insert for all" ON mnestra_developer_memory;
+CREATE POLICY "Allow insert for all" ON mnestra_developer_memory FOR INSERT WITH CHECK (true);
+
+DROP POLICY IF EXISTS "Allow insert for all" ON mnestra_commands;
+CREATE POLICY "Allow insert for all" ON mnestra_commands FOR INSERT WITH CHECK (true);
+
+-- Read access scoped to developer_id
+DROP POLICY IF EXISTS "Read own data" ON mnestra_session_memory;
+CREATE POLICY "Read own data" ON mnestra_session_memory FOR SELECT USING (developer_id = current_setting('request.jwt.claims', true)::json->>'sub' OR developer_id = 'default');
+
+DROP POLICY IF EXISTS "Read own data" ON mnestra_project_memory;
+CREATE POLICY "Read own data" ON mnestra_project_memory FOR SELECT USING (developer_id = current_setting('request.jwt.claims', true)::json->>'sub' OR developer_id = 'default');
+
+DROP POLICY IF EXISTS "Read own data" ON mnestra_developer_memory;
+CREATE POLICY "Read own data" ON mnestra_developer_memory FOR SELECT USING (developer_id = current_setting('request.jwt.claims', true)::json->>'sub' OR developer_id = 'default');
+
+DROP POLICY IF EXISTS "Read own data" ON mnestra_commands;
+CREATE POLICY "Read own data" ON mnestra_commands FOR SELECT USING (developer_id = current_setting('request.jwt.claims', true)::json->>'sub' OR developer_id = 'default');
+
+-- Useful view: recent activity across all layers
+CREATE OR REPLACE VIEW mnestra_recent_activity AS
+  SELECT 'session' as layer, * FROM mnestra_session_memory
+  UNION ALL
+  SELECT 'project' as layer, * FROM mnestra_project_memory
+  UNION ALL
+  SELECT 'developer' as layer, * FROM mnestra_developer_memory
+  ORDER BY timestamp DESC
+  LIMIT 100;