@jhizzard/termdeck 1.0.0 → 1.0.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jhizzard/termdeck",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "Browser-based terminal multiplexer with metadata overlays, panel flashback memory recall, and AI-aware session management",
   "bin": {
     "termdeck": "./packages/cli/src/index.js"

package/packages/cli/src/init-mnestra.js

@@ -45,7 +45,8 @@ const {
   supabaseUrl: urlHelper,
   migrations,
   pgRunner,
-  preconditions
+  preconditions,
+  auditUpgrade: auditUpgradeMod
 } = require(SETUP_DIR);
 
 const HELP = [
@@ -339,6 +340,43 @@ async function applyMigrations(client, dryRun) {
   }
 }
 
+// Sprint 51.5 T1 — schema-introspection audit-upgrade. Runs AFTER the
+// fresh-install applyMigrations() loop completes, but reports separately.
+// On a Sprint-37-era project that pre-dated several mnestra migrations,
+// applyMigrations now has the full bundled set (Sprint 51.5 synced 013-015
+// from canonical engram), so this audit is mostly a belt-and-suspenders
+// confirmation. It still surfaces drift if, e.g., the user manually
+// dropped a column post-install. Mnestra-kind only — rumen cron probes
+// reference vault secrets the user hasn't set up yet at this point. Run
+// init-rumen for the rumen-side audit.
+async function runMnestraAudit(client, projectRef, dryRun) {
+  step('Audit-upgrade: probing for missing mnestra schema artifacts...');
+  if (dryRun) { ok('(dry-run)'); return; }
+  const probes = auditUpgradeMod.PROBES.filter((p) => p.kind === 'mnestra');
+  let result;
+  try {
+    result = await auditUpgradeMod.auditUpgrade({
+      pgClient: client,
+      projectRef,
+      probes
+    });
+  } catch (err) {
+    fail(err.message);
+    return;
+  }
+  if (result.applied.length === 0 && result.errors.length === 0) {
+    ok(`(install up to date — ${result.probed.length} probes all present)`);
+    return;
+  }
+  ok(`(probed ${result.probed.length}, applied ${result.applied.length})`);
+  for (const name of result.applied) {
+    process.stdout.write(`    ✓ applied ${name}\n`);
+  }
+  for (const e of result.errors) {
+    process.stdout.write(`    ! ${e.name}: ${e.error}\n`);
+  }
+}
+
 async function checkExistingStore(client) {
   step('Checking for existing memory_items table...');
   try {
@@ -538,6 +576,7 @@ async function main(argv) {
   try {
     await checkExistingStore(client);
     await applyMigrations(client, false);
+    await runMnestraAudit(client, inputs.projectUrl.projectRef, false);
     writeYamlConfig(false);
     // v0.6.9: post-write outcome verification. Confirms each migration's
     // expected schema bits actually landed — including memory_items.

package/packages/cli/src/init-rumen.js

@@ -20,7 +20,9 @@
 //   4. Apply rumen migration 001 via pg
 //   5. supabase functions deploy rumen-tick AND graph-inference (Sprint 43 T3)
 //      from a single staging dir with multi-function supabase/config.toml
-//   6. supabase secrets set DATABASE_URL=... ANTHROPIC_API_KEY=... [OPENAI_API_KEY=...]
+//   6. supabase secrets set, ONE call per key (DATABASE_URL, ANTHROPIC_API_KEY,
+//      [OPENAI_API_KEY], [GRAPH_LLM_CLASSIFY=1]) — per-secret to avoid the
+//      v2.90.0 multi-arg drop documented in INSTALLER-PITFALLS.md Class J.
 //   7. Test rumen-tick with a manual POST (graph-inference is cron-only)
 //   8. Apply pg_cron schedule migrations 002 (rumen-tick) AND 003 (graph-inference)
 //      with project ref substituted
@@ -38,7 +40,8 @@ const {
   migrations,
   migrationTemplating,
   pgRunner,
-  preconditions
+  preconditions,
+  auditUpgrade: auditUpgradeMod
 } = require(SETUP_DIR);
 
 const {
@@ -303,6 +306,57 @@ async function applyRumenTables(secrets, dryRun) {
   }
 }
 
+// Sprint 51.5 T1 — schema-introspection audit-upgrade. Probes for missing
+// mnestra schema artifacts AND missing rumen cron schedules. Runs before
+// the existing init-rumen flow so the user sees what's about to be applied
+// up front. Idempotent: a re-run on an up-to-date project reports
+// "install up to date" and applies nothing.
+//
+// Brad's 2026-05-02 jizzard-brain report (INSTALLER-PITFALLS.md ledger #13)
+// is the originating motivation: he upgraded npm packages but his database
+// stayed frozen at first-kickstart because no installer code path diffed an
+// existing install against the bundled migration set. After v1.0.1 ships,
+// `npm install -g @jhizzard/termdeck@1.0.1 && termdeck init --rumen` will
+// surface and apply every missing artifact in one pass.
+//
+// Errors are surfaced inline but do NOT abort the wizard — a single
+// failing probe (e.g., pg_cron not enabled when probing for cron.job)
+// shouldn't block the rest of the audit or the rest of the init flow.
+async function runRumenAudit(projectRef, secrets, dryRun) {
+  step('Audit-upgrade: probing for missing schema + cron artifacts...');
+  if (dryRun) { ok('(dry-run)'); return true; }
+  let client;
+  try {
+    client = await pgRunner.connect(secrets.DATABASE_URL);
+  } catch (err) {
+    fail(err.message);
+    return false;
+  }
+  try {
+    const result = await auditUpgradeMod.auditUpgrade({
+      pgClient: client,
+      projectRef
+    });
+    if (result.applied.length === 0 && result.errors.length === 0) {
+      ok(`(install up to date — ${result.probed.length} probes all present)`);
+      return true;
+    }
+    ok(`(probed ${result.probed.length}, applied ${result.applied.length})`);
+    for (const name of result.applied) {
+      process.stdout.write(`    ✓ applied ${name}\n`);
+    }
+    for (const e of result.errors) {
+      process.stdout.write(`    ! ${e.name}: ${e.error}\n`);
+    }
+    return true;
+  } catch (err) {
+    fail(err.message);
+    return true; // non-blocking
+  } finally {
+    try { await client.end(); } catch (_err) { /* ignore */ }
+  }
+}
+
 // Sprint 43 T3: rumen-tick is the only function with a `__RUMEN_VERSION__`
 // placeholder (its `npm:@jhizzard/rumen@<ver>` import is rewritten at deploy
 // time). graph-inference pins its own deps (`npm:postgres@3.4.4`) and is
@@ -400,29 +454,238 @@ ${fnBlocks}`;
   return stage;
 }
 
-function setFunctionSecrets(secrets, dryRun) {
+// Sprint 51.5 T3: per-secret CLI loop. Pre-Sprint-51.5 this issued a single
+// `supabase secrets set KEY1=VAL1 KEY2=VAL2 ...` call with all keys as
+// positional args. Brad's 2026-05-03 4-project install pass observed
+// supabase CLI v2.90.0 silently dropping some args from a multi-arg call —
+// even materializing stray entries from misparsed argv (his email landed as
+// a secret name). Documented as INSTALLER-PITFALLS.md Class J. The
+// deterministic fix is one CLI invocation per secret, exit code checked per
+// call, stderr surfaced with the failing key name. Order is preserved for
+// log readability (DATABASE_URL → ANTHROPIC_API_KEY → optional → optional).
+function setFunctionSecrets(secrets, dryRun, opts = {}) {
+  const orderedKeys = ['DATABASE_URL', 'ANTHROPIC_API_KEY'];
+  if (secrets.OPENAI_API_KEY) orderedKeys.push('OPENAI_API_KEY');
+  if (secrets.GRAPH_LLM_CLASSIFY === '1') orderedKeys.push('GRAPH_LLM_CLASSIFY');
+
   const haveOpenAI = Boolean(secrets.OPENAI_API_KEY);
-  const label = haveOpenAI
-    ? 'DATABASE_URL, ANTHROPIC_API_KEY, OPENAI_API_KEY'
-    : 'DATABASE_URL, ANTHROPIC_API_KEY';
-  step(`Setting function secrets (${label})...`);
+  step(`Setting function secrets per-call (${orderedKeys.join(', ')})...`);
   if (dryRun) { ok('(dry-run)'); return true; }
-  const args = [
-    'secrets', 'set',
-    `DATABASE_URL=${secrets.DATABASE_URL}`,
-    `ANTHROPIC_API_KEY=${secrets.ANTHROPIC_API_KEY}`
+
+  // Test surface: opts.runner is an optional injected function that mimics
+  // runShellCaptured((bin, args) => { ok, code, stdout, stderr }). Production
+  // path passes nothing and shells out to the real supabase CLI.
+  const runner = (typeof opts.runner === 'function') ? opts.runner : runShellCaptured;
+
+  for (const key of orderedKeys) {
+    const value = secrets[key];
+    if (value === undefined || value === null || value === '') {
+      fail(`secret ${key} missing from in-memory secrets map — wizard wiring bug`);
+      return false;
+    }
+    const r = runner('supabase', ['secrets', 'set', `${key}=${value}`]);
+    if (!r || !r.ok) {
+      fail(`supabase secrets set ${key} failed (exit ${r ? r.code : 'no-result'})`);
+      if (r && r.stderr) process.stderr.write(r.stderr + '\n');
+      return false;
+    }
+  }
+  const llmTag = secrets.GRAPH_LLM_CLASSIFY === '1' ? ', graph LLM classify on' : '';
+  ok(`${haveOpenAI ? '(hybrid mode' : '(keyword-only mode — OPENAI_API_KEY not set'}${llmTag})`);
+  return true;
+}
+
+// Sprint 51.5 T3: Build a Supabase SQL-Editor deeplink that pre-fills the
+// vault.create_secret() call for one secret. Used as the fallback when
+// auto-apply via pgRunner can't write to vault.secrets (permission denied,
+// missing extension, etc.) AND as the manual-fix surface in any wizard text
+// that previously instructed users to "click Vault in the dashboard" — the
+// Vault dashboard panel was quietly removed/relocated in current Supabase
+// UIs (Brad 2026-05-03 takeaway #2; INSTALLER-PITFALLS.md Class B).
+//
+// vault.create_secret signature is `(secret text, name text [, description text])`
+// — value-then-name. Both arguments are escaped as Postgres string literals
+// (single-quote doubling). The full URL is roughly:
+//   https://supabase.com/dashboard/project/<ref>/sql/new?content=<encoded SQL>
+// Click → SQL Editor opens with the call pre-filled → user clicks Run.
+function vaultSqlEditorUrl(projectRef, secretName, secretValue) {
+  if (!projectRef || typeof projectRef !== 'string') {
+    throw new Error('vaultSqlEditorUrl: projectRef is required');
+  }
+  const value = String(secretValue == null ? '' : secretValue).replace(/'/g, "''");
+  const name = String(secretName == null ? '' : secretName).replace(/'/g, "''");
+  const sql = `select vault.create_secret('${value}', '${name}');`;
+  return `https://supabase.com/dashboard/project/${projectRef}/sql/new?content=${encodeURIComponent(sql)}`;
+}
+
+// Sprint 51.5 T3: Ensure the two Vault secrets the cron schedules need are
+// present, auto-creating them via the user's pg connection when possible.
+//
+// Required:
+//   - rumen_service_role_key            (used by 002_pg_cron_schedule.sql)
+//   - graph_inference_service_role_key  (used by 003_graph_inference_schedule.sql)
+//
+// Both keys hold the same value (`secrets.SUPABASE_SERVICE_ROLE_KEY`). Brad's
+// 2026-05-02 recovery on jizzard-brain literally cloned rumen → graph_inference
+// in vault.
+//
+// Strategy:
+//   1. Open a pg connection to DATABASE_URL (same path as applyRumenTables).
+//   2. Probe vault.secrets for both names. (Reads vault.secrets, NOT
+//      vault.decrypted_secrets — we don't need the decrypted value, just
+//      presence.)
+//   3. For any missing name, call `vault.create_secret($value, $name)`.
+//   4. On per-secret failure (permission denied, etc.), surface a SQL-Editor
+//      deeplink the user can click; do not fail the wizard hard — the
+//      preconditions audit will catch a still-missing rumen_service_role_key
+//      with its own hint, and the user has the actionable URL in front of
+//      them either way.
+//
+// Returns `{ ok, created: [...], deeplinks: [{ name, url, error }] }`.
+async function ensureVaultSecrets({ projectRef, secrets, dryRun, _pgClient }) {
+  const required = [
+    { name: 'rumen_service_role_key', value: secrets.SUPABASE_SERVICE_ROLE_KEY },
+    { name: 'graph_inference_service_role_key', value: secrets.SUPABASE_SERVICE_ROLE_KEY }
   ];
-  if (haveOpenAI) {
-    args.push(`OPENAI_API_KEY=${secrets.OPENAI_API_KEY}`);
+
+  step('Ensuring Vault secrets (rumen_service_role_key, graph_inference_service_role_key)...');
+  if (dryRun) { ok('(dry-run)'); return { ok: true, created: [], deeplinks: [] }; }
+
+  if (!secrets.SUPABASE_SERVICE_ROLE_KEY) {
+    fail('SUPABASE_SERVICE_ROLE_KEY missing from in-memory secrets — preflight should have rejected');
+    return { ok: false, created: [], deeplinks: [], error: 'service-role-key-missing' };
   }
-  const r = runShellCaptured('supabase', args);
-  if (!r.ok) {
-    fail(`secrets set failed (exit ${r.code})`);
-    if (r.stderr) process.stderr.write(r.stderr + '\n');
-    return false;
+
+  let client = _pgClient;
+  let ownsClient = false;
+  if (!client) {
+    try {
+      client = await pgRunner.connect(secrets.DATABASE_URL);
+      ownsClient = true;
+    } catch (err) {
+      fail(err.message);
+      return { ok: false, created: [], deeplinks: [], error: 'pg-connect-failed' };
+    }
+  }
+
+  let existing = new Set();
+  try {
+    const probe = await client.query(
+      'SELECT name FROM vault.secrets WHERE name = ANY($1::text[])',
+      [required.map((x) => x.name)]
+    );
+    existing = new Set((probe.rows || []).map((r) => r.name));
+  } catch (err) {
+    fail(`vault.secrets probe failed: ${err.message}`);
+    if (ownsClient) { try { await client.end(); } catch (_e) { /* ignore */ } }
+    // Emit deeplinks for both — user can click through manually.
+    const deeplinks = required.map(({ name, value }) => ({
+      name,
+      url: vaultSqlEditorUrl(projectRef, name, value),
+      error: err.message
+    }));
+    printVaultDeeplinks(deeplinks);
+    return { ok: false, created: [], deeplinks, error: 'vault-probe-failed' };
+  }
+
+  const missing = required.filter((x) => !existing.has(x.name));
+  if (missing.length === 0) {
+    if (ownsClient) { try { await client.end(); } catch (_e) { /* ignore */ } }
+    ok('(both already present)');
+    return { ok: true, created: [], deeplinks: [] };
+  }
+
+  const created = [];
+  const deeplinks = [];
+  for (const { name, value } of missing) {
+    try {
+      await client.query('SELECT vault.create_secret($1, $2)', [value, name]);
+      created.push(name);
+    } catch (err) {
+      deeplinks.push({
+        name,
+        url: vaultSqlEditorUrl(projectRef, name, value),
+        error: err && err.message ? err.message : String(err)
+      });
+    }
+  }
+  if (ownsClient) { try { await client.end(); } catch (_e) { /* ignore */ } }
+
+  if (deeplinks.length > 0) {
+    fail(`auto-created ${created.length} of ${missing.length}; ${deeplinks.length} need a manual SQL Editor click`);
+    printVaultDeeplinks(deeplinks);
+    return { ok: false, created, deeplinks };
+  }
+
+  ok(`(created ${created.length}: ${created.map((n) => n).join(', ')})`);
+  return { ok: true, created, deeplinks: [] };
+}
+
+function printVaultDeeplinks(deeplinks) {
+  process.stderr.write(
+    '\nThe Supabase Vault dashboard panel has been removed in current Supabase UIs.\n' +
+    'Open each link below and click Run in SQL Editor to create the secret:\n\n'
+  );
+  for (const d of deeplinks) {
+    process.stderr.write(`  ${d.name}\n    ${d.url}\n`);
+    if (d.error) process.stderr.write(`    (auto-apply error: ${d.error})\n`);
+    process.stderr.write('\n');
   }
-  ok(haveOpenAI ? '(hybrid mode)' : '(keyword-only mode — OPENAI_API_KEY not set)');
-  return true;
+}
+
+// Sprint 51.5 T3: Install-time prompt for the GRAPH_LLM_CLASSIFY toggle.
+//
+// graph-inference (the daily cron Edge Function) defaults every new edge to
+// `relates_to` unless GRAPH_LLM_CLASSIFY=1 AND ANTHROPIC_API_KEY are set as
+// Edge Function secrets. Pre-Sprint-51.5, no install path covered this — the
+// wizard set ANTHROPIC_API_KEY (already required) but never set
+// GRAPH_LLM_CLASSIFY, leaving the LLM classifier off by default. This is
+// INSTALLER-PITFALLS.md Class F (default-vs-runtime asymmetry — Joshua may
+// or may not have set the flag manually; new installs definitely don't).
+//
+// Side-effect: mutates `secrets.GRAPH_LLM_CLASSIFY` to '1' on Y-path. The
+// per-secret loop in setFunctionSecrets reads that key and pushes it into
+// the supabase secrets set sequence. On N-path the key is left undefined
+// and the loop skips it; the wizard prints the manual flip command so the
+// user can opt in later without re-running the whole wizard.
+//
+// --yes accepts the default (Y). --dry-run reports the plan and assumes Y.
+async function promptGraphLlmClassify({ secrets, flags }) {
+  const explainer =
+    '\nGraph edge classification\n' +
+    '─────────────────────────\n' +
+    'When enabled, the daily graph-inference cron uses Claude Haiku 4.5 to label\n' +
+    'each new edge with a relationship type (supersedes, contradicts, elaborates,\n' +
+    'caused_by, blocks, inspired_by, cross_project_link, relates_to).\n' +
+    '\n' +
+    'Cost: ~$0.003 per 1k edges classified (a typical project sees a few hundred\n' +
+    'new edges per day). Disabled = every edge is typed "relates_to".\n\n';
+
+  if (flags.dryRun) {
+    process.stdout.write(explainer);
+    process.stdout.write('? Enable AI-classified graph edges? [Y/n] (dry-run, defaulting Y)\n');
+    secrets.GRAPH_LLM_CLASSIFY = '1';
+    return { enabled: true, source: 'dry-run' };
+  }
+  if (flags.yes) {
+    process.stdout.write(explainer);
+    process.stdout.write('? Enable AI-classified graph edges? [Y/n] (--yes, defaulting Y)\n');
+    secrets.GRAPH_LLM_CLASSIFY = '1';
+    return { enabled: true, source: '--yes' };
+  }
+
+  process.stdout.write(explainer);
+  const yes = await prompts.confirm('? Enable AI-classified graph edges?', { defaultYes: true });
+  if (yes) {
+    secrets.GRAPH_LLM_CLASSIFY = '1';
+    process.stdout.write('  → Will set GRAPH_LLM_CLASSIFY=1 + ANTHROPIC_API_KEY in Edge Function secrets.\n\n');
+    return { enabled: true, source: 'prompt' };
+  }
+  process.stdout.write(
+    '  → GRAPH_LLM_CLASSIFY left unset. Edges will default to "relates_to".\n' +
+    '    To enable later: supabase secrets set GRAPH_LLM_CLASSIFY=1\n\n'
+  );
+  return { enabled: false, source: 'prompt' };
 }
 
 async function testFunction(projectRef, secrets, dryRun) {
@@ -601,13 +864,22 @@ function wireAccessTokenInMcpJson({ token, mcpJsonPath, _testFs } = {}) {
   return { status: 'updated', path: targetPath };
 }
 
-function printNextSteps(projectRef) {
+function printNextSteps(projectRef, vaultResult, llmResult) {
   const rumenTickUrl = `https://${projectRef}.supabase.co/functions/v1/rumen-tick`;
   const graphInferenceUrl = `https://${projectRef}.supabase.co/functions/v1/graph-inference`;
   const now = new Date();
   // Round up to the next 15-minute mark so the hint is accurate.
   const next = new Date(now.getTime());
   next.setUTCMinutes(Math.ceil((now.getUTCMinutes() + 1) / 15) * 15, 0, 0);
+
+  const vaultLine = (vaultResult && vaultResult.ok)
+    ? '  Vault secrets: rumen_service_role_key + graph_inference_service_role_key in place.'
+    : '  Vault secrets: open the SQL Editor URLs above and click Run for any deeplinks shown.';
+
+  const llmLine = llmResult && llmResult.enabled
+    ? '  Graph edges: classified by Claude Haiku 4.5 (GRAPH_LLM_CLASSIFY=1).'
+    : '  Graph edges: untyped (relates_to). To enable: supabase secrets set GRAPH_LLM_CLASSIFY=1';
+
   process.stdout.write(`
 Rumen is deployed.
 
@@ -618,13 +890,12 @@ Edge Functions:
                     ${graphInferenceUrl}
 
 Next steps:
-  1. Monitor rumen jobs: psql "$DATABASE_URL" -c "SELECT * FROM rumen_jobs ORDER BY started_at DESC LIMIT 5"
-  2. Store service_role keys in Supabase Vault — required for both cron schedules:
-       rumen_service_role_key            (used by 002_pg_cron_schedule.sql)
-       graph_inference_service_role_key  (used by 003_graph_inference_schedule.sql)
-  3. Rumen insights flow back into Mnestra's memory_items via rumen_insights.
-  4. graph-inference fills memory_relationships edges nightly (cosine similarity ≥ 0.85).
-  5. TermDeck's Flashback will surface cross-project patterns automatically.
+${vaultLine}
+${llmLine}
+  Monitor rumen jobs: psql "$DATABASE_URL" -c "SELECT * FROM rumen_jobs ORDER BY started_at DESC LIMIT 5"
+  Rumen insights flow back into Mnestra's memory_items via rumen_insights.
+  graph-inference fills memory_relationships edges nightly (cosine similarity ≥ 0.85).
+  TermDeck's Flashback will surface cross-project patterns automatically.
 `);
 }
 
@@ -658,6 +929,22 @@ async function main(argv) {
     }
   }
 
+  // Sprint 51.5 T3: ensure both Vault secrets are present BEFORE the
+  // precondition audit (which checks vault.decrypted_secrets for
+  // rumen_service_role_key). Auto-applies via pgRunner; on permission
+  // failure prints SQL-Editor deeplinks and lets the audit's own hint
+  // catch the still-missing secret. The Vault dashboard panel was quietly
+  // removed in current Supabase UIs (Brad 2026-05-03 takeaway #2;
+  // INSTALLER-PITFALLS.md Class B), which is why we no longer instruct
+  // users to "click Vault."
+  let vaultResult = { ok: true, created: [], deeplinks: [] };
+  if (!flags.dryRun) {
+    vaultResult = await ensureVaultSecrets({ projectRef, secrets, dryRun: false });
+    // Continue regardless — preconditions audit will catch a still-missing
+    // secret with its own hint, and the user already has the deeplinks if
+    // any auto-apply failed.
+  }
+
   // v0.6.9: front-loaded precondition audit. Runs BEFORE link so we don't
   // create state (function deploy, function secrets, schedule SQL) that the
   // user would have to manually clean up if a precondition is missing. Every
@@ -691,6 +978,14 @@ async function main(argv) {
     // already-set) are silent — they're all expected paths.
   }
 
+  // Sprint 51.5 T1 — audit-upgrade BEFORE the rest of the flow. Surfaces
+  // and applies any drift between the bundled artifact set and what's
+  // actually live on the user's project. Non-blocking on failure (probe
+  // errors get logged inline; main flow continues).
+  if (!flags.dryRun) {
+    await runRumenAudit(projectRef, secrets, flags.dryRun);
+  }
+
   if (!(await applyRumenTables(secrets, flags.dryRun))) return 5;
 
   step('Resolving @jhizzard/rumen version from npm registry...');
@@ -703,6 +998,12 @@ async function main(argv) {
   }
 
   if (!deployFunctions(resolved.version, flags.dryRun)) return 6;
+
+  // Sprint 51.5 T3: install-time prompt for AI edge classification. Sets
+  // secrets.GRAPH_LLM_CLASSIFY in-memory; the per-secret loop below picks
+  // it up. On --yes / --dry-run defaults to enabled (Y).
+  const llmResult = await promptGraphLlmClassify({ secrets, flags });
+
   if (!setFunctionSecrets(secrets, flags.dryRun)) return 7;
   if (!(await testFunction(projectRef, secrets, flags.dryRun))) return 8;
   if (!flags.skipSchedule) {
@@ -720,7 +1021,7 @@ async function main(argv) {
     process.stdout.write('→ Skipping pg_cron schedule (per --skip-schedule) ✓\n');
   }
 
-  printNextSteps(projectRef);
+  printNextSteps(projectRef, vaultResult, llmResult);
   return 0;
 }
 
@@ -741,3 +1042,10 @@ module.exports._wireAccessTokenInMcpJson = wireAccessTokenInMcpJson;
 // Sprint 43 T3: stage helper exposed so init-rumen-deploy.test.js can pin
 // the multi-function staging contract without shelling out to `supabase`.
 module.exports._stageRumenFunctions = stageRumenFunctions;
+// Sprint 51.5 T3: per-secret CLI loop, Vault SQL-Editor URL builder, and
+// Vault-secret ensure helper exposed for tests/init-rumen-secrets-per-call,
+// init-rumen-graph-llm, and init-rumen-vault-deeplinks.
+module.exports._setFunctionSecrets = setFunctionSecrets;
+module.exports._vaultSqlEditorUrl = vaultSqlEditorUrl;
+module.exports._ensureVaultSecrets = ensureVaultSecrets;
+module.exports._promptGraphLlmClassify = promptGraphLlmClassify;

package/packages/server/src/setup/audit-upgrade.js

@@ -0,0 +1,302 @@
+// Sprint 51.5 T1 — schema-introspection audit-upgrade.
+//
+// Brad's 2026-05-02 jizzard-brain report (INSTALLER-PITFALLS.md ledger #13)
+// surfaced Class A — schema drift. The user upgraded npm packages but the
+// database stayed frozen at first-kickstart: graph-inference Edge Function
+// never deployed, vault key never created, Mnestra migrations 009-015 + TD
+// Rumen 003 never applied. Both init wizards correctly apply their bundled
+// migrations on a fresh install, but neither one diffs an existing install
+// against the bundled migration set. After `npm install -g @latest`, the
+// npm packages are current and the database is whatever it was the day the
+// project was first kickstarted.
+//
+// auditUpgrade() runs at the top of `termdeck init --mnestra` and
+// `termdeck init --rumen` re-runs. For each known schema artifact it:
+//   1. Probes for presence via a single information_schema / pg_catalog query.
+//   2. If absent, applies the bundled migration that creates that artifact.
+//   3. Logs every probe + apply result so the wizard can report what changed.
+//
+// `dryRun: true` returns the missing[] list without applying — exposed so
+// `mnestra doctor` (Sprint 51.5 T2) can render the same drift detection
+// without committing changes.
+//
+// What this file IS: a cheap, additive, idempotent diff applier. Every probe
+// is a single SQL statement. Every applied migration is idempotent
+// (`ADD COLUMN IF NOT EXISTS`, `CREATE INDEX IF NOT EXISTS`,
+// `ALTER ... SCHEDULE`, `cron.unschedule + cron.schedule`).
+//
+// What this file is NOT: a migration-tracking-table approach. That's the
+// durable answer (deferred to Sprint 52+) — it self-heals all future drift
+// but requires a backfill pass for existing installs. v1.0.1 takes the
+// cheap path: probe-as-source-of-truth.
+//
+// Out of scope for v1.0.1: Edge Function deploy via Management API, vault
+// secret creation. The bundled `init-rumen.js::deployFunctions` already
+// re-deploys both rumen-tick and graph-inference on every `init --rumen`
+// re-run, so a user who runs the v1.0.1 hotfix instructions
+// (`npm install -g @jhizzard/termdeck@1.0.1 && termdeck init --rumen`)
+// gets the function deploys + vault clone via the existing flow. This
+// module's job is to land the SQL artifacts cheaply, on either re-run path.
+
+'use strict';
+
+const path = require('path');
+
+const migrations = require('./migrations');
+const { applyTemplating } = require('./migration-templating');
+
+// Probe → apply mapping. Order matters: dependencies (e.g., M-013 audit
+// columns) come after the tables they touch. Cron schedule probes go last
+// because they need pg_cron + pg_net which migration 002 takes for granted.
+//
+// Migration 012 (project_tag_re_taxonomy) is intentionally NOT in this set:
+// it is pure DML (UPDATE rows WHERE project='chopin-nashville') with no
+// schema artifact to introspect. Re-applying is safe (idempotent on already-
+// retagged rows) but auto-applying every audit cycle would scan memory_items
+// 8 times for no schema benefit. Migration 012 still ships in the bundled
+// set and is applied by the existing init-mnestra `applyMigrations` loop on
+// any wizard re-run.
+//
+// Migration 011 (project_tag_backfill) is similarly out of scope (DML).
+// Migration 008 (legacy_rag_tables) is opt-in (rag.enabled toggle) and
+// already creates schema with IF NOT EXISTS guards in the fresh-install
+// path — not a drift candidate.
+const PROBES = Object.freeze([
+  {
+    name: 'memory_relationships.weight',
+    kind: 'mnestra',
+    migrationFile: '009_memory_relationship_metadata.sql',
+    probeSql:
+      "select 1 as present from information_schema.columns " +
+      "where table_schema = 'public' " +
+      "  and table_name = 'memory_relationships' " +
+      "  and column_name = 'weight' limit 1",
+    presentWhen: 'rowReturned'
+  },
+  {
+    name: 'memory_recall_graph rpc',
+    kind: 'mnestra',
+    migrationFile: '010_memory_recall_graph.sql',
+    probeSql:
+      "select 1 as present from pg_proc " +
+      "where proname = 'memory_recall_graph' limit 1",
+    presentWhen: 'rowReturned'
+  },
+  {
+    name: 'memory_items.reclassified_by',
+    kind: 'mnestra',
+    migrationFile: '013_reclassify_uncertain.sql',
+    probeSql:
+      "select 1 as present from information_schema.columns " +
+      "where table_schema = 'public' " +
+      "  and table_name = 'memory_items' " +
+      "  and column_name = 'reclassified_by' limit 1",
+    presentWhen: 'rowReturned'
+  },
+  {
+    // Brad's 2026-04-28 incident: service_role had no INSERT on memory_items
+    // because the project's default-privileges-in-schema-public defaults had
+    // been tightened (Supabase auto-grants didn't fire). Migration 014 lays
+    // down explicit grants. Re-applying on a project where auto-grants did
+    // fire is a no-op.
+    name: 'service_role explicit grant on memory_items',
+    kind: 'mnestra',
+    migrationFile: '014_explicit_grants.sql',
+    probeSql:
+      "select has_table_privilege('service_role', 'public.memory_items', 'INSERT') as present",
+    presentWhen: 'boolColumnTrue'
+  },
+  {
+    name: 'memory_items.source_agent',
+    kind: 'mnestra',
+    migrationFile: '015_source_agent.sql',
+    probeSql:
+      "select 1 as present from information_schema.columns " +
+      "where table_schema = 'public' " +
+      "  and table_name = 'memory_items' " +
+      "  and column_name = 'source_agent' limit 1",
+    presentWhen: 'rowReturned'
+  },
+  {
+    name: 'rumen-tick cron schedule',
+    kind: 'rumen',
+    migrationFile: '002_pg_cron_schedule.sql',
+    templated: true,
+    probeSql:
+      "select 1 as present from cron.job where jobname = 'rumen-tick' limit 1",
+    presentWhen: 'rowReturned'
+  },
+  {
+    name: 'graph-inference-tick cron schedule',
+    kind: 'rumen',
+    migrationFile: '003_graph_inference_schedule.sql',
+    templated: true,
+    probeSql:
+      "select 1 as present from cron.job where jobname = 'graph-inference-tick' limit 1",
+    presentWhen: 'rowReturned'
+  }
+]);
+
+// Find the bundled migration file for a probe target. Returns the absolute
+// path or null. `mnestra` looks under bundled mnestra-migrations; `rumen`
+// looks under bundled rumen/migrations. Both kinds prefer the bundled copy
+// (matches the listMnestraMigrations / listRumenMigrations convention from
+// v0.6.8 — bundled FIRST, then the @jhizzard/<pkg> node_modules fallback).
+function resolveMigrationFile(target, files) {
+  const wanted = target.migrationFile;
+  return files.find((f) => path.basename(f) === wanted) || null;
+}
+
+// Run a probe and decide present/absent based on the probe's contract.
+async function probeOne(pgClient, target) {
+  let result;
+  try {
+    result = await pgClient.query(target.probeSql);
+  } catch (err) {
+    // A probe failure (e.g., schema doesn't exist yet — `cron.job` on a
+    // project without pg_cron) means the artifact is absent. Record the
+    // raw error so a caller can distinguish "absent because never installed"
+    // from "absent because we can't even check." Either way the right
+    // response is to attempt apply — which will surface the real error
+    // (e.g., "extension pg_cron is not installed") with full context.
+    return { present: false, probeError: err.message };
+  }
+  const rows = (result && result.rows) || [];
+  if (target.presentWhen === 'rowReturned') {
+    return { present: rows.length > 0 };
+  }
+  if (target.presentWhen === 'boolColumnTrue') {
+    return { present: Boolean(rows[0] && rows[0].present === true) };
+  }
+  // Defensive default: any returned row counts as present.
+  return { present: rows.length > 0 };
+}
+
+// Apply a single migration file. Templated migrations route through
+// applyTemplating() so the cron schedule body never sees the raw
+// `<project-ref>` placeholder. Brad 2026-05-03 takeaway #5 (bonus): the
+// fresh-install path at init-rumen.js:472-505 already does this; the
+// audit-upgrade path MUST mirror it. Tests in audit-upgrade.test.js guard
+// against future bypass.
+async function applyOne(pgClient, target, files, { projectRef, readFileImpl }) {
+  const file = resolveMigrationFile(target, files);
+  if (!file) {
+    throw new Error(
+      `audit-upgrade: bundled migration file not found for ${target.name} ` +
+      `(expected ${target.migrationFile}). The bundled migration set may be ` +
+      `out of sync — re-publish the package or run scripts/sync-rumen-functions.sh.`
+    );
+  }
+  const raw = readFileImpl(file);
+  const sql = target.templated
+    ? applyTemplating(raw, { projectRef })
+    : raw;
+  await pgClient.query(sql);
+  return { file: path.basename(file) };
+}
+
+// Public API.
+//
+// Inputs:
+//   pgClient    — open node-postgres Client (caller owns the lifecycle).
+//   projectRef  — required when any templated migration is in the probe set
+//                 (i.e., the rumen cron schedules). The applyTemplating
+//                 helper will throw if it sees a `<project-ref>` placeholder
+//                 and projectRef is missing — surfaced via errors[].
+//   dryRun      — when true, probes only; skips apply. applied stays empty.
+//   probes      — optional override for the probe set (test injection point).
+//                 Defaults to PROBES.
+//   _migrations — optional override for the migrations module (test
+//                 injection). Lets tests stub listMnestraMigrations /
+//                 listRumenMigrations / readFile.
+//
+// Returns:
+//   {
+//     probed:  string[]   — every target name we tried to probe
+//     present: string[]   — targets whose probe came back present
+//     missing: string[]   — targets whose probe came back absent
+//     applied: string[]   — targets the audit applied this run
+//                            (empty when dryRun=true)
+//     skipped: string[]   — targets we couldn't apply (e.g., missing
+//                            projectRef on a templated migration)
+//     errors:  Array<{ name, error }> — apply or probe errors (probe errors
+//                                       only surface here when subsequent
+//                                       apply ALSO fails)
+//   }
+//
+// Idempotent: a second run reports `applied=[]` because every probe will
+// come back present. All shipped migrations are themselves idempotent
+// (ADD COLUMN IF NOT EXISTS, CREATE INDEX IF NOT EXISTS,
+// cron.unschedule + cron.schedule, GRANT … TO service_role).
+async function auditUpgrade({
+  pgClient,
+  projectRef,
+  dryRun = false,
+  probes,
+  _migrations
+} = {}) {
+  if (!pgClient || typeof pgClient.query !== 'function') {
+    throw new Error('auditUpgrade: pgClient with .query() is required');
+  }
+  const targets = probes || PROBES;
+  const mig = _migrations || migrations;
+
+  // Resolve once: the bundled migration sets stay constant for the duration
+  // of a single audit run.
+  const mnestraFiles = mig.listMnestraMigrations();
+  const rumenFiles = mig.listRumenMigrations();
+
+  const probed = [];
+  const present = [];
+  const missing = [];
+  const applied = [];
+  const skipped = [];
+  const errors = [];
+
+  for (const target of targets) {
+    probed.push(target.name);
+    const probeResult = await probeOne(pgClient, target);
+    if (probeResult.present) {
+      present.push(target.name);
+      continue;
+    }
+    missing.push(target.name);
+
+    if (dryRun) continue;
+
+    const files = target.kind === 'rumen' ? rumenFiles : mnestraFiles;
+
+    try {
+      await applyOne(pgClient, target, files, {
+        projectRef,
+        readFileImpl: mig.readFile
+      });
+      applied.push(target.name);
+    } catch (err) {
+      // Surface but don't abort. One missing artifact failing to apply (e.g.,
+      // pg_cron extension not enabled) shouldn't block the rest of the audit
+      // from running. The wizard will report the whole audit summary at the
+      // end so the user can address each failure individually.
+      errors.push({
+        name: target.name,
+        error: err && err.message ? err.message : String(err)
+      });
+    }
+  }
+
+  // skipped[] reserved for v1.0.2: targets the audit deliberately doesn't
+  // attempt (e.g., when projectRef is missing for a templated migration we
+  // currently let applyTemplating throw → errors[]; future versions may
+  // pre-skip those into skipped[]).
+  return { probed, present, missing, applied, skipped, errors };
+}
+
+module.exports = {
+  auditUpgrade,
+  PROBES,
+  // Test surface — kept exported so audit-upgrade.test.js can pin probe
+  // selection / apply pathway behavior without needing a live pg client.
+  _probeOne: probeOne,
+  _applyOne: applyOne,
+  _resolveMigrationFile: resolveMigrationFile
+};

package/packages/server/src/setup/index.js

@@ -13,5 +13,6 @@ module.exports = {
   migrationTemplating: require('./migration-templating'),
   pgRunner: require('./pg-runner'),
   migrationRunner: require('./migration-runner'),
-  preconditions: require('./preconditions')
+  preconditions: require('./preconditions'),
+  auditUpgrade: require('./audit-upgrade')
 };

package/packages/server/src/setup/mnestra-migrations/013_reclassify_uncertain.sql

@@ -0,0 +1,39 @@
+-- 013_reclassify_uncertain.sql
+--
+-- Sprint 41 (T4) — Audit-trail columns for the LLM-classification pass that
+-- finishes the chopin-nashville taxonomy cleanup.
+--
+-- Background:
+--   Sprint 41 T2's deterministic re-tag (`012_project_tag_re_taxonomy.sql`)
+--   handles every chopin-nashville row whose content has a clear keyword or
+--   path signal. The residue — rows with no clear signal — gets classified
+--   by `scripts/reclassify-chopin-nashville.js` which calls Haiku 4.5 in
+--   batches of 20 and writes back per-row tag decisions.
+--
+--   Some of those LLM decisions will be "this row really IS chopin-nashville
+--   competition work — leave the tag." Without an audit stamp the script
+--   can't distinguish "row the LLM voted to keep" from "row the LLM hasn't
+--   seen yet" — every re-run would re-ask Haiku about the same rows
+--   indefinitely. The stamp also gives a one-line audit trail
+--   (`SELECT count(*) FROM memory_items WHERE reclassified_by = '...'`).
+--
+-- Idempotent: safe to re-run. ADD COLUMN IF NOT EXISTS — no-op if already
+-- applied.
+--
+-- Constraints:
+--   Both columns nullable. Only rows the script touches get stamped; every
+--   other row stays untouched. There is no foreign key, no NOT NULL, no
+--   default — these are pure audit metadata.
+
+alter table memory_items
+  add column if not exists reclassified_by text,
+  add column if not exists reclassified_at timestamptz;
+
+-- Lightweight partial index — useful for `count(*) WHERE reclassified_by = ...`
+-- audit queries and for the script's own idempotency filter. Keeps the index
+-- small (only stamped rows are indexed) so it doesn't cost anything on the
+-- vast majority of memory_items rows that stay untouched.
+
+create index if not exists memory_items_reclassified_by_idx
+  on memory_items(reclassified_by)
+  where reclassified_by is not null;

package/packages/server/src/setup/mnestra-migrations/014_explicit_grants.sql

@@ -0,0 +1,46 @@
+-- Mnestra v0.3.2 — explicit GRANTs to make installs deterministic
+--
+-- Prior migrations relied on Supabase's auto-grant default, which
+-- auto-grants public-schema privileges to service_role / authenticated /
+-- anon when (a) the creating role is `postgres` AND (b) the project's
+-- default privileges in schema public haven't been tightened. On any
+-- Supabase project where one of those preconditions failed, every
+-- Mnestra install landed in the same broken state:
+--
+--   memory_remember(...)  → "Memory skipped: ..."   (silent — see remember.ts)
+--   memory_status         → Total active memories: 0
+--   memory_recall(...)    → "Search error: permission denied for table memory_items"
+--
+-- Root cause: `service_role` had no SELECT/INSERT/UPDATE/DELETE on
+-- memory_items, memory_sessions, memory_relationships, and no EXECUTE
+-- on match_memories / memory_hybrid_search / expand_memory_neighborhood.
+-- PostgREST checks table-level privileges before evaluating RLS, so
+-- service_role's bypassrls attribute does not help.
+--
+-- Reported and root-caused by Brad Heath 2026-04-28 against project
+-- ref rrzkceirgciiqgeefvbe; fix verified end-to-end on his install
+-- before being upstreamed here.
+--
+-- This migration is idempotent and safe on greenfield projects where
+-- the auto-grant default already fired (the GRANTs become no-ops).
+
+-- ── Tables: service_role is Mnestra's only direct connection role.
+
+grant select, insert, update, delete on all tables in schema public
+  to service_role;
+
+-- ── Functions / RPCs: convention from migrations 006 and 010 is to
+--    grant execute to all three Supabase roles. Apply schema-wide so
+--    future RPCs inherit without another migration.
+
+grant execute on all functions in schema public
+  to service_role, authenticated, anon;
+
+-- ── Default privileges: any future tables/functions created in
+--    schema public automatically inherit the same grants.
+
+alter default privileges in schema public
+  grant select, insert, update, delete on tables to service_role;
+
+alter default privileges in schema public
+  grant execute on functions to service_role, authenticated, anon;

package/packages/server/src/setup/mnestra-migrations/015_source_agent.sql

@@ -0,0 +1,51 @@
+-- Mnestra v0.4.0 — source_agent provenance column on memory_items
+--
+-- Sprint 50 T2 (TermDeck). Adds an LLM-provenance tag to every memory row
+-- so future memory_recall callers can filter or trust-weight by the agent
+-- that produced the row (Claude / Codex / Gemini / Grok / orchestrator).
+--
+-- Why now:
+--   Sprint 49 (mixed-agent dogfood, 2026-05-02) surfaced a trust-fundamental
+--   gap. Each lane's panel produced real work; only Claude's hook wrote to
+--   Mnestra. Sprint 50 closes both halves of that gap — T1 fires the hook
+--   for every adapter at panel close (write-side); T2 (this migration) adds
+--   the read-side ability to filter by source. Without this column,
+--   memory_recall returns a careful Claude observation alongside (e.g.) a
+--   Gemini-produced timestamp claim, with no way to tell them apart at the
+--   recall consumer. See docs/MULTI-AGENT-MEMORY-ARCHITECTURE.md
+--   § Deliverable 2 in the TermDeck repo for the full design.
+--
+-- Backwards compatibility:
+--   Historical rows stay NULL (no destructive default backfill on archived
+--   data). The recall filter treats NULL as "unknown agent" — rows with
+--   NULL source_agent are excluded from a filtered recall and included in
+--   an unfiltered one.
+--
+--   Exception: pre-Sprint-50 session_summary rows came exclusively from
+--   Claude Code's SessionEnd hook (only Claude shipped a hook system before
+--   Sprint 50 T1 added per-agent triggers). Backfill those to 'claude' so
+--   they remain reachable via source_agents=['claude']. Other source_types
+--   (fact / decision / preference / bug_fix / architecture / code_context)
+--   came from a mix of MCP tools and the rag-system extractor — no clean
+--   single-agent attribution exists for them, so they stay NULL.
+--
+-- Idempotent: ADD COLUMN IF NOT EXISTS, CREATE INDEX IF NOT EXISTS,
+-- and the backfill UPDATE skips rows already populated.
+
+alter table memory_items
+  add column if not exists source_agent text;
+
+create index if not exists idx_memory_items_source_agent
+  on memory_items (source_agent)
+  where source_agent is not null;
+
+comment on column memory_items.source_agent is
+  'Agent that produced this memory: claude|codex|gemini|grok|orchestrator|NULL (historical or unknown). Populated by the SessionEnd hook from Sprint 50 onward; NULL for pre-Sprint-50 rows except session_summary which were always Claude (backfilled).';
+
+-- Backfill historical session_summary rows. These came from Claude Code's
+-- SessionEnd hook (only Claude shipped a hook system before Sprint 50 T1).
+-- Idempotent — re-running this UPDATE on already-tagged rows is a no-op.
+update memory_items
+  set source_agent = 'claude'
+  where source_type = 'session_summary'
+    and source_agent is null;

package/packages/server/src/setup/mnestra-migrations/016_mnestra_doctor_probes.sql

@@ -0,0 +1,117 @@
+-- Mnestra v0.4.1 — `mnestra doctor` SECURITY DEFINER probe wrappers
+--
+-- Sprint 51.5 T2 (TermDeck). Adds five SECURITY DEFINER helper functions
+-- so the `mnestra doctor` subcommand (running under the supabase
+-- service_role) can probe `cron.job_run_details`, `cron.job`, `vault.secrets`,
+-- `information_schema.columns`, and `pg_proc` without granting raw schema
+-- access to service_role.
+--
+-- Why SECURITY DEFINER: by default `cron.*` and `vault.*` are owned by
+-- the `postgres` role and unreadable from service_role. The classical
+-- alternative is to `grant usage on schema cron to service_role; grant
+-- select on cron.job_run_details to service_role; …` — broader privilege
+-- expansion than this lane needs. SECURITY DEFINER lets us read exactly
+-- what the doctor needs without exposing the entire cron/vault surface.
+--
+-- Idempotent: every function uses CREATE OR REPLACE; every GRANT is
+-- safe to re-run. No data mutation. Safe to re-apply on every install.
+
+-- ── 1. cron.job_run_details lookup ───────────────────────────────────────
+--
+-- Returns the most recent N runs of a named cron job, projecting only
+-- the columns the doctor needs (status, start/end timestamps, return
+-- message). The doctor parses `return_message` for the rumen-tick /
+-- graph-inference all-zeros pattern.
+
+create or replace function mnestra_doctor_cron_runs(
+  p_jobname text,
+  p_limit   int default 10
+)
+returns table (
+  jobname        text,
+  status         text,
+  start_time     timestamptz,
+  end_time       timestamptz,
+  return_message text
+)
+language sql
+security definer
+set search_path = cron, public
+as $$
+  select j.jobname, d.status, d.start_time, d.end_time, d.return_message
+  from cron.job_run_details d
+  join cron.job j on j.jobid = d.jobid
+  where j.jobname = p_jobname
+  order by d.start_time desc
+  limit greatest(coalesce(p_limit, 10), 1);
+$$;
+
+-- ── 2. column existence probe (public schema only) ───────────────────────
+
+create or replace function mnestra_doctor_column_exists(
+  p_table  text,
+  p_column text
+)
+returns boolean
+language sql
+security definer
+set search_path = public
+as $$
+  select exists (
+    select 1
+    from information_schema.columns
+    where table_schema = 'public'
+      and table_name   = p_table
+      and column_name  = p_column
+  );
+$$;
+
+-- ── 3. RPC / function existence probe ────────────────────────────────────
+
+create or replace function mnestra_doctor_rpc_exists(p_name text)
+returns boolean
+language sql
+security definer
+set search_path = public
+as $$
+  select exists (
+    select 1
+    from pg_proc p
+    join pg_namespace n on n.oid = p.pronamespace
+    where p.proname = p_name
+      and n.nspname = 'public'
+  );
+$$;
+
+-- ── 4. cron.job existence probe (does the named job exist at all) ───────
+
+create or replace function mnestra_doctor_cron_job_exists(p_jobname text)
+returns boolean
+language sql
+security definer
+set search_path = cron, public
+as $$
+  select exists (select 1 from cron.job where jobname = p_jobname);
+$$;
+
+-- ── 5. vault.secrets existence probe (no value disclosure) ──────────────
+--
+-- Existence-only — never returns the secret value. The doctor only needs
+-- to know whether the named vault entry was created during stack install.
+
+create or replace function mnestra_doctor_vault_secret_exists(p_name text)
+returns boolean
+language sql
+security definer
+set search_path = vault, public
+as $$
+  select exists (select 1 from vault.secrets where name = p_name);
+$$;
+
+-- ── 6. Grants ────────────────────────────────────────────────────────────
+
+grant execute on function mnestra_doctor_cron_runs(text, int)             to service_role;
+grant execute on function mnestra_doctor_column_exists(text, text)        to service_role;
+grant execute on function mnestra_doctor_rpc_exists(text)                 to service_role;
+grant execute on function mnestra_doctor_cron_job_exists(text)            to service_role;
+grant execute on function mnestra_doctor_vault_secret_exists(text)        to service_role;

package/packages/server/src/setup/preconditions.js

@@ -52,6 +52,23 @@ function extensionsDashboardUrl(secrets) {
   return `https://supabase.com/dashboard/project/${parsed.projectRef}/database/extensions`;
 }
 
+// Sprint 51.5 T3: Build a SQL-Editor deeplink that pre-fills a
+// vault.create_secret() call. Used when the audit's vault probe finds the
+// secret missing and the wizard's auto-apply step (init-rumen.js
+// `ensureVaultSecrets`) was unable to create it via pgRunner. The Vault
+// dashboard panel was quietly removed/relocated in current Supabase UIs
+// (Brad 2026-05-03 takeaway #2; INSTALLER-PITFALLS.md Class B), so SQL
+// Editor is the working manual surface.
+function vaultSqlEditorUrl(secrets, secretName, secretValue) {
+  if (!secrets || !secrets.SUPABASE_URL) return null;
+  const parsed = supabaseUrlHelper.parseProjectUrl(secrets.SUPABASE_URL);
+  if (!parsed.ok) return null;
+  const value = String(secretValue == null ? '' : secretValue).replace(/'/g, "''");
+  const name = String(secretName == null ? '' : secretName).replace(/'/g, "''");
+  const sql = `select vault.create_secret('${value}', '${name}');`;
+  return `https://supabase.com/dashboard/project/${parsed.projectRef}/sql/new?content=${encodeURIComponent(sql)}`;
+}
+
 // Render a single gap into 2-3 lines of CLI output (one indented hint per
 // non-empty `hint` line). Format aligned with the rest of the wizard's
 // step lines.
@@ -206,14 +223,28 @@ async function auditRumenPreconditions({ secrets, env, _pgClient } = {}) {
           'If permission is denied, the Vault is not accessible to this connection — double-check secrets.env.'
       });
     } else if (!vault.ok) {
+      // Sprint 51.5 T3: the Supabase Vault dashboard panel was quietly removed
+      // / relocated in current Supabase UIs (Brad 2026-05-03 takeaway #2;
+      // INSTALLER-PITFALLS.md Class B). The wizard's `ensureVaultSecrets`
+      // step (init-rumen.js) auto-creates this key via pgRunner when the
+      // user's connection has vault.create_secret privileges; this hint only
+      // fires when auto-apply also failed, in which case the SQL Editor is
+      // the working manual surface. Build a project-specific deeplink when
+      // we can derive the project ref so the user gets one click instead of
+      // a "find the SQL Editor yourself" instruction.
+      const sqlEditorUrl = vaultSqlEditorUrl(secrets, 'rumen_service_role_key',
+        '<paste your service_role JWT from Project Settings → API>');
+      const sqlEditorLine = sqlEditorUrl
+        ? `  Open: ${sqlEditorUrl}\n  Replace the placeholder with your service_role key from Project Settings → API, then click Run.`
+        : '  Open the Supabase SQL Editor and run:\n' +
+          "    select vault.create_secret('<service_role JWT>', 'rumen_service_role_key');";
       gaps.push({
         key: 'rumen_service_role_key',
         message: 'Vault secret "rumen_service_role_key" is missing',
         hint:
-          'Create it in the Supabase dashboard:\n' +
-          '  Project Settings → Vault → New secret\n' +
-          '  Name: rumen_service_role_key  (exact, case-sensitive)\n' +
-          '  Value: your service_role key from Project Settings → API\n' +
+          "The wizard tries to auto-create this via vault.create_secret() and only surfaces this hint when auto-apply also failed.\n" +
+          'Create it manually via the SQL Editor (the Vault dashboard panel was removed in current Supabase UIs):\n' +
+          sqlEditorLine + '\n' +
           '(The pg_cron schedule calls the Edge Function with this key as the bearer token.)'
       });
     }
@@ -384,6 +415,7 @@ module.exports = {
   printAuditReport,
   printVerifyReport,
   extensionsDashboardUrl,
+  vaultSqlEditorUrl,
   // Test surface
   _probeSupabaseAuth: probeSupabaseAuth,
   _safeQuery: safeQuery

package/packages/server/src/setup/rumen/functions/graph-inference/index.ts

@@ -343,9 +343,13 @@ export async function runGraphInference(sql: Sql): Promise<InferenceSummary> {
 }
 
 serve(async (_req: Request) => {
-  const url = Deno.env.get('DATABASE_URL');
+  // Supabase Edge Runtime auto-injects SUPABASE_DB_URL as a built-in env var.
+  // Falling back to it removes one whole category of "where do I get the DB
+  // connection string" from the install wizard. Brad surfaced this 2026-05-03
+  // after hand-patching all four of his deployed copies.
+  const url = Deno.env.get('DATABASE_URL') ?? Deno.env.get('SUPABASE_DB_URL');
   if (!url) {
-    console.error('[graph-inference] DATABASE_URL not set in Edge Function secrets');
+    console.error('[graph-inference] DATABASE_URL / SUPABASE_DB_URL not set in Edge Function secrets');
     return new Response(
       JSON.stringify({ ok: false, error: 'DATABASE_URL not set' }),
       { status: 500, headers: { 'Content-Type': 'application/json' } },

package/packages/server/src/setup/rumen/functions/rumen-tick/index.ts

@@ -31,9 +31,13 @@ import { runRumenJob, createPoolFromUrl } from 'npm:@jhizzard/rumen@__RUMEN_VERS
 declare const Deno: { env: { get: (k: string) => string | undefined } };
 
 serve(async (_req: Request) => {
-  const url = Deno.env.get('DATABASE_URL');
+  // Supabase Edge Runtime auto-injects SUPABASE_DB_URL as a built-in env var.
+  // Falling back to it removes one whole category of "where do I get the DB
+  // connection string" from the install wizard. Brad surfaced this 2026-05-03
+  // after hand-patching all four of his deployed copies.
+  const url = Deno.env.get('DATABASE_URL') ?? Deno.env.get('SUPABASE_DB_URL');
   if (!url) {
-    console.error('[rumen] DATABASE_URL not set in Edge Function secrets');
+    console.error('[rumen] DATABASE_URL / SUPABASE_DB_URL not set in Edge Function secrets');
     return new Response(
       JSON.stringify({
         ok: false,