@memtensor/memos-local-openclaw-plugin 1.0.5 → 1.0.6-beta.10

package/openclaw.plugin.json

@@ -3,7 +3,7 @@
   "name": "MemOS Local Memory",
   "description": "Full-write local conversation memory with hybrid search (RRF + MMR + recency), task summarization, skill evolution, and team sharing (Hub-Client). Provides memory_search, memory_get, task_summary, skill_search, task_share, network_skill_pull, network_team_info, memory_viewer for layered retrieval and team collaboration.",
   "kind": "memory",
-  "version": "0.1.12",
+  "version": "1.0.6-beta.10",
   "skills": [
     "skill/memos-memory-guide"
   ],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@memtensor/memos-local-openclaw-plugin",
-  "version": "1.0.5",
+  "version": "1.0.6-beta.10",
   "description": "MemOS Local memory plugin for OpenClaw — full-write, hybrid-recall, progressive retrieval",
   "type": "module",
   "main": "index.ts",
@@ -11,6 +11,7 @@
     "dist",
     "skill",
     "prebuilds",
+    "scripts/native-binding.cjs",
     "scripts/postinstall.cjs",
     "openclaw.plugin.json",
     "telemetry.credentials.json",

package/scripts/native-binding.cjs

@@ -0,0 +1,32 @@
+"use strict";
+
+function errorMessage(error) {
+  if (error && typeof error.message === "string") return error.message;
+  return String(error || "Unknown native binding error");
+}
+
+function defaultLoadBinding(bindingPath) {
+  process.dlopen({ exports: {} }, bindingPath);
+}
+
+function validateNativeBinding(bindingPath, loadBinding = defaultLoadBinding) {
+  if (!bindingPath) {
+    return { ok: false, reason: "missing", message: "Native binding path not found" };
+  }
+
+  try {
+    loadBinding(bindingPath);
+    return { ok: true, reason: "ok", message: "" };
+  } catch (error) {
+    const message = errorMessage(error);
+    if (/NODE_MODULE_VERSION/.test(message)) {
+      return { ok: false, reason: "node-module-version", message };
+    }
+    return { ok: false, reason: "load-error", message };
+  }
+}
+
+module.exports = {
+  defaultLoadBinding,
+  validateNativeBinding,
+};

package/scripts/postinstall.cjs

@@ -4,6 +4,7 @@
 const { spawnSync } = require("child_process");
 const path = require("path");
 const fs = require("fs");
+const { validateNativeBinding } = require("./native-binding.cjs");
 
 const RESET = "\x1b[0m";
 const GREEN = "\x1b[32m";
@@ -23,6 +24,11 @@ function phase(n, title) {
 }
 
 const pluginDir = path.resolve(__dirname, "..");
+const npmCmd = process.platform === "win32" ? "npm.cmd" : "npm";
+
+function normalizePathForMatch(p) {
+  return path.resolve(p).replace(/^\\\\\?\\/, "").replace(/\\/g, "/").toLowerCase();
+}
 
 console.log(`
 ${CYAN}${BOLD}┌──────────────────────────────────────────────────┐
@@ -42,7 +48,8 @@ log(`Node: ${process.version}  Platform: ${process.platform}-${process.arch}`);
  * ═══════════════════════════════════════════════════════════ */
 
 function cleanStaleArtifacts() {
-  const isExtensionsDir = pluginDir.includes(path.join(".openclaw", "extensions"));
+  const pluginDirNorm = normalizePathForMatch(pluginDir);
+  const isExtensionsDir = pluginDirNorm.includes("/.openclaw/extensions/");
   if (!isExtensionsDir) return;
 
   const pkgPath = path.join(pluginDir, "package.json");
@@ -133,10 +140,10 @@ function ensureDependencies() {
   log("Running: npm install --omit=dev ...");
 
   const startMs = Date.now();
-  const result = spawnSync("npm", ["install", "--omit=dev"], {
+  const result = spawnSync(npmCmd, ["install", "--omit=dev"], {
     cwd: pluginDir,
     stdio: "pipe",
-    shell: true,
+    shell: false,
     timeout: 120_000,
   });
   const elapsed = ((Date.now() - startMs) / 1000).toFixed(1);
@@ -223,8 +230,8 @@ function cleanupLegacy() {
             newEntry.source = oldSource
               .replace(/memos-lite-openclaw-plugin/g, "memos-local-openclaw-plugin")
               .replace(/memos-lite/g, "memos-local-openclaw-plugin")
-              .replace(/\/memos-local\//g, "/memos-local-openclaw-plugin/")
-              .replace(/\/memos-local$/g, "/memos-local-openclaw-plugin");
+              .replace(/[\\/]memos-local[\\/]/g, `${path.sep}memos-local-openclaw-plugin${path.sep}`)
+              .replace(/[\\/]memos-local$/g, `${path.sep}memos-local-openclaw-plugin`);
             if (newEntry.source !== oldSource) {
               log(`Updated source path: ${DIM}${oldSource}${RESET} → ${GREEN}${newEntry.source}${RESET}`);
               cfgChanged = true;
@@ -371,25 +378,31 @@ function findSqliteBinding() {
 
 function sqliteBindingsExist() {
   const found = findSqliteBinding();
-  if (found) {
-    log(`Native binding found: ${DIM}${found}${RESET}`);
-    return true;
+  if (!found) return false;
+  log(`Native binding found: ${DIM}${found}${RESET}`);
+  const status = validateNativeBinding(found);
+  if (status.ok) return true;
+  if (status.reason === "node-module-version") {
+    warn("Native binding exists but was compiled for a different Node.js version.");
+  } else {
+    warn("Native binding exists but failed to load.");
   }
+  warn(`${DIM}${status.message}${RESET}`);
   return false;
 }
 
 if (sqliteBindingsExist()) {
   ok("better-sqlite3 is ready.");
 } else {
-  warn("better-sqlite3 native bindings not found in plugin dir.");
+  warn("better-sqlite3 native bindings are missing or not loadable.");
   log(`Searched in: ${DIM}${sqliteModulePath}/build/${RESET}`);
   log("Running: npm rebuild better-sqlite3 (may take 30-60s)...");
 
   const startMs = Date.now();
-  const result = spawnSync("npm", ["rebuild", "better-sqlite3"], {
+  const result = spawnSync(npmCmd, ["rebuild", "better-sqlite3"], {
     cwd: pluginDir,
     stdio: "pipe",
-    shell: true,
+    shell: false,
     timeout: 180_000,
   });
   const elapsed = ((Date.now() - startMs) / 1000).toFixed(1);

package/src/capture/index.ts

@@ -4,6 +4,17 @@ const SKIP_ROLES: Set<Role> = new Set(["system"]);
 
 const SYSTEM_BOILERPLATE_RE = /^A new session was started via \/new or \/reset\b/;
 
+// Boot-check / memory-system injection patterns that should never be stored.
+const BOOT_CHECK_RE = /^(?:You are running a boot check|Read HEARTBEAT\.md if it exists|## Memory system — ACTION REQUIRED)/;
+
+/**
+ * Returns true for sentinel reply values that carry no user-facing content.
+ */
+function isSentinelReply(text: string): boolean {
+  const t = text.trim();
+  return t === "NO_REPLY" || t === "HEARTBEAT_OK" || t === "HEARTBEAT_CHECK";
+}
+
 const SELF_TOOLS = new Set([
   "memory_search",
   "memory_timeline",
@@ -61,6 +72,16 @@ export function captureMessages(
     if (SKIP_ROLES.has(role)) continue;
     if (!msg.content || msg.content.trim().length === 0) continue;
 
+    // Skip sentinel replies and boot-check prompts for ALL roles.
+    if (isSentinelReply(msg.content)) {
+      log.debug(`Skipping sentinel reply`);
+      continue;
+    }
+    if (BOOT_CHECK_RE.test(msg.content.trim())) {
+      log.debug(`Skipping boot-check injection: ${msg.content.slice(0, 60)}...`);
+      continue;
+    }
+
     if (role === "tool" && msg.toolName && SELF_TOOLS.has(msg.toolName)) {
       log.debug(`Skipping self-tool result: ${msg.toolName}`);
       continue;
@@ -232,6 +253,21 @@ function stripMemoryInjection(text: string): string {
     "",
   ).trim();
 
+  // ## Memory system — ACTION REQUIRED\n...
+  cleaned = cleaned.replace(
+    /## Memory system — ACTION REQUIRED[\s\S]*?(?=\n\[(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+\d{4}-\d{2}-\d{2}|\n\[Subagent)/,
+    "",
+  ).trim();
+
+  // You are running a boot check. Follow BOOT.md instructions exactly.\n...
+  cleaned = cleaned.replace(
+    /^You are running a boot check[\s\S]*?(?=\n\[(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+\d{4}-\d{2}-\d{2}|\n\[Subagent)/m,
+    "",
+  ).trim();
+
+  // Standalone NO_REPLY / HEARTBEAT_OK that leaked into user messages
+  cleaned = cleaned.replace(/^\s*(?:NO_REPLY|HEARTBEAT_OK|HEARTBEAT_CHECK)\s*$/gm, "").trim();
+
   // Old format: ## Retrieved memories from past conversations\n\nCRITICAL INSTRUCTION:...
   const recallIdx = cleaned.indexOf("## Retrieved memories from past conversations");
   if (recallIdx !== -1) {

package/src/client/connector.ts

@@ -49,6 +49,13 @@ export async function connectToHub(store: SqliteStore, config: MemosLocalConfig,
         }) as any;
         if (result.status === "active" && result.userToken) {
           log.info(`Pending user approved! Connecting with token. userId=${persisted.userId}`);
+          let approvedHubInstanceId = persisted.hubInstanceId || "";
+          if (!approvedHubInstanceId) {
+            try {
+              const info = await hubRequestJson(hubUrl, "", "/api/v1/hub/info", { method: "GET" }) as any;
+              approvedHubInstanceId = String(info?.hubInstanceId ?? "");
+            } catch { /* best-effort */ }
+          }
           store.setClientHubConnection({
             hubUrl,
             userId: persisted.userId,
@@ -58,6 +65,7 @@ export async function connectToHub(store: SqliteStore, config: MemosLocalConfig,
             connectedAt: Date.now(),
             identityKey: persisted.identityKey || "",
             lastKnownStatus: "active",
+            hubInstanceId: approvedHubInstanceId,
           });
           return store.getClientHubConnection()!;
         }
@@ -87,7 +95,10 @@ export async function connectToHub(store: SqliteStore, config: MemosLocalConfig,
   }
 
   const hubUrl = normalizeHubUrl(hubAddress);
-  const me = await hubRequestJson(hubUrl, userToken, "/api/v1/hub/me", { method: "GET" }) as any;
+  const [me, info] = await Promise.all([
+    hubRequestJson(hubUrl, userToken, "/api/v1/hub/me", { method: "GET" }),
+    hubRequestJson(hubUrl, "", "/api/v1/hub/info", { method: "GET" }).catch(() => null),
+  ]) as [any, any];
   const persisted = store.getClientHubConnection();
   store.setClientHubConnection({
     hubUrl,
@@ -98,6 +109,7 @@ export async function connectToHub(store: SqliteStore, config: MemosLocalConfig,
     connectedAt: Date.now(),
     identityKey: persisted?.identityKey || String(me.identityKey ?? ""),
     lastKnownStatus: "active",
+    hubInstanceId: String(info?.hubInstanceId ?? persisted?.hubInstanceId ?? ""),
   });
   return store.getClientHubConnection()!;
 }
@@ -148,6 +160,7 @@ export async function getHubStatus(store: SqliteStore, config: MemosLocalConfig)
             connectedAt: Date.now(),
             identityKey: conn.identityKey || "",
             lastKnownStatus: "active",
+            hubInstanceId: conn.hubInstanceId || "",
           });
           const me = await hubRequestJson(normalizeHubUrl(hubAddress), result.userToken, "/api/v1/hub/me", { method: "GET" }) as any;
           return {
@@ -216,22 +229,28 @@ export async function getHubStatus(store: SqliteStore, config: MemosLocalConfig)
             body: JSON.stringify({ teamToken, userId: conn.userId }),
           }) as any;
           if (regResult.status === "active" && regResult.userToken) {
-            store.setClientHubConnection({
+            const updatedConn = {
               ...conn,
               hubUrl: normalizeHubUrl(hubAddress),
               userToken: regResult.userToken,
               connectedAt: Date.now(),
               lastKnownStatus: "active",
-            });
+            };
+            store.setClientHubConnection(updatedConn);
             try {
               const me = await hubRequestJson(normalizeHubUrl(hubAddress), regResult.userToken, "/api/v1/hub/me", { method: "GET" }) as any;
+              const latestUsername = String(me.username ?? "");
+              const latestRole = String(me.role ?? "member") as UserRole;
+              if (latestUsername !== conn.username || latestRole !== conn.role) {
+                store.setClientHubConnection({ ...updatedConn, username: latestUsername, role: latestRole });
+              }
               return {
                 connected: true,
                 hubUrl: normalizeHubUrl(hubAddress),
                 user: {
                   id: String(me.id),
-                  username: String(me.username ?? ""),
-                  role: String(me.role ?? "member") as UserRole,
+                  username: latestUsername,
+                  role: latestRole,
                   status: String(me.status ?? "active"),
                   groups: Array.isArray(me.groups) ? me.groups : [],
                 },
@@ -293,6 +312,12 @@ export async function autoJoinHub(
   const existingIdentityKey = persisted?.identityKey || "";
 
   log.info(`Joining Hub at ${hubUrl} as "${username}"...`);
+  let hubInstanceId = "";
+  try {
+    const info = await hubRequestJson(hubUrl, "", "/api/v1/hub/info", { method: "GET" }) as any;
+    hubInstanceId = String(info?.hubInstanceId ?? "");
+  } catch { /* best-effort */ }
+
   const result = await hubRequestJson(hubUrl, "", "/api/v1/hub/join", {
     method: "POST",
     body: JSON.stringify({ teamToken, username, deviceName: hostname, clientIp, identityKey: existingIdentityKey }),
@@ -311,6 +336,7 @@ export async function autoJoinHub(
       connectedAt: Date.now(),
       identityKey: returnedIdentityKey,
       lastKnownStatus: "pending",
+      hubInstanceId,
     });
     throw new PendingApprovalError(result.userId);
   }
@@ -337,6 +363,7 @@ export async function autoJoinHub(
     connectedAt: Date.now(),
     identityKey: returnedIdentityKey,
     lastKnownStatus: "active",
+    hubInstanceId,
   });
   return store.getClientHubConnection()!;
 }

package/src/client/hub.ts

@@ -140,6 +140,7 @@ export async function hubUpdateUsername(
   newUsername: string,
 ): Promise<{ ok: boolean; username: string; userToken: string }> {
   const client = await resolveHubClient(store, ctx);
+  const persisted = store.getClientHubConnection();
   const result = await hubRequestJson(client.hubUrl, client.userToken, "/api/v1/hub/me/update-profile", {
     method: "POST",
     body: JSON.stringify({ username: newUsername }),
@@ -152,6 +153,9 @@ export async function hubUpdateUsername(
       userToken: result.userToken,
       role: client.role as "admin" | "member",
       connectedAt: Date.now(),
+      identityKey: persisted?.identityKey || "",
+      lastKnownStatus: "active",
+      hubInstanceId: persisted?.hubInstanceId || "",
     });
   }
   return result;

package/src/hub/server.ts

@@ -21,6 +21,7 @@ type HubAuthState = {
   authSecret: string;
   bootstrapAdminUserId?: string;
   bootstrapAdminToken?: string;
+  hubInstanceId?: string;
 };
 
 export class HubServer {
@@ -123,6 +124,8 @@ export class HubServer {
     this.initOnlineTracking();
     this.offlineCheckTimer = setInterval(() => this.checkOfflineUsers(), HubServer.OFFLINE_CHECK_INTERVAL_MS);
 
+    this.backfillMemoryEmbeddings();
+
     return `http://127.0.0.1:${hubPort}`;
   }
 
@@ -168,13 +171,23 @@ export class HubServer {
     return this.authState.authSecret;
   }
 
+  get hubInstanceId(): string {
+    return this.authState.hubInstanceId ?? "";
+  }
+
   private loadAuthState(): HubAuthState {
     try {
       const raw = fs.readFileSync(this.authStatePath, "utf8");
       const parsed = JSON.parse(raw) as HubAuthState;
-      if (parsed.authSecret) return parsed;
+      if (parsed.authSecret) {
+        if (!parsed.hubInstanceId) {
+          parsed.hubInstanceId = randomUUID();
+          fs.writeFileSync(this.authStatePath, JSON.stringify(parsed, null, 2), "utf8");
+        }
+        return parsed;
+      }
     } catch {}
-    const initial = { authSecret: randomBytes(32).toString("hex") } as HubAuthState;
+    const initial: HubAuthState = { authSecret: randomBytes(32).toString("hex"), hubInstanceId: randomUUID() };
     fs.mkdirSync(path.dirname(this.authStatePath), { recursive: true });
     fs.writeFileSync(this.authStatePath, JSON.stringify(initial, null, 2), "utf8");
     return initial;
@@ -215,10 +228,38 @@ export class HubServer {
     });
   }
 
+  private backfillMemoryEmbeddings(): void {
+    if (!this.opts.embedder) return;
+    try {
+      const all = this.opts.store.listHubMemories({ limit: 500 });
+      const missing = all.filter(m => {
+        try { return !this.opts.store.getHubMemoryEmbedding(m.id); } catch { return true; }
+      });
+      if (missing.length === 0) return;
+      this.opts.log.info(`hub: backfilling embeddings for ${missing.length} hub memories`);
+      const texts = missing.map(m => (m.summary || m.content || "").slice(0, 500));
+      this.opts.embedder.embed(texts).then((vectors) => {
+        let count = 0;
+        for (let i = 0; i < vectors.length; i++) {
+          if (vectors[i]) {
+            this.opts.store.upsertHubMemoryEmbedding(missing[i].id, new Float32Array(vectors[i]));
+            count++;
+          }
+        }
+        this.opts.log.info(`hub: backfilled ${count}/${missing.length} memory embeddings`);
+      }).catch((err) => {
+        this.opts.log.warn(`hub: backfill memory embeddings failed: ${err}`);
+      });
+    } catch (err) {
+      this.opts.log.warn(`hub: backfill memory embeddings error: ${err}`);
+    }
+  }
+
   private embedMemoryAsync(memoryId: string, summary: string, content: string): void {
     const embedder = this.opts.embedder;
     if (!embedder) return;
-    const text = summary || content.slice(0, 500);
+    const text = (summary || content || "").slice(0, 500);
+    if (!text) return;
     embedder.embed([text]).then((vectors) => {
       if (vectors[0]) {
         this.opts.store.upsertHubMemoryEmbedding(memoryId, new Float32Array(vectors[0]));
@@ -238,6 +279,7 @@ export class HubServer {
         teamName: this.teamName,
         version: "0.0.0",
         apiVersion: "v1",
+        hubInstanceId: this.hubInstanceId,
       });
     }
 
@@ -252,59 +294,64 @@ export class HubServer {
         || (req.headers["x-forwarded-for"] as string)?.split(",")[0]?.trim()
         || req.socket.remoteAddress || "";
       const identityKey = typeof body.identityKey === "string" ? body.identityKey.trim() : "";
+      const dryRun = body.dryRun === true;
 
-      let existingUser = identityKey
+      const identityMatch = identityKey
         ? this.userManager.findByIdentityKey(identityKey)
         : null;
-      if (!existingUser) {
-        const existingUsers = this.opts.store.listHubUsers();
-        existingUser = existingUsers.find(u => u.username === username && u.status !== "left" && u.status !== "removed") ?? null;
-      }
 
-      if (existingUser) {
-        try { this.opts.store.updateHubUserActivity(existingUser.id, joinIp); } catch { /* best-effort */ }
+      if (identityMatch) {
+        if (!dryRun) {
+          try { this.opts.store.updateHubUserActivity(identityMatch.id, joinIp); } catch { /* best-effort */ }
+        }
 
-        if (existingUser.status === "active") {
+        if (identityMatch.status === "active") {
+          if (dryRun) return this.json(res, 200, { status: "active", dryRun: true });
           const token = issueUserToken(
-            { userId: existingUser.id, username: existingUser.username, role: existingUser.role, status: "active" },
+            { userId: identityMatch.id, username: identityMatch.username, role: identityMatch.role, status: "active" },
             this.authSecret,
           );
-          this.userManager.approveUser(existingUser.id, token);
-          if (identityKey && !existingUser.identityKey) {
-            this.opts.store.upsertHubUser({ ...existingUser, identityKey });
-          }
-          return this.json(res, 200, { status: "active", userId: existingUser.id, userToken: token, identityKey: existingUser.identityKey || identityKey });
+          this.userManager.approveUser(identityMatch.id, token);
+          return this.json(res, 200, { status: "active", userId: identityMatch.id, userToken: token, identityKey: identityMatch.identityKey || identityKey });
         }
-        if (existingUser.status === "pending") {
-          this.notifyAdmins("user_join_request", "user", username, "", { dedup: true });
-          return this.json(res, 200, { status: "pending", userId: existingUser.id, identityKey: existingUser.identityKey || identityKey });
+        if (identityMatch.status === "pending") {
+          if (dryRun) return this.json(res, 200, { status: "pending", dryRun: true });
+          this.notifyAdmins("user_join_request", "user", identityMatch.username, "", { dedup: true });
+          return this.json(res, 200, { status: "pending", userId: identityMatch.id, identityKey: identityMatch.identityKey || identityKey });
         }
-        if (existingUser.status === "rejected") {
+        if (identityMatch.status === "rejected") {
+          if (dryRun) return this.json(res, 200, { status: "rejected", dryRun: true });
           if (body.reapply === true) {
-            this.userManager.resetToPending(existingUser.id);
-            this.notifyAdmins("user_join_request", "user", username, "");
-            this.opts.log.info(`Hub: rejected user "${username}" (${existingUser.id}) re-applied, reset to pending`);
-            return this.json(res, 200, { status: "pending", userId: existingUser.id, identityKey: existingUser.identityKey || identityKey });
+            this.userManager.resetToPending(identityMatch.id);
+            this.notifyAdmins("user_join_request", "user", identityMatch.username, "");
+            this.opts.log.info(`Hub: rejected user "${identityMatch.username}" (${identityMatch.id}) re-applied, reset to pending`);
+            return this.json(res, 200, { status: "pending", userId: identityMatch.id, identityKey: identityMatch.identityKey || identityKey });
           }
-          return this.json(res, 200, { status: "rejected", userId: existingUser.id });
-        }
-        if (existingUser.status === "removed") {
-          this.userManager.rejoinUser(existingUser.id);
-          this.notifyAdmins("user_join_request", "user", username, "", { dedup: true });
-          this.opts.log.info(`Hub: removed user "${username}" (${existingUser.id}) re-applied via rejoin, reset to pending`);
-          return this.json(res, 200, { status: "pending", userId: existingUser.id, identityKey: existingUser.identityKey || identityKey });
+          return this.json(res, 200, { status: "rejected", userId: identityMatch.id });
         }
-        if (existingUser.status === "left") {
-          this.userManager.rejoinUser(existingUser.id);
-          this.notifyAdmins("user_join_request", "user", username, "", { dedup: true });
-          this.opts.log.info(`Hub: left user "${username}" (${existingUser.id}) re-applied via rejoin, reset to pending`);
-          return this.json(res, 200, { status: "pending", userId: existingUser.id, identityKey: existingUser.identityKey || identityKey });
+        if (identityMatch.status === "removed" || identityMatch.status === "left") {
+          if (dryRun) return this.json(res, 200, { status: "can_rejoin", dryRun: true });
+          this.userManager.rejoinUser(identityMatch.id);
+          this.notifyAdmins("user_join_request", "user", identityMatch.username, "", { dedup: true });
+          this.opts.log.info(`Hub: ${identityMatch.status} user "${identityMatch.username}" (${identityMatch.id}) re-applied via rejoin, reset to pending`);
+          return this.json(res, 200, { status: "pending", userId: identityMatch.id, identityKey: identityMatch.identityKey || identityKey });
         }
-        if (existingUser.status === "blocked") {
-          return this.json(res, 200, { status: "blocked", userId: existingUser.id });
+        if (identityMatch.status === "blocked") {
+          return this.json(res, 200, { status: "blocked", userId: identityMatch.id });
         }
       }
 
+      const existingUsers = this.opts.store.listHubUsers();
+      const nameConflict = existingUsers.find(u => u.username === username);
+      if (nameConflict) {
+        this.opts.log.info(`Hub: join rejected — username "${username}" already taken by user ${nameConflict.id} (status=${nameConflict.status})`);
+        return this.json(res, 409, { error: "username_taken", message: `Username "${username}" is already in use. Please choose a different nickname.` });
+      }
+
+      if (dryRun) {
+        return this.json(res, 200, { status: "ok", dryRun: true });
+      }
+
       const generatedIdentityKey = identityKey || randomUUID();
       const user = this.userManager.createPendingUser({
         username,
@@ -382,10 +429,13 @@ export class HubServer {
     }
 
     if (req.method === "POST" && routePath === "/api/v1/hub/leave") {
+      this.opts.store.deleteHubMemoriesByUser(auth.userId);
+      this.opts.store.deleteHubTasksByUser(auth.userId);
+      this.opts.store.deleteHubSkillsByUser(auth.userId);
       this.userManager.markUserLeft(auth.userId);
       this.knownOnlineUsers.delete(auth.userId);
       this.notifyAdmins("user_left", "user", auth.username, auth.userId);
-      this.opts.log.info(`Hub: user "${auth.username}" (${auth.userId}) left voluntarily, status set to "left"`);
+      this.opts.log.info(`Hub: user "${auth.username}" (${auth.userId}) left voluntarily, resources cleaned, status set to "left"`);
       return this.json(res, 200, { ok: true });
     }
 
@@ -530,6 +580,12 @@ export class HubServer {
         this.authState.bootstrapAdminToken = newToken;
         this.saveAuthState();
       }
+      try {
+        this.opts.store.insertHubNotification({
+          id: randomUUID(), userId, type: "username_renamed",
+          resource: "user", title: `Your nickname has been changed from "${user.username}" to "${newUsername}" by the admin.`,
+        });
+      } catch { /* best-effort */ }
       this.opts.log.info(`Hub: admin "${auth.userId}" renamed user "${userId}" to "${newUsername}"`);
       return this.json(res, 200, { ok: true, username: newUsername });
     }
@@ -611,9 +667,7 @@ export class HubServer {
         createdAt: existing?.createdAt ?? now,
         updatedAt: now,
       });
-      if (this.opts.embedder) {
-        this.embedMemoryAsync(memoryId, String(m.summary || ""), String(m.content || ""));
-      }
+      this.embedMemoryAsync(memoryId, String(m.summary || ""), String(m.content || ""));
       if (!existing) {
         this.notifyAdmins("resource_shared", "memory", String(m.summary || m.content?.slice(0, 60) || memoryId), auth.userId);
       }
@@ -660,24 +714,30 @@ export class HubServer {
       // Track which IDs are memories vs chunks
       const memoryIdSet = new Set(memFtsHits.map(({ hit }) => hit.id));
 
-      // Attempt vector search and RRF merge if embedder is available
+      // Two-stage retrieval: FTS candidates first, then embed + cosine rerank
       let mergedIds: string[];
       if (this.opts.embedder) {
         try {
           const [queryVec] = await this.opts.embedder.embed([query]);
           if (queryVec) {
             const allEmb = this.opts.store.getVisibleHubEmbeddings(auth.userId);
-            const memEmb = this.opts.store.getVisibleHubMemoryEmbeddings(auth.userId);
             const scored: Array<{ id: string; score: number }> = [];
-            const cosineSim = (vec: Float32Array) => {
+            const cosineSim = (a: Float32Array | number[], b: number[]) => {
               let dot = 0, nA = 0, nB = 0;
-              for (let i = 0; i < queryVec.length && i < vec.length; i++) {
-                dot += queryVec[i] * vec[i]; nA += queryVec[i] * queryVec[i]; nB += vec[i] * vec[i];
+              const len = Math.min(a.length, b.length);
+              for (let i = 0; i < len; i++) {
+                dot += a[i] * b[i]; nA += a[i] * a[i]; nB += b[i] * b[i];
               }
               return nA > 0 && nB > 0 ? dot / (Math.sqrt(nA) * Math.sqrt(nB)) : 0;
             };
-            for (const e of allEmb) scored.push({ id: e.chunkId, score: cosineSim(e.vector) });
-            for (const e of memEmb) { scored.push({ id: e.memoryId, score: cosineSim(e.vector) }); memoryIdSet.add(e.memoryId); }
+            for (const e of allEmb) scored.push({ id: e.chunkId, score: cosineSim(e.vector, queryVec) });
+
+            const memEmb = this.opts.store.getVisibleHubMemoryEmbeddings(auth.userId);
+            for (const e of memEmb) {
+              scored.push({ id: e.memoryId, score: cosineSim(e.vector, queryVec) });
+              memoryIdSet.add(e.memoryId);
+            }
+
             scored.sort((a, b) => b.score - a.score);
             const topScored = scored.slice(0, maxResults * 2);