@neurodock/cli 0.6.2 → 0.7.1

package/CHANGELOG.md

@@ -1,5 +1,78 @@
 # @neurodock/cli changelog
 
+## 0.7.1
+
+### Fixed — Windows: daemon autostart no longer flashes a black console window
+
+The 0.7.0 HKCU Run entry used `python.exe` (console subsystem) which
+flashed a visible terminal window on every Windows login. Switched to
+`pythonw.exe` (windows subsystem — same interpreter, no console).
+The post-install detached spawn in `install-hooks` does the same and
+also passes `windowsHide: true` on the spawn options. No behavioural
+change on macOS or Linux. Existing 0.7.0 installs should re-run
+`neurodock install-hooks --install-daemon` to refresh the Run entry.
+
+## 0.7.0
+
+### Fixed — proactive-guardrail wiring after 2026-05-26 silent-failure incident
+
+The user spent 6 hours coding without a single break warning from the
+substrate. Diagnosis: the Phase 1 hook was writing a degraded session
+shape (`{tool_count: N}` with no `started_at`), and the Phase 3 daemon
+had never been started on the machine — only registered for autostart,
+which would have fired at next login (i.e. never, in a long session).
+Three plumbing fixes, no new heuristics or severity tiers (clinical
+ETHICS contract honoured — `mcp-guardrail` unchanged):
+
+- **Phase 1 hook defensive bootstrap**: on `PreToolUse`, if
+  `started_at` is missing from session state, set it to `now()`
+  rather than silently degrade. Adds `last_active_at` on each
+  PreToolUse for the same reason. The existing elapsed-time
+  heuristic can finally compute against a real anchor.
+- **`neurodock install-hooks --install-daemon` now actually starts
+  the daemon** after registering autostart, via a detached + unref'd
+  spawn. Previously it only set up the HKCU Run / LaunchAgent /
+  systemd-user entry, which means the user had to log out + back in
+  to see the first daemon tick.
+- **`neurodock guardrail status`**: new read-only diagnostic
+  subcommand that prints which pieces of the wiring are present
+  (hook registered? session shape healthy? daemon script on disk?
+  autostart registered? daemon alive in last 15 min?) so the user
+  can see at a glance which piece is missing before another long
+  session goes silent.
+
+No heuristic thresholds touched. No clinical sign-off required.
+
+### Security — atomic writes for CLI scaffolding (TOCTOU defence)
+
+`neurodock init`, `neurodock install-hooks`, and `neurodock plugin enable` previously
+used an `existsSync` check followed by a separate `writeFileSync`, leaving a
+TOCTOU (time-of-check / time-of-use) window in which a local attacker could swap the
+target path for a symlink between the two calls. All three sites now use atomic
+write primitives: new-file creation uses `O_CREAT | O_EXCL` (one kernel operation
+that makes the check-and-create atomic), while update-in-place sites write to a
+unique `.pid.ts.tmp` sibling and rename it into place — rename is atomic on POSIX
+and best-effort on Windows. A shared helper `src/util/atomic-write.ts` encapsulates
+both patterns.
+
+### Fixed — Python hooks no longer swallow exceptions silently
+
+Seven `except …: pass` blocks in `proactive_guardrail.py` and `neurodock_daemon.py`
+were changed to `except Exception as exc:` with structured logging. The affected
+sites are session-end timestamp parsing, session-file saves, prompt-file saves, log
+writes, and the daemon dedup-timestamp parse. `KeyboardInterrupt` and `SystemExit`
+continue to propagate because `except Exception` excludes them by design. The log
+write itself falls back to a minimal `sys.stderr` line to avoid infinite recursion.
+
+### Fixed — notification-text escape hardened (M5)
+
+`_escape()` in `neurodock_daemon.py` was split into two context-aware functions,
+`_escape_ps()` (PowerShell) and `_escape_as()` (AppleScript). Both strip the full
+set of shell-metacharacters that the original single-function omitted: backtick,
+`$(){}`, `;&|<>`, and backslash for PowerShell; `\\&|;\`` for AppleScript.
+Unit tests in `packages/cli/src/assets/hooks/test_daemon_escape.py` assert that
+injection payloads containing all dangerous characters produce literal-text output.
+
 ## 0.6.2
 
 ### Fixed — `neurodock --version` was hardcoded and stale (read package.json instead)

package/README.md

@@ -2,7 +2,7 @@
 
 The `neurodock` installer and diagnostic CLI for [NeuroDock](https://neurodock.org/) — a local-first cognitive substrate for neurodivergent professionals.
 
-Status: **v0.6.0**.
+Status: **v0.6.2**.
 
 ## Quickstart
 
@@ -32,26 +32,26 @@ install, `install-all` runs the `pip install` step automatically.
 
 ## Commands
 
-| Command                      | What it does                                                                                                               |
-| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------- |
-| `neurodock install-all`      | One-command first-time install: pip-install the six servers, wire every detected client, copy the starter profile.         |
-| `neurodock init`             | Install MCP servers into Claude Desktop / Claude Code / Cursor (the wiring half of `install-all`).                         |
-| `neurodock doctor`           | Diagnose your install — profile validity, client wiring, tool availability.                                                |
-| `neurodock validate`         | Schema-validate a profile file (`~/.neurodock/profile.yaml` by default).                                                   |
-| `neurodock update`           | Upgrade NeuroDock to the latest version — re-installs the six MCP servers via pip/uv and re-wires client configs.          |
-| `neurodock sync`             | Re-shape stale NeuroDock MCP entries in existing client configs. No package upgrade. Non-NeuroDock entries are preserved.  |
-| `neurodock uninstall`        | Reverse `init` — remove NeuroDock MCP entries from each client config. Optionally purge `~/.neurodock/`.                   |
-| `neurodock examples`         | Print a copy-pasteable prompt cheat-sheet that exercises every wired NeuroDock MCP tool.                                   |
-| `neurodock host install`     | Register the optional Chrome Native Messaging host so the browser extension can read `~/.neurodock/profile.yaml` directly. |
-| `neurodock host uninstall`   | Remove all NeuroDock native-host manifests and registry pointers.                                                          |
-| `neurodock profile show`     | Print the resolved profile with loader defaults applied.                                                                   |
-| `neurodock profile validate` | Validate `~/.neurodock/profile.yaml` against the v0.1 schema.                                                              |
-| `neurodock plugin add`       | Install a plugin from a local directory into `~/.neurodock/plugins/`.                                                      |
-| `neurodock plugin remove`    | Uninstall a plugin (alias: `plugin uninstall`).                                                                            |
-| `neurodock plugin list`      | List installed plugins and their enabled state. `--json` for scripting.                                                    |
-| `neurodock plugin enable`    | Activate an installed plugin (writes a `.enabled` marker file).                                                            |
-| `neurodock plugin disable`   | Deactivate an installed plugin without deleting its files.                                                                 |
-| `neurodock plugin validate`  | Schema-validate a plugin manifest without installing.                                                                      |
+| Command                      | What it does                                                                                                                                                    |
+| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `neurodock install-all`      | One-command first-time install: pip-install the six servers, wire every detected client, copy the starter profile.                                              |
+| `neurodock init`             | Install MCP servers into Claude Desktop / Claude Code / Cursor (the wiring half of `install-all`).                                                              |
+| `neurodock doctor`           | Diagnose your install — profile validity, client wiring, tool availability.                                                                                     |
+| `neurodock validate`         | Schema-validate a profile file (`~/.neurodock/profile.yaml` by default).                                                                                        |
+| `neurodock update`           | Upgrade NeuroDock to the latest version — re-installs the six MCP servers via pip/uv and re-wires client configs.                                               |
+| `neurodock sync`             | Re-shape stale NeuroDock MCP entries in existing client configs. No package upgrade. Non-NeuroDock entries are preserved.                                       |
+| `neurodock uninstall`        | Reverse `init` — remove NeuroDock MCP entries from each client config. Optionally purge `~/.neurodock/`.                                                        |
+| `neurodock examples`         | Print a copy-pasteable prompt cheat-sheet that exercises every wired NeuroDock MCP tool.                                                                        |
+| `neurodock host install`     | Register the optional Chrome Native Messaging host so the browser extension can read `~/.neurodock/profile.yaml` directly.                                      |
+| `neurodock host uninstall`   | Remove all NeuroDock native-host manifests and registry pointers.                                                                                               |
+| `neurodock profile show`     | Print the resolved profile with loader defaults applied.                                                                                                        |
+| `neurodock profile validate` | Validate `~/.neurodock/profile.yaml` against the v0.1 schema.                                                                                                   |
+| `neurodock plugin add`       | Install a plugin from a local directory into `~/.neurodock/plugins/`.                                                                                           |
+| `neurodock plugin remove`    | Uninstall a plugin (alias: `plugin uninstall`).                                                                                                                 |
+| `neurodock plugin list`      | List installed plugins and their enabled state. `--json` for scripting.                                                                                         |
+| `neurodock plugin enable`    | Activate an installed plugin (writes a `.enabled` marker file).                                                                                                 |
+| `neurodock plugin disable`   | Deactivate an installed plugin without deleting its files.                                                                                                      |
+| `neurodock plugin validate`  | Schema-validate a plugin manifest without installing.                                                                                                           |
 | `neurodock install-hooks`    | Wire the proactive-guardrail hook into Claude Code, optionally autostart the Phase 3 daemon. See `--self-test`, `--install-daemon`, `--uninstall`, `--dry-run`. |
 
 ### `neurodock install-all`

package/dist/assets/hooks/neurodock_daemon.py

@@ -46,7 +46,7 @@ import platform
 import subprocess
 import sys
 import time
-from datetime import datetime, timedelta, timezone
+from datetime import UTC, datetime, timedelta
 from pathlib import Path
 from typing import Any
 
@@ -67,8 +67,8 @@ DEDUP_SECONDS = 30 * 60
 # Heuristic thresholds — mirror the Phase 1 hook so the user gets a
 # consistent experience whether they're in Claude Code or not.
 HYPERFOCUS_BREAK_MINUTES = 90
-DEEP_NIGHT_HOURS = range(0, 6)   # 00:00..05:59 local
-LATE_NIGHT_HOURS = range(22, 24) # 22:00..23:59 local
+DEEP_NIGHT_HOURS = range(0, 6)  # 00:00..05:59 local
+LATE_NIGHT_HOURS = range(22, 24)  # 22:00..23:59 local
 
 
 def main() -> int:
@@ -117,7 +117,7 @@ def _run_forever() -> int:
     except KeyboardInterrupt:
         _log("daemon-stop", {"reason": "sigint"})
         return 0
-    except Exception as exc:  # noqa: BLE001 — must not crash autostart
+    except Exception as exc:  # broad-except: must not crash autostart
         _log("daemon-error", {"error": str(exc)})
         return 1
 
@@ -133,16 +133,13 @@ def _run_one_tick() -> int:
     last = state.get("last_surfaced", {})
     last_kind = last.get("kind")
     last_at = last.get("at")
-    if (
-        last_kind == signal["kind"]
-        and isinstance(last_at, str)
-    ):
+    if last_kind == signal["kind"] and isinstance(last_at, str):
         try:
             elapsed = (now - datetime.fromisoformat(last_at)).total_seconds()
             if elapsed < DEDUP_SECONDS:
                 return 0
-        except ValueError:
-            pass
+        except Exception as exc:
+            _log("daemon-dedup-parse-error", {"error": str(exc)})
     _surface(signal)
     state["last_surfaced"] = {
         "kind": signal["kind"],
@@ -217,7 +214,7 @@ def _surface(signal: dict[str, Any]) -> None:
             _notify_macos(title, message)
         else:
             _notify_linux(title, message)
-    except Exception as exc:  # noqa: BLE001 — never crash on a notify failure
+    except Exception as exc:
         _log("notify-error", {"error": str(exc)})
 
 
@@ -225,14 +222,18 @@ def _notify_windows(title: str, message: str) -> None:
     # Use PowerShell BurntToast-free approach: New-BurntToastNotification
     # isn't always present. Use the built-in toast API via XML through
     # the Windows Runtime instead. Falls back to msg.exe on failure.
+    #
+    # Security: title and message come from hardcoded daemon logic today,
+    # but _escape_ps() defensively strips shell-metacharacters so future
+    # callers cannot inject PowerShell via the notification body.
     ps_script = (
-        '[Windows.UI.Notifications.ToastNotificationManager,Windows.UI.Notifications,ContentType=WindowsRuntime] | Out-Null;'
-        '$template = [Windows.UI.Notifications.ToastNotificationManager]::GetTemplateContent('
-        '[Windows.UI.Notifications.ToastTemplateType]::ToastText02);'
-        f'$template.GetElementsByTagName("text").Item(0).AppendChild($template.CreateTextNode("{_escape(title)}")) | Out-Null;'
-        f'$template.GetElementsByTagName("text").Item(1).AppendChild($template.CreateTextNode("{_escape(message)}")) | Out-Null;'
+        "[Windows.UI.Notifications.ToastNotificationManager,Windows.UI.Notifications,ContentType=WindowsRuntime] | Out-Null;"
+        "$template = [Windows.UI.Notifications.ToastNotificationManager]::GetTemplateContent("
+        "[Windows.UI.Notifications.ToastTemplateType]::ToastText02);"
+        f'$template.GetElementsByTagName("text").Item(0).AppendChild($template.CreateTextNode("{_escape_ps(title)}")) | Out-Null;'
+        f'$template.GetElementsByTagName("text").Item(1).AppendChild($template.CreateTextNode("{_escape_ps(message)}")) | Out-Null;'
         '$notify = [Windows.UI.Notifications.ToastNotificationManager]::CreateToastNotifier("NeuroDock");'
-        '$notify.Show([Windows.UI.Notifications.ToastNotification]::new($template));'
+        "$notify.Show([Windows.UI.Notifications.ToastNotification]::new($template));"
     )
     subprocess.run(
         ["powershell", "-NoProfile", "-NonInteractive", "-Command", ps_script],
@@ -243,9 +244,10 @@ def _notify_windows(title: str, message: str) -> None:
 
 
 def _notify_macos(title: str, message: str) -> None:
-    script = (
-        f'display notification "{_escape(message)}" with title "{_escape(title)}"'
-    )
+    # Security: osascript -e interpolates title/message into the AppleScript
+    # source.  _escape_as() strips characters that would break out of the
+    # quoted string context inside the AppleScript literal.
+    script = f'display notification "{_escape_as(message)}" with title "{_escape_as(title)}"'
     subprocess.run(
         ["osascript", "-e", script],
         check=False,
@@ -258,6 +260,8 @@ def _notify_linux(title: str, message: str) -> None:
     # Most desktop environments have notify-send. We don't fail loud if
     # it's absent — Linux server users without a display server will
     # see the daemon log entries but no toast.
+    # Security: title and message are passed as separate argv elements —
+    # no shell interpolation, no escaping required.
     subprocess.run(
         ["notify-send", "-a", "NeuroDock", title, message],
         check=False,
@@ -266,8 +270,45 @@ def _notify_linux(title: str, message: str) -> None:
     )
 
 
-def _escape(s: str) -> str:
-    return s.replace('"', '\\"').replace("\n", " ").replace("\r", " ")
+# Characters to STRIP from PowerShell double-quoted string interpolation.
+# Note: double-quote itself is NOT in this set — it is backslash-escaped
+# by _escape_ps() instead of being stripped, so the text node value is
+# preserved.  Backtick is the PS escape character, so it must be stripped.
+_PS_STRIP = str.maketrans(
+    "",
+    "",
+    "`$(){};&|<>\\\n\r",
+)
+
+# Characters to STRIP from AppleScript double-quoted string interpolation.
+# AppleScript has no reliable backslash escape for double-quote inside a
+# quoted string (the behaviour is interpreter-version-dependent), so both
+# double-quote and backslash are stripped rather than escaped.
+_AS_STRIP = str.maketrans(
+    "",
+    "",
+    '"\\&|;`\n\r',
+)
+
+
+def _escape_ps(s: str) -> str:
+    """Strip PS-dangerous chars; backslash-escape remaining double-quotes.
+
+    The double-quote is backslash-escaped (not stripped) so that the XML
+    text node still receives the literal quote character.
+    """
+    stripped = s.translate(_PS_STRIP)
+    return stripped.replace('"', '\\"')
+
+
+def _escape_as(s: str) -> str:
+    """Strip AppleScript-dangerous chars including double-quote.
+
+    AppleScript double-quoted literals cannot reliably escape a quote via
+    backslash on all macOS versions, so the double-quote is stripped
+    entirely rather than kept.
+    """
+    return s.translate(_AS_STRIP)
 
 
 # ── Autostart wiring ─────────────────────────────────────────────────────
@@ -279,8 +320,7 @@ def _install_autostart() -> int:
     daemon_script = (HOOK_DIR / "neurodock_daemon.py").resolve()
     if not daemon_script.exists():
         sys.stderr.write(
-            f"daemon script not found at {daemon_script} — run "
-            "`neurodock install-hooks` first.\n"
+            f"daemon script not found at {daemon_script} — run `neurodock install-hooks` first.\n"
         )
         return 1
     if system == "Windows":
@@ -302,25 +342,33 @@ def _uninstall_autostart() -> int:
 def _install_windows_autostart(daemon_script: Path) -> int:
     # Register an HKCU Run entry so the daemon launches at user logon.
     # No admin rights required.
-    cmd = (
-        f'python "{str(daemon_script).replace(chr(92), "/")}" run'
-    )
+    #
+    # Use `pythonw.exe` (windows-subsystem) not `python.exe` (console-
+    # subsystem) so the daemon runs invisibly. With `python.exe` the
+    # Run-key launch flashes a black console window on every login
+    # because the binary is linked against the console subsystem.
+    # `pythonw.exe` ships alongside `python.exe` in every Windows
+    # Python install — same interpreter, same site-packages, no console.
+    cmd = f'pythonw "{str(daemon_script).replace(chr(92), "/")}" run'
     try:
         subprocess.run(
             [
-                "reg", "add", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
-                "/v", "NeuroDockGuardrail",
-                "/t", "REG_SZ",
-                "/d", cmd,
+                "reg",
+                "add",
+                r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
+                "/v",
+                "NeuroDockGuardrail",
+                "/t",
+                "REG_SZ",
+                "/d",
+                cmd,
                 "/f",
             ],
             check=True,
             capture_output=True,
             timeout=10,
         )
-        sys.stdout.write(
-            "Registered HKCU Run entry. Daemon will launch at next logon.\n"
-        )
+        sys.stdout.write("Registered HKCU Run entry. Daemon will launch at next logon.\n")
         return 0
     except subprocess.CalledProcessError as exc:
         sys.stderr.write(f"reg add failed: {exc.stderr.decode(errors='ignore')}\n")
@@ -331,8 +379,11 @@ def _uninstall_windows_autostart() -> int:
     try:
         subprocess.run(
             [
-                "reg", "delete", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
-                "/v", "NeuroDockGuardrail",
+                "reg",
+                "delete",
+                r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
+                "/v",
+                "NeuroDockGuardrail",
                 "/f",
             ],
             check=True,
@@ -410,9 +461,7 @@ WantedBy=default.target
 
 
 def _uninstall_linux_systemd_user_unit() -> int:
-    unit = (
-        Path.home() / ".config" / "systemd" / "user" / "neurodock-guardrail.service"
-    )
+    unit = Path.home() / ".config" / "systemd" / "user" / "neurodock-guardrail.service"
     subprocess.run(
         ["systemctl", "--user", "disable", "--now", "neurodock-guardrail.service"],
         check=False,
@@ -449,8 +498,8 @@ def _save_daemon_state(state: dict[str, Any]) -> None:
     try:
         with DAEMON_STATE_FILE.open("w", encoding="utf-8") as fh:
             json.dump(state, fh)
-    except OSError:
-        pass
+    except Exception as exc:
+        _log("daemon-state-save-error", {"error": str(exc)})
 
 
 def _log(event: str, data: dict[str, Any]) -> None:
@@ -463,12 +512,13 @@ def _log(event: str, data: dict[str, Any]) -> None:
         }
         with LOG_FILE.open("a", encoding="utf-8") as fh:
             fh.write(json.dumps(entry) + "\n")
-    except OSError:
-        pass
+    except Exception as exc:
+        # Cannot recurse into _log here; write minimally to stderr.
+        sys.stderr.write(f"[neurodock-daemon] log-write-error: {exc}\n")
 
 
 def _now() -> datetime:
-    return datetime.now(timezone.utc).astimezone()
+    return datetime.now(UTC).astimezone()
 
 
 # ── Self-test ────────────────────────────────────────────────────────────

package/dist/assets/hooks/proactive_guardrail.py

@@ -56,8 +56,7 @@ import json
 import os
 import re
 import sys
-from dataclasses import dataclass
-from datetime import datetime, time, timedelta, timezone
+from datetime import UTC, datetime, timedelta
 from pathlib import Path
 from typing import Any
 
@@ -71,9 +70,9 @@ PROMPTS_FILE = STATE_DIR / "guardrail-prompts.json"
 
 # Hyperfocus heuristic — mirrors packages/mcp-guardrail/heuristics/hyperfocus.py
 HYPERFOCUS_BREAK_MINUTES_DEFAULT = 90
-HYPERFOCUS_GENTLE_RATIO = 0.60      # 54 min
-HYPERFOCUS_NUDGE_RATIO = 1.00       # 90 min
-HYPERFOCUS_HARD_RATIO = 4.0 / 3.0   # 120 min
+HYPERFOCUS_GENTLE_RATIO = 0.60  # 54 min
+HYPERFOCUS_NUDGE_RATIO = 1.00  # 90 min
+HYPERFOCUS_HARD_RATIO = 4.0 / 3.0  # 120 min
 
 # Rumination heuristic — Jaccard similarity over normalised word sets.
 RUMINATION_WINDOW_MINUTES_DEFAULT = 90
@@ -89,8 +88,8 @@ MAX_PROMPT_HISTORY = 200
 
 # Deep-night / late-night clock bands trigger an early-warning banner
 # at session-start. End-of-day defaults align with `profile.example.yaml`.
-DEEP_NIGHT_HOURS = range(0, 6)       # 00:00..05:59 local
-LATE_NIGHT_HOURS = range(22, 24)     # 22:00..23:59 local
+DEEP_NIGHT_HOURS = range(0, 6)  # 00:00..05:59 local
+LATE_NIGHT_HOURS = range(22, 24)  # 22:00..23:59 local
 
 
 # ── Main dispatch ────────────────────────────────────────────────────────
@@ -118,7 +117,7 @@ def main() -> int:
             _on_stop(payload)
         elif kind == "self-test":
             return _self_test()
-    except Exception as exc:  # noqa: BLE001 — must never block the user
+    except Exception as exc:
         _log("error", {"kind": kind, "error": str(exc)})
     return 0
 
@@ -144,7 +143,17 @@ def _on_session_start(_payload: dict[str, Any]) -> None:
 
 def _on_pre_tool(payload: dict[str, Any]) -> None:
     state = _load_session()
+    # Defensive bootstrap: if SessionStart never fired (e.g. hook installed
+    # mid-session, or the Claude Code event is suppressed in a given client),
+    # the elapsed-time heuristics need an anchor. Set started_at on the first
+    # PreToolUse rather than silently degrade. The user's 2026-05-26 silent-
+    # failure incident hit exactly this path — state had {tool_count: N} with
+    # no started_at, so _evaluate_hyperfocus returned None forever.
+    if not isinstance(state.get("started_at"), str):
+        state["started_at"] = _now().isoformat()
+        _log("session-bootstrap", {"reason": "missing-started_at"})
     state["tool_count"] = int(state.get("tool_count", 0)) + 1
+    state["last_active_at"] = _now().isoformat()
     _save_session(state)
 
     prompt = _extract_user_prompt(payload)
@@ -179,8 +188,8 @@ def _on_stop(_payload: dict[str, Any]) -> None:
         try:
             elapsed = _now() - datetime.fromisoformat(started)
             duration_min = int(elapsed.total_seconds() // 60)
-        except ValueError:
-            pass
+        except Exception as exc:
+            _log("session-end-parse-error", {"error": str(exc)})
     _save_session({})  # clear
     _log("session-end", {"duration_min": duration_min})
 
@@ -249,10 +258,7 @@ def _evaluate_rumination() -> str | None:
     if len(prompts) < RUMINATION_THRESHOLD_DEFAULT:
         return None
     window_start = _now() - timedelta(minutes=RUMINATION_WINDOW_MINUTES_DEFAULT)
-    recent = [
-        p for p in prompts
-        if _parse_iso(p.get("at", "")) >= window_start
-    ]
+    recent = [p for p in prompts if _parse_iso(p.get("at", "")) >= window_start]
     if len(recent) < RUMINATION_THRESHOLD_DEFAULT:
         return None
     # Compare the latest prompt to the others.
@@ -278,17 +284,30 @@ def _evaluate_sycophancy(response: str) -> str | None:
         return None
     opener = response.lstrip()[:200].lower()
     absolutes = [
-        "absolutely", "exactly right", "you're right",
-        "you are right", "great point", "excellent point",
-        "perfect", "spot on", "100%", "100 percent",
+        "absolutely",
+        "exactly right",
+        "you're right",
+        "you are right",
+        "great point",
+        "excellent point",
+        "perfect",
+        "spot on",
+        "100%",
+        "100 percent",
     ]
     hits = [phrase for phrase in absolutes if phrase in opener]
     if not hits:
         return None
     # If the response contains a trade-off marker, treat it as balanced.
     tradeoff_markers = [
-        "however", "trade-off", "tradeoff", "downside",
-        "but ", "although", "the cost is", "the risk is",
+        "however",
+        "trade-off",
+        "tradeoff",
+        "downside",
+        "but ",
+        "although",
+        "the cost is",
+        "the risk is",
     ]
     if any(marker in response.lower() for marker in tradeoff_markers):
         return None
@@ -308,16 +327,80 @@ def _jaccard_similarity(a: str, b: str) -> float:
     return intersection / union if union > 0 else 0.0
 
 
-_STOP_WORDS = frozenset({
-    "the", "a", "an", "and", "or", "but", "is", "are", "was", "were",
-    "be", "been", "being", "have", "has", "had", "do", "does", "did",
-    "will", "would", "could", "should", "may", "might", "must",
-    "shall", "can", "of", "in", "on", "at", "to", "for", "with",
-    "by", "from", "as", "if", "then", "else", "when", "where", "why",
-    "how", "what", "which", "who", "this", "that", "these", "those",
-    "i", "you", "he", "she", "it", "we", "they", "me", "him", "her",
-    "us", "them", "my", "your", "his", "its", "our", "their",
-})
+_STOP_WORDS = frozenset(
+    {
+        "the",
+        "a",
+        "an",
+        "and",
+        "or",
+        "but",
+        "is",
+        "are",
+        "was",
+        "were",
+        "be",
+        "been",
+        "being",
+        "have",
+        "has",
+        "had",
+        "do",
+        "does",
+        "did",
+        "will",
+        "would",
+        "could",
+        "should",
+        "may",
+        "might",
+        "must",
+        "shall",
+        "can",
+        "of",
+        "in",
+        "on",
+        "at",
+        "to",
+        "for",
+        "with",
+        "by",
+        "from",
+        "as",
+        "if",
+        "then",
+        "else",
+        "when",
+        "where",
+        "why",
+        "how",
+        "what",
+        "which",
+        "who",
+        "this",
+        "that",
+        "these",
+        "those",
+        "i",
+        "you",
+        "he",
+        "she",
+        "it",
+        "we",
+        "they",
+        "me",
+        "him",
+        "her",
+        "us",
+        "them",
+        "my",
+        "your",
+        "his",
+        "its",
+        "our",
+        "their",
+    }
+)
 
 
 def _normalise_for_similarity(text: str) -> set[str]:
@@ -342,7 +425,7 @@ def _clock_band(now: datetime) -> str:
 
 
 def _now() -> datetime:
-    return datetime.now(timezone.utc).astimezone()
+    return datetime.now(UTC).astimezone()
 
 
 # ── Payload extraction (best-effort against Claude Code shape) ───────────
@@ -394,8 +477,8 @@ def _save_session(state: dict[str, Any]) -> None:
     try:
         with SESSION_FILE.open("w", encoding="utf-8") as fh:
             json.dump(state, fh)
-    except OSError:
-        pass
+    except Exception as exc:
+        _log("session-save-error", {"error": str(exc)})
 
 
 def _load_prompts() -> list[dict[str, Any]]:
@@ -415,15 +498,15 @@ def _record_prompt(text: str) -> None:
     try:
         with PROMPTS_FILE.open("w", encoding="utf-8") as fh:
             json.dump(prompts, fh)
-    except OSError:
-        pass
+    except Exception as exc:
+        _log("prompt-save-error", {"error": str(exc)})
 
 
 def _parse_iso(value: str) -> datetime:
     try:
         return datetime.fromisoformat(value)
     except ValueError:
-        return datetime.min.replace(tzinfo=timezone.utc)
+        return datetime.min.replace(tzinfo=UTC)
 
 
 # ── Output ───────────────────────────────────────────────────────────────
@@ -446,8 +529,9 @@ def _log(event: str, data: dict[str, Any]) -> None:
         }
         with LOG_FILE.open("a", encoding="utf-8") as fh:
             fh.write(json.dumps(entry) + "\n")
-    except OSError:
-        pass
+    except Exception as exc:
+        # Cannot recurse into _log here; write minimally to stderr.
+        sys.stderr.write(f"[neurodock-guardrail] log-write-error: {exc}\n")
 
 
 def _read_stdin_payload() -> dict[str, Any]: