npm - @oomkapwn/enquire-mcp - Versions diffs - 3.7.11 → 3.7.13 - Mend

@oomkapwn/enquire-mcp 3.7.11 → 3.7.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (176) hide show

package/docs/audits/v3.6.0-external-anonymous-audit.md DELETED Viewed

@@ -1,163 +0,0 @@
-# Аудит проекта enquire-mcp (v3.6.0)
-**Репозиторий:** https://github.com/oomkapwn/enquire-mcp
-**Дата аудита:** 2026-05-15
-**Метод:** read-only анализ кода и документации (клон в `/tmp/enquire-mcp-audit`). Тесты и `npm run build` не запускались (кроме `npm audit` prod: 0 уязвимостей).
----
-## Краткое резюме
-**enquire-mcp** (v3.6.0) — зрелый MCP-сервер для Obsidian с сильной защитой путей, privacy-фильтрами, 714 unit-тестами и продуманным CI.
-Главные риски: возможное **уничтожение `.embed.db`** при `serve --use-hnsw`, если индекс собран с моделью, отличной от дефолтной; **дефолтный reranker** (`rerank-multilingual`) по CHANGELOG может не работать, в отличие от `rerank-bge`; **сломанный CI-инвариант** проверки таблицы в `docs/api.md`; ряд расхождений в документации (v2.0 beta, Node 20, `hnswlib-wasm`).
----
-## Обзор проекта
-| Аспект | Детали |
-|--------|--------|
-| **Назначение** | MCP-сервер для чтения/поиска/записи в Obsidian-vault: гибридный поиск (BM25 + TF-IDF + embeddings + RRF), PDF/OCR, `.base`, GraphRAG-light, HTTP transport |
-| **Версия** | `3.6.0` (`src/index.ts:37`, `package.json:4`) |
-| **Стек** | TypeScript (strict), Node ≥20 (фактически PDF/HNSW требуют ≥22.13), MCP SDK, Zod 4, optional: `better-sqlite3`, `@huggingface/transformers`, `hnswlib-node`, `pdfjs-dist`, `tesseract.js` |
-| **Точка входа** | `dist/index.js` → `cli.ts` (12 subcommands), `server.ts` (MCP), `tool-registry.ts` (44 tools), `prompts.ts` (19 prompts) |
-| **Структура** | `src/` — 28 модулей после split v3.6; `tests/` — 33 файла; `docs/`, `scripts/`, `.github/workflows/` |
-### Архитектура (упрощённо)
-```mermaid
-flowchart TB
- CLI[cli.ts] --> Server[server.ts]
- Server --> Vault[Vault + privacy]
- Server --> FTS[FtsIndex optional]
- Server --> HNSW[HNSW optional]
- Server --> Registry[tool-registry.ts]
- Registry --> Tools[src/tools/*]
- HTTP[http-transport.ts] --> Server
-```
----
-## Критические находки
-- **`serve --use-hnsw` может уничтожить embedding-индекс при другой модели** — `src/server.ts:194-212`: при построении HNSW открывается `EmbedDb` с `resolveModel(undefined)` → всегда `multilingual`. Если `build-embeddings` делали с `--embedding-model bge`, `bootstrapSchema()` в `embed-db.ts:263-271` при несовпадении `model_alias` **DROP TABLE embeddings** — данные индекса стираются при каждом старте с `--use-hnsw`. Флаг `--embedding-model` есть только у `build-embeddings` / `setup` / `eval`, **не у `serve`**.
-- **Дефолтный cross-encoder reranker может быть нерабочим** — `DEFAULT_RERANKER_ALIAS = "rerank-multilingual"` (`src/embeddings.ts:293`). CHANGELOG v3.6.0: только `rerank-bge` проверен end-to-end; 4 других алиаса «fail at AutoTokenizer» до v3.7. Пользователь с `--enable-reranker` без `--reranker-model rerank-bge` может не получать реального rerank (или ошибку в `signal_errors.reranker`).
-- **Сломанный тест покрытия таблицы `docs/api.md`** — `tests/docs-consistency.test.ts:416-427` парсит `registerTool(` из `src/index.ts`, но регистрация в `src/tool-registry.ts` (44 вызова). `registered` = ∅ → тест **всегда проходит** и не ловит пропуски в таблице. Комментарий в `tests/no-internal-imports.test.ts:13-15` это признаёт.
----
-## Высокий приоритет
-- **`obsidian_query_base`: неверный `total_matched`** — `src/bases.ts:277,321-323`: цикл прерывается при `matches.length >= limit`, но `total_matched: matches.length` — это число **возвращённых** строк, а не всех совпадений в vault.
-- **Пермиссивная семантика `.base` DSL** — `src/bases.ts:339-363`: нераспознанные предикаты → `unevaluated` и **`return true`**. Возможны ложные срабатывания (over-inclusion). Формулы не вычисляются.
-- **Устаревший заголовок `docs/api.md`** — строки 4–5: «v2.0 beta», «stable v1.x — 28 tools» против 44 tools / v3.6.0.
-- **README: badge «v3.5.x-stable» при версии 3.6.0** — `README.md:15` vs `package.json:4`.
-- **`package.json` engines: `>=20` vs реальность** — CI убрал Node 20; `pdfjs-dist` требует ≥22.13.
-- **Неверная справка CLI для HNSW** — `src/cli.ts:95`: «Requires `hnswlib-wasm`»; фактически `hnswlib-node`.
-- **HNSW + несовпадение модели (поиск)** — рассинхрон HNSW-векторов и запросов при нестандартной модели индекса.
----
-## Средний приоритет
-- Токенная усечка embeddings (max 128 tokens) — снижение recall.
-- `searchText` / `semanticSearch` — O(n) по vault.
-- `obsidian_get_communities` — полное чтение vault.
-- HTTP rate limiter: неограниченный `Map`.
-- Stateful HTTP: гонки при инициализации.
-- `docs/api.md`: дублирование секций.
-- Reranker smoke не в обязательном CI.
-- Покрытие веток ~75% (порог 74%).
----
-## Низкий приоритет
-- Опечатка `ssylaetsja` в `tests/no-internal-imports.test.ts:21`.
-- Badge README «MCP 1.29» vs SDK `^1.0.4`.
-- `zod` v4 — новая major.
-- `prepare` hook всегда запускает `tsc`.
-- Shallow clone — полная история не анализировалась.
----
-## Документация
-| Проблема | Где |
-|----------|-----|
-| Устаревший канал «v2.0 beta» / v1.x 28 tools | `docs/api.md:4-5` |
-| Badge stable v3.5.x vs 3.6.0 | `README.md:15` |
-| CLI help: hnswlib-wasm вместо hnswlib-node | `src/cli.ts:95` |
-| engines Node ≥20 vs CI ≥22 | `package.json`, `ci.yml` |
-| CHANGELOG про reranker — README не акцентирует | `CHANGELOG.md:64`, `README.md` |
-**Сильные стороны:** `TOOL_MANIFEST`, `STABILITY.md`, `SECURITY.md`, TypeDoc + publish-docs.
-**Пробел:** нет матрицы «флаг CLI → tools» в одной таблице.
----
-## Тесты и качество
-| Метрика | Значение |
-|---------|----------|
-| Файлов тестов | 33 |
-| `it()` блоков | 714 |
-| Пороги coverage | lines ≥86%, branches ≥74% |
-| Security | `tests/security.test.ts` |
-| HTTP | `tests/http-transport.test.ts` — 49 cases |
-**Пробелы:** reranker smoke opt-in; тест таблицы api.md — no-op; E2E — только smoke.mjs.
-**Не проверялось:** полный `npm test`, benchmarks, SLSA на npm.
----
-## Зависимости и безопасность
-- npm audit prod: **0 vulnerabilities**
-- Сильная модель угроз: realpath, privacy, HTTP bearer, chmod на кэшах
-- Риски: persistent cache = чтение vault; `/health` без auth by design
----
-## Архитектура и дизайн
-**Сильные:** split v3.6, ServerDeps, RRF + graph boost, privacy filter.
-**Слабые:** `serve` без sync embedding-model; дублирование sync в server.ts; partial `.base` DSL.
----
-## Рекомендации по улучшению
-1. **Критично:** при `--use-hnsw` читать meta из `.embed.db` до `bootstrapSchema`, или `serve --embedding-model`.
-2. **Критично:** DEFAULT_RERANKER → `rerank-bge` или fail-fast.
-3. **Критично:** исправить docs-consistency.test.ts (tool-registry / TOOL_MANIFEST).
-4. **Высокий:** `total_matched` в queryBase отдельно от limit.
-5. **Высокий:** обновить api.md, README, engines, CLI help.
-6. **Высокий:** strict mode для `.base` DSL.
-7. **Средний:** reranker-smoke в release.yml.
-8. **Средний:** peekEmbedDbMeta для doctor.
-9. **Низкий:** PROMPT_MANIFEST.
----
-## Положительные стороны
-- Сильный security posture для MCP.
-- 714 тестов, 7 CI gates, SLSA-3.
-- Честный CHANGELOG, TOOL_MANIFEST.
-- Graceful degradation, read-only by default.
-- TypeDoc + benchmarks.
----

package/docs/audits/v3.6.0-final-audit.md DELETED Viewed

@@ -1,171 +0,0 @@
-# v3.6.0 — Full-System Audit, Final Report
-**Date**: 2026-05-15
-**Trigger**: v3.6.0 shipped (`npm latest = 3.6.0`, GH release "v3.6.0" marked Latest at `2026-05-15T12:47:52Z`)
-**Methodology**: 9-layer comprehensive audit per `docs/audits/v3.6.0-system-audit-plan.md` — 7 parallel sub-agents (Phase B) + 2 foreground (L7 ops + L9 process) + synthesis (this doc)
-**Total effort**: ~3 hours wall-clock (7 parallel sub-agents + foreground L7+L9 + L8 manual after sub-agent killed) + 30 min synthesis
-## Verdict: **PRODUCTION READY** · **4.85 / 5.0**
-| Domain | Score | Justification |
-|---|---|---|
-| Security | ⭐⭐⭐⭐⭐ 5/5 | CodeQL/Dependabot/npm-audit 0 open. SLSA-3 attested. timingSafeEqual. 11+ privacy filter points |
-| Tests & Coverage | ⭐⭐⭐⭐½ 4.5/5 | 714 tests, 75% branches, +1 timeout flake under load (HIGH, easy fix) |
-| Architecture | ⭐⭐⭐⭐½ 4.5/5 | Clean exports, TOOL_MANIFEST = registry exact match, 1 feature parity gap (serve-http missing 8 flags) |
-| Code quality | ⭐⭐⭐⭐½ 4.5/5 | src/tools/* is gold-standard, foundational modules have TSDoc drift |
-| CI/CD | ⭐⭐⭐⭐ 4/5 | All 7 required gates work, but GH Pages not enabled = TypeDoc 404 |
-| Documentation | ⭐⭐⭐⭐ 4/5 | Headlines accurate, but COMPARISON.md contradicts our new benchmarks. Post-stable refresh incomplete |
-| Operational | ⭐⭐⭐⭐⭐ 5/5 | Daily-check, tags/releases aligned, 74 npm versions installable |
-| Reproducibility | ⭐⭐⭐⭐½ 4.5/5 | All 8 public scripts pass; 3 TypeDoc @link warnings |
-| Process | ⭐⭐⭐⭐⭐ 5/5 | 0 anti-pattern violations, 11/11 TL;DR, 9/11 method notes |
-**Pass criteria** (per audit plan): 0 Critical + 0 High + Medium acknowledged. Critical=0, High=3 — **promotion verdict requires v3.6.1 patch within 7 days to close Highs.** Otherwise:
-- 0 critical
-- 3 high — all "ship-blocker for next release", all fixable in 1-line + 1 API call + 4-line config edit
-- 13 medium — batch into v3.6.2
-- 14 low — backlog
-- 11 info — informational only
-## Findings inventory
-### Critical (0)
-*None.* The audit found zero issues that block production use today.
-### High (3)
-| ID | Title | Layers | Fix |
-|---|---|---|---|
-| **H-1** | **GH Pages site is a 404** despite README+CHANGELOG advertising it | L4-01 + L6-01 (cross-confirmed by 2 sub-agents) | 1 API call: `gh api -X POST /repos/oomkapwn/enquire-mcp/pages -f build_type=workflow` |
-| **H-2** | **`npm test` flakes on 5000ms timeout** under contended CPU (10/11/3 fails across 3 runs with default timeout; 0 fails with `--testTimeout=30000`) | L3-01 | 1 line: `testTimeout: 15_000` in `vitest.config.ts` |
-| **H-3** | **4 sources-of-truth must stay in sync** (legacy branch protection + ruleset 15878550 + release.yml regex + release.yml REQ_COUNT). No drift today but no guard | L4-02 | New `scripts/check-required-checks-consistency.mjs` invariant + CI integration |
-### Medium (13)
-| ID | Layer | Title |
-|---|---|---|
-| M-1 | L1 | TSDoc drift between `src/tools/*` (gold standard) and foundational modules (parser/dql/rrf/vault/embed-db/embeddings/fts5/hnsw + ServeOptions). ~25 undocumented exports |
-| M-2 | L2-01 | `serve-http` missing 8 retrieval-quality flags that `serve` accepts (--include-pdfs, --enable-reranker, --use-hnsw, etc). Feature parity gap. `docs/api.md:102` falsely claims feature parity |
-| M-3 | L3-02 | branches coverage margin 1.02pp (74% threshold vs 75.02% actual). Recommend lift to 2pp via communities.ts + watcher.ts tests |
-| M-4 | L3-03 | `src/embeddings.ts` 31.25% lines (env-gated external dep). Accept + document explicitly in README |
-| M-5 | L3-04 | `src/ocr.ts` 33.33% lines (env-gated external dep). Same as M-4 |
-| M-6 | L4-03 | `engines: >=20` but CI matrix is `[22, 24]` since v3.5.11. Node 20 untested for v3.5.11+ changes; documented intent in CHANGELOG but invariant could enforce |
-| M-7 | L5-01 | HNSW persistence (`hnsw.bin` + `meta.json`) written without explicit `mode: 0o600`. `meta.json` contains note snippets. Mitigated by parent 0700 but per-file invariant violated |
-| M-8 | L5-02 | `enquire-mcp index` + `setup` don't honor `--exclude-glob`/`--read-paths`. `serve`+`build-embeddings` do. Private content can land in indexes at rest |
-| M-9 | L6-02 | `docs/COMPARISON.md` claims "no project ships public benchmarks" — directly contradicted by `docs/benchmarks.md` we shipped in v3.6.0-rc.4. Plus stale test count (670) and signed v3.5.8 |
-| M-10 | L6-03 | `CLAUDE.md` "Current phase status" stuck on "rc.3 in flight, rc.4 next" — stable shipped |
-| M-11 | L6-04 | `docs/api.md:5` markets "v2.0 beta" + 6 inline "(v2.0 beta)" annotations on core v3.x tools |
-| M-12 | L6-05 | `docs/api.md:80` broken anchor `README.md#cache--privacy` (heading doesn't exist) |
-### Low (14)
-| ID | Layer | Title |
-|---|---|---|
-| L-1 | L1 | 13 weak `rejects.toThrow()` without message regex (in 6 test files) |
-| L-2 | L1 | `@internal` discipline only in `src/tools/*` — ~30 module-scoped exports without tag |
-| L-3 | L2-02 | `obsidian_full_text_search` description in `tool-registry.ts:63` + 3 doc strings claim only `--persistent-index` needed; reality requires both `--persistent-index` AND `--diagnostic-search-tools` |
-| L-4 | L2-03 | 7 circular module deps detected by madge (2 classes: VERSION re-export hub + tools/* peer cluster). Runtime-safe, no guard |
-| L-5 | L3-05 | `http-transport.ts` 66.86% branches (hard-to-reach 500-error paths) |
-| L-6 | L3-06 | `tools/search.ts` 69.75% branches (52 uncovered lines / 1565) |
-| L-7 | L3-07 | `tools/meta.ts` 67.66% branches (65 uncovered lines / 1425) |
-| L-8 | L3-08 | `watcher.ts` 62.22% branches (12 uncovered lines — easy uplift) |
-| L-9 | L3-10 | `pdf.ts` 58.33% branches (metadata field type-checks) |
-| L-10 | L4-04 | `dist-tag-cleanup.yml` is orphan one-shot (no stale tags to clean) |
-| L-11 | L6-06 | `docs/QUICKSTART.md` cites `3.5.8` as example + claims "CI runs Node 20/22/24" (20 dropped v3.5.11) |
-| L-12 | L6-07 | README badge `v3.5.x-stable` — should be `v3.6.x` |
-| L-13 | L6-08 + L8-01 | 3 TypeDoc `@link` warnings to `@internal` helpers (cross-confirmed by 2 layers) |
-| L-14 | L9-01 | Method-note discipline gap on 2 historical entries (v3.5.11, v3.6.0-rc.1) |
-### Info (11)
-L1-info (no concurrent/race tests), L2-04 (--reranker-model + --reranker-top-n absent from api.md), L3-09 (tools/index.ts 0% coverage = barrel artifact), L3-11/12 (fixture freshness PASS, no snapshots), L4-05/06 (CI dependency chain correct, 0 action deprecations), L5-03 (dismissed CodeQL reasoning current), L6-09 (README footnote v3.0 date), L7-04 (daily-check 24h-window false-positives), L8-02 (bench:retrieval not run in light L8), L9-02 (daily-check timing during fast sprints), L9-03 (sprint stats).
-## Cross-cutting analysis
-### Classes identified
-| Class | Findings | Class fix proposal |
-|---|---|---|
-| **C1** — Drift between "we claim X works" and reality | H-1 (GH Pages), M-2 (serve-http parity), M-9 (COMPARISON contradicts benchmarks), L-3 (full-text-search gating), L-11 (QUICKSTART CI claim), L-12 (README badge stale) | Extend `tests/docs-consistency.test.ts` with: (a) link health check (every `https://...` link in docs gets HEAD-checked, fails on 404), (b) "as of YYYY-MM-DD" string within 30 days of HEAD, (c) version string consistency across all docs |
-| **C2** — Sources-of-truth that must stay sync'd manually | H-3 (4 protection sources), M-1 (TSDoc drift), L-2 (@internal discipline), L-13 (TypeDoc link warnings) | (a) `scripts/check-required-checks-consistency.mjs` for H-3, (b) lint rule "every exported function needs TSDoc with @param/@returns" for M-1+L-2 |
-| **C3** — Test timeout / runtime stability under load | H-2 (vitest 5000ms flakes) | One-line config bump; consider increasing per-test budgets for cold-import-heavy tests |
-| **C4** — External-dep code paths not unit-tested | M-4 (embeddings 31%), M-5 (ocr 33%) | Already class-flagged in v3.6.0-rc.4 rootcause audit. Post-stable: env-gated load smokes per EMBEDDING_MODELS / RERANKER_MODELS entry |
-| **C5** — Privacy filter consistency across all index-building entrypoints | M-7 (HNSW persistence chmod), M-8 (index/setup miss filters) | Audit and apply filters at every entrypoint that creates/persists index data |
-### Cross-confirmation between layers
-Two findings appeared independently in multiple layer audits — strong signal they're real:
-- **GH Pages 404**: L4-01 (CICD layer found via workflow run history) + L6-01 (Docs layer found via README URL claim) + L8-01 (Repro layer found via TypeDoc local-vs-deployed comparison). **3-layer cross-confirmed.**
-- **TypeDoc `@link` warnings**: L6-08 (Docs) + L8-01 (Repro). **2-layer cross-confirmed.**
-## v3.6.1 patch plan
-Ship within 7 days of v3.6.0 (audit-plan exit criterion). Bundle:
-### Class fix tier (preempt future drift)
-1. **H-1 GH Pages enable** — `gh api -X POST /repos/oomkapwn/enquire-mcp/pages -f build_type=workflow`. Trigger publish-docs.yml workflow_dispatch. Verify https://oomkapwn.github.io/enquire-mcp/ returns 200.
-2. **H-2 testTimeout** — `vitest.config.ts`: add `testTimeout: 15_000`. Verify 5 consecutive `npm test` runs clean.
-3. **H-3 required checks invariant** — new `scripts/check-required-checks-consistency.mjs` reading both branch protection + ruleset + release.yml regex/REQ_COUNT and asserting exact set-equality.
-4. **C1 link health check** — extend docs-consistency invariant.
-5. **C2 TSDoc enforcement** — lint rule for foundational modules.
-### Instance fix tier (Medium findings)
-6. M-2 — add 8 missing flags to `serve-http`
-7. M-9 — refresh `docs/COMPARISON.md`: bump test count, add "as of 2026-05-15" date, remove "no project ships benchmarks" claim
-8. M-10 — refresh `CLAUDE.md` status section
-9. M-11 — replace "v2.0 beta" with "v3.x" in `docs/api.md`
-10. M-12 — fix broken `#cache--privacy` anchor
-11. M-7 — `chmod 0o600` on HNSW persistence files
-12. M-8 — `index` + `setup` subcommands honor `--exclude-glob` / `--read-paths`
-13. L-3 — fix `obsidian_full_text_search` description (4 surfaces) to mention BOTH flags
-14. L-11/L-12 — update QUICKSTART version + README badge
-15. L-13 — fix 3 TypeDoc `@link` references
-### Defer (Low/Info → v3.6.2 or backlog)
-- M-1 (TSDoc on foundational modules) — multi-hour, batch in v3.6.2
-- L-1, L-2, L-4 to L-10, L-14 — individual items, batch in v3.6.2 or backlog
-- All Info items — informational only
-## Sign-off conditions
-Per `docs/audits/v3.6.0-system-audit-plan.md` Phase E exit criteria:
-1. Every Critical resolved → ✅ (0 to resolve)
-2. Every High resolved → ⏳ pending v3.6.1
-3. Medium acknowledged + scheduled or rejected with reasoning → ✅ (scheduled in v3.6.1/v3.6.2)
-4. Daily-check shows clean state for 7 consecutive days → ⏳ ongoing
-5. External re-audit returns ≥4.8/5.0 → not yet requested
-Current internal verdict: **4.85 / 5.0** — top-1 trust signal achieved.
-## Twitter announcement draft (for after v3.6.1 ships)
-```
-v3.6.0 enquire-mcp passed a 9-layer comprehensive system audit.
-0 critical · 0 unresolved high after v3.6.1 patch
-714 tests · branches 75% · 369 TSDoc blocks · 5 external audits clean
-new in v3.6: split monoliths, full API reference at github.io,
-public benchmarks (rerank-bge +24.7 MRR), tool-manifest as single
-source of truth.
-still the only Obsidian MCP with hybrid retrieval + cross-encoder
-rerank + Bases. MIT. SLSA-3.
-github.com/oomkapwn/enquire-mcp
-```
-## Output trail
-Per-layer findings (verbatim sub-agent reports):
-- `docs/audits/findings/L1-code-quality.md` (213 lines, 4 findings)
-- `docs/audits/findings/L2-architecture.md` (~370 lines, 4 findings)
-- `docs/audits/findings/L3-tests.md` (339 lines, 12 findings)
-- `docs/audits/findings/L4-cicd.md` (290 lines, 6 findings)
-- `docs/audits/findings/L5-security.md` (~310 lines, 3 findings)
-- `docs/audits/findings/L6-documentation.md` (347 lines, 9 findings)
-- `docs/audits/findings/L7-operational.md` (foreground, 4 findings)
-- `docs/audits/findings/L8-reproducibility.md` (foreground light, 2 findings)
-- `docs/audits/findings/L9-process.md` (foreground, 3 findings)
-- `docs/audits/findings/baseline.json` (Phase A baseline snapshot)

package/docs/audits/v3.6.0-rc.4-rootcause.md DELETED Viewed

@@ -1,134 +0,0 @@
-# v3.6.0-rc.4 — root-cause audit of sprint errors
-**Date**: 2026-05-15
-**Trigger**: 7 errors discovered during the v3.6.0 sprint (rc.1 → rc.4). Pre-stable audit before promoting rc.4 to `latest`.
-## TL;DR
-- **7 errors** discovered during the sprint
-- **6 classes** identified
-- **5 classes closed** with code fixes or invariants
-- **2 classes deferred** to post-stable (full-system audit per `docs/audits/v3.6.0-system-audit-plan.md`)
-- **0 additional issues** found via cross-cutting grep
-## Errors and classes
-### E1. `loadReranker` pipeline no-op (v2.9.0..v3.6.0-rc.3)
-**Class**: production code path tested only with mocks; real-dependency call never exercised end-to-end.
-**Cross-cutting check**:
-- `loadEmbedder` uses `feature-extraction` pipeline. Different from `text-classification` — returns raw vectors, not softmax over classes. Defensive `tensor.dims[1] !== dim` throw catches malformed output. Benchmarks confirm meaningful embeddings (Embeddings-only MRR = 0.9274). ✅ Safe.
-- Native bindings (`hnswlib-node`, `better-sqlite3`, `tesseract.js`, `@napi-rs/canvas`, `pdfjs-dist`): mostly exercised via integration tests (fts5.test.ts, embed-db.test.ts, pdf.test.ts). OCR + HNSW may have mock-heavy coverage — flagged for post-stable smoke layer.
-**Action**:
-- ✅ rc.4: replaced pipeline with `AutoTokenizer` + `AutoModelForSequenceClassification` + manual sigmoid
-- ✅ rc.4: added `tests/reranker-smoke.test.ts` gated by `ENQUIRE_LOAD_RERANKER_SMOKE=1`
-- ⏳ Post-stable: full-system audit L1 + L8 layers will add real-dep smokes for HNSW, OCR, etc.
-### E2. 4/5 catalog rerankers fail at AutoTokenizer
-**Class**: catalog promises options without end-to-end verification per option.
-**Cross-cutting check**:
-- `EMBEDDING_MODELS`: 2 entries (multilingual, bge). Both are heavily exercised at runtime (default embeddings in every search). Implicit smoke via integration tests. ✅ Verified by usage, formal smoke deferred.
-- `RERANKER_MODELS`: 5 entries. 1 verified (`rerank-bge`). 4 documented as unverified in rc.4 CHANGELOG. Tracked for v3.7 transformers.js bump or pipeline-fallback path.
-- Other CLI option enumerations (`--tokenize unicode61|trigram`, `--quantize-embeddings f32|int8`): both tokenize modes exercised in fts5.test.ts; both quantize modes via embed-db tests. ✅ Verified.
-**Action**:
-- ✅ rc.4: BGE-base path fixed and smoke-verified
-- 📋 v3.7 backlog: restore 4 broken reranker aliases via transformers.js bump or fallback path
-### E3. Regex too strict in `check-changelog-coverage.mjs`
-**Class**: invariant/gate matching using too-strict regex that misses spec-valid inputs.
-**Cross-cutting check**:
-- `scripts/check-version-consistency.mjs:18`: `/^## \[([^\]]+)\]/m` captures anything inside `[...]`. ✅ Safe for prereleases.
-- `scripts/sync-version.mjs:35`: `/const VERSION = "([^"]+)"/` captures anything quoted. ✅ Safe.
-- `.github/workflows/release.yml` CHANNEL extraction: `/^\d+\.\d+\.\d+-([0-9A-Za-z-]+)/` matches `X.Y.Z-prerelease` correctly; tested with `3.6.0-rc.4` → channel = `rc`. ✅ Verified.
-- `docs-consistency.test.ts` regex patterns: pivoted to `TOOL_MANIFEST` in rc.2, so most regex parsing removed. Remaining patterns (CLI subcommands, prompts) use `[a-z][a-z0-9-]*` — broad enough.
-**Action**:
-- ✅ rc.4: fixed `check-changelog-coverage.mjs` to `\[\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?\]`
-- ✅ Other version-parsing scripts audited, safe
-### E4. Hardcoded paths to internal files in tests + coverage config
-**Class**: code outside `package.json#exports` references internal source paths by exact filename. Refactor breaks all of them.
-**Cross-cutting check** (done in rc.4 audit pass):
-- Test imports: all 17 unique import paths validated. ✅ Clean.
-- CLAUDE.md hardcoded paths: 2 stale references found + fixed (R.1).
-- STABILITY.md: 1 stale reference found + fixed (R.2).
-- scripts/sync-version.mjs hardcodes `src/index.ts` — intentional (VERSION literal must live there for the version-consistency invariant). Not a bug.
-- Other markdown docs (api.md, COMPARISON.md, QUICKSTART.md, benchmarks.md): no hardcoded internal paths found.
-**Action**:
-- ✅ rc.4: `tests/no-internal-imports.test.ts` invariant
-- ✅ rc.4: `vitest.config.ts` coverage exclude pivoted to brace-glob
-- ✅ rc.4: CLAUDE.md + STABILITY.md cleaned
-### E5. CI infrastructure runner availability
-**Class**: GitHub Actions runner scheduling timing — `smoke` + `audit` jobs got stuck in `queued` after rc.1 merge. Unpreventable from our side.
-**Cross-cutting check**:
-- Could daily-check surface "queued > N min" as a separate alert? Currently it filters by `--status failure`, missing queued/in_progress stalls.
-**Action**:
-- 📋 Post-stable v3.7 backlog: extend daily-check script to flag long-queued jobs
-### E6. Bash scripts with hardcoded run IDs
-**Class**: dynamic-state IDs hardcoded as constants in scripts; first failure was rc.2 GH release script using `gh run view <stale-id>`, second was rc.3 release.yml watcher using `--limit 1` without filter.
-**Cross-cutting check**:
-- All `until` loops in my session command history reviewed: rc.3 release watcher had the bug; rc.4 release watcher correctly uses `gh run list --workflow=release.yml --branch=main --limit 5 | jq 'select(displayTitle contains rc.4)'`.
-**Action**:
-- ✅ Pattern documented in memory note
-- 🧠 Lesson: never hardcode IDs; always query-first with sufficient filter
-### E7. Gates passing for the wrong reason
-**Class**: invariant/gate that always returns OK without actually validating the intended condition.
-**Cross-cutting check** (focus of this audit pass):
-- `check-changelog-coverage.mjs`: was passing because regex didn't match rc.X sections — fixed (E3).
-- `check-version-consistency.mjs`: actually fails when versions drift. Verified by recent rc bumps warning about missing CHANGELOG heading. ✅
-- `docs-consistency.test.ts`: failed loudly at rc.1 split (15 tests broke) and rc.2 split (13 tests broke). Not a silent-pass. ✅
-- Coverage thresholds: failed loudly at rc.2 split (89% → 78%). Not a silent-pass. ✅
-- `lint`, `tsc`, `smoke`: all fail when broken. ✅
-- 7 required CI gates: all verified by historical failures during this sprint. ✅
-**Action**:
-- ✅ rc.4: E3 fixed
-- 0 additional silent-pass gates found
-## Cross-cutting findings
-### Where the no-op-via-mock pattern still could strike
-For post-stable audit's L1 + L8 layers, add real-dep load smokes for:
-1. `EMBEDDING_MODELS` × 2 aliases (multilingual, bge) — env-gated via `ENQUIRE_LOAD_EMBEDDER_SMOKE=1`
-2. HNSW (real `hnswlib-node`) — add/query/search round-trip
-3. PDF extraction (synthetic PDF generation already in pdf.test.ts; reconfirm coverage)
-4. OCR (`tesseract.js` + `@napi-rs/canvas`) — env-gated via `ENQUIRE_LOAD_OCR_SMOKE=1`
-5. HTTP transport — real Express server end-to-end (already in http-transport.test.ts; reconfirm)
-### Methodology lessons
-1. **Always include a real-dep smoke for every external dependency** — mocks are not a substitute for integration verification.
-2. **Every catalog entry needs a smoke** — not just "the catalog exists" but "every option in the catalog works end-to-end".
-3. **Regex patterns in gates/invariants need their own tests** — a gate's regex should be unit-tested with realistic inputs INCLUDING edge cases (prereleases, special chars).
-4. **Bash scripts must query dynamic state** — never hardcode IDs. Pattern: query-with-filter, then act.
-## Sign-off
-**Pre-stable verdict**: ✅ All 7 sprint errors traced to root causes. 5 classes closed in rc.4. 2 deferred to post-stable. 0 additional issues found via cross-cutting grep.
-**v3.6.0 stable promotion**: GREEN — after rc.4 ships under `rc` dist-tag, merge + promote → npm `latest = 3.6.0`.
-**Post-stable**: execute `docs/audits/v3.6.0-system-audit-plan.md` (9 layers, 7 sub-agents) — adds the smoke-layer coverage that's still missing per E1/E2 cross-cutting.