@remnic/core 1.1.1 → 1.1.3

package/dist/{chunk-F5VP6YCB.js → chunk-DCE6SQLA.js}

@@ -1,22 +1,29 @@
 import {
-  SPECULATIVE_TTL_DAYS,
-  confidenceTier
-} from "./chunk-LTCGGW2D.js";
+  SecureStoreLockedError,
+  isEncryptedFile,
+  readMaybeEncryptedFile,
+  writeMaybeEncryptedFile
+} from "./chunk-YNJHCGDT.js";
 import {
   DEFAULT_CITATION_FORMAT,
   hasCitation,
   stripCitationForTemplate
 } from "./chunk-4KAN3GZ3.js";
+import {
+  SPECULATIVE_TTL_DAYS,
+  confidenceTier
+} from "./chunk-43EKP2UK.js";
 import {
   getCachedEntities,
+  invalidateCachedEntities,
   setCachedEntities
-} from "./chunk-6PFRXT4K.js";
+} from "./chunk-PFV5C235.js";
 import {
   inferMemoryStatus,
   isArchivedMemoryPath,
   sortMemoryLifecycleEvents,
   toMemoryPathRel
-} from "./chunk-TP4FZJIZ.js";
+} from "./chunk-RULE4VG5.js";
 import {
   normalizeProjectionPreview,
   normalizeProjectionTags
@@ -50,7 +57,7 @@ import {
 import {
   isConsolidationOperator,
   isValidDerivedFromEntry
-} from "./chunk-X6GF3FX2.js";
+} from "./chunk-G7D6GZ5J.js";
 import {
   createVersion
 } from "./chunk-FAAFWE4G.js";
@@ -59,7 +66,7 @@ import {
 } from "./chunk-2ODBA7MQ.js";
 
 // src/storage.ts
-import { access, readdir, readFile, stat, writeFile, mkdir, unlink, rename, appendFile } from "fs/promises";
+import { access, readdir, readFile, stat, writeFile, mkdir, unlink, appendFile } from "fs/promises";
 import { appendFileSync, mkdirSync, statSync } from "fs";
 import { createHash } from "crypto";
 import path from "path";
@@ -106,6 +113,88 @@ function assertMemoryWorthCounter(field, value) {
     throw new Error(`${field} must be >= 0, got ${value}`);
   }
 }
+function isErrnoCode(error, code) {
+  return typeof error === "object" && error !== null && "code" in error && error.code === code;
+}
+function trimTrailingSpacesAndTabs(value) {
+  let end = value.length;
+  while (end > 0 && (value[end - 1] === " " || value[end - 1] === "	")) {
+    end -= 1;
+  }
+  return end === value.length ? value : value.slice(0, end);
+}
+function trimLeadingSpacesAndTabs(value) {
+  let start = 0;
+  while (start < value.length && (value[start] === " " || value[start] === "	")) {
+    start += 1;
+  }
+  return start === 0 ? value : value.slice(start);
+}
+function stripDefaultCitationMarkersWithoutRegex(value) {
+  return stripCitationMarkersForHashRemoval(value, DEFAULT_CITATION_FORMAT);
+}
+function citationTemplateLiteralParts(template) {
+  const parts = [];
+  let cursor = 0;
+  while (cursor < template.length) {
+    const open = template.indexOf("{", cursor);
+    if (open === -1) {
+      parts.push(template.slice(cursor));
+      break;
+    }
+    parts.push(template.slice(cursor, open));
+    const close = template.indexOf("}", open + 1);
+    if (close === -1) {
+      cursor = open + 1;
+    } else {
+      cursor = close + 1;
+    }
+  }
+  return parts.filter((part) => part.length > 0);
+}
+function stripCitationMarkersForHashRemoval(value, template) {
+  const parts = citationTemplateLiteralParts(template);
+  if (parts.length === 0) return value;
+  const first = parts[0];
+  const lowerValue = value.toLowerCase();
+  const lowerFirst = first.toLowerCase();
+  const lowerParts = parts.map((part) => part.toLowerCase());
+  if (!lowerValue.includes(lowerFirst)) return value;
+  let result = "";
+  let cursor = 0;
+  let removed = false;
+  while (cursor < value.length) {
+    const markerStart = lowerValue.indexOf(lowerFirst, cursor);
+    if (markerStart === -1) {
+      result += value.slice(cursor);
+      break;
+    }
+    const boundedEnd = first.startsWith("[") ? value.indexOf("]", markerStart + first.length) : -1;
+    if (first.startsWith("[") && boundedEnd === -1) {
+      result += value.slice(cursor);
+      break;
+    }
+    const searchLimit = boundedEnd === -1 ? value.length : boundedEnd + 1;
+    let markerEnd = markerStart + first.length;
+    let matched = true;
+    for (let i = 1; i < lowerParts.length; i += 1) {
+      const partIndex = lowerValue.indexOf(lowerParts[i], markerEnd);
+      if (partIndex === -1 || partIndex + parts[i].length > searchLimit) {
+        matched = false;
+        break;
+      }
+      markerEnd = partIndex + parts[i].length;
+    }
+    if (!matched) {
+      result += value.slice(cursor);
+      break;
+    }
+    result += trimTrailingSpacesAndTabs(value.slice(cursor, markerStart));
+    cursor = markerEnd;
+    removed = true;
+  }
+  return removed ? trimLeadingSpacesAndTabs(result) : value;
+}
 function serializeFrontmatter(fm) {
   const lines = [
     "---",
@@ -128,6 +217,10 @@ function serializeFrontmatter(fm) {
   if (fm.supersededBy) lines.push(`supersededBy: ${fm.supersededBy}`);
   if (fm.supersededAt) lines.push(`supersededAt: ${fm.supersededAt}`);
   if (fm.archivedAt) lines.push(`archivedAt: ${fm.archivedAt}`);
+  if (fm.valid_at) lines.push(`validAt: ${fm.valid_at}`);
+  if (fm.invalid_at) lines.push(`invalidAt: ${fm.invalid_at}`);
+  if (fm.forgottenAt) lines.push(`forgottenAt: ${fm.forgottenAt}`);
+  if (fm.forgottenReason) lines.push(`forgottenReason: ${JSON.stringify(fm.forgottenReason)}`);
   if (fm.lifecycleState) lines.push(`lifecycleState: ${fm.lifecycleState}`);
   if (fm.verificationState) lines.push(`verificationState: ${fm.verificationState}`);
   if (fm.policyClass) lines.push(`policyClass: ${fm.policyClass}`);
@@ -205,11 +298,22 @@ function serializeFrontmatter(fm) {
   if (fm.derived_via !== void 0) {
     if (!isConsolidationOperator(fm.derived_via)) {
       throw new Error(
-        `serializeFrontmatter: invalid derived_via ${JSON.stringify(fm.derived_via)} \u2014 expected one of "split" | "merge" | "update"`
+        `serializeFrontmatter: invalid derived_via ${JSON.stringify(fm.derived_via)} \u2014 expected one of "split" | "merge" | "update" | "pattern-reinforcement"`
       );
     }
     lines.push(`derived_via: ${fm.derived_via}`);
   }
+  if (fm.reinforcement_count !== void 0) {
+    if (!Number.isInteger(fm.reinforcement_count) || fm.reinforcement_count <= 0) {
+      throw new Error(
+        `serializeFrontmatter: reinforcement_count must be a positive integer (got ${JSON.stringify(fm.reinforcement_count)})`
+      );
+    }
+    lines.push(`reinforcement_count: ${fm.reinforcement_count}`);
+  }
+  if (fm.last_reinforced_at) {
+    lines.push(`last_reinforced_at: ${fm.last_reinforced_at}`);
+  }
   lines.push("---");
   return lines.join("\n");
 }
@@ -242,6 +346,20 @@ function parseLinkReasonValue(rawValue) {
     return legacyValue;
   }
 }
+function parseFrontmatterStringValue(rawValue) {
+  if (rawValue === void 0) return void 0;
+  const trimmed = rawValue.trim();
+  if (trimmed.length === 0) return void 0;
+  if (trimmed.startsWith('"') && trimmed.endsWith('"')) {
+    try {
+      const parsed = JSON.parse(trimmed);
+      return typeof parsed === "string" ? parsed : trimmed;
+    } catch {
+      return trimmed.slice(1, -1).replace(/\\"/g, '"');
+    }
+  }
+  return trimmed;
+}
 function parseMemoryWorthCounterField(raw) {
   if (raw === void 0) return void 0;
   const trimmed = raw.trim();
@@ -250,6 +368,14 @@ function parseMemoryWorthCounterField(raw) {
   if (!Number.isFinite(n) || !Number.isInteger(n) || n < 0) return void 0;
   return n;
 }
+function parseReinforcementCountField(raw) {
+  if (raw === void 0) return void 0;
+  const trimmed = raw.trim();
+  if (trimmed.length === 0) return void 0;
+  const n = Number(trimmed);
+  if (!Number.isFinite(n) || !Number.isInteger(n) || n <= 0) return void 0;
+  return n;
+}
 function parseFrontmatter(raw) {
   const match = raw.match(/^---\n([\s\S]*?)\n---\n?([\s\S]*)$/);
   if (!match) return null;
@@ -435,6 +561,11 @@ function parseFrontmatter(raw) {
       supersededBy: fm.supersededBy || void 0,
       supersededAt: fm.supersededAt || void 0,
       archivedAt: fm.archivedAt || void 0,
+      // Issue #680 — explicit fact lifecycle round-trip.
+      valid_at: fm.validAt || void 0,
+      invalid_at: fm.invalidAt || void 0,
+      forgottenAt: fm.forgottenAt || void 0,
+      forgottenReason: parseFrontmatterStringValue(fm.forgottenReason),
       lifecycleState: fm.lifecycleState || void 0,
       verificationState: fm.verificationState || void 0,
       policyClass: fm.policyClass || void 0,
@@ -469,7 +600,14 @@ function parseFrontmatter(raw) {
       // Consolidation provenance (issue #561) — read-through only in this
       // PR; no code produces these fields yet.
       derived_from,
-      derived_via
+      derived_via,
+      // Pattern-reinforcement metadata (issue #687 PR 2/4).  Parse
+      // permissively: invalid values (negative, non-integer, blank
+      // ISO-strings) are dropped to undefined so a corrupt frontmatter
+      // never poisons downstream scoring.  Validation lives on the
+      // write path in serializeFrontmatter.
+      reinforcement_count: parseReinforcementCountField(fm.reinforcement_count),
+      last_reinforced_at: fm.last_reinforced_at || void 0
     },
     content
   };
@@ -580,13 +718,19 @@ var ContentHashIndex = class _ContentHashIndex {
   hashes = /* @__PURE__ */ new Set();
   dirty = false;
   filePath;
-  constructor(stateDir) {
+  secureStoreKeyProvider;
+  secureStoreWriteKeyProvider;
+  memoryDir;
+  constructor(stateDir, secureStoreKeyProvider = () => null, secureStoreWriteKeyProvider = secureStoreKeyProvider, memoryDir = path.dirname(stateDir)) {
     this.filePath = path.join(stateDir, "fact-hashes.txt");
+    this.secureStoreKeyProvider = secureStoreKeyProvider;
+    this.secureStoreWriteKeyProvider = secureStoreWriteKeyProvider;
+    this.memoryDir = memoryDir;
   }
   /** Load existing hashes from disk. Safe to call multiple times. */
   async load() {
     try {
-      const raw = await readFile(this.filePath, "utf-8");
+      const raw = await readMaybeEncryptedFile(this.filePath, this.secureStoreKeyProvider(), this.memoryDir);
       for (const line of raw.split("\n")) {
         const trimmed = line.trim();
         if (trimmed.length > 0) {
@@ -594,7 +738,9 @@ var ContentHashIndex = class _ContentHashIndex {
         }
       }
       log.debug(`content-hash index: loaded ${this.hashes.size} hashes`);
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       log.debug("content-hash index: no existing index \u2014 starting fresh");
     }
   }
@@ -617,7 +763,13 @@ var ContentHashIndex = class _ContentHashIndex {
   async save() {
     if (!this.dirty) return;
     await mkdir(path.dirname(this.filePath), { recursive: true });
-    await writeFile(this.filePath, [...this.hashes].join("\n") + "\n", "utf-8");
+    await writeMaybeEncryptedFile(
+      this.filePath,
+      [...this.hashes].join("\n") + "\n",
+      this.secureStoreWriteKeyProvider(),
+      {},
+      this.memoryDir
+    );
     this.dirty = false;
     log.debug(`content-hash index: saved ${this.hashes.size} hashes`);
   }
@@ -1480,6 +1632,8 @@ var StorageManager = class _StorageManager {
   // 1 minute
   static artifactWriteVersionByDir = /* @__PURE__ */ new Map();
   static memoryStatusVersionByDir = /* @__PURE__ */ new Map();
+  static secureStoreEntityCacheKeyIds = /* @__PURE__ */ new WeakMap();
+  static nextSecureStoreEntityCacheKeyId = 1;
   // In-process fallback for the cold-write sentinel (used when the disk file
   // is not accessible).  The canonical source of truth is state/cold-write.log.
   static coldWriteVersionByDir = /* @__PURE__ */ new Map();
@@ -1527,6 +1681,7 @@ var StorageManager = class _StorageManager {
   factHashIndexLoadPromise = null;
   factHashIndexAuthoritative = null;
   factHashIndexAuthoritativePromise = null;
+  secureAppendChains = /* @__PURE__ */ new Map();
   /** Optional: set by the orchestrator after construction to enable template-aware citation stripping during legacy hash rebuild. */
   citationTemplate = DEFAULT_CITATION_FORMAT;
   /** Page-versioning configuration.  Set by the orchestrator after construction. */
@@ -1535,6 +1690,87 @@ var StorageManager = class _StorageManager {
   setVersioningConfig(config) {
     this._versioningConfig = config;
   }
+  /**
+   * At-rest encryption key (issue #690 PR 3/4).
+   *
+   * When non-null, every memory file read is decrypted and every write
+   * is encrypted using the secure-fs layer.  When null, the storage
+   * layer operates in plain-text mode (legacy/unencrypted store).
+   *
+   * Set by the orchestrator after init/unlock; cleared on lock.
+   * The key buffer is NEVER logged or serialized.
+   */
+  _secureStoreKey = null;
+  /**
+   * When true (and `_secureStoreKey` is non-null), new writes are
+   * encrypted.  Set to false to pause encryption of new writes while
+   * still decrypting existing files.
+   */
+  _secureStoreEncryptOnWrite = true;
+  /**
+   * When true, the secure-store is configured as required — writes
+   * MUST be encrypted and a locked store MUST reject writes rather
+   * than silently falling back to plaintext.  Set by the orchestrator
+   * from `config.secureStoreEnabled`.
+   */
+  _secureStoreRequired = false;
+  /**
+   * Set or clear the at-rest encryption key.
+   *
+   * Pass a 32-byte Buffer to enable encryption; pass null to clear
+   * (lock) the store.  The caller is responsible for key lifecycle —
+   * this method does not zero the buffer on replacement; the keyring
+   * module (`keyring.ts`) owns zeroization.
+   */
+  setSecureStoreKey(key, encryptOnWrite = true) {
+    this._secureStoreKey = key;
+    this._secureStoreEncryptOnWrite = encryptOnWrite;
+    invalidateCachedEntities(this.baseDir);
+    this.invalidateKnowledgeIndexCache();
+  }
+  getEntityCacheSecureStoreKey() {
+    if (!this._secureStoreKey) return "secure-store:locked";
+    let id = _StorageManager.secureStoreEntityCacheKeyIds.get(this._secureStoreKey);
+    if (id === void 0) {
+      id = _StorageManager.nextSecureStoreEntityCacheKeyId++;
+      _StorageManager.secureStoreEntityCacheKeyIds.set(this._secureStoreKey, id);
+    }
+    return `secure-store:key:${id}`;
+  }
+  /**
+   * Mark the secure-store as required for this storage instance.
+   * When required and locked, writes throw SecureStoreLockedError
+   * rather than silently writing plaintext.
+   */
+  setSecureStoreRequired(required) {
+    this._secureStoreRequired = required;
+  }
+  /** Return true iff the secure-store key is currently set (store is unlocked). */
+  isSecureStoreUnlocked() {
+    return this._secureStoreKey !== null;
+  }
+  /**
+   * Resolve the effective write key.
+   *
+   * - If `_secureStoreEncryptOnWrite` is false: returns null (plain write).
+   * - If `_secureStoreEncryptOnWrite` is true AND key is set: returns key.
+   * - If `_secureStoreEncryptOnWrite` is true AND key is null AND
+   *   `_secureStoreRequired` is true: throws SecureStoreLockedError so the
+   *   write fails loudly rather than silently writing plaintext (P1 finding
+   *   from Cursor review of PR #767).
+   * - If `_secureStoreEncryptOnWrite` is true AND key is null AND
+   *   `_secureStoreRequired` is false: returns null (unencrypted store).
+   */
+  resolveWriteKey() {
+    if (!this._secureStoreEncryptOnWrite) return null;
+    if (this._secureStoreKey !== null) return this._secureStoreKey;
+    if (this._secureStoreRequired) {
+      throw new SecureStoreLockedError(
+        "secure-store is locked \u2014 cannot write memory file. Run `remnic secure-store unlock` to decrypt, or restart the daemon after unlocking."
+      );
+    }
+    return null;
+  }
   /**
    * Snapshot the current content of a page before overwriting.
    * No-op when versioning is disabled or the file does not yet exist.
@@ -1542,7 +1778,7 @@ var StorageManager = class _StorageManager {
   async snapshotBeforeWrite(filePath, trigger) {
     if (!this._versioningConfig || !this._versioningConfig.enabled) return;
     try {
-      const existing = await readFile(filePath, "utf-8");
+      const existing = await readMaybeEncryptedFile(filePath, this._secureStoreKey, this.baseDir);
       await createVersion(filePath, existing, trigger, this._versioningConfig, log, void 0, this.baseDir);
     } catch {
     }
@@ -1565,7 +1801,7 @@ var StorageManager = class _StorageManager {
     if (!this._versioningConfig || !this._versioningConfig.enabled) return null;
     let existing;
     try {
-      existing = await readFile(filePath, "utf-8");
+      existing = await readMaybeEncryptedFile(filePath, this._secureStoreKey, this.baseDir);
     } catch {
       return null;
     }
@@ -1651,6 +1887,57 @@ var StorageManager = class _StorageManager {
   get entitiesDir() {
     return path.join(this.baseDir, "entities");
   }
+  readStorageSecureFile(filePath) {
+    return readMaybeEncryptedFile(filePath, this._secureStoreKey, this.baseDir);
+  }
+  writeStorageSecureFile(filePath, content) {
+    return writeMaybeEncryptedFile(filePath, content, this.resolveWriteKey(), {}, this.baseDir);
+  }
+  createContentHashIndex() {
+    return new ContentHashIndex(
+      this.stateDir,
+      () => this._secureStoreKey,
+      () => this.resolveWriteKey(),
+      this.baseDir
+    );
+  }
+  async appendStorageSecureFile(filePath, content) {
+    const previous = this.secureAppendChains.get(filePath) ?? Promise.resolve();
+    const current = previous.catch(() => void 0).then(() => this.appendStorageSecureFileUnlocked(filePath, content));
+    const next = current.catch(() => void 0);
+    this.secureAppendChains.set(filePath, next);
+    try {
+      await current;
+    } finally {
+      if (this.secureAppendChains.get(filePath) === next) {
+        this.secureAppendChains.delete(filePath);
+      }
+    }
+  }
+  async appendStorageSecureFileUnlocked(filePath, content) {
+    const writeKey = this.resolveWriteKey();
+    await mkdir(path.dirname(filePath), { recursive: true });
+    if (writeKey === null) {
+      try {
+        if (isEncryptedFile(await readFile(filePath))) {
+          const existing2 = await this.readStorageSecureFile(filePath);
+          await writeMaybeEncryptedFile(filePath, `${existing2}${content}`, null, {}, this.baseDir);
+          return;
+        }
+      } catch (err) {
+        if (!isErrnoCode(err, "ENOENT")) throw err;
+      }
+      await appendFile(filePath, content, "utf-8");
+      return;
+    }
+    let existing = "";
+    try {
+      existing = await this.readStorageSecureFile(filePath);
+    } catch (err) {
+      if (!isErrnoCode(err, "ENOENT")) throw err;
+    }
+    await writeMaybeEncryptedFile(filePath, `${existing}${content}`, writeKey, {}, this.baseDir);
+  }
   get stateDir() {
     return path.join(this.baseDir, "state");
   }
@@ -1665,7 +1952,7 @@ var StorageManager = class _StorageManager {
       return this.factHashIndex;
     }
     if (!this.factHashIndexLoadPromise) {
-      const index = new ContentHashIndex(this.stateDir);
+      const index = this.createContentHashIndex();
       this.factHashIndexLoadPromise = index.load().then(() => {
         this.factHashIndex = index;
         return index;
@@ -1907,7 +2194,7 @@ ${sanitized.text}
       filePath = path.join(this.factsDir, today, `${id}.md`);
     }
     await this.snapshotBeforeWrite(filePath, "write");
-    await writeFile(filePath, fileContent, "utf-8");
+    await writeMaybeEncryptedFile(filePath, fileContent, this.resolveWriteKey(), {}, this.baseDir);
     this.invalidateAllMemoriesCache();
     await this.appendGeneratedMemoryLifecycleEventFailOpen("storage.writeMemory", {
       memoryId: id,
@@ -1943,6 +2230,50 @@ ${sanitized.text}
     const sanitized = sanitizeMemoryContent(content);
     return factHashIndex.has(sanitized.text);
   }
+  factContentHashForRemoval(memory) {
+    if (memory.frontmatter.category !== "fact") return null;
+    if (typeof memory.frontmatter.contentHash === "string" && memory.frontmatter.contentHash.length > 0) {
+      return memory.frontmatter.contentHash;
+    }
+    const configuredHashSource = stripCitationMarkersForHashRemoval(memory.content, this.citationTemplate);
+    const hashSource = configuredHashSource !== memory.content ? configuredHashSource : stripDefaultCitationMarkersWithoutRegex(memory.content);
+    return ContentHashIndex.computeHash(sanitizeMemoryContent(hashSource).text);
+  }
+  async removeFactContentHashesForMemories(memories) {
+    await this.ensureFactHashIndexAuthoritative();
+    const factHashIndex = await this.getFactHashIndex();
+    const removedIds = new Set(
+      memories.map((memory) => memory.frontmatter.id).filter((id) => typeof id === "string" && id.length > 0)
+    );
+    const removedHashes = /* @__PURE__ */ new Map();
+    for (const memory of memories) {
+      const hash = this.factContentHashForRemoval(memory);
+      if (hash) {
+        removedHashes.set(memory, hash);
+      }
+    }
+    if (removedHashes.size === 0) return;
+    const remainingActiveHashes = /* @__PURE__ */ new Set();
+    const remainingMemories = [
+      ...await this.readAllMemories(),
+      ...await this.readAllColdMemories()
+    ];
+    for (const memory of remainingMemories) {
+      if (memory.frontmatter.category !== "fact") continue;
+      if (removedIds.has(memory.frontmatter.id)) continue;
+      if (inferMemoryStatus(memory.frontmatter, memory.path) !== "active") continue;
+      const hash = this.factContentHashForRemoval(memory);
+      if (hash) {
+        remainingActiveHashes.add(hash);
+      }
+    }
+    for (const hash of removedHashes.values()) {
+      if (!remainingActiveHashes.has(hash)) {
+        factHashIndex.removeByHash(hash);
+      }
+    }
+    await factHashIndex.save();
+  }
   async isFactContentHashAuthoritative() {
     await this.ensureFactHashIndexAuthoritative();
     return true;
@@ -1976,10 +2307,10 @@ ${sanitized.text}
       return "";
     }
     const filePath = path.join(dir, `${id}.md`);
-    await writeFile(filePath, `${serializeFrontmatter(fm)}
+    await writeMaybeEncryptedFile(filePath, `${serializeFrontmatter(fm)}
 
 ${sanitized.text}
-`, "utf-8");
+`, this.resolveWriteKey(), {}, this.baseDir);
     const actor = typeof options.actor === "string" && options.actor.length > 0 ? options.actor : "storage.writeArtifact";
     await this.appendGeneratedMemoryLifecycleEventFailOpen("storage.writeArtifact", {
       memoryId: id,
@@ -2088,9 +2419,11 @@ ${sanitized.text}
       aliases: []
     };
     try {
-      const existing = await readFile(filePath, "utf-8");
+      const existing = await this.readStorageSecureFile(filePath);
       entity = parseEntityFile(existing, this.entitySchemas);
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
     }
     const timestamp = options.timestamp?.trim() || (/* @__PURE__ */ new Date()).toISOString();
     const source = options.source?.trim() || void 0;
@@ -2146,7 +2479,7 @@ ${sanitized.text}
     entity.created = entity.created || timestamp;
     entity.updated = (/* @__PURE__ */ new Date()).toISOString();
     await this.snapshotBeforeWrite(filePath, "write");
-    await writeFile(filePath, serializeEntityFile(entity, this.entitySchemas), "utf-8");
+    await this.writeStorageSecureFile(filePath, serializeEntityFile(entity, this.entitySchemas));
     this.invalidateKnowledgeIndexCache();
     this.bumpMemoryStatusVersion();
     log.debug(`wrote entity ${normalized}`);
@@ -2154,15 +2487,19 @@ ${sanitized.text}
   }
   async readProfile() {
     try {
-      return await readFile(this.profilePath, "utf-8");
-    } catch {
-      return "";
+      return await readMaybeEncryptedFile(this.profilePath, this._secureStoreKey, this.baseDir);
+    } catch (error) {
+      if (error instanceof SecureStoreLockedError) {
+        throw error;
+      }
+      if (isErrnoCode(error, "ENOENT")) return "";
+      throw error;
     }
   }
   async writeProfile(content) {
     await this.ensureDirectories();
     await this.snapshotBeforeWrite(this.profilePath, "consolidation");
-    await writeFile(this.profilePath, content, "utf-8");
+    await writeMaybeEncryptedFile(this.profilePath, content, this.resolveWriteKey(), {}, this.baseDir);
     log.debug("updated profile.md");
   }
   /**
@@ -2245,6 +2582,24 @@ ${sanitized.text}
   invalidateAllMemoriesCacheForDir() {
     this.invalidateAllMemoriesCache();
   }
+  /** Invalidate only the cache layers affected by direct tier file deletes. */
+  invalidateMemoryCachesForTiers(tiers) {
+    let hotChanged = false;
+    let coldChanged = false;
+    for (const tier of tiers) {
+      if (tier === "cold") {
+        coldChanged = true;
+      } else if (tier === "hot" || tier === "archive") {
+        hotChanged = true;
+      }
+    }
+    if (hotChanged) {
+      this.invalidateAllMemoriesCache();
+    }
+    if (coldChanged) {
+      this.invalidateColdMemoriesCache();
+    }
+  }
   /** Clear ALL static caches. Use in tests that write files directly
    *  (bypassing StorageManager.writeMemory) to avoid stale reads. */
   static clearAllStaticCaches() {
@@ -2336,7 +2691,7 @@ ${sanitized.text}
       const results = await Promise.all(
         batch.map(async (fullPath) => {
           try {
-            const raw = await readFile(fullPath, "utf-8");
+            const raw = await readMaybeEncryptedFile(fullPath, this._secureStoreKey, this.baseDir);
             const parsed = parseFrontmatter(raw);
             if (!parsed) return null;
             return {
@@ -2348,7 +2703,8 @@ ${sanitized.text}
               ),
               content: parsed.content
             };
-          } catch {
+          } catch (err) {
+            if (err instanceof SecureStoreLockedError) throw err;
             return null;
           }
         })
@@ -2361,7 +2717,7 @@ ${sanitized.text}
   }
   async readWindowUpdatedMs(filePath) {
     try {
-      const raw = await readFile(filePath, "utf-8");
+      const raw = await readMaybeEncryptedFile(filePath, this._secureStoreKey, this.baseDir);
       const match = raw.match(/^---\n([\s\S]*?)\n---\n?/);
       if (!match) return null;
       const frontmatterBlock = match[1];
@@ -2545,7 +2901,7 @@ ${sanitized.text}
             await readDir(fullPath);
           } else if (entry.name.endsWith(".md")) {
             try {
-              const raw = await readFile(fullPath, "utf-8");
+              const raw = await readMaybeEncryptedFile(fullPath, this._secureStoreKey, this.baseDir);
               const parsed = parseFrontmatter(raw);
               if (parsed) {
                 memories.push({
@@ -2558,7 +2914,8 @@ ${sanitized.text}
                   content: parsed.content
                 });
               }
-            } catch {
+            } catch (err) {
+              if (err instanceof SecureStoreLockedError) throw err;
             }
           }
         }
@@ -2571,7 +2928,7 @@ ${sanitized.text}
   /** Read a single memory file by its absolute path. Returns null if unreadable. */
   async readMemoryByPath(filePath) {
     try {
-      const raw = await readFile(filePath, "utf-8");
+      const raw = await readMaybeEncryptedFile(filePath, this._secureStoreKey, this.baseDir);
       const parsed = parseFrontmatter(raw);
       if (parsed) {
         return {
@@ -2606,7 +2963,8 @@ ${sanitized.text}
         };
       }
       return null;
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
       return null;
     }
   }
@@ -2644,19 +3002,8 @@ ${sanitized.text}
 
 ${memory.content}
 `;
-    await mkdir(path.dirname(targetPath), { recursive: true });
-    const tempPath = `${targetPath}.tmp-${process.pid}-${Date.now()}`;
-    try {
-      await writeFile(tempPath, fileContent, "utf-8");
-      await rename(tempPath, targetPath);
-      this.invalidateAllMemoriesCache();
-    } catch (err) {
-      try {
-        await unlink(tempPath);
-      } catch {
-      }
-      throw err;
-    }
+    await writeMaybeEncryptedFile(targetPath, fileContent, this.resolveWriteKey(), {}, this.baseDir);
+    this.invalidateAllMemoriesCache();
   }
   async moveMemoryToPath(memory, targetPath) {
     await this.writeMemoryFileAtomic(targetPath, memory);
@@ -2727,7 +3074,7 @@ ${memory.content}
 ${memory.content}
 `;
       const destPath = path.join(destDir, path.basename(memory.path));
-      await writeFile(destPath, fileContent, "utf-8");
+      await writeMaybeEncryptedFile(destPath, fileContent, this.resolveWriteKey(), {}, this.baseDir);
       await unlink(memory.path);
       this.invalidateAllMemoriesCache();
       await this.appendGeneratedMemoryLifecycleEventFailOpen(
@@ -2763,8 +3110,10 @@ ${memory.content}
   }
   async readEntity(name) {
     try {
-      return await readFile(path.join(this.entitiesDir, `${name}.md`), "utf-8");
-    } catch {
+      return await this.readStorageSecureFile(path.join(this.entitiesDir, `${name}.md`));
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return "";
     }
   }
@@ -2848,7 +3197,7 @@ ${memory.content}
 
 ${sanitized.text}
 `;
-    await writeFile(memory.path, fileContent, "utf-8");
+    await writeMaybeEncryptedFile(memory.path, fileContent, this.resolveWriteKey(), {}, this.baseDir);
     this.invalidateAllMemoriesCache();
     await this.appendGeneratedMemoryLifecycleEventFailOpen("storage.updateMemory", {
       memoryId: id,
@@ -2880,7 +3229,7 @@ ${sanitized.text}
 
 ${memory.content}
 `;
-    await writeFile(memory.path, fileContent, "utf-8");
+    await writeMaybeEncryptedFile(memory.path, fileContent, this.resolveWriteKey(), {}, this.baseDir);
     this.invalidateAllMemoriesCache();
     if (memory.path.includes(`${path.sep}cold${path.sep}`)) {
       this.invalidateColdMemoriesCache();
@@ -2945,21 +3294,23 @@ ${memory.content}
   async loadBuffer() {
     const bufferPath = path.join(this.stateDir, "buffer.json");
     try {
-      const raw = await readFile(bufferPath, "utf-8");
+      const raw = await this.readStorageSecureFile(bufferPath);
       return JSON.parse(raw);
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return { turns: [], lastExtractionAt: null, extractionCount: 0 };
     }
   }
   async saveBuffer(state) {
     await this.ensureDirectories();
     const bufferPath = path.join(this.stateDir, "buffer.json");
-    await writeFile(bufferPath, JSON.stringify(state, null, 2), "utf-8");
+    await this.writeStorageSecureFile(bufferPath, JSON.stringify(state, null, 2));
   }
   async loadMeta() {
     const metaPath = path.join(this.stateDir, "meta.json");
     try {
-      const raw = await readFile(metaPath, "utf-8");
+      const raw = await this.readStorageSecureFile(metaPath);
       const parsed = JSON.parse(raw);
       return {
         extractionCount: typeof parsed.extractionCount === "number" ? parsed.extractionCount : 0,
@@ -2976,7 +3327,9 @@ ${memory.content}
           observedAt: entry.observedAt
         })) : []
       };
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return {
         extractionCount: 0,
         lastExtractionAt: null,
@@ -2990,7 +3343,7 @@ ${memory.content}
   async saveMeta(state) {
     await this.ensureDirectories();
     const metaPath = path.join(this.stateDir, "meta.json");
-    await writeFile(metaPath, JSON.stringify(state, null, 2), "utf-8");
+    await this.writeStorageSecureFile(metaPath, JSON.stringify(state, null, 2));
   }
   async appendMemoryActionEvents(events) {
     if (events.length === 0) return 0;
@@ -3004,7 +3357,7 @@ ${memory.content}
       return `${JSON.stringify(normalized)}
 `;
     }).join("");
-    await appendFile(this.memoryActionsPath, payload, "utf-8");
+    await this.appendStorageSecureFile(this.memoryActionsPath, payload);
     return events.length;
   }
   async appendMemoryLifecycleEvents(events) {
@@ -3019,7 +3372,7 @@ ${memory.content}
       return `${JSON.stringify(normalized)}
 `;
     }).join("");
-    await appendFile(this.memoryLifecycleLedgerPath, payload, "utf-8");
+    await this.appendStorageSecureFile(this.memoryLifecycleLedgerPath, payload);
     return events.length;
   }
   /**
@@ -3044,7 +3397,7 @@ ${memory.content}
       return `${JSON.stringify(normalized)}
 `;
     }).join("");
-    await appendFile(this.bufferSurpriseLedgerPath, payload, "utf-8");
+    await this.appendStorageSecureFile(this.bufferSurpriseLedgerPath, payload);
     return events.length;
   }
   /**
@@ -3081,8 +3434,9 @@ ${memory.content}
   async readBufferSurpriseEvents(options = {}) {
     let raw;
     try {
-      raw = await readFile(this.bufferSurpriseLedgerPath, "utf-8");
+      raw = await this.readStorageSecureFile(this.bufferSurpriseLedgerPath);
     } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
       const code = err.code;
       if (code === "ENOENT") return [];
       throw err;
@@ -3117,7 +3471,7 @@ ${memory.content}
     await this.ensureDirectories();
     let existingKeys = /* @__PURE__ */ new Set();
     try {
-      const raw = await readFile(this.behaviorSignalsPath, "utf-8");
+      const raw = await this.readStorageSecureFile(this.behaviorSignalsPath);
       const lines = raw.split("\n");
       for (const line of lines) {
         const row = line.trim();
@@ -3130,7 +3484,9 @@ ${memory.content}
         } catch {
         }
       }
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       existingKeys = /* @__PURE__ */ new Set();
     }
     const nowIso = (/* @__PURE__ */ new Date()).toISOString();
@@ -3147,7 +3503,7 @@ ${memory.content}
     if (deduped.length === 0) return 0;
     const payload = deduped.map((event) => `${JSON.stringify(event)}
 `).join("");
-    await appendFile(this.behaviorSignalsPath, payload, "utf-8");
+    await this.appendStorageSecureFile(this.behaviorSignalsPath, payload);
     return deduped.length;
   }
   async appendReextractJobs(events) {
@@ -3156,9 +3512,11 @@ ${memory.content}
     const filePath = path.join(this.stateDir, "reextract-jobs.jsonl");
     const lines = events.map((event) => JSON.stringify(event)).join("\n") + "\n";
     try {
-      await appendFile(filePath, lines, "utf-8");
+      await this.appendStorageSecureFile(filePath, lines);
       return events.length;
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return 0;
     }
   }
@@ -3166,7 +3524,7 @@ ${memory.content}
     const safeLimit = Number.isFinite(limit) ? Math.max(1, Math.min(1e3, Math.floor(limit))) : 200;
     const filePath = path.join(this.stateDir, "reextract-jobs.jsonl");
     try {
-      const raw = await readFile(filePath, "utf-8");
+      const raw = await this.readStorageSecureFile(filePath);
       const lines = raw.split("\n").filter((line) => line.trim().length > 0);
       const parsed = [];
       for (const line of lines) {
@@ -3186,7 +3544,9 @@ ${memory.content}
         }
       }
       return parsed.slice(-safeLimit);
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return [];
     }
   }
@@ -3194,7 +3554,7 @@ ${memory.content}
     const cappedLimit = Math.max(0, Math.floor(limit));
     if (cappedLimit === 0) return [];
     try {
-      const raw = await readFile(this.behaviorSignalsPath, "utf-8");
+      const raw = await this.readStorageSecureFile(this.behaviorSignalsPath);
       const out = [];
       const lines = raw.split("\n");
       for (let i = lines.length - 1; i >= 0 && out.length < cappedLimit; i -= 1) {
@@ -3209,15 +3569,20 @@ ${memory.content}
         }
       }
       return out.reverse();
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return [];
     }
   }
   async readMemoryActionEvents(limit = 200) {
+    return (await this.readMemoryActionEventRows(limit)).map((row) => row.event);
+  }
+  async readMemoryActionEventRows(limit = 200) {
     const cappedLimit = Math.max(0, Math.floor(limit));
     if (cappedLimit === 0) return [];
     try {
-      const raw = await readFile(this.memoryActionsPath, "utf-8");
+      const raw = await this.readStorageSecureFile(this.memoryActionsPath);
       const out = [];
       const lines = raw.split("\n");
       for (let i = lines.length - 1; i >= 0 && out.length < cappedLimit; i -= 1) {
@@ -3225,20 +3590,29 @@ ${memory.content}
         if (!line) continue;
         try {
           const parsed = JSON.parse(line);
-          if (typeof parsed.timestamp === "string" && typeof parsed.action === "string" && typeof parsed.outcome === "string") {
-            out.push(parsed);
+          const outcome = parsed.outcome === "applied" || parsed.outcome === "skipped" || parsed.outcome === "failed" ? parsed.outcome : null;
+          if (typeof parsed.timestamp === "string" && typeof parsed.action === "string" && outcome !== null) {
+            out.push({
+              line: i + 1,
+              event: {
+                ...parsed,
+                outcome
+              }
+            });
           }
         } catch {
         }
       }
       return out.reverse();
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return [];
     }
   }
   async readAllMemoryLifecycleEvents() {
     try {
-      const raw = await readFile(this.memoryLifecycleLedgerPath, "utf-8");
+      const raw = await this.readStorageSecureFile(this.memoryLifecycleLedgerPath);
       const out = [];
       const lines = raw.split("\n");
       for (const line of lines) {
@@ -3253,7 +3627,9 @@ ${memory.content}
         }
       }
       return sortMemoryLifecycleEvents(out);
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return [];
     }
   }
@@ -3265,35 +3641,39 @@ ${memory.content}
   }
   async writeCompressionGuidelines(content) {
     await this.ensureDirectories();
-    await writeFile(this.compressionGuidelinesPath, content, "utf-8");
+    await this.writeStorageSecureFile(this.compressionGuidelinesPath, content);
   }
   async readCompressionGuidelines() {
     try {
-      return await readFile(this.compressionGuidelinesPath, "utf-8");
-    } catch {
+      return await this.readStorageSecureFile(this.compressionGuidelinesPath);
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return null;
     }
   }
   async writeCompressionGuidelineDraft(content) {
     await this.ensureDirectories();
-    await writeFile(this.compressionGuidelineDraftPath, content, "utf-8");
+    await this.writeStorageSecureFile(this.compressionGuidelineDraftPath, content);
   }
   async readCompressionGuidelineDraft() {
     try {
-      return await readFile(this.compressionGuidelineDraftPath, "utf-8");
-    } catch {
+      return await this.readStorageSecureFile(this.compressionGuidelineDraftPath);
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return null;
     }
   }
   async writeCompressionGuidelineOptimizerState(state) {
     await this.ensureDirectories();
-    await writeFile(this.compressionGuidelineStatePath, `${JSON.stringify(state, null, 2)}
-`, "utf-8");
+    await this.writeStorageSecureFile(this.compressionGuidelineStatePath, `${JSON.stringify(state, null, 2)}
+`);
   }
   async writeCompressionGuidelineDraftState(state) {
     await this.ensureDirectories();
-    await writeFile(this.compressionGuidelineDraftStatePath, `${JSON.stringify(state, null, 2)}
-`, "utf-8");
+    await this.writeStorageSecureFile(this.compressionGuidelineDraftStatePath, `${JSON.stringify(state, null, 2)}
+`);
   }
   async readCompressionGuidelineOptimizerState() {
     return this.readCompressionGuidelineStateFile(this.compressionGuidelineStatePath);
@@ -3341,7 +3721,7 @@ ${memory.content}
       return typeof rule.action === "string" && typeof rule.delta === "number" && Number.isFinite(rule.delta) && (rule.direction === "increase" || rule.direction === "decrease" || rule.direction === "hold") && (rule.confidence === "low" || rule.confidence === "medium" || rule.confidence === "high") && Array.isArray(rule.notes) && rule.notes.every((note) => typeof note === "string");
     };
     try {
-      const raw = await readFile(filePath, "utf-8");
+      const raw = await this.readStorageSecureFile(filePath);
       const parsed = JSON.parse(raw);
       const sourceWindow = parsed?.sourceWindow;
       const eventCounts = parsed?.eventCounts;
@@ -3371,18 +3751,21 @@ ${memory.content}
         ...actionSummaries ? { actionSummaries } : {},
         ...ruleUpdates ? { ruleUpdates } : {}
       };
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return null;
     }
   }
   async writeIdentityAnchor(content) {
     await this.ensureDirectories();
-    await writeFile(this.identityAnchorPath, content, "utf-8");
+    await this.writeStorageSecureFile(this.identityAnchorPath, content);
   }
   async readIdentityAnchor() {
     try {
-      return await readFile(this.identityAnchorPath, "utf-8");
-    } catch {
+      return await this.readStorageSecureFile(this.identityAnchorPath);
+    } catch (err) {
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return null;
     }
   }
@@ -3394,7 +3777,7 @@ ${memory.content}
     const id = this.generateId("incident");
     const incident = createContinuityIncidentRecord(id, input, nowIso);
     const filePath = path.join(this.identityIncidentsDir, `${date}-${id}.md`);
-    await writeFile(filePath, serializeContinuityIncident(incident), "utf-8");
+    await this.writeStorageSecureFile(filePath, serializeContinuityIncident(incident));
     return { ...incident, filePath };
   }
   async readContinuityIncidents(limit = 200, state = "all") {
@@ -3408,16 +3791,19 @@ ${memory.content}
         if (incidents.length >= cappedLimit) break;
         const filePath = path.join(this.identityIncidentsDir, file);
         try {
-          const raw = await readFile(filePath, "utf-8");
+          const raw = await this.readStorageSecureFile(filePath);
           const parsed = parseContinuityIncident(raw);
           if (!parsed) continue;
           if (state !== "all" && parsed.state !== state) continue;
           incidents.push({ ...parsed, filePath });
-        } catch {
+        } catch (err) {
+          if (err instanceof SecureStoreLockedError) throw err;
         }
       }
       return incidents;
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return [];
     }
   }
@@ -3427,7 +3813,7 @@ ${memory.content}
     if (!target || !directFilePath) return null;
     if (target.state === "closed") return target;
     const closed = closeContinuityIncidentRecord(target, closure, (/* @__PURE__ */ new Date()).toISOString());
-    await writeFile(directFilePath, serializeContinuityIncident(closed), "utf-8");
+    await this.writeStorageSecureFile(directFilePath, serializeContinuityIncident(closed));
     return { ...closed, filePath: directFilePath };
   }
   async writeIdentityAudit(period, key, content) {
@@ -3435,26 +3821,29 @@ ${memory.content}
     const safeKey = this.sanitizeIdentityAuditKey(key);
     const dir = period === "weekly" ? this.identityAuditsWeeklyDir : this.identityAuditsMonthlyDir;
     const filePath = path.join(dir, `${safeKey}.md`);
-    await writeFile(filePath, content, "utf-8");
+    await this.writeStorageSecureFile(filePath, content);
     return filePath;
   }
   async readIdentityAudit(period, key) {
     try {
       const safeKey = this.sanitizeIdentityAuditKey(key);
       const dir = period === "weekly" ? this.identityAuditsWeeklyDir : this.identityAuditsMonthlyDir;
-      return await readFile(path.join(dir, `${safeKey}.md`), "utf-8");
-    } catch {
+      return await this.readStorageSecureFile(path.join(dir, `${safeKey}.md`));
+    } catch (err) {
+      if (err instanceof Error && err.message === "Invalid identity audit key") return null;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return null;
     }
   }
   async writeIdentityImprovementLoops(content) {
     await this.ensureDirectories();
-    await writeFile(this.identityImprovementLoopsPath, content, "utf-8");
+    await this.writeStorageSecureFile(this.identityImprovementLoopsPath, content);
   }
   async readIdentityImprovementLoops() {
     try {
-      return await readFile(this.identityImprovementLoopsPath, "utf-8");
-    } catch {
+      return await this.readStorageSecureFile(this.identityImprovementLoopsPath);
+    } catch (err) {
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return null;
     }
   }
@@ -3491,10 +3880,11 @@ ${memory.content}
   }
   async readContinuityIncidentFile(filePath) {
     try {
-      const raw = await readFile(filePath, "utf-8");
+      const raw = await this.readStorageSecureFile(filePath);
       const parsed = parseContinuityIncident(raw);
       return parsed ? { ...parsed, filePath } : null;
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
       return null;
     }
   }
@@ -3562,7 +3952,7 @@ ${question}
       for (const file of files) {
         if (!file.endsWith(".md")) continue;
         const filePath = path.join(this.questionsDir, file);
-        const raw = await readFile(filePath, "utf-8");
+        const raw = await readMaybeEncryptedFile(filePath, this._secureStoreKey, this.baseDir);
         const parsed = this.parseQuestionFile(raw, filePath);
         if (parsed) {
           questions.push(parsed);
@@ -3693,20 +4083,22 @@ ${reflection}
   }
   async readIdentityReflections() {
     try {
-      return await readFile(this.identityReflectionsPath, "utf-8");
-    } catch {
+      return await this.readStorageSecureFile(this.identityReflectionsPath);
+    } catch (err) {
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return null;
     }
   }
   async writeIdentityReflections(content) {
     await mkdir(this.identityDir, { recursive: true });
-    await writeFile(this.identityReflectionsPath, content, "utf-8");
+    await this.writeStorageSecureFile(this.identityReflectionsPath, content);
   }
   async appendIdentityReflection(reflection) {
     let existing = "";
     try {
-      existing = await readFile(this.identityReflectionsPath, "utf-8");
-    } catch {
+      existing = await this.readStorageSecureFile(this.identityReflectionsPath);
+    } catch (err) {
+      if (!isErrnoCode(err, "ENOENT")) throw err;
     }
     if (existing.length > _StorageManager.IDENTITY_MAX_BYTES) {
       log.debug(
@@ -3731,7 +4123,7 @@ ${reflection}
 ${reflection}
 `;
     await mkdir(this.identityDir, { recursive: true });
-    await writeFile(this.identityReflectionsPath, `${existing.trimEnd()}${section}`, "utf-8");
+    await this.writeStorageSecureFile(this.identityReflectionsPath, `${existing.trimEnd()}${section}`);
     log.debug(`appended namespace-local reflection to ${this.identityReflectionsPath}`);
   }
   // ---------------------------------------------------------------------------
@@ -3745,9 +4137,11 @@ ${reflection}
     const filePath = path.join(this.entitiesDir, `${name}.md`);
     let entity;
     try {
-      const content = await readFile(filePath, "utf-8");
+      const content = await this.readStorageSecureFile(filePath);
       entity = parseEntityFile(content, this.entitySchemas);
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       log.debug(`addEntityRelationship: entity file ${name}.md not found`);
       return;
     }
@@ -3757,7 +4151,7 @@ ${reflection}
     if (exists) return;
     entity.relationships.push(rel);
     entity.updated = (/* @__PURE__ */ new Date()).toISOString();
-    await writeFile(filePath, serializeEntityFile(entity, this.entitySchemas), "utf-8");
+    await this.writeStorageSecureFile(filePath, serializeEntityFile(entity, this.entitySchemas));
     this.invalidateKnowledgeIndexCache();
   }
   /**
@@ -3768,9 +4162,11 @@ ${reflection}
     const filePath = path.join(this.entitiesDir, `${name}.md`);
     let entity;
     try {
-      const content = await readFile(filePath, "utf-8");
+      const content = await this.readStorageSecureFile(filePath);
       entity = parseEntityFile(content, this.entitySchemas);
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       log.debug(`addEntityActivity: entity file ${name}.md not found`);
       return;
     }
@@ -3779,7 +4175,7 @@ ${reflection}
       entity.activity = entity.activity.slice(0, maxEntries);
     }
     entity.updated = (/* @__PURE__ */ new Date()).toISOString();
-    await writeFile(filePath, serializeEntityFile(entity, this.entitySchemas), "utf-8");
+    await this.writeStorageSecureFile(filePath, serializeEntityFile(entity, this.entitySchemas));
     this.invalidateKnowledgeIndexCache();
   }
   /**
@@ -3789,16 +4185,18 @@ ${reflection}
     const filePath = path.join(this.entitiesDir, `${name}.md`);
     let entity;
     try {
-      const content = await readFile(filePath, "utf-8");
+      const content = await this.readStorageSecureFile(filePath);
       entity = parseEntityFile(content, this.entitySchemas);
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       log.debug(`addEntityAlias: entity file ${name}.md not found`);
       return;
     }
     if (entity.aliases.includes(alias)) return;
     entity.aliases.push(alias);
     entity.updated = (/* @__PURE__ */ new Date()).toISOString();
-    await writeFile(filePath, serializeEntityFile(entity, this.entitySchemas), "utf-8");
+    await this.writeStorageSecureFile(filePath, serializeEntityFile(entity, this.entitySchemas));
     this.invalidateKnowledgeIndexCache();
   }
   /**
@@ -3808,9 +4206,11 @@ ${reflection}
     const filePath = path.join(this.entitiesDir, `${name}.md`);
     let entity;
     try {
-      const content = await readFile(filePath, "utf-8");
+      const content = await this.readStorageSecureFile(filePath);
       entity = parseEntityFile(content, this.entitySchemas);
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       log.debug(`updateEntitySynthesis: entity file ${name}.md not found`);
       return;
     }
@@ -3827,7 +4227,7 @@ ${reflection}
     entity.synthesisStructuredFactDigest = synthesisStructuredFactDigest;
     entity.synthesisVersion = Math.max(0, entity.synthesisVersion ?? 0) + (options.incrementVersion === false ? 0 : 1);
     entity.updated = entityUpdatedAt;
-    await writeFile(filePath, serializeEntityFile(entity, this.entitySchemas), "utf-8");
+    await this.writeStorageSecureFile(filePath, serializeEntityFile(entity, this.entitySchemas));
     await this.removeEntitySynthesisQueueEntries([
       .../* @__PURE__ */ new Set([name, normalizeEntityName(entity.name, entity.type)])
     ]);
@@ -3842,9 +4242,11 @@ ${reflection}
     let synthesisTimelineCount;
     try {
       const filePath = path.join(this.entitiesDir, `${name}.md`);
-      const content = await readFile(filePath, "utf-8");
+      const content = await this.readStorageSecureFile(filePath);
       synthesisTimelineCount = parseEntityFile(content, this.entitySchemas).timeline.length;
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       synthesisTimelineCount = void 0;
     }
     await this.updateEntitySynthesis(name, summary, {
@@ -3855,10 +4257,12 @@ ${reflection}
   }
   async readEntitySynthesisQueue() {
     try {
-      const raw = await readFile(this.entitySynthesisQueuePath, "utf-8");
+      const raw = await this.readStorageSecureFile(this.entitySynthesisQueuePath);
       const parsed = JSON.parse(raw);
       return Array.isArray(parsed.entityNames) ? parsed.entityNames.filter((value) => typeof value === "string") : [];
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return [];
     }
   }
@@ -3880,7 +4284,7 @@ ${reflection}
       return compareEntityTimestamps(rightTs, leftTs);
     }).map(({ entityName }) => entityName);
     await mkdir(this.stateDir, { recursive: true });
-    await writeFile(
+    await this.writeStorageSecureFile(
       this.entitySynthesisQueuePath,
       JSON.stringify(
         {
@@ -3889,8 +4293,7 @@ ${reflection}
         },
         null,
         2
-      ) + "\n",
-      "utf-8"
+      ) + "\n"
     );
     return staleEntityNames;
   }
@@ -3901,7 +4304,7 @@ ${reflection}
     const removals = new Set(entityNames);
     const nextQueue = queue.filter((name) => !removals.has(name));
     await mkdir(this.stateDir, { recursive: true });
-    await writeFile(
+    await this.writeStorageSecureFile(
       this.entitySynthesisQueuePath,
       JSON.stringify(
         {
@@ -3910,8 +4313,7 @@ ${reflection}
         },
         null,
         2
-      ) + "\n",
-      "utf-8"
+      ) + "\n"
     );
   }
   async migrateEntityFilesToCompiledTruthTimeline() {
@@ -3922,7 +4324,7 @@ ${reflection}
       if (!raw) continue;
       const serialized = serializeEntityFile(parseEntityFile(raw, this.entitySchemas), this.entitySchemas);
       if (raw.trimEnd() === serialized.trimEnd()) continue;
-      await writeFile(path.join(this.entitiesDir, `${entityName}.md`), serialized, "utf-8");
+      await this.writeStorageSecureFile(path.join(this.entitiesDir, `${entityName}.md`), serialized);
       migrated += 1;
     }
     if (migrated > 0) {
@@ -3944,7 +4346,8 @@ ${reflection}
   async readAllEntityFiles() {
     const currentVersion = this.getMemoryStatusVersion();
     const schemaCacheKey = buildEntitySchemaCacheKey(this.entitySchemas);
-    const cached = getCachedEntities(this.baseDir, currentVersion, schemaCacheKey);
+    const cacheKey = `${this.getEntityCacheSecureStoreKey()}\0${schemaCacheKey}`;
+    const cached = getCachedEntities(this.baseDir, currentVersion, cacheKey);
     if (cached) return cached;
     try {
       const entries = await readdir(this.entitiesDir);
@@ -3955,17 +4358,24 @@ ${reflection}
       for (let i = 0; i < mdFiles.length; i += BATCH_SIZE) {
         const batch = mdFiles.slice(i, i + BATCH_SIZE);
         const results = await Promise.all(
-          batch.map(
-            (entry) => readFile(path.join(this.entitiesDir, entry), "utf-8").catch(() => null)
-          )
+          batch.map(async (entry) => {
+            try {
+              return await this.readStorageSecureFile(path.join(this.entitiesDir, entry));
+            } catch (err) {
+              if (err instanceof SecureStoreLockedError) throw err;
+              if (!isErrnoCode(err, "ENOENT")) throw err;
+              return null;
+            }
+          })
         );
         for (const content of results) {
           if (content !== null) entities.push(parseEntityFile(content, this.entitySchemas));
         }
       }
-      setCachedEntities(this.baseDir, entities, currentVersion, schemaCacheKey);
+      setCachedEntities(this.baseDir, entities, currentVersion, cacheKey);
       return entities;
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError || !isErrnoCode(err, "ENOENT")) throw err;
       return [];
     }
   }
@@ -4098,7 +4508,7 @@ ${rows.join("\n")}
         for (const file of files) {
           const filePath = path.join(this.entitiesDir, file);
           try {
-            const content = await readFile(filePath, "utf-8");
+            const content = await this.readStorageSecureFile(filePath);
             const parsed = parseEntityFile(content, this.entitySchemas);
             if (!mergedEntity.type || mergedEntity.type === "other") {
               mergedEntity.type = parsed.type;
@@ -4175,7 +4585,9 @@ ${rows.join("\n")}
               title: section.title,
               lines: [...section.lines]
             })));
-          } catch {
+          } catch (err) {
+            if (err instanceof SecureStoreLockedError) throw err;
+            if (!isErrnoCode(err, "ENOENT")) throw err;
           }
         }
         const timelineKeys = /* @__PURE__ */ new Set();
@@ -4226,7 +4638,7 @@ ${rows.join("\n")}
         mergedEntity.created = mergedEntity.created || mergedEntity.updated || (/* @__PURE__ */ new Date()).toISOString();
         mergedEntity.updated = mergedEntity.updated || (/* @__PURE__ */ new Date()).toISOString();
         const canonicalPath = path.join(this.entitiesDir, `${canonical}.md`);
-        await writeFile(canonicalPath, serializeEntityFile(mergedEntity, this.entitySchemas), "utf-8");
+        await this.writeStorageSecureFile(canonicalPath, serializeEntityFile(mergedEntity, this.entitySchemas));
         for (const file of files) {
           const filePath = path.join(this.entitiesDir, file);
           if (filePath !== canonicalPath) {
@@ -4239,7 +4651,8 @@ ${rows.join("\n")}
           }
         }
       }
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError || !isErrnoCode(err, "ENOENT")) throw err;
     }
     return merged;
   }
@@ -4293,7 +4706,7 @@ ${rows.join("\n")}
 ${memory.content}
 `;
       try {
-        await writeFile(memory.path, fileContent, "utf-8");
+        await this.writeStorageSecureFile(memory.path, fileContent);
         updated++;
       } catch (err) {
         log.debug(`failed to update access tracking for ${entry.memoryId}: ${err}`);
@@ -4434,7 +4847,7 @@ ${sanitized.text}
     } else {
       filePath = path.join(this.factsDir, today, `${id}.md`);
     }
-    await writeFile(filePath, fileContent, "utf-8");
+    await this.writeStorageSecureFile(filePath, fileContent);
     log.debug(`wrote chunk ${id} (${chunkIndex + 1}/${chunkTotal}) to ${filePath}`);
     return id;
   }
@@ -4470,7 +4883,7 @@ ${sanitized.text}
 ${oldMemory.content}
 `;
     try {
-      await writeFile(oldMemory.path, fileContent, "utf-8");
+      await writeMaybeEncryptedFile(oldMemory.path, fileContent, this.resolveWriteKey(), {}, this.baseDir);
       await this.appendGeneratedMemoryLifecycleEventFailOpen("storage.supersedeMemory", {
         memoryId: oldMemoryId,
         eventType: "superseded",
@@ -4509,7 +4922,7 @@ Reason: ${reason}`, {
   async writeSummary(summary) {
     await mkdir(this.summariesDir, { recursive: true });
     const filePath = path.join(this.summariesDir, `${summary.id}.json`);
-    await writeFile(filePath, JSON.stringify(summary, null, 2), "utf-8");
+    await this.writeStorageSecureFile(filePath, JSON.stringify(summary, null, 2));
     log.debug(`wrote summary ${summary.id}`);
   }
   /**
@@ -4522,11 +4935,13 @@ Reason: ${reason}`, {
       for (const file of files) {
         if (!file.endsWith(".json")) continue;
         const filePath = path.join(this.summariesDir, file);
-        const raw = await readFile(filePath, "utf-8");
+        const raw = await this.readStorageSecureFile(filePath);
         summaries.push(JSON.parse(raw));
       }
       return summaries;
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return [];
     }
   }
@@ -4552,7 +4967,7 @@ Reason: ${reason}`, {
 ${memory.content}
 `;
       try {
-        await writeFile(memory.path, fileContent, "utf-8");
+        await this.writeStorageSecureFile(memory.path, fileContent);
         await this.appendGeneratedMemoryLifecycleEventFailOpen("storage.archiveMemories", {
           memoryId: id,
           eventType: "archived",
@@ -4582,7 +4997,7 @@ ${memory.content}
   async saveTopics(topics) {
     const metaPath = path.join(this.stateDir, "topics.json");
     await mkdir(this.stateDir, { recursive: true });
-    await writeFile(metaPath, JSON.stringify({ topics, updatedAt: (/* @__PURE__ */ new Date()).toISOString() }, null, 2), "utf-8");
+    await this.writeStorageSecureFile(metaPath, JSON.stringify({ topics, updatedAt: (/* @__PURE__ */ new Date()).toISOString() }, null, 2));
     log.debug(`saved ${topics.length} topic scores`);
   }
   /**
@@ -4591,9 +5006,11 @@ ${memory.content}
   async loadTopics() {
     const metaPath = path.join(this.stateDir, "topics.json");
     try {
-      const raw = await readFile(metaPath, "utf-8");
+      const raw = await this.readStorageSecureFile(metaPath);
       return JSON.parse(raw);
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return { topics: [], updatedAt: null };
     }
   }
@@ -4675,4 +5092,4 @@ export {
   serializeEntityFile,
   StorageManager
 };
-//# sourceMappingURL=chunk-F5VP6YCB.js.map
+//# sourceMappingURL=chunk-DCE6SQLA.js.map