@remnic/core 9.3.613 → 9.3.615

package/src/config.ts

@@ -13,6 +13,7 @@ import type {
   HeartbeatConfig,
   IdentityInjectionMode,
   MemoryOsPresetName,
+  AgentPersonaModelConfig,
   PluginConfig,
   PrincipalRule,
   RecallPipelineConfig,
@@ -69,6 +70,81 @@ function parseBoundedIntegerMs(
   return Math.min(max, Math.max(min, Math.floor(coerced)));
 }
 
+// A gateway model string must be "provider/model" — at least one "/" with a
+// non-empty provider segment and a non-empty model segment. This mirrors
+// FallbackLlmClient.parseModelString (which requires >= 2 slash-parts), so a
+// model the runtime would silently drop is rejected at config time instead.
+function isQualifiedModelString(value: string): boolean {
+  const slash = value.indexOf("/");
+  return slash > 0 && slash < value.length - 1;
+}
+
+function parseModelChainConfig(
+  value: unknown,
+  keyName: string,
+): AgentPersonaModelConfig | undefined {
+  // Absent → not configured (no error).
+  if (value === undefined || value === null) return undefined;
+
+  // Present but malformed → reject loudly rather than silently dropping it,
+  // so a typo'd chain surfaces instead of quietly reverting to defaults
+  // (gotcha #51). Issue #1365 / PR #1370.
+  if (typeof value !== "object" || Array.isArray(value)) {
+    throw new Error(
+      `${keyName} must be an object like { "primary": "provider/model", "fallbacks": ["provider/model", ...] }; got ${JSON.stringify(value)}`,
+    );
+  }
+  const raw = value as Record<string, unknown>;
+  // Reject unknown keys (matches the manifest's additionalProperties:false) so a
+  // misspelled "fallback"/"fallbackModels" doesn't silently drop the fallback
+  // chain (gotcha #51, codex review #1425).
+  const unknownKeys = Object.keys(raw).filter((k) => k !== "primary" && k !== "fallbacks");
+  if (unknownKeys.length > 0) {
+    throw new Error(
+      `${keyName} has unknown propert${unknownKeys.length === 1 ? "y" : "ies"}: ${unknownKeys.join(", ")}. Allowed: "primary", "fallbacks".`,
+    );
+  }
+  if (typeof raw.primary !== "string" || raw.primary.trim().length === 0) {
+    throw new Error(
+      `${keyName}.primary is required and must be a non-empty "provider/model" string; got ${JSON.stringify(raw.primary)}`,
+    );
+  }
+  const primary = raw.primary.trim();
+  if (!isQualifiedModelString(primary)) {
+    throw new Error(
+      `${keyName}.primary must be in "provider/model" form (e.g. "zai/glm-4.7-flash"); got ${JSON.stringify(primary)}`,
+    );
+  }
+
+  let dedupedFallbacks: string[] | undefined;
+  if (raw.fallbacks !== undefined) {
+    if (!Array.isArray(raw.fallbacks)) {
+      throw new Error(
+        `${keyName}.fallbacks must be an array of "provider/model" strings; got ${JSON.stringify(raw.fallbacks)}`,
+      );
+    }
+    if (raw.fallbacks.some((item) => typeof item !== "string")) {
+      throw new Error(`${keyName}.fallbacks must contain only strings`);
+    }
+    const trimmed = raw.fallbacks
+      .map((item) => (item as string).trim())
+      .filter((item) => item.length > 0 && item !== primary);
+    for (const fb of trimmed) {
+      if (!isQualifiedModelString(fb)) {
+        throw new Error(
+          `${keyName}.fallbacks entries must be in "provider/model" form; got ${JSON.stringify(fb)}`,
+        );
+      }
+    }
+    dedupedFallbacks = [...new Set(trimmed)];
+  }
+
+  return {
+    primary,
+    ...(dedupedFallbacks && dedupedFallbacks.length > 0 ? { fallbacks: dedupedFallbacks } : {}),
+  };
+}
+
 function parsePositiveInteger(value: unknown, keyName: string): number | undefined {
   if (value === undefined || value === null) return undefined;
   const coerced = coerceNumber(value);
@@ -139,6 +215,51 @@ function parseQmdChunkStrategy(value: unknown): "auto" | "regex" {
   throw new Error(`qmdChunkStrategy must be "auto" or "regex"; got ${JSON.stringify(value)}`);
 }
 
+// Issue #1335. Default "hybrid" preserves the historical lex+vec+hyde daemon plan.
+function parseQmdSearchStrategy(value: unknown): "hybrid" | "lex-vec" | "lex" {
+  if (value === undefined || value === null) return "hybrid";
+  if (typeof value !== "string") {
+    throw new Error(
+      `qmdSearchStrategy must be one of "hybrid", "lex-vec", or "lex"; got ${JSON.stringify(value)}`,
+    );
+  }
+  const normalized = value.trim().toLowerCase();
+  if (normalized === "hybrid" || normalized === "lex-vec" || normalized === "lex") {
+    return normalized;
+  }
+  throw new Error(
+    `qmdSearchStrategy must be one of "hybrid", "lex-vec", or "lex"; got ${JSON.stringify(value)}`,
+  );
+}
+
+// Issue #1335. Reject non-numeric / non-integer timeouts rather than silently
+// coercing them (gotcha #51), then clamp valid integers to the documented bounds.
+function parseQmdDaemonTimeoutMs(value: unknown): number {
+  if (value === undefined || value === null) return 8_000;
+  const coerced = coerceNumber(value);
+  if (coerced === undefined || !Number.isInteger(coerced)) {
+    throw new Error(
+      `qmdDaemonTimeoutMs must be an integer number of milliseconds between 1000 and 120000; got ${JSON.stringify(value)}`,
+    );
+  }
+  return Math.min(120_000, Math.max(1_000, coerced));
+}
+
+// Issue #1335. Default "query" keeps `qmd query` (LLM expansion + rerank) per gotcha #7.
+function parseQmdSubprocessStrategy(value: unknown): "query" | "search" {
+  if (value === undefined || value === null) return "query";
+  if (typeof value !== "string") {
+    throw new Error(
+      `qmdSubprocessStrategy must be one of "query" or "search"; got ${JSON.stringify(value)}`,
+    );
+  }
+  const normalized = value.trim().toLowerCase();
+  if (normalized === "query" || normalized === "search") return normalized;
+  throw new Error(
+    `qmdSubprocessStrategy must be one of "query" or "search"; got ${JSON.stringify(value)}`,
+  );
+}
+
 function parseOptionalNonEmptyString(value: unknown): string | undefined {
   if (typeof value !== "string") return undefined;
   const normalized = value.trim();
@@ -230,6 +351,38 @@ function coerceBooleanLike(value: unknown): boolean | undefined {
   return undefined;
 }
 
+/**
+ * Resolve the `emitLegacyTools` opt-out (issue #1427): config field wins, then
+ * the REMNIC_/ENGRAM_ env var, then default true. A *present-but-malformed*
+ * value fails fast rather than silently re-enabling legacy aliases — this knob
+ * controls the advertised MCP `tools/list` surface, so a typo like
+ * `emitLegacyTools=fales` must not be misread as `true` (gotcha #51).
+ */
+function resolveEmitLegacyTools(configValue: unknown): boolean {
+  const ACCEPTED = "true/false/1/0/yes/no/on/off";
+  if (configValue !== undefined && configValue !== null) {
+    const coerced = coerceBooleanLike(configValue);
+    if (coerced === undefined) {
+      throw new Error(
+        `emitLegacyTools must be a boolean-like value (${ACCEPTED}); got ${JSON.stringify(configValue)}`,
+      );
+    }
+    return coerced;
+  }
+  const envRaw =
+    readEnvVar("REMNIC_EMIT_LEGACY_TOOLS") ?? readEnvVar("ENGRAM_EMIT_LEGACY_TOOLS");
+  if (envRaw !== undefined) {
+    const coerced = coerceBooleanLike(envRaw);
+    if (coerced === undefined) {
+      throw new Error(
+        `REMNIC_EMIT_LEGACY_TOOLS must be a boolean-like value (${ACCEPTED}); got "${envRaw}"`,
+      );
+    }
+    return coerced;
+  }
+  return true;
+}
+
 export function isOpenaiApiKeyDisabled(value: unknown): boolean {
   return value === false || (typeof value === "string" && value.trim().toLowerCase() === "false");
 }
@@ -1379,6 +1532,9 @@ export function parseConfig(raw: unknown): PluginConfig {
     qmdChunkStrategy: parseQmdChunkStrategy(cfg.qmdChunkStrategy),
     qmdCandidateLimit: parsePositiveInteger(cfg.qmdCandidateLimit, "qmdCandidateLimit"),
     qmdQueryRerankEnabled: coerceBooleanLike(cfg.qmdQueryRerankEnabled) ?? true,
+    qmdSearchStrategy: parseQmdSearchStrategy(cfg.qmdSearchStrategy),
+    qmdSubprocessStrategy: parseQmdSubprocessStrategy(cfg.qmdSubprocessStrategy),
+    qmdDaemonTimeoutMs: parseQmdDaemonTimeoutMs(cfg.qmdDaemonTimeoutMs),
     qmdIndexName: parseOptionalNonEmptyString(cfg.qmdIndexName),
     qmdForceCpu: coerceBooleanLike(cfg.qmdForceCpu) ?? false,
     qmdGpuBackend: parseQmdGpuBackend(cfg.qmdGpuBackend),
@@ -2377,6 +2533,7 @@ export function parseConfig(raw: unknown): PluginConfig {
       typeof cfg.fastGatewayAgentId === "string" && cfg.fastGatewayAgentId.length > 0
         ? cfg.fastGatewayAgentId
         : "",
+    taskModelChain: parseModelChainConfig(cfg.taskModelChain, "taskModelChain"),
 
     // v3.0 namespaces (default off)
     namespacesEnabled: cfg.namespacesEnabled === true,
@@ -2716,20 +2873,30 @@ export function parseConfig(raw: unknown): PluginConfig {
           .filter((param): param is string => typeof param === "string" && param.trim().length > 0)
       : [...DEFAULT_BEHAVIOR_LOOP_PROTECTED_PARAMS],
     // v8.0 phase 1
-    recallPlannerEnabled: cfg.recallPlannerEnabled !== false,
+    // All recallPlanner boolean gates coerce boolean-like strings so CLI/env
+    // surfaces (`--config recallPlanner*=true|false`) behave correctly — the
+    // shadow-mode/telemetry/enable flags are documented rollout switches and
+    // must not silently ignore string values (gotcha #36, #1428 review).
+    recallPlannerEnabled: coerceBooleanLike(cfg.recallPlannerEnabled) ?? true,
+    // Issue #1367 / Option C: LLM-based recall planning is opt-in so the
+    // default recall path stays heuristic (no added latency / LLM call unless
+    // the operator asks for it — gotcha #30). Coerce boolean-like strings so
+    // CLI/env surfaces (`--config recallPlannerLlmEnabled=true`) actually
+    // enable it (gotcha #36); defaults off.
+    recallPlannerLlmEnabled: coerceBooleanLike(cfg.recallPlannerLlmEnabled) ?? false,
     recallPlannerModel:
       typeof cfg.recallPlannerModel === "string" && cfg.recallPlannerModel.trim().length > 0
         ? cfg.recallPlannerModel.trim()
         : DEFAULT_REASONING_MODEL,
     recallPlannerTimeoutMs:
       typeof cfg.recallPlannerTimeoutMs === "number" ? cfg.recallPlannerTimeoutMs : 1500,
-    recallPlannerUseResponsesApi: cfg.recallPlannerUseResponsesApi !== false,
+    recallPlannerUseResponsesApi: coerceBooleanLike(cfg.recallPlannerUseResponsesApi) ?? true,
     recallPlannerMaxPromptChars:
       typeof cfg.recallPlannerMaxPromptChars === "number" ? cfg.recallPlannerMaxPromptChars : 4000,
     recallPlannerMaxMemoryHints:
       typeof cfg.recallPlannerMaxMemoryHints === "number" ? cfg.recallPlannerMaxMemoryHints : 24,
-    recallPlannerShadowMode: cfg.recallPlannerShadowMode === true,
-    recallPlannerTelemetryEnabled: cfg.recallPlannerTelemetryEnabled !== false,
+    recallPlannerShadowMode: coerceBooleanLike(cfg.recallPlannerShadowMode) ?? false,
+    recallPlannerTelemetryEnabled: coerceBooleanLike(cfg.recallPlannerTelemetryEnabled) ?? true,
     recallPlannerMaxQmdResultsMinimal:
       typeof cfg.recallPlannerMaxQmdResultsMinimal === "number"
         ? cfg.recallPlannerMaxQmdResultsMinimal
@@ -3422,6 +3589,10 @@ export function parseConfig(raw: unknown): PluginConfig {
         ? cfg.binaryLifecycleBackendPath.trim()
         : "",
 
+    // Legacy MCP tool aliases opt-out (issue #1427). Config field wins; then
+    // the REMNIC_/ENGRAM_ env var (gotcha #9); default true for back-compat.
+    // Malformed values fail fast rather than silently defaulting (gotcha #51).
+    emitLegacyTools: resolveEmitLegacyTools(cfg.emitLegacyTools),
     // Codex citation parity (issue #379)
     citationsEnabled: cfg.citationsEnabled === true,
     citationsAutoDetect: cfg.citationsAutoDetect !== false,

package/src/connectors/codex-materialize-runner.ts

@@ -70,8 +70,9 @@ export async function runCodexMaterialize(
   }
 
   // Per-trigger gate: session-end runs must honor codexMaterializeOnSessionEnd.
-  // session-end.sh passes reason="session_end"; when the user has turned off the
-  // session-end trigger we short-circuit here without touching disk.
+  // The Codex Stop hook (remnic-codex-hook.cjs, session-end event) passes
+  // reason="session_end"; when the user has turned off the session-end trigger
+  // we short-circuit here without touching disk.
   if (options.reason === "session_end" && cfg.codexMaterializeOnSessionEnd === false) {
     log.debug(
       `[codex-materialize] skipped — session-end disabled via codexMaterializeOnSessionEnd=false`,
@@ -199,8 +200,10 @@ function resolveNamespaceDir(
 ): string {
   if (!cfg.namespacesEnabled) return memoryDir;
 
-  const defaultNamespace = (cfg.defaultNamespace ?? "").trim();
-  const ns = (namespace || defaultNamespace || "default").trim();
+  const configuredDefaultNamespace = (cfg.defaultNamespace ?? "").trim();
+  const defaultNamespace =
+    configuredDefaultNamespace.length > 0 ? configuredDefaultNamespace : "default";
+  const ns = (namespace || defaultNamespace).trim();
   if (!isSafeRouteNamespace(ns)) {
     throw new Error(`invalid materialize namespace: ${ns}`);
   }

package/src/consolidation-provenance-check.ts

@@ -18,7 +18,7 @@
  */
 
 import path from "node:path";
-import { access, readdir, readFile, stat } from "node:fs/promises";
+import { lstat, readdir, readFile, realpath, stat } from "node:fs/promises";
 import { constants as fsConstants } from "node:fs";
 import type { StorageManager } from "./storage.js";
 import {
@@ -499,7 +499,7 @@ export async function runConsolidationProvenanceCheck(options: {
     const scanRoots = ["facts", "corrections", "procedures", "reasoning-traces"];
     for (const rootName of scanRoots) {
       const rootPath = path.join(memoryDir, rootName);
-      for await (const file of walkMarkdownFiles(rootPath)) {
+      for await (const file of walkMarkdownFiles(rootPath, memoryDir)) {
         if (seenPaths.has(file)) continue;
         try {
           const raw = await readFile(file, "utf-8");
@@ -531,21 +531,40 @@ export async function runConsolidationProvenanceCheck(options: {
 /**
  * Recursively yield all `.md` file paths under `root`.  Silent on
  * missing directories — the facts/corrections dirs may not exist in
- * fresh installs.
+ * fresh installs.  Symlinked roots/directories are skipped so the
+ * best-effort parse-failure pass cannot escape `memoryDir`.
  */
-async function* walkMarkdownFiles(root: string): AsyncGenerator<string> {
+async function* walkMarkdownFiles(root: string, memoryDir: string): AsyncGenerator<string> {
   let entries;
+  let memoryDirReal: string;
   try {
+    const rootStat = await lstat(root);
+    if (!rootStat.isDirectory() || rootStat.isSymbolicLink()) return;
+    memoryDirReal = await realpath(memoryDir);
+    const rootReal = await realpath(root);
+    if (!isPathWithin(rootReal, memoryDirReal)) return;
     entries = await readdir(root, { withFileTypes: true });
   } catch {
     return;
   }
   for (const entry of entries) {
     const full = path.join(root, entry.name);
+    if (entry.isSymbolicLink()) continue;
     if (entry.isDirectory()) {
-      yield* walkMarkdownFiles(full);
+      yield* walkMarkdownFiles(full, memoryDirReal);
     } else if (entry.isFile() && entry.name.endsWith(".md")) {
+      try {
+        const fileReal = await realpath(full);
+        if (!isPathWithin(fileReal, memoryDirReal)) continue;
+      } catch {
+        continue;
+      }
       yield full;
     }
   }
 }
+
+function isPathWithin(candidate: string, root: string): boolean {
+  const relative = path.relative(root, candidate);
+  return relative === "" || (!!relative && !relative.startsWith("..") && !path.isAbsolute(relative));
+}

package/src/conversation-index/indexer.test.ts

@@ -98,6 +98,28 @@ test("writeConversationChunks keeps distinct raw session keys from overwriting a
   }
 });
 
+test("writeConversationChunks quotes metadata scalars in front matter", async () => {
+  const root = await mkdtemp(path.join(os.tmpdir(), "remnic-conversation-index-"));
+  try {
+    const sessionKey = "agent\nkind: other\n---\ncolon: value";
+    const written = await writeConversationChunks(root, [
+      sampleChunk({
+        sessionKey,
+        startTs: "2026-05-17T00:00:00.000Z",
+        endTs: "2026-05-17T00:01:00.000Z",
+      }),
+    ]);
+
+    const content = await readFile(written[0]!, "utf-8");
+    assert.match(content, /^sessionKey: "agent\\nkind: other\\n---\\ncolon: value"$/m);
+    assert.match(content, /^startTs: "2026-05-17T00:00:00.000Z"$/m);
+    assert.match(content, /^endTs: "2026-05-17T00:01:00.000Z"$/m);
+    assert.doesNotMatch(content, /^kind: other$/m);
+  } finally {
+    await rm(root, { recursive: true, force: true });
+  }
+});
+
 test("writeConversationChunks rejects invalid chunk timestamps before deriving paths", async () => {
   const root = await mkdtemp(path.join(os.tmpdir(), "remnic-conversation-index-"));
   try {

package/src/conversation-index/indexer.ts

@@ -40,6 +40,10 @@ function sanitizeChunkId(id: string): string {
   return sanitizePathComponent(id, "chunk");
 }
 
+function yamlQuotedScalar(value: string): string {
+  return JSON.stringify(value);
+}
+
 function datePathComponent(startTs: string): string {
   const match = typeof startTs === "string"
     ? /^(\d{4})-(\d{2})-(\d{2})T/.exec(startTs)
@@ -153,9 +157,9 @@ export async function writeConversationChunks(
     const content =
       `---\n` +
       `kind: conversation_chunk\n` +
-      `sessionKey: ${c.sessionKey}\n` +
-      `startTs: ${c.startTs}\n` +
-      `endTs: ${c.endTs}\n` +
+      `sessionKey: ${yamlQuotedScalar(c.sessionKey)}\n` +
+      `startTs: ${yamlQuotedScalar(c.startTs)}\n` +
+      `endTs: ${yamlQuotedScalar(c.endTs)}\n` +
       `---\n\n` +
       c.text +
       "\n";

package/src/cross-namespace-budget.test.ts

@@ -40,18 +40,47 @@ test("enabled budget warns past soft and denies past hard", () => {
   const limiter = new CrossNamespaceBudget({
     enabled: true,
     softLimit: 2,
-    hardLimit: 3,
+    hardLimit: 4,
     windowMs: 10_000,
   });
   assert.equal(limiter.record("p1", 1).reason, "allowed-under-soft");
   assert.equal(limiter.record("p1", 2).reason, "allowed-under-soft");
   assert.equal(limiter.record("p1", 3).reason, "warn-over-soft");
-  // 4th call crosses hardLimit (count would be 4 > 3) => deny.
+  // 4th call reaches hardLimit and is denied.
   const deny = limiter.record("p1", 4);
   assert.equal(deny.allowed, false);
   assert.equal(deny.reason, "deny-over-hard");
 });
 
+test("enabled budget denies the threshold-crossing hard-limit request", () => {
+  const limiter = new CrossNamespaceBudget({
+    enabled: true,
+    softLimit: 0,
+    hardLimit: 2,
+    windowMs: 10_000,
+  });
+
+  const first = limiter.record("p1", 1);
+  assert.equal(first.allowed, true);
+  assert.equal(first.reason, "warn-over-soft");
+  assert.equal(first.count, 1);
+
+  const beforeSecond = limiter.peek({
+    principal: "p1",
+    principalNamespace: "alice",
+    queryNamespace: "bob",
+    now: 2,
+  });
+  assert.equal(beforeSecond.allowed, false);
+  assert.equal(beforeSecond.reason, "deny-over-hard");
+  assert.equal(beforeSecond.count, 1);
+
+  const second = limiter.record("p1", 2);
+  assert.equal(second.allowed, false);
+  assert.equal(second.reason, "deny-over-hard");
+  assert.equal(second.count, 1);
+});
+
 test("sliding window drops old timestamps", () => {
   const limiter = new CrossNamespaceBudget({
     enabled: true,
@@ -61,10 +90,9 @@ test("sliding window drops old timestamps", () => {
   });
   // Fill to hard.
   limiter.record("p1", 0);
-  limiter.record("p1", 50);
-  assert.equal(limiter.record("p1", 80).reason, "deny-over-hard");
+  assert.equal(limiter.record("p1", 50).reason, "deny-over-hard");
 
-  // Walk past the window so the first two slide out.
+  // Walk past the window so the first allowed timestamp slides out.
   const d = limiter.record("p1", 201);
   assert.equal(d.allowed, true);
   assert.equal(d.reason, "allowed-under-soft");
@@ -75,7 +103,7 @@ test("per-principal isolation: one principal's denial does not affect another",
   const limiter = new CrossNamespaceBudget({
     enabled: true,
     softLimit: 1,
-    hardLimit: 1,
+    hardLimit: 2,
     windowMs: 10_000,
   });
   limiter.record("alice", 10);
@@ -107,7 +135,7 @@ test("check() engages on cross-namespace", () => {
   const limiter = new CrossNamespaceBudget({
     enabled: true,
     softLimit: 1,
-    hardLimit: 1,
+    hardLimit: 2,
     windowMs: 10_000,
   });
   const d1 = limiter.check({
@@ -131,7 +159,7 @@ test("denied calls do not push bucket forward", () => {
   const limiter = new CrossNamespaceBudget({
     enabled: true,
     softLimit: 1,
-    hardLimit: 1,
+    hardLimit: 2,
     windowMs: 100,
   });
   limiter.record("p1", 0);
@@ -150,7 +178,7 @@ test("missing principal is bucketed under __anonymous__ rather than failing open
   const limiter = new CrossNamespaceBudget({
     enabled: true,
     softLimit: 0,
-    hardLimit: 1,
+    hardLimit: 2,
     windowMs: 10_000,
   });
   // An empty-string principal shares the anonymous bucket.
@@ -168,8 +196,7 @@ test("reset clears all state", () => {
     windowMs: 10_000,
   });
   limiter.record("p1", 1);
-  limiter.record("p1", 2);
-  assert.equal(limiter.record("p1", 3).reason, "deny-over-hard");
+  assert.equal(limiter.record("p1", 2).reason, "deny-over-hard");
   limiter.reset();
   const after = limiter.record("p1", 4);
   assert.equal(after.allowed, true);
@@ -231,7 +258,7 @@ test("record() normalizes non-finite clocks before mutating limiter state", () =
   const limiter = new CrossNamespaceBudget({
     enabled: true,
     softLimit: 1,
-    hardLimit: 1,
+    hardLimit: 2,
     windowMs: 100,
   });
 
@@ -254,7 +281,7 @@ test("peek() with a non-finite clock is read-only and does not poison state", ()
   const limiter = new CrossNamespaceBudget({
     enabled: true,
     softLimit: 0,
-    hardLimit: 1,
+    hardLimit: 2,
     windowMs: 100,
   });
 
@@ -293,14 +320,10 @@ test("bucket is evicted after a denial rolls the only timestamp back", () => {
     hardLimit: 1,
     windowMs: 100,
   });
-  limiter.record("p1", 0);
-  // Denial at t=150 after the earlier timestamp has slid out. The
-  // timestamp just added gets rolled back; bucket becomes empty; must
-  // be evicted.
-  limiter.record("p1", 150);
-  // (wait — the above is allowed because the earlier timestamp slid out.)
-  // Force a deny path differently:
-  assert.equal(limiter.bucketCount(), 1);
+  const denied = limiter.record("p1", 0);
+  assert.equal(denied.allowed, false);
+  assert.equal(denied.reason, "deny-over-hard");
+  assert.equal(limiter.bucketCount(), 0);
 });
 
 test("check() does NOT fail-open when both namespaces are empty or undefined", () => {

package/src/cross-namespace-budget.ts

@@ -207,7 +207,7 @@ export class CrossNamespaceBudget {
     this.buckets.set(principal, bucket);
     const count = bucket.timestamps.length;
 
-    if (count > hardLimit) {
+    if (count >= hardLimit) {
       // Denied: roll back the timestamp we just added so a repeated denied
       // call does not push the bucket further into the future. This keeps
       // the limiter stateless with respect to denied attempts.
@@ -290,7 +290,7 @@ export class CrossNamespaceBudget {
       if (ts >= cutoff) liveCount++;
     }
     const projected = liveCount + 1; // +1 for the current call
-    if (projected > hardLimit) {
+    if (projected >= hardLimit) {
       return { allowed: false, reason: "deny-over-hard", count: liveCount, limit };
     }
     if (projected > softLimit) {

package/src/enrichment/pipeline.ts

@@ -32,12 +32,12 @@ interface RateLimitBucket {
 
 const rateBuckets = new Map<string, RateLimitBucket>();
 
-function isRateLimited(
+function reserveRateLimitSlot(
   provider: EnrichmentProvider,
   config: EnrichmentPipelineConfig,
 ): boolean {
   const providerCfg = config.providers.find((p) => p.id === provider.id);
-  if (!providerCfg?.rateLimit) return false;
+  if (!providerCfg?.rateLimit) return true;
 
   const now = Date.now();
   let bucket = rateBuckets.get(provider.id);
@@ -62,17 +62,13 @@ function isRateLimited(
   }
 
   const { maxPerMinute, maxPerDay } = providerCfg.rateLimit;
-  return bucket.minuteCount >= maxPerMinute || bucket.dayCount >= maxPerDay;
-}
-
-function recordCall(
-  providerId: string,
-): void {
-  const bucket = rateBuckets.get(providerId);
-  if (bucket) {
-    bucket.minuteCount += 1;
-    bucket.dayCount += 1;
+  if (bucket.minuteCount >= maxPerMinute || bucket.dayCount >= maxPerDay) {
+    return false;
   }
+
+  bucket.minuteCount += 1;
+  bucket.dayCount += 1;
+  return true;
 }
 
 // ---------------------------------------------------------------------------
@@ -129,8 +125,9 @@ export async function runEnrichmentPipeline(
         continue;
       }
 
-      // Check rate limit
-      if (isRateLimited(provider, config)) {
+      // Reserve quota before the awaited provider call so concurrent pipelines
+      // cannot all pass the same pre-await rate-limit check.
+      if (!reserveRateLimitSlot(provider, config)) {
         log.debug?.(
           `enrichment: skipping provider ${provider.id} for ${entity.name} — rate limited`,
         );
@@ -154,7 +151,6 @@ export async function runEnrichmentPipeline(
       try {
         candidates = await provider.enrich(entity);
       } catch (err) {
-        recordCall(provider.id);
         log.error?.(
           `enrichment: provider ${provider.id} failed for ${entity.name}: ${err instanceof Error ? err.message : String(err)}`,
         );
@@ -169,7 +165,6 @@ export async function runEnrichmentPipeline(
         });
         continue;
       }
-      recordCall(provider.id);
 
       // Tag each candidate with provider id
       for (const candidate of candidates) {

package/src/evals.ts

@@ -359,7 +359,7 @@ export function validateEvalBenchmarkManifest(
 
   return {
     schemaVersion: 1,
-    benchmarkId: assertString(raw.benchmarkId, "benchmarkId"),
+    benchmarkId: assertSafeBenchmarkId(assertString(raw.benchmarkId, "benchmarkId")),
     benchmarkType,
     title: assertString(raw.title, "title"),
     description:

package/src/explicit-capture.ts

@@ -25,6 +25,16 @@ export type ValidExplicitCapture = {
   entityRef?: string;
   expiresAt?: string;
   sourceReason?: string;
+  /**
+   * When true, `namespace` was already resolved AND authorized by the caller
+   * (the access service's `resolveCodingScopedWriteNamespace`, which auth-checks
+   * the base and derives a session-owned `project-*` overlay). The persist /
+   * queue layer then routes to it directly instead of re-validating against the
+   * static policy allow-list — which would otherwise reject legitimately-derived
+   * dynamic project namespaces (#1434). Callers that do NOT pre-authorize the
+   * namespace must leave this unset so the allow-list guard still applies.
+   */
+  namespacePreResolved?: boolean;
 };
 
 export type ExplicitCaptureSource = "memory_store" | "memory_capture" | "suggestion_submit" | "inline";
@@ -404,7 +414,9 @@ export async function persistExplicitCapture(
   candidate: ValidExplicitCapture,
   source: ExplicitCaptureSource,
 ): Promise<{ id: string; duplicateOf?: string }> {
-  const resolvedNamespace = resolveExplicitCaptureNamespace(orchestrator, candidate.namespace);
+  const resolvedNamespace = candidate.namespacePreResolved
+    ? asTrimmed(candidate.namespace)
+    : resolveExplicitCaptureNamespace(orchestrator, candidate.namespace);
   const duplicateOf = await findDuplicateExplicitCapture(orchestrator, resolvedNamespace, candidate);
   if (duplicateOf) {
     return { id: duplicateOf, duplicateOf };
@@ -490,7 +502,12 @@ export async function queueExplicitCaptureForReview(
 ): Promise<{ id: string; duplicateOf?: string }> {
   const reason = sanitizeReviewText(normalizeExplicitCaptureError(error), "explicit capture failed");
   const requestedNamespace = asTrimmed(input.namespace);
-  const queueNamespace = resolveExplicitCaptureReviewNamespace(orchestrator, requestedNamespace);
+  // A caller-pre-authorized namespace (e.g. a session-owned project overlay
+  // from the access service) routes directly; otherwise apply the static
+  // policy allow-list guard (#1434).
+  const queueNamespace = (input as { namespacePreResolved?: boolean }).namespacePreResolved
+    ? requestedNamespace
+    : resolveExplicitCaptureReviewNamespace(orchestrator, requestedNamespace);
   const content = buildExplicitCaptureReviewContent(input, reason);
   const duplicateOf = await findQueuedExplicitCaptureDuplicate(orchestrator, queueNamespace, content);
   if (duplicateOf) {