@remnic/plugin-openclaw 1.0.10 → 1.0.11

package/dist/{chunk-JJSNPSCD.js → chunk-TNH24SF6.js}

@@ -1,12 +1,17 @@
 import {
   createVersion
 } from "./chunk-6OJAU466.js";
+import {
+  SecureStoreLockedError,
+  readMaybeEncryptedFile,
+  writeMaybeEncryptedFile
+} from "./chunk-3I7RHWYT.js";
 import {
   log
 } from "./chunk-UFU5GGGA.js";
 
 // ../remnic-core/src/storage.ts
-import { access, readdir, readFile as readFile2, stat as stat2, writeFile as writeFile2, mkdir as mkdir2, unlink, rename, appendFile } from "fs/promises";
+import { access, readdir, readFile as readFile2, stat as stat2, writeFile as writeFile2, mkdir as mkdir2, unlink, appendFile } from "fs/promises";
 import { appendFileSync, mkdirSync, statSync } from "fs";
 import { createHash } from "crypto";
 import path4 from "path";
@@ -40,7 +45,7 @@ function getCachedEpisodeMap(baseDir, currentVersion) {
 function setCachedEpisodeMap(baseDir, memories, version) {
   const map = /* @__PURE__ */ new Map();
   for (const m of memories) {
-    if (m.frontmatter.status === "archived") continue;
+    if (m.frontmatter.status === "archived" || m.frontmatter.status === "forgotten") continue;
     if (m.frontmatter.memoryKind !== "episode") continue;
     map.set(m.frontmatter.id, m);
   }
@@ -58,7 +63,7 @@ function setCachedRuleMemories(baseDir, memories, version) {
   const all = [];
   for (const m of memories) {
     byId.set(m.frontmatter.id, m);
-    if (m.frontmatter.category === "rule" && m.frontmatter.status !== "archived") {
+    if (m.frontmatter.category === "rule" && m.frontmatter.status !== "archived" && m.frontmatter.status !== "forgotten") {
       all.push(m);
     }
   }
@@ -180,21 +185,41 @@ function sanitizeMemoryContent(text) {
 var CONSOLIDATION_OPERATORS = [
   "split",
   "merge",
-  "update"
+  "update",
+  "pattern-reinforcement"
 ];
 var DERIVED_FROM_ENTRY_RE = /^(.+):(\d+)$/;
-function isValidDerivedFromEntry(entry) {
-  if (typeof entry !== "string") return false;
+var DERIVED_FROM_MEMORY_ID_RE = /^[A-Za-z0-9][A-Za-z0-9_:-]*$/;
+function looksLikeSnapshotEntry(entry) {
   const match = entry.match(DERIVED_FROM_ENTRY_RE);
   if (!match) return false;
   const pathPart = match[1];
-  if (pathPart.length === 0 || pathPart.trim().length === 0) return false;
-  const versionNum = Number(match[2]);
-  return Number.isInteger(versionNum) && versionNum >= 0;
+  return pathPart.includes("/") || pathPart.includes(".");
+}
+function isValidDerivedFromEntry(entry) {
+  if (typeof entry !== "string") return false;
+  if (entry.length === 0) return false;
+  if (looksLikeSnapshotEntry(entry)) {
+    const match = entry.match(DERIVED_FROM_ENTRY_RE);
+    if (!match) return false;
+    const pathPart = match[1];
+    if (pathPart.length === 0 || pathPart.trim().length === 0) return false;
+    const versionNum = Number(match[2]);
+    return Number.isInteger(versionNum) && versionNum >= 0;
+  }
+  return DERIVED_FROM_MEMORY_ID_RE.test(entry);
 }
 function isConsolidationOperator(value) {
   return typeof value === "string" && CONSOLIDATION_OPERATORS.includes(value);
 }
+var SEMANTIC_CONSOLIDATION_LLM_OPERATORS = [
+  "split",
+  "merge",
+  "update"
+];
+function isSemanticConsolidationLlmOperator(value) {
+  return typeof value === "string" && SEMANTIC_CONSOLIDATION_LLM_OPERATORS.includes(value);
+}
 
 // ../remnic-core/src/entity-schema.ts
 var DEFAULT_ENTITY_SCHEMAS = {
@@ -541,6 +566,15 @@ function stripCitationForTemplate(text, template) {
 }
 
 // ../remnic-core/src/types.ts
+var RECALL_DISCLOSURE_LEVELS = [
+  "chunk",
+  "section",
+  "raw"
+];
+var DEFAULT_RECALL_DISCLOSURE = "chunk";
+function isRecallDisclosure(value) {
+  return typeof value === "string" && RECALL_DISCLOSURE_LEVELS.includes(value);
+}
 function confidenceTier(score) {
   if (score >= 0.95) return "explicit";
   if (score >= 0.7) return "implied";
@@ -1269,6 +1303,9 @@ function inferMemoryStatus(frontmatter, pathRel, fallbackStatus = "active") {
   if (frontmatter.status) return frontmatter.status;
   return fallbackStatus;
 }
+function isActiveMemoryStatus(status) {
+  return status === void 0 || status === "active";
+}
 function summarizeMemoryLifecycleState(memory) {
   return {
     category: memory.frontmatter.category,
@@ -1632,6 +1669,88 @@ function assertMemoryWorthCounter(field, value) {
     throw new Error(`${field} must be >= 0, got ${value}`);
   }
 }
+function isErrnoCode(error, code) {
+  return typeof error === "object" && error !== null && "code" in error && error.code === code;
+}
+function trimTrailingSpacesAndTabs(value) {
+  let end = value.length;
+  while (end > 0 && (value[end - 1] === " " || value[end - 1] === "	")) {
+    end -= 1;
+  }
+  return end === value.length ? value : value.slice(0, end);
+}
+function trimLeadingSpacesAndTabs(value) {
+  let start = 0;
+  while (start < value.length && (value[start] === " " || value[start] === "	")) {
+    start += 1;
+  }
+  return start === 0 ? value : value.slice(start);
+}
+function stripDefaultCitationMarkersWithoutRegex(value) {
+  return stripCitationMarkersForHashRemoval(value, DEFAULT_CITATION_FORMAT);
+}
+function citationTemplateLiteralParts(template) {
+  const parts = [];
+  let cursor = 0;
+  while (cursor < template.length) {
+    const open = template.indexOf("{", cursor);
+    if (open === -1) {
+      parts.push(template.slice(cursor));
+      break;
+    }
+    parts.push(template.slice(cursor, open));
+    const close = template.indexOf("}", open + 1);
+    if (close === -1) {
+      cursor = open + 1;
+    } else {
+      cursor = close + 1;
+    }
+  }
+  return parts.filter((part) => part.length > 0);
+}
+function stripCitationMarkersForHashRemoval(value, template) {
+  const parts = citationTemplateLiteralParts(template);
+  if (parts.length === 0) return value;
+  const first = parts[0];
+  const lowerValue = value.toLowerCase();
+  const lowerFirst = first.toLowerCase();
+  const lowerParts = parts.map((part) => part.toLowerCase());
+  if (!lowerValue.includes(lowerFirst)) return value;
+  let result = "";
+  let cursor = 0;
+  let removed = false;
+  while (cursor < value.length) {
+    const markerStart = lowerValue.indexOf(lowerFirst, cursor);
+    if (markerStart === -1) {
+      result += value.slice(cursor);
+      break;
+    }
+    const boundedEnd = first.startsWith("[") ? value.indexOf("]", markerStart + first.length) : -1;
+    if (first.startsWith("[") && boundedEnd === -1) {
+      result += value.slice(cursor);
+      break;
+    }
+    const searchLimit = boundedEnd === -1 ? value.length : boundedEnd + 1;
+    let markerEnd = markerStart + first.length;
+    let matched = true;
+    for (let i = 1; i < lowerParts.length; i += 1) {
+      const partIndex = lowerValue.indexOf(lowerParts[i], markerEnd);
+      if (partIndex === -1 || partIndex + parts[i].length > searchLimit) {
+        matched = false;
+        break;
+      }
+      markerEnd = partIndex + parts[i].length;
+    }
+    if (!matched) {
+      result += value.slice(cursor);
+      break;
+    }
+    result += trimTrailingSpacesAndTabs(value.slice(cursor, markerStart));
+    cursor = markerEnd;
+    removed = true;
+  }
+  return removed ? trimLeadingSpacesAndTabs(result) : value;
+}
 function serializeFrontmatter(fm) {
   const lines = [
     "---",
@@ -1654,6 +1773,10 @@ function serializeFrontmatter(fm) {
   if (fm.supersededBy) lines.push(`supersededBy: ${fm.supersededBy}`);
   if (fm.supersededAt) lines.push(`supersededAt: ${fm.supersededAt}`);
   if (fm.archivedAt) lines.push(`archivedAt: ${fm.archivedAt}`);
+  if (fm.valid_at) lines.push(`validAt: ${fm.valid_at}`);
+  if (fm.invalid_at) lines.push(`invalidAt: ${fm.invalid_at}`);
+  if (fm.forgottenAt) lines.push(`forgottenAt: ${fm.forgottenAt}`);
+  if (fm.forgottenReason) lines.push(`forgottenReason: ${JSON.stringify(fm.forgottenReason)}`);
   if (fm.lifecycleState) lines.push(`lifecycleState: ${fm.lifecycleState}`);
   if (fm.verificationState) lines.push(`verificationState: ${fm.verificationState}`);
   if (fm.policyClass) lines.push(`policyClass: ${fm.policyClass}`);
@@ -1731,11 +1854,22 @@ function serializeFrontmatter(fm) {
   if (fm.derived_via !== void 0) {
     if (!isConsolidationOperator(fm.derived_via)) {
       throw new Error(
-        `serializeFrontmatter: invalid derived_via ${JSON.stringify(fm.derived_via)} \u2014 expected one of "split" | "merge" | "update"`
+        `serializeFrontmatter: invalid derived_via ${JSON.stringify(fm.derived_via)} \u2014 expected one of "split" | "merge" | "update" | "pattern-reinforcement"`
       );
     }
     lines.push(`derived_via: ${fm.derived_via}`);
   }
+  if (fm.reinforcement_count !== void 0) {
+    if (!Number.isInteger(fm.reinforcement_count) || fm.reinforcement_count <= 0) {
+      throw new Error(
+        `serializeFrontmatter: reinforcement_count must be a positive integer (got ${JSON.stringify(fm.reinforcement_count)})`
+      );
+    }
+    lines.push(`reinforcement_count: ${fm.reinforcement_count}`);
+  }
+  if (fm.last_reinforced_at) {
+    lines.push(`last_reinforced_at: ${fm.last_reinforced_at}`);
+  }
   lines.push("---");
   return lines.join("\n");
 }
@@ -1768,6 +1902,20 @@ function parseLinkReasonValue(rawValue) {
     return legacyValue;
   }
 }
+function parseFrontmatterStringValue(rawValue) {
+  if (rawValue === void 0) return void 0;
+  const trimmed = rawValue.trim();
+  if (trimmed.length === 0) return void 0;
+  if (trimmed.startsWith('"') && trimmed.endsWith('"')) {
+    try {
+      const parsed = JSON.parse(trimmed);
+      return typeof parsed === "string" ? parsed : trimmed;
+    } catch {
+      return trimmed.slice(1, -1).replace(/\\"/g, '"');
+    }
+  }
+  return trimmed;
+}
 function parseMemoryWorthCounterField(raw) {
   if (raw === void 0) return void 0;
   const trimmed = raw.trim();
@@ -1776,6 +1924,14 @@ function parseMemoryWorthCounterField(raw) {
   if (!Number.isFinite(n) || !Number.isInteger(n) || n < 0) return void 0;
   return n;
 }
+function parseReinforcementCountField(raw) {
+  if (raw === void 0) return void 0;
+  const trimmed = raw.trim();
+  if (trimmed.length === 0) return void 0;
+  const n = Number(trimmed);
+  if (!Number.isFinite(n) || !Number.isInteger(n) || n <= 0) return void 0;
+  return n;
+}
 function parseFrontmatter2(raw) {
   const match = raw.match(/^---\n([\s\S]*?)\n---\n?([\s\S]*)$/);
   if (!match) return null;
@@ -1961,6 +2117,11 @@ function parseFrontmatter2(raw) {
       supersededBy: fm.supersededBy || void 0,
       supersededAt: fm.supersededAt || void 0,
       archivedAt: fm.archivedAt || void 0,
+      // Issue #680 — explicit fact lifecycle round-trip.
+      valid_at: fm.validAt || void 0,
+      invalid_at: fm.invalidAt || void 0,
+      forgottenAt: fm.forgottenAt || void 0,
+      forgottenReason: parseFrontmatterStringValue(fm.forgottenReason),
       lifecycleState: fm.lifecycleState || void 0,
       verificationState: fm.verificationState || void 0,
       policyClass: fm.policyClass || void 0,
@@ -1995,7 +2156,14 @@ function parseFrontmatter2(raw) {
       // Consolidation provenance (issue #561) — read-through only in this
       // PR; no code produces these fields yet.
       derived_from,
-      derived_via
+      derived_via,
+      // Pattern-reinforcement metadata (issue #687 PR 2/4).  Parse
+      // permissively: invalid values (negative, non-integer, blank
+      // ISO-strings) are dropped to undefined so a corrupt frontmatter
+      // never poisons downstream scoring.  Validation lives on the
+      // write path in serializeFrontmatter.
+      reinforcement_count: parseReinforcementCountField(fm.reinforcement_count),
+      last_reinforced_at: fm.last_reinforced_at || void 0
     },
     content
   };
@@ -3061,6 +3229,76 @@ var StorageManager = class _StorageManager {
   setVersioningConfig(config) {
     this._versioningConfig = config;
   }
+  /**
+   * At-rest encryption key (issue #690 PR 3/4).
+   *
+   * When non-null, every memory file read is decrypted and every write
+   * is encrypted using the secure-fs layer.  When null, the storage
+   * layer operates in plain-text mode (legacy/unencrypted store).
+   *
+   * Set by the orchestrator after init/unlock; cleared on lock.
+   * The key buffer is NEVER logged or serialized.
+   */
+  _secureStoreKey = null;
+  /**
+   * When true (and `_secureStoreKey` is non-null), new writes are
+   * encrypted.  Set to false to pause encryption of new writes while
+   * still decrypting existing files.
+   */
+  _secureStoreEncryptOnWrite = true;
+  /**
+   * When true, the secure-store is configured as required — writes
+   * MUST be encrypted and a locked store MUST reject writes rather
+   * than silently falling back to plaintext.  Set by the orchestrator
+   * from `config.secureStoreEnabled`.
+   */
+  _secureStoreRequired = false;
+  /**
+   * Set or clear the at-rest encryption key.
+   *
+   * Pass a 32-byte Buffer to enable encryption; pass null to clear
+   * (lock) the store.  The caller is responsible for key lifecycle —
+   * this method does not zero the buffer on replacement; the keyring
+   * module (`keyring.ts`) owns zeroization.
+   */
+  setSecureStoreKey(key, encryptOnWrite = true) {
+    this._secureStoreKey = key;
+    this._secureStoreEncryptOnWrite = encryptOnWrite;
+  }
+  /**
+   * Mark the secure-store as required for this storage instance.
+   * When required and locked, writes throw SecureStoreLockedError
+   * rather than silently writing plaintext.
+   */
+  setSecureStoreRequired(required) {
+    this._secureStoreRequired = required;
+  }
+  /** Return true iff the secure-store key is currently set (store is unlocked). */
+  isSecureStoreUnlocked() {
+    return this._secureStoreKey !== null;
+  }
+  /**
+   * Resolve the effective write key.
+   *
+   * - If `_secureStoreEncryptOnWrite` is false: returns null (plain write).
+   * - If `_secureStoreEncryptOnWrite` is true AND key is set: returns key.
+   * - If `_secureStoreEncryptOnWrite` is true AND key is null AND
+   *   `_secureStoreRequired` is true: throws SecureStoreLockedError so the
+   *   write fails loudly rather than silently writing plaintext (P1 finding
+   *   from Cursor review of PR #767).
+   * - If `_secureStoreEncryptOnWrite` is true AND key is null AND
+   *   `_secureStoreRequired` is false: returns null (unencrypted store).
+   */
+  resolveWriteKey() {
+    if (!this._secureStoreEncryptOnWrite) return null;
+    if (this._secureStoreKey !== null) return this._secureStoreKey;
+    if (this._secureStoreRequired) {
+      throw new SecureStoreLockedError(
+        "secure-store is locked \u2014 cannot write memory file. Run `remnic secure-store unlock` to decrypt, or restart the daemon after unlocking."
+      );
+    }
+    return null;
+  }
   /**
    * Snapshot the current content of a page before overwriting.
    * No-op when versioning is disabled or the file does not yet exist.
@@ -3068,7 +3306,7 @@ var StorageManager = class _StorageManager {
   async snapshotBeforeWrite(filePath, trigger) {
     if (!this._versioningConfig || !this._versioningConfig.enabled) return;
     try {
-      const existing = await readFile2(filePath, "utf-8");
+      const existing = await readMaybeEncryptedFile(filePath, this._secureStoreKey, this.baseDir);
       await createVersion(filePath, existing, trigger, this._versioningConfig, log, void 0, this.baseDir);
     } catch {
     }
@@ -3091,7 +3329,7 @@ var StorageManager = class _StorageManager {
     if (!this._versioningConfig || !this._versioningConfig.enabled) return null;
     let existing;
     try {
-      existing = await readFile2(filePath, "utf-8");
+      existing = await readMaybeEncryptedFile(filePath, this._secureStoreKey, this.baseDir);
     } catch {
       return null;
     }
@@ -3433,7 +3671,7 @@ ${sanitized.text}
       filePath = path4.join(this.factsDir, today, `${id}.md`);
     }
     await this.snapshotBeforeWrite(filePath, "write");
-    await writeFile2(filePath, fileContent, "utf-8");
+    await writeMaybeEncryptedFile(filePath, fileContent, this.resolveWriteKey(), {}, this.baseDir);
     this.invalidateAllMemoriesCache();
     await this.appendGeneratedMemoryLifecycleEventFailOpen("storage.writeMemory", {
       memoryId: id,
@@ -3469,6 +3707,50 @@ ${sanitized.text}
     const sanitized = sanitizeMemoryContent(content);
     return factHashIndex.has(sanitized.text);
   }
+  factContentHashForRemoval(memory) {
+    if (memory.frontmatter.category !== "fact") return null;
+    if (typeof memory.frontmatter.contentHash === "string" && memory.frontmatter.contentHash.length > 0) {
+      return memory.frontmatter.contentHash;
+    }
+    const configuredHashSource = stripCitationMarkersForHashRemoval(memory.content, this.citationTemplate);
+    const hashSource = configuredHashSource !== memory.content ? configuredHashSource : stripDefaultCitationMarkersWithoutRegex(memory.content);
+    return ContentHashIndex.computeHash(sanitizeMemoryContent(hashSource).text);
+  }
+  async removeFactContentHashesForMemories(memories) {
+    await this.ensureFactHashIndexAuthoritative();
+    const factHashIndex = await this.getFactHashIndex();
+    const removedIds = new Set(
+      memories.map((memory) => memory.frontmatter.id).filter((id) => typeof id === "string" && id.length > 0)
+    );
+    const removedHashes = /* @__PURE__ */ new Map();
+    for (const memory of memories) {
+      const hash = this.factContentHashForRemoval(memory);
+      if (hash) {
+        removedHashes.set(memory, hash);
+      }
+    }
+    if (removedHashes.size === 0) return;
+    const remainingActiveHashes = /* @__PURE__ */ new Set();
+    const remainingMemories = [
+      ...await this.readAllMemories(),
+      ...await this.readAllColdMemories()
+    ];
+    for (const memory of remainingMemories) {
+      if (memory.frontmatter.category !== "fact") continue;
+      if (removedIds.has(memory.frontmatter.id)) continue;
+      if (inferMemoryStatus(memory.frontmatter, memory.path) !== "active") continue;
+      const hash = this.factContentHashForRemoval(memory);
+      if (hash) {
+        remainingActiveHashes.add(hash);
+      }
+    }
+    for (const hash of removedHashes.values()) {
+      if (!remainingActiveHashes.has(hash)) {
+        factHashIndex.removeByHash(hash);
+      }
+    }
+    await factHashIndex.save();
+  }
   async isFactContentHashAuthoritative() {
     await this.ensureFactHashIndexAuthoritative();
     return true;
@@ -3502,10 +3784,10 @@ ${sanitized.text}
       return "";
     }
     const filePath = path4.join(dir, `${id}.md`);
-    await writeFile2(filePath, `${serializeFrontmatter(fm)}
+    await writeMaybeEncryptedFile(filePath, `${serializeFrontmatter(fm)}
 
 ${sanitized.text}
-`, "utf-8");
+`, this.resolveWriteKey(), {}, this.baseDir);
     const actor = typeof options.actor === "string" && options.actor.length > 0 ? options.actor : "storage.writeArtifact";
     await this.appendGeneratedMemoryLifecycleEventFailOpen("storage.writeArtifact", {
       memoryId: id,
@@ -3680,15 +3962,19 @@ ${sanitized.text}
   }
   async readProfile() {
     try {
-      return await readFile2(this.profilePath, "utf-8");
-    } catch {
-      return "";
+      return await readMaybeEncryptedFile(this.profilePath, this._secureStoreKey, this.baseDir);
+    } catch (error) {
+      if (error instanceof SecureStoreLockedError) {
+        throw error;
+      }
+      if (isErrnoCode(error, "ENOENT")) return "";
+      throw error;
     }
   }
   async writeProfile(content) {
     await this.ensureDirectories();
     await this.snapshotBeforeWrite(this.profilePath, "consolidation");
-    await writeFile2(this.profilePath, content, "utf-8");
+    await writeMaybeEncryptedFile(this.profilePath, content, this.resolveWriteKey(), {}, this.baseDir);
     log.debug("updated profile.md");
   }
   /**
@@ -3771,6 +4057,24 @@ ${sanitized.text}
   invalidateAllMemoriesCacheForDir() {
     this.invalidateAllMemoriesCache();
   }
+  /** Invalidate only the cache layers affected by direct tier file deletes. */
+  invalidateMemoryCachesForTiers(tiers) {
+    let hotChanged = false;
+    let coldChanged = false;
+    for (const tier of tiers) {
+      if (tier === "cold") {
+        coldChanged = true;
+      } else if (tier === "hot" || tier === "archive") {
+        hotChanged = true;
+      }
+    }
+    if (hotChanged) {
+      this.invalidateAllMemoriesCache();
+    }
+    if (coldChanged) {
+      this.invalidateColdMemoriesCache();
+    }
+  }
   /** Clear ALL static caches. Use in tests that write files directly
    *  (bypassing StorageManager.writeMemory) to avoid stale reads. */
   static clearAllStaticCaches() {
@@ -3862,7 +4166,7 @@ ${sanitized.text}
       const results = await Promise.all(
         batch.map(async (fullPath) => {
           try {
-            const raw = await readFile2(fullPath, "utf-8");
+            const raw = await readMaybeEncryptedFile(fullPath, this._secureStoreKey, this.baseDir);
             const parsed = parseFrontmatter2(raw);
             if (!parsed) return null;
             return {
@@ -3874,7 +4178,8 @@ ${sanitized.text}
               ),
               content: parsed.content
             };
-          } catch {
+          } catch (err) {
+            if (err instanceof SecureStoreLockedError) throw err;
             return null;
           }
         })
@@ -3887,7 +4192,7 @@ ${sanitized.text}
   }
   async readWindowUpdatedMs(filePath) {
     try {
-      const raw = await readFile2(filePath, "utf-8");
+      const raw = await readMaybeEncryptedFile(filePath, this._secureStoreKey, this.baseDir);
       const match = raw.match(/^---\n([\s\S]*?)\n---\n?/);
       if (!match) return null;
       const frontmatterBlock = match[1];
@@ -4071,7 +4376,7 @@ ${sanitized.text}
             await readDir(fullPath);
           } else if (entry.name.endsWith(".md")) {
             try {
-              const raw = await readFile2(fullPath, "utf-8");
+              const raw = await readMaybeEncryptedFile(fullPath, this._secureStoreKey, this.baseDir);
               const parsed = parseFrontmatter2(raw);
               if (parsed) {
                 memories.push({
@@ -4084,7 +4389,8 @@ ${sanitized.text}
                   content: parsed.content
                 });
               }
-            } catch {
+            } catch (err) {
+              if (err instanceof SecureStoreLockedError) throw err;
             }
           }
         }
@@ -4097,7 +4403,7 @@ ${sanitized.text}
   /** Read a single memory file by its absolute path. Returns null if unreadable. */
   async readMemoryByPath(filePath) {
     try {
-      const raw = await readFile2(filePath, "utf-8");
+      const raw = await readMaybeEncryptedFile(filePath, this._secureStoreKey, this.baseDir);
       const parsed = parseFrontmatter2(raw);
       if (parsed) {
         return {
@@ -4132,7 +4438,8 @@ ${sanitized.text}
         };
       }
       return null;
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
       return null;
     }
   }
@@ -4170,19 +4477,8 @@ ${sanitized.text}
 
 ${memory.content}
 `;
-    await mkdir2(path4.dirname(targetPath), { recursive: true });
-    const tempPath = `${targetPath}.tmp-${process.pid}-${Date.now()}`;
-    try {
-      await writeFile2(tempPath, fileContent, "utf-8");
-      await rename(tempPath, targetPath);
-      this.invalidateAllMemoriesCache();
-    } catch (err) {
-      try {
-        await unlink(tempPath);
-      } catch {
-      }
-      throw err;
-    }
+    await writeMaybeEncryptedFile(targetPath, fileContent, this.resolveWriteKey(), {}, this.baseDir);
+    this.invalidateAllMemoriesCache();
   }
   async moveMemoryToPath(memory, targetPath) {
     await this.writeMemoryFileAtomic(targetPath, memory);
@@ -4253,7 +4549,7 @@ ${memory.content}
 ${memory.content}
 `;
       const destPath = path4.join(destDir, path4.basename(memory.path));
-      await writeFile2(destPath, fileContent, "utf-8");
+      await writeMaybeEncryptedFile(destPath, fileContent, this.resolveWriteKey(), {}, this.baseDir);
       await unlink(memory.path);
       this.invalidateAllMemoriesCache();
       await this.appendGeneratedMemoryLifecycleEventFailOpen(
@@ -4374,7 +4670,7 @@ ${memory.content}
 
 ${sanitized.text}
 `;
-    await writeFile2(memory.path, fileContent, "utf-8");
+    await writeMaybeEncryptedFile(memory.path, fileContent, this.resolveWriteKey(), {}, this.baseDir);
     this.invalidateAllMemoriesCache();
     await this.appendGeneratedMemoryLifecycleEventFailOpen("storage.updateMemory", {
       memoryId: id,
@@ -4406,7 +4702,7 @@ ${sanitized.text}
 
 ${memory.content}
 `;
-    await writeFile2(memory.path, fileContent, "utf-8");
+    await writeMaybeEncryptedFile(memory.path, fileContent, this.resolveWriteKey(), {}, this.baseDir);
     this.invalidateAllMemoriesCache();
     if (memory.path.includes(`${path4.sep}cold${path4.sep}`)) {
       this.invalidateColdMemoriesCache();
@@ -5088,7 +5384,7 @@ ${question}
       for (const file of files) {
         if (!file.endsWith(".md")) continue;
         const filePath = path4.join(this.questionsDir, file);
-        const raw = await readFile2(filePath, "utf-8");
+        const raw = await readMaybeEncryptedFile(filePath, this._secureStoreKey, this.baseDir);
         const parsed = this.parseQuestionFile(raw, filePath);
         if (parsed) {
           questions.push(parsed);
@@ -5996,7 +6292,7 @@ ${sanitized.text}
 ${oldMemory.content}
 `;
     try {
-      await writeFile2(oldMemory.path, fileContent, "utf-8");
+      await writeMaybeEncryptedFile(oldMemory.path, fileContent, this.resolveWriteKey(), {}, this.baseDir);
       await this.appendGeneratedMemoryLifecycleEventFailOpen("storage.supersedeMemory", {
         memoryId: oldMemoryId,
         eventType: "superseded",
@@ -6195,6 +6491,12 @@ export {
   normalizeEntitySchemas,
   resolveRequestedEntitySectionKeys,
   sanitizeMemoryContent,
+  MEMORY_LIFECYCLE_EVENT_SORT_ORDER,
+  toMemoryPathRel,
+  inferMemoryStatus,
+  isActiveMemoryStatus,
+  buildLifecycleEventsForMemory,
+  sortMemoryLifecycleEvents,
   hasCitationForTemplate,
   attachCitation,
   stripCitationForTemplate,
@@ -6206,7 +6508,12 @@ export {
   setCachedQmdSearch,
   lintWorkspaceFiles,
   rotateMarkdownFileToArchive,
+  DERIVED_FROM_MEMORY_ID_RE,
   isConsolidationOperator,
+  isSemanticConsolidationLlmOperator,
+  RECALL_DISCLOSURE_LEVELS,
+  DEFAULT_RECALL_DISCLOSURE,
+  isRecallDisclosure,
   confidenceTier,
   openBetterSqlite3,
   MEMORY_PROJECTION_SCHEMA_VERSION,
@@ -6218,11 +6525,6 @@ export {
   readProjectedEntityMentions,
   readProjectedNativeKnowledgeChunks,
   readProjectedGovernanceRecord,
-  MEMORY_LIFECYCLE_EVENT_SORT_ORDER,
-  toMemoryPathRel,
-  inferMemoryStatus,
-  buildLifecycleEventsForMemory,
-  sortMemoryLifecycleEvents,
   normalizeProjectionPreview,
   normalizeProjectionTags,
   parseContinuityIncident,