@remnic/plugin-openclaw 1.0.10 → 1.0.12

package/dist/{chunk-JJSNPSCD.js → chunk-7UZNLMW5.js}

@@ -1,12 +1,18 @@
 import {
   createVersion
 } from "./chunk-6OJAU466.js";
+import {
+  SecureStoreLockedError,
+  isEncryptedFile,
+  readMaybeEncryptedFile,
+  writeMaybeEncryptedFile
+} from "./chunk-RKR6PTPA.js";
 import {
   log
 } from "./chunk-UFU5GGGA.js";
 
 // ../remnic-core/src/storage.ts
-import { access, readdir, readFile as readFile2, stat as stat2, writeFile as writeFile2, mkdir as mkdir2, unlink, rename, appendFile } from "fs/promises";
+import { access, readdir, readFile as readFile2, stat as stat2, writeFile as writeFile2, mkdir as mkdir2, unlink, appendFile } from "fs/promises";
 import { appendFileSync, mkdirSync, statSync } from "fs";
 import { createHash } from "crypto";
 import path4 from "path";
@@ -29,6 +35,12 @@ function setCachedEntities(baseDir, entities, version, schemaKey = "") {
     loadedAt: Date.now()
   });
 }
+function invalidateCachedEntities(baseDir) {
+  const prefix = `${baseDir}\0`;
+  for (const key of entityCacheByDir.keys()) {
+    if (key.startsWith(prefix)) entityCacheByDir.delete(key);
+  }
+}
 var episodeMapByDir = /* @__PURE__ */ new Map();
 var ruleMemoriesByDir = /* @__PURE__ */ new Map();
 function getCachedEpisodeMap(baseDir, currentVersion) {
@@ -40,7 +52,7 @@ function getCachedEpisodeMap(baseDir, currentVersion) {
 function setCachedEpisodeMap(baseDir, memories, version) {
   const map = /* @__PURE__ */ new Map();
   for (const m of memories) {
-    if (m.frontmatter.status === "archived") continue;
+    if (m.frontmatter.status === "archived" || m.frontmatter.status === "forgotten") continue;
     if (m.frontmatter.memoryKind !== "episode") continue;
     map.set(m.frontmatter.id, m);
   }
@@ -58,7 +70,7 @@ function setCachedRuleMemories(baseDir, memories, version) {
   const all = [];
   for (const m of memories) {
     byId.set(m.frontmatter.id, m);
-    if (m.frontmatter.category === "rule" && m.frontmatter.status !== "archived") {
+    if (m.frontmatter.category === "rule" && m.frontmatter.status !== "archived" && m.frontmatter.status !== "forgotten") {
       all.push(m);
     }
   }
@@ -180,21 +192,41 @@ function sanitizeMemoryContent(text) {
 var CONSOLIDATION_OPERATORS = [
   "split",
   "merge",
-  "update"
+  "update",
+  "pattern-reinforcement"
 ];
 var DERIVED_FROM_ENTRY_RE = /^(.+):(\d+)$/;
-function isValidDerivedFromEntry(entry) {
-  if (typeof entry !== "string") return false;
+var DERIVED_FROM_MEMORY_ID_RE = /^[A-Za-z0-9][A-Za-z0-9_:-]*$/;
+function looksLikeSnapshotEntry(entry) {
   const match = entry.match(DERIVED_FROM_ENTRY_RE);
   if (!match) return false;
   const pathPart = match[1];
-  if (pathPart.length === 0 || pathPart.trim().length === 0) return false;
-  const versionNum = Number(match[2]);
-  return Number.isInteger(versionNum) && versionNum >= 0;
+  return pathPart.includes("/") || pathPart.includes(".");
+}
+function isValidDerivedFromEntry(entry) {
+  if (typeof entry !== "string") return false;
+  if (entry.length === 0) return false;
+  if (looksLikeSnapshotEntry(entry)) {
+    const match = entry.match(DERIVED_FROM_ENTRY_RE);
+    if (!match) return false;
+    const pathPart = match[1];
+    if (pathPart.length === 0 || pathPart.trim().length === 0) return false;
+    const versionNum = Number(match[2]);
+    return Number.isInteger(versionNum) && versionNum >= 0;
+  }
+  return DERIVED_FROM_MEMORY_ID_RE.test(entry);
 }
 function isConsolidationOperator(value) {
   return typeof value === "string" && CONSOLIDATION_OPERATORS.includes(value);
 }
+var SEMANTIC_CONSOLIDATION_LLM_OPERATORS = [
+  "split",
+  "merge",
+  "update"
+];
+function isSemanticConsolidationLlmOperator(value) {
+  return typeof value === "string" && SEMANTIC_CONSOLIDATION_LLM_OPERATORS.includes(value);
+}
 
 // ../remnic-core/src/entity-schema.ts
 var DEFAULT_ENTITY_SCHEMAS = {
@@ -541,6 +573,15 @@ function stripCitationForTemplate(text, template) {
 }
 
 // ../remnic-core/src/types.ts
+var RECALL_DISCLOSURE_LEVELS = [
+  "chunk",
+  "section",
+  "raw"
+];
+var DEFAULT_RECALL_DISCLOSURE = "chunk";
+function isRecallDisclosure(value) {
+  return typeof value === "string" && RECALL_DISCLOSURE_LEVELS.includes(value);
+}
 function confidenceTier(score) {
   if (score >= 0.95) return "explicit";
   if (score >= 0.7) return "implied";
@@ -560,25 +601,44 @@ function loadBetterSqlite3() {
   if (cachedCtor) return cachedCtor;
   const require2 = createRequire(import.meta.url);
   try {
-    const loaded = require2("better-sqlite3");
-    const ctor = typeof loaded === "function" ? loaded : loaded.default;
-    if (typeof ctor !== "function") {
-      throw new Error("module did not export a constructor");
-    }
-    cachedCtor = ctor;
-    return ctor;
+    cachedCtor = requireBetterSqlite3Ctor(require2);
+    return cachedCtor;
   } catch (error) {
-    const detail = error instanceof Error && error.message.length > 0 ? ` (${error.message})` : "";
-    throw new Error(
-      "better-sqlite3 is unavailable. Rebuild it in the plugin install with `npm rebuild better-sqlite3 --build-from-source` before using SQLite-backed Engram features" + detail,
-      { cause: error instanceof Error ? error : void 0 }
-    );
+    throw unavailableError(error);
   }
 }
 function openBetterSqlite3(file, options) {
   const Database = loadBetterSqlite3();
   return new Database(file, options);
 }
+function requireBetterSqlite3Ctor(require2) {
+  const loaded = require2("better-sqlite3");
+  const ctor = typeof loaded === "function" ? loaded : loaded.default;
+  if (typeof ctor !== "function") {
+    throw new Error("module did not export a constructor");
+  }
+  return ctor;
+}
+function isLikelyBetterSqlite3NativeBindingError(error) {
+  const detail = errorDetail(error);
+  return detail.includes("Could not locate the bindings file") || detail.includes("better_sqlite3.node") || detail.includes("node-v") && detail.includes("better-sqlite3") || detail.includes("NODE_MODULE_VERSION") && detail.includes("better-sqlite3") || detail.includes("was compiled against a different Node.js version");
+}
+function unavailableError(error) {
+  const detail = errorDetail(error);
+  const nativeBindingHint = isLikelyBetterSqlite3NativeBindingError(error) ? " This usually means the better-sqlite3 native binding was not compiled for this Node.js/platform combination. Run `node scripts/ensure-better-sqlite3.mjs` from the Remnic install directory, or run `npx node-gyp rebuild --directory=node_modules/better-sqlite3` if the verification script is unavailable." : "";
+  return new Error(
+    "better-sqlite3 is unavailable. Remnic attempted to load the native SQLite binding and could not." + nativeBindingHint + (detail ? ` Original error: ${detail}` : ""),
+    { cause: error instanceof Error ? error : void 0 }
+  );
+}
+function errorDetail(error) {
+  if (error instanceof Error) {
+    const stack = error.stack && error.stack !== error.message ? `
+${error.stack}` : "";
+    return `${error.message}${stack}`;
+  }
+  return String(error ?? "");
+}
 
 // ../remnic-core/src/memory-projection-store.ts
 var MEMORY_PROJECTION_SCHEMA_VERSION = 2;
@@ -1269,6 +1329,9 @@ function inferMemoryStatus(frontmatter, pathRel, fallbackStatus = "active") {
   if (frontmatter.status) return frontmatter.status;
   return fallbackStatus;
 }
+function isActiveMemoryStatus(status) {
+  return status === void 0 || status === "active";
+}
 function summarizeMemoryLifecycleState(memory) {
   return {
     category: memory.frontmatter.category,
@@ -1632,6 +1695,88 @@ function assertMemoryWorthCounter(field, value) {
     throw new Error(`${field} must be >= 0, got ${value}`);
   }
 }
+function isErrnoCode(error, code) {
+  return typeof error === "object" && error !== null && "code" in error && error.code === code;
+}
+function trimTrailingSpacesAndTabs(value) {
+  let end = value.length;
+  while (end > 0 && (value[end - 1] === " " || value[end - 1] === "	")) {
+    end -= 1;
+  }
+  return end === value.length ? value : value.slice(0, end);
+}
+function trimLeadingSpacesAndTabs(value) {
+  let start = 0;
+  while (start < value.length && (value[start] === " " || value[start] === "	")) {
+    start += 1;
+  }
+  return start === 0 ? value : value.slice(start);
+}
+function stripDefaultCitationMarkersWithoutRegex(value) {
+  return stripCitationMarkersForHashRemoval(value, DEFAULT_CITATION_FORMAT);
+}
+function citationTemplateLiteralParts(template) {
+  const parts = [];
+  let cursor = 0;
+  while (cursor < template.length) {
+    const open = template.indexOf("{", cursor);
+    if (open === -1) {
+      parts.push(template.slice(cursor));
+      break;
+    }
+    parts.push(template.slice(cursor, open));
+    const close = template.indexOf("}", open + 1);
+    if (close === -1) {
+      cursor = open + 1;
+    } else {
+      cursor = close + 1;
+    }
+  }
+  return parts.filter((part) => part.length > 0);
+}
+function stripCitationMarkersForHashRemoval(value, template) {
+  const parts = citationTemplateLiteralParts(template);
+  if (parts.length === 0) return value;
+  const first = parts[0];
+  const lowerValue = value.toLowerCase();
+  const lowerFirst = first.toLowerCase();
+  const lowerParts = parts.map((part) => part.toLowerCase());
+  if (!lowerValue.includes(lowerFirst)) return value;
+  let result = "";
+  let cursor = 0;
+  let removed = false;
+  while (cursor < value.length) {
+    const markerStart = lowerValue.indexOf(lowerFirst, cursor);
+    if (markerStart === -1) {
+      result += value.slice(cursor);
+      break;
+    }
+    const boundedEnd = first.startsWith("[") ? value.indexOf("]", markerStart + first.length) : -1;
+    if (first.startsWith("[") && boundedEnd === -1) {
+      result += value.slice(cursor);
+      break;
+    }
+    const searchLimit = boundedEnd === -1 ? value.length : boundedEnd + 1;
+    let markerEnd = markerStart + first.length;
+    let matched = true;
+    for (let i = 1; i < lowerParts.length; i += 1) {
+      const partIndex = lowerValue.indexOf(lowerParts[i], markerEnd);
+      if (partIndex === -1 || partIndex + parts[i].length > searchLimit) {
+        matched = false;
+        break;
+      }
+      markerEnd = partIndex + parts[i].length;
+    }
+    if (!matched) {
+      result += value.slice(cursor);
+      break;
+    }
+    result += trimTrailingSpacesAndTabs(value.slice(cursor, markerStart));
+    cursor = markerEnd;
+    removed = true;
+  }
+  return removed ? trimLeadingSpacesAndTabs(result) : value;
+}
 function serializeFrontmatter(fm) {
   const lines = [
     "---",
@@ -1654,6 +1799,10 @@ function serializeFrontmatter(fm) {
   if (fm.supersededBy) lines.push(`supersededBy: ${fm.supersededBy}`);
   if (fm.supersededAt) lines.push(`supersededAt: ${fm.supersededAt}`);
   if (fm.archivedAt) lines.push(`archivedAt: ${fm.archivedAt}`);
+  if (fm.valid_at) lines.push(`validAt: ${fm.valid_at}`);
+  if (fm.invalid_at) lines.push(`invalidAt: ${fm.invalid_at}`);
+  if (fm.forgottenAt) lines.push(`forgottenAt: ${fm.forgottenAt}`);
+  if (fm.forgottenReason) lines.push(`forgottenReason: ${JSON.stringify(fm.forgottenReason)}`);
   if (fm.lifecycleState) lines.push(`lifecycleState: ${fm.lifecycleState}`);
   if (fm.verificationState) lines.push(`verificationState: ${fm.verificationState}`);
   if (fm.policyClass) lines.push(`policyClass: ${fm.policyClass}`);
@@ -1731,11 +1880,22 @@ function serializeFrontmatter(fm) {
   if (fm.derived_via !== void 0) {
     if (!isConsolidationOperator(fm.derived_via)) {
       throw new Error(
-        `serializeFrontmatter: invalid derived_via ${JSON.stringify(fm.derived_via)} \u2014 expected one of "split" | "merge" | "update"`
+        `serializeFrontmatter: invalid derived_via ${JSON.stringify(fm.derived_via)} \u2014 expected one of "split" | "merge" | "update" | "pattern-reinforcement"`
       );
     }
     lines.push(`derived_via: ${fm.derived_via}`);
   }
+  if (fm.reinforcement_count !== void 0) {
+    if (!Number.isInteger(fm.reinforcement_count) || fm.reinforcement_count <= 0) {
+      throw new Error(
+        `serializeFrontmatter: reinforcement_count must be a positive integer (got ${JSON.stringify(fm.reinforcement_count)})`
+      );
+    }
+    lines.push(`reinforcement_count: ${fm.reinforcement_count}`);
+  }
+  if (fm.last_reinforced_at) {
+    lines.push(`last_reinforced_at: ${fm.last_reinforced_at}`);
+  }
   lines.push("---");
   return lines.join("\n");
 }
@@ -1768,6 +1928,20 @@ function parseLinkReasonValue(rawValue) {
     return legacyValue;
   }
 }
+function parseFrontmatterStringValue(rawValue) {
+  if (rawValue === void 0) return void 0;
+  const trimmed = rawValue.trim();
+  if (trimmed.length === 0) return void 0;
+  if (trimmed.startsWith('"') && trimmed.endsWith('"')) {
+    try {
+      const parsed = JSON.parse(trimmed);
+      return typeof parsed === "string" ? parsed : trimmed;
+    } catch {
+      return trimmed.slice(1, -1).replace(/\\"/g, '"');
+    }
+  }
+  return trimmed;
+}
 function parseMemoryWorthCounterField(raw) {
   if (raw === void 0) return void 0;
   const trimmed = raw.trim();
@@ -1776,6 +1950,14 @@ function parseMemoryWorthCounterField(raw) {
   if (!Number.isFinite(n) || !Number.isInteger(n) || n < 0) return void 0;
   return n;
 }
+function parseReinforcementCountField(raw) {
+  if (raw === void 0) return void 0;
+  const trimmed = raw.trim();
+  if (trimmed.length === 0) return void 0;
+  const n = Number(trimmed);
+  if (!Number.isFinite(n) || !Number.isInteger(n) || n <= 0) return void 0;
+  return n;
+}
 function parseFrontmatter2(raw) {
   const match = raw.match(/^---\n([\s\S]*?)\n---\n?([\s\S]*)$/);
   if (!match) return null;
@@ -1961,6 +2143,11 @@ function parseFrontmatter2(raw) {
       supersededBy: fm.supersededBy || void 0,
       supersededAt: fm.supersededAt || void 0,
       archivedAt: fm.archivedAt || void 0,
+      // Issue #680 — explicit fact lifecycle round-trip.
+      valid_at: fm.validAt || void 0,
+      invalid_at: fm.invalidAt || void 0,
+      forgottenAt: fm.forgottenAt || void 0,
+      forgottenReason: parseFrontmatterStringValue(fm.forgottenReason),
       lifecycleState: fm.lifecycleState || void 0,
       verificationState: fm.verificationState || void 0,
       policyClass: fm.policyClass || void 0,
@@ -1995,7 +2182,14 @@ function parseFrontmatter2(raw) {
       // Consolidation provenance (issue #561) — read-through only in this
       // PR; no code produces these fields yet.
       derived_from,
-      derived_via
+      derived_via,
+      // Pattern-reinforcement metadata (issue #687 PR 2/4).  Parse
+      // permissively: invalid values (negative, non-integer, blank
+      // ISO-strings) are dropped to undefined so a corrupt frontmatter
+      // never poisons downstream scoring.  Validation lives on the
+      // write path in serializeFrontmatter.
+      reinforcement_count: parseReinforcementCountField(fm.reinforcement_count),
+      last_reinforced_at: fm.last_reinforced_at || void 0
     },
     content
   };
@@ -2106,13 +2300,19 @@ var ContentHashIndex = class _ContentHashIndex {
   hashes = /* @__PURE__ */ new Set();
   dirty = false;
   filePath;
-  constructor(stateDir) {
+  secureStoreKeyProvider;
+  secureStoreWriteKeyProvider;
+  memoryDir;
+  constructor(stateDir, secureStoreKeyProvider = () => null, secureStoreWriteKeyProvider = secureStoreKeyProvider, memoryDir = path4.dirname(stateDir)) {
     this.filePath = path4.join(stateDir, "fact-hashes.txt");
+    this.secureStoreKeyProvider = secureStoreKeyProvider;
+    this.secureStoreWriteKeyProvider = secureStoreWriteKeyProvider;
+    this.memoryDir = memoryDir;
   }
   /** Load existing hashes from disk. Safe to call multiple times. */
   async load() {
     try {
-      const raw = await readFile2(this.filePath, "utf-8");
+      const raw = await readMaybeEncryptedFile(this.filePath, this.secureStoreKeyProvider(), this.memoryDir);
       for (const line of raw.split("\n")) {
         const trimmed = line.trim();
         if (trimmed.length > 0) {
@@ -2120,7 +2320,9 @@ var ContentHashIndex = class _ContentHashIndex {
         }
       }
       log.debug(`content-hash index: loaded ${this.hashes.size} hashes`);
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       log.debug("content-hash index: no existing index \u2014 starting fresh");
     }
   }
@@ -2143,7 +2345,13 @@ var ContentHashIndex = class _ContentHashIndex {
   async save() {
     if (!this.dirty) return;
     await mkdir2(path4.dirname(this.filePath), { recursive: true });
-    await writeFile2(this.filePath, [...this.hashes].join("\n") + "\n", "utf-8");
+    await writeMaybeEncryptedFile(
+      this.filePath,
+      [...this.hashes].join("\n") + "\n",
+      this.secureStoreWriteKeyProvider(),
+      {},
+      this.memoryDir
+    );
     this.dirty = false;
     log.debug(`content-hash index: saved ${this.hashes.size} hashes`);
   }
@@ -3006,6 +3214,8 @@ var StorageManager = class _StorageManager {
   // 1 minute
   static artifactWriteVersionByDir = /* @__PURE__ */ new Map();
   static memoryStatusVersionByDir = /* @__PURE__ */ new Map();
+  static secureStoreEntityCacheKeyIds = /* @__PURE__ */ new WeakMap();
+  static nextSecureStoreEntityCacheKeyId = 1;
   // In-process fallback for the cold-write sentinel (used when the disk file
   // is not accessible).  The canonical source of truth is state/cold-write.log.
   static coldWriteVersionByDir = /* @__PURE__ */ new Map();
@@ -3053,6 +3263,7 @@ var StorageManager = class _StorageManager {
   factHashIndexLoadPromise = null;
   factHashIndexAuthoritative = null;
   factHashIndexAuthoritativePromise = null;
+  secureAppendChains = /* @__PURE__ */ new Map();
   /** Optional: set by the orchestrator after construction to enable template-aware citation stripping during legacy hash rebuild. */
   citationTemplate = DEFAULT_CITATION_FORMAT;
   /** Page-versioning configuration.  Set by the orchestrator after construction. */
@@ -3061,6 +3272,87 @@ var StorageManager = class _StorageManager {
   setVersioningConfig(config) {
     this._versioningConfig = config;
   }
+  /**
+   * At-rest encryption key (issue #690 PR 3/4).
+   *
+   * When non-null, every memory file read is decrypted and every write
+   * is encrypted using the secure-fs layer.  When null, the storage
+   * layer operates in plain-text mode (legacy/unencrypted store).
+   *
+   * Set by the orchestrator after init/unlock; cleared on lock.
+   * The key buffer is NEVER logged or serialized.
+   */
+  _secureStoreKey = null;
+  /**
+   * When true (and `_secureStoreKey` is non-null), new writes are
+   * encrypted.  Set to false to pause encryption of new writes while
+   * still decrypting existing files.
+   */
+  _secureStoreEncryptOnWrite = true;
+  /**
+   * When true, the secure-store is configured as required — writes
+   * MUST be encrypted and a locked store MUST reject writes rather
+   * than silently falling back to plaintext.  Set by the orchestrator
+   * from `config.secureStoreEnabled`.
+   */
+  _secureStoreRequired = false;
+  /**
+   * Set or clear the at-rest encryption key.
+   *
+   * Pass a 32-byte Buffer to enable encryption; pass null to clear
+   * (lock) the store.  The caller is responsible for key lifecycle —
+   * this method does not zero the buffer on replacement; the keyring
+   * module (`keyring.ts`) owns zeroization.
+   */
+  setSecureStoreKey(key, encryptOnWrite = true) {
+    this._secureStoreKey = key;
+    this._secureStoreEncryptOnWrite = encryptOnWrite;
+    invalidateCachedEntities(this.baseDir);
+    this.invalidateKnowledgeIndexCache();
+  }
+  getEntityCacheSecureStoreKey() {
+    if (!this._secureStoreKey) return "secure-store:locked";
+    let id = _StorageManager.secureStoreEntityCacheKeyIds.get(this._secureStoreKey);
+    if (id === void 0) {
+      id = _StorageManager.nextSecureStoreEntityCacheKeyId++;
+      _StorageManager.secureStoreEntityCacheKeyIds.set(this._secureStoreKey, id);
+    }
+    return `secure-store:key:${id}`;
+  }
+  /**
+   * Mark the secure-store as required for this storage instance.
+   * When required and locked, writes throw SecureStoreLockedError
+   * rather than silently writing plaintext.
+   */
+  setSecureStoreRequired(required) {
+    this._secureStoreRequired = required;
+  }
+  /** Return true iff the secure-store key is currently set (store is unlocked). */
+  isSecureStoreUnlocked() {
+    return this._secureStoreKey !== null;
+  }
+  /**
+   * Resolve the effective write key.
+   *
+   * - If `_secureStoreEncryptOnWrite` is false: returns null (plain write).
+   * - If `_secureStoreEncryptOnWrite` is true AND key is set: returns key.
+   * - If `_secureStoreEncryptOnWrite` is true AND key is null AND
+   *   `_secureStoreRequired` is true: throws SecureStoreLockedError so the
+   *   write fails loudly rather than silently writing plaintext (P1 finding
+   *   from Cursor review of PR #767).
+   * - If `_secureStoreEncryptOnWrite` is true AND key is null AND
+   *   `_secureStoreRequired` is false: returns null (unencrypted store).
+   */
+  resolveWriteKey() {
+    if (!this._secureStoreEncryptOnWrite) return null;
+    if (this._secureStoreKey !== null) return this._secureStoreKey;
+    if (this._secureStoreRequired) {
+      throw new SecureStoreLockedError(
+        "secure-store is locked \u2014 cannot write memory file. Run `remnic secure-store unlock` to decrypt, or restart the daemon after unlocking."
+      );
+    }
+    return null;
+  }
   /**
    * Snapshot the current content of a page before overwriting.
    * No-op when versioning is disabled or the file does not yet exist.
@@ -3068,7 +3360,7 @@ var StorageManager = class _StorageManager {
   async snapshotBeforeWrite(filePath, trigger) {
     if (!this._versioningConfig || !this._versioningConfig.enabled) return;
     try {
-      const existing = await readFile2(filePath, "utf-8");
+      const existing = await readMaybeEncryptedFile(filePath, this._secureStoreKey, this.baseDir);
       await createVersion(filePath, existing, trigger, this._versioningConfig, log, void 0, this.baseDir);
     } catch {
     }
@@ -3091,7 +3383,7 @@ var StorageManager = class _StorageManager {
     if (!this._versioningConfig || !this._versioningConfig.enabled) return null;
     let existing;
     try {
-      existing = await readFile2(filePath, "utf-8");
+      existing = await readMaybeEncryptedFile(filePath, this._secureStoreKey, this.baseDir);
     } catch {
       return null;
     }
@@ -3177,6 +3469,57 @@ var StorageManager = class _StorageManager {
   get entitiesDir() {
     return path4.join(this.baseDir, "entities");
   }
+  readStorageSecureFile(filePath) {
+    return readMaybeEncryptedFile(filePath, this._secureStoreKey, this.baseDir);
+  }
+  writeStorageSecureFile(filePath, content) {
+    return writeMaybeEncryptedFile(filePath, content, this.resolveWriteKey(), {}, this.baseDir);
+  }
+  createContentHashIndex() {
+    return new ContentHashIndex(
+      this.stateDir,
+      () => this._secureStoreKey,
+      () => this.resolveWriteKey(),
+      this.baseDir
+    );
+  }
+  async appendStorageSecureFile(filePath, content) {
+    const previous = this.secureAppendChains.get(filePath) ?? Promise.resolve();
+    const current = previous.catch(() => void 0).then(() => this.appendStorageSecureFileUnlocked(filePath, content));
+    const next = current.catch(() => void 0);
+    this.secureAppendChains.set(filePath, next);
+    try {
+      await current;
+    } finally {
+      if (this.secureAppendChains.get(filePath) === next) {
+        this.secureAppendChains.delete(filePath);
+      }
+    }
+  }
+  async appendStorageSecureFileUnlocked(filePath, content) {
+    const writeKey = this.resolveWriteKey();
+    await mkdir2(path4.dirname(filePath), { recursive: true });
+    if (writeKey === null) {
+      try {
+        if (isEncryptedFile(await readFile2(filePath))) {
+          const existing2 = await this.readStorageSecureFile(filePath);
+          await writeMaybeEncryptedFile(filePath, `${existing2}${content}`, null, {}, this.baseDir);
+          return;
+        }
+      } catch (err) {
+        if (!isErrnoCode(err, "ENOENT")) throw err;
+      }
+      await appendFile(filePath, content, "utf-8");
+      return;
+    }
+    let existing = "";
+    try {
+      existing = await this.readStorageSecureFile(filePath);
+    } catch (err) {
+      if (!isErrnoCode(err, "ENOENT")) throw err;
+    }
+    await writeMaybeEncryptedFile(filePath, `${existing}${content}`, writeKey, {}, this.baseDir);
+  }
   get stateDir() {
     return path4.join(this.baseDir, "state");
   }
@@ -3191,7 +3534,7 @@ var StorageManager = class _StorageManager {
       return this.factHashIndex;
     }
     if (!this.factHashIndexLoadPromise) {
-      const index = new ContentHashIndex(this.stateDir);
+      const index = this.createContentHashIndex();
       this.factHashIndexLoadPromise = index.load().then(() => {
         this.factHashIndex = index;
         return index;
@@ -3433,7 +3776,7 @@ ${sanitized.text}
       filePath = path4.join(this.factsDir, today, `${id}.md`);
     }
     await this.snapshotBeforeWrite(filePath, "write");
-    await writeFile2(filePath, fileContent, "utf-8");
+    await writeMaybeEncryptedFile(filePath, fileContent, this.resolveWriteKey(), {}, this.baseDir);
     this.invalidateAllMemoriesCache();
     await this.appendGeneratedMemoryLifecycleEventFailOpen("storage.writeMemory", {
       memoryId: id,
@@ -3469,6 +3812,50 @@ ${sanitized.text}
     const sanitized = sanitizeMemoryContent(content);
     return factHashIndex.has(sanitized.text);
   }
+  factContentHashForRemoval(memory) {
+    if (memory.frontmatter.category !== "fact") return null;
+    if (typeof memory.frontmatter.contentHash === "string" && memory.frontmatter.contentHash.length > 0) {
+      return memory.frontmatter.contentHash;
+    }
+    const configuredHashSource = stripCitationMarkersForHashRemoval(memory.content, this.citationTemplate);
+    const hashSource = configuredHashSource !== memory.content ? configuredHashSource : stripDefaultCitationMarkersWithoutRegex(memory.content);
+    return ContentHashIndex.computeHash(sanitizeMemoryContent(hashSource).text);
+  }
+  async removeFactContentHashesForMemories(memories) {
+    await this.ensureFactHashIndexAuthoritative();
+    const factHashIndex = await this.getFactHashIndex();
+    const removedIds = new Set(
+      memories.map((memory) => memory.frontmatter.id).filter((id) => typeof id === "string" && id.length > 0)
+    );
+    const removedHashes = /* @__PURE__ */ new Map();
+    for (const memory of memories) {
+      const hash = this.factContentHashForRemoval(memory);
+      if (hash) {
+        removedHashes.set(memory, hash);
+      }
+    }
+    if (removedHashes.size === 0) return;
+    const remainingActiveHashes = /* @__PURE__ */ new Set();
+    const remainingMemories = [
+      ...await this.readAllMemories(),
+      ...await this.readAllColdMemories()
+    ];
+    for (const memory of remainingMemories) {
+      if (memory.frontmatter.category !== "fact") continue;
+      if (removedIds.has(memory.frontmatter.id)) continue;
+      if (inferMemoryStatus(memory.frontmatter, memory.path) !== "active") continue;
+      const hash = this.factContentHashForRemoval(memory);
+      if (hash) {
+        remainingActiveHashes.add(hash);
+      }
+    }
+    for (const hash of removedHashes.values()) {
+      if (!remainingActiveHashes.has(hash)) {
+        factHashIndex.removeByHash(hash);
+      }
+    }
+    await factHashIndex.save();
+  }
   async isFactContentHashAuthoritative() {
     await this.ensureFactHashIndexAuthoritative();
     return true;
@@ -3502,10 +3889,10 @@ ${sanitized.text}
       return "";
     }
     const filePath = path4.join(dir, `${id}.md`);
-    await writeFile2(filePath, `${serializeFrontmatter(fm)}
+    await writeMaybeEncryptedFile(filePath, `${serializeFrontmatter(fm)}
 
 ${sanitized.text}
-`, "utf-8");
+`, this.resolveWriteKey(), {}, this.baseDir);
     const actor = typeof options.actor === "string" && options.actor.length > 0 ? options.actor : "storage.writeArtifact";
     await this.appendGeneratedMemoryLifecycleEventFailOpen("storage.writeArtifact", {
       memoryId: id,
@@ -3614,9 +4001,11 @@ ${sanitized.text}
       aliases: []
     };
     try {
-      const existing = await readFile2(filePath, "utf-8");
+      const existing = await this.readStorageSecureFile(filePath);
       entity = parseEntityFile(existing, this.entitySchemas);
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
     }
     const timestamp = options.timestamp?.trim() || (/* @__PURE__ */ new Date()).toISOString();
     const source = options.source?.trim() || void 0;
@@ -3672,7 +4061,7 @@ ${sanitized.text}
     entity.created = entity.created || timestamp;
     entity.updated = (/* @__PURE__ */ new Date()).toISOString();
     await this.snapshotBeforeWrite(filePath, "write");
-    await writeFile2(filePath, serializeEntityFile(entity, this.entitySchemas), "utf-8");
+    await this.writeStorageSecureFile(filePath, serializeEntityFile(entity, this.entitySchemas));
     this.invalidateKnowledgeIndexCache();
     this.bumpMemoryStatusVersion();
     log.debug(`wrote entity ${normalized}`);
@@ -3680,15 +4069,19 @@ ${sanitized.text}
   }
   async readProfile() {
     try {
-      return await readFile2(this.profilePath, "utf-8");
-    } catch {
-      return "";
+      return await readMaybeEncryptedFile(this.profilePath, this._secureStoreKey, this.baseDir);
+    } catch (error) {
+      if (error instanceof SecureStoreLockedError) {
+        throw error;
+      }
+      if (isErrnoCode(error, "ENOENT")) return "";
+      throw error;
     }
   }
   async writeProfile(content) {
     await this.ensureDirectories();
     await this.snapshotBeforeWrite(this.profilePath, "consolidation");
-    await writeFile2(this.profilePath, content, "utf-8");
+    await writeMaybeEncryptedFile(this.profilePath, content, this.resolveWriteKey(), {}, this.baseDir);
     log.debug("updated profile.md");
   }
   /**
@@ -3771,6 +4164,24 @@ ${sanitized.text}
   invalidateAllMemoriesCacheForDir() {
     this.invalidateAllMemoriesCache();
   }
+  /** Invalidate only the cache layers affected by direct tier file deletes. */
+  invalidateMemoryCachesForTiers(tiers) {
+    let hotChanged = false;
+    let coldChanged = false;
+    for (const tier of tiers) {
+      if (tier === "cold") {
+        coldChanged = true;
+      } else if (tier === "hot" || tier === "archive") {
+        hotChanged = true;
+      }
+    }
+    if (hotChanged) {
+      this.invalidateAllMemoriesCache();
+    }
+    if (coldChanged) {
+      this.invalidateColdMemoriesCache();
+    }
+  }
   /** Clear ALL static caches. Use in tests that write files directly
    *  (bypassing StorageManager.writeMemory) to avoid stale reads. */
   static clearAllStaticCaches() {
@@ -3862,7 +4273,7 @@ ${sanitized.text}
       const results = await Promise.all(
         batch.map(async (fullPath) => {
           try {
-            const raw = await readFile2(fullPath, "utf-8");
+            const raw = await readMaybeEncryptedFile(fullPath, this._secureStoreKey, this.baseDir);
             const parsed = parseFrontmatter2(raw);
             if (!parsed) return null;
             return {
@@ -3874,7 +4285,8 @@ ${sanitized.text}
               ),
               content: parsed.content
             };
-          } catch {
+          } catch (err) {
+            if (err instanceof SecureStoreLockedError) throw err;
             return null;
           }
         })
@@ -3887,7 +4299,7 @@ ${sanitized.text}
   }
   async readWindowUpdatedMs(filePath) {
     try {
-      const raw = await readFile2(filePath, "utf-8");
+      const raw = await readMaybeEncryptedFile(filePath, this._secureStoreKey, this.baseDir);
       const match = raw.match(/^---\n([\s\S]*?)\n---\n?/);
       if (!match) return null;
       const frontmatterBlock = match[1];
@@ -4071,7 +4483,7 @@ ${sanitized.text}
             await readDir(fullPath);
           } else if (entry.name.endsWith(".md")) {
             try {
-              const raw = await readFile2(fullPath, "utf-8");
+              const raw = await readMaybeEncryptedFile(fullPath, this._secureStoreKey, this.baseDir);
               const parsed = parseFrontmatter2(raw);
               if (parsed) {
                 memories.push({
@@ -4084,7 +4496,8 @@ ${sanitized.text}
                   content: parsed.content
                 });
               }
-            } catch {
+            } catch (err) {
+              if (err instanceof SecureStoreLockedError) throw err;
             }
           }
         }
@@ -4097,7 +4510,7 @@ ${sanitized.text}
   /** Read a single memory file by its absolute path. Returns null if unreadable. */
   async readMemoryByPath(filePath) {
     try {
-      const raw = await readFile2(filePath, "utf-8");
+      const raw = await readMaybeEncryptedFile(filePath, this._secureStoreKey, this.baseDir);
       const parsed = parseFrontmatter2(raw);
       if (parsed) {
         return {
@@ -4132,7 +4545,8 @@ ${sanitized.text}
         };
       }
       return null;
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
       return null;
     }
   }
@@ -4170,19 +4584,8 @@ ${sanitized.text}
 
 ${memory.content}
 `;
-    await mkdir2(path4.dirname(targetPath), { recursive: true });
-    const tempPath = `${targetPath}.tmp-${process.pid}-${Date.now()}`;
-    try {
-      await writeFile2(tempPath, fileContent, "utf-8");
-      await rename(tempPath, targetPath);
-      this.invalidateAllMemoriesCache();
-    } catch (err) {
-      try {
-        await unlink(tempPath);
-      } catch {
-      }
-      throw err;
-    }
+    await writeMaybeEncryptedFile(targetPath, fileContent, this.resolveWriteKey(), {}, this.baseDir);
+    this.invalidateAllMemoriesCache();
   }
   async moveMemoryToPath(memory, targetPath) {
     await this.writeMemoryFileAtomic(targetPath, memory);
@@ -4253,7 +4656,7 @@ ${memory.content}
 ${memory.content}
 `;
       const destPath = path4.join(destDir, path4.basename(memory.path));
-      await writeFile2(destPath, fileContent, "utf-8");
+      await writeMaybeEncryptedFile(destPath, fileContent, this.resolveWriteKey(), {}, this.baseDir);
       await unlink(memory.path);
       this.invalidateAllMemoriesCache();
       await this.appendGeneratedMemoryLifecycleEventFailOpen(
@@ -4289,8 +4692,10 @@ ${memory.content}
   }
   async readEntity(name) {
     try {
-      return await readFile2(path4.join(this.entitiesDir, `${name}.md`), "utf-8");
-    } catch {
+      return await this.readStorageSecureFile(path4.join(this.entitiesDir, `${name}.md`));
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return "";
     }
   }
@@ -4374,7 +4779,7 @@ ${memory.content}
 
 ${sanitized.text}
 `;
-    await writeFile2(memory.path, fileContent, "utf-8");
+    await writeMaybeEncryptedFile(memory.path, fileContent, this.resolveWriteKey(), {}, this.baseDir);
     this.invalidateAllMemoriesCache();
     await this.appendGeneratedMemoryLifecycleEventFailOpen("storage.updateMemory", {
       memoryId: id,
@@ -4406,7 +4811,7 @@ ${sanitized.text}
 
 ${memory.content}
 `;
-    await writeFile2(memory.path, fileContent, "utf-8");
+    await writeMaybeEncryptedFile(memory.path, fileContent, this.resolveWriteKey(), {}, this.baseDir);
     this.invalidateAllMemoriesCache();
     if (memory.path.includes(`${path4.sep}cold${path4.sep}`)) {
       this.invalidateColdMemoriesCache();
@@ -4471,21 +4876,23 @@ ${memory.content}
   async loadBuffer() {
     const bufferPath = path4.join(this.stateDir, "buffer.json");
     try {
-      const raw = await readFile2(bufferPath, "utf-8");
+      const raw = await this.readStorageSecureFile(bufferPath);
       return JSON.parse(raw);
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return { turns: [], lastExtractionAt: null, extractionCount: 0 };
     }
   }
   async saveBuffer(state) {
     await this.ensureDirectories();
     const bufferPath = path4.join(this.stateDir, "buffer.json");
-    await writeFile2(bufferPath, JSON.stringify(state, null, 2), "utf-8");
+    await this.writeStorageSecureFile(bufferPath, JSON.stringify(state, null, 2));
   }
   async loadMeta() {
     const metaPath = path4.join(this.stateDir, "meta.json");
     try {
-      const raw = await readFile2(metaPath, "utf-8");
+      const raw = await this.readStorageSecureFile(metaPath);
       const parsed = JSON.parse(raw);
       return {
         extractionCount: typeof parsed.extractionCount === "number" ? parsed.extractionCount : 0,
@@ -4502,7 +4909,9 @@ ${memory.content}
           observedAt: entry.observedAt
         })) : []
       };
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return {
         extractionCount: 0,
         lastExtractionAt: null,
@@ -4516,7 +4925,7 @@ ${memory.content}
   async saveMeta(state) {
     await this.ensureDirectories();
     const metaPath = path4.join(this.stateDir, "meta.json");
-    await writeFile2(metaPath, JSON.stringify(state, null, 2), "utf-8");
+    await this.writeStorageSecureFile(metaPath, JSON.stringify(state, null, 2));
   }
   async appendMemoryActionEvents(events) {
     if (events.length === 0) return 0;
@@ -4530,7 +4939,7 @@ ${memory.content}
       return `${JSON.stringify(normalized)}
 `;
     }).join("");
-    await appendFile(this.memoryActionsPath, payload, "utf-8");
+    await this.appendStorageSecureFile(this.memoryActionsPath, payload);
     return events.length;
   }
   async appendMemoryLifecycleEvents(events) {
@@ -4545,7 +4954,7 @@ ${memory.content}
       return `${JSON.stringify(normalized)}
 `;
     }).join("");
-    await appendFile(this.memoryLifecycleLedgerPath, payload, "utf-8");
+    await this.appendStorageSecureFile(this.memoryLifecycleLedgerPath, payload);
     return events.length;
   }
   /**
@@ -4570,7 +4979,7 @@ ${memory.content}
       return `${JSON.stringify(normalized)}
 `;
     }).join("");
-    await appendFile(this.bufferSurpriseLedgerPath, payload, "utf-8");
+    await this.appendStorageSecureFile(this.bufferSurpriseLedgerPath, payload);
     return events.length;
   }
   /**
@@ -4607,8 +5016,9 @@ ${memory.content}
   async readBufferSurpriseEvents(options = {}) {
     let raw;
     try {
-      raw = await readFile2(this.bufferSurpriseLedgerPath, "utf-8");
+      raw = await this.readStorageSecureFile(this.bufferSurpriseLedgerPath);
     } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
       const code = err.code;
       if (code === "ENOENT") return [];
       throw err;
@@ -4643,7 +5053,7 @@ ${memory.content}
     await this.ensureDirectories();
     let existingKeys = /* @__PURE__ */ new Set();
     try {
-      const raw = await readFile2(this.behaviorSignalsPath, "utf-8");
+      const raw = await this.readStorageSecureFile(this.behaviorSignalsPath);
       const lines = raw.split("\n");
       for (const line of lines) {
         const row = line.trim();
@@ -4656,7 +5066,9 @@ ${memory.content}
         } catch {
         }
       }
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       existingKeys = /* @__PURE__ */ new Set();
     }
     const nowIso = (/* @__PURE__ */ new Date()).toISOString();
@@ -4673,7 +5085,7 @@ ${memory.content}
     if (deduped.length === 0) return 0;
     const payload = deduped.map((event) => `${JSON.stringify(event)}
 `).join("");
-    await appendFile(this.behaviorSignalsPath, payload, "utf-8");
+    await this.appendStorageSecureFile(this.behaviorSignalsPath, payload);
     return deduped.length;
   }
   async appendReextractJobs(events) {
@@ -4682,9 +5094,11 @@ ${memory.content}
     const filePath = path4.join(this.stateDir, "reextract-jobs.jsonl");
     const lines = events.map((event) => JSON.stringify(event)).join("\n") + "\n";
     try {
-      await appendFile(filePath, lines, "utf-8");
+      await this.appendStorageSecureFile(filePath, lines);
       return events.length;
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return 0;
     }
   }
@@ -4692,7 +5106,7 @@ ${memory.content}
     const safeLimit = Number.isFinite(limit) ? Math.max(1, Math.min(1e3, Math.floor(limit))) : 200;
     const filePath = path4.join(this.stateDir, "reextract-jobs.jsonl");
     try {
-      const raw = await readFile2(filePath, "utf-8");
+      const raw = await this.readStorageSecureFile(filePath);
       const lines = raw.split("\n").filter((line) => line.trim().length > 0);
       const parsed = [];
       for (const line of lines) {
@@ -4712,7 +5126,9 @@ ${memory.content}
         }
       }
       return parsed.slice(-safeLimit);
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return [];
     }
   }
@@ -4720,7 +5136,7 @@ ${memory.content}
     const cappedLimit = Math.max(0, Math.floor(limit));
     if (cappedLimit === 0) return [];
     try {
-      const raw = await readFile2(this.behaviorSignalsPath, "utf-8");
+      const raw = await this.readStorageSecureFile(this.behaviorSignalsPath);
       const out = [];
       const lines = raw.split("\n");
       for (let i = lines.length - 1; i >= 0 && out.length < cappedLimit; i -= 1) {
@@ -4735,15 +5151,20 @@ ${memory.content}
         }
       }
       return out.reverse();
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return [];
     }
   }
   async readMemoryActionEvents(limit = 200) {
+    return (await this.readMemoryActionEventRows(limit)).map((row) => row.event);
+  }
+  async readMemoryActionEventRows(limit = 200) {
     const cappedLimit = Math.max(0, Math.floor(limit));
     if (cappedLimit === 0) return [];
     try {
-      const raw = await readFile2(this.memoryActionsPath, "utf-8");
+      const raw = await this.readStorageSecureFile(this.memoryActionsPath);
       const out = [];
       const lines = raw.split("\n");
       for (let i = lines.length - 1; i >= 0 && out.length < cappedLimit; i -= 1) {
@@ -4751,20 +5172,29 @@ ${memory.content}
         if (!line) continue;
         try {
           const parsed = JSON.parse(line);
-          if (typeof parsed.timestamp === "string" && typeof parsed.action === "string" && typeof parsed.outcome === "string") {
-            out.push(parsed);
+          const outcome = parsed.outcome === "applied" || parsed.outcome === "skipped" || parsed.outcome === "failed" ? parsed.outcome : null;
+          if (typeof parsed.timestamp === "string" && typeof parsed.action === "string" && outcome !== null) {
+            out.push({
+              line: i + 1,
+              event: {
+                ...parsed,
+                outcome
+              }
+            });
           }
         } catch {
         }
       }
       return out.reverse();
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return [];
     }
   }
   async readAllMemoryLifecycleEvents() {
     try {
-      const raw = await readFile2(this.memoryLifecycleLedgerPath, "utf-8");
+      const raw = await this.readStorageSecureFile(this.memoryLifecycleLedgerPath);
       const out = [];
       const lines = raw.split("\n");
       for (const line of lines) {
@@ -4779,7 +5209,9 @@ ${memory.content}
         }
       }
       return sortMemoryLifecycleEvents(out);
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return [];
     }
   }
@@ -4791,35 +5223,39 @@ ${memory.content}
   }
   async writeCompressionGuidelines(content) {
     await this.ensureDirectories();
-    await writeFile2(this.compressionGuidelinesPath, content, "utf-8");
+    await this.writeStorageSecureFile(this.compressionGuidelinesPath, content);
   }
   async readCompressionGuidelines() {
     try {
-      return await readFile2(this.compressionGuidelinesPath, "utf-8");
-    } catch {
+      return await this.readStorageSecureFile(this.compressionGuidelinesPath);
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return null;
     }
   }
   async writeCompressionGuidelineDraft(content) {
     await this.ensureDirectories();
-    await writeFile2(this.compressionGuidelineDraftPath, content, "utf-8");
+    await this.writeStorageSecureFile(this.compressionGuidelineDraftPath, content);
   }
   async readCompressionGuidelineDraft() {
     try {
-      return await readFile2(this.compressionGuidelineDraftPath, "utf-8");
-    } catch {
+      return await this.readStorageSecureFile(this.compressionGuidelineDraftPath);
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return null;
     }
   }
   async writeCompressionGuidelineOptimizerState(state) {
     await this.ensureDirectories();
-    await writeFile2(this.compressionGuidelineStatePath, `${JSON.stringify(state, null, 2)}
-`, "utf-8");
+    await this.writeStorageSecureFile(this.compressionGuidelineStatePath, `${JSON.stringify(state, null, 2)}
+`);
   }
   async writeCompressionGuidelineDraftState(state) {
     await this.ensureDirectories();
-    await writeFile2(this.compressionGuidelineDraftStatePath, `${JSON.stringify(state, null, 2)}
-`, "utf-8");
+    await this.writeStorageSecureFile(this.compressionGuidelineDraftStatePath, `${JSON.stringify(state, null, 2)}
+`);
   }
   async readCompressionGuidelineOptimizerState() {
     return this.readCompressionGuidelineStateFile(this.compressionGuidelineStatePath);
@@ -4867,7 +5303,7 @@ ${memory.content}
       return typeof rule.action === "string" && typeof rule.delta === "number" && Number.isFinite(rule.delta) && (rule.direction === "increase" || rule.direction === "decrease" || rule.direction === "hold") && (rule.confidence === "low" || rule.confidence === "medium" || rule.confidence === "high") && Array.isArray(rule.notes) && rule.notes.every((note) => typeof note === "string");
     };
     try {
-      const raw = await readFile2(filePath, "utf-8");
+      const raw = await this.readStorageSecureFile(filePath);
       const parsed = JSON.parse(raw);
       const sourceWindow = parsed?.sourceWindow;
       const eventCounts = parsed?.eventCounts;
@@ -4897,18 +5333,21 @@ ${memory.content}
         ...actionSummaries ? { actionSummaries } : {},
         ...ruleUpdates ? { ruleUpdates } : {}
       };
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return null;
     }
   }
   async writeIdentityAnchor(content) {
     await this.ensureDirectories();
-    await writeFile2(this.identityAnchorPath, content, "utf-8");
+    await this.writeStorageSecureFile(this.identityAnchorPath, content);
   }
   async readIdentityAnchor() {
     try {
-      return await readFile2(this.identityAnchorPath, "utf-8");
-    } catch {
+      return await this.readStorageSecureFile(this.identityAnchorPath);
+    } catch (err) {
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return null;
     }
   }
@@ -4920,7 +5359,7 @@ ${memory.content}
     const id = this.generateId("incident");
     const incident = createContinuityIncidentRecord(id, input, nowIso);
     const filePath = path4.join(this.identityIncidentsDir, `${date}-${id}.md`);
-    await writeFile2(filePath, serializeContinuityIncident(incident), "utf-8");
+    await this.writeStorageSecureFile(filePath, serializeContinuityIncident(incident));
     return { ...incident, filePath };
   }
   async readContinuityIncidents(limit = 200, state = "all") {
@@ -4934,16 +5373,19 @@ ${memory.content}
         if (incidents.length >= cappedLimit) break;
         const filePath = path4.join(this.identityIncidentsDir, file);
         try {
-          const raw = await readFile2(filePath, "utf-8");
+          const raw = await this.readStorageSecureFile(filePath);
           const parsed = parseContinuityIncident(raw);
           if (!parsed) continue;
           if (state !== "all" && parsed.state !== state) continue;
           incidents.push({ ...parsed, filePath });
-        } catch {
+        } catch (err) {
+          if (err instanceof SecureStoreLockedError) throw err;
         }
       }
       return incidents;
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return [];
     }
   }
@@ -4953,7 +5395,7 @@ ${memory.content}
     if (!target || !directFilePath) return null;
     if (target.state === "closed") return target;
     const closed = closeContinuityIncidentRecord(target, closure, (/* @__PURE__ */ new Date()).toISOString());
-    await writeFile2(directFilePath, serializeContinuityIncident(closed), "utf-8");
+    await this.writeStorageSecureFile(directFilePath, serializeContinuityIncident(closed));
     return { ...closed, filePath: directFilePath };
   }
   async writeIdentityAudit(period, key, content) {
@@ -4961,26 +5403,29 @@ ${memory.content}
     const safeKey = this.sanitizeIdentityAuditKey(key);
     const dir = period === "weekly" ? this.identityAuditsWeeklyDir : this.identityAuditsMonthlyDir;
     const filePath = path4.join(dir, `${safeKey}.md`);
-    await writeFile2(filePath, content, "utf-8");
+    await this.writeStorageSecureFile(filePath, content);
     return filePath;
   }
   async readIdentityAudit(period, key) {
     try {
       const safeKey = this.sanitizeIdentityAuditKey(key);
       const dir = period === "weekly" ? this.identityAuditsWeeklyDir : this.identityAuditsMonthlyDir;
-      return await readFile2(path4.join(dir, `${safeKey}.md`), "utf-8");
-    } catch {
+      return await this.readStorageSecureFile(path4.join(dir, `${safeKey}.md`));
+    } catch (err) {
+      if (err instanceof Error && err.message === "Invalid identity audit key") return null;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return null;
     }
   }
   async writeIdentityImprovementLoops(content) {
     await this.ensureDirectories();
-    await writeFile2(this.identityImprovementLoopsPath, content, "utf-8");
+    await this.writeStorageSecureFile(this.identityImprovementLoopsPath, content);
   }
   async readIdentityImprovementLoops() {
     try {
-      return await readFile2(this.identityImprovementLoopsPath, "utf-8");
-    } catch {
+      return await this.readStorageSecureFile(this.identityImprovementLoopsPath);
+    } catch (err) {
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return null;
     }
   }
@@ -5017,10 +5462,11 @@ ${memory.content}
   }
   async readContinuityIncidentFile(filePath) {
     try {
-      const raw = await readFile2(filePath, "utf-8");
+      const raw = await this.readStorageSecureFile(filePath);
       const parsed = parseContinuityIncident(raw);
       return parsed ? { ...parsed, filePath } : null;
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
       return null;
     }
   }
@@ -5088,7 +5534,7 @@ ${question}
       for (const file of files) {
         if (!file.endsWith(".md")) continue;
         const filePath = path4.join(this.questionsDir, file);
-        const raw = await readFile2(filePath, "utf-8");
+        const raw = await readMaybeEncryptedFile(filePath, this._secureStoreKey, this.baseDir);
         const parsed = this.parseQuestionFile(raw, filePath);
         if (parsed) {
           questions.push(parsed);
@@ -5219,20 +5665,22 @@ ${reflection}
   }
   async readIdentityReflections() {
     try {
-      return await readFile2(this.identityReflectionsPath, "utf-8");
-    } catch {
+      return await this.readStorageSecureFile(this.identityReflectionsPath);
+    } catch (err) {
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return null;
     }
   }
   async writeIdentityReflections(content) {
     await mkdir2(this.identityDir, { recursive: true });
-    await writeFile2(this.identityReflectionsPath, content, "utf-8");
+    await this.writeStorageSecureFile(this.identityReflectionsPath, content);
   }
   async appendIdentityReflection(reflection) {
     let existing = "";
     try {
-      existing = await readFile2(this.identityReflectionsPath, "utf-8");
-    } catch {
+      existing = await this.readStorageSecureFile(this.identityReflectionsPath);
+    } catch (err) {
+      if (!isErrnoCode(err, "ENOENT")) throw err;
     }
     if (existing.length > _StorageManager.IDENTITY_MAX_BYTES) {
       log.debug(
@@ -5257,7 +5705,7 @@ ${reflection}
 ${reflection}
 `;
     await mkdir2(this.identityDir, { recursive: true });
-    await writeFile2(this.identityReflectionsPath, `${existing.trimEnd()}${section}`, "utf-8");
+    await this.writeStorageSecureFile(this.identityReflectionsPath, `${existing.trimEnd()}${section}`);
     log.debug(`appended namespace-local reflection to ${this.identityReflectionsPath}`);
   }
   // ---------------------------------------------------------------------------
@@ -5271,9 +5719,11 @@ ${reflection}
     const filePath = path4.join(this.entitiesDir, `${name}.md`);
     let entity;
     try {
-      const content = await readFile2(filePath, "utf-8");
+      const content = await this.readStorageSecureFile(filePath);
       entity = parseEntityFile(content, this.entitySchemas);
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       log.debug(`addEntityRelationship: entity file ${name}.md not found`);
       return;
     }
@@ -5283,7 +5733,7 @@ ${reflection}
     if (exists) return;
     entity.relationships.push(rel);
     entity.updated = (/* @__PURE__ */ new Date()).toISOString();
-    await writeFile2(filePath, serializeEntityFile(entity, this.entitySchemas), "utf-8");
+    await this.writeStorageSecureFile(filePath, serializeEntityFile(entity, this.entitySchemas));
     this.invalidateKnowledgeIndexCache();
   }
   /**
@@ -5294,9 +5744,11 @@ ${reflection}
     const filePath = path4.join(this.entitiesDir, `${name}.md`);
     let entity;
     try {
-      const content = await readFile2(filePath, "utf-8");
+      const content = await this.readStorageSecureFile(filePath);
       entity = parseEntityFile(content, this.entitySchemas);
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       log.debug(`addEntityActivity: entity file ${name}.md not found`);
       return;
     }
@@ -5305,7 +5757,7 @@ ${reflection}
       entity.activity = entity.activity.slice(0, maxEntries);
     }
     entity.updated = (/* @__PURE__ */ new Date()).toISOString();
-    await writeFile2(filePath, serializeEntityFile(entity, this.entitySchemas), "utf-8");
+    await this.writeStorageSecureFile(filePath, serializeEntityFile(entity, this.entitySchemas));
     this.invalidateKnowledgeIndexCache();
   }
   /**
@@ -5315,16 +5767,18 @@ ${reflection}
     const filePath = path4.join(this.entitiesDir, `${name}.md`);
     let entity;
     try {
-      const content = await readFile2(filePath, "utf-8");
+      const content = await this.readStorageSecureFile(filePath);
       entity = parseEntityFile(content, this.entitySchemas);
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       log.debug(`addEntityAlias: entity file ${name}.md not found`);
       return;
     }
     if (entity.aliases.includes(alias)) return;
     entity.aliases.push(alias);
     entity.updated = (/* @__PURE__ */ new Date()).toISOString();
-    await writeFile2(filePath, serializeEntityFile(entity, this.entitySchemas), "utf-8");
+    await this.writeStorageSecureFile(filePath, serializeEntityFile(entity, this.entitySchemas));
     this.invalidateKnowledgeIndexCache();
   }
   /**
@@ -5334,9 +5788,11 @@ ${reflection}
     const filePath = path4.join(this.entitiesDir, `${name}.md`);
     let entity;
     try {
-      const content = await readFile2(filePath, "utf-8");
+      const content = await this.readStorageSecureFile(filePath);
       entity = parseEntityFile(content, this.entitySchemas);
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       log.debug(`updateEntitySynthesis: entity file ${name}.md not found`);
       return;
     }
@@ -5353,7 +5809,7 @@ ${reflection}
     entity.synthesisStructuredFactDigest = synthesisStructuredFactDigest;
     entity.synthesisVersion = Math.max(0, entity.synthesisVersion ?? 0) + (options.incrementVersion === false ? 0 : 1);
     entity.updated = entityUpdatedAt;
-    await writeFile2(filePath, serializeEntityFile(entity, this.entitySchemas), "utf-8");
+    await this.writeStorageSecureFile(filePath, serializeEntityFile(entity, this.entitySchemas));
     await this.removeEntitySynthesisQueueEntries([
       .../* @__PURE__ */ new Set([name, normalizeEntityName(entity.name, entity.type)])
     ]);
@@ -5368,9 +5824,11 @@ ${reflection}
     let synthesisTimelineCount;
     try {
       const filePath = path4.join(this.entitiesDir, `${name}.md`);
-      const content = await readFile2(filePath, "utf-8");
+      const content = await this.readStorageSecureFile(filePath);
       synthesisTimelineCount = parseEntityFile(content, this.entitySchemas).timeline.length;
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       synthesisTimelineCount = void 0;
     }
     await this.updateEntitySynthesis(name, summary, {
@@ -5381,10 +5839,12 @@ ${reflection}
   }
   async readEntitySynthesisQueue() {
     try {
-      const raw = await readFile2(this.entitySynthesisQueuePath, "utf-8");
+      const raw = await this.readStorageSecureFile(this.entitySynthesisQueuePath);
       const parsed = JSON.parse(raw);
       return Array.isArray(parsed.entityNames) ? parsed.entityNames.filter((value) => typeof value === "string") : [];
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return [];
     }
   }
@@ -5406,7 +5866,7 @@ ${reflection}
       return compareEntityTimestamps(rightTs, leftTs);
     }).map(({ entityName }) => entityName);
     await mkdir2(this.stateDir, { recursive: true });
-    await writeFile2(
+    await this.writeStorageSecureFile(
       this.entitySynthesisQueuePath,
       JSON.stringify(
         {
@@ -5415,8 +5875,7 @@ ${reflection}
         },
         null,
         2
-      ) + "\n",
-      "utf-8"
+      ) + "\n"
     );
     return staleEntityNames;
   }
@@ -5427,7 +5886,7 @@ ${reflection}
     const removals = new Set(entityNames);
     const nextQueue = queue.filter((name) => !removals.has(name));
     await mkdir2(this.stateDir, { recursive: true });
-    await writeFile2(
+    await this.writeStorageSecureFile(
       this.entitySynthesisQueuePath,
       JSON.stringify(
         {
@@ -5436,8 +5895,7 @@ ${reflection}
         },
         null,
         2
-      ) + "\n",
-      "utf-8"
+      ) + "\n"
     );
   }
   async migrateEntityFilesToCompiledTruthTimeline() {
@@ -5448,7 +5906,7 @@ ${reflection}
       if (!raw) continue;
       const serialized = serializeEntityFile(parseEntityFile(raw, this.entitySchemas), this.entitySchemas);
       if (raw.trimEnd() === serialized.trimEnd()) continue;
-      await writeFile2(path4.join(this.entitiesDir, `${entityName}.md`), serialized, "utf-8");
+      await this.writeStorageSecureFile(path4.join(this.entitiesDir, `${entityName}.md`), serialized);
       migrated += 1;
     }
     if (migrated > 0) {
@@ -5470,7 +5928,8 @@ ${reflection}
   async readAllEntityFiles() {
     const currentVersion = this.getMemoryStatusVersion();
     const schemaCacheKey = buildEntitySchemaCacheKey(this.entitySchemas);
-    const cached = getCachedEntities(this.baseDir, currentVersion, schemaCacheKey);
+    const cacheKey = `${this.getEntityCacheSecureStoreKey()}\0${schemaCacheKey}`;
+    const cached = getCachedEntities(this.baseDir, currentVersion, cacheKey);
     if (cached) return cached;
     try {
       const entries = await readdir(this.entitiesDir);
@@ -5481,17 +5940,24 @@ ${reflection}
       for (let i = 0; i < mdFiles.length; i += BATCH_SIZE) {
         const batch = mdFiles.slice(i, i + BATCH_SIZE);
         const results = await Promise.all(
-          batch.map(
-            (entry) => readFile2(path4.join(this.entitiesDir, entry), "utf-8").catch(() => null)
-          )
+          batch.map(async (entry) => {
+            try {
+              return await this.readStorageSecureFile(path4.join(this.entitiesDir, entry));
+            } catch (err) {
+              if (err instanceof SecureStoreLockedError) throw err;
+              if (!isErrnoCode(err, "ENOENT")) throw err;
+              return null;
+            }
+          })
         );
         for (const content of results) {
           if (content !== null) entities.push(parseEntityFile(content, this.entitySchemas));
         }
       }
-      setCachedEntities(this.baseDir, entities, currentVersion, schemaCacheKey);
+      setCachedEntities(this.baseDir, entities, currentVersion, cacheKey);
       return entities;
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError || !isErrnoCode(err, "ENOENT")) throw err;
       return [];
     }
   }
@@ -5624,7 +6090,7 @@ ${rows.join("\n")}
         for (const file of files) {
           const filePath = path4.join(this.entitiesDir, file);
           try {
-            const content = await readFile2(filePath, "utf-8");
+            const content = await this.readStorageSecureFile(filePath);
             const parsed = parseEntityFile(content, this.entitySchemas);
             if (!mergedEntity.type || mergedEntity.type === "other") {
               mergedEntity.type = parsed.type;
@@ -5701,7 +6167,9 @@ ${rows.join("\n")}
               title: section.title,
               lines: [...section.lines]
             })));
-          } catch {
+          } catch (err) {
+            if (err instanceof SecureStoreLockedError) throw err;
+            if (!isErrnoCode(err, "ENOENT")) throw err;
           }
         }
         const timelineKeys = /* @__PURE__ */ new Set();
@@ -5752,7 +6220,7 @@ ${rows.join("\n")}
         mergedEntity.created = mergedEntity.created || mergedEntity.updated || (/* @__PURE__ */ new Date()).toISOString();
         mergedEntity.updated = mergedEntity.updated || (/* @__PURE__ */ new Date()).toISOString();
         const canonicalPath = path4.join(this.entitiesDir, `${canonical}.md`);
-        await writeFile2(canonicalPath, serializeEntityFile(mergedEntity, this.entitySchemas), "utf-8");
+        await this.writeStorageSecureFile(canonicalPath, serializeEntityFile(mergedEntity, this.entitySchemas));
         for (const file of files) {
           const filePath = path4.join(this.entitiesDir, file);
           if (filePath !== canonicalPath) {
@@ -5765,7 +6233,8 @@ ${rows.join("\n")}
           }
         }
       }
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError || !isErrnoCode(err, "ENOENT")) throw err;
     }
     return merged;
   }
@@ -5819,7 +6288,7 @@ ${rows.join("\n")}
 ${memory.content}
 `;
       try {
-        await writeFile2(memory.path, fileContent, "utf-8");
+        await this.writeStorageSecureFile(memory.path, fileContent);
         updated++;
       } catch (err) {
         log.debug(`failed to update access tracking for ${entry.memoryId}: ${err}`);
@@ -5960,7 +6429,7 @@ ${sanitized.text}
     } else {
       filePath = path4.join(this.factsDir, today, `${id}.md`);
     }
-    await writeFile2(filePath, fileContent, "utf-8");
+    await this.writeStorageSecureFile(filePath, fileContent);
     log.debug(`wrote chunk ${id} (${chunkIndex + 1}/${chunkTotal}) to ${filePath}`);
     return id;
   }
@@ -5996,7 +6465,7 @@ ${sanitized.text}
 ${oldMemory.content}
 `;
     try {
-      await writeFile2(oldMemory.path, fileContent, "utf-8");
+      await writeMaybeEncryptedFile(oldMemory.path, fileContent, this.resolveWriteKey(), {}, this.baseDir);
       await this.appendGeneratedMemoryLifecycleEventFailOpen("storage.supersedeMemory", {
         memoryId: oldMemoryId,
         eventType: "superseded",
@@ -6035,7 +6504,7 @@ Reason: ${reason}`, {
   async writeSummary(summary) {
     await mkdir2(this.summariesDir, { recursive: true });
     const filePath = path4.join(this.summariesDir, `${summary.id}.json`);
-    await writeFile2(filePath, JSON.stringify(summary, null, 2), "utf-8");
+    await this.writeStorageSecureFile(filePath, JSON.stringify(summary, null, 2));
     log.debug(`wrote summary ${summary.id}`);
   }
   /**
@@ -6048,11 +6517,13 @@ Reason: ${reason}`, {
       for (const file of files) {
         if (!file.endsWith(".json")) continue;
         const filePath = path4.join(this.summariesDir, file);
-        const raw = await readFile2(filePath, "utf-8");
+        const raw = await this.readStorageSecureFile(filePath);
         summaries.push(JSON.parse(raw));
       }
       return summaries;
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return [];
     }
   }
@@ -6078,7 +6549,7 @@ Reason: ${reason}`, {
 ${memory.content}
 `;
       try {
-        await writeFile2(memory.path, fileContent, "utf-8");
+        await this.writeStorageSecureFile(memory.path, fileContent);
         await this.appendGeneratedMemoryLifecycleEventFailOpen("storage.archiveMemories", {
           memoryId: id,
           eventType: "archived",
@@ -6108,7 +6579,7 @@ ${memory.content}
   async saveTopics(topics) {
     const metaPath = path4.join(this.stateDir, "topics.json");
     await mkdir2(this.stateDir, { recursive: true });
-    await writeFile2(metaPath, JSON.stringify({ topics, updatedAt: (/* @__PURE__ */ new Date()).toISOString() }, null, 2), "utf-8");
+    await this.writeStorageSecureFile(metaPath, JSON.stringify({ topics, updatedAt: (/* @__PURE__ */ new Date()).toISOString() }, null, 2));
     log.debug(`saved ${topics.length} topic scores`);
   }
   /**
@@ -6117,9 +6588,11 @@ ${memory.content}
   async loadTopics() {
     const metaPath = path4.join(this.stateDir, "topics.json");
     try {
-      const raw = await readFile2(metaPath, "utf-8");
+      const raw = await this.readStorageSecureFile(metaPath);
       return JSON.parse(raw);
-    } catch {
+    } catch (err) {
+      if (err instanceof SecureStoreLockedError) throw err;
+      if (!isErrnoCode(err, "ENOENT")) throw err;
       return { topics: [], updatedAt: null };
     }
   }
@@ -6195,6 +6668,12 @@ export {
   normalizeEntitySchemas,
   resolveRequestedEntitySectionKeys,
   sanitizeMemoryContent,
+  MEMORY_LIFECYCLE_EVENT_SORT_ORDER,
+  toMemoryPathRel,
+  inferMemoryStatus,
+  isActiveMemoryStatus,
+  buildLifecycleEventsForMemory,
+  sortMemoryLifecycleEvents,
   hasCitationForTemplate,
   attachCitation,
   stripCitationForTemplate,
@@ -6206,7 +6685,12 @@ export {
   setCachedQmdSearch,
   lintWorkspaceFiles,
   rotateMarkdownFileToArchive,
+  DERIVED_FROM_MEMORY_ID_RE,
   isConsolidationOperator,
+  isSemanticConsolidationLlmOperator,
+  RECALL_DISCLOSURE_LEVELS,
+  DEFAULT_RECALL_DISCLOSURE,
+  isRecallDisclosure,
   confidenceTier,
   openBetterSqlite3,
   MEMORY_PROJECTION_SCHEMA_VERSION,
@@ -6218,14 +6702,8 @@ export {
   readProjectedEntityMentions,
   readProjectedNativeKnowledgeChunks,
   readProjectedGovernanceRecord,
-  MEMORY_LIFECYCLE_EVENT_SORT_ORDER,
-  toMemoryPathRel,
-  inferMemoryStatus,
-  buildLifecycleEventsForMemory,
-  sortMemoryLifecycleEvents,
   normalizeProjectionPreview,
   normalizeProjectionTags,
-  parseContinuityIncident,
   parseContinuityImprovementLoops,
   normalizeEntityName,
   ContentHashIndex,