@rubytech/taskmaster 1.0.36 → 1.0.39

package/dist/control-ui/index.html

@@ -6,8 +6,8 @@
     <title>Taskmaster Control</title>
     <meta name="color-scheme" content="dark light" />
     <link rel="icon" type="image/png" href="./favicon.png" />
-    <script type="module" crossorigin src="./assets/index-DgT0m3bj.js"></script>
-    <link rel="stylesheet" crossorigin href="./assets/index-BQEnHucA.css">
+    <script type="module" crossorigin src="./assets/index-gQeHDI6a.js"></script>
+    <link rel="stylesheet" crossorigin href="./assets/index-Ceb3FTmS.css">
   </head>
   <body>
     <taskmaster-app></taskmaster-app>

package/dist/gateway/chat-sanitize.js

@@ -15,6 +15,9 @@ const ENVELOPE_CHANNELS = [
     "BlueBubbles",
 ];
 const MESSAGE_ID_LINE = /^\s*\[message_id:\s*[^\]]+\]\s*$/i;
+// Internal annotations prepended by buildInboundMediaNote / get-reply-run
+const MEDIA_ATTACHED_LINE = /^\s*\[media attached(?:\s+\d+\/\d+)?:\s*[^\]]+\]\s*$/i;
+const MEDIA_REPLY_HINT = /^\s*To send an image back, prefer the message tool\b/;
 function looksLikeEnvelopeHeader(header) {
     if (/\d{4}-\d{2}-\d{2}T\d{2}:\d{2}Z\b/.test(header))
         return true;
@@ -23,13 +26,16 @@ function looksLikeEnvelopeHeader(header) {
     return ENVELOPE_CHANNELS.some((label) => header.startsWith(`${label} `));
 }
 export function stripEnvelope(text) {
-    const match = text.match(ENVELOPE_PREFIX);
-    if (!match)
-        return text;
-    const header = match[1] ?? "";
-    if (!looksLikeEnvelopeHeader(header))
-        return text;
-    return text.slice(match[0].length);
+    let result = text;
+    const match = result.match(ENVELOPE_PREFIX);
+    if (match) {
+        const header = match[1] ?? "";
+        if (looksLikeEnvelopeHeader(header)) {
+            result = result.slice(match[0].length);
+        }
+    }
+    result = stripMediaAnnotations(result);
+    return result;
 }
 function stripMessageIdHints(text) {
     if (!text.includes("[message_id:"))
@@ -38,6 +44,17 @@ function stripMessageIdHints(text) {
     const filtered = lines.filter((line) => !MESSAGE_ID_LINE.test(line));
     return filtered.length === lines.length ? text : filtered.join("\n");
 }
+function stripMediaAnnotations(text) {
+    if (!text.includes("[media attached"))
+        return text;
+    const lines = text.split(/\r?\n/);
+    const filtered = lines.filter((line) => !MEDIA_ATTACHED_LINE.test(line) && !MEDIA_REPLY_HINT.test(line));
+    if (filtered.length === lines.length)
+        return text;
+    // Also strip the "[media attached: N files]" header line
+    const result = filtered.filter((line) => !/^\s*\[media attached:\s*\d+\s+files?\]\s*$/i.test(line));
+    return result.join("\n").trim();
+}
 function stripEnvelopeFromContent(content) {
     let changed = false;
     const next = content.map((item) => {

package/dist/gateway/server-methods/chat.js

@@ -10,9 +10,9 @@ import { dispatchInboundMessage } from "../../auto-reply/dispatch.js";
 import { createReplyDispatcher } from "../../auto-reply/reply/reply-dispatcher.js";
 import { extractShortModelName, } from "../../auto-reply/reply/response-prefix-template.js";
 import { resolveSendPolicy } from "../../sessions/send-policy.js";
+import { createInternalHookEvent, triggerInternalHook } from "../../hooks/internal-hooks.js";
 import { INTERNAL_MESSAGE_CHANNEL } from "../../utils/message-channel.js";
 import { abortChatRunById, abortChatRunsForSessionKey, isChatStopCommandText, resolveChatRunExpiresAtMs, } from "../chat-abort.js";
-import { parseMessageWithAttachments } from "../chat-attachments.js";
 import { ErrorCodes, errorShape, formatValidationErrors, validateChatAbortParams, validateChatHistoryParams, validateChatInjectParams, validateChatSendParams, } from "../protocol/index.js";
 import { getMaxChatHistoryMessagesBytes } from "../server-constants.js";
 import { capArrayByJsonBytes, loadSessionEntry, readSessionMessages, resolveSessionModelRef, } from "../session-utils.js";
@@ -250,35 +250,74 @@ export const chatHandlers = {
         // Separate document attachments (PDFs, text files) from image attachments
         const imageAttachments = normalizedAttachments.filter((a) => a.type !== "document");
         const documentAttachments = normalizedAttachments.filter((a) => a.type === "document");
-        let parsedMessage = p.message;
-        let parsedImages = [];
-        if (imageAttachments.length > 0) {
-            try {
-                const parsed = await parseMessageWithAttachments(p.message, imageAttachments, {
-                    maxBytes: 5_000_000,
-                    log: context.logGateway,
-                });
-                parsedMessage = parsed.message;
-                parsedImages = parsed.images;
-            }
-            catch (err) {
-                respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, String(err)));
-                return;
-            }
-        }
-        // Save document attachments to workspace uploads dir (persistent, accessible by agent)
-        const savedDocPaths = [];
-        if (documentAttachments.length > 0) {
+        // Resolve workspace uploads dir for all attachments (persistent, no TTL).
+        // Both images and documents are saved as plain files — same as every other channel.
+        let uploadsDir = null;
+        if (normalizedAttachments.length > 0) {
             const { cfg: sessionCfg } = loadSessionEntry(p.sessionKey);
             const agentId = resolveSessionAgentId({ sessionKey: p.sessionKey, config: sessionCfg });
             const workspaceDir = resolveAgentWorkspaceDir(sessionCfg, agentId);
-            const uploadsDir = path.join(workspaceDir, "uploads");
+            uploadsDir = path.join(workspaceDir, "uploads");
             try {
                 fs.mkdirSync(uploadsDir, { recursive: true });
             }
             catch {
                 /* ignore if exists */
             }
+        }
+        // Save image attachments to workspace uploads dir (persistent, accessible by agent).
+        // The agent runner detects file path references via [media attached: ...] and
+        // loads them from disk at inference time — no inline base64 in transcripts.
+        const savedImagePaths = [];
+        const savedImageTypes = [];
+        if (imageAttachments.length > 0 && uploadsDir) {
+            for (const att of imageAttachments) {
+                if (!att.content || typeof att.content !== "string")
+                    continue;
+                try {
+                    let b64 = att.content.trim();
+                    const dataUrlMatch = /^data:[^;]+;base64,(.*)$/.exec(b64);
+                    if (dataUrlMatch)
+                        b64 = dataUrlMatch[1];
+                    const buffer = Buffer.from(b64, "base64");
+                    // Derive extension from mime type
+                    const mimeBase = att.mimeType?.split(";")[0]?.trim();
+                    const extMap = {
+                        "image/jpeg": ".jpg",
+                        "image/png": ".png",
+                        "image/gif": ".gif",
+                        "image/webp": ".webp",
+                        "image/heic": ".heic",
+                        "image/heif": ".heif",
+                        "image/svg+xml": ".svg",
+                        "image/avif": ".avif",
+                    };
+                    const ext = (mimeBase && extMap[mimeBase]) ?? ".jpg";
+                    const uuid = randomUUID();
+                    let safeName;
+                    if (att.fileName) {
+                        const base = path
+                            .parse(att.fileName)
+                            .name.replace(/[^a-zA-Z0-9._-]/g, "_")
+                            .slice(0, 60);
+                        safeName = base ? `${base}---${uuid}${ext}` : `${uuid}${ext}`;
+                    }
+                    else {
+                        safeName = `${uuid}${ext}`;
+                    }
+                    const destPath = path.join(uploadsDir, safeName);
+                    fs.writeFileSync(destPath, buffer);
+                    savedImagePaths.push(destPath);
+                    savedImageTypes.push(mimeBase ?? "image/png");
+                }
+                catch (err) {
+                    context.logGateway.warn(`chat image save failed: ${String(err)}`);
+                }
+            }
+        }
+        // Save document attachments to workspace uploads dir (persistent, accessible by agent)
+        const savedDocPaths = [];
+        if (documentAttachments.length > 0 && uploadsDir) {
             for (const doc of documentAttachments) {
                 if (!doc.content || typeof doc.content !== "string")
                     continue;
@@ -354,14 +393,14 @@ export const chatHandlers = {
                 status: "started",
             };
             respond(true, ackPayload, undefined, { runId: clientRunId });
-            const trimmedMessage = parsedMessage.trim();
+            const trimmedMessage = p.message.trim();
             const injectThinking = Boolean(p.thinking && trimmedMessage && !trimmedMessage.startsWith("/"));
-            const commandBody = injectThinking ? `/think ${p.thinking} ${parsedMessage}` : parsedMessage;
+            const commandBody = injectThinking ? `/think ${p.thinking} ${p.message}` : p.message;
             // If documents were saved, prepend file paths to message so the agent knows about them
             const docNote = savedDocPaths.length > 0
                 ? savedDocPaths.map((p) => `[file: ${p}]`).join("\n") + "\n\n"
                 : "";
-            const messageWithDocs = docNote + parsedMessage;
+            const messageWithDocs = docNote + p.message;
             const clientInfo = client?.connect?.client;
             const ctx = {
                 Body: messageWithDocs,
@@ -379,11 +418,30 @@ export const chatHandlers = {
                 SenderId: clientInfo?.id,
                 SenderName: clientInfo?.displayName,
                 SenderUsername: clientInfo?.displayName,
+                // Image/media paths — same pattern as WhatsApp. buildInboundMediaNote()
+                // will generate [media attached: ...] annotations that the agent runner
+                // detects and loads from disk at inference time.
+                MediaPaths: savedImagePaths.length > 0 ? savedImagePaths : undefined,
+                MediaPath: savedImagePaths[0],
+                MediaTypes: savedImageTypes.length > 0 ? savedImageTypes : undefined,
+                MediaType: savedImageTypes[0],
             };
             const agentId = resolveSessionAgentId({
                 sessionKey: p.sessionKey,
                 config: cfg,
             });
+            // Fire message:inbound hook for conversation archiving.
+            // Include image paths so the archive references the attached media.
+            const imageNote = savedImagePaths.length > 0 ? savedImagePaths.map((ip) => `[image: ${ip}]`).join("\n") : "";
+            const archiveText = [p.message, imageNote].filter(Boolean).join("\n").trim();
+            void triggerInternalHook(createInternalHookEvent("message", "inbound", p.sessionKey, {
+                text: archiveText || undefined,
+                timestamp: now,
+                chatType: "direct",
+                agentId,
+                channel: "webchat",
+                cfg,
+            }));
             let prefixContext = {
                 identityName: resolveIdentityName(cfg, agentId),
             };
@@ -419,6 +477,7 @@ export const chatHandlers = {
                 },
             });
             let agentRunStarted = false;
+            context.logGateway.info(`webchat dispatch: sessionKey=${p.sessionKey} runId=${clientRunId} body=${messageWithDocs.length}ch images=${savedImagePaths.length} docs=${savedDocPaths.length}`);
             void dispatchInboundMessage({
                 ctx,
                 cfg,
@@ -426,10 +485,10 @@ export const chatHandlers = {
                 replyOptions: {
                     runId: clientRunId,
                     abortSignal: abortController.signal,
-                    images: parsedImages.length > 0 ? parsedImages : undefined,
                     disableBlockStreaming: true,
-                    onAgentRunStart: () => {
+                    onAgentRunStart: (runId) => {
                         agentRunStarted = true;
+                        context.logGateway.info(`webchat agent run started: sessionKey=${p.sessionKey} runId=${runId}`);
                     },
                     onModelSelected: (ctx) => {
                         prefixContext.provider = ctx.provider;
@@ -440,6 +499,8 @@ export const chatHandlers = {
                 },
             })
                 .then(() => {
+                const { entry: postEntry } = loadSessionEntry(p.sessionKey);
+                context.logGateway.info(`webchat dispatch done: sessionKey=${p.sessionKey} agentRunStarted=${agentRunStarted} sessionId=${postEntry?.sessionId ?? "none"} sessionFile=${postEntry?.sessionFile ?? "none"}`);
                 if (!agentRunStarted) {
                     const combinedReply = finalReplyParts
                         .map((part) => part.trim())
@@ -479,6 +540,18 @@ export const chatHandlers = {
                         message,
                     });
                 }
+                // Fire message:outbound hook for conversation archiving
+                const outboundText = finalReplyParts.join("\n\n").trim();
+                if (outboundText) {
+                    void triggerInternalHook(createInternalHookEvent("message", "outbound", p.sessionKey, {
+                        text: outboundText,
+                        timestamp: Date.now(),
+                        chatType: "direct",
+                        agentId,
+                        channel: "webchat",
+                        cfg,
+                    }));
+                }
                 context.dedupe.set(`chat:${clientRunId}`, {
                     ts: Date.now(),
                     ok: true,
@@ -486,6 +559,7 @@ export const chatHandlers = {
                 });
             })
                 .catch((err) => {
+                context.logGateway.warn(`webchat dispatch failed: sessionKey=${p.sessionKey} runId=${clientRunId} error=${formatForLog(err)}`);
                 const error = errorShape(ErrorCodes.UNAVAILABLE, String(err));
                 context.dedupe.set(`chat:${clientRunId}`, {
                     ts: Date.now(),

package/dist/gateway/server-methods/memory.js

@@ -1,5 +1,6 @@
-import { resolveDefaultAgentId } from "../../agents/agent-scope.js";
+import { resolveAgentWorkspaceDir, resolveDefaultAgentId } from "../../agents/agent-scope.js";
 import { loadConfig } from "../../config/config.js";
+import { clearAuditEntries, getUnreviewedEntries } from "../../memory/audit.js";
 import { getMemorySearchManager } from "../../memory/index.js";
 import { ErrorCodes, errorShape } from "../protocol/index.js";
 export const memoryHandlers = {
@@ -59,4 +60,32 @@ export const memoryHandlers = {
             respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, String(err)));
         }
     },
+    "memory.audit": async ({ params, respond }) => {
+        try {
+            const cfg = loadConfig();
+            const agentId = typeof params.agentId === "string" && params.agentId.trim()
+                ? params.agentId.trim()
+                : resolveDefaultAgentId(cfg);
+            const workspaceDir = resolveAgentWorkspaceDir(cfg, agentId);
+            const entries = getUnreviewedEntries(workspaceDir);
+            respond(true, { ok: true, entries });
+        }
+        catch (err) {
+            respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, String(err)));
+        }
+    },
+    "memory.auditClear": async ({ params, respond }) => {
+        try {
+            const cfg = loadConfig();
+            const agentId = typeof params.agentId === "string" && params.agentId.trim()
+                ? params.agentId.trim()
+                : resolveDefaultAgentId(cfg);
+            const workspaceDir = resolveAgentWorkspaceDir(cfg, agentId);
+            const result = clearAuditEntries(workspaceDir);
+            respond(true, { ok: true, cleared: result.cleared });
+        }
+        catch (err) {
+            respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, String(err)));
+        }
+    },
 };

package/dist/gateway/server-methods/system.js

@@ -1,7 +1,5 @@
+import { spawn } from "node:child_process";
 import { resolveMainSessionKeyFromConfig } from "../../config/sessions.js";
-import { uninstallCommand } from "../../commands/uninstall.js";
-import { resolveGatewayService } from "../../daemon/service.js";
-import { defaultRuntime } from "../../runtime.js";
 import { getLastHeartbeatEvent } from "../../infra/heartbeat-events.js";
 import { setHeartbeatsEnabled } from "../../infra/heartbeat-runner.js";
 import { enqueueSystemEvent, isSystemEventContextChanged } from "../../infra/system-events.js";
@@ -124,46 +122,23 @@ export const systemHandlers = {
     },
     "system.uninstall": async ({ params, respond, context }) => {
         const purge = params.purge === true;
-        const validScopes = new Set(["service", "state", "workspace", "app"]);
-        const scopes = Array.isArray(params.scopes)
-            ? params.scopes.filter((s) => validScopes.has(s))
-            : ["service", "state", "workspace"];
         const log = context.logGateway;
-        log.info(`system.uninstall: scopes=${scopes.join(",")} purge=${purge}`);
-        // Respond before running uninstall — the gateway will exit afterward
-        respond(true, { ok: true, scopes, purge }, undefined);
-        // Small delay to let the response reach the client
-        await new Promise((r) => setTimeout(r, 500));
-        // skipService: we cannot stop our own service — systemd would SIGTERM
-        // this process before workspace/state removal runs. The service files
-        // are uninstalled separately below (without stopping).
-        try {
-            await uninstallCommand(defaultRuntime, {
-                state: scopes.includes("state"),
-                workspace: scopes.includes("workspace"),
-                app: scopes.includes("app"),
-                purge,
-                skipService: true,
-                yes: true,
-                nonInteractive: true,
-            });
-        }
-        catch (err) {
-            log.error(`system.uninstall failed: ${String(err)}`);
-        }
-        // Uninstall the service files without stopping — we ARE the service.
-        // process.exit below handles the actual stop.
-        if (scopes.includes("service")) {
-            try {
-                const service = resolveGatewayService();
-                await service.uninstall({ env: process.env, stdout: process.stdout });
-                log.info("Gateway service uninstalled");
-            }
-            catch (err) {
-                log.error(`Service uninstall failed: ${String(err)}`);
-            }
-        }
-        log.info("system.uninstall complete, exiting gateway");
-        process.exit(0);
+        // Resolve the taskmaster binary path — same binary that's running the gateway
+        const bin = process.argv[1] ?? "taskmaster";
+        const args = ["uninstall", "--all", "--yes"];
+        if (purge)
+            args.push("--purge");
+        log.info(`system.uninstall: spawning detached: ${bin} ${args.join(" ")}`);
+        // Spawn the uninstall as a detached process that outlives the gateway.
+        // The CLI command will stop the gateway service, remove all data, and
+        // optionally remove the npm package — all from a separate process so
+        // there's no self-SIGTERM problem.
+        const child = spawn(process.execPath, [bin, ...args], {
+            detached: true,
+            stdio: "ignore",
+            env: { ...process.env },
+        });
+        child.unref();
+        respond(true, { ok: true, pid: child.pid }, undefined);
     },
 };

package/dist/gateway/server-methods.js

@@ -90,6 +90,7 @@ const READ_METHODS = new Set([
     "workspaces.list",
     "workspaces.scan",
     "memory.status",
+    "memory.audit",
 ]);
 const WRITE_METHODS = new Set([
     "send",
@@ -176,6 +177,7 @@ function authorizeGatewayMethod(method, client) {
         method === "workspaces.create" ||
         method === "workspaces.remove" ||
         method === "memory.reindex" ||
+        method === "memory.auditClear" ||
         method === "system.uninstall") {
         return errorShape(ErrorCodes.INVALID_REQUEST, "missing scope: operator.admin");
     }

package/dist/hooks/bundled/conversation-archive/handler.js

@@ -31,6 +31,13 @@ function extractPeerFromSessionKey(sessionKey) {
     }
     return null;
 }
+/**
+ * Detect webchat session key format: agent:{agentId}:main
+ */
+function isWebchatSessionKey(sessionKey) {
+    const parts = sessionKey.toLowerCase().split(":").filter(Boolean);
+    return parts.length === 3 && parts[0] === "agent" && parts[2] === "main";
+}
 /**
  * Extract group ID from session key
  *
@@ -148,9 +155,10 @@ const archiveConversation = async (event) => {
         }
         // Get timestamp from context or event
         const timestamp = context.timestamp ?? event.timestamp;
-        // Try DM first, then group
+        // Determine conversation type from session key and route to correct archive path
         const peer = extractPeerFromSessionKey(event.sessionKey);
         const groupId = peer ? null : extractGroupIdFromSessionKey(event.sessionKey);
+        const isWebchat = !peer && !groupId && isWebchatSessionKey(event.sessionKey);
         if (peer) {
             // Admin DMs archive to memory/admin/conversations/ (not accessible by public agent).
             // Public DMs archive to memory/users/{peer}/conversations/.
@@ -187,8 +195,13 @@ const archiveConversation = async (event) => {
                 fileHeader,
             });
         }
+        else if (isWebchat) {
+            // Webchat (control panel) — archive under memory/admin/conversations/
+            const role = event.action === "inbound" ? "Admin" : "Assistant";
+            await archiveMessage({ workspaceDir, subdir: "admin", role, text, timestamp });
+        }
         else {
-            // Neither DM nor group — skip
+            // Unknown session key format — skip
             return;
         }
     }

package/dist/memory/audit.js

@@ -0,0 +1,86 @@
+/**
+ * Memory write audit trail.
+ *
+ * Tracks writes to shared/ and public/ memory folders so the business owner
+ * can review what the agent stored in externally-visible locations.
+ *
+ * Storage: JSON file at {workspaceDir}/.memory-audit.json
+ * Not placed inside memory/ to avoid being indexed by the memory search system.
+ *
+ * Integration: Called from syncMemoryFiles() in the memory manager, right after
+ * the "file updated/added" log line. Runs after the watcher detects changes and
+ * during the sync pass — no interference with upstream processing.
+ */
+import fs from "node:fs";
+import path from "node:path";
+const AUDIT_FILENAME = ".memory-audit.json";
+/** Paths that are excluded from audit — expected operational writes. */
+const EXCLUDED_PREFIXES = ["memory/shared/events/"];
+/**
+ * Returns true if a memory write path should be audited.
+ * Auditable paths: memory/shared/** and memory/public/** (excluding exemptions).
+ */
+export function isAuditablePath(relPath) {
+    const normalized = relPath.replace(/\\/g, "/").toLowerCase();
+    if (!normalized.startsWith("memory/shared/") && !normalized.startsWith("memory/public/")) {
+        return false;
+    }
+    for (const prefix of EXCLUDED_PREFIXES) {
+        if (normalized.startsWith(prefix))
+            return false;
+    }
+    return true;
+}
+function auditFilePath(workspaceDir) {
+    return path.join(workspaceDir, AUDIT_FILENAME);
+}
+function readAuditFile(workspaceDir) {
+    try {
+        const raw = fs.readFileSync(auditFilePath(workspaceDir), "utf-8");
+        const data = JSON.parse(raw);
+        return {
+            entries: Array.isArray(data.entries) ? data.entries : [],
+            lastReviewedAt: typeof data.lastReviewedAt === "number" ? data.lastReviewedAt : 0,
+        };
+    }
+    catch {
+        return { entries: [], lastReviewedAt: 0 };
+    }
+}
+function writeAuditFile(workspaceDir, data) {
+    try {
+        fs.writeFileSync(auditFilePath(workspaceDir), JSON.stringify(data, null, 2), "utf-8");
+    }
+    catch {
+        // Audit is best-effort — don't fail writes over audit persistence
+    }
+}
+/**
+ * Record an audit entry for a memory write.
+ */
+export function recordAuditEntry(workspaceDir, entry) {
+    const audit = readAuditFile(workspaceDir);
+    audit.entries.push(entry);
+    // Cap at 500 entries to prevent unbounded growth.
+    if (audit.entries.length > 500) {
+        audit.entries = audit.entries.slice(-500);
+    }
+    writeAuditFile(workspaceDir, audit);
+}
+/**
+ * Get unreviewed audit entries (entries added after the last review).
+ */
+export function getUnreviewedEntries(workspaceDir) {
+    const audit = readAuditFile(workspaceDir);
+    return audit.entries.filter((e) => e.timestamp > audit.lastReviewedAt);
+}
+/**
+ * Mark all current entries as reviewed.
+ */
+export function clearAuditEntries(workspaceDir) {
+    const audit = readAuditFile(workspaceDir);
+    const unreviewed = audit.entries.filter((e) => e.timestamp > audit.lastReviewedAt);
+    audit.lastReviewedAt = Date.now();
+    writeAuditFile(workspaceDir, audit);
+    return { cleared: unreviewed.length };
+}

package/dist/memory/manager.js

@@ -1,4 +1,5 @@
 import { randomUUID } from "node:crypto";
+import fsSync from "node:fs";
 import fs from "node:fs/promises";
 import path from "node:path";
 import chokidar from "chokidar";
@@ -9,6 +10,7 @@ import { resolveSessionTranscriptsDirForAgent } from "../config/sessions/paths.j
 import { createSubsystemLogger } from "../logging/subsystem.js";
 import { onSessionTranscriptUpdate } from "../sessions/transcript-events.js";
 import { resolveUserPath } from "../utils.js";
+import { isAuditablePath, recordAuditEntry } from "./audit.js";
 import { createEmbeddingProvider, } from "./embeddings.js";
 import { DEFAULT_GEMINI_EMBEDDING_MODEL } from "./embeddings-gemini.js";
 import { DEFAULT_OPENAI_EMBEDDING_MODEL } from "./embeddings-openai.js";
@@ -322,7 +324,25 @@ export class MemoryIndexManager {
             maxEntries: params.settings.cache.maxEntries,
         };
         this.fts = { enabled: params.settings.query.hybrid.enabled, available: false };
-        this.ensureSchema();
+        try {
+            this.ensureSchema();
+        }
+        catch (err) {
+            // Database is corrupted (e.g. orphaned FTS5 metadata blocking writes).
+            // Delete and rebuild from scratch.
+            const msg = err instanceof Error ? err.message : String(err);
+            log.warn(`schema init failed, rebuilding database: ${msg}`);
+            try {
+                this.db.close();
+            }
+            catch {
+                /* ignore */
+            }
+            const dbPath = resolveUserPath(this.settings.store.path);
+            this.removeIndexFilesSync(dbPath);
+            this.db = this.openDatabase();
+            this.ensureSchema();
+        }
         this.vector = {
             enabled: params.settings.store.vector.enabled,
             available: null,
@@ -534,6 +554,7 @@ export class MemoryIndexManager {
         }
         // Mark memory as dirty so it gets re-indexed
         this.dirty = true;
+        // Audit trail is recorded in syncMemoryFiles after the watcher detects changes
         return { path: relPath, bytesWritten: Buffer.byteLength(params.content, "utf-8") };
     }
     /**
@@ -846,6 +867,17 @@ export class MemoryIndexManager {
         const suffixes = ["", "-wal", "-shm"];
         await Promise.all(suffixes.map((suffix) => fs.rm(`${basePath}${suffix}`, { force: true })));
     }
+    removeIndexFilesSync(basePath) {
+        const suffixes = ["", "-wal", "-shm"];
+        for (const suffix of suffixes) {
+            try {
+                fsSync.rmSync(`${basePath}${suffix}`, { force: true });
+            }
+            catch {
+                /* ignore */
+            }
+        }
+    }
     ensureSchema() {
         const result = ensureMemoryIndexSchema({
             db: this.db,
@@ -1137,6 +1169,13 @@ export class MemoryIndexManager {
             }
             const action = record ? "updated" : "added";
             log.info(`file ${action} (${this.agentId}): ${entry.path}`);
+            if (isAuditablePath(entry.path)) {
+                recordAuditEntry(this.workspaceDir, {
+                    path: entry.path,
+                    timestamp: Date.now(),
+                    agentId: this.agentId,
+                });
+            }
             await this.indexFile(entry, { source: "memory" });
             if (params.progress) {
                 params.progress.completed += 1;

package/dist/memory/memory-schema.js

@@ -64,6 +64,9 @@ export function ensureMemoryIndexSchema(params) {
             // Leaving them in the DB can cause "no such module: fts5" errors on
             // unrelated operations if SQLite touches the virtual table machinery.
             dropOrphanedFtsTables(params.db, params.ftsTable);
+            // Verify the database is still writable after cleanup. FTS5 virtual table
+            // metadata left in sqlite_master can corrupt the database for all writes.
+            verifyWritable(params.db);
         }
     }
     ensureColumn(params.db, "files", "source", "TEXT NOT NULL DEFAULT 'memory'");
@@ -72,6 +75,21 @@ export function ensureMemoryIndexSchema(params) {
     params.db.exec(`CREATE INDEX IF NOT EXISTS idx_chunks_source ON chunks(source);`);
     return { ftsAvailable, ...(ftsError ? { ftsError } : {}) };
 }
+/**
+ * Verify the database is writable by performing a test write.
+ * If FTS5 cleanup left orphaned virtual table metadata in sqlite_master,
+ * SQLite may refuse all writes. Throws so the caller can delete and rebuild.
+ */
+function verifyWritable(db) {
+    try {
+        db.prepare(`INSERT INTO meta (key, value) VALUES ('_write_check', '1') ON CONFLICT(key) DO UPDATE SET value = '1'`).run();
+        db.prepare(`DELETE FROM meta WHERE key = '_write_check'`).run();
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        throw new Error(`database not writable after FTS cleanup (needs rebuild): ${msg}`);
+    }
+}
 /**
  * When fts5 module is unavailable but the virtual table and its shadow tables
  * exist from a previous run, drop them to prevent "no such module" errors.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/taskmaster",
-  "version": "1.0.36",
+  "version": "1.0.39",
   "description": "AI-powered business assistant for small businesses",
   "publishConfig": {
     "access": "public"