@skill-map/spec 0.10.0 → 0.12.0

package/CHANGELOG.md

@@ -1,5 +1,125 @@
 # Spec changelog
 
+## 0.12.0
+
+### Minor Changes
+
+- 68c5e28: Step 14.1 — `sm serve` + Hono BFF skeleton
+
+  Adds `src/server/` Hono workspace with single-port wiring (`/api/health` real,
+  `/api/*` 404 stubs, `/ws` no-op upgrade, `serveStatic` + SPA fallback). Real
+  `ServeCommand` extracted from stub at `cli/commands/stubs.ts` to dedicated
+  `cli/commands/serve.ts` extending `SmCommand`. Loopback-only through v0.6.0
+  (Decision #119). Boot resilient to missing DB — `/api/health` reports
+  `db: 'missing'`. Spec `cli-contract.md` `sm serve` row updated to full flag
+  set; new `### Server` subsection (skeleton — endpoints fill at 14.2).
+
+  **Files added (server)**
+
+  - `src/server/index.ts` — `createServer(opts)` factory returning `ServerHandle` (`{ address, close }`); resolves spec version, builds the Hono app, instantiates a `WebSocketServer({ noServer: true })`, hands both to `@hono/node-server`'s `serve({ websocket: { server: wss } })`. Closing the http server tears down the WSS automatically (node-server registers the `'close'` hook internally); `close()` calls `wss.close()` defensively for forward-compatibility.
+  - `src/server/app.ts` — Hono app construction. Routes registered in single-port order: `GET /api/health` → real, `ALL /api/*` → structured 404, `GET /ws` via the injected `attachWs` registrar, static handler + SPA fallback. Global `app.onError` formats every uncaught throw into the error envelope.
+  - `src/server/options.ts` — `IServerOptions` + `validateServerOptions(input)`. Loopback-only check for `--dev-cors`; port range check `[0, 65535]`; scope validation.
+  - `src/server/paths.ts` — `resolveDefaultUiDist(ctx)` walks upwards from cwd looking for `ui/dist/browser/index.html`; `resolveExplicitUiDist(ctx, raw)` honours absolute paths for `--ui-dist`.
+  - `src/server/static.ts` — wraps `@hono/node-server`'s `serveStatic` middleware with the SPA-fallback layer (`serveStatic` does not do SPA fallback — it `next()`s on miss, which is exactly the seam we hook into). Absolute `root` paths work on POSIX in node-server@2.0.1 (verified runtime probe — implementation is `path.join(root, filename)`); the `.d.ts` "Absolute paths are not supported" string is stale (upstream issue honojs/node-server#187 still open). When the bundle is missing (`uiDist === null`), a tiny placeholder middleware serves the boot-without-bundle hint at `/`.
+  - `src/server/ws.ts` — `noopWebSocketRoute(app)` registers `GET /ws` via the official `upgradeWebSocket` re-exported from `@hono/node-server@2.x`. The 14.1 handler closes the connection in `onOpen` with code 1000 + reason `'no broadcaster yet'`. 14.4 swaps this registrar for the chokidar-fed broadcaster — one-line change in `index.ts`, `app.ts` untouched.
+  - `src/server/health.ts` — `buildHealth(deps)` synchronous; `resolveSpecVersion()` async, called once at boot.
+  - `src/server/i18n/server.texts.ts` — `SERVER_TEXTS` catalog.
+
+  **Files added (CLI)**
+
+  - `src/cli/commands/serve.ts` — `ServeCommand extends SmCommand`. Parses flags, validates, calls `createServer`, registers SIGINT/SIGTERM handlers, awaits shutdown. `protected emitElapsed = false` (long-running daemon).
+  - `src/cli/i18n/serve.texts.ts` — `SERVE_TEXTS` catalog.
+
+  **Tests added (15)**
+
+  - `src/test/server-boot.test.ts` (7) — boot/listen/health JSON, custom port, db state present/missing, structured 404, /ws upgrade closes with code 1000 + reason 'no broadcaster yet' (uses real `WebSocket` client from `ws`), shutdown < 1s + idempotent close, inline placeholder when uiDist null.
+  - `src/test/server-flags.test.ts` (6) — host non-loopback + dev-cors rejection, port out-of-range, port non-numeric, scope invalid, ui-dist missing, ui-dist with valid bundle.
+  - `src/test/server-db-missing.test.ts` (2) — `--db <missing>` exits 5, default boots cleanly with db:missing.
+
+  **Files edited**
+
+  - `src/cli/commands/stubs.ts` — `ServeCommand` removed; replaced with a comment pointer.
+  - `src/cli/entry.ts` — registers the new `ServeCommand`.
+  - `src/package.json` — adds `hono@4.12.16`, `@hono/node-server@2.0.1`, `ws@8.20.0` (deps); `@types/ws@8.18.1` (dev). All exact-pinned per AGENTS.md.
+  - `spec/cli-contract.md` — `sm serve` row replaced with the full 14.1 flag set; new `#### Server` subsection (stability: experimental).
+  - `spec/CHANGELOG.md` — `[Unreleased]` `### Minor` entry for the spec change.
+  - `spec/index.json` — regenerated (40 files hashed; previous head was 215 lines).
+
+  **Decisions during implementation (flag for orchestrator)**
+
+  - WebSocket support uses `@hono/node-server@2.x`'s built-in `upgradeWebSocket` plus the canonical `ws@8.20.0` Node WebSocket library, per the official README pattern. The previously-published `@hono/node-ws` adapter was deprecated when node-server@2.0 absorbed WebSocket support natively (PR honojs/node-server#328). The 14.4 broadcaster will replace `noopWebSocketRoute` with its own one-line registrar — no API churn between 14.1 and 14.4.
+  - The `/api/*` catch-all is wired with `app.all('/api/*', ...)` BEFORE the `/ws` registrar and the static handler so neither a `serveStatic` filesystem hit nor the SPA fallback can shadow API endpoints. `/ws` is registered BEFORE the static handler so a literal `/ws` path on disk inside `uiDist` cannot accidentally shadow the upgrade route.
+  - `serveStatic` from `@hono/node-server/serve-static` accepts absolute root paths at runtime on POSIX (its implementation is `path.join(root, filename)`); the `.d.ts` string saying otherwise is documentation drift, not a runtime contract. Verified with a runtime probe and cross-referenced against the open upstream issue (honojs/node-server#187). Documented in `src/server/static.ts` so future contributors don't re-investigate.
+
+## 0.11.0
+
+### Minor Changes
+
+- f8fca25: Step 10 prep — job artifacts move into the database (B2: content-addressed storage)
+
+  Removes the on-disk `.skill-map/jobs/<id>.md` and `.skill-map/reports/<id>.json` artifacts from the spec. Rendered job content and report payloads now live in the kernel database; the filesystem is no longer a normative layer of the job lifecycle. Pre-1.0 minor breaking per `versioning.md` § Pre-1.0.
+
+  **Why**: every other piece of operational state (`state_summaries`, `state_enrichments`, `state_plugin_kvs`, `node_enrichments`) already lives in the DB. Jobs and reports were the only outliers — and being outliers cost real complexity (orphan-file detection, partial backups, two-source-of-truth GC). With B2 (content-addressed dedup keyed on the existing `content_hash`), retries / `--force` / cross-node fan-out reuse a single content blob, so DB-only does not blow up storage on heavy users.
+
+  **Schema changes**
+
+  - New table `state_job_contents` (`content_hash` PK, `content` TEXT, `created_at`). Content-addressed: multiple `state_jobs` rows MAY reference the same row.
+  - `state_jobs.file_path` removed. The rendered content is fetched via `state_job_contents.content_hash` join.
+  - `state_executions.report_path` → `state_executions.report_json` (TEXT, parsed-JSON-on-read per the `_json` naming convention).
+
+  **Schema-typed contract changes**
+
+  - `Job.filePath` removed.
+  - `ExecutionRecord.reportPath` → `ExecutionRecord.report` (object/null — the parsed JSON payload).
+  - `Job.failureReason` and `ExecutionRecord.failureReason` enums: `job-file-missing` → `content-missing` (defensive failure-mode label for DB corruption where a job row outlives its content row; the runtime invariant should keep this state unreachable).
+  - `history-stats.schema.json` `perFailureReason` mirrors the rename.
+
+  **CLI surface changes**
+
+  - `sm job preview <id>` now prints the rendered content from `state_job_contents` (no file). Same output, different source.
+  - `sm job claim --json` is the contracted Skill-agent handover: returns `{id, nonce, content}` so the agent can call `sm record` afterwards with the nonce in hand. The plain-stdout form (id only) is preserved for legacy scripts.
+  - `sm record --report <path-or-dash>` accepts a file path OR `-` (stdin); the kernel reads the payload and stores it inline in `report_json`. The on-disk report file becomes operationally ephemeral — implementations SHOULD remove it after the kernel acknowledges the callback (courtesy GC, not normative).
+  - `sm job prune --orphan-files` removed. Replaced by automatic `state_job_contents` GC inside `sm job prune`: deletes terminal jobs past retention, then collects orphan content rows in the same transaction.
+  - `sm doctor` checks change accordingly: drops the "orphan job files / orphan DB rows pointing at missing files" pair; adds two DB-internal checks (`state_jobs` rows whose `content_hash` is missing from `state_job_contents`; `state_job_contents` rows referenced by zero `state_jobs` rows).
+
+  **Event stream changes**
+
+  - `job.spawning.data.jobFilePath` → `job.spawning.data.contentHash` (references the content row instead of a file path).
+  - `job.callback.received.data.reportPath` and `job.completed.data.reportPath` → `executionId` (references the `state_executions` row that holds the inline report payload). Reports are intentionally NOT inlined in events — consumers query the row when they need the body.
+
+  **Architecture changes**
+
+  - `RunnerPort.run(jobFilePath, options)` → `run(jobContent, options)` returning `{report, ...}` instead of `{reportPath, ...}`. Path-based reporting is no longer part of the port contract. Runners that need an actual file (the canonical case being `claude -p` reading stdin from a path) materialize a temp file inside `run()` and remove it after spawn — temp files are operational, not normative.
+
+  **Atomicity edge cases consolidated**
+
+  `spec/job-lifecycle.md` §Atomicity edge cases drops the four file-related rows. Two new DB-internal cases take their place: `state_jobs` row outliving its `state_job_contents` row (failure: `content-missing`); `state_job_contents` row with no live job references (GC straggler — `sm job prune` collects).
+
+  **Files touched**
+
+  - `spec/db-schema.md` — new `state_job_contents` section, `state_jobs.file_path` removed, `state_executions.report_path` → `report_json`, integrity section rewritten.
+  - `spec/job-lifecycle.md` — §Submit step 8 rewritten (DB store), §Atomic claim documents `--json` shape, §Atomicity edge cases consolidated, §Record callback rewritten for `--report` path-or-stdin semantics, §Retention extended to cover `state_job_contents` GC, failure-reason rename.
+  - `spec/cli-contract.md` — `sm job preview` / `sm job claim` / `sm job prune` rows updated, `sm job prune --orphan-files` row removed, `sm record` block rewritten with `<path-or-dash>`, `sm doctor` integrity bullets updated.
+  - `spec/prompt-preamble.md` — §How the kernel applies step 5 rewritten (DB store, no file).
+  - `spec/architecture.md` — §`RunnerPort` operations + reference impls updated for content-string + parsed-report shape.
+  - `spec/job-events.md` — `job.spawning` / `job.callback.received` / `job.completed` payloads changed.
+  - `spec/conformance/README.md` + `coverage.md` — `preamble-bitwise-match` references updated to `sm job preview` stdout.
+  - `spec/schemas/job.schema.json` — `filePath` property removed, failure-reason enum rename.
+  - `spec/schemas/execution-record.schema.json` — `reportPath` → `report` (object/null), failure-reason enum rename.
+  - `spec/schemas/history-stats.schema.json` — `perFailureReason` enum rename.
+  - `spec/index.json` regenerated (40 files hashed); `npm run spec:check` green.
+
+  **Migration for consumers**
+
+  - Any consumer reading `state_jobs.file_path` or `state_executions.report_path` reads from the renamed columns / DB-only paths instead.
+  - Any tooling that watched `.skill-map/jobs/*.md` or `.skill-map/reports/*.json` needs to query the DB or call the relevant `sm` verb.
+  - `--orphan-files` flag callers must drop the flag; `sm job prune` already does the equivalent automatically.
+  - Skill agents drain via `sm job claim --json` (id + nonce + content together) instead of `sm job claim` + reading a file.
+
+  **Out of scope**
+
+  The reference impl side of this (migration that adds `state_job_contents` + drops `state_jobs.file_path`; storage-adapter helpers; runtime piping in `ClaudeCliRunner` for the temp-file dance) lands in follow-up changesets under `@skill-map/cli`. The spec change above is self-contained: shipping it alone changes nothing at runtime, but unblocks the implementation phases.
+
 ## 0.10.0
 
 ### Minor Changes
@@ -103,6 +223,25 @@ list`, `sm plugins doctor`, `sm db prune` plugin filter, runtime
 
 ## [Unreleased]
 
+### Minor
+
+- **`sm serve` row + `### Server` subsection** in `cli-contract.md` —
+  Step 14.1 promotes `sm serve` from an implementation-defined stub to a
+  documented surface. The verb row at `§Verb catalog` › `### Server`
+  expands the flag set to the full 14.1 contract: `--port` (default
+  `4242`), `--host` (default `127.0.0.1`, loopback-only through v0.6.0),
+  `--scope project|global`, `--db <path>`, `--no-built-ins`,
+  `--no-plugins`, `--open` / `--no-open`, `--dev-cors`, `--ui-dist
+<path>` (hidden). New `#### Server` subsection documents the
+  single-port mandate, the boot-with-missing-DB resilience contract
+  (`/api/health` returns `db: 'missing'`), the v14.1 endpoint surface
+  (`GET /api/health` real, `ALL /api/*` 404 stubs, `GET /ws` upgrade-only,
+  static + SPA fallback), the structured error envelope shape, and the
+  flag table. Marked `*(Stability: experimental — locks at v0.6.0.)*` —
+  endpoints fill at v14.2, broadcaster at v14.4. Additive minor per
+  `versioning.md` § Pre-1.0 (no breaking change to the existing row's
+  semantics; the old wording was strictly less specific).
+
 ### Minor (breaking, pre-1.0)
 
 - **`Node.kind` opens to any non-empty string (was the closed enum
@@ -121,7 +260,7 @@ values]` to `{ "type": "string", "minLength": 1 }`. The
     `TEXT NOT NULL`.
   - `extensions/action.schema.json#/.../filter/kind` (the per-kind
     filter for action applicability) widens the same way: `items:
-  { type: 'string', minLength: 1 }` instead of the closed enum.
+{ type: 'string', minLength: 1 }` instead of the closed enum.
     Migration: consumers who validate exported `Node` JSON against
     `node.schema.json` will now accept external-Provider kinds. Any
     consumer that hard-coded the closed enum elsewhere (UI filter chip
@@ -398,53 +537,51 @@ the`CamelCasePlugin`; raw SQL fragments must use snake_case to
     a real i18n library, the strings move as-is. Functions would
     have to be re-shaped first.
 
-        Helper at `kernel/util/tx.ts`. Contract:
-
-        - Every `{{name}}` token MUST have a matching key in the vars
-          object — missing key throws (silent fallback hides
-          forgotten args in production).
-        - `null` / `undefined` values throw — caller coerces
-          upstream.
-        - Whitespace inside the braces tolerated (`{{ name }}`) so
-          long templates wrap cleanly across `+`-joined lines.
-        - Plural / conditional logic does NOT live in the template;
-          the caller picks `*_singular` vs `*_plural` keys.
-
-        Files created:
-
-        - `kernel/util/tx.ts` — the helper itself, with 13 tests in
-          `test/tx.test.ts` (single / multi token, whitespace,
-          missing / null / undefined keys, identifier shapes, error
-          truncation).
-        - `kernel/i18n/orchestrator.texts.ts` — frontmatter
-          malformed/invalid templates, `extension.error` payloads,
-          root validation errors.
-        - `kernel/i18n/plugin-loader.texts.ts` — every `load-error` /
-          `invalid-manifest` / `incompatible-spec` reason, plus the
-          import timeout message.
-        - `cli/i18n/scan.texts.ts` — `sm scan` flag-clash / scan
-          failure / guard / summary templates, plus the `sm scan
-
-    compare-with`dump-load errors.
--`cli/i18n/watch.texts.ts`—`sm watch`lifecycle templates.
--`cli/i18n/init.texts.ts`—`sm init`templates including
-  the`--dry-run`previews and the singular/plural pair for
-  gitignore updates.
--`cli/i18n/db.texts.ts`—`sm db reset`/`sm db restore`      templates including their`--dry-run`previews.
--`cli/i18n/cli-progress-emitter.texts.ts`— the
- `extension.error: ...` stderr line.
-
-        String content moved verbatim — every existing test that
-        matches on stderr / stdout content keeps passing. Trivial
-        single-token strings (`'No issues.\n'`) and rare per-handler
-        bespoke phrases stay inline; the pattern is now established
-        for whoever wants to migrate them in a follow-up.
-
-        Note on `ui/` divergence: today the two workspaces use
-        different shapes for their text tables (functions in `ui/`,
-        templates in `cli/`). Aligning them is a follow-up — the day a
-        real i18n library lands, both converge on its native shape.
-        The CLI shape is closer to the eventual destination.
+            Helper at `kernel/util/tx.ts`. Contract:
+
+            - Every `{{name}}` token MUST have a matching key in the vars
+              object — missing key throws (silent fallback hides
+              forgotten args in production).
+            - `null` / `undefined` values throw — caller coerces
+              upstream.
+            - Whitespace inside the braces tolerated (`{{ name }}`) so
+              long templates wrap cleanly across `+`-joined lines.
+            - Plural / conditional logic does NOT live in the template;
+              the caller picks `*_singular` vs `*_plural` keys.
+
+            Files created:
+
+            - `kernel/util/tx.ts` — the helper itself, with 13 tests in
+              `test/tx.test.ts` (single / multi token, whitespace,
+              missing / null / undefined keys, identifier shapes, error
+              truncation).
+            - `kernel/i18n/orchestrator.texts.ts` — frontmatter
+              malformed/invalid templates, `extension.error` payloads,
+              root validation errors.
+            - `kernel/i18n/plugin-loader.texts.ts` — every `load-error` /
+              `invalid-manifest` / `incompatible-spec` reason, plus the
+              import timeout message.
+            - `cli/i18n/scan.texts.ts` — `sm scan` flag-clash / scan
+              failure / guard / summary templates, plus the `sm scan
+
+        compare-with`dump-load errors.
+
+    -`cli/i18n/watch.texts.ts`—`sm watch`lifecycle templates. -`cli/i18n/init.texts.ts`—`sm init`templates including
+    the`--dry-run`previews and the singular/plural pair for
+    gitignore updates. -`cli/i18n/db.texts.ts`—`sm db reset`/`sm db restore` templates including their`--dry-run`previews. -`cli/i18n/cli-progress-emitter.texts.ts`— the
+    `extension.error: ...` stderr line.
+
+            String content moved verbatim — every existing test that
+            matches on stderr / stdout content keeps passing. Trivial
+            single-token strings (`'No issues.\n'`) and rare per-handler
+            bespoke phrases stay inline; the pattern is now established
+            for whoever wants to migrate them in a follow-up.
+
+            Note on `ui/` divergence: today the two workspaces use
+            different shapes for their text tables (functions in `ui/`,
+            templates in `cli/`). Aligning them is a follow-up — the day a
+            real i18n library lands, both converge on its native shape.
+            The CLI shape is closer to the eventual destination.
 
   - **N6 — `TIssueSeverity` aliased to `Severity`.** SQLite schema
     type now reads `type TIssueSeverity = Severity` instead of
@@ -1092,9 +1229,9 @@ kind, normalizedTrigger)` and prints one row per group with the
       (`Links out (12, 9 unique)`). When N > 1 detector emits the same
       logical link, the row also gets a `(×N)` suffix.
 
-                             `--json` output is byte-identical to before — raw rows, no merge.
-                             Storage is byte-identical to before. The grouping is purely a
-                             read-time presentation choice for human eyes.
+                                         `--json` output is byte-identical to before — raw rows, no merge.
+                                         Storage is byte-identical to before. The grouping is purely a
+                                         read-time presentation choice for human eyes.
 
   **Spec changes (patch)**:
 

package/architecture.md

@@ -78,12 +78,16 @@ Each plugin (and each built-in bundle) declares a **granularity** that controls
 
 ### `RunnerPort`
 
-Executes an action against a job file. Returns a report reference (or an error) plus runner-side metrics (duration, tokens, exit code).
+Executes an action against rendered job content. Returns the produced report (or an error) plus runner-side metrics (duration, tokens, exit code).
 
-Operations: `run(jobFilePath, options)` → `{ reportPath, tokensIn, tokensOut, durationMs, exitCode } | Error`.
+Operations: `run(jobContent, options)` → `{ report, tokensIn, tokensOut, durationMs, exitCode } | Error`.
+
+`jobContent` is a string: the kernel reads `state_job_contents` for the job and passes the content directly. There is no on-disk job file as part of the contract — runners that need an actual file (the `claude -p` subprocess, for example) materialize a temporary file inside `run()` and remove it after spawn. The temp file is operational, not normative.
+
+`report` is the parsed JSON the runner produced; the kernel ingests it into `state_executions.report_json`. Path-based reporting is not part of the port contract.
 
 Two reference implementations:
-- `ClaudeCliRunner` — subprocess `claude -p < jobfile`.
+- `ClaudeCliRunner` — subprocess `claude -p` with the content piped into a temp file or stdin.
 - `MockRunner` — deterministic fake for tests.
 
 The **Skill agent** does NOT implement this port: it is a peer driving adapter (alongside CLI and Server) that runs inside an LLM session and consumes `sm job claim` + `sm record` as a kernel client. The name "Skill runner" is descriptive, not structural — only the `ClaudeCliRunner` (and its test fake) implement `RunnerPort`. See [`job-lifecycle.md`](./job-lifecycle.md).

package/cli-contract.md

@@ -123,7 +123,8 @@ Diagnostic report:
 - DB file integrity (PRAGMA quick_check equivalent).
 - Pending migrations (count + list).
 - Orphan history rows (count).
-- Orphan job files (count).
+- `state_jobs` rows whose `content_hash` is missing from `state_job_contents` (corrupt-state count).
+- `state_job_contents` GC stragglers (count of rows referenced by zero `state_jobs` rows; `sm job prune` collects these).
 - Plugins in error state (list).
 - LLM runner availability (`claude` binary on PATH, version).
 - Detected Providers that matched nothing, or whose `explorationDir` does not exist on disk (non-blocking warning).
@@ -235,15 +236,14 @@ See `job-lifecycle.md` for the state machine; this table is the CLI surface.
 | `sm job submit ... --priority <n>` | Override job priority. Integer; higher runs first. Default `0`. Negative allowed (deprioritize). Frozen on `state_jobs.priority` at submit time. |
 | `sm job list [--status ...] [--action ...] [--node ...]` | List jobs. |
 | `sm job show <job.id>` | Detail: current state, claim timestamp, TTL remaining, runner, content hash. |
-| `sm job preview <job.id>` | Render the job MD file without executing. |
-| `sm job claim [--filter <action>]` | Atomic primitive: return next queued job id, mark it running. Exit 0 with id on stdout; exit 1 if queue empty. |
+| `sm job preview <job.id>` | Print the rendered MD content of the job without executing. Reads from `state_job_contents`; there is no on-disk artifact. |
+| `sm job claim [--filter <action>]` | Atomic primitive: return next queued job id, mark it running. Exit 0 with id on stdout; exit 1 if queue empty. `--json` returns `{id, nonce, content}` — drivers that intend to call `sm record` afterwards MUST use the `--json` form to receive the nonce. |
 | `sm job run` | Full CLI-runner loop: claim + spawn + record. Runs one job. |
 | `sm job run --all` | Drain the queue (sequential through `v1.0`; in-runner parallelism deferred). |
 | `sm job run --max N` | Drain at most N jobs. |
 | `sm job status [<job.id>]` | Counts (per status) or single-job status. |
 | `sm job cancel <job.id> \| --all` | Force a running job to `failed` state with reason `user-cancelled`. `--all` cancels every `queued` and `running` job. |
-| `sm job prune` | Retention GC for completed/failed jobs (per config policy). |
-| `sm job prune --orphan-files` | Remove MD files with no matching DB row. |
+| `sm job prune` | Retention GC: deletes terminal jobs past the configured retention window AND collects orphaned `state_job_contents` rows in the same transaction. |
 
 Submit returns the job id on stdout in pretty mode, or a `Job` object conforming to `job.schema.json` in `--json` mode.
 
@@ -253,12 +253,12 @@ Submit returns the job id on stdout in pretty mode, or a `Job` object conforming
 
 ```
 sm record --id <job.id> --nonce <n> --status completed \
-         --report <path> \
+         --report <path-or-dash> \
          --tokens-in N --tokens-out N --duration-ms N \
          --model <name>
 ```
 
-Closes a running job with success.
+Closes a running job with success. `--report` accepts either a filesystem path the kernel reads, or `-` to read the JSON payload from stdin. The kernel stores the parsed JSON inline on `state_executions.report_json`; the path / stdin source is ingestion-only and not retained.
 
 ```
 sm record --id <job.id> --nonce <n> --status failed --error "..."
@@ -316,7 +316,55 @@ Destructive verbs (`reset --state`, `reset --hard`, `restore`) require interacti
 
 | Command | Purpose |
 |---|---|
-| `sm serve [--port N] [--host ...] [--no-open]` | Start Hono + WebSocket for the Web UI. Default port is implementation-defined but MUST be the same across runs. Implementations MUST NOT bind 0.0.0.0 by default. |
+| `sm serve [--port N] [--host ...] [--scope project\|global] [--db <path>] [--no-built-ins] [--no-plugins] [--open\|--no-open] [--dev-cors] [--ui-dist <path>]` | Start Hono + WebSocket for the Web UI. Single-port mandate: SPA + REST + WS under one listener. Default port 4242, default host 127.0.0.1 (loopback-only through v0.6.0; multi-host deferred — see §Server). |
+
+#### Server
+
+*(Stability: experimental — locks at v0.6.0.)*
+
+The reference implementation ships a Hono BFF rooted at `src/server/`. One Node process serves the Angular SPA, the REST API under `/api/*`, and the WebSocket at `/ws` — single-port mandate, no proxy. Loopback-only assumption through v0.6.0: no per-connection auth on `/ws`; combining `--dev-cors` with a non-loopback `--host` is rejected (exit 2).
+
+**Boot resilience**: `sm serve` boots even when the project DB is missing. `/api/health` reports `db: 'missing'` so the SPA can render an empty-state CTA instead of failing the connection. Explicit `--db <path>` that doesn't exist is the exception — that exits 5 (NotFound) per `§Exit codes`.
+
+**Endpoints (v14.1 surface)**:
+
+| Path | Status | Shape |
+|---|---|---|
+| `GET /api/health` | implemented | `{ ok: true, schemaVersion, specVersion, implVersion, scope: 'project'\|'global', db: 'present'\|'missing' }` |
+| `ALL /api/*` (other) | reserved | structured 404 envelope (see below); real endpoints land at v14.2 |
+| `GET /ws` | upgrade-only | accepts WebSocket upgrade and immediately closes; broadcaster lands at v14.4 |
+| `GET *` | implemented | static asset from the resolved UI bundle, falling back to `index.html` for SPA deep links |
+
+**Error envelope** (mirrors `§Machine-readable output rules`):
+
+```json
+{
+  "ok": false,
+  "error": {
+    "code": "not-found" | "bad-query" | "db-missing" | "internal",
+    "message": "<human-readable>",
+    "details": { ... } | null
+  }
+}
+```
+
+HTTP status mapping: `400` → `bad-query`, `404` → `not-found`, `500` → `internal` / `db-missing`.
+
+**Flag surface**:
+
+| Flag | Default | Purpose |
+|---|---|---|
+| `--port N` | `4242` | Listening port. `0` = OS-assigned (handle reports the bound port). |
+| `--host <ip>` | `127.0.0.1` | Listening host. Implementations MUST NOT bind `0.0.0.0` by default. |
+| `--scope project\|global` | `project` | Effective scope for `/api/*` reads. Alias for `-g/--global`. |
+| `--db <path>` | resolved per spec § Global flags | Override the DB file location. Missing explicit `--db` exits 5. |
+| `--no-built-ins` | off | Skip built-in plugin registration (parity with `sm scan --no-built-ins`). |
+| `--no-plugins` | off | Skip drop-in plugin discovery. |
+| `--open` / `--no-open` | `--open` | Auto-open the SPA in the user's default browser after listen. |
+| `--dev-cors` | off | Enable permissive CORS for the Angular dev-server proxy workflow. Loopback-only when set. |
+| `--ui-dist <path>` | auto | Override the UI bundle directory. Hidden flag — used by the demo build pipeline + tests; everyday users never need it. |
+
+**Graceful shutdown**: SIGINT / SIGTERM trigger a graceful close; the verb returns exit 0 on clean shutdown. Bind failure (port in use, EACCES) returns exit 2.
 
 ---
 

package/conformance/README.md

@@ -78,8 +78,7 @@ A case is a JSON document with this shape:
   "assertions": [
     { "type": "exit-code", "value": 0 },
     { "type": "json-path", "path": "$.schemaVersion", "equals": 1 },
-    { "type": "file-exists", "path": ".skill-map/jobs/*.md" },
-    { "type": "file-contains-verbatim", "path": ".skill-map/jobs/*.md", "fixture": "preamble-v1.txt" }
+    { "type": "stdout-contains-verbatim", "fixture": "preamble-v1.txt" }
   ]
 }
 ```
@@ -125,7 +124,7 @@ Cases explicitly referenced elsewhere in the spec (landing before v1.0):
 
 | Id | Source | Verifies |
 |---|---|---|
-| `preamble-bitwise-match` | `prompt-preamble.md` | Rendered job files contain `preamble-v1.txt` byte-for-byte. Deferred to Step 10 (requires `sm job preview`). |
+| `preamble-bitwise-match` | `prompt-preamble.md` | Rendered job content (printed by `sm job preview`) contains `preamble-v1.txt` byte-for-byte. Deferred to Step 10 (requires `sm job preview`). |
 
 ### Provider-owned (per `<plugin-dir>/conformance/`)
 

package/conformance/coverage.md

@@ -43,7 +43,7 @@ These have their own conformance cases even though they are not JSON Schemas.
 
 | # | Artifact | Case | Status | Notes |
 |---|---|---|---|---|
-| A | Preamble verbatim text | `preamble-bitwise-match` | 🟠 deferred | Deferred to Step 10 (needs `sm job preview` to render a job file). Fixture: `fixtures/preamble-v1.txt` (already present, byte-identical to `prompt-preamble.md` source). |
+| A | Preamble verbatim text | `preamble-bitwise-match` | 🟠 deferred | Deferred to Step 10 (needs `sm job preview` to print the rendered content from `state_job_contents`). Fixture: `fixtures/preamble-v1.txt` (already present, byte-identical to `prompt-preamble.md` source). |
 | B | Kernel empty-boot invariant | `kernel-empty-boot` | 🟢 covered | All extensions disabled → empty ScanResult. |
 | C | Atomic-claim race safety | — | 🔴 missing | Blocked by Step 10. Two concurrent `sm job claim` invocations against a single queued row — exactly one MUST succeed. |
 | D | Duplicate detection | — | 🔴 missing | Blocked by Step 10. Two `sm job submit` with same `(action, version, node, contentHash)` — second exits 3. |

package/db-schema.md

@@ -232,7 +232,6 @@ Matching [`schemas/job.schema.json`](./schemas/job.schema.json). See [`job-lifec
 | `failure_reason` | TEXT | NULL, CHECK in (`runner-error`, `report-invalid`, `timeout`, `abandoned`, `job-file-missing`, `user-cancelled`) |
 | `runner` | TEXT | NULL, CHECK in (`cli`, `skill`, `in-process`) |
 | `ttl_seconds` | INTEGER | NOT NULL |
-| `file_path` | TEXT | NULL |
 | `created_at` | INTEGER | NOT NULL |
 | `claimed_at` | INTEGER | NULL |
 | `finished_at` | INTEGER | NULL |
@@ -241,6 +240,28 @@ Matching [`schemas/job.schema.json`](./schemas/job.schema.json). See [`job-lifec
 
 Indexes: `ix_state_jobs_status`, `ix_state_jobs_action_node_hash` (unique partial index WHERE `status IN ('queued','running')` for duplicate detection).
 
+The rendered job content is NOT stored on this table. It lives in `state_job_contents` keyed by `content_hash` so multiple jobs with identical action + node + template pairs share a single physical blob. See `state_job_contents` below for the storage shape and GC contract.
+
+### `state_job_contents`
+
+Content-addressed store for the rendered MD content of every queued or completed job. Decouples the content from the lifecycle row in `state_jobs` so that retries / `--force` reruns / cross-node fan-out emissions of the same prompt all reference one blob.
+
+| Column | Type | Constraint |
+|---|---|---|
+| `content_hash` | TEXT | PRIMARY KEY |
+| `content` | TEXT | NOT NULL |
+| `created_at` | INTEGER | NOT NULL |
+
+No indexes (PK already covers lookup by hash; the table is keyed-by-hash exclusively).
+
+**Insertion semantics**: `INSERT OR IGNORE INTO state_job_contents(content_hash, content, created_at) VALUES (?, ?, ?)` — an existing row for the same hash is a no-op (the prior insert already paid the storage cost).
+
+**GC contract**: `sm job prune` MUST delete every row whose `content_hash` is no longer referenced by any `state_jobs` row, in the same transaction that prunes the job rows. Implementations MUST NOT delete `state_job_contents` rows on `sm job cancel` (a cancelled job's content is recoverable via `sm job submit --force` of the same content_hash and dedup is desirable).
+
+`content_hash` is the same hash that `state_jobs.content_hash` carries, computed at submit time as `sha256(actionId + actionVersion + bodyHash + frontmatterHash + promptTemplateHash)`. Two jobs with identical `content_hash` MUST render to identical content (the formula is deterministic over all rendering inputs); the table relies on this invariant to dedup.
+
+Honest note on FK enforcement: SQLite foreign keys are off by default and the kernel does not currently turn them on (per `dialect.ts`). The `state_jobs.content_hash → state_job_contents.content_hash` relationship is enforced procedurally by the storage adapter (insert content row before job row in the same transaction; never delete content while jobs reference it). A future foreign-key push may upgrade this to a true FK without breaking the contract.
+
 ### `state_executions`
 
 Matching [`schemas/execution-record.schema.json`](./schemas/execution-record.schema.json).
@@ -262,11 +283,13 @@ Matching [`schemas/execution-record.schema.json`](./schemas/execution-record.sch
 | `duration_ms` | INTEGER | NULL |
 | `tokens_in` | INTEGER | NULL |
 | `tokens_out` | INTEGER | NULL |
-| `report_path` | TEXT | NULL |
+| `report_json` | TEXT | NULL |
 | `job_id` | TEXT | NULL |
 
 Indexes: `ix_state_executions_extension_id`, `ix_state_executions_started_at`, `ix_state_executions_job_id`.
 
+The full report payload (the JSON the model returned, validated against the action's `reportSchemaRef`) is stored inline in `report_json`. There is no on-disk report file. `sm job show <id>` and `sm history --json` read the column directly.
+
 ### `state_summaries`
 
 One row per `(node_id, summarizer_action_id)`. See [`schemas/summaries/`](./schemas/summaries/).
@@ -463,11 +486,11 @@ Both verbs operate on FK ownership only; neither edits files on disk.
 - DB file exists and is readable.
 - `PRAGMA quick_check` (or equivalent) returns OK.
 - Applied migration version matches code-bundled migrations.
-- No orphan job files (`.skill-map/jobs/*.md` without a matching DB row).
-- No orphan DB rows (jobs whose `file_path` does not exist).
+- No `state_jobs` rows whose `content_hash` is missing from `state_job_contents` (corrupt state — the content row was deleted out from under a live job).
+- No `state_job_contents` rows whose `content_hash` is referenced by zero `state_jobs` rows (GC stragglers — `sm job prune` should have collected these).
 - No plugin in `load-error` or `incompatible-spec` status.
 
-Failures are reported with suggested remediation (e.g., "run `sm db migrate`", "run `sm job prune --orphan-files`").
+Failures are reported with suggested remediation (e.g., "run `sm db migrate`", "run `sm job prune`").
 
 ---
 

package/index.json

@@ -166,27 +166,27 @@
       }
     ]
   },
-  "specPackageVersion": "0.10.0",
+  "specPackageVersion": "0.12.0",
   "integrity": {
     "algorithm": "sha256",
     "files": {
-      "CHANGELOG.md": "a7712801b4513c3212cbefb8b1e7540accd40e22c4aa09234b98f6b044bd42c9",
+      "CHANGELOG.md": "c85703fa37d3c084e2251c0b77626c94fa5c6897289c1534432ae45ac168762b",
       "README.md": "bd30780525e75379eaeb5f8a903bdc601daf3862f3ec69dffc96c437e8d476fc",
-      "architecture.md": "c69a50e3e9b7d091799bd19cd9efe854a924c83bc2c8e79e0fcb727196151f6c",
-      "cli-contract.md": "1d09d047e07fd8793968259660012ebf64ab136967afead2d2666a59a40a020a",
-      "conformance/README.md": "07970f06c467e34413f07f6d8bec09ece892d1a903fa039d25b34a77e91187d2",
+      "architecture.md": "9a6d96d150af60ed8d476af572d07dcce605f116fde720bebb2662b11250bf4b",
+      "cli-contract.md": "89dcd366624821c1ab77d1014229b4c209953f337d0c62d16b24472c64c3bad4",
+      "conformance/README.md": "838b1247e1ffb402d96bd8a0fe9c1c0f4a99ed0fbc4bf8156f7a58330cac27f5",
       "conformance/cases/kernel-empty-boot.json": "ad4bbe9d637537625025c8bdb61285b1433568a2544b1ce0248f304ccff8c350",
-      "conformance/coverage.md": "eb57cd979bca59a252e3cd49796e068ac601169f859f32cdf37634486574c44c",
+      "conformance/coverage.md": "4df23b78ec44887dc355e0622b9008bb2514f3b8e9c302db18eb51532fda5275",
       "conformance/fixtures/preamble-v1.txt": "1e0aeef224b64477bdc13a949c3ad402e68249caf499ecdba1302371677c068b",
-      "db-schema.md": "6542311118d2e74bdb7c7a48c208eccd5e55cf574f7cb38e976d6d7c3c666745",
+      "db-schema.md": "cbd2d3395ca4f01065d6f15405c7442d59a468b15448377d6f9373fa6aeff334",
       "interfaces/security-scanner.md": "4a982667008f233656f44c61ce9948e062432d3debdcbf7a134da03bd4139d7d",
-      "job-events.md": "831501bd696a2801e2d160b314eb49794d0ba553da4487e15c7dcc72a1c230f6",
-      "job-lifecycle.md": "1fe88b1a2ed204e41bb41ac172fbb3e912dccd0dd8a1f8ea8e21a681b336d6ee",
+      "job-events.md": "8f371e0991816eca2e1a55cbd8a50733546ca5e7c861588048c18be1d22dbd57",
+      "job-lifecycle.md": "12bfc27690c92cf93682a3b6fbfeb7e2d252d33f704fd2d7de9a13db713e6281",
       "plugin-author-guide.md": "2dcdf8c570342d94c2c8f8d47594715254e3956d7939443023f1d6420e2b30d0",
       "plugin-kv-api.md": "04b2178f46fb88adeae9240df9c9e1761b660396072001dac32cd402e11a2d7d",
-      "prompt-preamble.md": "23a8eff0477fbbc46192a27781bc781bda4202bb9c669b7a7a002b0d668146b0",
+      "prompt-preamble.md": "fb40ab510234383326f198dec82cd6d744f28b7432eebac6cbfbb7ca1c483b7d",
       "schemas/conformance-case.schema.json": "7cd0f3aae5124f24be57cddb213d002d0466f79d06fd3da896075c8b28650410",
-      "schemas/execution-record.schema.json": "607e939bfcac4e18385ef93e27bbe28987ba35d5a7c67f3d6e4377ca819a9425",
+      "schemas/execution-record.schema.json": "9628fa557cb856402f3a5f1d1167c609e46a197c850fe8171abfddd46c1028a8",
       "schemas/extensions/action.schema.json": "262272175c06a2e33c08f819a45c3ef8260276c91a9d0542fdffc932aeb32db7",
       "schemas/extensions/base.schema.json": "e5c3406b88b0496a89791890b05083929429319d96b1f8cea0bec3ec9e3de8af",
       "schemas/extensions/extractor.schema.json": "122d3f81ef91edcde9798e7dc8fcbf442a2996deea65aa4b03c9d5cb01ba2519",
@@ -197,7 +197,7 @@
       "schemas/frontmatter/base.schema.json": "dfee192458765b8cb872ef9e7145ec31b9e07ceb19ee44be48af2172329e7a38",
       "schemas/history-stats.schema.json": "23f472d1de06d23fc775aabba821f8375f347af4dc8d89ba567980d61a11f9de",
       "schemas/issue.schema.json": "40f6f8abadcce0fd8eac9df27ffcc20b2fc9fda6970142ddb8e7e56b1760b9b1",
-      "schemas/job.schema.json": "582999899f8846f70c4d745d2813e53b97a4f5ccd3d8d163eeb68b201e7124e4",
+      "schemas/job.schema.json": "ffbdd51c54b487c44eb57fabd07f624ac1030c14ef69b46933c154092853a84c",
       "schemas/link.schema.json": "0a95a24849a38b9ef5bad5361519a9f9e012b5bc3001289fad29d0851fceff6b",
       "schemas/node.schema.json": "f9a0cc5d5a7f581915719e91ae401e46a82688e0865fd3a2eb64bd42798a6b2b",
       "schemas/plugins-registry.schema.json": "5ca1d4970ae64f064f05c237a649d9f82d5edbeb7c121ec50cb4aaca13f4bc51",

package/job-events.md

@@ -145,7 +145,7 @@ Emitted when a drain attempts to claim but finds no eligible job.
 
 ### `job.spawning`
 
-Emitted when the runner is about to execute the job file.
+Emitted when the runner is about to execute the job content.
 
 ```json
 {
@@ -156,12 +156,12 @@ Emitted when the runner is about to execute the job file.
   "data": {
     "runner": "cli | skill | in-process",
     "command": "claude -p",
-    "jobFilePath": ".skill-map/jobs/d-20260420-143055-b001.md"
+    "contentHash": "0a3f…"
   }
 }
 ```
 
-`command` is implementation-defined free-form; it is descriptive, not invokable.
+`command` is implementation-defined free-form; it is descriptive, not invokable. `contentHash` references the row in `state_job_contents` the runner is about to execute against — useful for downstream observers that want to correlate the spawn with the rendered content (which is in DB, not on disk).
 
 > **Hookable** — see [`architecture.md` §Hook · curated trigger set](./architecture.md#hook--curated-trigger-set). Plugins MAY subscribe a `hook` extension to this event for pre-flight checks or audit logging. Reactions only — hooks cannot block the spawn.
 
@@ -197,11 +197,13 @@ Emitted inside `sm record` when the callback arrives and passes nonce validation
   "data": {
     "status": "completed | failed",
     "model": "claude-opus-4-7",
-    "reportPath": ".skill-map/reports/d-20260420-143055-b001.json"
+    "executionId": "e-20260420-143104-b001"
   }
 }
 ```
 
+`executionId` references the just-written `state_executions` row whose `report_json` carries the report payload. Consumers that need the content fetch it via `sm history --json` or directly from the DB; the event itself stays small.
+
 `runId` on this event is the run that originally claimed the job. If the record is called from outside a CLI run — the canonical case being a Skill agent that called `sm job claim` + `sm record` without ever entering `sm job run` — the kernel MUST synthesize a `runId` of the form `r-ext-YYYYMMDD-HHMMSS-XXXX` (same timestamp + 4-hex shape as real run ids, with the `r-ext-` prefix reserved for externally-driven claims).
 
 Synthetic-run envelope: when a Skill agent claims a job, the kernel MUST emit — on the server's WebSocket and in the `--json` ndjson stream if active — a full envelope covering that claim:
@@ -232,11 +234,13 @@ Emitted when a job transitions to `completed`.
     "tokensIn": 2431,
     "tokensOut": 1072,
     "model": "claude-opus-4-7",
-    "reportPath": ".skill-map/reports/d-20260420-143055-b001.json"
+    "executionId": "e-20260420-143104-b001"
   }
 }
 ```
 
+`executionId` references the `state_executions` row that holds the report payload (in `report_json`). The full report is intentionally NOT inlined in the event — keep events small and let consumers query the row when they want the body.
+
 > **Hookable** — see [`architecture.md` §Hook · curated trigger set](./architecture.md#hook--curated-trigger-set). The most common hookable event: notification, billing, downstream dispatch.
 
 ### `job.failed`

package/job-lifecycle.md

@@ -39,7 +39,7 @@ Terminal states: `completed`, `failed`. Once terminal, a job MUST NOT transition
 | `queued` | `running` | Atomic claim by a runner. |
 | `queued` | `failed` | `sm job cancel <id>` (reason `user-cancelled`). |
 | `running` | `completed` | `sm record --status completed` with valid nonce. |
-| `running` | `failed` | `sm record --status failed`, OR TTL expired (reason `abandoned`), OR runner subprocess returned non-zero (reason `runner-error`), OR report failed schema validation (reason `report-invalid`), OR job file missing at runtime (reason `job-file-missing`). |
+| `running` | `failed` | `sm record --status failed`, OR TTL expired (reason `abandoned`), OR runner subprocess returned non-zero (reason `runner-error`), OR report failed schema validation (reason `report-invalid`), OR rendered content row missing at runtime (reason `job-file-missing` — historically named for the on-disk artifact; now refers to a missing `state_job_contents` row, a DB-corruption-only state since the runtime invariant is that `state_jobs.content_hash` always resolves). |
 
 Any other transition attempt MUST be rejected and MUST NOT mutate state. Implementations SHOULD log the attempt.
 
@@ -56,8 +56,8 @@ Any other transition attempt MUST be rejected and MUST NOT mutate state. Impleme
 5. Compute `ttlSeconds` per §TTL resolution below. Frozen on `state_jobs.ttlSeconds` for the life of this job.
 6. Resolve `priority` (integer, default `0`). Precedence (lowest → highest): action manifest `defaultPriority` → user config `jobs.perActionPriority.<actionId>` → flag `--priority <n>`. Higher runs first; ties broken by `createdAt ASC`. Negative values are permitted and run after the default bucket. The resolved value is frozen on `state_jobs.priority` at submit time and is immutable for the life of the job.
 7. Generate `nonce` (implementation-chosen; MUST be cryptographically random, ≥ 128 bits of entropy).
-8. Render the job file at `.skill-map/jobs/<id>.md`, applying the canonical preamble (see [`prompt-preamble.md`](./prompt-preamble.md)).
-9. Insert a row in `state_jobs` with `status = 'queued'`, `createdAt = now`.
+8. Render the rendered job content (canonical preamble + action template + interpolated user content per [`prompt-preamble.md`](./prompt-preamble.md)) and write it to `state_job_contents` via `INSERT OR IGNORE` keyed by `content_hash`. Multiple `state_jobs` rows MAY share the same `content_hash` row: the content is stored exactly once and refcounted by reference. Implementations MUST NOT persist the rendered content to a filesystem path — the DB row is the canonical artifact.
+9. Insert a row in `state_jobs` with `status = 'queued'`, `createdAt = now`. The row's `content_hash` references the just-stored `state_job_contents.content_hash`. Steps 8 and 9 MUST run inside one transaction.
 10. Return the job id.
 
 `--all` fans out one job per node matching the action's `preconditions`. Each fan-out job is independent: some may be duplicates and be refused, others succeed. The CLI reports a summary.
@@ -91,6 +91,8 @@ The second `AND status = 'queued'` guards against a race where two runners selec
 
 `sm job claim` exposes this primitive to Skill agents (and any driving adapter that wants to drain from outside a CLI-runner loop): returns the id on stdout (exit 0) or exits 1 if the queue is empty.
 
+In `--json` mode, `sm job claim` instead returns the document `{ "id": "<id>", "nonce": "<nonce>", "content": "<rendered MD content>" }`. Drivers MUST use the `--json` form when they intend to call `sm record` afterwards: the nonce is the sole credential the callback verb checks, and embedding it in the claim's structured response is the contracted handover. The plain stdout form (id only) is preserved for legacy scripts that just want to know what id was claimed.
+
 ---
 
 ## TTL and auto-reap
@@ -165,13 +167,15 @@ Negative or zero values MUST be rejected with exit 2 at submit time.
 1. Load the job by id. If not found → exit 5.
 2. Compare the supplied nonce against `state_jobs.nonce`. Mismatch → exit 4 without mutation.
 3. If `state_jobs.status != 'running'` → exit 2 with message "job not in running state". This catches late callbacks after a reap.
-4. If `--status completed`: validate the report file against the action's declared report schema. On validation failure → transition to `failed` with reason `report-invalid`; DO NOT stay `running`.
-5. Write the execution record (see [`schemas/execution-record.schema.json`](./schemas/execution-record.schema.json)) with the full metrics.
+4. If `--status completed`: read the report payload from the path passed to `--report` (the path is implementation-input only; the kernel reads its contents and stores them inline — there is no canonical on-disk report artifact), validate the parsed JSON against the action's declared report schema. On validation failure → transition to `failed` with reason `report-invalid`; DO NOT stay `running`.
+5. Write the execution record (see [`schemas/execution-record.schema.json`](./schemas/execution-record.schema.json)) with the full metrics. The report payload (if any) is stored inline in `state_executions.report_json` as the parsed JSON; the input path is NOT retained.
 6. Transition the job to the terminal state.
 7. Emit `job.callback.received` followed by `job.completed` or `job.failed` (see [`job-events.md`](./job-events.md)).
 
 The nonce is the sole authentication factor. A compromised nonce allows forged callbacks for that single job. Nonces MUST be generated per-job; never reused; never logged at info level or above.
 
+`--report` accepts either a file path or `-` (stdin). Drivers MAY choose either form; the kernel ingests both into `report_json` identically. The on-disk file the runner authored is ephemeral — implementations SHOULD remove it after the kernel acknowledges the callback (this is a courtesy GC, not a normative requirement).
+
 ---
 
 ## Duplicate prevention rationale
@@ -204,11 +208,9 @@ Implementations MUST handle each of the following:
 
 | Scenario | Required handling |
 |---|---|
-| DB says `queued` or `running`, but the job MD file is missing on disk. | Mark `failed` with `failureReason = job-file-missing`. `sm doctor` MUST report these proactively. |
-| MD file present in `.skill-map/jobs/`, no matching DB row. | `sm doctor` MUST list them. Implementations MUST NOT auto-delete. `sm job prune --orphan-files` removes them explicitly. |
-| User edited the MD file between submit and run. | By design: the runner uses the current file contents. The user owns the consequences. Event stream MAY note the mtime change. |
-| Job `completed`, MD file still present. | Normal. Retention policy (`sm job prune` per `jobs.retention.*` config) eventually cleans up. |
-| Runner crashes between `claim` and reading the file. | Covered by TTL/reap: when `expiresAt` passes, the next reap marks the job `failed` with `abandoned`. |
+| `state_jobs` row exists but its `content_hash` is missing from `state_job_contents` (DB corruption — the content row was deleted by external means). | Mark `failed` with `failureReason = job-file-missing`. `sm doctor` MUST report these proactively. The kernel does NOT itself produce this state under normal operation; the contract is that submit and prune both keep the two tables consistent. The legacy enum name `job-file-missing` is preserved across the disk-to-DB shift to keep the failure-reason vocabulary backward-compatible — the semantic now refers to a missing content row rather than a missing on-disk file. |
+| `state_job_contents` row references no live `state_jobs` row (GC straggler). | `sm doctor` MUST list them. `sm job prune` MUST collect them in the same transaction that prunes terminal jobs. |
+| Runner crashes between `claim` and reading the content. | Covered by TTL/reap: when `expiresAt` passes, the next reap marks the job `failed` with `abandoned`. |
 | Callback arrives after reap already failed the job. | Reject with exit 2 (see Record step 3). The runner should treat this as an error and log it. |
 
 ---
@@ -234,13 +236,15 @@ Config controls (`jobs.retention.completed`, `jobs.retention.failed`):
 
 `sm job prune` applies retention. Implementations MAY run this on a schedule (e.g., on `sm doctor`, or in a cron adapter) but MUST NOT prune implicitly during normal verb execution.
 
+`sm job prune` MUST also collect orphaned `state_job_contents` rows (no live `state_jobs` references) in the same transaction that prunes terminal jobs. The natural ordering is: delete terminal `state_jobs` rows in the retention window, then delete `state_job_contents` rows whose `content_hash` no longer appears in any `state_jobs` row. This keeps the two tables consistent without separate verbs.
+
 ---
 
 ## See also
 
 - [`architecture.md`](./architecture.md) — `RunnerPort` definition; driving-adapter peer rule for Skill agents.
 - [`job-events.md`](./job-events.md) — canonical event stream emitted during job execution.
-- [`prompt-preamble.md`](./prompt-preamble.md) — verbatim preamble prepended to every rendered job file.
+- [`prompt-preamble.md`](./prompt-preamble.md) — verbatim preamble prepended to every rendered job content row.
 - [`db-schema.md`](./db-schema.md) — `state_jobs` and `state_executions` table catalogs.
 - [`cli-contract.md`](./cli-contract.md) — `sm job` verb surface and exit codes.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@skill-map/spec",
-  "version": "0.10.0",
+  "version": "0.12.0",
   "description": "JSON Schemas, prose contracts, and conformance suite for the skill-map specification.",
   "license": "MIT",
   "type": "module",

package/prompt-preamble.md

@@ -1,6 +1,6 @@
 # Prompt preamble
 
-Canonical text the kernel prepends to every rendered job file before the action-specific template. The preamble exists to mitigate prompt injection from user-authored node content. This document defines:
+Canonical text the kernel prepends to every rendered job content blob before the action-specific template. The preamble exists to mitigate prompt injection from user-authored node content. This document defines:
 
 1. The **delimiter contract** that wraps user content.
 2. The **verbatim preamble text** (the only normative text in the spec).
@@ -116,7 +116,7 @@ On `sm job submit`:
 2. The kernel validates that the template does not interpolate user text outside of `<user-content>` blocks.
 3. The kernel prepends the verbatim preamble text above.
 4. The kernel renders the template by interpolating the node content, wrapping it in `<user-content>`.
-5. The kernel writes the result to `.skill-map/jobs/<id>.md`.
+5. The kernel stores the result in `state_job_contents` keyed by `contentHash` (content-addressed: multiple jobs that resolve to the same `contentHash` share one row). There is no canonical filesystem artifact — `sm job preview` and `sm job claim --json` both read directly from this table. Subprocess runners that need a file (e.g., `claude -p` reading stdin from a path) materialize a temporary file from the DB row and remove it after spawn; the temp file is operationally ephemeral, not part of the contract.
 6. The kernel computes `contentHash` over (among other things) the concatenation of preamble + template. A changed preamble (e.g., spec bump) MUST produce a different hash and therefore MUST NOT collide with prior jobs.
 
 Implementations MUST NOT modify the preamble text at runtime (e.g., based on locale, model, or config). The text is universal and invariant.
@@ -158,4 +158,4 @@ Defense-in-depth: the deterministic rule `injection-pattern` (shipped as a built
 
 ## Stability
 
-The verbatim text above is **stable** as of spec v1.0.0. It is reproduced in the conformance suite as [`conformance/fixtures/preamble-v1.txt`](./conformance/fixtures/preamble-v1.txt). Any implementation whose rendered job files do not contain this text verbatim fails the conformance check `preamble-bitwise-match`.
+The verbatim text above is **stable** as of spec v1.0.0. It is reproduced in the conformance suite as [`conformance/fixtures/preamble-v1.txt`](./conformance/fixtures/preamble-v1.txt). Any implementation whose rendered job content (read via `sm job preview` or `sm job claim --json`) does not contain this text verbatim fails the conformance check `preamble-bitwise-match`.

package/schemas/execution-record.schema.json

@@ -42,7 +42,7 @@
     "failureReason": {
       "type": ["string", "null"],
       "enum": ["runner-error", "report-invalid", "timeout", "abandoned", "job-file-missing", "user-cancelled", null],
-      "description": "Normalized reason when `status = failed` or `cancelled`. Null for `completed`."
+      "description": "Normalized reason when `status = failed` or `cancelled`. Null for `completed`. `job-file-missing` mirrors the same enum value on `Job.failureReason` (legacy name preserved across the disk-to-DB shift)."
     },
     "exitCode": {
       "type": ["integer", "null"],
@@ -78,7 +78,7 @@
     },
     "reportPath": {
       "type": ["string", "null"],
-      "description": "Path to the written report, relative to scope root. Null for actions that don't produce a report file."
+      "description": "Legacy field preserved across the disk-to-DB shift. Under B2 (DB-only job artifacts) this is always null because reports live inline in `state_executions.report_json`. Phase A of Step 10 will rename to `report` (object/null) carrying the parsed payload; until then the field remains as documented for backward compat."
     },
     "jobId": {
       "type": ["string", "null"],

package/schemas/job.schema.json

@@ -45,7 +45,7 @@
     "failureReason": {
       "type": ["string", "null"],
       "enum": ["runner-error", "report-invalid", "timeout", "abandoned", "job-file-missing", "user-cancelled", null],
-      "description": "Populated when `status = failed`."
+      "description": "Populated when `status = failed`. `job-file-missing` (legacy name preserved across the disk-to-DB shift) covers DB corruption where `state_jobs.content_hash` no longer resolves in `state_job_contents` — the runtime invariant should keep this state unreachable; the enum value exists as a defensive failure-mode label."
     },
     "runner": {
       "type": ["string", "null"],
@@ -56,10 +56,6 @@
       "minimum": 1,
       "description": "Resolved TTL at submit time: max(expectedDurationSeconds × graceMultiplier, minimumTtlSeconds). Frozen."
     },
-    "filePath": {
-      "type": ["string", "null"],
-      "description": "Relative path to the rendered job file (usually `.skill-map/jobs/<id>.md`). Null before rendering."
-    },
     "createdAt": { "type": "integer", "description": "Unix ms. Submit time." },
     "claimedAt": { "type": ["integer", "null"], "description": "Unix ms. Null while queued." },
     "finishedAt": { "type": ["integer", "null"], "description": "Unix ms. Null while not terminal." },