akm-cli 0.8.0-rc.8 → 0.8.0-rc.9

package/dist/cli.js

@@ -2051,6 +2051,258 @@ const vaultCommand = defineCommand({
         });
     },
 });
+// ── secret ──────────────────────────────────────────────────────────────────
+//
+// `akm secret` manages whole-file secrets under each stash's secrets/ directory.
+// Unlike vaults (.env key/value), the ENTIRE file is the secret value. The bytes
+// are NEVER written to stdout or structured output. Values reach a command only
+// via `akm secret run` (injected into a child env var) or `akm secret path`
+// (the Docker /run/secrets + `_FILE` convention).
+function parseSecretRef(ref) {
+    return parseAssetRef(ref.includes(":") ? ref : `secret:${ref}`);
+}
+function makeSecretRef(name, source) {
+    return source?.registryId ? `${source.registryId}//secret:${name}` : `secret:${name}`;
+}
+function resolveSecretPath(ref) {
+    const parsed = parseSecretRef(ref);
+    if (parsed.type !== "secret") {
+        throw new UsageError(`Expected a secret ref (secret:<name>); got "${ref}".`);
+    }
+    // Source resolution is identical for every asset type; reuse the vault helper.
+    const source = findVaultSource(parsed.origin);
+    const typeRoot = path.join(source.path, "secrets");
+    const absPath = resolveAssetPathFromName("secret", typeRoot, parsed.name);
+    // Defense-in-depth: ensure the resolved path stays inside the secrets dir.
+    if (!isWithin(absPath, typeRoot)) {
+        throw new UsageError(`Secret name "${parsed.name}" escapes the secrets directory.`);
+    }
+    return { name: parsed.name, absPath, source };
+}
+/** Walk `secrets/` across all stashes, returning one entry per secret file. */
+function listSecretsRecursive() {
+    const result = [];
+    for (const source of resolveSourceEntries(undefined, loadConfig())) {
+        const secretsDir = path.join(source.path, "secrets");
+        if (!fs.existsSync(secretsDir))
+            continue;
+        const walk = (dir) => {
+            for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+                const full = path.join(dir, entry.name);
+                if (entry.isDirectory()) {
+                    walk(full);
+                    continue;
+                }
+                if (!entry.isFile())
+                    continue;
+                if (entry.name.endsWith(".lock") || entry.name.endsWith(".sensitive"))
+                    continue;
+                // A sibling `<name>.sensitive` marker suppresses listing.
+                if (fs.existsSync(`${full}.sensitive`))
+                    continue;
+                const canonical = deriveCanonicalAssetName("secret", secretsDir, full);
+                if (!canonical)
+                    continue;
+                result.push({ ref: makeSecretRef(canonical, source), path: full });
+            }
+        };
+        walk(secretsDir);
+    }
+    return result;
+}
+const secretListCommand = defineCommand({
+    meta: {
+        name: "list",
+        description: "List all secrets across all stashes by name (the file contents are never shown)",
+    },
+    run() {
+        return runWithJsonErrors(async () => {
+            output("secret-list", { secrets: listSecretsRecursive() });
+        });
+    },
+});
+const secretSetCommand = defineCommand({
+    meta: {
+        name: "set",
+        description: "Create or overwrite a secret. The value is read from stdin by default (never via argv). Use --from-file <path> to import an existing file byte-exact, or --from-env <VAR> to read from an environment variable. Multi-line values are allowed.",
+    },
+    args: {
+        ref: { type: "positional", description: "Secret ref (e.g. secret:deploy-key or just deploy-key)", required: true },
+        "from-file": { type: "string", description: "Read the value from this file (stored byte-exact)" },
+        "from-env": { type: "string", description: "Read the value from the named environment variable" },
+    },
+    run({ args }) {
+        return runWithJsonErrors(async () => {
+            const { setSecret } = await import("./commands/secret.js");
+            const { name, absPath, source } = resolveSecretPath(args.ref);
+            const fromEnv = getHyphenatedArg(args, "from-env");
+            const fromFile = getHyphenatedArg(args, "from-file");
+            if (fromEnv !== undefined && fromFile !== undefined) {
+                throw new UsageError("Pass only one of --from-file or --from-env (or use stdin).", "INVALID_FLAG_VALUE");
+            }
+            const MAX_SECRET_BYTES = 5 * 1024 * 1024; // 5 MB
+            let value;
+            if (fromFile !== undefined) {
+                if (!fs.existsSync(fromFile)) {
+                    throw new NotFoundError(`File not found: ${fromFile}`, "FILE_NOT_FOUND");
+                }
+                value = fs.readFileSync(fromFile);
+                if (value.byteLength > MAX_SECRET_BYTES) {
+                    throw new UsageError("Secret exceeds the 5 MB limit.");
+                }
+            }
+            else if (fromEnv !== undefined) {
+                const envVal = process.env[fromEnv];
+                if (envVal === undefined) {
+                    throw new UsageError(`Environment variable "${fromEnv}" is not set.`, "INVALID_FLAG_VALUE");
+                }
+                value = Buffer.from(envVal, "utf8");
+            }
+            else {
+                if (process.stdin.isTTY) {
+                    process.stderr.write(`Enter value for secret "${name}" (Ctrl-D when done):\n`);
+                }
+                let totalBytes = 0;
+                const chunks = [];
+                for await (const chunk of Bun.stdin.stream()) {
+                    totalBytes += chunk.byteLength;
+                    if (totalBytes > MAX_SECRET_BYTES) {
+                        throw new UsageError("Secret exceeds the 5 MB limit.");
+                    }
+                    chunks.push(chunk);
+                }
+                // Strip a single trailing newline so `echo "$TOKEN" | akm secret set`
+                // stores the token without the shell-added newline. Use --from-file for
+                // byte-exact storage of multi-line material (PEM keys, certs).
+                value = Buffer.from(Buffer.concat(chunks).toString("utf8").replace(/\n$/, ""), "utf8");
+            }
+            setSecret(absPath, value);
+            output("secret-set", { ref: makeSecretRef(name, source) });
+        });
+    },
+});
+const secretPathCommand = defineCommand({
+    meta: {
+        name: "path",
+        description: "Print the absolute secret file path for the Docker `_FILE` convention, e.g. `MY_SECRET_FILE=$(akm secret path secret:deploy-key)`.",
+    },
+    args: {
+        ref: { type: "positional", description: "Secret ref", required: true },
+    },
+    run({ args }) {
+        return runWithJsonErrors(async () => {
+            const { name, absPath, source } = resolveSecretPath(args.ref);
+            if (!fs.existsSync(absPath)) {
+                throw new NotFoundError(`Secret not found: ${makeSecretRef(name, source)}`);
+            }
+            process.stdout.write(`${absPath}\n`);
+        });
+    },
+});
+const secretRunCommand = defineCommand({
+    meta: {
+        name: "run",
+        description: "Run a command with a secret's value injected into an env var: `akm secret run <ref> <VAR> -- <command>`. The value is set as $VAR in the child process only.",
+    },
+    args: {
+        ref: { type: "positional", description: "Secret ref", required: true },
+        var: { type: "positional", description: "Environment variable name to inject the value into", required: true },
+    },
+    run({ args }) {
+        return runWithJsonErrors(async () => {
+            // Validate the target env var name FIRST (before the command split) so a
+            // dangerous/invalid name is rejected regardless of how the command is
+            // supplied — and so the failure does not depend on argv parsing.
+            const varName = args.var;
+            if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(varName)) {
+                throw new UsageError(`"${varName}" is not a valid environment variable name.`, "INVALID_FLAG_VALUE");
+            }
+            const { isDangerousVaultKey } = await import("./commands/lint/vault-key-rules.js");
+            if (isDangerousVaultKey(varName)) {
+                throw new UsageError(`Refusing to inject a secret into "${varName}": it is a known process-hijacking variable (e.g. LD_PRELOAD, PATH).`, "INVALID_FLAG_VALUE");
+            }
+            const dashIndex = process.argv.indexOf("--");
+            if (dashIndex < 0 || dashIndex === process.argv.length - 1) {
+                throw new UsageError("Missing command. Usage: akm secret run <ref> <VAR> -- <command>");
+            }
+            const command = process.argv.slice(dashIndex + 1);
+            const { name, absPath, source } = resolveSecretPath(args.ref);
+            if (!fs.existsSync(absPath)) {
+                throw new NotFoundError(`Secret not found: ${makeSecretRef(name, source)}`);
+            }
+            const { readValue } = await import("./commands/secret.js");
+            const mergedEnv = { ...process.env };
+            mergedEnv[varName] = readValue(absPath).toString("utf8");
+            // Audit trail: record access by ref + var name only — never the value.
+            appendEvent({
+                eventType: "secret_access",
+                ref: makeSecretRef(name, source),
+                metadata: { var: varName },
+            });
+            const result = spawnSync(command[0], command.slice(1), {
+                stdio: "inherit",
+                env: mergedEnv,
+            });
+            if (result.error) {
+                const err = result.error;
+                if (err.code === "ENOENT") {
+                    throw new NotFoundError(`Command not found: ${command[0]}`, "FILE_NOT_FOUND", `Install '${command[0]}' or add its directory to PATH before invoking 'akm secret run'.`);
+                }
+                if (err.code === "EACCES") {
+                    throw new ConfigError(`Command not executable: ${command[0]}`, "STASH_DIR_UNREADABLE", `Add execute permission ('chmod +x ${command[0]}') or invoke via an interpreter.`);
+                }
+                throw err;
+            }
+            process.exit(result.status ?? 0);
+        });
+    },
+});
+const secretRemoveCommand = defineCommand({
+    meta: { name: "remove", description: "Remove a secret (and its .sensitive marker, if any)" },
+    args: {
+        ref: { type: "positional", description: "Secret ref", required: true },
+        yes: { type: "boolean", alias: "y", description: "Skip confirmation prompt", default: false },
+    },
+    run({ args }) {
+        return runWithJsonErrors(async () => {
+            const { name, absPath, source } = resolveSecretPath(args.ref);
+            const { confirmDestructive } = await import("./cli/confirm.js");
+            const confirmed = await confirmDestructive(`Remove secret "${args.ref}"? This cannot be undone.`, {
+                yes: args.yes === true,
+            });
+            if (!confirmed) {
+                process.stderr.write("Aborted.\n");
+                return;
+            }
+            const { removeSecret } = await import("./commands/secret.js");
+            if (!fs.existsSync(absPath)) {
+                throw new NotFoundError(`Secret not found: ${makeSecretRef(name, source)}`);
+            }
+            const removed = removeSecret(absPath);
+            output("secret-remove", { ref: makeSecretRef(name, source), removed });
+        });
+    },
+});
+const secretCommand = defineCommand({
+    meta: {
+        name: "secret",
+        description: "Manage whole-file secrets (PEM keys, tokens, certs). Names are visible; the file contents are the value and never appear in structured output.",
+    },
+    subCommands: {
+        list: secretListCommand,
+        path: secretPathCommand,
+        run: secretRunCommand,
+        set: secretSetCommand,
+        remove: secretRemoveCommand,
+    },
+    run({ args }) {
+        return runWithJsonErrors(async () => {
+            if (hasSubcommand(args, SECRET_SUBCOMMAND_SET))
+                return;
+            output("secret-list", { secrets: listSecretsRecursive() });
+        });
+    },
+});
 // ── Wiki subcommands ─────────────────────────────────────────────────────────
 const wikiCreateCommand = defineCommand({
     meta: { name: "create", description: "Scaffold a new wiki under <stashDir>/wikis/<name>/" },
@@ -3171,7 +3423,7 @@ const tasksCommand = defineCommand({
         });
     },
 });
-const main = defineCommand({
+export const main = defineCommand({
     meta: {
         name: "akm",
         version: pkgVersion,
@@ -3243,12 +3495,14 @@ const main = defineCommand({
         hints: hintsCommand,
         completions: completionsCommand,
         vault: vaultCommand,
+        secret: secretCommand,
         wiki: wikiCommand,
         tasks: tasksCommand,
     },
 });
 const CONFIG_SUBCOMMAND_SET = new Set(["path", "list", "show", "get", "set", "unset"]);
 const VAULT_SUBCOMMAND_SET = new Set(["list", "path", "run", "create", "set", "unset"]);
+const SECRET_SUBCOMMAND_SET = new Set(["list", "path", "run", "set", "remove"]);
 const WIKI_SUBCOMMAND_SET = new Set([
     "create",
     "register",
@@ -3267,62 +3521,69 @@ const EXIT_GENERAL = 1;
  *  fired but no hard failure). Chosen as 4 to avoid colliding with EXIT_GENERAL
  *  (1) and USAGE (2). CI monitors can map: 0=pass, 4=warn, 1=fail. */
 const EXIT_HEALTH_WARN = 4;
-// citty reads process.argv directly and does not accept a custom argv array,
-// so we must replace process.argv with the normalized version before runMain.
-process.argv = normalizeShowArgv(process.argv);
-// Resolve output mode once at startup from the (normalized) argv and persisted
-// config. All subsequent output() calls read from this in-memory singleton.
-// `initOutputMode` can throw a UsageError when --format/--detail values are
-// invalid; surface it through the same JSON-error path the rest of the CLI uses
-// rather than letting the raw exception escape with a stack trace.
-try {
-    applyEarlyStderrFlags(process.argv);
-    initOutputMode(process.argv, loadConfig().output ?? {});
-}
-catch (error) {
-    emitJsonError(error);
-}
-// One-time cleanup of stale 0.7.x index file at the old cache location.
-// 0.8.0 moved the index to $XDG_DATA_HOME/akm/index.db (getDataDir()).
-// If the old file exists at $XDG_CACHE_HOME/akm/index.db, remove it so the
-// user isn't confused by a phantom DB. Best-effort; never fatal.
-try {
-    const oldIndexPath = path.join(getCacheDir(), "index.db");
-    if (fs.existsSync(oldIndexPath)) {
-        fs.rmSync(oldIndexPath, { force: true });
-        fs.rmSync(`${oldIndexPath}-shm`, { force: true });
-        fs.rmSync(`${oldIndexPath}-wal`, { force: true });
-        warn(`Cleaned up stale 0.7.x index from ${oldIndexPath}. Canonical path is now ${getDbPath()}.`);
+// Only run the CLI when this module is the direct entry point. When it is
+// imported (e.g. by the in-process test harness in tests/_helpers/cli.ts),
+// `import.meta.main` is false and we skip all startup side effects (argv
+// mutation, output-mode init, index cleanup, banner, runMain) so importers
+// can drive the `main` command themselves without the process exiting.
+if (import.meta.main) {
+    // citty reads process.argv directly and does not accept a custom argv array,
+    // so we must replace process.argv with the normalized version before runMain.
+    process.argv = normalizeShowArgv(process.argv);
+    // Resolve output mode once at startup from the (normalized) argv and persisted
+    // config. All subsequent output() calls read from this in-memory singleton.
+    // `initOutputMode` can throw a UsageError when --format/--detail values are
+    // invalid; surface it through the same JSON-error path the rest of the CLI uses
+    // rather than letting the raw exception escape with a stack trace.
+    try {
+        applyEarlyStderrFlags(process.argv);
+        initOutputMode(process.argv, loadConfig().output ?? {});
     }
-}
-catch {
-    // Non-fatal; one-time warning only.
-}
-// First-time-user breadcrumb: when run with no subcommand AND no config
-// exists yet AND stderr is a TTY, print a friendly pointer to `akm setup`
-// above citty's auto-generated usage block. Triggers only when stdin/stderr
-// are interactive (so JSON-output users / CI consumers see nothing extra)
-// and stays silent for any flag-only invocation citty would handle itself
-// (--help, --version).
-(function maybePrintFirstTimeBanner() {
-    const argv = process.argv.slice(2);
-    // Fire only on completely bare `akm` invocation. Any explicit flag or
-    // subcommand means the user knows what they want.
-    if (argv.length > 0)
-        return;
-    if (!process.stderr.isTTY)
-        return;
+    catch (error) {
+        emitJsonError(error);
+    }
+    // One-time cleanup of stale 0.7.x index file at the old cache location.
+    // 0.8.0 moved the index to $XDG_DATA_HOME/akm/index.db (getDataDir()).
+    // If the old file exists at $XDG_CACHE_HOME/akm/index.db, remove it so the
+    // user isn't confused by a phantom DB. Best-effort; never fatal.
     try {
-        if (fs.existsSync(getConfigPath()))
-            return;
+        const oldIndexPath = path.join(getCacheDir(), "index.db");
+        if (fs.existsSync(oldIndexPath)) {
+            fs.rmSync(oldIndexPath, { force: true });
+            fs.rmSync(`${oldIndexPath}-shm`, { force: true });
+            fs.rmSync(`${oldIndexPath}-wal`, { force: true });
+            warn(`Cleaned up stale 0.7.x index from ${oldIndexPath}. Canonical path is now ${getDbPath()}.`);
+        }
     }
     catch {
-        // If we can't resolve the config path, assume non-fresh and stay silent.
-        return;
+        // Non-fatal; one-time warning only.
     }
-    console.error(plainize("👋 First time with akm? Run `akm setup` to get started.\n   Docs: https://github.com/itlackey/akm#readme\n"));
-})();
-runMain(main);
+    // First-time-user breadcrumb: when run with no subcommand AND no config
+    // exists yet AND stderr is a TTY, print a friendly pointer to `akm setup`
+    // above citty's auto-generated usage block. Triggers only when stdin/stderr
+    // are interactive (so JSON-output users / CI consumers see nothing extra)
+    // and stays silent for any flag-only invocation citty would handle itself
+    // (--help, --version).
+    (function maybePrintFirstTimeBanner() {
+        const argv = process.argv.slice(2);
+        // Fire only on completely bare `akm` invocation. Any explicit flag or
+        // subcommand means the user knows what they want.
+        if (argv.length > 0)
+            return;
+        if (!process.stderr.isTTY)
+            return;
+        try {
+            if (fs.existsSync(getConfigPath()))
+                return;
+        }
+        catch {
+            // If we can't resolve the config path, assume non-fresh and stay silent.
+            return;
+        }
+        console.error(plainize("👋 First time with akm? Run `akm setup` to get started.\n   Docs: https://github.com/itlackey/akm#readme\n"));
+    })();
+    runMain(main);
+}
 // ── Hints (embedded AGENTS.md) ──────────────────────────────────────────────
 function loadHints(detail = "normal") {
     const filename = detail === "full" ? "AGENTS.full.md" : "AGENTS.md";

package/dist/commands/consolidate.js

@@ -22,7 +22,7 @@ import { detectTruncatedDescription } from "../core/text-truncation";
 export { hasSupersededStatus, validateProposalFrontmatter };
 import { warn } from "../core/warn";
 import { deleteAssetFromSource, resolveWriteTarget, writeAssetToSource } from "../core/write-source";
-import { closeDatabase, getAllEntries, openExistingDatabase } from "../indexer/db";
+import { closeDatabase, findEntryIdByRef, getAllEntries, getEntryById, getNeighborsByEntryId, openExistingDatabase, } from "../indexer/db";
 import { resolveImproveProcessRunnerFromProfile } from "../integrations/agent/runner";
 import { chatCompletion } from "../llm/client";
 import { cosineSimilarity, embedBatch } from "../llm/embedder";
@@ -239,12 +239,13 @@ export const DEFAULT_CONTEXT_LENGTH_TOKENS = 4_096;
  *
  * @param contextLength - Model context window in tokens.
  * @param bodyTruncation - Max chars per memory body included in the prompt.
+ * @param maxChunkSize - Optional override for the hardcoded cap of 50 (1–50).
  */
-export function computeSafeChunkSize(contextLength, bodyTruncation) {
+export function computeSafeChunkSize(contextLength, bodyTruncation, maxChunkSize) {
     const usableTokens = Math.max(contextLength - PROMPT_OVERHEAD_TOKENS, 0);
     const tokensPerMemory = Math.max(Math.ceil(bodyTruncation / CHARS_PER_TOKEN), 1);
     const raw = Math.floor(usableTokens / tokensPerMemory);
-    return Math.max(1, Math.min(50, raw));
+    return Math.max(1, Math.min(maxChunkSize ?? 50, raw));
 }
 // ── Similarity clustering (C-1 / #380) ──────────────────────────────────────
 /**
@@ -748,7 +749,7 @@ export async function akmConsolidate(opts = {}) {
     }
     const warnings = [];
     checkForIncompleteJournal(stashDir, opts.recoveryMode ?? "abort", warnings);
-    const memories = loadMemoriesForSource(opts.target, stashDir, warnings);
+    let memories = loadMemoriesForSource(opts.target, stashDir, warnings);
     if (memories.length === 0) {
         return {
             schemaVersion: 1,
@@ -766,6 +767,26 @@ export async function akmConsolidate(opts = {}) {
             durationMs: Date.now() - startMs,
         };
     }
+    if (opts.incrementalSince) {
+        memories = narrowToIncrementalCandidates(memories, opts.incrementalSince, warnings);
+        if (memories.length === 0) {
+            return {
+                schemaVersion: 1,
+                ok: true,
+                shape: "consolidate-result",
+                dryRun: opts.dryRun ?? false,
+                previewOnly: false,
+                target: opts.target ?? stashDir,
+                processed: 0,
+                merged: 0,
+                deleted: 0,
+                promoted: [],
+                contradicted: 0,
+                warnings,
+                durationMs: Date.now() - startMs,
+            };
+        }
+    }
     // Consolidation always uses the HTTP LLM client directly — never the agent
     // CLI. The agent CLI is for interactive agent sessions (reflect, propose);
     // structured JSON generation works better and faster via HTTP.
@@ -786,7 +807,7 @@ export async function akmConsolidate(opts = {}) {
     // per chunk instead.
     const bodyTruncation = 500;
     const modelContextLength = llmConfig?.contextLength ?? DEFAULT_CONTEXT_LENGTH_TOKENS;
-    const chunkSize = computeSafeChunkSize(modelContextLength, bodyTruncation);
+    const chunkSize = computeSafeChunkSize(modelContextLength, bodyTruncation, opts.maxChunkSize);
     // -- Phase A: plan generation -----------------------------------------------
     const sourceName = opts.target ?? stashDir;
     // C-1 / #380: Pre-cluster memories by embedding similarity before chunking.
@@ -870,7 +891,9 @@ export async function akmConsolidate(opts = {}) {
             const failureRate = totalChunksFailed / totalChunksProcessed;
             if (failureRate >= ABORT_FAILURE_RATE) {
                 const skipped = chunks.length - chunkIdx;
-                warnings.push(`Consolidation aborted — failure rate ${(failureRate * 100).toFixed(0)}% over ${totalChunksProcessed} chunks (>= ${ABORT_FAILURE_RATE * 100}% threshold). LLM may be unavailable. ${skipped} chunk(s) skipped.`);
+                const abortMsg = `Consolidation aborted — failure rate ${(failureRate * 100).toFixed(0)}% over ${totalChunksProcessed} chunks (>= ${ABORT_FAILURE_RATE * 100}% threshold). LLM may be unavailable. ${skipped} chunk(s) skipped.`;
+                warn(abortMsg);
+                warnings.push(abortMsg);
                 // Account for memories in chunks we never attempted: they are
                 // neither judgedNoAction (no plan parsed) nor skipReason (no op
                 // rejected). Without this, the accounting invariant fails by
@@ -896,7 +919,7 @@ export async function akmConsolidate(opts = {}) {
                 const content = await chatCompletion(llmConfig, [
                     { role: "system", content: CONSOLIDATE_SYSTEM_PROMPT },
                     { role: "user", content: userPrompt },
-                ], { responseSchema: CONSOLIDATE_PLAN_JSON_SCHEMA });
+                ], { responseSchema: CONSOLIDATE_PLAN_JSON_SCHEMA, enableThinking: false });
                 return { ok: true, content };
             }
             catch (e) {
@@ -904,6 +927,7 @@ export async function akmConsolidate(opts = {}) {
             }
         }, { ok: false, error: `chunk ${chunkIdx + 1} failed` });
         if (!raw.ok) {
+            warn(raw.error ?? `chunk ${chunkIdx + 1} failed`);
             warnings.push(raw.error ?? `chunk ${chunkIdx + 1} failed`);
             totalChunksProcessed++;
             totalChunksFailed++;
@@ -923,6 +947,7 @@ export async function akmConsolidate(opts = {}) {
             const hint = raw.content !== undefined && raw.content.trim() === ""
                 ? " (empty response — if using a thinking model, disable thinking mode)"
                 : "";
+            warn(`Chunk ${chunkIdx + 1}: invalid plan from AI — skipping.${hint}`);
             warnings.push(`Chunk ${chunkIdx + 1}: invalid plan from AI — skipping.${hint}`);
             totalChunksProcessed++;
             totalChunksFailed++;
@@ -1821,6 +1846,61 @@ export async function checkPreEmitDedup(opts) {
     }
     return { duplicate: false };
 }
+/**
+ * Incremental candidate set: {changed} ∪ {top-k persisted-vector neighbours of
+ * each changed memory}, intersected with the loaded pool. Returns [] when
+ * nothing changed (caller emits a no-op envelope), the full pool when
+ * everything changed or the index can't answer (fail-open to preserve merge
+ * correctness). `since` is an ISO timestamp.
+ */
+export function narrowToIncrementalCandidates(memories, since, warnings) {
+    const isChanged = (m) => {
+        try {
+            return fs.statSync(m.filePath).mtime.toISOString() > since;
+        }
+        catch {
+            return true; // never silently drop a memory we cannot stat
+        }
+    };
+    const changed = memories.filter(isChanged);
+    if (changed.length === 0)
+        return [];
+    if (changed.length === memories.length)
+        return memories;
+    const NEIGHBORS_PER_CHANGED = 5;
+    const byName = new Map(memories.map((m) => [m.name, m]));
+    const keep = new Set(changed.map((m) => m.name));
+    let db;
+    try {
+        db = openExistingDatabase();
+        for (const m of changed) {
+            const id = findEntryIdByRef(db, `memory:${m.name}`);
+            if (id === undefined)
+                continue;
+            for (const hit of getNeighborsByEntryId(db, id, NEIGHBORS_PER_CHANGED + 1)) {
+                if (hit.id === id)
+                    continue;
+                const entry = getEntryById(db, hit.id);
+                if (!entry)
+                    continue;
+                const name = entry.entry.name;
+                if (byName.has(name))
+                    keep.add(name); // only neighbours present in the loaded pool
+            }
+        }
+    }
+    catch {
+        warnings.push("Incremental consolidation: index unavailable — processing full pool.");
+        return memories;
+    }
+    finally {
+        if (db)
+            closeDatabase(db);
+    }
+    const candidates = memories.filter((m) => keep.has(m.name));
+    warnings.push(`Incremental consolidation: ${changed.length} changed + neighbours → ${candidates.length}/${memories.length} memories considered (since ${since}).`);
+    return candidates;
+}
 function loadMemoriesForSource(source, stashDir, warnings) {
     // Load from DB first
     let memories = [];
@@ -1925,7 +2005,9 @@ async function generateMergedContent(config, primaryRef, primaryBody, secondaryR
         if (!llmConfig)
             return { ok: false, error: "No LLM configured for consolidation" };
         try {
-            const content = await chatCompletion(llmConfig, [{ role: "user", content: prompt }]);
+            const content = await chatCompletion(llmConfig, [{ role: "user", content: prompt }], {
+                enableThinking: false,
+            });
             return { ok: true, content };
         }
         catch (e) {

package/dist/commands/health.js

@@ -479,6 +479,8 @@ function mergeImproveMetrics(dst, src) {
     dst.consolidation.totalChunks += src.consolidation.totalChunks;
     dst.consolidation.durationMs += src.consolidation.durationMs;
     dst.consolidation.judgedNoAction += src.consolidation.judgedNoAction;
+    dst.consolidation.mergedSecondaries += src.consolidation.mergedSecondaries;
+    dst.consolidation.failedChunkMemories += src.consolidation.failedChunkMemories;
     for (const [reason, count] of Object.entries(src.consolidation.skipReasons)) {
         dst.consolidation.skipReasons[reason] = (dst.consolidation.skipReasons[reason] ?? 0) + count;
     }
@@ -704,29 +706,6 @@ function computeWallTimeStats(durationsMs, byPhase) {
         byPhase: phase,
     };
 }
-/**
- * NOTE: this reads from task_history, which can produce a count that differs
- * by ±1 from improve_runs (the source for wallTime.byPhase). The discrepancy
- * occurs when a task_history row has no matching improve_runs record (task
- * crashed before recordImproveRun wrote) or vice versa (manual run). The
- * count mismatch is cosmetic — it does not affect median/p95 materially.
- * A full fix requires joining against improve_runs; tracked as a follow-up.
- */
-function collectImproveWallTimes(db, since, until) {
-    const sql = until
-        ? "SELECT started_at, completed_at FROM task_history WHERE task_id = 'akm-improve' AND started_at >= ? AND started_at < ? AND completed_at IS NOT NULL"
-        : "SELECT started_at, completed_at FROM task_history WHERE task_id = 'akm-improve' AND started_at >= ? AND completed_at IS NOT NULL";
-    const rows = (until ? db.prepare(sql).all(since, until) : db.prepare(sql).all(since));
-    const out = [];
-    for (const row of rows) {
-        const startMs = new Date(row.started_at).getTime();
-        const endMs = new Date(row.completed_at).getTime();
-        if (Number.isFinite(startMs) && Number.isFinite(endMs) && endMs >= startMs) {
-            out.push(endMs - startMs);
-        }
-    }
-    return out;
-}
 function buildImproveSkipSummary(events) {
     const skipReasons = {};
     for (const event of events) {
@@ -973,9 +952,12 @@ function buildWindowMetrics(db, stateDbPath, since, until) {
     const skipSummary = buildImproveSkipSummary(improveSkippedEvents);
     improveSummary.skipped = skipSummary.skipped;
     improveSummary.skipReasons = skipSummary.skipReasons;
-    // Preserve the per-phase aggregation computed by summarizeImproveRuns —
-    // computeWallTimeStats only refreshes the top-level wrapper stats.
-    improveSummary.wallTime = computeWallTimeStats(collectImproveWallTimes(db, since, until), improveSummary.wallTime.byPhase);
+    // Preserve the per-phase aggregation computed by summarizeImproveRuns and
+    // derive top-level wall times from the same improve-runs window so counts
+    // and percentiles stay aligned with per-run reporting.
+    const perRunSummaries = buildPerRunSummaries(db, since, until);
+    const wallTimes = perRunSummaries.map((run) => run.wallTimeMs).filter((ms) => Number.isFinite(ms) && ms > 0);
+    improveSummary.wallTime = computeWallTimeStats(wallTimes, improveSummary.wallTime.byPhase);
     const metrics = {
         taskFailRate: roundRate(taskFailRate),
         agentFailureRate: roundRate(agentFailureRate),
@@ -1114,7 +1096,9 @@ export function akmHealth(options = {}) {
         const skipSummary = buildImproveSkipSummary(improveSkippedEvents);
         improveSummary.skipped = skipSummary.skipped;
         improveSummary.skipReasons = skipSummary.skipReasons;
-        improveSummary.wallTime = computeWallTimeStats(collectImproveWallTimes(db, since), improveSummary.wallTime.byPhase);
+        const perRunSummaries = buildPerRunSummaries(db, since);
+        const wallTimes = perRunSummaries.map((run) => run.wallTimeMs).filter((ms) => Number.isFinite(ms) && ms > 0);
+        improveSummary.wallTime = computeWallTimeStats(wallTimes, improveSummary.wallTime.byPhase);
         let sessionLogEntries = [];
         try {
             const sinceDays = Math.max(0, Math.ceil((Date.now() - new Date(since).getTime()) / (24 * 60 * 60 * 1000)));

package/dist/commands/improve.js

@@ -1921,6 +1921,14 @@ async function runImprovePostLoopStage(args) {
             config: consolidationConfig,
             stashDir: options.stashDir,
             autoTriggered: volumeTriggered,
+            // Incremental consolidation: in steady state (not bootstrap, not volume-
+            // triggered) pass the last-consolidation timestamp so akmConsolidate skips
+            // chunks with no memory changed since then. Converts consolidation cost
+            // from O(pool) to O(changed clusters) — the fix for the rising p95 tail
+            // where full-pool re-judging produced 5–10 min runs that promoted ~0.
+            // undefined → full pass (bootstrap, or volume-triggered large-pool sweep).
+            incrementalSince: volumeTriggered ? undefined : lastConsolidateTs,
+            maxChunkSize: improveProfile?.processes?.consolidate?.maxChunkSize,
             // Honor profile.autoAccept (already merged into options.autoAccept at the
             // top of akmImprove). The CLI parser always supplies 90 when --auto-accept
             // is absent, so ?? 90 is not needed here and would prevent --auto-accept=false