brainclaw 1.7.5 → 1.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (143) hide show
  1. package/README.md +28 -11
  2. package/dist/brainclaw-vscode.vsix +0 -0
  3. package/dist/cli.js +139 -13
  4. package/dist/commands/add-step.js +1 -1
  5. package/dist/commands/bootstrap.js +2 -26
  6. package/dist/commands/check-security-mcp.js +50 -33
  7. package/dist/commands/check-security.js +86 -43
  8. package/dist/commands/claim.js +22 -21
  9. package/dist/commands/confirm.js +26 -0
  10. package/dist/commands/context-diff.js +1 -1
  11. package/dist/commands/dispatch-watch.js +142 -0
  12. package/dist/commands/doctor.js +113 -2
  13. package/dist/commands/estimation-report.js +115 -16
  14. package/dist/commands/harvest.js +502 -16
  15. package/dist/commands/init.js +123 -21
  16. package/dist/commands/loops-handlers.js +4 -0
  17. package/dist/commands/mcp-read-handlers.js +198 -29
  18. package/dist/commands/mcp.js +615 -92
  19. package/dist/commands/memory.js +21 -17
  20. package/dist/commands/migrate.js +81 -17
  21. package/dist/commands/prune.js +78 -4
  22. package/dist/commands/reflect.js +26 -20
  23. package/dist/commands/register-agent.js +57 -1
  24. package/dist/commands/repair.js +20 -0
  25. package/dist/commands/session-end.js +15 -6
  26. package/dist/commands/session-start.js +18 -1
  27. package/dist/commands/setup-security.js +39 -18
  28. package/dist/commands/setup.js +26 -27
  29. package/dist/commands/stale.js +16 -2
  30. package/dist/commands/uninstall.js +126 -34
  31. package/dist/commands/update-step.js +6 -0
  32. package/dist/commands/worktree.js +60 -0
  33. package/dist/core/actions.js +12 -3
  34. package/dist/core/agent-capability.js +11 -13
  35. package/dist/core/agent-files.js +844 -547
  36. package/dist/core/agent-integrations.js +0 -3
  37. package/dist/core/agent-inventory.js +67 -0
  38. package/dist/core/agent-registry.js +163 -29
  39. package/dist/core/agentrun-reconciler.js +33 -2
  40. package/dist/core/agentruns.js +7 -1
  41. package/dist/core/ai-agent-detection.js +31 -44
  42. package/dist/core/archival.js +15 -9
  43. package/dist/core/assignment-reconciler.js +56 -0
  44. package/dist/core/assignment-sweeper.js +127 -4
  45. package/dist/core/assignments.js +69 -11
  46. package/dist/core/bootstrap.js +233 -67
  47. package/dist/core/brainclaw-version.js +22 -0
  48. package/dist/core/candidates.js +21 -1
  49. package/dist/core/claims.js +313 -150
  50. package/dist/core/config.js +6 -1
  51. package/dist/core/context-diff.js +148 -20
  52. package/dist/core/context.js +129 -8
  53. package/dist/core/coordination.js +22 -3
  54. package/dist/core/dispatch-status.js +109 -5
  55. package/dist/core/dispatcher.js +65 -11
  56. package/dist/core/entity-operations.js +45 -24
  57. package/dist/core/entity-registry.js +31 -5
  58. package/dist/core/event-log.js +138 -21
  59. package/dist/core/events/checkpoint.js +258 -0
  60. package/dist/core/events/genesis.js +220 -0
  61. package/dist/core/events/journal.js +507 -0
  62. package/dist/core/events/materialize.js +126 -0
  63. package/dist/core/events/registry-post-image.js +110 -0
  64. package/dist/core/events/verify.js +109 -0
  65. package/dist/core/execution-adapters.js +23 -0
  66. package/dist/core/execution.js +25 -0
  67. package/dist/core/facade-schema.js +48 -0
  68. package/dist/core/gc-semantic.js +130 -5
  69. package/dist/core/handoff-snapshot.js +68 -0
  70. package/dist/core/ids.js +19 -8
  71. package/dist/core/instruction-templates.js +34 -115
  72. package/dist/core/io.js +39 -3
  73. package/dist/core/json-store.js +10 -1
  74. package/dist/core/lock.js +153 -28
  75. package/dist/core/loops/bootstrap-acquire.js +25 -1
  76. package/dist/core/loops/facade-schema.js +2 -0
  77. package/dist/core/loops/hooks/survey-signals-baseline.js +36 -0
  78. package/dist/core/loops/index.js +1 -0
  79. package/dist/core/loops/presets/bootstrap.js +7 -0
  80. package/dist/core/loops/store.js +17 -0
  81. package/dist/core/loops/verbs.js +24 -1
  82. package/dist/core/markdown.js +8 -76
  83. package/dist/core/mcp-command-resolution.js +245 -0
  84. package/dist/core/memory-compactor.js +5 -3
  85. package/dist/core/memory-lifecycle.js +282 -0
  86. package/dist/core/merge-risk.js +150 -0
  87. package/dist/core/messaging.js +8 -1
  88. package/dist/core/migration.js +11 -1
  89. package/dist/core/observer-mode.js +26 -0
  90. package/dist/core/operations/memory-mutation.js +90 -65
  91. package/dist/core/operations/plan.js +27 -1
  92. package/dist/core/protocol-skills.js +210 -0
  93. package/dist/core/reflection-safety.js +6 -7
  94. package/dist/core/reputation.js +84 -2
  95. package/dist/core/runtime-signals.js +71 -9
  96. package/dist/core/runtime.js +84 -1
  97. package/dist/core/schema.js +125 -0
  98. package/dist/core/security-detectors.js +125 -0
  99. package/dist/core/security-extract.js +189 -0
  100. package/dist/core/security-guard.js +107 -29
  101. package/dist/core/security-packages.js +121 -0
  102. package/dist/core/security-scoring.js +76 -9
  103. package/dist/core/security.js +34 -2
  104. package/dist/core/sequence.js +11 -2
  105. package/dist/core/setup-flow.js +141 -13
  106. package/dist/core/spawn-check.js +110 -4
  107. package/dist/core/staleness.js +109 -1
  108. package/dist/core/state.js +250 -54
  109. package/dist/core/store-resolution.js +19 -5
  110. package/dist/core/worktree.js +169 -7
  111. package/dist/facts.js +8 -8
  112. package/dist/facts.json +7 -7
  113. package/docs/PROTOCOL.md +223 -0
  114. package/docs/cli.md +11 -10
  115. package/docs/concepts/coordinator-runbook.md +129 -0
  116. package/docs/concepts/dispatch-lifecycle.md +17 -0
  117. package/docs/concepts/event-log-store-critique-A.md +333 -0
  118. package/docs/concepts/event-log-store-critique-B.md +353 -0
  119. package/docs/concepts/event-log-store-phase0-measurements.md +58 -0
  120. package/docs/concepts/event-log-store-proposal-A.md +365 -0
  121. package/docs/concepts/event-log-store-proposal-B.md +404 -0
  122. package/docs/concepts/event-log-store.md +928 -0
  123. package/docs/concepts/identity-model-proposal.md +371 -0
  124. package/docs/concepts/memory.md +5 -4
  125. package/docs/concepts/observer-protocol.md +361 -0
  126. package/docs/concepts/parallel-merge-protocol.md +71 -0
  127. package/docs/concepts/plans-and-claims.md +43 -0
  128. package/docs/concepts/skills.md +78 -0
  129. package/docs/concepts/workspace-bootstrapping.md +61 -0
  130. package/docs/integrations/agents.md +4 -4
  131. package/docs/integrations/cline.md +10 -11
  132. package/docs/integrations/codex.md +2 -2
  133. package/docs/integrations/continue.md +5 -5
  134. package/docs/integrations/copilot.md +14 -12
  135. package/docs/integrations/openclaw.md +7 -6
  136. package/docs/integrations/overview.md +7 -7
  137. package/docs/integrations/roo.md +3 -3
  138. package/docs/integrations/windsurf.md +6 -6
  139. package/docs/mcp-schema-changelog.md +51 -20
  140. package/docs/quickstart.md +48 -47
  141. package/docs/security.md +174 -15
  142. package/docs/storage.md +4 -2
  143. package/package.json +8 -6
@@ -1,11 +1,13 @@
1
1
  import fs from 'node:fs';
2
2
  import path from 'node:path';
3
3
  import { ConstraintSchema, DecisionSchema, TrapSchema, HandoffSchema, PlanItemSchema } from './schema.js';
4
- import { ensureMemoryDir, resolveEntityDir } from './io.js';
4
+ import { ensureMemoryDir, resolveEntityDir, writeFileAtomic } from './io.js';
5
5
  import { mutate } from './mutation-pipeline.js';
6
6
  import { commitMemoryChange } from './memory-git.js';
7
7
  import { appendEvent } from './event-log.js';
8
- import { loadVersionedJsonFile, saveVersionedJsonFile } from './migration.js';
8
+ import { appendJournalRecords, resolveJournalMode, resolveCheckpointRead } from './events/journal.js';
9
+ import { materializeStateFromCheckpoint } from './events/checkpoint.js';
10
+ import { loadVersionedJsonFile, serializeVersionedJson, preparePersistedDocument } from './migration.js';
9
11
  import { rebuildProjectMd } from './markdown.js';
10
12
  import { refreshLiveCompanions } from '../commands/export.js';
11
13
  import { logger } from './logger.js';
@@ -102,6 +104,24 @@ export function findLoadValidationWarning(entity, id, cwd) {
102
104
  export function loadState(cwd) {
103
105
  // Load from entity-aligned directories (with legacy fallback)
104
106
  const effectiveCwd = cwd ?? process.cwd();
107
+ // pln#566 Inc0 s2 — checkpointRead fast path. OFF by default (dual/off mode):
108
+ // projection files remain the read substrate. When the capability is enabled
109
+ // (primary soak) AND a verified journal-derived checkpoint exists, serve from
110
+ // checkpoint + sealed tail instead of reading every projection file. ANY
111
+ // failure (no checkpoint, failed verification, replay error) falls through to
112
+ // the projection read below — the checkpoint is never the sole truth.
113
+ if (resolveCheckpointRead(effectiveCwd)) {
114
+ try {
115
+ const fast = materializeStateFromCheckpoint(effectiveCwd);
116
+ // Merge over emptyState so the served State carries the same envelope
117
+ // fields (version/write_version) a projection read produces; the
118
+ // checkpoint only materializes the 5 entity collections. Already sorted
119
+ // by projectLiveToState.
120
+ if (fast)
121
+ return { ...emptyState(), ...fast };
122
+ }
123
+ catch { /* fall through to projection read */ }
124
+ }
105
125
  const state = emptyState();
106
126
  state.active_constraints = loadDirectoryItems(resolveEntityDir('constraints', effectiveCwd, 'read'), ConstraintSchema, 'constraint');
107
127
  state.recent_decisions = loadDirectoryItems(resolveEntityDir('decisions', effectiveCwd, 'read'), DecisionSchema, 'decision');
@@ -116,72 +136,189 @@ export function loadState(cwd) {
116
136
  state.plan_items.sort((a, b) => a.created_at.localeCompare(b.created_at));
117
137
  return state;
118
138
  }
119
- function syncDirectory(dirPath, items, documentType, schema) {
120
- if (!fs.existsSync(dirPath)) {
121
- fs.mkdirSync(dirPath, { recursive: true });
139
+ const persistWriteStats = { written: 0, skippedUnchanged: 0 };
140
+ export function readPersistWriteStats() {
141
+ return { ...persistWriteStats };
142
+ }
143
+ export function resetPersistWriteStats() {
144
+ persistWriteStats.written = 0;
145
+ persistWriteStats.skippedUnchanged = 0;
146
+ }
147
+ /**
148
+ * Order-insensitive canonical form of a JSON document, for the dirty-tracking
149
+ * skip compare. Recursively sorts object keys; returns the raw input on parse
150
+ * failure so corrupt/non-JSON bytes never compare equal to a valid desired doc.
151
+ */
152
+ function canonicalJson(raw) {
153
+ const sortKeys = (value) => {
154
+ if (Array.isArray(value))
155
+ return value.map(sortKeys);
156
+ if (value && typeof value === 'object') {
157
+ return Object.fromEntries(Object.entries(value)
158
+ .sort(([a], [b]) => a.localeCompare(b))
159
+ .map(([k, v]) => [k, sortKeys(v)]));
160
+ }
161
+ return value;
162
+ };
163
+ try {
164
+ return JSON.stringify(sortKeys(JSON.parse(raw)));
165
+ }
166
+ catch {
167
+ return raw; // unparseable → never equals a canonical desired doc
122
168
  }
123
- // Write all current items
169
+ }
170
+ /**
171
+ * Pure planning pass: compute which projection files WOULD change, without
172
+ * writing anything. Same dirty-tracking + canonical-compare + parseable-guard
173
+ * logic as the old syncDirectory; only the IO is deferred to applySyncPlan.
174
+ */
175
+ function planSyncDirectory(dirPath, items, documentType, schema, deleteMissing) {
176
+ const plan = { dirPath, writes: [], deletes: [] };
177
+ // Write only the items whose on-disk bytes would change (dirty-tracking,
178
+ // pln#543 step 3). The comparison uses the writer's own serializer so a
179
+ // "skip" can never diverge from what saveVersionedJsonFile would produce.
180
+ // Safe against trp#126: a missing/byte-different file never matches, so an
181
+ // in-state entity whose projection is absent/corrupt is always rewritten.
124
182
  const currentIds = new Set();
125
183
  for (const item of items) {
126
184
  currentIds.add(item.id);
127
185
  const filepath = path.join(dirPath, `${item.id}.json`);
128
- saveVersionedJsonFile(documentType, filepath, item);
129
- }
130
- // Remove files that are no longer in the state (e.g. if deleted/pruned).
131
- // CRITICAL: we must distinguish "file dropped from state intentionally" from
132
- // "file silently dropped by loadDirectoryItems because its schema.parse threw".
133
- // Deleting the second kind corrupts data (see trap: silent-data-loss via
134
- // load-swallow + write-sync-GC). So before unlinking, we re-validate the file
135
- // against the schema. Parseable + not in state = intentional remove → unlink.
136
- // Unparseable = preserved, operator can inspect/repair.
137
- const files = fs.readdirSync(dirPath).filter(f => f.endsWith('.json'));
186
+ const desired = serializeVersionedJson(documentType, item);
187
+ let existing;
188
+ try {
189
+ existing = fs.readFileSync(filepath, 'utf-8');
190
+ }
191
+ catch {
192
+ existing = undefined; // missing/unreadable write
193
+ }
194
+ // Semantic (canonical, sorted-key) compare, not byte compare: loadState
195
+ // re-parses through zod which can reorder keys; a byte compare would
196
+ // rewrite the whole store every persist. Unparseable bytes never match
197
+ // → rewrite (keeps trp#126 safety).
198
+ if (existing !== undefined && canonicalJson(existing) === canonicalJson(desired)) {
199
+ persistWriteStats.skippedUnchanged += 1;
200
+ continue;
201
+ }
202
+ plan.writes.push({ filepath, desired, item, created: existing === undefined });
203
+ }
204
+ if (!deleteMissing)
205
+ return plan;
206
+ // Plan removals of files no longer in state. CRITICAL: distinguish an
207
+ // intentional drop from a file silently dropped by loadDirectoryItems on a
208
+ // schema.parse throw (deleting the second kind corrupts data — trp#126). Only
209
+ // parseable + not-in-state files are unlinked; unparseable are preserved.
210
+ const files = fs.existsSync(dirPath)
211
+ ? fs.readdirSync(dirPath).filter(f => f.endsWith('.json'))
212
+ : [];
138
213
  for (const file of files) {
139
214
  const id = file.replace('.json', '');
140
215
  if (currentIds.has(id))
141
216
  continue;
142
217
  const filepath = path.join(dirPath, file);
143
- let parseable = false;
144
218
  try {
145
219
  schema.parse(loadVersionedJsonFile(documentType, filepath).document);
146
- parseable = true;
147
220
  }
148
221
  catch {
149
222
  // Already logged by loadDirectoryItems — leave the file in place.
223
+ continue;
150
224
  }
151
- if (parseable) {
152
- fs.unlinkSync(filepath);
153
- }
225
+ plan.deletes.push({ filepath, id });
226
+ }
227
+ return plan;
228
+ }
229
+ /** Apply a planned sync: the actual projection-file writes/unlinks (the IO that
230
+ * must happen AFTER the journal append+fsync). Returns the dirty result. */
231
+ function applySyncPlan(plan) {
232
+ const result = { written: [], deleted: [] };
233
+ // Create the entity dir unconditionally (matches the pre-split syncDirectory,
234
+ // which always ensured the dir even for an empty/unchanged collection).
235
+ if (!fs.existsSync(plan.dirPath)) {
236
+ fs.mkdirSync(plan.dirPath, { recursive: true });
237
+ }
238
+ for (const { filepath, desired, item, created } of plan.writes) {
239
+ writeFileAtomic(filepath, desired);
240
+ persistWriteStats.written += 1;
241
+ result.written.push({ item, created });
154
242
  }
243
+ for (const { filepath, id } of plan.deletes) {
244
+ fs.unlinkSync(filepath);
245
+ result.deleted.push(id);
246
+ }
247
+ return result;
155
248
  }
156
249
  export function saveState(state, cwd) {
157
250
  persistState(state, cwd, { writeProjectMarkdown: false });
158
251
  }
159
252
  function persistStateUnlocked(state, cwd, options = {}) {
160
- writeStateDirectories(state, cwd);
253
+ ensureMemoryDir(cwd);
254
+ const effectiveCwd = cwd ?? process.cwd();
255
+ // pln#566 F1 — JOURNAL BEFORE PROJECTIONS (invariant I2). Persist now runs in
256
+ // three ordered phases so the journal can never lag the projections: a crash
257
+ // mid-persist leaves the journal AHEAD (the only direction lazy-reconcile can
258
+ // recover), never projections ahead (which materialize/verify could not
259
+ // explain). Phase 1 PLAN (pure compute, no IO) → Phase 2 emit+fsync the
260
+ // per-entity post-images to the journal → Phase 3 APPLY projection writes.
261
+ const { plans, legacyDeletes, dirty } = planStateDirectories(state, effectiveCwd, options.deleteMissing ?? false);
262
+ emitPerEntityJournalRecords(dirty, options.eventAction, effectiveCwd);
263
+ faultPoint('after_journal'); // test-only: crash AFTER journal, BEFORE projections
264
+ applyStatePlans(plans, legacyDeletes);
265
+ faultPoint('after_projection'); // test-only: crash AFTER projections written
161
266
  if (options.writeProjectMarkdown ?? true) {
162
- rebuildProjectMd(state, cwd);
267
+ rebuildProjectMd(state, effectiveCwd);
163
268
  }
269
+ // v1 events.jsonl: keep the coarse store event for existing consumers, but
270
+ // suppress its envelope-only journal dual-write — the v2 per-entity emit
271
+ // above is the authoritative §2.8 diff choke point.
164
272
  appendEvent({
165
273
  action: options.eventAction ?? 'update',
166
274
  item_type: 'state',
167
275
  agent: 'system',
168
276
  summary: options.eventSummary,
169
- }, cwd);
170
- commitMemoryChange(options.commitMessage ?? 'state update', cwd);
171
- // Auto-refresh live companion files (Tier B/C agents) after state mutations.
172
- // Non-fatal: failures are logged but don't break the mutation.
277
+ }, effectiveCwd, { journalDualWrite: false });
278
+ // NOTE (pln#558 step 2): the git commit and refreshLiveCompanions used to
279
+ // run here, INSIDE the mutation lock. A single persistState was holding
280
+ // the lock for >5s on Juan's machine (full-store rewrite + git add -A +
281
+ // git commit + live-companion refresh), which serialized every other
282
+ // writer. They are now invoked by persistState / mutateState AFTER the
283
+ // lock releases — see runPostWriteHooks below. The critical section is
284
+ // now writes-only; commit / companion-refresh are best-effort observers.
285
+ }
286
+ function runPostWriteHooks(cwd, commitMessage) {
287
+ // git add + git commit. Safe outside the lock because (a) git itself
288
+ // serializes concurrent index access via .git/index.lock, (b) the
289
+ // implementation already swallows failures (see memory-git.ts), and
290
+ // (c) the commit is an audit trail, not the data itself.
291
+ try {
292
+ commitMemoryChange(commitMessage, cwd);
293
+ }
294
+ catch { /* best-effort */ }
295
+ // Live companion files (Tier B/C agent surfaces). Already best-effort.
173
296
  try {
174
297
  refreshLiveCompanions(cwd);
175
298
  }
176
299
  catch { /* best-effort */ }
177
300
  }
178
- function cleanupLegacyDir(entityName, currentIds, cwd, documentType, schema) {
301
+ /**
302
+ * Test-only crash injection (pln#566 F1). No-op unless BRAINCLAW_FAULT_POINT
303
+ * matches the label — then it throws, simulating a process death at that exact
304
+ * point in the persist pipeline so crash-ordering invariants can be tested
305
+ * deterministically without racing a real SIGKILL.
306
+ */
307
+ function faultPoint(label) {
308
+ if (process.env.BRAINCLAW_FAULT_POINT === label) {
309
+ throw new Error(`fault-injection: crashed at "${label}" (BRAINCLAW_FAULT_POINT)`);
310
+ }
311
+ }
312
+ /**
313
+ * Plan (do not apply) the removal of legacy-dir orphans. Read-only: matches
314
+ * syncDirectory's safety condition (only parseable records absent from state
315
+ * are deletable; unparseable are preserved for inspection/repair). The actual
316
+ * unlink is deferred to applyStatePlans so it lands AFTER the journal append.
317
+ */
318
+ function planCleanupLegacyDir(entityName, currentIds, cwd, documentType, schema) {
319
+ const out = [];
179
320
  const writeDir = resolveEntityDir(entityName, cwd, 'write');
180
321
  const readDir = resolveEntityDir(entityName, cwd, 'read');
181
- // If read resolves to a different (legacy) directory, clean orphans there too.
182
- // Match syncDirectory's safety condition: only delete parseable records that
183
- // are absent from the current state. Schema-invalid legacy files may be drifted
184
- // data that operators still need to inspect or repair.
185
322
  if (readDir !== writeDir && fs.existsSync(readDir)) {
186
323
  const files = fs.readdirSync(readDir).filter(f => f.endsWith('.json'));
187
324
  for (const file of files) {
@@ -189,51 +326,110 @@ function cleanupLegacyDir(entityName, currentIds, cwd, documentType, schema) {
189
326
  if (currentIds.has(id))
190
327
  continue;
191
328
  const filepath = path.join(readDir, file);
192
- let parseable = false;
193
329
  try {
194
330
  schema.parse(loadVersionedJsonFile(documentType, filepath).document);
195
- parseable = true;
196
331
  }
197
332
  catch {
198
333
  logger.warn(`Preserving unparseable legacy ${entityName} file ${file}`);
199
334
  continue;
200
335
  }
201
- if (parseable) {
202
- fs.unlinkSync(filepath);
203
- }
336
+ out.push({ filepath, id }); // O3: surfaced so a delete tombstone is emitted
204
337
  }
205
338
  }
339
+ return out;
206
340
  }
207
- function writeStateDirectories(state, cwd) {
208
- ensureMemoryDir(cwd);
209
- const effectiveCwd = cwd ?? process.cwd();
341
+ /**
342
+ * Phase 1 of persist: compute every projection change WITHOUT writing. The
343
+ * returned `dirty` (post-images + tombstone ids) lets the journal be emitted +
344
+ * fsync'd before applyStatePlans touches any file (pln#566 F1 / I2).
345
+ */
346
+ function planStateDirectories(state, cwd, deleteMissing) {
210
347
  const entities = [
211
- { name: 'constraints', items: state.active_constraints, docType: 'constraint', schema: ConstraintSchema },
212
- { name: 'decisions', items: state.recent_decisions, docType: 'decision', schema: DecisionSchema },
213
- { name: 'traps', items: state.known_traps, docType: 'trap', schema: TrapSchema },
214
- { name: 'handoffs', items: state.open_handoffs, docType: 'handoff', schema: HandoffSchema },
215
- { name: 'plans', items: state.plan_items, docType: 'plan', schema: PlanItemSchema },
348
+ { name: 'constraints', itemType: 'constraint', items: state.active_constraints, docType: 'constraint', schema: ConstraintSchema },
349
+ { name: 'decisions', itemType: 'decision', items: state.recent_decisions, docType: 'decision', schema: DecisionSchema },
350
+ { name: 'traps', itemType: 'trap', items: state.known_traps, docType: 'trap', schema: TrapSchema },
351
+ { name: 'handoffs', itemType: 'handoff', items: state.open_handoffs, docType: 'handoff', schema: HandoffSchema },
352
+ { name: 'plans', itemType: 'plan', items: state.plan_items, docType: 'plan', schema: PlanItemSchema },
216
353
  ];
217
- for (const { name, items, docType, schema } of entities) {
218
- const writeDir = resolveEntityDir(name, effectiveCwd, 'write');
219
- syncDirectory(writeDir, items, docType, schema);
220
- const currentIds = new Set(items.map(item => item.id));
221
- cleanupLegacyDir(name, currentIds, effectiveCwd, docType, schema);
354
+ const plans = [];
355
+ const legacyDeletes = [];
356
+ const dirty = [];
357
+ for (const { name, itemType, items, docType, schema } of entities) {
358
+ const writeDir = resolveEntityDir(name, cwd, 'write');
359
+ const plan = planSyncDirectory(writeDir, items, docType, schema, deleteMissing);
360
+ plans.push(plan);
361
+ const deleted = plan.deletes.map(d => d.id);
362
+ if (deleteMissing) {
363
+ // O3: legacy-dir orphans must also emit a delete tombstone.
364
+ const legacy = planCleanupLegacyDir(name, new Set(items.map(i => i.id)), cwd, docType, schema);
365
+ for (const l of legacy) {
366
+ legacyDeletes.push(l);
367
+ deleted.push(l.id);
368
+ }
369
+ }
370
+ dirty.push({ itemType, written: plan.writes.map(w => ({ item: w.item, created: w.created })), deleted });
371
+ }
372
+ return { plans, legacyDeletes, dirty };
373
+ }
374
+ /** Phase 3 of persist: apply the planned projection writes/unlinks (the IO that
375
+ * must follow the journal append+fsync). */
376
+ function applyStatePlans(plans, legacyDeletes) {
377
+ for (const plan of plans)
378
+ applySyncPlan(plan);
379
+ for (const { filepath } of legacyDeletes) {
380
+ try {
381
+ fs.unlinkSync(filepath);
382
+ }
383
+ catch { /* already gone — idempotent */ }
384
+ }
385
+ }
386
+ /**
387
+ * Emit one journal record per dirty entity with its full post-image
388
+ * (entity-state class, §2.1.1 / §2.8): the persist path is where the store's
389
+ * source-of-truth events are minted, because only it holds the entity docs.
390
+ * No-op when the journal flag is off. Failures are swallowed inside
391
+ * appendJournalRecords (dual mode: v1 projections remain the truth).
392
+ */
393
+ function emitPerEntityJournalRecords(dirty, storeAction, cwd) {
394
+ if (resolveJournalMode(cwd) === 'off')
395
+ return;
396
+ const records = [];
397
+ for (const { itemType, written, deleted } of dirty) {
398
+ for (const { item, created } of written) {
399
+ // Post-image = the prepared document (with schema_version), so the
400
+ // journal record is byte-faithful to the projection: materialize can
401
+ // reconstruct an identical file, and verify compares like-for-like.
402
+ records.push({
403
+ action: storeAction && storeAction !== 'update' ? storeAction : (created ? 'create' : 'update'),
404
+ item_type: itemType,
405
+ item_id: item.id,
406
+ agent: 'system',
407
+ payload: preparePersistedDocument(itemType, item),
408
+ });
409
+ }
410
+ for (const id of deleted) {
411
+ records.push({ action: 'delete', item_type: itemType, item_id: id, agent: 'system' });
412
+ }
222
413
  }
414
+ if (records.length > 0)
415
+ appendJournalRecords(records, cwd);
223
416
  }
224
417
  export function persistState(state, cwd, options = {}) {
225
418
  const effectiveCwd = cwd ?? process.cwd();
226
419
  mutate({ cwd: effectiveCwd }, () => {
227
420
  persistStateUnlocked(state, effectiveCwd, options);
228
421
  });
422
+ runPostWriteHooks(effectiveCwd, options.commitMessage ?? 'state update');
229
423
  }
230
424
  export function mutateState(mutateFn, cwd, options = {}) {
231
425
  const effectiveCwd = cwd ?? process.cwd();
232
- return mutate({ cwd: effectiveCwd }, () => {
426
+ const result = mutate({ cwd: effectiveCwd }, () => {
233
427
  const state = loadState(effectiveCwd);
234
- const result = mutateFn(state);
235
- persistStateUnlocked(state, effectiveCwd, options);
236
- return result;
428
+ const value = mutateFn(state);
429
+ persistStateUnlocked(state, effectiveCwd, { ...options, deleteMissing: true });
430
+ return value;
237
431
  });
432
+ runPostWriteHooks(effectiveCwd, options.commitMessage ?? 'state update');
433
+ return result;
238
434
  }
239
435
  //# sourceMappingURL=state.js.map
@@ -166,12 +166,24 @@ export function resolveProjectRef(ref, cwd = process.cwd(), storeChainOptions) {
166
166
  ?? resolveWorkspaceRoot(cwd, storeChainOptions);
167
167
  if (!wsRoot)
168
168
  return undefined;
169
- // Try as absolute path
169
+ // The trust boundary for raw path refs is the provided cwd. Callers in
170
+ // MCP context set cwd to the workspace root, so child projects resolve
171
+ // naturally. Walking further up (to a user-level store at home) would
172
+ // allow path-injection to sibling or home stores — that is the vulnerability
173
+ // we are closing. Name-based lookup below is unrestricted since it matches
174
+ // by project_name / project_id, not by arbitrary path.
175
+ const trustBoundary = path.resolve(cwd);
176
+ // Try as absolute path — only allowed if within the cwd boundary.
170
177
  if (path.isAbsolute(ref)) {
178
+ if (!isAtOrBelow(ref, trustBoundary))
179
+ return undefined;
171
180
  return fs.existsSync(path.join(ref, MEMORY_DIR, 'config.yaml')) ? ref : undefined;
172
181
  }
173
- // Try as relative path from workspace root
174
- const asPath = path.resolve(wsRoot, ref);
182
+ // Try as relative path resolved from the cwd boundary.
183
+ // Guards against ../ traversal (e.g. "../sibling-project").
184
+ const asPath = path.resolve(trustBoundary, ref);
185
+ if (!isAtOrBelow(asPath, trustBoundary))
186
+ return undefined;
175
187
  if (fs.existsSync(path.join(asPath, MEMORY_DIR, 'config.yaml'))) {
176
188
  return asPath;
177
189
  }
@@ -315,8 +327,10 @@ function findClosestStoreBelow(target, ceiling) {
315
327
  */
316
328
  function isAtOrBelow(dir, ancestor) {
317
329
  const rel = path.relative(ancestor, dir);
318
- // If relative path starts with '..', dir is above ancestor
319
- return !rel.startsWith('..');
330
+ // '..' prefix → dir is above ancestor. An absolute result means a different
331
+ // Windows drive (path.relative returns the absolute `to` path then), which is
332
+ // also outside the boundary — without this check `D:\evil` would pass.
333
+ return !rel.startsWith('..') && !path.isAbsolute(rel);
320
334
  }
321
335
  function resolveAbsoluteTargetPath(cwd, target) {
322
336
  if (path.isAbsolute(target)) {
@@ -10,6 +10,30 @@ import { parsePorcelainZ, isSystemDirtyPath } from './dirty-scope.js';
10
10
  function gitPath(p) {
11
11
  return p.replace(/\\/g, '/');
12
12
  }
13
+ /**
14
+ * can_45316d5c — sanitize a scope-derived slug into a valid git branch
15
+ * component (`git check-ref-format` rules). Scopes like `.github/workflows`
16
+ * produced `feat/.github-workflows`, which git rejects (component starting
17
+ * with a dot), failing the whole worktree creation.
18
+ *
19
+ * Rules covered: no leading dots/dashes, no trailing dots, no `..`, no
20
+ * `@{`, no control/space/`~^:?*[\\` characters, no trailing `.lock`.
21
+ */
22
+ export function sanitizeBranchComponent(raw, fallback = 'scope') {
23
+ let slug = raw
24
+ .replace(/[\s~^:?*[\]\\]/g, '-') // chars forbidden by check-ref-format
25
+ .replace(/@\{/g, '-') // reflog syntax
26
+ .replace(/\.\.+/g, '.') // no double dots
27
+ .replace(/[^a-zA-Z0-9._-]/g, '-') // conservative whitelist for the rest
28
+ .replace(/-+/g, '-') // collapse dashes
29
+ .replace(/^[.-]+/, '') // no leading dot/dash
30
+ .replace(/[.-]+$/, ''); // no trailing dot/dash
31
+ if (/\.lock$/i.test(slug))
32
+ slug = slug.slice(0, -'.lock'.length);
33
+ if (!slug)
34
+ slug = fallback;
35
+ return slug.slice(0, 48);
36
+ }
13
37
  /**
14
38
  * Stack marker → shared directories mapping.
15
39
  * Maven/Gradle/Cargo intentionally excluded — their dep caches live
@@ -138,7 +162,15 @@ function canonicalizeScopePath(target) {
138
162
  * project even when two projects share the same repo name.
139
163
  */
140
164
  export function worktreesBaseDir(mainWorktreePath) {
141
- const hash = crypto.createHash('sha1').update(mainWorktreePath).digest('hex').slice(0, 12);
165
+ let stablePath = path.resolve(mainWorktreePath);
166
+ try {
167
+ stablePath = fs.realpathSync.native(stablePath);
168
+ }
169
+ catch { /* path may not exist yet; path.resolve is still deterministic */ }
170
+ if (process.platform === 'win32' || /^[a-zA-Z]:[\\/]/.test(mainWorktreePath)) {
171
+ stablePath = stablePath.toLowerCase();
172
+ }
173
+ const hash = crypto.createHash('sha1').update(stablePath).digest('hex').slice(0, 12);
142
174
  return path.join(os.homedir(), '.brainclaw', 'worktrees', hash);
143
175
  }
144
176
  /**
@@ -176,6 +208,104 @@ export function hasGitLock(cwd) {
176
208
  const lockPath = path.join(gitDir.stdout.trim(), 'index.lock');
177
209
  return fs.existsSync(lockPath);
178
210
  }
211
+ /**
212
+ * True when `worktreePath` is a LINKED git worktree (created by `git worktree
213
+ * add`), NOT the main repository. The key invariant for pln#534's commit-on-
214
+ * behalf: brainclaw must NEVER commit into the integration repo, only into the
215
+ * isolated worktree it dispatched.
216
+ *
217
+ * Detection uses the canonical, platform-stable signal: in a linked worktree
218
+ * the entry at `<worktree>/.git` is a FILE (a `gitdir: …` pointer into the main
219
+ * repo's `.git/worktrees/<name>`), whereas the main repository's `.git` is a
220
+ * DIRECTORY. (An earlier implementation compared `git rev-parse
221
+ * --absolute-git-dir` against `--git-common-dir`, but those returned
222
+ * differently-normalized paths on the Windows CI runner — short 8.3 names /
223
+ * drive-letter case — so the main repo was misread as linked. The file-vs-dir
224
+ * check needs no path normalization.)
225
+ */
226
+ export function isLinkedWorktree(worktreePath) {
227
+ if (!fs.existsSync(worktreePath))
228
+ return false;
229
+ try {
230
+ const dotGit = path.join(worktreePath, '.git');
231
+ const st = fs.statSync(dotGit);
232
+ // main repo → .git is a directory; linked worktree → .git is a file pointer.
233
+ return st.isFile();
234
+ }
235
+ catch {
236
+ return false; // no .git entry → not a git worktree
237
+ }
238
+ }
239
+ /**
240
+ * pln#534 (worktree-as-contract) — commit the uncommitted diff of a dispatched
241
+ * worktree ON BEHALF of a worker that cannot commit itself (a sandboxed agent
242
+ * whose root excludes `.git`, i.e. `dispatchCanCommit=false`). The worker's only
243
+ * contract is "edit files in this worktree + drop LANE-RESULT.json"; brainclaw
244
+ * carries the commit so the code lands on the lane branch and propagates.
245
+ *
246
+ * GUARDS (defence-in-depth, since this writes git history):
247
+ * - the path must exist and be a LINKED worktree — NEVER the main repo;
248
+ * - no commit when an index.lock is present (concurrent git op);
249
+ * - no commit when the worktree is clean;
250
+ * - all git runs are `spawnSync('git', [...])` with `-C <worktree>` semantics
251
+ * (cwd-scoped, no shell) so nothing can escape the worktree.
252
+ * Returns a structured result instead of throwing so callers degrade gracefully.
253
+ */
254
+ export function commitWorktreeOnBehalf(worktreePath, message, options = {}) {
255
+ if (!fs.existsSync(worktreePath)) {
256
+ return { committed: false, files_changed: [], reason: `worktree path does not exist: ${worktreePath}` };
257
+ }
258
+ if (!isLinkedWorktree(worktreePath)) {
259
+ return { committed: false, files_changed: [], reason: `refusing to commit: ${worktreePath} is not a linked git worktree (main-repo guard)` };
260
+ }
261
+ if (hasGitLock(worktreePath)) {
262
+ return { committed: false, files_changed: [], reason: 'git index.lock present — another git operation is in progress' };
263
+ }
264
+ const status = runGit(['status', '--porcelain'], worktreePath);
265
+ if (!status.ok) {
266
+ return { committed: false, files_changed: [], reason: `git status failed: ${status.stderr.trim()}` };
267
+ }
268
+ if (status.stdout.trim().length === 0) {
269
+ return { committed: false, files_changed: [], reason: 'worktree clean — nothing to commit' };
270
+ }
271
+ // Stage everything, then UNSTAGE the transient files that must never land on
272
+ // the lane branch: the worker's own `LANE-RESULT.json` report and any
273
+ // `.brainclaw/` coordination state. Committing those would pollute the branch
274
+ // (and master, on merge) with non-deliverable artefacts.
275
+ const add = runGit(['add', '-A'], worktreePath);
276
+ if (!add.ok) {
277
+ return { committed: false, files_changed: [], reason: `git add failed: ${add.stderr.trim()}` };
278
+ }
279
+ runGit(['reset', '-q', '--', 'LANE-RESULT.json', '.brainclaw', '.brainclaw-heartbeat-*'], worktreePath);
280
+ // The files actually staged for this commit (post-exclusion) — also the
281
+ // truthful files_changed report.
282
+ const staged = runGit(['diff', '--cached', '--name-only'], worktreePath);
283
+ const files = staged.stdout.split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
284
+ if (files.length === 0) {
285
+ // Only transient files changed — nothing deliverable to commit. Restore the
286
+ // index so the worktree is left exactly as the worker left it.
287
+ runGit(['reset', '-q'], worktreePath);
288
+ return { committed: false, files_changed: [], reason: 'no committable changes (only transient LANE-RESULT.json / .brainclaw)' };
289
+ }
290
+ const authorName = options.authorName ?? 'brainclaw (on behalf)';
291
+ const authorEmail = options.authorEmail ?? 'brainclaw@on-behalf.local';
292
+ const commit = runGit([
293
+ '-c', `user.name=${authorName}`,
294
+ '-c', `user.email=${authorEmail}`,
295
+ '-c', 'commit.gpgsign=false',
296
+ 'commit', '-m', message,
297
+ ], worktreePath);
298
+ if (!commit.ok) {
299
+ return { committed: false, files_changed: files, reason: `git commit failed: ${commit.stderr.trim()}` };
300
+ }
301
+ const head = runGit(['rev-parse', 'HEAD'], worktreePath);
302
+ return {
303
+ committed: true,
304
+ sha: head.ok ? head.stdout.trim() : undefined,
305
+ files_changed: files,
306
+ reason: 'committed on behalf of worker',
307
+ };
308
+ }
179
309
  /**
180
310
  * Re-points an EXISTING worktree to `ref` via a hard reset of its checked-out
181
311
  * branch + working tree. Used when a dispatch reuses an existing claim/worktree
@@ -222,6 +352,7 @@ export function resetWorktreeToRef(worktreePath, ref) {
222
352
  const norm = p.replace(/\\/g, '/');
223
353
  return norm !== '.brainclaw-worktree.json'
224
354
  && !norm.startsWith('.brainclaw/')
355
+ && !norm.startsWith('.brainclaw-heartbeat-')
225
356
  && !norm.startsWith('.git/');
226
357
  });
227
358
  if (residue.length > 0) {
@@ -322,14 +453,42 @@ export function createWorktree(mainWorktreePath, branchName, options = {}) {
322
453
  const branchCheck = runGit(['rev-parse', '--verify', branchName], mainWorktreePath);
323
454
  const branchExists = branchCheck.ok;
324
455
  const baseRef = options.baseRef ?? 'HEAD';
325
- if (branchExists && options.resetExistingBranch) {
456
+ if (branchExists) {
326
457
  const attachedWorktreePath = findWorktreePathForBranch(listWorktrees(mainWorktreePath), branchName);
327
458
  if (attachedWorktreePath) {
328
- throw new Error(`Cannot reset branch ${branchName}: it is checked out in worktree ${attachedWorktreePath}. Remove or merge that worktree first.`);
459
+ throw new Error(`Cannot reuse branch ${branchName}: it is checked out in worktree ${attachedWorktreePath}. Remove or merge that worktree first.`);
460
+ }
461
+ if (options.resetExistingBranch) {
462
+ const reset = runGit(['branch', '--force', branchName, baseRef], mainWorktreePath);
463
+ if (!reset.ok) {
464
+ throw new Error(`git branch --force failed for ${branchName}: ${reset.stderr.trim()}`);
465
+ }
329
466
  }
330
- const reset = runGit(['branch', '--force', branchName, baseRef], mainWorktreePath);
331
- if (!reset.ok) {
332
- throw new Error(`git branch --force failed for ${branchName}: ${reset.stderr.trim()}`);
467
+ else {
468
+ // can_2e282880 (worktree-as-contract at creation): a reused branch is a
469
+ // CONTRACT that the worker starts from the dispatch base, not from
470
+ // whatever stale base the branch happened to sit on (observed live: a
471
+ // June dispatch reused a feat/<scope> branch based on April master).
472
+ // - branch has NO commits ahead of the base → silently re-point it to
473
+ // the base (it carries nothing worth keeping);
474
+ // - branch HAS commits not on the base → REFUSE and name them: they
475
+ // are unharvested work — merging/harvesting first is the only safe
476
+ // move, a silent reset would destroy it and a silent reuse would
477
+ // run the worker on a stale base.
478
+ const ahead = runGit(['rev-list', '--count', `${baseRef}..${branchName}`], mainWorktreePath);
479
+ const aheadCount = ahead.ok ? parseInt(ahead.stdout.trim(), 10) : NaN;
480
+ if (!Number.isFinite(aheadCount)) {
481
+ throw new Error(`Cannot assess divergence of existing branch ${branchName} vs ${baseRef}: ${ahead.stderr.trim()}`);
482
+ }
483
+ if (aheadCount > 0) {
484
+ const commits = runGit(['log', '--oneline', '-n', '5', `${baseRef}..${branchName}`], mainWorktreePath);
485
+ throw new Error(`Refusing to reuse branch ${branchName}: it has ${aheadCount} commit(s) not on ${baseRef} (unharvested work). ` +
486
+ `Harvest/merge or delete the branch first. Divergent commits:\n${commits.stdout.trim()}`);
487
+ }
488
+ const reset = runGit(['branch', '--force', branchName, baseRef], mainWorktreePath);
489
+ if (!reset.ok) {
490
+ throw new Error(`git branch --force failed for ${branchName}: ${reset.stderr.trim()}`);
491
+ }
333
492
  }
334
493
  }
335
494
  // Use forward-slash paths for git on Windows
@@ -719,7 +878,10 @@ export function worktreeHasOnlyBirthNoise(statusZStdout) {
719
878
  const paths = parsePorcelainZ(statusZStdout);
720
879
  return paths.every((p) => {
721
880
  const norm = p.replace(/\\/g, '/');
722
- return WORKTREE_BIRTH_NOISE.has(norm) || isSystemDirtyPath(norm);
881
+ return WORKTREE_BIRTH_NOISE.has(norm)
882
+ || norm.startsWith('.brainclaw-heartbeat-') // worker liveness sentinel (sprint 1.5)
883
+ || norm === 'LANE-RESULT.json' // worker outcome report — harvested, never committed
884
+ || isSystemDirtyPath(norm);
723
885
  });
724
886
  }
725
887
  /**