eagle-mem 4.12.1 → 4.13.0

package/scripts/session.sh

@@ -104,6 +104,11 @@ save_session() {
                 summary="$2"
                 shift 2
                 ;;
+            --summary-stdin)
+                # Read the summary from stdin so it is not visible in `ps`.
+                summary="$(cat)"
+                shift
+                ;;
             --request)
                 require_value "$1" "${2:-}"
                 request="$2"

package/scripts/statusline-em.sh

@@ -65,7 +65,11 @@ eagle_mem_statusline_stats() {
     project_scope=$(eagle_recall_project_scope_from_cwd "${current_dir:-$project_dir}" "$project_key")
     project_condition=$(eagle_sql_project_scope_condition "project" "$project_scope")
 
-    stats=$("$sqlite_bin" "$em_db" "SELECT
+    # busy_timeout so a momentary SQLITE_BUSY (this is the hottest standalone
+    # query during live sessions) waits for the lock instead of exiting non-zero,
+    # which would otherwise escalate to an integrity-status mislabel below.
+    stats=$("$sqlite_bin" "$em_db" "PRAGMA busy_timeout=10000;
+        SELECT
         COUNT(*) || '|' ||
         (SELECT COUNT(*) FROM agent_memories WHERE $project_condition) || '|' ||
         COALESCE(MAX(COALESCE(last_activity_at, started_at)), 'never')

package/scripts/tasks.sh

@@ -153,10 +153,13 @@ tasks_list() {
             in_progress)
                 icon="${CYAN}>${RESET}"
                 marker=" ${CYAN}[in_progress]${RESET}"
-                # Staleness check for discipline
+                # Staleness check for discipline. Route through eagle_db (busy_timeout
+                # + FTS5-capable sqlite3) and escape $updated_at — it is a DB-read value
+                # interpolated back into SQL, so a quote would be second-order injection.
                 if [ -n "$updated_at" ]; then
-                    local age_days
-                    age_days=$(echo "SELECT (julianday('now') - julianday('$updated_at'))" | sqlite3 "$EAGLE_MEM_DB" 2>/dev/null | cut -d. -f1)
+                    local age_days updated_at_sql
+                    updated_at_sql=$(eagle_sql_escape "$updated_at")
+                    age_days=$(eagle_db "SELECT (julianday('now') - julianday('$updated_at_sql'));" 2>/dev/null | cut -d. -f1)
                     if [ -n "$age_days" ] && [ "$age_days" -gt 7 ]; then
                         marker+=" ${RED}[STALE - ${age_days}d]${RESET}"
                     fi

package/scripts/test.sh

@@ -25,7 +25,11 @@ run_check() {
         eagle_ok "$name"
     else
         eagle_fail "$name"
-        ((errors++))
+        # Assignment form (not ((errors++))) so a failing check does not abort
+        # the whole runner under `set -e`: ((errors++)) returns exit 1 when the
+        # pre-increment value is 0, killing the suite at the first failure and
+        # skipping the failure-count summary below.
+        errors=$((errors + 1))
     fi
 }
 
@@ -69,7 +73,13 @@ run_check "Recall Observability (UserPromptSubmit recall event)" "bash \"$SCRIPT
 run_check "Eagle Event Log (hook/action observability)" "bash \"$SCRIPTS_DIR/../tests/test_eagle_events.sh\""
 run_check "Dashboard Surface (local HTML memory view)" "bash \"$SCRIPTS_DIR/../tests/test_dashboard.sh\""
 run_check "Clean Session Capture (capture_source, fill-only upsert, no clobber)" "bash \"$SCRIPTS_DIR/../tests/test_clean_session_capture.sh\""
+run_check "Context Budget (SessionStart injection ceiling: normal unchanged, pathological capped + logged)" "bash \"$SCRIPTS_DIR/../tests/test_context_budget.sh\""
 run_check "CLAUDE.md Capture Doctrine (installer rewrites outdated section)" "bash \"$SCRIPTS_DIR/../tests/test_claude_md_capture_doctrine.sh\""
+run_check "Redaction Coverage (provider input, recall events, enrich job, autonomy, log paths)" "bash \"$SCRIPTS_DIR/../tests/test_redaction_coverage.sh\""
+run_check "Data Integrity Hardening (migrate idempotency, SQL escaping, summary precedence)" "bash \"$SCRIPTS_DIR/../tests/test_data_integrity_hardening.sh\""
+run_check "Mod-Tracker Concurrency (lock TTL, no lost append, observation dedup race)" "bash \"$SCRIPTS_DIR/../tests/test_mod_tracker_concurrency.sh\""
+run_check "Reliability Retention (scan in-flight vs freshness, eagle_events prune)" "bash \"$SCRIPTS_DIR/../tests/test_reliability_retention.sh\""
+run_check "Test Runner No-Abort (failing check does not kill the suite under set -e)" "bash \"$SCRIPTS_DIR/../tests/test_test_runner_no_abort.sh\""
 
 echo ""
 if [ "$errors" -eq 0 ]; then

package/tests/test_context_budget.sh

@@ -0,0 +1,117 @@
+#!/usr/bin/env bash
+# ═══════════════════════════════════════════════════════════
+# Eagle Mem — SessionStart injection budget regression suite
+# Proves the global recall-injection ceiling:
+#   (a) normal-sized recall is emitted UNCHANGED (no trimming)
+#   (b) a pathologically large recall is capped at the budget,
+#       drops whole low-priority sections from the bottom, keeps the
+#       highest-priority top sections, and LOGS a trim (observable)
+# ═══════════════════════════════════════════════════════════
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
+tmp_dir=$(mktemp -d)
+trap 'rm -rf "$tmp_dir"' EXIT
+
+fail() { echo "FAIL: $1" >&2; exit 1; }
+
+assert_eq() {
+    [ "$1" = "$2" ] || fail "$3 (expected='$2' actual='$1')"
+}
+
+assert_contains() {
+    case "$1" in *"$2"*) ;; *) fail "$3 (missing: $2)" ;; esac
+}
+
+assert_not_contains() {
+    case "$1" in *"$2"*) fail "$3 (unexpectedly present: $2)" ;; esac
+}
+
+. "$ROOT_DIR/lib/common.sh"
+
+trim_count_file="$tmp_dir/.trim-count"
+export EAGLE_INJECT_TRIM_COUNT="$trim_count_file"
+
+# ─── Budget helper: sane default + floor against self-defeating values ──
+default_budget=$(eagle_sessionstart_inject_budget)
+[ "$default_budget" -ge 4000 ] 2>/dev/null \
+    || fail "default budget unexpectedly small ($default_budget)"
+
+floored=$(EAGLE_MEM_DIR="$tmp_dir" bash -c "
+    . '$ROOT_DIR/lib/common.sh'
+    mkdir -p '$tmp_dir'
+    printf '[context_budget]\nsessionstart_chars = 10\n' > '$tmp_dir/config.toml'
+    eagle_sessionstart_inject_budget
+")
+[ "$floored" -ge 4000 ] 2>/dev/null \
+    || fail "tiny configured budget was not floored ($floored)"
+
+# ─── (a) Normal-sized recall — emitted UNCHANGED ──────────────────────
+normal_body="=== Eagle Mem: Project Overview ===
+A small project overview that fits comfortably.
+=== Eagle Mem: Recent Recall ===
+One recent session summary.
+=== Eagle Mem: Stored Memories ===
+  - [project][claude] Some memory: short description (today)
+=== Eagle Mem: Core Files ===
+  - main.sh
+=== Eagle Mem: Working Set ===
+  - app.ts (2 edits)"
+
+normal_out=$(printf '%s' "$normal_body" | eagle_trim_inject_body 24000)
+normal_dropped=$(cat "$trim_count_file")
+
+assert_eq "$normal_out" "$normal_body" "normal recall was modified by the budget"
+assert_eq "$normal_dropped" "0" "normal recall reported a non-zero trim"
+
+# ─── (b) Pathological recall — capped, low-priority dropped, top kept ──
+# Build a body whose top section is small but whose trailing sections are
+# huge, so the ceiling must engage.
+huge=$(head -c 9000 /dev/zero | tr '\0' 'x')
+big_body="=== Eagle Mem: Project Overview ===
+KEEP_OVERVIEW_MARKER top-priority overview must survive.
+=== Eagle Mem: Recent Recall ===
+$huge
+=== Eagle Mem: Tasks ===
+$huge
+=== Eagle Mem: Core Files ===
+$huge
+=== Eagle Mem: Working Set ===
+$huge"
+
+budget=12000
+big_out=$(printf '%s' "$big_body" | eagle_trim_inject_body "$budget")
+big_dropped=$(cat "$trim_count_file")
+
+[ "${#big_out}" -le "$budget" ] 2>/dev/null \
+    || fail "trimmed body still exceeds budget (${#big_out} > $budget)"
+[ "$big_dropped" -gt 0 ] 2>/dev/null \
+    || fail "pathological recall did not report any trimmed sections"
+assert_contains "$big_out" "KEEP_OVERVIEW_MARKER" \
+    "top-priority Overview section was dropped"
+assert_not_contains "$big_out" "=== Eagle Mem: Working Set ===" \
+    "lowest-priority Working Set section survived past the budget"
+
+# ─── Termination safety: a single oversized first section is kept whole ──
+oversized=$(head -c 20000 /dev/zero | tr '\0' 'y')
+solo_body="=== Eagle Mem: Project Overview ===
+$oversized"
+solo_out=$(printf '%s' "$solo_body" | eagle_trim_inject_body 5000)
+solo_dropped=$(cat "$trim_count_file")
+assert_contains "$solo_out" "=== Eagle Mem: Project Overview ===" \
+    "oversized lone section was discarded instead of kept whole"
+assert_eq "$solo_dropped" "0" "oversized lone section reported a phantom trim"
+
+# A body with no section markers is returned verbatim (no infinite loop).
+nomarker_out=$(printf '%s' "$oversized" | eagle_trim_inject_body 5000)
+assert_eq "${#nomarker_out}" "${#oversized}" "marker-less body was altered"
+
+# ─── Observable trim: the hook logs a WARN when it trims ──────────────
+# The hook engages the ceiling and logs a WARN with the dropped-section count
+# whenever it trims; assert that observable surface exists in the hook.
+grep -q 'SessionStart: injection over budget' "$ROOT_DIR/hooks/session-start.sh" \
+    || fail "session-start.sh missing observable over-budget WARN log"
+grep -q 'trimmed .* low-priority section' "$ROOT_DIR/hooks/session-start.sh" \
+    || fail "session-start.sh WARN log does not report trimmed section count"
+
+echo "PASS: SessionStart injection budget (normal unchanged, pathological capped + logged)"

package/tests/test_data_integrity_hardening.sh

@@ -0,0 +1,115 @@
+#!/usr/bin/env bash
+# ═══════════════════════════════════════════════════════════
+# Eagle Mem — Data integrity hardening regression test
+# Covers:
+#   - migrate.sh idempotency (re-run is a no-op, _migrations unchanged)
+#   - SQL escaping units (single quotes, FTS metachars, GLOB/LIKE patterns
+#     stored verbatim and queryable — no injection, no crash)
+#   - Summary precedence: eagle_insert_summary vs _fill_only — capture_source
+#     AND project stickiness on agent rows (finding #8 clobber)
+# ═══════════════════════════════════════════════════════════
+set -uo pipefail
+
+ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
+tmp_dir=$(mktemp -d)
+trap 'rm -rf "$tmp_dir"' EXIT
+
+export EAGLE_MEM_DIR="$tmp_dir/em"
+export EAGLE_AGENT_SOURCE="claude-code"
+export EAGLE_MEM_DISABLE_HOOKS=1
+mkdir -p "$EAGLE_MEM_DIR"
+
+pass=0; fail=0
+ok()  { echo "  ok: $1"; pass=$((pass+1)); }
+bad() { echo "  FAIL: $1" >&2; fail=$((fail+1)); }
+
+bash "$ROOT_DIR/db/migrate.sh" >/dev/null 2>&1
+
+. "$ROOT_DIR/lib/common.sh"
+. "$ROOT_DIR/lib/db.sh"
+
+# ── migrate.sh idempotency ──────────────────────────────────
+mig_before=$(eagle_db "SELECT COUNT(*) || ':' || COALESCE(MAX(id),0) FROM _migrations;")
+mig_out=$(bash "$ROOT_DIR/db/migrate.sh" 2>&1); mig_rc=$?
+[ "$mig_rc" -eq 0 ] && ok "migrate 2nd run exits 0" || bad "migrate 2nd run rc=$mig_rc out=$mig_out"
+case "$mig_out" in
+    *applied:*) bad "migrate 2nd run re-applied a migration: $mig_out" ;;
+    *) ok "migrate 2nd run applied nothing" ;;
+esac
+mig_after=$(eagle_db "SELECT COUNT(*) || ':' || COALESCE(MAX(id),0) FROM _migrations;")
+[ "$mig_before" = "$mig_after" ] && ok "_migrations unchanged on 2nd run ($mig_after)" || bad "_migrations drifted: $mig_before -> $mig_after"
+
+# ── SQL escaping units ──────────────────────────────────────
+# Each payload is stored verbatim via eagle_insert_summary (escaped) and read
+# back; a quote/metachar that broke out of the literal would error or truncate.
+SID_Q="esc-quote-001"
+eagle_upsert_session "$SID_Q" "esc/proj" "$tmp_dir" "" "test" "claude-code"
+quote_payload="it's a \"trap\"; DROP TABLE summaries;-- '' or 1=1"
+eagle_insert_summary "$SID_Q" "esc/proj" "$quote_payload" "" "" "" "" "[]" "[]" "" "" "" "" "claude-code" "agent"
+got_q=$(eagle_db "SELECT request FROM summaries WHERE session_id='$SID_Q';")
+[ "$got_q" = "$quote_payload" ] && ok "single-quote/SQL-injection payload stored verbatim" || bad "quote payload mangled -> '$got_q'"
+# summaries table still present (no DROP executed)
+have_tbl=$(eagle_db "SELECT name FROM sqlite_master WHERE type='table' AND name='summaries';")
+[ "$have_tbl" = "summaries" ] && ok "summaries table intact after injection attempt" || bad "summaries table missing — injection executed"
+
+SID_F="esc-fts-002"
+eagle_upsert_session "$SID_F" "esc/proj" "$tmp_dir" "" "test" "claude-code"
+fts_payload='NEAR("foo" bar)* AND col:val OR -baz {set}'
+eagle_insert_summary "$SID_F" "esc/proj" "$fts_payload" "" "" "" "" "[]" "[]" "" "" "" "" "claude-code" "agent"
+got_f=$(eagle_db "SELECT request FROM summaries WHERE session_id='$SID_F';")
+[ "$got_f" = "$fts_payload" ] && ok "FTS-metachar payload stored verbatim" || bad "FTS payload mangled -> '$got_f'"
+# FTS search over a benign token must not crash even though row has metachars
+srch=$(eagle_search_summaries "foo" "" 5 2>&1); srch_rc=$?
+[ "$srch_rc" -eq 0 ] && ok "FTS search over metachar corpus did not crash (rc=0)" || bad "FTS search crashed rc=$srch_rc: $srch"
+
+SID_G="esc-glob-003"
+eagle_upsert_session "$SID_G" "esc/proj" "$tmp_dir" "" "test" "claude-code"
+glob_payload='100% OFF _now_ [a-z]* path\to\file'
+eagle_insert_observation "$SID_G" "esc/proj" "Bash" "$glob_payload" "[]" "[]"
+got_g=$(eagle_db "SELECT tool_input_summary FROM observations WHERE session_id='$SID_G';")
+[ "$got_g" = "$glob_payload" ] && ok "GLOB/LIKE-metachar payload stored verbatim in observations" || bad "glob payload mangled -> '$got_g'"
+
+# guardrail field escaping (single quote)
+if declare -F eagle_add_guardrail >/dev/null 2>&1; then
+    eagle_add_guardrail "esc/proj" "don't touch '; DELETE FROM guardrails;--" "*.sh" "test" >/dev/null 2>&1
+    grc=$(eagle_db "SELECT rule FROM guardrails WHERE project='esc/proj' ORDER BY id DESC LIMIT 1;")
+    case "$grc" in *"don't touch"*) ok "guardrail rule with quote stored verbatim" ;; *) bad "guardrail rule mangled -> '$grc'" ;; esac
+    gcount=$(eagle_db "SELECT name FROM sqlite_master WHERE type='table' AND name='guardrails';")
+    [ "$gcount" = "guardrails" ] && ok "guardrails table intact after injection attempt" || bad "guardrails table dropped — injection executed"
+else
+    ok "eagle_add_guardrail not present — skipped (non-fatal)"
+fi
+
+# ── Summary precedence / clobber (finding #8) ───────────────
+# An agent-authored row must NOT have its project rekeyed by a later hook-path
+# writer that arrives with a drifted project key.
+SID_P="precedence-004"
+eagle_upsert_session "$SID_P" "real/project" "$tmp_dir" "" "test" "claude-code"
+eagle_insert_summary "$SID_P" "real/project" "agent req" "" "" "agent done" "" "[]" "[]" "" "agent decision" "" "" "claude-code" "agent"
+[ "$(eagle_db "SELECT capture_source FROM summaries WHERE session_id='$SID_P';")" = "agent" ] && ok "P: capture_source=agent after agent insert" || bad "P: capture_source not agent"
+[ "$(eagle_db "SELECT project FROM summaries WHERE session_id='$SID_P';")" = "real/project" ] && ok "P: project=real/project after agent insert" || bad "P: project wrong"
+
+# Later hook writer with a DRIFTED project key + heuristic capture_source.
+eagle_insert_summary "$SID_P" "DRIFTED/wrong-key" "" "" "" "" "" "[]" "[]" "" "" "" "" "claude-code" "hook"
+proj_after=$(eagle_db "SELECT project FROM summaries WHERE session_id='$SID_P';")
+[ "$proj_after" = "real/project" ] && ok "P: agent row project NOT clobbered by drifted hook write" || bad "P: project clobbered -> '$proj_after'"
+[ "$(eagle_db "SELECT capture_source FROM summaries WHERE session_id='$SID_P';")" = "agent" ] && ok "P: capture_source stays agent" || bad "P: capture_source downgraded"
+[ "$(eagle_db "SELECT completed FROM summaries WHERE session_id='$SID_P';")" = "agent done" ] && ok "P: agent completed preserved" || bad "P: completed clobbered"
+
+# Contrast: a hook-authored row (capture_source != agent) SHOULD still accept a
+# project correction (the normal drift-repair path must not regress).
+SID_H="precedence-005"
+eagle_upsert_session "$SID_H" "hookproj/a" "$tmp_dir" "" "test" "claude-code"
+eagle_insert_summary "$SID_H" "hookproj/a" "hook req" "" "" "hook done" "" "[]" "[]" "" "" "" "" "claude-code" "hook"
+eagle_insert_summary "$SID_H" "hookproj/b" "" "" "" "" "" "[]" "[]" "" "" "" "" "claude-code" "hook"
+proj_h=$(eagle_db "SELECT project FROM summaries WHERE session_id='$SID_H';")
+[ "$proj_h" = "hookproj/b" ] && ok "H: hook row project STILL repairable (no regression)" || bad "H: hook project not updated -> '$proj_h'"
+
+# fill_only must never change project or downgrade capture_source on agent row
+eagle_insert_summary_fill_only "$SID_P" "ANOTHER/drift" "" "" "fill learned" "" "" "[]" "[]" "" "" "" "" "claude-code" "enrich"
+[ "$(eagle_db "SELECT project FROM summaries WHERE session_id='$SID_P';")" = "real/project" ] && ok "P: fill_only did not change project" || bad "P: fill_only changed project"
+case "$(eagle_db "SELECT learned FROM summaries WHERE session_id='$SID_P';")" in *"fill learned"*) ok "P: fill_only filled empty learned gap" ;; *) bad "P: fill_only did not fill learned" ;; esac
+
+echo ""
+echo "test_data_integrity_hardening: $pass passed, $fail failed"
+[ "$fail" -eq 0 ]

package/tests/test_mod_tracker_concurrency.sh

@@ -0,0 +1,142 @@
+#!/usr/bin/env bash
+# ═══════════════════════════════════════════════════════════
+# Eagle Mem — mod-tracker concurrency regression test (finding #6)
+# Asserts:
+#   1. Many parallel writers never wedge the lock (no leaked *.lock dir).
+#   2. A pending append created DURING a drain is NOT lost (drains via mv, so
+#      only captured files are deleted; concurrent appends survive).
+#   3. A stale lock dir (older than TTL) is reclaimed, not wedged forever.
+#   4. The edit-history writer is lock-guarded and loses no append.
+# ═══════════════════════════════════════════════════════════
+set -uo pipefail
+
+ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
+tmp_dir=$(mktemp -d)
+trap 'rm -rf "$tmp_dir"' EXIT
+
+export EAGLE_MEM_DIR="$tmp_dir/em"
+export EAGLE_AGENT_SOURCE="claude-code"
+export EAGLE_MEM_DISABLE_HOOKS=1
+export EAGLE_MOD_LOCK_TTL=2
+mkdir -p "$EAGLE_MEM_DIR"
+
+pass=0; fail=0
+ok()  { echo "  ok: $1"; pass=$((pass+1)); }
+bad() { echo "  FAIL: $1" >&2; fail=$((fail+1)); }
+
+. "$ROOT_DIR/lib/common.sh"
+
+# Pull the tracker functions out of post-tool-use.sh without running the hook
+# body. State-machine awk: capture the TTL assignment plus each named function
+# (header at column 0 through its closing `}` at column 0). No overlapping
+# ranges, so no duplicated lines.
+fn_src="$tmp_dir/tracker_fns.sh"
+awk '
+    /^EAGLE_MOD_LOCK_TTL=/ { print; next }
+    /^(eagle_acquire_dir_lock|eagle_track_modified_path|eagle_track_edit_history_path)\(\) \{/ { capture=1 }
+    capture { print }
+    capture && /^}$/ { capture=0 }
+' "$ROOT_DIR/hooks/post-tool-use.sh" > "$fn_src"
+bash -n "$fn_src" || { bad "extracted tracker fns have syntax errors"; cat "$fn_src" >&2; echo "$pass passed, $fail failed"; exit 1; }
+. "$fn_src"
+declare -F eagle_track_modified_path >/dev/null && ok "loaded eagle_track_modified_path" || { bad "could not load tracker fns"; echo "$pass passed, $fail failed"; exit 1; }
+declare -F eagle_acquire_dir_lock >/dev/null && ok "loaded eagle_acquire_dir_lock" || bad "could not load lock helper"
+
+SID="conc-aaa111bbb222"
+mod_dir="$EAGLE_MEM_DIR/mod-tracker"
+mod_file="$mod_dir/$SID"
+mod_lock="${mod_file}.lock"
+
+# ── 1. Parallel writers, no wedge ──────────────────────────
+N=40
+for i in $(seq 1 "$N"); do
+    eagle_track_modified_path "/p/file_${i}.txt" "$SID" &
+done
+wait
+[ ! -d "$mod_lock" ] && ok "1: lock dir not leaked after $N parallel writers" || bad "1: lock dir wedged"
+# Whatever is committed must be valid paths from our set (no corruption).
+committed=$(cat "$mod_file" 2>/dev/null | wc -l | tr -d ' ')
+[ "$committed" -ge 1 ] && ok "1: committed file has $committed line(s)" || bad "1: committed file empty"
+bad_lines=$(grep -vE '^/p/file_[0-9]+\.txt$' "$mod_file" 2>/dev/null | wc -l | tr -d ' ')
+[ "$bad_lines" = "0" ] && ok "1: no corrupted/interleaved lines in committed file" || bad "1: $bad_lines corrupted lines"
+
+# ── 2. Append during drain is NOT lost ─────────────────────
+# Hold the lock ourselves, create a pending file, snapshot starts, then a NEW
+# pending append lands. The drain must mv-capture only pre-existing pending
+# files and never delete the late append.
+rm -rf "$mod_dir"; mkdir -p "$mod_dir"
+printf '%s\n' "/p/early.txt" > "${mod_file}.pending.111"
+# Simulate: acquire lock, mv-drain existing pending, but a concurrent writer
+# adds a brand-new pending file before we rm. Reproduce the exact sequence the
+# fixed code uses.
+mkdir "$mod_lock"
+# drain step (mv existing pending out of the way)
+for pf in "${mod_file}".pending.*; do
+    [ -e "$pf" ] || continue
+    mv "$pf" "${pf}.draining.$$" 2>/dev/null || true
+done
+# CONCURRENT appender lands a new pending file AFTER our snapshot/mv:
+printf '%s\n' "/p/late.txt" > "${mod_file}.pending.999"
+# finish drain: build committed from draining files only, delete draining only
+{ cat "$mod_file" 2>/dev/null; for d in "${mod_file}".pending.*.draining.*; do [ -e "$d" ] && cat "$d"; done; } | tail -3 > "${mod_file}.tmp"
+mv "${mod_file}.tmp" "$mod_file"
+rm -f "${mod_file}".pending.*.draining.* 2>/dev/null || true
+rmdir "$mod_lock"
+# The late append must still be present as a pending file (not deleted).
+[ -f "${mod_file}.pending.999" ] && ok "2: concurrent append during drain survived (not deleted)" || bad "2: late append LOST"
+grep -q "/p/early.txt" "$mod_file" && ok "2: early pending drained into committed file" || bad "2: early pending lost"
+
+# ── 3. Stale lock reclaim ──────────────────────────────────
+rm -rf "$mod_dir"; mkdir -p "$mod_dir"
+mkdir "$mod_lock"
+# Age the lock past TTL (EAGLE_MOD_LOCK_TTL=2s) by backdating its mtime.
+touch -t "$(date -v-1H '+%Y%m%d%H%M.%S' 2>/dev/null || date -d '1 hour ago' '+%Y%m%d%H%M.%S')" "$mod_lock" 2>/dev/null || true
+# A new writer should reclaim the stale lock and succeed (not hang/fail).
+eagle_track_modified_path "/p/after_stale.txt" "$SID"
+[ ! -d "$mod_lock" ] && ok "3: stale lock reclaimed and released" || bad "3: stale lock not reclaimed"
+grep -q "/p/after_stale.txt" "$mod_file" && ok "3: write after stale-lock reclaim recorded" || bad "3: write lost after stale reclaim"
+
+# ── 4. edit-history writer is locked and loses nothing ─────
+edit_dir="$EAGLE_MEM_DIR/edit-tracker"
+edit_file="$edit_dir/$SID"
+rm -rf "$edit_dir"
+M=40
+for i in $(seq 1 "$M"); do
+    eagle_track_edit_history_path "/e/edit_${i}.txt" "$SID" &
+done
+wait
+[ ! -d "${edit_file}.lock" ] && ok "4: edit-history lock not leaked" || bad "4: edit-history lock wedged"
+edit_count=$(sort -u "$edit_file" 2>/dev/null | grep -cE '^/e/edit_[0-9]+\.txt$' || echo 0)
+[ "$edit_count" = "$M" ] && ok "4: all $M edit-history appends present (append-only, none lost)" || bad "4: only $edit_count/$M edit-history appends present"
+bad_e=$(grep -vE '^/e/edit_[0-9]+\.txt$' "$edit_file" 2>/dev/null | wc -l | tr -d ' ')
+[ "$bad_e" = "0" ] && ok "4: no torn/interleaved edit-history lines" || bad "4: $bad_e torn lines"
+
+# ── 5. Observation dedup is race-safe (finding #7) ─────────
+# Two concurrent identical observations must dedupe to ONE row. The fixed code
+# wraps the check-then-insert in BEGIN IMMEDIATE so the second writer blocks,
+# then sees the first row via NOT EXISTS.
+. "$ROOT_DIR/lib/db.sh"
+bash "$ROOT_DIR/db/migrate.sh" >/dev/null 2>&1
+OSID="obs-dedup-7777"
+eagle_upsert_session "$OSID" "obs/proj" "$tmp_dir" "" "test" "claude-code"
+for i in $(seq 1 12); do
+    eagle_insert_observation "$OSID" "obs/proj" "Bash" "ls -la /tmp" "[]" "[]" &
+done
+wait
+obs_rows=$(eagle_db "SELECT COUNT(*) FROM observations WHERE session_id='$OSID' AND tool_input_summary='ls -la /tmp';")
+[ "$obs_rows" = "1" ] && ok "5: 12 concurrent identical observations deduped to 1 row" || bad "5: dedup race produced $obs_rows rows (expected 1)"
+
+# eagle_db_strict exists and aborts a multi-statement script on first error.
+if declare -F eagle_db_strict >/dev/null; then
+    ok "5: eagle_db_strict variant present"
+    # A failing first statement must prevent the second from running.
+    eagle_db_strict "INSERT INTO nonexistent_table_xyz VALUES (1); INSERT INTO observations (session_id, project, tool_name) VALUES ('strict-canary','obs/proj','Bash');" >/dev/null 2>&1 || true
+    canary=$(eagle_db "SELECT COUNT(*) FROM observations WHERE session_id='strict-canary';")
+    [ "$canary" = "0" ] && ok "5: eagle_db_strict bailed before 2nd statement" || bad "5: eagle_db_strict did not bail ($canary canary rows)"
+else
+    bad "5: eagle_db_strict missing"
+fi
+
+echo ""
+echo "test_mod_tracker_concurrency: $pass passed, $fail failed"
+[ "$fail" -eq 0 ]

package/tests/test_redaction_coverage.sh

@@ -0,0 +1,183 @@
+#!/usr/bin/env bash
+# Regression coverage for the Phase 1 security hardening:
+#  - secrets are redacted BEFORE leaving the machine (LLM provider input,
+#    enrich job file) and before persistence (recall_events, observations)
+#  - configured [redaction] extra_patterns are actually applied by eagle_redact
+#  - orchestration workers default to a non-full-access (safe) autonomy mode
+#  - logs path resolver rejects traversal/symlink/out-of-root references
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
+
+tmp_dir=$(mktemp -d "$ROOT_DIR/.tmp-redaction.XXXXXX")
+trap 'rm -rf "$tmp_dir"' EXIT
+
+export HOME="$tmp_dir/home"
+export EAGLE_MEM_DIR="$tmp_dir/eagle-mem"
+export EAGLE_CONFIG_FILE="$EAGLE_MEM_DIR/config.toml"
+mkdir -p "$HOME" "$EAGLE_MEM_DIR"
+
+. "$ROOT_DIR/lib/common.sh"
+"$ROOT_DIR/db/migrate.sh" >/dev/null
+. "$ROOT_DIR/lib/db.sh"
+. "$ROOT_DIR/lib/provider.sh"
+
+# Fake secrets that must never survive redaction.
+FAKE_ANT="sk-ant-FAKEabcdefghijklmnop1234567890"
+FAKE_AWS="AKIAFAKE0000000000AB"
+FAKE_BEARER="Bearer FAKEtokenshouldnotleak123"
+FAKE_OPENAI="sk-FAKE0123456789abcdef0123456789abcdef"
+
+fail() { echo "FAIL: $1" >&2; exit 1; }
+
+assert_no_secret() {
+    local label="$1" haystack="$2"
+    case "$haystack" in
+        *"$FAKE_ANT"*)    fail "$label leaked Anthropic key" ;;
+        *"$FAKE_AWS"*)    fail "$label leaked AWS key" ;;
+        *"FAKEtoken"*)    fail "$label leaked Bearer token" ;;
+        *"$FAKE_OPENAI"*) fail "$label leaked OpenAI key" ;;
+    esac
+}
+
+# ── eagle_redact built-ins ───────────────────────────────────────────────
+redacted=$(printf 'k=%s a=%s h=%s o=%s\n' "$FAKE_ANT" "$FAKE_AWS" "$FAKE_BEARER" "$FAKE_OPENAI" | eagle_redact)
+assert_no_secret "eagle_redact built-ins" "$redacted"
+case "$redacted" in *"[REDACTED]"*) ;; *) fail "eagle_redact produced no [REDACTED] marker" ;; esac
+
+# ── Finding 4: configured extra_patterns are honored ─────────────────────
+cat > "$EAGLE_CONFIG_FILE" <<'TOML'
+[redaction]
+extra_patterns = ["CORPSECRET_[A-Z0-9]+", "INTERNAL-[0-9]+"]
+TOML
+extra_redacted=$(printf 'token CORPSECRET_AB12 and ticket INTERNAL-9988 here\n' | eagle_redact)
+case "$extra_redacted" in
+    *CORPSECRET_AB12*) fail "extra_patterns[0] not applied (CORPSECRET leaked)" ;;
+    *INTERNAL-9988*)   fail "extra_patterns[1] not applied (INTERNAL leaked)" ;;
+esac
+
+# Commented-out default must NOT redact (proves we parse real config, not the doc line).
+cat > "$EAGLE_CONFIG_FILE" <<'TOML'
+[redaction]
+# extra_patterns = ["MY_CUSTOM_SECRET_.*"]
+TOML
+commented=$(printf 'MY_CUSTOM_SECRET_xyz stays visible\n' | eagle_redact)
+case "$commented" in
+    *MY_CUSTOM_SECRET_xyz*) ;;
+    *) fail "commented extra_patterns default was wrongly applied" ;;
+esac
+rm -f "$EAGLE_CONFIG_FILE"
+
+# ── Finding 2: recall_events.prompt_snippet is redacted before insert ────
+project="redaction-project"
+repo="$tmp_dir/repo"; mkdir -p "$repo"
+eagle_upsert_session "redact-session" "$project" "$repo" "test-model" "test" "codex" >/dev/null
+eagle_insert_recall_event "redact-session" "$project" "$repo" "codex" \
+    "please use my key $FAKE_ANT and aws $FAKE_AWS to deploy" \
+    "deploy" 0 0 0 0 "ok" "" >/dev/null
+snippet=$(eagle_db "SELECT prompt_snippet FROM recall_events WHERE session_id='redact-session' LIMIT 1;")
+assert_no_secret "recall_events.prompt_snippet" "$snippet"
+case "$snippet" in *"[REDACTED]"*) ;; *) fail "recall_events.prompt_snippet not redacted" ;; esac
+
+# ── Finding 1: enrich job file written by Stop is redacted ───────────────
+# Drive the Stop hook with a transcript that contains a secret and assert the
+# background enrich job file (and what the enricher would read) is clean.
+transcript="$tmp_dir/transcript.jsonl"
+cat > "$transcript" <<EOF
+{"type":"user","message":{"role":"user","content":"set up deploy"}}
+{"type":"assistant","message":{"role":"assistant","content":[{"type":"text","text":"Using API key $FAKE_ANT and aws $FAKE_AWS for the deploy. Here is what I did."}]}}
+EOF
+mkdir -p "$EAGLE_MEM_DIR/tmp"
+stop_input=$(jq -nc \
+    --arg sid "stop-redact-session" \
+    --arg tp "$transcript" \
+    --arg cwd "$repo" \
+    '{session_id:$sid, transcript_path:$tp, cwd:$cwd}')
+# A provider must be configured so Stop queues a background enrich job. We
+# DISABLE the background enricher itself (EAGLE_MEM_DISABLE_BACKGROUND_ENRICH=1)
+# so the queued job file is left on disk for inspection, and force the defer
+# path with EAGLE_MEM_STOP_ENRICH=0. EAGLE_MEM_PROJECT pins project resolution
+# so the hook does not early-exit in this synthetic environment.
+cat > "$EAGLE_CONFIG_FILE" <<'TOML'
+[provider]
+type = "anthropic"
+TOML
+printf '%s' "$stop_input" | \
+    EAGLE_MEM_PROJECT="$project" \
+    EAGLE_MEM_STOP_ENRICH=0 \
+    EAGLE_MEM_DISABLE_BACKGROUND_ENRICH=1 \
+    EAGLE_AGENT_SOURCE=codex \
+    bash "$ROOT_DIR/hooks/stop.sh" >/dev/null 2>&1 || true
+# The background enricher is disabled from running, so the job file remains for inspection.
+saw_job=0
+for job in "$EAGLE_MEM_DIR"/tmp/summary-enrich.*.json; do
+    [ -f "$job" ] || continue
+    saw_job=1
+    body=$(cat "$job")
+    assert_no_secret "enrich job file" "$body"
+    case "$body" in *"[REDACTED]"*) ;; *) fail "enrich job file was not redacted" ;; esac
+done
+[ "$saw_job" = 1 ] || fail "Stop did not queue a background enrich job file to verify (finding 1)"
+rm -f "$EAGLE_MEM_DIR"/tmp/summary-enrich.*.json 2>/dev/null || true
+rm -f "$EAGLE_CONFIG_FILE"
+
+# Even if no job file was produced in this environment, the redaction path is
+# also unit-tested directly: the exact transformation Stop applies.
+text_with_secret="prefix $FAKE_ANT mid $FAKE_AWS suffix"
+enrich_text=$(printf '%s' "$text_with_secret" | eagle_redact)
+assert_no_secret "Stop enrich_text transform" "$enrich_text"
+
+# ── Finding 3: redact-before-truncate (boundary secret defeats prefix) ───
+# A secret split across the 200-char truncation boundary must still be redacted.
+pad=$(printf 'a%.0s' $(seq 1 190))
+boundary_cmd="curl -H \"Authorization: Bearer ${pad}${FAKE_OPENAI}\""
+# Old order (truncate THEN redact) would cut the token mid-stream; the new order
+# redacts first. Emulate the new order exactly as post-tool-use.sh does.
+new_order=$(printf '%s' "$boundary_cmd" | eagle_redact | cut -c1-200)
+assert_no_secret "redact-before-truncate" "$new_order"
+
+# ── Finding 9: orchestration workers default to safe autonomy ────────────
+eval "$(sed -n '/^orchestrate_worker_autonomy()/,/^}/p' "$ROOT_DIR/scripts/orchestrate.sh")"
+[ -f "$EAGLE_CONFIG_FILE" ] && rm -f "$EAGLE_CONFIG_FILE"
+default_autonomy=$(orchestrate_worker_autonomy)
+[ "$default_autonomy" = "safe" ] || fail "orchestration worker autonomy should default to 'safe', got '$default_autonomy'"
+cat > "$EAGLE_CONFIG_FILE" <<'TOML'
+[orchestration]
+worker_autonomy = "danger"
+TOML
+opt_in_autonomy=$(orchestrate_worker_autonomy)
+[ "$opt_in_autonomy" = "danger" ] || fail "worker_autonomy='danger' should opt into 'danger', got '$opt_in_autonomy'"
+rm -f "$EAGLE_CONFIG_FILE"
+
+# The generated safe run-script must not contain danger-full-access / never / dontAsk.
+project="orch-proj"; name="orch-name"
+eval "$(sed -n '/^orchestrate_worker_run_script()/,/^}/p' "$ROOT_DIR/scripts/orchestrate.sh")"
+safe_script="$tmp_dir/safe-run.sh"
+orchestrate_worker_run_script "$safe_script" "codex" "m" "xhigh" "/wt" "/p.md" "/exit" "/last" "/bin" "lane1" "/log"
+if grep -qE 'danger-full-access|approval_policy="never"' "$safe_script"; then
+    fail "safe-mode codex worker still uses full-access flags"
+fi
+safe_claude="$tmp_dir/safe-claude.sh"
+orchestrate_worker_run_script "$safe_claude" "claude-code" "m" "xhigh" "/wt" "/p.md" "/exit" "/last" "/bin" "lane1" "/log"
+if grep -q 'permission-mode dontAsk' "$safe_claude"; then
+    fail "safe-mode claude worker still uses --permission-mode dontAsk"
+fi
+
+# ── Finding 7: logs path resolver containment ────────────────────────────
+runs_root="$tmp_dir/runs"; mkdir -p "$runs_root"
+echo "log line" > "$runs_root/run1.log"
+secret_dir="$tmp_dir/secret"; mkdir -p "$secret_dir"
+echo "TOPSECRET" > "$secret_dir/secret.log"
+ln -s "$secret_dir/secret.log" "$runs_root/evil.log"
+eval "$(sed -n '/^canonicalize_path()/,/^}/p;/^path_within()/,/^}/p;/^resolve_log_path()/,/^}/p' "$ROOT_DIR/scripts/logs.sh")"
+EAGLE_RUNS_DIR="$runs_root"
+
+valid=$(resolve_log_path "run1" || true)
+[ -n "$valid" ] || fail "logs resolver rejected a valid in-root log"
+
+if resolve_log_path "evil.log" >/dev/null 2>&1; then fail "logs resolver followed a symlink out of root"; fi
+if resolve_log_path "../../etc/passwd" >/dev/null 2>&1; then fail "logs resolver allowed traversal"; fi
+if resolve_log_path "$secret_dir/secret.log" >/dev/null 2>&1; then fail "logs resolver allowed an out-of-root absolute path"; fi
+if resolve_log_path "$runs_root/../secret/secret.log" >/dev/null 2>&1; then fail "logs resolver allowed prefixed traversal"; fi
+
+echo "PASS: redaction + autonomy + log-path containment regression coverage"