eagle-mem 4.12.1 → 4.13.1

package/scripts/logs.sh

@@ -26,13 +26,52 @@ Commands:
 EOF
 }
 
+# Canonicalize an absolute path, resolving symlinks and '..'. Prefers realpath,
+# falls back to python3, then to a best-effort directory canonicalization.
+canonicalize_path() {
+    local p="$1"
+    if command -v realpath >/dev/null 2>&1; then
+        realpath "$p" 2>/dev/null && return 0
+    fi
+    if command -v python3 >/dev/null 2>&1; then
+        python3 -c 'import os,sys; print(os.path.realpath(sys.argv[1]))' "$p" 2>/dev/null && return 0
+    fi
+    local dir base
+    dir=$(dirname "$p")
+    base=$(basename "$p")
+    dir=$(cd -P "$dir" 2>/dev/null && pwd) || return 1
+    printf '%s/%s\n' "$dir" "$base"
+}
+
+# Verify that $1 (a canonical path) is contained within $2 (a canonical dir).
+path_within() {
+    local path="$1" root="$2"
+    case "$path" in
+        "$root"/*) return 0 ;;
+        *) return 1 ;;
+    esac
+}
+
 resolve_log_path() {
     local ref="${1:-}"
     local runs_root="${EAGLE_RUNS_DIR%/}" rel_ref
+    local canon_root resolved canon_resolved
+    canon_root=$(canonicalize_path "$runs_root" 2>/dev/null) || canon_root="$runs_root"
+
+    emit_if_contained() {
+        local candidate="$1"
+        [ -L "$candidate" ] && return 1
+        [ -f "$candidate" ] || return 1
+        local canon
+        canon=$(canonicalize_path "$candidate" 2>/dev/null) || return 1
+        path_within "$canon" "$canon_root" || return 1
+        printf '%s\n' "$candidate"
+        return 0
+    }
+
     if [ -z "$ref" ]; then
         ls -t "$runs_root"/*.log 2>/dev/null | while IFS= read -r candidate; do
-            [ -L "$candidate" ] && continue
-            [ -f "$candidate" ] && printf '%s\n' "$candidate" && break
+            emit_if_contained "$candidate" && break
         done
         return 0
     fi
@@ -43,21 +82,14 @@ resolve_log_path() {
             rel_ref="${ref#"$runs_root"/}"
             [ "$rel_ref" != "$ref" ] || return 1
             case "$rel_ref" in ""|*/*) return 1 ;; esac
-            [ -L "$runs_root/$rel_ref" ] && return 1
-            [ -f "$runs_root/$rel_ref" ] && printf '%s\n' "$runs_root/$rel_ref" && return 0
+            emit_if_contained "$runs_root/$rel_ref" && return 0
             return 1
             ;;
         */*) return 1 ;;
     esac
 
-    if [ ! -L "$runs_root/$ref" ] && [ -f "$runs_root/$ref" ]; then
-        printf '%s\n' "$runs_root/$ref"
-        return 0
-    fi
-    if [ ! -L "$runs_root/$ref.log" ] && [ -f "$runs_root/$ref.log" ]; then
-        printf '%s\n' "$runs_root/$ref.log"
-        return 0
-    fi
+    emit_if_contained "$runs_root/$ref" && return 0
+    emit_if_contained "$runs_root/$ref.log" && return 0
     return 1
 }
 

package/scripts/orchestrate.sh

@@ -203,6 +203,20 @@ orchestrate_worker_effort() {
     esac
 }
 
+# Worker autonomy level. Defaults to "safe" so spawned workers cannot run with
+# unattended full-access sandbox/approval settings on prompts assembled from
+# DB-stored lane descriptions (stored-prompt-injection surface). Set
+# [orchestration] worker_autonomy = "danger" to opt back into the previous
+# full-access behavior.
+orchestrate_worker_autonomy() {
+    local mode
+    mode=$(eagle_config_get "orchestration" "worker_autonomy" "safe")
+    case "$mode" in
+        danger|danger-full-access|full) echo "danger" ;;
+        *) echo "safe" ;;
+    esac
+}
+
 orchestrate_require_worker_cli() {
     case "$1" in
         codex)
@@ -775,6 +789,22 @@ orchestrate_worker_run_script() {
     local complete_note="Worker exited 0; log: $log_path"
     local block_note="Worker exited non-zero; log: $log_path"
 
+    # Autonomy gating: full-access unattended execution is opt-in (see
+    # orchestrate_worker_autonomy). The default "safe" mode keeps a sandbox and
+    # approval/permission gate in place because lane prompts come from
+    # DB-stored descriptions (stored-prompt-injection surface).
+    local autonomy codex_sandbox codex_approval claude_permission
+    autonomy=$(orchestrate_worker_autonomy)
+    if [ "$autonomy" = "danger" ]; then
+        codex_sandbox="danger-full-access"
+        codex_approval='approval_policy="never"'
+        claude_permission="dontAsk"
+    else
+        codex_sandbox="workspace-write"
+        codex_approval='approval_policy="on-request"'
+        claude_permission="acceptEdits"
+    fi
+
     {
         echo '#!/usr/bin/env bash'
         echo 'set +e'
@@ -786,12 +816,12 @@ orchestrate_worker_run_script() {
         printf 'export EAGLE_ORCHESTRATION_LANE=%q\n' "$lane_key"
         printf 'export EAGLE_ORCHESTRATION_WORKTREE=%q\n' "$worktree"
         if [ "$worker_agent" = "codex" ]; then
-            printf 'codex exec --cd %q --model %q -c %q -c %q --sandbox danger-full-access --output-last-message %q - < %q\n' \
-                "$worktree" "$worker_model" "$effort_config" 'approval_policy="never"' "$last_message_path" "$prompt_file"
+            printf 'codex exec --cd %q --model %q -c %q -c %q --sandbox %q --output-last-message %q - < %q\n' \
+                "$worktree" "$worker_model" "$effort_config" "$codex_approval" "$codex_sandbox" "$last_message_path" "$prompt_file"
         else
             printf 'prompt=$(cat %q)\n' "$prompt_file"
-            printf 'claude -p --model %q --effort %q --permission-mode dontAsk --output-format text "$prompt"\n' \
-                "$worker_model" "$worker_effort"
+            printf 'claude -p --model %q --effort %q --permission-mode %q --output-format text "$prompt"\n' \
+                "$worker_model" "$worker_effort" "$claude_permission"
         fi
         echo 'rc=$?'
         printf 'printf "%%s\\n" "$rc" > %q\n' "$exit_path"

package/scripts/session.sh

@@ -104,6 +104,11 @@ save_session() {
                 summary="$2"
                 shift 2
                 ;;
+            --summary-stdin)
+                # Read the summary from stdin so it is not visible in `ps`.
+                summary="$(cat)"
+                shift
+                ;;
             --request)
                 require_value "$1" "${2:-}"
                 request="$2"

package/scripts/statusline-em.sh

@@ -65,7 +65,11 @@ eagle_mem_statusline_stats() {
     project_scope=$(eagle_recall_project_scope_from_cwd "${current_dir:-$project_dir}" "$project_key")
     project_condition=$(eagle_sql_project_scope_condition "project" "$project_scope")
 
-    stats=$("$sqlite_bin" "$em_db" "SELECT
+    # busy_timeout so a momentary SQLITE_BUSY (this is the hottest standalone
+    # query during live sessions) waits for the lock instead of exiting non-zero,
+    # which would otherwise escalate to an integrity-status mislabel below.
+    stats=$("$sqlite_bin" "$em_db" "PRAGMA busy_timeout=10000;
+        SELECT
         COUNT(*) || '|' ||
         (SELECT COUNT(*) FROM agent_memories WHERE $project_condition) || '|' ||
         COALESCE(MAX(COALESCE(last_activity_at, started_at)), 'never')

package/scripts/tasks.sh

@@ -153,10 +153,13 @@ tasks_list() {
             in_progress)
                 icon="${CYAN}>${RESET}"
                 marker=" ${CYAN}[in_progress]${RESET}"
-                # Staleness check for discipline
+                # Staleness check for discipline. Route through eagle_db (busy_timeout
+                # + FTS5-capable sqlite3) and escape $updated_at — it is a DB-read value
+                # interpolated back into SQL, so a quote would be second-order injection.
                 if [ -n "$updated_at" ]; then
-                    local age_days
-                    age_days=$(echo "SELECT (julianday('now') - julianday('$updated_at'))" | sqlite3 "$EAGLE_MEM_DB" 2>/dev/null | cut -d. -f1)
+                    local age_days updated_at_sql
+                    updated_at_sql=$(eagle_sql_escape "$updated_at")
+                    age_days=$(eagle_db "SELECT (julianday('now') - julianday('$updated_at_sql'));" 2>/dev/null | cut -d. -f1)
                     if [ -n "$age_days" ] && [ "$age_days" -gt 7 ]; then
                         marker+=" ${RED}[STALE - ${age_days}d]${RESET}"
                     fi

package/scripts/test.sh

@@ -16,16 +16,31 @@ eagle_banner
 eagle_header "Smoke Tests"
 
 errors=0
+skipped=0
 
 run_check() {
     local name="$1"
     local cmd="$2"
     echo -e "  ${BOLD}→${RESET} $name"
-    if eval "$cmd" >/dev/null 2>&1; then
+    local rc=0
+    eval "$cmd" >/dev/null 2>&1 || rc=$?
+    if [ "$rc" -eq 0 ]; then
         eagle_ok "$name"
+    elif [ "$rc" -eq 2 ]; then
+        # Exit code 2 = the check skipped itself because its preconditions are
+        # absent in this environment — e.g. a dev-only contract test running
+        # from a published install, where the maintainer doc it guards is not
+        # shipped in the npm package. A skip is neither a pass nor a failure, so
+        # it must not increment the error count or fail the suite.
+        eagle_info "skipped: $name (preconditions not present here)"
+        skipped=$((skipped + 1))
     else
         eagle_fail "$name"
-        ((errors++))
+        # Assignment form (not ((errors++))) so a failing check does not abort
+        # the whole runner under `set -e`: ((errors++)) returns exit 1 when the
+        # pre-increment value is 0, killing the suite at the first failure and
+        # skipping the failure-count summary below.
+        errors=$((errors + 1))
     fi
 }
 
@@ -69,11 +84,24 @@ run_check "Recall Observability (UserPromptSubmit recall event)" "bash \"$SCRIPT
 run_check "Eagle Event Log (hook/action observability)" "bash \"$SCRIPTS_DIR/../tests/test_eagle_events.sh\""
 run_check "Dashboard Surface (local HTML memory view)" "bash \"$SCRIPTS_DIR/../tests/test_dashboard.sh\""
 run_check "Clean Session Capture (capture_source, fill-only upsert, no clobber)" "bash \"$SCRIPTS_DIR/../tests/test_clean_session_capture.sh\""
+run_check "Context Budget (SessionStart injection ceiling: normal unchanged, pathological capped + logged)" "bash \"$SCRIPTS_DIR/../tests/test_context_budget.sh\""
 run_check "CLAUDE.md Capture Doctrine (installer rewrites outdated section)" "bash \"$SCRIPTS_DIR/../tests/test_claude_md_capture_doctrine.sh\""
+run_check "Redaction Coverage (provider input, recall events, enrich job, autonomy, log paths)" "bash \"$SCRIPTS_DIR/../tests/test_redaction_coverage.sh\""
+run_check "Data Integrity Hardening (migrate idempotency, SQL escaping, summary precedence)" "bash \"$SCRIPTS_DIR/../tests/test_data_integrity_hardening.sh\""
+run_check "Mod-Tracker Concurrency (lock TTL, no lost append, observation dedup race)" "bash \"$SCRIPTS_DIR/../tests/test_mod_tracker_concurrency.sh\""
+run_check "Reliability Retention (scan in-flight vs freshness, eagle_events prune)" "bash \"$SCRIPTS_DIR/../tests/test_reliability_retention.sh\""
+run_check "Test Runner No-Abort (failing check does not kill the suite under set -e)" "bash \"$SCRIPTS_DIR/../tests/test_test_runner_no_abort.sh\""
+# Python lane: the native Antigravity hook (mocked). Subshell-wrapped so a
+# missing python3 yields a clean skip (exit 2) instead of aborting the suite.
+run_check "Antigravity Hook (native Python SDK lifecycle, mocked)" "( command -v python3 >/dev/null 2>&1 || exit 2; python3 \"$SCRIPTS_DIR/../tests/test_antigravity_hook.py\" )"
 
 echo ""
 if [ "$errors" -eq 0 ]; then
-    eagle_ok "All smoke tests passed"
+    if [ "$skipped" -gt 0 ]; then
+        eagle_ok "All smoke tests passed ($skipped skipped — preconditions not present here)"
+    else
+        eagle_ok "All smoke tests passed"
+    fi
     
     # Auto-verify the 7 core features in the database
     for feat in "compaction-survival" "feature-verification" "grok-cli-integration" "agent-orchestration" "Cross Agent Memory" "Installer And Updater" "Code Scan And Index"; do

package/scripts/update.sh

@@ -86,23 +86,9 @@ fi
 # ─── Re-register hooks (idempotent) ───────────────────────
 
 if [ "$claude_found" = true ] && [ -f "$SETTINGS" ] && command -v jq &>/dev/null; then
-    # Clean old registrations before re-registering (handles matcher changes across versions)
-    eagle_clean_hook_entries "$SETTINGS" "Stop" "$EAGLE_MEM_DIR/hooks/stop.sh"
-    eagle_clean_hook_entries "$SETTINGS" "PostToolUse" "$EAGLE_MEM_DIR/hooks/post-tool-use.sh"
-    eagle_clean_hook_entries "$SETTINGS" "PreToolUse" "$EAGLE_MEM_DIR/hooks/pre-tool-use.sh"
-
-    eagle_patch_hook "$SETTINGS" "SessionStart" "" "$EAGLE_MEM_DIR/hooks/session-start.sh"
-    eagle_patch_hook "$SETTINGS" "Stop" "" "bash \"$EAGLE_MEM_DIR/hooks/stop.sh\""
-    eagle_patch_hook "$SETTINGS" "PostToolUse" "Read|Write|Edit|Bash|TaskUpdate" "$EAGLE_MEM_DIR/hooks/post-tool-use.sh"
-    eagle_patch_hook "$SETTINGS" "TaskCreated" "" "$EAGLE_MEM_DIR/hooks/post-tool-use.sh"
-    eagle_patch_hook "$SETTINGS" "TaskCompleted" "" "$EAGLE_MEM_DIR/hooks/post-tool-use.sh"
-    eagle_patch_hook "$SETTINGS" "SessionEnd" "" "$EAGLE_MEM_DIR/hooks/session-end.sh"
-    eagle_patch_hook "$SETTINGS" "UserPromptSubmit" "" "$EAGLE_MEM_DIR/hooks/user-prompt-submit.sh"
-    eagle_patch_hook "$SETTINGS" "PreToolUse" "Bash|Read|Edit|Write" "$EAGLE_MEM_DIR/hooks/pre-tool-use.sh"
-
-    # Allow agent-issued session capture to run without a permission prompt
-    eagle_patch_permission_allow "$SETTINGS" "Bash(eagle-mem session save:*)"
-
+    # Single source of truth for the Claude hook set (see lib/hooks.sh); quiet
+    # mode — the updater prints one summary line instead of per-hook lines.
+    eagle_register_claude_hooks "$SETTINGS"
     eagle_ok "Hooks registered"
 fi
 

package/tests/test_compaction_survival_matrix.sh

@@ -7,7 +7,12 @@ set -euo pipefail
 ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
 EAGLE_BIN="$ROOT_DIR/bin/eagle-mem"
 
-tmp_dir=$(mktemp -d "$ROOT_DIR/.tmp-compaction-survival.XXXXXX")
+# Use a neutral system temp dir, NOT one inside $ROOT_DIR. From a published
+# install $ROOT_DIR lives under node_modules/, and the code scanner excludes
+# node_modules — so a fixture repo created here would index 0 files and the
+# post-compact "Relevant Code" recall would never appear (the suite is run from
+# the installed package via `eagle-mem test`).
+tmp_dir=$(mktemp -d "${TMPDIR:-/tmp}/eagle-compaction-survival.XXXXXX")
 trap 'rm -rf "$tmp_dir"' EXIT
 
 export HOME="$tmp_dir/home"
@@ -190,6 +195,13 @@ assert_json "$compaction_json" '
     and .metrics.semantic_graph_nodes >= 5
 ' "compaction --json did not report durable survival metrics"
 
+# Index the fixture code deterministically so the post-compact recall can
+# surface "Relevant Code". This previously relied on a background auto-index
+# that only won the race from a warm source checkout, so the assertion failed
+# when the suite ran from a published install via `eagle-mem test`. The
+# `index` command is synchronous, so chunks exist by the time the hook runs.
+( cd "$repo" && "$EAGLE_BIN" index >/dev/null 2>&1 )
+
 eagle_upsert_session "$post_session" "$project" "$repo" "test-model" "test" "codex" >/dev/null
 hook_input=$(jq -nc \
     --arg sid "$post_session" \

package/tests/test_context_budget.sh

@@ -0,0 +1,117 @@
+#!/usr/bin/env bash
+# ═══════════════════════════════════════════════════════════
+# Eagle Mem — SessionStart injection budget regression suite
+# Proves the global recall-injection ceiling:
+#   (a) normal-sized recall is emitted UNCHANGED (no trimming)
+#   (b) a pathologically large recall is capped at the budget,
+#       drops whole low-priority sections from the bottom, keeps the
+#       highest-priority top sections, and LOGS a trim (observable)
+# ═══════════════════════════════════════════════════════════
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
+tmp_dir=$(mktemp -d)
+trap 'rm -rf "$tmp_dir"' EXIT
+
+fail() { echo "FAIL: $1" >&2; exit 1; }
+
+assert_eq() {
+    [ "$1" = "$2" ] || fail "$3 (expected='$2' actual='$1')"
+}
+
+assert_contains() {
+    case "$1" in *"$2"*) ;; *) fail "$3 (missing: $2)" ;; esac
+}
+
+assert_not_contains() {
+    case "$1" in *"$2"*) fail "$3 (unexpectedly present: $2)" ;; esac
+}
+
+. "$ROOT_DIR/lib/common.sh"
+
+trim_count_file="$tmp_dir/.trim-count"
+export EAGLE_INJECT_TRIM_COUNT="$trim_count_file"
+
+# ─── Budget helper: sane default + floor against self-defeating values ──
+default_budget=$(eagle_sessionstart_inject_budget)
+[ "$default_budget" -ge 4000 ] 2>/dev/null \
+    || fail "default budget unexpectedly small ($default_budget)"
+
+floored=$(EAGLE_MEM_DIR="$tmp_dir" bash -c "
+    . '$ROOT_DIR/lib/common.sh'
+    mkdir -p '$tmp_dir'
+    printf '[context_budget]\nsessionstart_chars = 10\n' > '$tmp_dir/config.toml'
+    eagle_sessionstart_inject_budget
+")
+[ "$floored" -ge 4000 ] 2>/dev/null \
+    || fail "tiny configured budget was not floored ($floored)"
+
+# ─── (a) Normal-sized recall — emitted UNCHANGED ──────────────────────
+normal_body="=== Eagle Mem: Project Overview ===
+A small project overview that fits comfortably.
+=== Eagle Mem: Recent Recall ===
+One recent session summary.
+=== Eagle Mem: Stored Memories ===
+  - [project][claude] Some memory: short description (today)
+=== Eagle Mem: Core Files ===
+  - main.sh
+=== Eagle Mem: Working Set ===
+  - app.ts (2 edits)"
+
+normal_out=$(printf '%s' "$normal_body" | eagle_trim_inject_body 24000)
+normal_dropped=$(cat "$trim_count_file")
+
+assert_eq "$normal_out" "$normal_body" "normal recall was modified by the budget"
+assert_eq "$normal_dropped" "0" "normal recall reported a non-zero trim"
+
+# ─── (b) Pathological recall — capped, low-priority dropped, top kept ──
+# Build a body whose top section is small but whose trailing sections are
+# huge, so the ceiling must engage.
+huge=$(head -c 9000 /dev/zero | tr '\0' 'x')
+big_body="=== Eagle Mem: Project Overview ===
+KEEP_OVERVIEW_MARKER top-priority overview must survive.
+=== Eagle Mem: Recent Recall ===
+$huge
+=== Eagle Mem: Tasks ===
+$huge
+=== Eagle Mem: Core Files ===
+$huge
+=== Eagle Mem: Working Set ===
+$huge"
+
+budget=12000
+big_out=$(printf '%s' "$big_body" | eagle_trim_inject_body "$budget")
+big_dropped=$(cat "$trim_count_file")
+
+[ "${#big_out}" -le "$budget" ] 2>/dev/null \
+    || fail "trimmed body still exceeds budget (${#big_out} > $budget)"
+[ "$big_dropped" -gt 0 ] 2>/dev/null \
+    || fail "pathological recall did not report any trimmed sections"
+assert_contains "$big_out" "KEEP_OVERVIEW_MARKER" \
+    "top-priority Overview section was dropped"
+assert_not_contains "$big_out" "=== Eagle Mem: Working Set ===" \
+    "lowest-priority Working Set section survived past the budget"
+
+# ─── Termination safety: a single oversized first section is kept whole ──
+oversized=$(head -c 20000 /dev/zero | tr '\0' 'y')
+solo_body="=== Eagle Mem: Project Overview ===
+$oversized"
+solo_out=$(printf '%s' "$solo_body" | eagle_trim_inject_body 5000)
+solo_dropped=$(cat "$trim_count_file")
+assert_contains "$solo_out" "=== Eagle Mem: Project Overview ===" \
+    "oversized lone section was discarded instead of kept whole"
+assert_eq "$solo_dropped" "0" "oversized lone section reported a phantom trim"
+
+# A body with no section markers is returned verbatim (no infinite loop).
+nomarker_out=$(printf '%s' "$oversized" | eagle_trim_inject_body 5000)
+assert_eq "${#nomarker_out}" "${#oversized}" "marker-less body was altered"
+
+# ─── Observable trim: the hook logs a WARN when it trims ──────────────
+# The hook engages the ceiling and logs a WARN with the dropped-section count
+# whenever it trims; assert that observable surface exists in the hook.
+grep -q 'SessionStart: injection over budget' "$ROOT_DIR/hooks/session-start.sh" \
+    || fail "session-start.sh missing observable over-budget WARN log"
+grep -q 'trimmed .* low-priority section' "$ROOT_DIR/hooks/session-start.sh" \
+    || fail "session-start.sh WARN log does not report trimmed section count"
+
+echo "PASS: SessionStart injection budget (normal unchanged, pathological capped + logged)"

package/tests/test_data_integrity_hardening.sh

@@ -0,0 +1,115 @@
+#!/usr/bin/env bash
+# ═══════════════════════════════════════════════════════════
+# Eagle Mem — Data integrity hardening regression test
+# Covers:
+#   - migrate.sh idempotency (re-run is a no-op, _migrations unchanged)
+#   - SQL escaping units (single quotes, FTS metachars, GLOB/LIKE patterns
+#     stored verbatim and queryable — no injection, no crash)
+#   - Summary precedence: eagle_insert_summary vs _fill_only — capture_source
+#     AND project stickiness on agent rows (finding #8 clobber)
+# ═══════════════════════════════════════════════════════════
+set -uo pipefail
+
+ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
+tmp_dir=$(mktemp -d)
+trap 'rm -rf "$tmp_dir"' EXIT
+
+export EAGLE_MEM_DIR="$tmp_dir/em"
+export EAGLE_AGENT_SOURCE="claude-code"
+export EAGLE_MEM_DISABLE_HOOKS=1
+mkdir -p "$EAGLE_MEM_DIR"
+
+pass=0; fail=0
+ok()  { echo "  ok: $1"; pass=$((pass+1)); }
+bad() { echo "  FAIL: $1" >&2; fail=$((fail+1)); }
+
+bash "$ROOT_DIR/db/migrate.sh" >/dev/null 2>&1
+
+. "$ROOT_DIR/lib/common.sh"
+. "$ROOT_DIR/lib/db.sh"
+
+# ── migrate.sh idempotency ──────────────────────────────────
+mig_before=$(eagle_db "SELECT COUNT(*) || ':' || COALESCE(MAX(id),0) FROM _migrations;")
+mig_out=$(bash "$ROOT_DIR/db/migrate.sh" 2>&1); mig_rc=$?
+[ "$mig_rc" -eq 0 ] && ok "migrate 2nd run exits 0" || bad "migrate 2nd run rc=$mig_rc out=$mig_out"
+case "$mig_out" in
+    *applied:*) bad "migrate 2nd run re-applied a migration: $mig_out" ;;
+    *) ok "migrate 2nd run applied nothing" ;;
+esac
+mig_after=$(eagle_db "SELECT COUNT(*) || ':' || COALESCE(MAX(id),0) FROM _migrations;")
+[ "$mig_before" = "$mig_after" ] && ok "_migrations unchanged on 2nd run ($mig_after)" || bad "_migrations drifted: $mig_before -> $mig_after"
+
+# ── SQL escaping units ──────────────────────────────────────
+# Each payload is stored verbatim via eagle_insert_summary (escaped) and read
+# back; a quote/metachar that broke out of the literal would error or truncate.
+SID_Q="esc-quote-001"
+eagle_upsert_session "$SID_Q" "esc/proj" "$tmp_dir" "" "test" "claude-code"
+quote_payload="it's a \"trap\"; DROP TABLE summaries;-- '' or 1=1"
+eagle_insert_summary "$SID_Q" "esc/proj" "$quote_payload" "" "" "" "" "[]" "[]" "" "" "" "" "claude-code" "agent"
+got_q=$(eagle_db "SELECT request FROM summaries WHERE session_id='$SID_Q';")
+[ "$got_q" = "$quote_payload" ] && ok "single-quote/SQL-injection payload stored verbatim" || bad "quote payload mangled -> '$got_q'"
+# summaries table still present (no DROP executed)
+have_tbl=$(eagle_db "SELECT name FROM sqlite_master WHERE type='table' AND name='summaries';")
+[ "$have_tbl" = "summaries" ] && ok "summaries table intact after injection attempt" || bad "summaries table missing — injection executed"
+
+SID_F="esc-fts-002"
+eagle_upsert_session "$SID_F" "esc/proj" "$tmp_dir" "" "test" "claude-code"
+fts_payload='NEAR("foo" bar)* AND col:val OR -baz {set}'
+eagle_insert_summary "$SID_F" "esc/proj" "$fts_payload" "" "" "" "" "[]" "[]" "" "" "" "" "claude-code" "agent"
+got_f=$(eagle_db "SELECT request FROM summaries WHERE session_id='$SID_F';")
+[ "$got_f" = "$fts_payload" ] && ok "FTS-metachar payload stored verbatim" || bad "FTS payload mangled -> '$got_f'"
+# FTS search over a benign token must not crash even though row has metachars
+srch=$(eagle_search_summaries "foo" "" 5 2>&1); srch_rc=$?
+[ "$srch_rc" -eq 0 ] && ok "FTS search over metachar corpus did not crash (rc=0)" || bad "FTS search crashed rc=$srch_rc: $srch"
+
+SID_G="esc-glob-003"
+eagle_upsert_session "$SID_G" "esc/proj" "$tmp_dir" "" "test" "claude-code"
+glob_payload='100% OFF _now_ [a-z]* path\to\file'
+eagle_insert_observation "$SID_G" "esc/proj" "Bash" "$glob_payload" "[]" "[]"
+got_g=$(eagle_db "SELECT tool_input_summary FROM observations WHERE session_id='$SID_G';")
+[ "$got_g" = "$glob_payload" ] && ok "GLOB/LIKE-metachar payload stored verbatim in observations" || bad "glob payload mangled -> '$got_g'"
+
+# guardrail field escaping (single quote)
+if declare -F eagle_add_guardrail >/dev/null 2>&1; then
+    eagle_add_guardrail "esc/proj" "don't touch '; DELETE FROM guardrails;--" "*.sh" "test" >/dev/null 2>&1
+    grc=$(eagle_db "SELECT rule FROM guardrails WHERE project='esc/proj' ORDER BY id DESC LIMIT 1;")
+    case "$grc" in *"don't touch"*) ok "guardrail rule with quote stored verbatim" ;; *) bad "guardrail rule mangled -> '$grc'" ;; esac
+    gcount=$(eagle_db "SELECT name FROM sqlite_master WHERE type='table' AND name='guardrails';")
+    [ "$gcount" = "guardrails" ] && ok "guardrails table intact after injection attempt" || bad "guardrails table dropped — injection executed"
+else
+    ok "eagle_add_guardrail not present — skipped (non-fatal)"
+fi
+
+# ── Summary precedence / clobber (finding #8) ───────────────
+# An agent-authored row must NOT have its project rekeyed by a later hook-path
+# writer that arrives with a drifted project key.
+SID_P="precedence-004"
+eagle_upsert_session "$SID_P" "real/project" "$tmp_dir" "" "test" "claude-code"
+eagle_insert_summary "$SID_P" "real/project" "agent req" "" "" "agent done" "" "[]" "[]" "" "agent decision" "" "" "claude-code" "agent"
+[ "$(eagle_db "SELECT capture_source FROM summaries WHERE session_id='$SID_P';")" = "agent" ] && ok "P: capture_source=agent after agent insert" || bad "P: capture_source not agent"
+[ "$(eagle_db "SELECT project FROM summaries WHERE session_id='$SID_P';")" = "real/project" ] && ok "P: project=real/project after agent insert" || bad "P: project wrong"
+
+# Later hook writer with a DRIFTED project key + heuristic capture_source.
+eagle_insert_summary "$SID_P" "DRIFTED/wrong-key" "" "" "" "" "" "[]" "[]" "" "" "" "" "claude-code" "hook"
+proj_after=$(eagle_db "SELECT project FROM summaries WHERE session_id='$SID_P';")
+[ "$proj_after" = "real/project" ] && ok "P: agent row project NOT clobbered by drifted hook write" || bad "P: project clobbered -> '$proj_after'"
+[ "$(eagle_db "SELECT capture_source FROM summaries WHERE session_id='$SID_P';")" = "agent" ] && ok "P: capture_source stays agent" || bad "P: capture_source downgraded"
+[ "$(eagle_db "SELECT completed FROM summaries WHERE session_id='$SID_P';")" = "agent done" ] && ok "P: agent completed preserved" || bad "P: completed clobbered"
+
+# Contrast: a hook-authored row (capture_source != agent) SHOULD still accept a
+# project correction (the normal drift-repair path must not regress).
+SID_H="precedence-005"
+eagle_upsert_session "$SID_H" "hookproj/a" "$tmp_dir" "" "test" "claude-code"
+eagle_insert_summary "$SID_H" "hookproj/a" "hook req" "" "" "hook done" "" "[]" "[]" "" "" "" "" "claude-code" "hook"
+eagle_insert_summary "$SID_H" "hookproj/b" "" "" "" "" "" "[]" "[]" "" "" "" "" "claude-code" "hook"
+proj_h=$(eagle_db "SELECT project FROM summaries WHERE session_id='$SID_H';")
+[ "$proj_h" = "hookproj/b" ] && ok "H: hook row project STILL repairable (no regression)" || bad "H: hook project not updated -> '$proj_h'"
+
+# fill_only must never change project or downgrade capture_source on agent row
+eagle_insert_summary_fill_only "$SID_P" "ANOTHER/drift" "" "" "fill learned" "" "" "[]" "[]" "" "" "" "" "claude-code" "enrich"
+[ "$(eagle_db "SELECT project FROM summaries WHERE session_id='$SID_P';")" = "real/project" ] && ok "P: fill_only did not change project" || bad "P: fill_only changed project"
+case "$(eagle_db "SELECT learned FROM summaries WHERE session_id='$SID_P';")" in *"fill learned"*) ok "P: fill_only filled empty learned gap" ;; *) bad "P: fill_only did not fill learned" ;; esac
+
+echo ""
+echo "test_data_integrity_hardening: $pass passed, $fail failed"
+[ "$fail" -eq 0 ]