eagle-mem 4.13.1 → 4.14.1

package/CHANGELOG.md

@@ -4,6 +4,38 @@ All notable changes to the **Eagle Mem** project are documented here.
 
 ---
 
+## v4.14.1 busy_timeout Echo Fix
+
+A latent data-corruption and statusline-display bug, introduced when `busy_timeout` protection was added to three hot SQLite paths (the 2026-06-10 data-integrity hardening). No new feature; pure correctness.
+
+- **Root cause.** Setting the busy timeout with an inline value-form `PRAGMA busy_timeout=10000;` run in the *same* `sqlite3` invocation as a `SELECT` makes SQLite echo the timeout value (`10000`) as the **first output row**. Any caller that reads the first line then mis-reads `10000` as query data.
+- **Impact (all three fixed).**
+  - `scripts/statusline-em.sh`: the HUD parsed the echoed `10000` as the session count, rendering `Sessions: 10000`, `Memories: 0`, `Last: never`.
+  - `lib/common.sh` `eagle_get_session_project_light`: returned `10000` as the project, **mis-filing sessions under a phantom `10000` project key** (the data-corruption vector).
+  - `lib/common.sh` `eagle_project_has_table_row`: the echoed value failed the `= "1"` test, so it **always reported "no row"**, breaking ancestor-project repair.
+- **Fix.** All three set the timeout via the silent `-cmd ".timeout 10000"` dot-command, which emits no row. No SQL behavior, hook contract, statusline schema, or output format changes — only the timeout-set mechanism. `db/migrate.sh` (uses `tail -n1`) and the `.output`-bracketed setups in `lib/db-core.sh` were already echo-safe and are unchanged.
+- **No data migration needed for most installs.** The corruption only accrues while running unpatched code, and only affects session→project tags. The release ships the durable source fix so `eagle-mem update` can no longer reintroduce the bug.
+
+New coverage: `tests/test_busy_timeout_echo.sh` (reproduces the failure — buggy form returns `10000`/always-false — plus a structural guard against re-introducing the inline value-PRAGMA-before-SELECT shape). Compatibility evidence: `docs/agent-compatibility/claude-code.md`.
+
+---
+
+## v4.14.0 Governance Parity & Curator Provenance
+
+Two trust-surface features that close the remaining governance gaps from the v4.13.0 review.
+
+- **Release-gate parity at the git layer (`eagle-mem gate`).** The feature-verification gate was enforced only in `PreToolUse`, so a bare-shell `git push` or a Grok session (no hook lifecycle) bypassed governance entirely. New `eagle-mem gate`:
+  - `gate check` runs the same reconcile-and-block logic as the hook for the current repo (exit 1 when verifications are pending). It **fails open** (exit 0) when Eagle Mem is disabled, has no database, or the directory isn't a recognized project — a git hook must never wedge unrelated pushes.
+  - `gate install [--repo PATH] [--force]` installs an **opt-in, repo-local** `pre-push` hook that calls `gate check`, and **refuses to clobber** a pre-existing non-Eagle-Mem hook. `gate uninstall` removes only the managed hook.
+  - Bypass a single push with `git push --no-verify` or `EAGLE_MEM_DISABLE_HOOKS=1 git push`.
+  - Opt-in by design (Eagle Mem installs agent hooks globally but does not silently add git hooks to every repo). The cross-agent enforcement scope is documented in `docs/agent-compatibility/README.md`.
+- **Provenance + trust gate for curator-generated command rules.** Command rules steer `PreToolUse` output handling (`truncate` appends `| head -N`; `summary` adds a hint). They could be authored by the LLM curator with only format-level validation. Migration 045 adds `command_rules.source` (`manual` | `curator`); the curator tags its rules `curator`; and `eagle_get_command_rule` honors `token_guard.trust_learned_rules` (default **true**, preserving auto-learning). Set it `false` to apply only human-authored rules, so model output cannot silently shape command handling. (Guardrails already carried provenance; the actual command rewrite path is code-derived, not LLM-derived — so the gap was scoped to command rules.)
+- **Performance proposals evaluated, intentionally not implemented.** The deferred Phase 4 micro-optimizations were assessed and found net-negative: a PostToolUse zero-state short-circuit adds a query to the common populated case to save queries only in rare empty projects; UserPromptSubmit query consolidation entangles three differently-ranked FTS queries to save ~1 process spawn; a provider output cache has a near-zero hit rate because enrichment prompts embed unique per-session transcript excerpts. The meaningful token-economy win (the SessionStart injection ceiling) shipped in v4.13.0.
+
+New coverage: `tests/test_release_gate_prepush.sh`, `tests/test_command_rule_provenance.sh`.
+
+---
+
 ## v4.13.1 Test-Suite & Packaging Hygiene
 
 Follow-up cleanup that clears the bounded items left after the v4.13.0 review. No runtime behavior change for normal sessions.

package/bin/eagle-mem

@@ -31,6 +31,7 @@ case "$command" in
     updates)    bash "$SCRIPTS_DIR/updates.sh" "$@" ;;
     statusline) "$SCRIPTS_DIR/statusline-em.sh" "$@" ;;
     guard)      bash "$SCRIPTS_DIR/guard.sh" "$@" ;;
+    gate)       bash "$SCRIPTS_DIR/gate.sh" "$@" ;;
     overview)   bash "$SCRIPTS_DIR/overview.sh" "$@" ;;
     graph)      bash "$SCRIPTS_DIR/memories.sh" graph "$@" ;;
     session|sessions)

package/db/045_command_rules_source.sql

@@ -0,0 +1,14 @@
+-- Migration 045: Command-rule provenance
+-- command_rules steer output handling (truncate / summary) in the PreToolUse
+-- hook. They can be authored by a human OR generated by the LLM curator from
+-- observed command patterns. Tag who authored each rule so model-derived rules
+-- are auditable and can be excluded from enforcement when desired:
+--   'manual'  — human-authored (default; trusted)
+--   'curator' — generated by the LLM curator (eagle-mem curate)
+-- Default 'manual' preserves every existing row and the current behavior. The
+-- getter (eagle_get_command_rule) honors `token_guard.trust_learned_rules`
+-- (default true); set it false to apply only 'manual' rules.
+
+ALTER TABLE command_rules ADD COLUMN source TEXT NOT NULL DEFAULT 'manual';
+
+CREATE INDEX IF NOT EXISTS idx_command_rules_source ON command_rules(source);

package/docs/agent-compatibility/README.md

@@ -36,3 +36,18 @@ The compatibility gate applies to these file groups:
 - `CLAUDE.md` when present
 
 The test `tests/test_agent_compatibility_docs_gate.sh` enforces that these docs and fixtures exist. When sensitive files are changed in an uncommitted worktree, the same test also requires a changed compatibility doc or agent-hook fixture in the same diff.
+
+## Release-Gate Enforcement Scope
+
+The feature-verification release gate (blocking `git push` / `npm publish` / `gh pr create` while changed files map to unverified features) is enforced inside `PreToolUse` for agents that have a hook lifecycle: **Claude Code** and **Codex** (and, via the plugin adapter, **OpenCode**). Two paths historically bypassed it:
+
+- **Grok** is skills-and-CLI only — it has no hook lifecycle, so nothing intercepts its tool calls.
+- A **bare-shell `git push`** (any terminal, any agent, or none) never reaches `PreToolUse`.
+
+`eagle-mem gate` closes this gap at the git layer so governance is not silently skippable:
+
+- `eagle-mem gate check` runs the same reconcile-and-block logic as the hook for the current repo, exiting non-zero when verifications are pending. It **fails open** (exit 0) when Eagle Mem is disabled (`EAGLE_MEM_DISABLE_HOOKS=1`), has no database, or the directory is not a recognized project — a git hook must never wedge unrelated pushes.
+- `eagle-mem gate install [--repo PATH] [--force]` installs an **opt-in, repo-local** `pre-push` hook that calls `gate check`. It refuses to clobber a pre-existing non-Eagle-Mem `pre-push` hook unless `--force` is given. `eagle-mem gate uninstall` removes only the Eagle-Mem-managed hook.
+- Bypass a single push with `git push --no-verify` (skips git hooks) or `EAGLE_MEM_DISABLE_HOOKS=1 git push`.
+
+This is opt-in by design: Eagle Mem installs agent hooks globally but does not silently add git hooks to every repository. Coverage proof: `tests/test_release_gate_prepush.sh` (blocks on pending, fails open, install/foreign-protection/uninstall).

package/docs/agent-compatibility/claude-code.md

@@ -84,3 +84,12 @@ Phase 4 token-economy hardening added a generous global size ceiling on the reca
 
 Covered by `tests/test_context_budget.sh`.
 
+### Evidence: busy_timeout echo fix (2026-06-13)
+
+Corrects a regression introduced by the 2026-06-10 data-integrity note above. Setting the SQLite busy timeout with an inline value-form `PRAGMA busy_timeout=10000;` run in the *same* `sqlite3` invocation as a `SELECT` echoes the timeout value (`10000`) as the first output row. Any caller that reads the first row then misreads `10000` as data. The earlier note's claim that "statusline output rendering [is] unchanged" was therefore wrong — the statusline showed `Sessions: 10000`, `Memories: 0`. The fix sets the timeout via the silent `-cmd ".timeout 10000"` dot-command (no echoed row); no Claude Code contract changes (hook events, statusline stdin schema, and stdout/exit semantics are all unchanged). Specifically:
+
+- `scripts/statusline-em.sh`: the stats query drops the inline `PRAGMA busy_timeout=10000;` prefix and passes `-cmd ".timeout 10000"` to `sqlite3` instead, so `IFS='|' read` parses the real `sessions|memories|last` row rather than the echoed `10000`.
+- `lib/common.sh`: `eagle_get_session_project_light` (was returning `10000` as the project, mis-filing sessions under a phantom `10000` project key) and `eagle_project_has_table_row` (whose `= "1"` test always failed on the echoed value, so ancestor-project repair always saw "no row") use the same `-cmd ".timeout"` form.
+
+Covered by `tests/test_busy_timeout_echo.sh` (reproduces the failure: the buggy form returns `10000`/always-false; also a structural guard against re-introducing the inline value-PRAGMA-before-SELECT shape).
+

package/lib/common.sh

@@ -456,9 +456,12 @@ eagle_get_session_project_light() {
 
     local sid_sql project
     sid_sql=$(eagle_sql_escape "$session_id")
-    # busy_timeout so a momentary SQLITE_BUSY waits for the lock instead of
-    # exiting non-zero and being misread as "session has no project" (fail-open).
-    project=$("$sqlite_bin" "$EAGLE_MEM_DB" "PRAGMA busy_timeout=10000; SELECT project FROM sessions WHERE id = '$sid_sql' AND project != '' LIMIT 1;" 2>/dev/null | awk 'NF { print; exit }')
+    # busy_timeout (via the silent `-cmd ".timeout"` dot-command, NOT an inline
+    # `PRAGMA busy_timeout=N;`) so a momentary SQLITE_BUSY waits for the lock
+    # instead of exiting non-zero and being misread as "session has no project"
+    # (fail-open). An inline value-setting PRAGMA echoes its value ("10000") as
+    # the first output row, which `awk 'NF{...}'` would then return as the project.
+    project=$("$sqlite_bin" -cmd ".timeout 10000" "$EAGLE_MEM_DB" "SELECT project FROM sessions WHERE id = '$sid_sql' AND project != '' LIMIT 1;" 2>/dev/null | awk 'NF { print; exit }')
     [ -n "$project" ] || return 1
     printf '%s\n' "$project"
 }
@@ -481,9 +484,12 @@ eagle_project_has_table_row() {
 
     local project_sql found
     project_sql=$(eagle_sql_escape "$project")
-    # busy_timeout so a momentary SQLITE_BUSY waits for the lock instead of
-    # exiting non-zero and being misread as "row doesn't exist" (fail-open).
-    found=$("$sqlite_bin" "$EAGLE_MEM_DB" "PRAGMA busy_timeout=10000; SELECT 1 FROM $table WHERE project = '$project_sql' LIMIT 1;" 2>/dev/null | awk 'NF { print; exit }')
+    # busy_timeout (via the silent `-cmd ".timeout"` dot-command, NOT an inline
+    # `PRAGMA busy_timeout=N;`) so a momentary SQLITE_BUSY waits for the lock
+    # instead of exiting non-zero and being misread as "row doesn't exist"
+    # (fail-open). An inline value-setting PRAGMA echoes its value ("10000") as
+    # the first output row, which would then fail the `= "1"` test below.
+    found=$("$sqlite_bin" -cmd ".timeout 10000" "$EAGLE_MEM_DB" "SELECT 1 FROM $table WHERE project = '$project_sql' LIMIT 1;" 2>/dev/null | awk 'NF { print; exit }')
     [ "$found" = "1" ]
 }
 

package/lib/db-observations.sh

@@ -90,9 +90,26 @@ eagle_get_command_rule() {
     local project; project=$(eagle_sql_escape "$1")
     local base_cmd; base_cmd=$(eagle_sql_escape "$2")
     local full_cmd; full_cmd=$(eagle_sql_escape "${3:-$2}")
+
+    # Provenance gate: command_rules are human-authored ('manual') or generated
+    # by the LLM curator ('curator'). When token_guard.trust_learned_rules is
+    # false, only human-authored rules may steer command handling — model-derived
+    # rules are excluded so LLM output cannot silently shape execution. Default
+    # true preserves the auto-learning behavior. COALESCE guards rows written
+    # before migration 045 (treated as 'manual').
+    local trust
+    if declare -F eagle_config_get >/dev/null 2>&1; then
+        trust=$(eagle_config_get "token_guard" "trust_learned_rules" "true")
+    else
+        trust=$(eagle_config_get_light "token_guard" "trust_learned_rules" "true")
+    fi
+    local source_filter=""
+    [ "$trust" = "false" ] && source_filter="AND COALESCE(source, 'manual') = 'manual'"
+
     eagle_db "SELECT strategy, max_lines, reason
         FROM command_rules
         WHERE enabled = 1
+        $source_filter
         AND (project = '$project' OR project = '')
         AND ('$base_cmd' = pattern OR '$full_cmd' = pattern OR '$full_cmd' LIKE pattern || ' %')
         ORDER BY CASE WHEN project != '' THEN 0 ELSE 1 END,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "eagle-mem",
-  "version": "4.13.1",
+  "version": "4.14.1",
   "description": "Shared memory, release guardrails, RTK token protection, and worker lanes for Claude Code, Codex, OpenCode, Grok, and Google Antigravity",
   "bin": {
     "eagle-mem": "bin/eagle-mem"

package/scripts/curate.sh

@@ -316,12 +316,15 @@ If no rules needed, output: NONE"
                             ml_val="${max_lines:-NULL}"
                             [ "$ml_val" != "NULL" ] && ml_val=$(eagle_sql_int "$ml_val")
 
-                            eagle_db "INSERT INTO command_rules (project, pattern, strategy, max_lines, reason)
-                                VALUES ('$p_esc', '$pattern_esc', '$strategy', $ml_val, '$reason_esc')
+                            # Tag provenance: these rules are LLM-derived. They can be
+                            # excluded from enforcement via token_guard.trust_learned_rules=false.
+                            eagle_db "INSERT INTO command_rules (project, pattern, strategy, max_lines, reason, source)
+                                VALUES ('$p_esc', '$pattern_esc', '$strategy', $ml_val, '$reason_esc', 'curator')
                                 ON CONFLICT(project, pattern) DO UPDATE SET
                                     strategy = excluded.strategy,
                                     max_lines = excluded.max_lines,
                                     reason = excluded.reason,
+                                    source = 'curator',
                                     updated_at = strftime('%Y-%m-%dT%H:%M:%fZ', 'now');"
                             eagle_log "INFO" "Curator: added command rule: $pattern → $strategy"
                         fi

package/scripts/gate.sh

@@ -0,0 +1,159 @@
+#!/usr/bin/env bash
+# ═══════════════════════════════════════════════════════════
+# Eagle Mem — Release gate (git-layer parity)
+#
+# The PreToolUse hook already blocks release-boundary commands for Claude and
+# Codex. But a bare-shell `git push`, or a Grok session (which has no hook
+# lifecycle), bypasses that gate entirely. This brings the SAME feature-
+# verification gate to the git layer via an opt-in `pre-push` hook, so
+# governance is not silently skippable regardless of which agent (or no agent)
+# runs the push.
+#
+#   eagle-mem gate check            run the gate for the current repo (exit 1 if blocked)
+#   eagle-mem gate install [--repo PATH] [--force]
+#                                   install a repo-local .git/hooks/pre-push that runs `gate check`
+#   eagle-mem gate uninstall [--repo PATH]
+#                                   remove the Eagle Mem pre-push hook (only if it's ours)
+#
+# Bypass a single push: `git push --no-verify` or `EAGLE_MEM_DISABLE_HOOKS=1 git push`.
+# ═══════════════════════════════════════════════════════════
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+LIB_DIR="$SCRIPT_DIR/../lib"
+
+. "$LIB_DIR/common.sh"
+. "$LIB_DIR/db.sh"
+. "$SCRIPT_DIR/style.sh"
+
+HOOK_SENTINEL="# eagle-mem-managed-pre-push"
+
+gate_check() {
+    # Fail OPEN in any situation where blocking would be wrong: explicitly
+    # disabled, no database yet, or not inside a recognized project. A git hook
+    # must never wedge pushes just because Eagle Mem isn't set up here.
+    [ "${EAGLE_MEM_DISABLE_HOOKS:-}" = "1" ] && exit 0
+    [ -f "$EAGLE_MEM_DB" ] || exit 0
+
+    local cwd project
+    cwd="$(pwd)"
+    project=$(eagle_project_from_cwd "$cwd")
+    [ -z "$project" ] && exit 0
+
+    local release_changed_files
+    release_changed_files=$(eagle_changed_files_for_release "$cwd" 2>/dev/null || true)
+    eagle_reconcile_current_feature_verifications "$project" "$cwd" "git-prepush" "git-push" \
+        "Release boundary detected for current repository diff" "$release_changed_files" >/dev/null 2>&1 || true
+
+    local pending_rows pending_count
+    pending_rows=$(eagle_list_current_pending_feature_verifications "$project" "$cwd" "$release_changed_files" 8 2>/dev/null || true)
+    pending_count=$(printf '%s\n' "$pending_rows" | sed '/^[[:space:]]*$/d' | wc -l | tr -d ' ')
+    pending_count=${pending_count:-0}
+
+    if [ "$pending_count" -gt 0 ] 2>/dev/null; then
+        {
+            echo ""
+            echo "Eagle Mem blocked this push because ${pending_count} feature verification(s) are pending."
+            echo ""
+            echo "Resolve them, then push again:"
+            echo "  eagle-mem feature verify <name> --notes \"what passed\""
+            echo "  eagle-mem feature waive <id> --reason \"why this is safe\""
+            echo ""
+            echo "Pending checks:"
+            while IFS='|' read -r pid pname pfile preason _ptrigger _pcreated psmoke pfingerprint; do
+                [ -z "$pid" ] && continue
+                local line="  #${pid} ${pname}"
+                [ -n "$pfile" ] && line+=" (${pfile})"
+                [ -n "$preason" ] && line+=" — ${preason}"
+                [ -n "$psmoke" ] && line+=" | smoke: ${psmoke}"
+                [ -n "$pfingerprint" ] && line+=" | diff: ${pfingerprint}"
+                echo "$line"
+            done <<< "$pending_rows"
+            echo ""
+            echo "Bypass once: git push --no-verify   (or EAGLE_MEM_DISABLE_HOOKS=1 git push)"
+        } >&2
+        exit 1
+    fi
+    exit 0
+}
+
+# Resolve the .git/hooks dir for a repo (handles worktrees and submodules).
+gate_hooks_dir() {
+    local repo="$1"
+    ( cd "$repo" 2>/dev/null && git rev-parse --git-path hooks 2>/dev/null )
+}
+
+gate_install() {
+    local repo="" force=0
+    while [ $# -gt 0 ]; do
+        case "$1" in
+            --repo) repo="${2:-}"; shift 2 ;;
+            --force|-f) force=1; shift ;;
+            *) shift ;;
+        esac
+    done
+    repo="${repo:-$(pwd)}"
+
+    if ! ( cd "$repo" 2>/dev/null && git rev-parse --is-inside-work-tree >/dev/null 2>&1 ); then
+        eagle_err "Not a git repository: $repo"
+        exit 1
+    fi
+
+    local hooks_dir hook
+    hooks_dir="$(gate_hooks_dir "$repo")"
+    # git rev-parse --git-path returns a path relative to the repo; resolve it.
+    case "$hooks_dir" in
+        /*) ;;
+        *) hooks_dir="$repo/$hooks_dir" ;;
+    esac
+    mkdir -p "$hooks_dir"
+    hook="$hooks_dir/pre-push"
+
+    if [ -f "$hook" ] && ! grep -qF "$HOOK_SENTINEL" "$hook" 2>/dev/null && [ "$force" -ne 1 ]; then
+        eagle_err "A non-Eagle-Mem pre-push hook already exists: $hook"
+        eagle_info "Re-run with --force to replace it, or add this line to your hook manually:"
+        eagle_dim "  command -v eagle-mem >/dev/null 2>&1 && eagle-mem gate check"
+        exit 1
+    fi
+
+    cat > "$hook" <<EOF
+#!/usr/bin/env bash
+$HOOK_SENTINEL
+# Runs the Eagle Mem feature-verification gate before every push.
+# Fail-open if eagle-mem is unavailable so pushes never wedge on a missing tool.
+command -v eagle-mem >/dev/null 2>&1 || exit 0
+exec eagle-mem gate check
+EOF
+    chmod +x "$hook"
+    eagle_ok "Installed Eagle Mem pre-push gate: $hook"
+    eagle_dim "Bypass once with: git push --no-verify"
+}
+
+gate_uninstall() {
+    local repo="" ; repo="${1:-}"
+    [ "$repo" = "--repo" ] && { repo="${2:-}"; }
+    repo="${repo:-$(pwd)}"
+    local hooks_dir hook
+    hooks_dir="$(gate_hooks_dir "$repo")"
+    case "$hooks_dir" in /*) ;; *) hooks_dir="$repo/$hooks_dir" ;; esac
+    hook="$hooks_dir/pre-push"
+    if [ -f "$hook" ] && grep -qF "$HOOK_SENTINEL" "$hook" 2>/dev/null; then
+        rm -f "$hook"
+        eagle_ok "Removed Eagle Mem pre-push gate: $hook"
+    else
+        eagle_info "No Eagle Mem pre-push gate found for: $repo"
+    fi
+}
+
+subcommand="${1:-check}"
+shift 2>/dev/null || true
+case "$subcommand" in
+    check)      gate_check ;;
+    install)    gate_install "$@" ;;
+    uninstall)  gate_uninstall "$@" ;;
+    *)
+        eagle_err "Unknown gate command: $subcommand"
+        eagle_info "Usage: eagle-mem gate [check|install|uninstall]"
+        exit 1
+        ;;
+esac

package/scripts/statusline-em.sh

@@ -65,11 +65,13 @@ eagle_mem_statusline_stats() {
     project_scope=$(eagle_recall_project_scope_from_cwd "${current_dir:-$project_dir}" "$project_key")
     project_condition=$(eagle_sql_project_scope_condition "project" "$project_scope")
 
-    # busy_timeout so a momentary SQLITE_BUSY (this is the hottest standalone
-    # query during live sessions) waits for the lock instead of exiting non-zero,
-    # which would otherwise escalate to an integrity-status mislabel below.
-    stats=$("$sqlite_bin" "$em_db" "PRAGMA busy_timeout=10000;
-        SELECT
+    # busy_timeout (via the silent `-cmd ".timeout"` dot-command, NOT an inline
+    # `PRAGMA busy_timeout=N;`) so a momentary SQLITE_BUSY (this is the hottest
+    # standalone query during live sessions) waits for the lock instead of exiting
+    # non-zero, which would otherwise escalate to an integrity-status mislabel below.
+    # An inline value-setting PRAGMA echoes "10000" as the first output row, which
+    # the `IFS='|' read` below would parse as sessions=10000, memories=0, last=never.
+    stats=$("$sqlite_bin" -cmd ".timeout 10000" "$em_db" "SELECT
         COUNT(*) || '|' ||
         (SELECT COUNT(*) FROM agent_memories WHERE $project_condition) || '|' ||
         COALESCE(MAX(COALESCE(last_activity_at, started_at)), 'never')

package/scripts/test.sh

@@ -94,6 +94,9 @@ run_check "Test Runner No-Abort (failing check does not kill the suite under set
 # Python lane: the native Antigravity hook (mocked). Subshell-wrapped so a
 # missing python3 yields a clean skip (exit 2) instead of aborting the suite.
 run_check "Antigravity Hook (native Python SDK lifecycle, mocked)" "( command -v python3 >/dev/null 2>&1 || exit 2; python3 \"$SCRIPTS_DIR/../tests/test_antigravity_hook.py\" )"
+run_check "Release Gate Parity (eagle-mem gate: blocks pending, fails open, pre-push install)" "bash \"$SCRIPTS_DIR/../tests/test_release_gate_prepush.sh\""
+run_check "Command Rule Provenance (curator rules tagged + trust_learned_rules gate)" "bash \"$SCRIPTS_DIR/../tests/test_command_rule_provenance.sh\""
+run_check "busy_timeout Echo (no PRAGMA value leaks into project/row/statusline reads)" "bash \"$SCRIPTS_DIR/../tests/test_busy_timeout_echo.sh\""
 
 echo ""
 if [ "$errors" -eq 0 ]; then

package/tests/test_busy_timeout_echo.sh

@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+# ═══════════════════════════════════════════════════════════
+# Eagle Mem — busy_timeout echo regression test
+#
+# Root cause guarded here: an inline value-setting `PRAGMA busy_timeout=N;`
+# run in the SAME sqlite3 invocation as a SELECT echoes its value ("10000")
+# as the FIRST output row. Any caller that reads the first line then mis-reads
+# the timeout value as data:
+#   - eagle_get_session_project_light -> returns "10000" as the project,
+#     mis-filing every session under a phantom "10000" project.
+#   - eagle_project_has_table_row -> `[ "10000" = "1" ]` is false, so it
+#     ALWAYS reports "no row", breaking ancestor-project repair.
+#   - statusline stats -> `IFS='|' read` parses "10000" as sessions, 0 memories.
+# The fix sets the timeout via the silent `-cmd ".timeout"` dot-command, which
+# emits no output. This test reproduces the failure (buggy code returns 10000
+# / always-false) and structurally guards against re-introducing the shape.
+# ═══════════════════════════════════════════════════════════
+set -uo pipefail
+
+ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
+tmp_dir=$(mktemp -d)
+trap 'rm -rf "$tmp_dir"' EXIT
+
+export EAGLE_MEM_DIR="$tmp_dir/em"
+export EAGLE_AGENT_SOURCE="claude-code"
+export EAGLE_MEM_DISABLE_HOOKS=1
+mkdir -p "$EAGLE_MEM_DIR"
+
+pass=0; fail=0
+ok()  { echo "  ok: $1"; pass=$((pass+1)); }
+bad() { echo "  FAIL: $1" >&2; fail=$((fail+1)); }
+
+bash "$ROOT_DIR/db/migrate.sh" >/dev/null 2>&1
+
+. "$ROOT_DIR/lib/common.sh"
+. "$ROOT_DIR/lib/db.sh"
+
+# ── eagle_get_session_project_light returns the real project ────────────────
+SID="sess-busy-timeout-001"
+PROJ="personal_projects/eagle-mem"
+eagle_upsert_session "$SID" "$PROJ" "$tmp_dir" "" "test" "claude-code"
+
+got=$(eagle_get_session_project_light "$SID")
+if [ "$got" = "10000" ]; then
+    bad "eagle_get_session_project_light returned the busy_timeout echo ('10000') as the project"
+elif [ "$got" = "$PROJ" ]; then
+    ok "eagle_get_session_project_light returns the real project ('$got')"
+else
+    bad "eagle_get_session_project_light returned unexpected value: '$got' (expected '$PROJ')"
+fi
+
+# Unknown session must resolve to nothing (rc=1), never the echo value.
+if unknown=$(eagle_get_session_project_light "sess-does-not-exist-999"); then
+    bad "eagle_get_session_project_light succeeded for unknown session, returned '$unknown'"
+else
+    ok "eagle_get_session_project_light fails closed for unknown session"
+fi
+
+# ── eagle_project_has_table_row: true for present, false for absent ──────────
+if eagle_project_has_table_row "sessions" "$PROJ"; then
+    ok "eagle_project_has_table_row finds the existing project row"
+else
+    bad "eagle_project_has_table_row reports 'no row' for a project that HAS a row (busy_timeout echo broke the '= 1' test)"
+fi
+
+if eagle_project_has_table_row "sessions" "no/such/project-xyz"; then
+    bad "eagle_project_has_table_row reports a row for a project with none"
+else
+    ok "eagle_project_has_table_row correctly reports no row for an absent project"
+fi
+
+# ── Structural guard: no inline value-setting PRAGMA before a parsed SELECT ──
+# (comment lines are stripped so the explanatory comments above don't match)
+common_hit=$(grep -vE '^[[:space:]]*#' "$ROOT_DIR/lib/common.sh" | grep -nE 'busy_timeout=[0-9]+;[[:space:]]*SELECT' || true)
+if [ -n "$common_hit" ]; then
+    bad "lib/common.sh re-introduced an inline 'PRAGMA busy_timeout=N; SELECT' (echoes the value): $common_hit"
+else
+    ok "lib/common.sh has no inline value-setting PRAGMA before a SELECT"
+fi
+
+statusline_hit=$(grep -vE '^[[:space:]]*#' "$ROOT_DIR/scripts/statusline-em.sh" | grep -nE 'busy_timeout' || true)
+if [ -n "$statusline_hit" ]; then
+    bad "scripts/statusline-em.sh re-introduced an inline PRAGMA busy_timeout (use -cmd \".timeout\"): $statusline_hit"
+else
+    ok "scripts/statusline-em.sh sets the timeout via the silent -cmd \".timeout\" dot-command"
+fi
+
+echo
+echo "busy_timeout echo regression: $pass passed, $fail failed"
+[ "$fail" -eq 0 ]

package/tests/test_command_rule_provenance.sh

@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+# Curator command-rule provenance — closes the curator -> guardrail -> PreToolUse
+# loop where LLM output became enforcement input with no provenance.
+# command_rules steer PreToolUse output handling (truncate/summary). Curator-
+# generated rules are now tagged source='curator'; setting
+# token_guard.trust_learned_rules=false excludes them so model output cannot
+# silently shape command handling. Human ('manual') rules are unaffected.
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
+tmp_dir=$(mktemp -d "${TMPDIR:-/tmp}/eagle-rule-prov.XXXXXX")
+trap 'rm -rf "$tmp_dir"' EXIT
+
+export HOME="$tmp_dir/home"
+export EAGLE_MEM_DIR="$tmp_dir/eagle-mem"
+mkdir -p "$HOME" "$EAGLE_MEM_DIR"
+
+. "$ROOT_DIR/lib/common.sh"
+"$ROOT_DIR/db/migrate.sh" >/dev/null
+. "$ROOT_DIR/lib/db.sh"
+
+pass=0; fail=0
+ok()  { echo "  ok: $1"; pass=$((pass+1)); }
+bad() { echo "  FAIL: $1"; fail=$((fail+1)); }
+
+project="rule-prov"
+p=$(eagle_sql_escape "$project")
+eagle_db "INSERT INTO command_rules (project, pattern, strategy, max_lines, reason, source)
+          VALUES ('$p','curatorcmd','truncate',50,'noisy','curator');" >/dev/null
+eagle_db "INSERT INTO command_rules (project, pattern, strategy, max_lines, reason, source)
+          VALUES ('$p','manualcmd','truncate',50,'noisy','manual');" >/dev/null
+
+# 1. provenance is persisted
+[ "$(eagle_db "SELECT source FROM command_rules WHERE pattern='curatorcmd';")" = "curator" ] \
+    && ok "curator rule stored with source=curator" || bad "curator source not persisted"
+[ "$(eagle_db "SELECT source FROM command_rules WHERE pattern='manualcmd';")" = "manual" ] \
+    && ok "manual rule stored with source=manual" || bad "manual source not persisted"
+
+# 2. default (no config) trusts learned rules — curator rule applies
+[ -n "$(eagle_get_command_rule "$project" "curatorcmd" "curatorcmd")" ] \
+    && ok "default: curator rule applies (auto-learning preserved)" \
+    || bad "default: curator rule should apply"
+
+# 3. trust_learned_rules=false excludes curator rules, keeps manual rules
+printf '[token_guard]\ntrust_learned_rules = false\n' > "$EAGLE_MEM_DIR/config.toml"
+[ -z "$(eagle_get_command_rule "$project" "curatorcmd" "curatorcmd")" ] \
+    && ok "trust=false: curator rule excluded from enforcement" \
+    || bad "trust=false: curator rule should be excluded"
+[ -n "$(eagle_get_command_rule "$project" "manualcmd" "manualcmd")" ] \
+    && ok "trust=false: manual rule still applies" \
+    || bad "trust=false: manual rule should still apply"
+
+# 4. the curator code path tags new rules as 'curator'
+grep -q "VALUES ('\$p_esc', '\$pattern_esc', '\$strategy', \$ml_val, '\$reason_esc', 'curator')" "$ROOT_DIR/scripts/curate.sh" \
+    && ok "curate.sh writes command rules with source='curator'" \
+    || bad "curate.sh does not tag command rules as curator"
+
+echo ""
+echo "test_command_rule_provenance: $pass passed, $fail failed"
+[ "$fail" -eq 0 ] || exit 1

package/tests/test_release_gate_prepush.sh

@@ -0,0 +1,103 @@
+#!/usr/bin/env bash
+# Release-gate parity at the git layer (`eagle-mem gate`). The PreToolUse hook
+# blocks release-boundary commands for Claude/Codex; this proves the SAME
+# feature-verification gate is enforceable for bare-shell / Grok pushes via an
+# opt-in pre-push hook, blocks when verifications are pending, fails OPEN where
+# blocking would be wrong, and never clobbers a foreign pre-push hook.
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
+BIN="$ROOT_DIR/bin/eagle-mem"
+tmp_dir=$(mktemp -d "${TMPDIR:-/tmp}/eagle-gate-prepush.XXXXXX")
+trap 'rm -rf "$tmp_dir"' EXIT
+
+export HOME="$tmp_dir/home"
+export EAGLE_MEM_DIR="$tmp_dir/eagle-mem"
+mkdir -p "$HOME" "$EAGLE_MEM_DIR"
+
+. "$ROOT_DIR/lib/common.sh"
+"$ROOT_DIR/db/migrate.sh" >/dev/null
+. "$ROOT_DIR/lib/db.sh"
+
+pass=0; fail=0
+ok()  { echo "  ok: $1"; pass=$((pass+1)); }
+bad() { echo "  FAIL: $1"; fail=$((fail+1)); }
+
+# ── git repo fixture with a committed, feature-mapped file ──────────────────
+project="gate-prepush-test"
+export EAGLE_MEM_PROJECT="$project"
+repo="$HOME/proj"; mkdir -p "$repo/src"
+(
+  cd "$repo"
+  git init -q
+  git config user.email t@example.com
+  git config user.name tester
+  printf 'console.log("v1");\n' > src/app.js
+  git add -A && git commit -qm init
+)
+
+eagle_upsert_feature "$project" "app-entry" "app entrypoint"
+fid=$(eagle_get_feature_id "$project" "app-entry")
+eagle_add_feature_file "$fid" "src/app.js" "entrypoint" >/dev/null
+
+# ── 1. clean working tree → gate passes ────────────────────────────────────
+if ( cd "$repo" && "$BIN" gate check ) >/dev/null 2>&1; then
+    ok "clean working tree passes the gate (exit 0)"
+else
+    bad "clean working tree should pass the gate"
+fi
+
+# ── 2. uncommitted change to a feature file → gate blocks ──────────────────
+printf 'console.log("v2");\n' > "$repo/src/app.js"
+out=$( cd "$repo" && "$BIN" gate check 2>&1 ) && rc=0 || rc=$?
+[ "$rc" -eq 1 ] && ok "pending verification blocks the push (exit 1)" || bad "expected block exit 1, got $rc"
+case "$out" in *"blocked this push"*) ok "block message is shown" ;; *) bad "block message missing: $out" ;; esac
+
+# ── 3. EAGLE_MEM_DISABLE_HOOKS bypasses even with a pending verification ────
+if ( cd "$repo" && EAGLE_MEM_DISABLE_HOOKS=1 "$BIN" gate check ) >/dev/null 2>&1; then
+    ok "EAGLE_MEM_DISABLE_HOOKS=1 bypasses the gate"
+else
+    bad "EAGLE_MEM_DISABLE_HOOKS=1 should bypass the gate"
+fi
+
+# ── 4. verifying the feature unblocks the gate ─────────────────────────────
+( cd "$repo" && "$BIN" feature verify "app-entry" --notes "tested" ) >/dev/null 2>&1 || true
+if ( cd "$repo" && "$BIN" gate check ) >/dev/null 2>&1; then
+    ok "verified feature unblocks the gate (exit 0)"
+else
+    bad "verified feature should unblock the gate"
+fi
+
+# ── 5. fail-open outside a recognized project ──────────────────────────────
+other=$(mktemp -d "$tmp_dir/other.XXXXXX")
+if ( cd "$other" && env -u EAGLE_MEM_PROJECT "$BIN" gate check ) >/dev/null 2>&1; then
+    ok "fails open outside a recognized project (exit 0)"
+else
+    bad "should fail open outside a recognized project"
+fi
+
+# ── 6. install writes a managed, executable pre-push hook ──────────────────
+rm -f "$repo/.git/hooks/pre-push"
+( cd "$repo" && "$BIN" gate install ) >/dev/null 2>&1 || true
+if [ -x "$repo/.git/hooks/pre-push" ] && grep -q "eagle-mem-managed-pre-push" "$repo/.git/hooks/pre-push"; then
+    ok "gate install writes a managed, executable pre-push hook"
+else
+    bad "gate install should write a managed pre-push hook"
+fi
+
+# ── 7. install refuses to clobber a FOREIGN pre-push hook ──────────────────
+printf '#!/bin/sh\necho keepme\n' > "$repo/.git/hooks/pre-push"
+if ( cd "$repo" && "$BIN" gate install ) >/dev/null 2>&1; then
+    bad "gate install should refuse a foreign pre-push hook"
+else
+    ok "gate install refuses to clobber a foreign pre-push hook"
+fi
+grep -q "echo keepme" "$repo/.git/hooks/pre-push" && ok "foreign pre-push hook preserved" || bad "foreign pre-push hook was clobbered"
+
+# ── 8. uninstall leaves a foreign hook alone ───────────────────────────────
+( cd "$repo" && "$BIN" gate uninstall ) >/dev/null 2>&1 || true
+grep -q "echo keepme" "$repo/.git/hooks/pre-push" && ok "uninstall leaves a foreign hook untouched" || bad "uninstall removed a foreign hook"
+
+echo ""
+echo "test_release_gate_prepush: $pass passed, $fail failed"
+[ "$fail" -eq 0 ] || exit 1