hippo-memory 1.14.0 → 1.16.0

package/dist/src/db.js

@@ -6,83 +6,83 @@ import { cleanupArchivedMirrors } from './raw-archive-mirror-cleanup.js';
 import { PACKAGE_VERSION, compareSemver } from './version.js';
 const require = createRequire(import.meta.url);
 const { DatabaseSync } = require('node:sqlite');
-const CURRENT_SCHEMA_VERSION = 29;
+const CURRENT_SCHEMA_VERSION = 37;
 const MIGRATIONS = [
     {
         version: 1,
         up: (db) => {
-            db.exec(`
-        CREATE TABLE IF NOT EXISTS memories (
-          id TEXT PRIMARY KEY,
-          created TEXT NOT NULL,
-          last_retrieved TEXT NOT NULL,
-          retrieval_count INTEGER NOT NULL,
-          strength REAL NOT NULL,
-          half_life_days REAL NOT NULL,
-          layer TEXT NOT NULL,
-          tags_json TEXT NOT NULL,
-          emotional_valence TEXT NOT NULL,
-          schema_fit REAL NOT NULL,
-          source TEXT NOT NULL,
-          outcome_score REAL,
-          conflicts_with_json TEXT NOT NULL,
-          pinned INTEGER NOT NULL,
-          confidence TEXT NOT NULL,
-          content TEXT NOT NULL,
-          updated_at TEXT NOT NULL DEFAULT (datetime('now'))
-        );
-
-        CREATE INDEX IF NOT EXISTS idx_memories_layer_created ON memories(layer, created);
-        CREATE INDEX IF NOT EXISTS idx_memories_last_retrieved ON memories(last_retrieved);
-
-        CREATE TABLE IF NOT EXISTS consolidation_runs (
-          id INTEGER PRIMARY KEY AUTOINCREMENT,
-          timestamp TEXT NOT NULL,
-          decayed INTEGER NOT NULL,
-          merged INTEGER NOT NULL,
-          removed INTEGER NOT NULL
-        );
+            db.exec(`
+        CREATE TABLE IF NOT EXISTS memories (
+          id TEXT PRIMARY KEY,
+          created TEXT NOT NULL,
+          last_retrieved TEXT NOT NULL,
+          retrieval_count INTEGER NOT NULL,
+          strength REAL NOT NULL,
+          half_life_days REAL NOT NULL,
+          layer TEXT NOT NULL,
+          tags_json TEXT NOT NULL,
+          emotional_valence TEXT NOT NULL,
+          schema_fit REAL NOT NULL,
+          source TEXT NOT NULL,
+          outcome_score REAL,
+          conflicts_with_json TEXT NOT NULL,
+          pinned INTEGER NOT NULL,
+          confidence TEXT NOT NULL,
+          content TEXT NOT NULL,
+          updated_at TEXT NOT NULL DEFAULT (datetime('now'))
+        );
+
+        CREATE INDEX IF NOT EXISTS idx_memories_layer_created ON memories(layer, created);
+        CREATE INDEX IF NOT EXISTS idx_memories_last_retrieved ON memories(last_retrieved);
+
+        CREATE TABLE IF NOT EXISTS consolidation_runs (
+          id INTEGER PRIMARY KEY AUTOINCREMENT,
+          timestamp TEXT NOT NULL,
+          decayed INTEGER NOT NULL,
+          merged INTEGER NOT NULL,
+          removed INTEGER NOT NULL
+        );
       `);
         },
     },
     {
         version: 2,
         up: (db) => {
-            db.exec(`
-        CREATE TABLE IF NOT EXISTS task_snapshots (
-          id INTEGER PRIMARY KEY AUTOINCREMENT,
-          task TEXT NOT NULL,
-          summary TEXT NOT NULL,
-          next_step TEXT NOT NULL,
-          status TEXT NOT NULL,
-          source TEXT NOT NULL,
-          created_at TEXT NOT NULL,
-          updated_at TEXT NOT NULL
-        );
-
-        CREATE INDEX IF NOT EXISTS idx_task_snapshots_status_updated
-        ON task_snapshots(status, updated_at DESC, id DESC);
+            db.exec(`
+        CREATE TABLE IF NOT EXISTS task_snapshots (
+          id INTEGER PRIMARY KEY AUTOINCREMENT,
+          task TEXT NOT NULL,
+          summary TEXT NOT NULL,
+          next_step TEXT NOT NULL,
+          status TEXT NOT NULL,
+          source TEXT NOT NULL,
+          created_at TEXT NOT NULL,
+          updated_at TEXT NOT NULL
+        );
+
+        CREATE INDEX IF NOT EXISTS idx_task_snapshots_status_updated
+        ON task_snapshots(status, updated_at DESC, id DESC);
       `);
         },
     },
     {
         version: 3,
         up: (db) => {
-            db.exec(`
-        CREATE TABLE IF NOT EXISTS memory_conflicts (
-          id INTEGER PRIMARY KEY AUTOINCREMENT,
-          memory_a_id TEXT NOT NULL,
-          memory_b_id TEXT NOT NULL,
-          reason TEXT NOT NULL,
-          score REAL NOT NULL DEFAULT 0,
-          status TEXT NOT NULL,
-          detected_at TEXT NOT NULL,
-          updated_at TEXT NOT NULL,
-          UNIQUE(memory_a_id, memory_b_id)
-        );
-
-        CREATE INDEX IF NOT EXISTS idx_memory_conflicts_status_updated
-        ON memory_conflicts(status, updated_at DESC, id DESC);
+            db.exec(`
+        CREATE TABLE IF NOT EXISTS memory_conflicts (
+          id INTEGER PRIMARY KEY AUTOINCREMENT,
+          memory_a_id TEXT NOT NULL,
+          memory_b_id TEXT NOT NULL,
+          reason TEXT NOT NULL,
+          score REAL NOT NULL DEFAULT 0,
+          status TEXT NOT NULL,
+          detected_at TEXT NOT NULL,
+          updated_at TEXT NOT NULL,
+          UNIQUE(memory_a_id, memory_b_id)
+        );
+
+        CREATE INDEX IF NOT EXISTS idx_memory_conflicts_status_updated
+        ON memory_conflicts(status, updated_at DESC, id DESC);
       `);
         },
     },
@@ -92,67 +92,67 @@ const MIGRATIONS = [
             if (!tableHasColumn(db, 'task_snapshots', 'session_id')) {
                 db.exec(`ALTER TABLE task_snapshots ADD COLUMN session_id TEXT`);
             }
-            db.exec(`
-        CREATE TABLE IF NOT EXISTS session_events (
-          id INTEGER PRIMARY KEY AUTOINCREMENT,
-          session_id TEXT NOT NULL,
-          task TEXT,
-          event_type TEXT NOT NULL,
-          content TEXT NOT NULL,
-          source TEXT NOT NULL,
-          metadata_json TEXT NOT NULL,
-          created_at TEXT NOT NULL
-        );
-
-        CREATE INDEX IF NOT EXISTS idx_session_events_session_created
-        ON session_events(session_id, created_at DESC, id DESC);
-
-        CREATE INDEX IF NOT EXISTS idx_session_events_task_created
-        ON session_events(task, created_at DESC, id DESC);
+            db.exec(`
+        CREATE TABLE IF NOT EXISTS session_events (
+          id INTEGER PRIMARY KEY AUTOINCREMENT,
+          session_id TEXT NOT NULL,
+          task TEXT,
+          event_type TEXT NOT NULL,
+          content TEXT NOT NULL,
+          source TEXT NOT NULL,
+          metadata_json TEXT NOT NULL,
+          created_at TEXT NOT NULL
+        );
+
+        CREATE INDEX IF NOT EXISTS idx_session_events_session_created
+        ON session_events(session_id, created_at DESC, id DESC);
+
+        CREATE INDEX IF NOT EXISTS idx_session_events_task_created
+        ON session_events(task, created_at DESC, id DESC);
       `);
         },
     },
     {
         version: 5,
         up: (db) => {
-            db.exec(`
-        CREATE TABLE IF NOT EXISTS session_handoffs (
-          id INTEGER PRIMARY KEY AUTOINCREMENT,
-          session_id TEXT NOT NULL,
-          repo_root TEXT,
-          task_id TEXT,
-          summary TEXT NOT NULL,
-          next_action TEXT,
-          artifacts_json TEXT NOT NULL DEFAULT '[]',
-          created_at TEXT NOT NULL
-        );
-
-        CREATE INDEX IF NOT EXISTS idx_session_handoffs_session
-        ON session_handoffs(session_id, created_at DESC);
+            db.exec(`
+        CREATE TABLE IF NOT EXISTS session_handoffs (
+          id INTEGER PRIMARY KEY AUTOINCREMENT,
+          session_id TEXT NOT NULL,
+          repo_root TEXT,
+          task_id TEXT,
+          summary TEXT NOT NULL,
+          next_action TEXT,
+          artifacts_json TEXT NOT NULL DEFAULT '[]',
+          created_at TEXT NOT NULL
+        );
+
+        CREATE INDEX IF NOT EXISTS idx_session_handoffs_session
+        ON session_handoffs(session_id, created_at DESC);
       `);
         },
     },
     {
         version: 6,
         up: (db) => {
-            db.exec(`
-        CREATE TABLE IF NOT EXISTS working_memory (
-          id INTEGER PRIMARY KEY AUTOINCREMENT,
-          scope TEXT NOT NULL,
-          session_id TEXT,
-          task_id TEXT,
-          importance REAL NOT NULL DEFAULT 0,
-          content TEXT NOT NULL,
-          metadata_json TEXT NOT NULL DEFAULT '{}',
-          created_at TEXT NOT NULL,
-          updated_at TEXT NOT NULL
-        );
-
-        CREATE INDEX IF NOT EXISTS idx_working_memory_scope
-        ON working_memory(scope, importance DESC, created_at DESC);
-
-        CREATE INDEX IF NOT EXISTS idx_working_memory_session
-        ON working_memory(session_id, created_at DESC);
+            db.exec(`
+        CREATE TABLE IF NOT EXISTS working_memory (
+          id INTEGER PRIMARY KEY AUTOINCREMENT,
+          scope TEXT NOT NULL,
+          session_id TEXT,
+          task_id TEXT,
+          importance REAL NOT NULL DEFAULT 0,
+          content TEXT NOT NULL,
+          metadata_json TEXT NOT NULL DEFAULT '{}',
+          created_at TEXT NOT NULL,
+          updated_at TEXT NOT NULL
+        );
+
+        CREATE INDEX IF NOT EXISTS idx_working_memory_scope
+        ON working_memory(scope, importance DESC, created_at DESC);
+
+        CREATE INDEX IF NOT EXISTS idx_working_memory_session
+        ON working_memory(session_id, created_at DESC);
       `);
         },
     },
@@ -193,9 +193,9 @@ const MIGRATIONS = [
             if (!tableHasColumn(db, 'memories', 'source_session_id')) {
                 db.exec(`ALTER TABLE memories ADD COLUMN source_session_id TEXT`);
             }
-            db.exec(`
-        CREATE INDEX IF NOT EXISTS idx_memories_source_session_id
-        ON memories(source_session_id) WHERE source_session_id IS NOT NULL
+            db.exec(`
+        CREATE INDEX IF NOT EXISTS idx_memories_source_session_id
+        ON memories(source_session_id) WHERE source_session_id IS NOT NULL
       `);
         },
     },
@@ -257,44 +257,44 @@ const MIGRATIONS = [
             db.exec(`UPDATE memories SET kind = 'superseded' WHERE kind IS NULL AND superseded_by IS NOT NULL`);
             db.exec(`UPDATE memories SET kind = 'distilled' WHERE kind IS NULL`);
             // raw_archive: legitimate path for kind='raw' removal (used by archiveRawMemory).
-            db.exec(`
-        CREATE TABLE IF NOT EXISTS raw_archive (
-          id INTEGER PRIMARY KEY AUTOINCREMENT,
-          memory_id TEXT NOT NULL,
-          archived_at TEXT NOT NULL,
-          reason TEXT NOT NULL,
-          archived_by TEXT,
-          payload_json TEXT NOT NULL
-        )
+            db.exec(`
+        CREATE TABLE IF NOT EXISTS raw_archive (
+          id INTEGER PRIMARY KEY AUTOINCREMENT,
+          memory_id TEXT NOT NULL,
+          archived_at TEXT NOT NULL,
+          reason TEXT NOT NULL,
+          archived_by TEXT,
+          payload_json TEXT NOT NULL
+        )
       `);
             db.exec(`CREATE INDEX IF NOT EXISTS idx_raw_archive_memory_id ON raw_archive(memory_id)`);
             // Append-only invariant: kind='raw' rows cannot be deleted directly.
             // Use raw_archive flow: archive-then-update-then-delete (see src/raw-archive.ts).
-            db.exec(`
-        CREATE TRIGGER IF NOT EXISTS trg_memories_raw_append_only
-        BEFORE DELETE ON memories
-        WHEN OLD.kind = 'raw'
-        BEGIN
-          SELECT RAISE(ABORT, 'raw is append-only');
-        END
+            db.exec(`
+        CREATE TRIGGER IF NOT EXISTS trg_memories_raw_append_only
+        BEFORE DELETE ON memories
+        WHEN OLD.kind = 'raw'
+        BEGIN
+          SELECT RAISE(ABORT, 'raw is append-only');
+        END
       `);
             // CHECK substitute: ALTER TABLE cannot add CHECK, so enforce kind allowed-set
             // via INSERT/UPDATE triggers.
-            db.exec(`
-        CREATE TRIGGER IF NOT EXISTS trg_memories_kind_check_insert
-        BEFORE INSERT ON memories
-        WHEN NEW.kind IS NOT NULL AND NEW.kind NOT IN ('raw','distilled','superseded','archived')
-        BEGIN
-          SELECT RAISE(ABORT, 'invalid kind: must be raw|distilled|superseded|archived');
-        END
+            db.exec(`
+        CREATE TRIGGER IF NOT EXISTS trg_memories_kind_check_insert
+        BEFORE INSERT ON memories
+        WHEN NEW.kind IS NOT NULL AND NEW.kind NOT IN ('raw','distilled','superseded','archived')
+        BEGIN
+          SELECT RAISE(ABORT, 'invalid kind: must be raw|distilled|superseded|archived');
+        END
       `);
-            db.exec(`
-        CREATE TRIGGER IF NOT EXISTS trg_memories_kind_check_update
-        BEFORE UPDATE ON memories
-        WHEN NEW.kind IS NOT NULL AND NEW.kind NOT IN ('raw','distilled','superseded','archived')
-        BEGIN
-          SELECT RAISE(ABORT, 'invalid kind: must be raw|distilled|superseded|archived');
-        END
+            db.exec(`
+        CREATE TRIGGER IF NOT EXISTS trg_memories_kind_check_update
+        BEFORE UPDATE ON memories
+        WHEN NEW.kind IS NOT NULL AND NEW.kind NOT IN ('raw','distilled','superseded','archived')
+        BEGIN
+          SELECT RAISE(ABORT, 'invalid kind: must be raw|distilled|superseded|archived');
+        END
       `);
         },
     },
@@ -312,30 +312,30 @@ const MIGRATIONS = [
             //     allowed (different timestamps).
             db.exec(`DROP TRIGGER IF EXISTS trg_memories_kind_check_insert`);
             db.exec(`DROP TRIGGER IF EXISTS trg_memories_kind_check_update`);
-            db.exec(`
-        CREATE TRIGGER trg_memories_kind_check_insert
-        BEFORE INSERT ON memories
-        WHEN NEW.kind IS NULL OR NEW.kind NOT IN ('raw','distilled','superseded','archived')
-        BEGIN
-          SELECT RAISE(ABORT, 'invalid kind: must be raw|distilled|superseded|archived (not null)');
-        END
+            db.exec(`
+        CREATE TRIGGER trg_memories_kind_check_insert
+        BEFORE INSERT ON memories
+        WHEN NEW.kind IS NULL OR NEW.kind NOT IN ('raw','distilled','superseded','archived')
+        BEGIN
+          SELECT RAISE(ABORT, 'invalid kind: must be raw|distilled|superseded|archived (not null)');
+        END
       `);
-            db.exec(`
-        CREATE TRIGGER trg_memories_kind_check_update
-        BEFORE UPDATE ON memories
-        WHEN NEW.kind IS NULL OR NEW.kind NOT IN ('raw','distilled','superseded','archived')
-        BEGIN
-          SELECT RAISE(ABORT, 'invalid kind: must be raw|distilled|superseded|archived (not null)');
-        END
+            db.exec(`
+        CREATE TRIGGER trg_memories_kind_check_update
+        BEFORE UPDATE ON memories
+        WHEN NEW.kind IS NULL OR NEW.kind NOT IN ('raw','distilled','superseded','archived')
+        BEGIN
+          SELECT RAISE(ABORT, 'invalid kind: must be raw|distilled|superseded|archived (not null)');
+        END
       `);
             // Defensive: any rows that somehow have NULL kind get fixed (shouldn't exist post-v14
             // backfill, but cheap insurance).
             db.exec(`UPDATE memories SET kind = 'distilled' WHERE kind IS NULL`);
             // raw_archive uniqueness. SQLite cannot ADD CONSTRAINT, but a partial unique index
             // on (memory_id, archived_at) is equivalent for INSERT-time enforcement.
-            db.exec(`
-        CREATE UNIQUE INDEX IF NOT EXISTS idx_raw_archive_id_at
-        ON raw_archive(memory_id, archived_at)
+            db.exec(`
+        CREATE UNIQUE INDEX IF NOT EXISTS idx_raw_archive_id_at
+        ON raw_archive(memory_id, archived_at)
       `);
         },
     },
@@ -369,31 +369,31 @@ const MIGRATIONS = [
             // A5 stub auth: api_keys (scrypt-hashed; plaintext returned to caller exactly once)
             // and audit_log (append-only mutation trail). Both carry tenant_id from day 1 so
             // future multi-tenant enforcement is a config flip, not a re-migration.
-            db.exec(`
-        CREATE TABLE IF NOT EXISTS api_keys (
-          id INTEGER PRIMARY KEY AUTOINCREMENT,
-          key_id TEXT UNIQUE NOT NULL,
-          key_hash TEXT NOT NULL,
-          tenant_id TEXT NOT NULL DEFAULT 'default',
-          label TEXT,
-          created_at TEXT NOT NULL,
-          revoked_at TEXT
-        )
+            db.exec(`
+        CREATE TABLE IF NOT EXISTS api_keys (
+          id INTEGER PRIMARY KEY AUTOINCREMENT,
+          key_id TEXT UNIQUE NOT NULL,
+          key_hash TEXT NOT NULL,
+          tenant_id TEXT NOT NULL DEFAULT 'default',
+          label TEXT,
+          created_at TEXT NOT NULL,
+          revoked_at TEXT
+        )
       `);
-            db.exec(`
-        CREATE INDEX IF NOT EXISTS idx_api_keys_tenant_active
-        ON api_keys(tenant_id) WHERE revoked_at IS NULL
+            db.exec(`
+        CREATE INDEX IF NOT EXISTS idx_api_keys_tenant_active
+        ON api_keys(tenant_id) WHERE revoked_at IS NULL
       `);
-            db.exec(`
-        CREATE TABLE IF NOT EXISTS audit_log (
-          id INTEGER PRIMARY KEY AUTOINCREMENT,
-          ts TEXT NOT NULL,
-          tenant_id TEXT NOT NULL DEFAULT 'default',
-          actor TEXT NOT NULL,
-          op TEXT NOT NULL,
-          target_id TEXT,
-          metadata_json TEXT NOT NULL DEFAULT '{}'
-        )
+            db.exec(`
+        CREATE TABLE IF NOT EXISTS audit_log (
+          id INTEGER PRIMARY KEY AUTOINCREMENT,
+          ts TEXT NOT NULL,
+          tenant_id TEXT NOT NULL DEFAULT 'default',
+          actor TEXT NOT NULL,
+          op TEXT NOT NULL,
+          target_id TEXT,
+          metadata_json TEXT NOT NULL DEFAULT '{}'
+        )
       `);
             db.exec(`CREATE INDEX IF NOT EXISTS idx_audit_log_tenant_ts ON audit_log(tenant_id, ts DESC)`);
         },
@@ -403,102 +403,102 @@ const MIGRATIONS = [
         up: (db) => {
             // E1.3 Slack ingestion: idempotency log, per-channel backfill cursors, DLQ.
             // See docs/plans/2026-04-29-e1.3-slack-ingestion.md.
-            db.exec(`
-        CREATE TABLE IF NOT EXISTS slack_event_log (
-          event_id TEXT PRIMARY KEY,
-          ingested_at TEXT NOT NULL,
-          memory_id TEXT
-        )
+            db.exec(`
+        CREATE TABLE IF NOT EXISTS slack_event_log (
+          event_id TEXT PRIMARY KEY,
+          ingested_at TEXT NOT NULL,
+          memory_id TEXT
+        )
       `);
             db.exec(`CREATE INDEX IF NOT EXISTS idx_slack_event_log_memory ON slack_event_log(memory_id) WHERE memory_id IS NOT NULL`);
-            db.exec(`
-        CREATE TABLE IF NOT EXISTS slack_cursors (
-          tenant_id TEXT NOT NULL,
-          channel_id TEXT NOT NULL,
-          latest_ts TEXT NOT NULL,
-          updated_at TEXT NOT NULL,
-          PRIMARY KEY (tenant_id, channel_id)
-        )
+            db.exec(`
+        CREATE TABLE IF NOT EXISTS slack_cursors (
+          tenant_id TEXT NOT NULL,
+          channel_id TEXT NOT NULL,
+          latest_ts TEXT NOT NULL,
+          updated_at TEXT NOT NULL,
+          PRIMARY KEY (tenant_id, channel_id)
+        )
       `);
-            db.exec(`
-        CREATE TABLE IF NOT EXISTS slack_dlq (
-          id INTEGER PRIMARY KEY AUTOINCREMENT,
-          tenant_id TEXT NOT NULL,
-          raw_payload TEXT NOT NULL,
-          error TEXT NOT NULL,
-          received_at TEXT NOT NULL,
-          retried_at TEXT
-        )
+            db.exec(`
+        CREATE TABLE IF NOT EXISTS slack_dlq (
+          id INTEGER PRIMARY KEY AUTOINCREMENT,
+          tenant_id TEXT NOT NULL,
+          raw_payload TEXT NOT NULL,
+          error TEXT NOT NULL,
+          received_at TEXT NOT NULL,
+          retried_at TEXT
+        )
       `);
             db.exec(`CREATE INDEX IF NOT EXISTS idx_slack_dlq_tenant_received ON slack_dlq(tenant_id, received_at)`);
             // Multi-tenant routing seam (review patch #6). Empty by default — single-
             // tenant deployments resolve via HIPPO_TENANT fallback. Multi-workspace
             // deployments populate this table to map team_id → tenant_id.
-            db.exec(`
-        CREATE TABLE IF NOT EXISTS slack_workspaces (
-          team_id TEXT PRIMARY KEY,
-          tenant_id TEXT NOT NULL,
-          added_at TEXT NOT NULL
-        )
+            db.exec(`
+        CREATE TABLE IF NOT EXISTS slack_workspaces (
+          team_id TEXT PRIMARY KEY,
+          tenant_id TEXT NOT NULL,
+          added_at TEXT NOT NULL
+        )
       `);
         },
     },
     {
         version: 18,
         up: (db) => {
-            db.exec(`
-        CREATE TABLE IF NOT EXISTS goal_stack (
-          id TEXT PRIMARY KEY,
-          session_id TEXT NOT NULL,
-          tenant_id TEXT NOT NULL DEFAULT 'default',
-          goal_name TEXT NOT NULL,
-          level INTEGER NOT NULL DEFAULT 0
-            CHECK (level BETWEEN 0 AND 2),
-          parent_goal_id TEXT REFERENCES goal_stack(id) ON DELETE SET NULL,
-          status TEXT NOT NULL CHECK (status IN ('active','suspended','completed')),
-          success_condition TEXT,
-          retrieval_policy_id TEXT,
-          created_at TEXT NOT NULL,
-          completed_at TEXT,
-          outcome_score REAL
-            CHECK (outcome_score IS NULL OR (outcome_score >= 0 AND outcome_score <= 1))
-        );
-
-        CREATE INDEX IF NOT EXISTS idx_goal_stack_tenant_session_status
-          ON goal_stack(tenant_id, session_id, status, created_at);
-
-        CREATE TABLE IF NOT EXISTS retrieval_policy (
-          id TEXT PRIMARY KEY,
-          goal_id TEXT NOT NULL REFERENCES goal_stack(id) ON DELETE CASCADE,
-          policy_type TEXT NOT NULL CHECK (policy_type IN
-            ('schema-fit-biased','error-prioritized','recency-first','hybrid')),
-          weight_schema_fit REAL NOT NULL DEFAULT 1.0
-            CHECK (weight_schema_fit >= 0 AND weight_schema_fit <= 100),
-          weight_recency REAL NOT NULL DEFAULT 1.0
-            CHECK (weight_recency >= 0 AND weight_recency <= 100),
-          weight_outcome REAL NOT NULL DEFAULT 1.0
-            CHECK (weight_outcome >= 0 AND weight_outcome <= 100),
-          error_priority REAL NOT NULL DEFAULT 1.0
-            CHECK (error_priority >= 0 AND error_priority <= 100)
-        );
-
-        CREATE INDEX IF NOT EXISTS idx_retrieval_policy_goal
-          ON retrieval_policy(goal_id);
-
-        CREATE TABLE IF NOT EXISTS goal_recall_log (
-          id INTEGER PRIMARY KEY AUTOINCREMENT,
-          goal_id TEXT NOT NULL REFERENCES goal_stack(id) ON DELETE CASCADE,
-          memory_id TEXT NOT NULL REFERENCES memories(id) ON DELETE CASCADE,
-          tenant_id TEXT NOT NULL DEFAULT 'default',
-          session_id TEXT NOT NULL,
-          recalled_at TEXT NOT NULL,
-          score REAL NOT NULL
-        );
-
-        CREATE INDEX IF NOT EXISTS idx_goal_recall_log_goal
-          ON goal_recall_log(goal_id);
-        CREATE UNIQUE INDEX IF NOT EXISTS uniq_goal_recall_log_memory_goal
-          ON goal_recall_log(memory_id, goal_id);
+            db.exec(`
+        CREATE TABLE IF NOT EXISTS goal_stack (
+          id TEXT PRIMARY KEY,
+          session_id TEXT NOT NULL,
+          tenant_id TEXT NOT NULL DEFAULT 'default',
+          goal_name TEXT NOT NULL,
+          level INTEGER NOT NULL DEFAULT 0
+            CHECK (level BETWEEN 0 AND 2),
+          parent_goal_id TEXT REFERENCES goal_stack(id) ON DELETE SET NULL,
+          status TEXT NOT NULL CHECK (status IN ('active','suspended','completed')),
+          success_condition TEXT,
+          retrieval_policy_id TEXT,
+          created_at TEXT NOT NULL,
+          completed_at TEXT,
+          outcome_score REAL
+            CHECK (outcome_score IS NULL OR (outcome_score >= 0 AND outcome_score <= 1))
+        );
+
+        CREATE INDEX IF NOT EXISTS idx_goal_stack_tenant_session_status
+          ON goal_stack(tenant_id, session_id, status, created_at);
+
+        CREATE TABLE IF NOT EXISTS retrieval_policy (
+          id TEXT PRIMARY KEY,
+          goal_id TEXT NOT NULL REFERENCES goal_stack(id) ON DELETE CASCADE,
+          policy_type TEXT NOT NULL CHECK (policy_type IN
+            ('schema-fit-biased','error-prioritized','recency-first','hybrid')),
+          weight_schema_fit REAL NOT NULL DEFAULT 1.0
+            CHECK (weight_schema_fit >= 0 AND weight_schema_fit <= 100),
+          weight_recency REAL NOT NULL DEFAULT 1.0
+            CHECK (weight_recency >= 0 AND weight_recency <= 100),
+          weight_outcome REAL NOT NULL DEFAULT 1.0
+            CHECK (weight_outcome >= 0 AND weight_outcome <= 100),
+          error_priority REAL NOT NULL DEFAULT 1.0
+            CHECK (error_priority >= 0 AND error_priority <= 100)
+        );
+
+        CREATE INDEX IF NOT EXISTS idx_retrieval_policy_goal
+          ON retrieval_policy(goal_id);
+
+        CREATE TABLE IF NOT EXISTS goal_recall_log (
+          id INTEGER PRIMARY KEY AUTOINCREMENT,
+          goal_id TEXT NOT NULL REFERENCES goal_stack(id) ON DELETE CASCADE,
+          memory_id TEXT NOT NULL REFERENCES memories(id) ON DELETE CASCADE,
+          tenant_id TEXT NOT NULL DEFAULT 'default',
+          session_id TEXT NOT NULL,
+          recalled_at TEXT NOT NULL,
+          score REAL NOT NULL
+        );
+
+        CREATE INDEX IF NOT EXISTS idx_goal_recall_log_goal
+          ON goal_recall_log(goal_id);
+        CREATE UNIQUE INDEX IF NOT EXISTS uniq_goal_recall_log_memory_goal
+          ON goal_recall_log(memory_id, goal_id);
       `);
         },
     },
@@ -595,27 +595,27 @@ const MIGRATIONS = [
             // EXISTS bodies before ALTERing. A silent skip would otherwise stamp
             // schema_version=22 on a DB missing the underlying tables, leaving
             // them permanently absent.
-            db.exec(`
-        CREATE TABLE IF NOT EXISTS session_events (
-          id INTEGER PRIMARY KEY AUTOINCREMENT,
-          session_id TEXT NOT NULL,
-          task TEXT,
-          event_type TEXT NOT NULL,
-          content TEXT NOT NULL,
-          source TEXT NOT NULL,
-          metadata_json TEXT NOT NULL,
-          created_at TEXT NOT NULL
-        );
-        CREATE TABLE IF NOT EXISTS session_handoffs (
-          id INTEGER PRIMARY KEY AUTOINCREMENT,
-          session_id TEXT NOT NULL,
-          repo_root TEXT,
-          task_id TEXT,
-          summary TEXT NOT NULL,
-          next_action TEXT,
-          artifacts_json TEXT NOT NULL DEFAULT '[]',
-          created_at TEXT NOT NULL
-        );
+            db.exec(`
+        CREATE TABLE IF NOT EXISTS session_events (
+          id INTEGER PRIMARY KEY AUTOINCREMENT,
+          session_id TEXT NOT NULL,
+          task TEXT,
+          event_type TEXT NOT NULL,
+          content TEXT NOT NULL,
+          source TEXT NOT NULL,
+          metadata_json TEXT NOT NULL,
+          created_at TEXT NOT NULL
+        );
+        CREATE TABLE IF NOT EXISTS session_handoffs (
+          id INTEGER PRIMARY KEY AUTOINCREMENT,
+          session_id TEXT NOT NULL,
+          repo_root TEXT,
+          task_id TEXT,
+          summary TEXT NOT NULL,
+          next_action TEXT,
+          artifacts_json TEXT NOT NULL DEFAULT '[]',
+          created_at TEXT NOT NULL
+        );
       `);
             if (!tableHasColumn(db, 'session_events', 'tenant_id')) {
                 db.exec(`ALTER TABLE session_events ADD COLUMN tenant_id TEXT NOT NULL DEFAULT 'default'`);
@@ -635,25 +635,25 @@ const MIGRATIONS = [
             // tenant boundaries on guesses. The COUNT(DISTINCT) gate is the load-
             // bearing check; without it, rows with multiple tenants under the same
             // session_id would silently pick whichever group came first.
-            db.exec(`
-        UPDATE session_events
-           SET tenant_id = (
-             SELECT MAX(t.tenant_id) FROM task_snapshots t
-              WHERE t.session_id = session_events.session_id
-           )
-         WHERE tenant_id = 'default'
-           AND (SELECT COUNT(DISTINCT t.tenant_id) FROM task_snapshots t
-                 WHERE t.session_id = session_events.session_id) = 1
+            db.exec(`
+        UPDATE session_events
+           SET tenant_id = (
+             SELECT MAX(t.tenant_id) FROM task_snapshots t
+              WHERE t.session_id = session_events.session_id
+           )
+         WHERE tenant_id = 'default'
+           AND (SELECT COUNT(DISTINCT t.tenant_id) FROM task_snapshots t
+                 WHERE t.session_id = session_events.session_id) = 1
       `);
-            db.exec(`
-        UPDATE session_handoffs
-           SET tenant_id = (
-             SELECT MAX(t.tenant_id) FROM task_snapshots t
-              WHERE t.session_id = session_handoffs.session_id
-           )
-         WHERE tenant_id = 'default'
-           AND (SELECT COUNT(DISTINCT t.tenant_id) FROM task_snapshots t
-                 WHERE t.session_id = session_handoffs.session_id) = 1
+            db.exec(`
+        UPDATE session_handoffs
+           SET tenant_id = (
+             SELECT MAX(t.tenant_id) FROM task_snapshots t
+              WHERE t.session_id = session_handoffs.session_id
+           )
+         WHERE tenant_id = 'default'
+           AND (SELECT COUNT(DISTINCT t.tenant_id) FROM task_snapshots t
+                 WHERE t.session_id = session_handoffs.session_id) = 1
       `);
             db.exec(`CREATE INDEX IF NOT EXISTS idx_session_events_tenant_session ON session_events(tenant_id, session_id, created_at DESC, id DESC)`);
             db.exec(`CREATE INDEX IF NOT EXISTS idx_session_handoffs_tenant_session ON session_handoffs(tenant_id, session_id, created_at DESC)`);
@@ -665,19 +665,19 @@ const MIGRATIONS = [
             // task_snapshots: add scope so all three continuity tables carry it.
             // Self-heal partial-init stores via CREATE TABLE IF NOT EXISTS (the v22
             // session_events / session_handoffs healing is upstream).
-            db.exec(`
-        CREATE TABLE IF NOT EXISTS task_snapshots (
-          id INTEGER PRIMARY KEY AUTOINCREMENT,
-          task TEXT NOT NULL,
-          summary TEXT NOT NULL,
-          next_step TEXT NOT NULL,
-          status TEXT NOT NULL,
-          source TEXT NOT NULL,
-          session_id TEXT,
-          tenant_id TEXT NOT NULL DEFAULT 'default',
-          created_at TEXT NOT NULL,
-          updated_at TEXT NOT NULL
-        )
+            db.exec(`
+        CREATE TABLE IF NOT EXISTS task_snapshots (
+          id INTEGER PRIMARY KEY AUTOINCREMENT,
+          task TEXT NOT NULL,
+          summary TEXT NOT NULL,
+          next_step TEXT NOT NULL,
+          status TEXT NOT NULL,
+          source TEXT NOT NULL,
+          session_id TEXT,
+          tenant_id TEXT NOT NULL DEFAULT 'default',
+          created_at TEXT NOT NULL,
+          updated_at TEXT NOT NULL
+        )
       `);
             if (!tableHasColumn(db, 'task_snapshots', 'scope')) {
                 db.exec(`ALTER TABLE task_snapshots ADD COLUMN scope TEXT`);
@@ -710,64 +710,64 @@ const MIGRATIONS = [
         up: (db) => {
             // v1.3.0 GitHub connector schema (codex round 1, 2026-05-04).
             // Six tables + a min_compatible_binary meta row for rollback safety.
-            db.exec(`
-        CREATE TABLE IF NOT EXISTS github_event_log (
-          idempotency_key TEXT PRIMARY KEY,
-          delivery_id TEXT NOT NULL,
-          event_name TEXT NOT NULL,
-          ingested_at TEXT NOT NULL,
-          memory_id TEXT
-        )
+            db.exec(`
+        CREATE TABLE IF NOT EXISTS github_event_log (
+          idempotency_key TEXT PRIMARY KEY,
+          delivery_id TEXT NOT NULL,
+          event_name TEXT NOT NULL,
+          ingested_at TEXT NOT NULL,
+          memory_id TEXT
+        )
       `);
             db.exec(`CREATE INDEX IF NOT EXISTS idx_github_event_log_memory ON github_event_log(memory_id) WHERE memory_id IS NOT NULL`);
             db.exec(`CREATE INDEX IF NOT EXISTS idx_github_event_log_delivery ON github_event_log(delivery_id)`);
-            db.exec(`
-        CREATE TABLE IF NOT EXISTS github_cursors (
-          tenant_id TEXT NOT NULL,
-          repo_full_name TEXT NOT NULL,
-          issues_hwm TEXT,
-          issue_comments_hwm TEXT,
-          pr_review_comments_hwm TEXT,
-          updated_at TEXT NOT NULL,
-          PRIMARY KEY (tenant_id, repo_full_name)
-        )
+            db.exec(`
+        CREATE TABLE IF NOT EXISTS github_cursors (
+          tenant_id TEXT NOT NULL,
+          repo_full_name TEXT NOT NULL,
+          issues_hwm TEXT,
+          issue_comments_hwm TEXT,
+          pr_review_comments_hwm TEXT,
+          updated_at TEXT NOT NULL,
+          PRIMARY KEY (tenant_id, repo_full_name)
+        )
       `);
-            db.exec(`
-        CREATE TABLE IF NOT EXISTS github_dlq (
-          id INTEGER PRIMARY KEY AUTOINCREMENT,
-          tenant_id TEXT NOT NULL,
-          raw_payload TEXT NOT NULL,
-          error TEXT NOT NULL,
-          event_name TEXT,
-          delivery_id TEXT,
-          signature TEXT,
-          installation_id TEXT,
-          repo_full_name TEXT,
-          retry_count INTEGER NOT NULL DEFAULT 0,
-          received_at TEXT NOT NULL,
-          retried_at TEXT,
-          bucket TEXT NOT NULL DEFAULT 'parse_error'
-        )
+            db.exec(`
+        CREATE TABLE IF NOT EXISTS github_dlq (
+          id INTEGER PRIMARY KEY AUTOINCREMENT,
+          tenant_id TEXT NOT NULL,
+          raw_payload TEXT NOT NULL,
+          error TEXT NOT NULL,
+          event_name TEXT,
+          delivery_id TEXT,
+          signature TEXT,
+          installation_id TEXT,
+          repo_full_name TEXT,
+          retry_count INTEGER NOT NULL DEFAULT 0,
+          received_at TEXT NOT NULL,
+          retried_at TEXT,
+          bucket TEXT NOT NULL DEFAULT 'parse_error'
+        )
       `);
             db.exec(`CREATE INDEX IF NOT EXISTS idx_github_dlq_tenant_received ON github_dlq(tenant_id, received_at)`);
-            db.exec(`
-        CREATE TABLE IF NOT EXISTS github_installations (
-          installation_id TEXT PRIMARY KEY,
-          tenant_id TEXT NOT NULL,
-          added_at TEXT NOT NULL
-        )
+            db.exec(`
+        CREATE TABLE IF NOT EXISTS github_installations (
+          installation_id TEXT PRIMARY KEY,
+          tenant_id TEXT NOT NULL,
+          added_at TEXT NOT NULL
+        )
       `);
             // PAT-mode multi-tenant routing (codex P0 #4). Maps repo_full_name to
             // tenant when the webhook envelope has no `installation` field. Composite
             // PK so the same repo can intentionally be visible to multiple tenants
             // (e.g., shared tooling accounts) — collision is on (repo, tenant) pair.
-            db.exec(`
-        CREATE TABLE IF NOT EXISTS github_repositories (
-          repo_full_name TEXT NOT NULL,
-          tenant_id TEXT NOT NULL,
-          added_at TEXT NOT NULL,
-          PRIMARY KEY (repo_full_name, tenant_id)
-        )
+            db.exec(`
+        CREATE TABLE IF NOT EXISTS github_repositories (
+          repo_full_name TEXT NOT NULL,
+          tenant_id TEXT NOT NULL,
+          added_at TEXT NOT NULL,
+          PRIMARY KEY (repo_full_name, tenant_id)
+        )
       `);
             // Rollback-safety guard (codex P0 #2). Any binary < 1.2.1 lacks the
             // generic *:private:* default-deny and would leak github:private:* rows
@@ -797,26 +797,26 @@ const MIGRATIONS = [
             // Backfill descendant_count for existing level-2 summary rows. Use
             // dag_parent_id pointing at the summary id. Level-3 (entity profiles)
             // not built today; their descendant_count stays at default 0.
-            db.exec(`
-        UPDATE memories
-           SET descendant_count = (
-             SELECT COUNT(*) FROM memories AS c WHERE c.dag_parent_id = memories.id
-           )
-         WHERE dag_level >= 2
-           AND descendant_count = 0
+            db.exec(`
+        UPDATE memories
+           SET descendant_count = (
+             SELECT COUNT(*) FROM memories AS c WHERE c.dag_parent_id = memories.id
+           )
+         WHERE dag_level >= 2
+           AND descendant_count = 0
       `);
             // Backfill earliest_at / latest_at from child created timestamps for
             // existing summaries. Children of a level-2 summary are level-1 facts.
-            db.exec(`
-        UPDATE memories
-           SET earliest_at = (
-             SELECT MIN(c.created) FROM memories AS c WHERE c.dag_parent_id = memories.id
-           ),
-               latest_at = (
-             SELECT MAX(c.created) FROM memories AS c WHERE c.dag_parent_id = memories.id
-           )
-         WHERE dag_level >= 2
-           AND earliest_at IS NULL
+            db.exec(`
+        UPDATE memories
+           SET earliest_at = (
+             SELECT MIN(c.created) FROM memories AS c WHERE c.dag_parent_id = memories.id
+           ),
+               latest_at = (
+             SELECT MAX(c.created) FROM memories AS c WHERE c.dag_parent_id = memories.id
+           )
+         WHERE dag_level >= 2
+           AND earliest_at IS NULL
       `);
         },
     },
@@ -859,32 +859,32 @@ const MIGRATIONS = [
             // bug, fixes anyone who has it. Includes the role column from the
             // start so it matches v26's intent without needing v26 to ALTER on
             // this heal path.
-            db.exec(`
-        CREATE TABLE IF NOT EXISTS api_keys (
-          id INTEGER PRIMARY KEY AUTOINCREMENT,
-          key_id TEXT UNIQUE NOT NULL,
-          key_hash TEXT NOT NULL,
-          tenant_id TEXT NOT NULL DEFAULT 'default',
-          label TEXT,
-          created_at TEXT NOT NULL,
-          revoked_at TEXT,
-          role TEXT NOT NULL DEFAULT 'admin'
-        )
+            db.exec(`
+        CREATE TABLE IF NOT EXISTS api_keys (
+          id INTEGER PRIMARY KEY AUTOINCREMENT,
+          key_id TEXT UNIQUE NOT NULL,
+          key_hash TEXT NOT NULL,
+          tenant_id TEXT NOT NULL DEFAULT 'default',
+          label TEXT,
+          created_at TEXT NOT NULL,
+          revoked_at TEXT,
+          role TEXT NOT NULL DEFAULT 'admin'
+        )
       `);
-            db.exec(`
-        CREATE INDEX IF NOT EXISTS idx_api_keys_tenant_active
-        ON api_keys(tenant_id) WHERE revoked_at IS NULL
+            db.exec(`
+        CREATE INDEX IF NOT EXISTS idx_api_keys_tenant_active
+        ON api_keys(tenant_id) WHERE revoked_at IS NULL
       `);
-            db.exec(`
-        CREATE TABLE IF NOT EXISTS audit_log (
-          id INTEGER PRIMARY KEY AUTOINCREMENT,
-          ts TEXT NOT NULL,
-          tenant_id TEXT NOT NULL DEFAULT 'default',
-          actor TEXT NOT NULL,
-          op TEXT NOT NULL,
-          target_id TEXT,
-          metadata_json TEXT NOT NULL DEFAULT '{}'
-        )
+            db.exec(`
+        CREATE TABLE IF NOT EXISTS audit_log (
+          id INTEGER PRIMARY KEY AUTOINCREMENT,
+          ts TEXT NOT NULL,
+          tenant_id TEXT NOT NULL DEFAULT 'default',
+          actor TEXT NOT NULL,
+          op TEXT NOT NULL,
+          target_id TEXT,
+          metadata_json TEXT NOT NULL DEFAULT '{}'
+        )
       `);
             db.exec(`CREATE INDEX IF NOT EXISTS idx_audit_log_tenant_ts ON audit_log(tenant_id, ts DESC)`);
             // Belt-and-braces: if api_keys existed before this migration WITHOUT
@@ -952,58 +952,872 @@ const MIGRATIONS = [
             // J3 computes accuracy (clean vs regressed) from (estimate_value,
             // actual_value) at query time.
             if (!tableExists(db, 'predictions')) {
-                db.exec(`
-          CREATE TABLE predictions (
-            id INTEGER PRIMARY KEY AUTOINCREMENT,
-            memory_id TEXT,
-            tenant_id TEXT NOT NULL,
-            class_tag TEXT NOT NULL,
-            claim_text TEXT NOT NULL,
-            estimate_value REAL,
-            estimate_unit TEXT,
-            target_date TEXT,
-            actual_value REAL,
-            closure_state TEXT NOT NULL DEFAULT 'open'
-              CHECK (closure_state IN ('open', 'closed', 'closed-unknown')),
-            closed_at TEXT,
-            closure_note TEXT,
-            created_at TEXT NOT NULL,
-            FOREIGN KEY (memory_id) REFERENCES memories(id) ON DELETE SET NULL
-          )
+                db.exec(`
+          CREATE TABLE predictions (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            memory_id TEXT,
+            tenant_id TEXT NOT NULL,
+            class_tag TEXT NOT NULL,
+            claim_text TEXT NOT NULL,
+            estimate_value REAL,
+            estimate_unit TEXT,
+            target_date TEXT,
+            actual_value REAL,
+            closure_state TEXT NOT NULL DEFAULT 'open'
+              CHECK (closure_state IN ('open', 'closed', 'closed-unknown')),
+            closed_at TEXT,
+            closure_note TEXT,
+            created_at TEXT NOT NULL,
+            FOREIGN KEY (memory_id) REFERENCES memories(id) ON DELETE SET NULL
+          )
         `);
-                db.exec(`
-          CREATE INDEX IF NOT EXISTS idx_predictions_tenant_class
-          ON predictions(tenant_id, class_tag, closure_state)
+                db.exec(`
+          CREATE INDEX IF NOT EXISTS idx_predictions_tenant_class
+          ON predictions(tenant_id, class_tag, closure_state)
         `);
-                db.exec(`
-          CREATE INDEX IF NOT EXISTS idx_predictions_memory
-          ON predictions(memory_id) WHERE memory_id IS NOT NULL
+                db.exec(`
+          CREATE INDEX IF NOT EXISTS idx_predictions_memory
+          ON predictions(memory_id) WHERE memory_id IS NOT NULL
         `);
                 // Cross-tenant safety: tenant_id must match the referenced memory's
                 // tenant_id when memory_id IS NOT NULL. INSERT + UPDATE pair, mirroring
                 // v14 memories.kind enforcement (db.ts:298-322).
-                db.exec(`
-          CREATE TRIGGER IF NOT EXISTS trg_predictions_tenant_match_insert
-          BEFORE INSERT ON predictions
-          WHEN NEW.memory_id IS NOT NULL
-          BEGIN
-            SELECT CASE
-              WHEN NEW.tenant_id != (SELECT tenant_id FROM memories WHERE id = NEW.memory_id)
-              THEN RAISE(ABORT, 'predictions.tenant_id must match memories.tenant_id for the referenced memory')
-            END;
-          END
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_predictions_tenant_match_insert
+          BEFORE INSERT ON predictions
+          WHEN NEW.memory_id IS NOT NULL
+          BEGIN
+            SELECT CASE
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'predictions.tenant_id must match memories.tenant_id for the referenced memory')
+            END;
+          END
         `);
-                db.exec(`
-          CREATE TRIGGER IF NOT EXISTS trg_predictions_tenant_match_update
-          BEFORE UPDATE ON predictions
-          WHEN NEW.memory_id IS NOT NULL
-            AND (NEW.memory_id IS NOT OLD.memory_id OR NEW.tenant_id IS NOT OLD.tenant_id)
-          BEGIN
-            SELECT CASE
-              WHEN NEW.tenant_id != (SELECT tenant_id FROM memories WHERE id = NEW.memory_id)
-              THEN RAISE(ABORT, 'predictions.tenant_id must match memories.tenant_id for the referenced memory')
-            END;
-          END
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_predictions_tenant_match_update
+          BEFORE UPDATE ON predictions
+          WHEN NEW.memory_id IS NOT NULL
+            AND (NEW.memory_id IS NOT OLD.memory_id OR NEW.tenant_id IS NOT OLD.tenant_id)
+          BEGIN
+            SELECT CASE
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'predictions.tenant_id must match memories.tenant_id for the referenced memory')
+            END;
+          END
+        `);
+            }
+        },
+    },
+    {
+        version: 30,
+        up: (db) => {
+            // E2 decision first-class object (docs/plans/2026-05-28-e2-decision-object.md).
+            // Promotes `hippo decide` from a tagged memory (which decayed on a 90-day
+            // half-life even while the decision was still in force) to a canonical
+            // decisions table that is the source of truth. The memory mirror is kept
+            // for recall but is no longer authoritative; memory_id is NULLABLE with
+            // ON DELETE SET NULL so forget/consolidate/archive does not lose a
+            // decision. Mirrors the v29 predictions tenant-match trigger pattern.
+            //
+            // status (active|superseded|closed): superseded carries a self-FK
+            // superseded_by to the successor decision; closed is a terminal
+            // retire-without-successor. A superseded_by same-tenant trigger makes
+            // cross-tenant supersession unrepresentable at the schema level.
+            if (!tableExists(db, 'decisions')) {
+                db.exec(`
+          CREATE TABLE decisions (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            memory_id TEXT,
+            tenant_id TEXT NOT NULL,
+            decision_text TEXT NOT NULL,
+            context TEXT,
+            status TEXT NOT NULL DEFAULT 'active'
+              CHECK (status IN ('active', 'superseded', 'closed')),
+            superseded_by INTEGER,
+            superseded_at TEXT,
+            closed_at TEXT,
+            created_at TEXT NOT NULL,
+            FOREIGN KEY (memory_id) REFERENCES memories(id) ON DELETE SET NULL,
+            FOREIGN KEY (superseded_by) REFERENCES decisions(id) ON DELETE SET NULL
+          )
+        `);
+                db.exec(`
+          CREATE INDEX IF NOT EXISTS idx_decisions_tenant_status
+          ON decisions(tenant_id, status)
+        `);
+                db.exec(`
+          CREATE INDEX IF NOT EXISTS idx_decisions_memory
+          ON decisions(memory_id) WHERE memory_id IS NOT NULL
+        `);
+                // Cross-tenant safety vs the referenced memory (mirrors predictions v29).
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_decisions_tenant_match_insert
+          BEFORE INSERT ON decisions
+          WHEN NEW.memory_id IS NOT NULL
+          BEGIN
+            SELECT CASE
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'decisions.tenant_id must match memories.tenant_id for the referenced memory')
+            END;
+          END
+        `);
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_decisions_tenant_match_update
+          BEFORE UPDATE ON decisions
+          WHEN NEW.memory_id IS NOT NULL
+            AND (NEW.memory_id IS NOT OLD.memory_id OR NEW.tenant_id IS NOT OLD.tenant_id)
+          BEGIN
+            SELECT CASE
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'decisions.tenant_id must match memories.tenant_id for the referenced memory')
+            END;
+          END
+        `);
+                // Cross-tenant safety vs the successor decision (self-FK). superseded_by
+                // is set only via UPDATE (the supersede path); the successor must share
+                // the tenant. The successor row already exists in the same transaction
+                // when this fires, so the subquery resolves.
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_decisions_supersede_tenant_match_update
+          BEFORE UPDATE ON decisions
+          WHEN NEW.superseded_by IS NOT NULL
+            AND NEW.superseded_by IS NOT OLD.superseded_by
+          BEGIN
+            SELECT CASE
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM decisions WHERE id = NEW.superseded_by)
+              THEN RAISE(ABORT, 'decisions.superseded_by must reference a decision in the same tenant')
+            END;
+          END
+        `);
+            }
+        },
+    },
+    {
+        version: 31,
+        up: (db) => {
+            // E2 incident first-class object (docs/plans/2026-05-29-e2-incident-object.md).
+            // Mirrors the v30 decisions block but for an open -> resolved -> closed
+            // lifecycle (NOT supersede): there is no superseded_by self-FK and no
+            // supersede trigger. An incident is a postmortem capsule: a recorded
+            // operational event with a lifecycle and optional linked receipts (the
+            // memories that are its evidence, stored as a JSON array of ids in
+            // linked_memory_ids). The memory mirror is kept for recall but is not
+            // authoritative; memory_id is NULLABLE with ON DELETE SET NULL so
+            // forget/consolidate/archive does not lose an incident.
+            //
+            // status (open|resolved|closed): resolved records a resolution_text +
+            // resolved_at and stays on record; closed is a terminal retire reachable
+            // from open or resolved. Cross-tenant safety: BEFORE INSERT + BEFORE
+            // UPDATE triggers enforce incidents.tenant_id == the referenced memory's
+            // tenant_id (verbatim mirror of the v30 decisions tenant-match triggers).
+            if (!tableExists(db, 'incidents')) {
+                db.exec(`
+          CREATE TABLE incidents (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            memory_id TEXT,
+            tenant_id TEXT NOT NULL,
+            incident_text TEXT NOT NULL,
+            context TEXT,
+            status TEXT NOT NULL DEFAULT 'open'
+              CHECK (status IN ('open', 'resolved', 'closed')),
+            resolution_text TEXT,
+            resolved_at TEXT,
+            closed_at TEXT,
+            linked_memory_ids TEXT NOT NULL DEFAULT '[]',
+            created_at TEXT NOT NULL,
+            FOREIGN KEY (memory_id) REFERENCES memories(id) ON DELETE SET NULL
+          )
+        `);
+                db.exec(`
+          CREATE INDEX IF NOT EXISTS idx_incidents_tenant_status
+          ON incidents(tenant_id, status)
+        `);
+                db.exec(`
+          CREATE INDEX IF NOT EXISTS idx_incidents_memory
+          ON incidents(memory_id) WHERE memory_id IS NOT NULL
+        `);
+                // Cross-tenant safety vs the referenced memory (verbatim mirror of the
+                // v30 decisions tenant-match triggers; no supersede trigger).
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_incidents_tenant_match_insert
+          BEFORE INSERT ON incidents
+          WHEN NEW.memory_id IS NOT NULL
+          BEGIN
+            SELECT CASE
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'incidents.tenant_id must match memories.tenant_id for the referenced memory')
+            END;
+          END
+        `);
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_incidents_tenant_match_update
+          BEFORE UPDATE ON incidents
+          WHEN NEW.memory_id IS NOT NULL
+            AND (NEW.memory_id IS NOT OLD.memory_id OR NEW.tenant_id IS NOT OLD.tenant_id)
+          BEGIN
+            SELECT CASE
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'incidents.tenant_id must match memories.tenant_id for the referenced memory')
+            END;
+          END
+        `);
+            }
+        },
+    },
+    {
+        version: 32,
+        up: (db) => {
+            // E2 process first-class object (docs/plans/2026-05-29-e2-process-object.md).
+            // A process is a "living process map": a named, ordered list of steps that
+            // evolves. Unlike incident (open->resolved->closed, no supersede), process
+            // REUSES the v30 decisions supersede path as its delta mechanism: a process
+            // evolves by being superseded by a NEW VERSION that records what changed
+            // (change_summary) and the full new state (steps), carrying a derived
+            // version counter. So this table combines the v31 incidents tenant-match
+            // trigger pair (vs the referenced memory) WITH the v30 decisions
+            // superseded_by self-FK + supersede tenant-match trigger.
+            //
+            // status (active|superseded|closed): superseded carries a self-FK
+            // superseded_by to the successor version; closed is a terminal
+            // retire-without-successor (only an active head closes). The memory mirror
+            // is kept for recall but is not authoritative; memory_id is NULLABLE with
+            // ON DELETE SET NULL so forget/consolidate/archive does not lose a process.
+            // steps is a JSON-encoded array of step strings (scoped v1; a normalized
+            // process_steps table is deferred). version is server-derived
+            // (predecessor.version + 1); change_summary is set on a successor row only.
+            if (!tableExists(db, 'processes')) {
+                db.exec(`
+          CREATE TABLE processes (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            memory_id TEXT,
+            tenant_id TEXT NOT NULL,
+            process_name TEXT NOT NULL,
+            description TEXT,
+            steps TEXT NOT NULL DEFAULT '[]',
+            version INTEGER NOT NULL DEFAULT 1,
+            status TEXT NOT NULL DEFAULT 'active'
+              CHECK (status IN ('active', 'superseded', 'closed')),
+            superseded_by INTEGER,
+            superseded_at TEXT,
+            change_summary TEXT,
+            closed_at TEXT,
+            created_at TEXT NOT NULL,
+            FOREIGN KEY (memory_id) REFERENCES memories(id) ON DELETE SET NULL,
+            FOREIGN KEY (superseded_by) REFERENCES processes(id) ON DELETE SET NULL
+          )
+        `);
+                db.exec(`
+          CREATE INDEX IF NOT EXISTS idx_processes_tenant_status
+          ON processes(tenant_id, status)
+        `);
+                db.exec(`
+          CREATE INDEX IF NOT EXISTS idx_processes_memory
+          ON processes(memory_id) WHERE memory_id IS NOT NULL
+        `);
+                // Cross-tenant safety vs the referenced memory (verbatim mirror of the
+                // v31 incidents / v30 decisions tenant-match triggers).
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_processes_tenant_match_insert
+          BEFORE INSERT ON processes
+          WHEN NEW.memory_id IS NOT NULL
+          BEGIN
+            SELECT CASE
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'processes.tenant_id must match memories.tenant_id for the referenced memory')
+            END;
+          END
+        `);
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_processes_tenant_match_update
+          BEFORE UPDATE ON processes
+          WHEN NEW.memory_id IS NOT NULL
+            AND (NEW.memory_id IS NOT OLD.memory_id OR NEW.tenant_id IS NOT OLD.tenant_id)
+          BEGIN
+            SELECT CASE
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'processes.tenant_id must match memories.tenant_id for the referenced memory')
+            END;
+          END
+        `);
+                // Cross-tenant safety vs the successor process (self-FK; verbatim mirror
+                // of the v30 decisions supersede trigger). superseded_by is set only via
+                // the supersede UPDATE; the successor must share the tenant. The successor
+                // row already exists in the same transaction when this fires.
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_processes_supersede_tenant_match_update
+          BEFORE UPDATE ON processes
+          WHEN NEW.superseded_by IS NOT NULL
+            AND NEW.superseded_by IS NOT OLD.superseded_by
+          BEGIN
+            SELECT CASE
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM processes WHERE id = NEW.superseded_by)
+              THEN RAISE(ABORT, 'processes.superseded_by must reference a process in the same tenant')
+            END;
+          END
+        `);
+            }
+        },
+    },
+    {
+        version: 33,
+        up: (db) => {
+            // E2 policy first-class object (docs/plans/2026-05-30-e2-policy-object.md).
+            // The "bi-temporal-first" object type: a named rule/statement that is in
+            // force over an EFFECTIVE-TIME range (valid_from required, valid_to nullable
+            // = open-ended) and evolves via the v32 processes supersede machinery
+            // (superseded_by self-FK + supersede tenant-match trigger + version +
+            // change_summary). This table = the v32 processes table MINUS `steps`
+            // (a policy has policy_text, not an ordered step list) PLUS the first-class
+            // effective-time columns valid_from/valid_to. Valid-time is the queryable
+            // axis (the as-of query loadPoliciesAsOf); transaction-time is present via
+            // created_at + the supersede chain's superseded_at (time-travel deferred).
+            //
+            // All date inputs are normalized to canonical ISO-8601 datetime
+            // (toISOString) at the store boundary before persist/compare, so the
+            // fixed-width values sort lexically and the half-open [valid_from, valid_to)
+            // as-of comparison is correct (plan-eng-critic round-1 CRIT fix).
+            if (!tableExists(db, 'policies')) {
+                db.exec(`
+          CREATE TABLE policies (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            memory_id TEXT,
+            tenant_id TEXT NOT NULL,
+            policy_name TEXT NOT NULL,
+            policy_text TEXT NOT NULL,
+            valid_from TEXT NOT NULL,
+            valid_to TEXT,
+            version INTEGER NOT NULL DEFAULT 1,
+            status TEXT NOT NULL DEFAULT 'active'
+              CHECK (status IN ('active', 'superseded', 'closed')),
+            superseded_by INTEGER,
+            superseded_at TEXT,
+            change_summary TEXT,
+            closed_at TEXT,
+            created_at TEXT NOT NULL,
+            FOREIGN KEY (memory_id) REFERENCES memories(id) ON DELETE SET NULL,
+            FOREIGN KEY (superseded_by) REFERENCES policies(id) ON DELETE SET NULL
+          )
+        `);
+                db.exec(`
+          CREATE INDEX IF NOT EXISTS idx_policies_tenant_status
+          ON policies(tenant_id, status)
+        `);
+                db.exec(`
+          CREATE INDEX IF NOT EXISTS idx_policies_memory
+          ON policies(memory_id) WHERE memory_id IS NOT NULL
+        `);
+                // Supports the as-of query (active policies in force at a valid-time).
+                db.exec(`
+          CREATE INDEX IF NOT EXISTS idx_policies_asof
+          ON policies(tenant_id, valid_from)
+        `);
+                // Cross-tenant safety vs the referenced memory (verbatim mirror of the
+                // v32 processes tenant-match triggers).
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_policies_tenant_match_insert
+          BEFORE INSERT ON policies
+          WHEN NEW.memory_id IS NOT NULL
+          BEGIN
+            SELECT CASE
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'policies.tenant_id must match memories.tenant_id for the referenced memory')
+            END;
+          END
+        `);
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_policies_tenant_match_update
+          BEFORE UPDATE ON policies
+          WHEN NEW.memory_id IS NOT NULL
+            AND (NEW.memory_id IS NOT OLD.memory_id OR NEW.tenant_id IS NOT OLD.tenant_id)
+          BEGIN
+            SELECT CASE
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'policies.tenant_id must match memories.tenant_id for the referenced memory')
+            END;
+          END
+        `);
+                // Cross-tenant safety vs the successor policy (self-FK; verbatim mirror of
+                // the v32 processes supersede trigger).
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_policies_supersede_tenant_match_update
+          BEFORE UPDATE ON policies
+          WHEN NEW.superseded_by IS NOT NULL
+            AND NEW.superseded_by IS NOT OLD.superseded_by
+          BEGIN
+            SELECT CASE
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM policies WHERE id = NEW.superseded_by)
+              THEN RAISE(ABORT, 'policies.superseded_by must reference a policy in the same tenant')
+            END;
+          END
+        `);
+            }
+        },
+    },
+    {
+        version: 34,
+        up: (db) => {
+            // E2 skill first-class object (docs/plans/2026-05-30-e2-skill-object.md).
+            // A skill is a reusable, agent-followable capability: an `instructions` body
+            // + an optional `trigger_text` (when to apply), evolving via the v32
+            // processes supersede machinery (superseded_by self-FK + supersede
+            // tenant-match trigger + version + change_summary). This table = the v32
+            // processes table MINUS `steps` (a skill's content is a single instructions
+            // body) PLUS `instructions` (NOT NULL) and `trigger_text`. "Executable" is
+            // scoped to an agent-followable instruction that EXPORTS into the agent's
+            // in-force rules (AGENTS.md / CLAUDE.md) via exportSkills; literal code
+            // execution is deferred. NOTE: the column is `trigger_text`, NOT `trigger`,
+            // because TRIGGER is a SQLite reserved keyword.
+            if (!tableExists(db, 'skills')) {
+                db.exec(`
+          CREATE TABLE skills (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            memory_id TEXT,
+            tenant_id TEXT NOT NULL,
+            skill_name TEXT NOT NULL,
+            instructions TEXT NOT NULL,
+            trigger_text TEXT,
+            version INTEGER NOT NULL DEFAULT 1,
+            status TEXT NOT NULL DEFAULT 'active'
+              CHECK (status IN ('active', 'superseded', 'closed')),
+            superseded_by INTEGER,
+            superseded_at TEXT,
+            change_summary TEXT,
+            closed_at TEXT,
+            created_at TEXT NOT NULL,
+            FOREIGN KEY (memory_id) REFERENCES memories(id) ON DELETE SET NULL,
+            FOREIGN KEY (superseded_by) REFERENCES skills(id) ON DELETE SET NULL
+          )
+        `);
+                db.exec(`
+          CREATE INDEX IF NOT EXISTS idx_skills_tenant_status
+          ON skills(tenant_id, status)
+        `);
+                db.exec(`
+          CREATE INDEX IF NOT EXISTS idx_skills_memory
+          ON skills(memory_id) WHERE memory_id IS NOT NULL
+        `);
+                // Cross-tenant safety vs the referenced memory (verbatim mirror of the
+                // v32 processes tenant-match triggers).
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_skills_tenant_match_insert
+          BEFORE INSERT ON skills
+          WHEN NEW.memory_id IS NOT NULL
+          BEGIN
+            SELECT CASE
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'skills.tenant_id must match memories.tenant_id for the referenced memory')
+            END;
+          END
+        `);
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_skills_tenant_match_update
+          BEFORE UPDATE ON skills
+          WHEN NEW.memory_id IS NOT NULL
+            AND (NEW.memory_id IS NOT OLD.memory_id OR NEW.tenant_id IS NOT OLD.tenant_id)
+          BEGIN
+            SELECT CASE
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'skills.tenant_id must match memories.tenant_id for the referenced memory')
+            END;
+          END
+        `);
+                // Cross-tenant safety vs the successor skill (self-FK; verbatim mirror of
+                // the v32 processes supersede trigger).
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_skills_supersede_tenant_match_update
+          BEFORE UPDATE ON skills
+          WHEN NEW.superseded_by IS NOT NULL
+            AND NEW.superseded_by IS NOT OLD.superseded_by
+          BEGIN
+            SELECT CASE
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM skills WHERE id = NEW.superseded_by)
+              THEN RAISE(ABORT, 'skills.superseded_by must reference a skill in the same tenant')
+            END;
+          END
+        `);
+            }
+        },
+    },
+    {
+        version: 35,
+        up: (db) => {
+            // E2 project_brief first-class object
+            // (docs/plans/2026-05-30-e2-project-brief-object.md). A project_brief is the
+            // living, repo-scoped summary of a repository's state: a `summary` body
+            // scoped to a `repo`, evolving via the v34 skills supersede machinery
+            // (superseded_by self-FK + supersede tenant-match trigger + version +
+            // change_summary). This table = the v34 skills table with
+            // skill_name/trigger_text replaced by `repo` (the repo-scoping dimension)
+            // PLUS `summary` (the brief body). The distinguishing op (refreshBrief, in
+            // src/project-briefs.ts) auto-assembles the summary from the repo's receipts
+            // (memory rows tagged path:<repo>); it needs no schema support beyond `repo`.
+            // All column names were checked against SQLite reserved words (skill-episode
+            // lesson re: `trigger`): repo/summary/version/status/etc. are non-reserved.
+            if (!tableExists(db, 'project_briefs')) {
+                db.exec(`
+          CREATE TABLE project_briefs (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            memory_id TEXT,
+            tenant_id TEXT NOT NULL,
+            repo TEXT NOT NULL,
+            summary TEXT NOT NULL,
+            version INTEGER NOT NULL DEFAULT 1,
+            status TEXT NOT NULL DEFAULT 'active'
+              CHECK (status IN ('active', 'superseded', 'closed')),
+            superseded_by INTEGER,
+            superseded_at TEXT,
+            change_summary TEXT,
+            closed_at TEXT,
+            created_at TEXT NOT NULL,
+            FOREIGN KEY (memory_id) REFERENCES memories(id) ON DELETE SET NULL,
+            FOREIGN KEY (superseded_by) REFERENCES project_briefs(id) ON DELETE SET NULL
+          )
+        `);
+                db.exec(`
+          CREATE INDEX IF NOT EXISTS idx_project_briefs_tenant_status
+          ON project_briefs(tenant_id, status)
+        `);
+                db.exec(`
+          CREATE INDEX IF NOT EXISTS idx_project_briefs_memory
+          ON project_briefs(memory_id) WHERE memory_id IS NOT NULL
+        `);
+                db.exec(`
+          CREATE INDEX IF NOT EXISTS idx_project_briefs_repo
+          ON project_briefs(tenant_id, repo, status)
+        `);
+                // Cross-tenant safety vs the referenced memory (verbatim mirror of the
+                // v34 skills tenant-match triggers).
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_project_briefs_tenant_match_insert
+          BEFORE INSERT ON project_briefs
+          WHEN NEW.memory_id IS NOT NULL
+          BEGIN
+            SELECT CASE
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'project_briefs.tenant_id must match memories.tenant_id for the referenced memory')
+            END;
+          END
+        `);
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_project_briefs_tenant_match_update
+          BEFORE UPDATE ON project_briefs
+          WHEN NEW.memory_id IS NOT NULL
+            AND (NEW.memory_id IS NOT OLD.memory_id OR NEW.tenant_id IS NOT OLD.tenant_id)
+          BEGIN
+            SELECT CASE
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'project_briefs.tenant_id must match memories.tenant_id for the referenced memory')
+            END;
+          END
+        `);
+                // Cross-tenant safety vs the successor brief (self-FK; verbatim mirror of
+                // the v34 skills supersede trigger).
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_project_briefs_supersede_tenant_match_update
+          BEFORE UPDATE ON project_briefs
+          WHEN NEW.superseded_by IS NOT NULL
+            AND NEW.superseded_by IS NOT OLD.superseded_by
+          BEGIN
+            SELECT CASE
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM project_briefs WHERE id = NEW.superseded_by)
+              THEN RAISE(ABORT, 'project_briefs.superseded_by must reference a project_brief in the same tenant')
+            END;
+          END
+        `);
+            }
+        },
+    },
+    {
+        version: 36,
+        up: (db) => {
+            // E2 customer_note first-class object (the LAST E2 object)
+            // (docs/plans/2026-06-01-e2-customer-note-object.md). A customer_note is a
+            // discrete note recorded against an account/customer entity, evolving via the
+            // v35 project_briefs supersede machinery (superseded_by self-FK + supersede
+            // tenant-match trigger + version + change_summary). This table = the v35
+            // project_briefs table with repo/summary replaced by `customer` (the
+            // entity-scoping dimension; a free-form account/customer id - the entities
+            // table is unbuilt E3.1, so a FK is deferred) PLUS `note` (the note body).
+            // MANY notes per customer (each its own supersede chain), unlike the
+            // one-summary-per-repo project_brief. All column names checked against SQLite
+            // reserved words (skill-episode lesson, codebase-audit rule 10): customer/note/
+            // version/status/etc. are non-reserved.
+            if (!tableExists(db, 'customer_notes')) {
+                db.exec(`
+          CREATE TABLE customer_notes (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            memory_id TEXT,
+            tenant_id TEXT NOT NULL,
+            customer TEXT NOT NULL,
+            note TEXT NOT NULL,
+            version INTEGER NOT NULL DEFAULT 1,
+            status TEXT NOT NULL DEFAULT 'active'
+              CHECK (status IN ('active', 'superseded', 'closed')),
+            superseded_by INTEGER,
+            superseded_at TEXT,
+            change_summary TEXT,
+            closed_at TEXT,
+            created_at TEXT NOT NULL,
+            FOREIGN KEY (memory_id) REFERENCES memories(id) ON DELETE SET NULL,
+            FOREIGN KEY (superseded_by) REFERENCES customer_notes(id) ON DELETE SET NULL
+          )
+        `);
+                db.exec(`
+          CREATE INDEX IF NOT EXISTS idx_customer_notes_tenant_status
+          ON customer_notes(tenant_id, status)
+        `);
+                db.exec(`
+          CREATE INDEX IF NOT EXISTS idx_customer_notes_memory
+          ON customer_notes(memory_id) WHERE memory_id IS NOT NULL
+        `);
+                db.exec(`
+          CREATE INDEX IF NOT EXISTS idx_customer_notes_customer
+          ON customer_notes(tenant_id, customer, status)
+        `);
+                // Cross-tenant safety vs the referenced memory (verbatim mirror of the
+                // v35 project_briefs tenant-match triggers).
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_customer_notes_tenant_match_insert
+          BEFORE INSERT ON customer_notes
+          WHEN NEW.memory_id IS NOT NULL
+          BEGIN
+            SELECT CASE
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'customer_notes.tenant_id must match memories.tenant_id for the referenced memory')
+            END;
+          END
+        `);
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_customer_notes_tenant_match_update
+          BEFORE UPDATE ON customer_notes
+          WHEN NEW.memory_id IS NOT NULL
+            AND (NEW.memory_id IS NOT OLD.memory_id OR NEW.tenant_id IS NOT OLD.tenant_id)
+          BEGIN
+            SELECT CASE
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'customer_notes.tenant_id must match memories.tenant_id for the referenced memory')
+            END;
+          END
+        `);
+                // Cross-tenant safety vs the successor note (self-FK; verbatim mirror of the
+                // v35 project_briefs supersede trigger).
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_customer_notes_supersede_tenant_match_update
+          BEFORE UPDATE ON customer_notes
+          WHEN NEW.superseded_by IS NOT NULL
+            AND NEW.superseded_by IS NOT OLD.superseded_by
+          BEGIN
+            SELECT CASE
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM customer_notes WHERE id = NEW.superseded_by)
+              THEN RAISE(ABORT, 'customer_notes.superseded_by must reference a customer_note in the same tenant')
+            END;
+          END
+        `);
+            }
+        },
+    },
+    {
+        version: 37,
+        up: (db) => {
+            // E3.3 graph-on-consolidated guard (docs/plans/2026-06-01-e3-graph-guard.md).
+            // The graph layer (entities + relations) sits ON TOP OF consolidated state and
+            // must NEVER index the raw layer. The substrate: entities + relations +
+            // graph_extraction_queue, each FK-ing to memories and guarded so they can only
+            // reference CONSOLIDATED memories (kind IN ('distilled','superseded')), never
+            // kind='raw'. New tables -> real CHECK constraints (unlike the ALTER'd memories,
+            // whose kind CHECK lives in triggers). The kind/source MATCH (source_kind ==
+            // the FK'd memory's actual kind) cannot be a CHECK (CHECK can't subquery), so it
+            // is a BEFORE INSERT *and* BEFORE UPDATE trigger (the subquery-capable pattern
+            // from the v30 decisions / predictions tenant-match triggers). Both INSERT and
+            // UPDATE are guarded: an INSERT-only guard is bypassable via a raw SQL UPDATE
+            // that moves a row onto a raw memory (plan-eng-critic 2026-06-01). All column
+            // names checked vs SQL reserved words (rule 10): rel_type avoids REFERENCES.
+            if (!tableExists(db, 'entities')) {
+                db.exec(`
+          CREATE TABLE entities (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            tenant_id TEXT NOT NULL,
+            entity_type TEXT NOT NULL
+              CHECK (entity_type IN ('person', 'project', 'customer', 'system', 'policy', 'decision')),
+            name TEXT NOT NULL,
+            memory_id TEXT NOT NULL,
+            source_kind TEXT NOT NULL CHECK (source_kind IN ('distilled', 'superseded')),
+            created_at TEXT NOT NULL,
+            FOREIGN KEY (memory_id) REFERENCES memories(id) ON DELETE CASCADE
+          )
+        `);
+                db.exec(`CREATE INDEX IF NOT EXISTS idx_entities_tenant ON entities(tenant_id)`);
+                db.exec(`CREATE INDEX IF NOT EXISTS idx_entities_memory ON entities(memory_id)`);
+                db.exec(`
+          CREATE TABLE relations (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            tenant_id TEXT NOT NULL,
+            from_entity_id INTEGER NOT NULL,
+            to_entity_id INTEGER NOT NULL,
+            rel_type TEXT NOT NULL
+              CHECK (rel_type IN ('owns', 'supersedes', 'depends-on', 'blocked-by', 'references')),
+            memory_id TEXT NOT NULL,
+            source_kind TEXT NOT NULL CHECK (source_kind IN ('distilled', 'superseded')),
+            created_at TEXT NOT NULL,
+            FOREIGN KEY (from_entity_id) REFERENCES entities(id) ON DELETE CASCADE,
+            FOREIGN KEY (to_entity_id) REFERENCES entities(id) ON DELETE CASCADE,
+            FOREIGN KEY (memory_id) REFERENCES memories(id) ON DELETE CASCADE
+          )
+        `);
+                db.exec(`CREATE INDEX IF NOT EXISTS idx_relations_tenant ON relations(tenant_id)`);
+                db.exec(`CREATE INDEX IF NOT EXISTS idx_relations_from ON relations(from_entity_id)`);
+                db.exec(`CREATE INDEX IF NOT EXISTS idx_relations_to ON relations(to_entity_id)`);
+                db.exec(`CREATE INDEX IF NOT EXISTS idx_relations_memory ON relations(memory_id)`);
+                db.exec(`
+          CREATE TABLE graph_extraction_queue (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            tenant_id TEXT NOT NULL,
+            memory_id TEXT NOT NULL,
+            kind TEXT NOT NULL CHECK (kind IN ('distilled', 'superseded')),
+            status TEXT NOT NULL DEFAULT 'pending'
+              CHECK (status IN ('pending', 'processed', 'skipped')),
+            enqueued_at TEXT NOT NULL,
+            processed_at TEXT,
+            FOREIGN KEY (memory_id) REFERENCES memories(id) ON DELETE CASCADE
+          )
+        `);
+                db.exec(`CREATE INDEX IF NOT EXISTS idx_graph_queue_status ON graph_extraction_queue(tenant_id, status)`);
+                // entities guard: source_kind must equal the FK'd memory's actual kind (so a
+                // raw memory or a lying source_kind both ABORT), and tenant must match. Both
+                // INSERT and UPDATE (UPDATE fires when memory_id/source_kind/tenant_id change).
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_entities_consolidated_only_insert
+          BEFORE INSERT ON entities
+          BEGIN
+            SELECT CASE
+              WHEN NEW.source_kind != (SELECT kind FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'entities.source_kind must equal the referenced memory kind; the graph indexes consolidated state only (no raw)')
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'entities.tenant_id must match memories.tenant_id for the referenced memory')
+            END;
+          END
+        `);
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_entities_consolidated_only_update
+          BEFORE UPDATE ON entities
+          WHEN NEW.memory_id IS NOT OLD.memory_id
+            OR NEW.source_kind IS NOT OLD.source_kind
+            OR NEW.tenant_id IS NOT OLD.tenant_id
+          BEGIN
+            SELECT CASE
+              WHEN NEW.source_kind != (SELECT kind FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'entities.source_kind must equal the referenced memory kind; the graph indexes consolidated state only (no raw)')
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'entities.tenant_id must match memories.tenant_id for the referenced memory')
+            END;
+          END
+        `);
+                // relations guard: source_kind must equal the FK'd memory's kind; tenant must
+                // match the memory AND both endpoint entities (no cross-tenant edges).
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_relations_consolidated_only_insert
+          BEFORE INSERT ON relations
+          BEGIN
+            SELECT CASE
+              WHEN NEW.source_kind != (SELECT kind FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'relations.source_kind must equal the referenced memory kind; the graph indexes consolidated state only (no raw)')
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'relations.tenant_id must match memories.tenant_id for the referenced memory')
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM entities WHERE id = NEW.from_entity_id)
+              THEN RAISE(ABORT, 'relations.tenant_id must match the from_entity tenant (no cross-tenant edges)')
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM entities WHERE id = NEW.to_entity_id)
+              THEN RAISE(ABORT, 'relations.tenant_id must match the to_entity tenant (no cross-tenant edges)')
+            END;
+          END
+        `);
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_relations_consolidated_only_update
+          BEFORE UPDATE ON relations
+          WHEN NEW.memory_id IS NOT OLD.memory_id
+            OR NEW.source_kind IS NOT OLD.source_kind
+            OR NEW.tenant_id IS NOT OLD.tenant_id
+            OR NEW.from_entity_id IS NOT OLD.from_entity_id
+            OR NEW.to_entity_id IS NOT OLD.to_entity_id
+          BEGIN
+            SELECT CASE
+              WHEN NEW.source_kind != (SELECT kind FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'relations.source_kind must equal the referenced memory kind; the graph indexes consolidated state only (no raw)')
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'relations.tenant_id must match memories.tenant_id for the referenced memory')
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM entities WHERE id = NEW.from_entity_id)
+              THEN RAISE(ABORT, 'relations.tenant_id must match the from_entity tenant (no cross-tenant edges)')
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM entities WHERE id = NEW.to_entity_id)
+              THEN RAISE(ABORT, 'relations.tenant_id must match the to_entity tenant (no cross-tenant edges)')
+            END;
+          END
+        `);
+                // graph_extraction_queue guard: kind must equal the FK'd memory's actual kind
+                // (so a raw memory ABORTs), and tenant must match. INSERT and UPDATE.
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_graph_queue_consolidated_only_insert
+          BEFORE INSERT ON graph_extraction_queue
+          BEGIN
+            SELECT CASE
+              WHEN NEW.kind != (SELECT kind FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'graph_extraction_queue.kind must equal the referenced memory kind; only consolidated memories are queued (no raw)')
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'graph_extraction_queue.tenant_id must match memories.tenant_id for the referenced memory')
+            END;
+          END
+        `);
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_graph_queue_consolidated_only_update
+          BEFORE UPDATE ON graph_extraction_queue
+          WHEN NEW.memory_id IS NOT OLD.memory_id
+            OR NEW.kind IS NOT OLD.kind
+            OR NEW.tenant_id IS NOT OLD.tenant_id
+          BEGIN
+            SELECT CASE
+              WHEN NEW.kind != (SELECT kind FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'graph_extraction_queue.kind must equal the referenced memory kind; only consolidated memories are queued (no raw)')
+              WHEN NEW.tenant_id != (SELECT tenant_id FROM memories WHERE id = NEW.memory_id)
+              THEN RAISE(ABORT, 'graph_extraction_queue.tenant_id must match memories.tenant_id for the referenced memory')
+            END;
+          END
+        `);
+                // Reverse guard (codex-review-critic 2026-06-01, P1): the graph-table triggers
+                // only fire on writes to the GRAPH tables. They do NOT fire when an
+                // already-indexed memory is later mutated. So 'UPDATE memories SET kind=raw'
+                // (or a tenant change) on a memory the graph references would silently leave
+                // entity/relation/queue rows pointing at a raw / cross-tenant memory while
+                // their source_kind stays 'distilled' - bypassing the central 'graph never
+                // indexes raw' invariant after insertion. This trigger closes that direction:
+                // a memory cannot be reclassified to raw, nor moved cross-tenant, WHILE the
+                // graph references it (rebuild/remove the graph rows first). Cheap: the EXISTS
+                // checks are only evaluated when kind actually becomes raw or tenant changes.
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_memories_graph_referenced_guard
+          BEFORE UPDATE ON memories
+          WHEN (NEW.kind IS NOT OLD.kind OR NEW.tenant_id IS NOT OLD.tenant_id)
+            AND (
+              EXISTS (SELECT 1 FROM entities WHERE memory_id = OLD.id)
+              OR EXISTS (SELECT 1 FROM relations WHERE memory_id = OLD.id)
+              OR EXISTS (SELECT 1 FROM graph_extraction_queue WHERE memory_id = OLD.id)
+            )
+          BEGIN
+            SELECT RAISE(ABORT, 'cannot change the kind or tenant of a memory while the graph references it (E3.3 graph-on-consolidated guard); a graph-referenced memory is immutable in kind/tenant - rebuild/remove the graph rows first, or rebuild them after supersession');
+          END
+        `);
+                // Reverse guard #2 (codex-review-critic 2026-06-01 retry, P2): an entity that is
+                // a relation endpoint cannot be moved cross-tenant. The entity UPDATE trigger
+                // validates the entity against its source memory, but an existing relation
+                // pointing at the entity is NOT re-validated, so a raw 'UPDATE entities SET
+                // tenant_id=?, memory_id=?' to another tenant would leave a tenant-A relation
+                // pointing at a tenant-B entity. Block the tenant move while the entity is
+                // referenced by any relation (rebuild the relations first).
+                db.exec(`
+          CREATE TRIGGER IF NOT EXISTS trg_entities_no_tenant_move_when_referenced
+          BEFORE UPDATE ON entities
+          WHEN NEW.tenant_id IS NOT OLD.tenant_id
+            AND EXISTS (SELECT 1 FROM relations WHERE from_entity_id = OLD.id OR to_entity_id = OLD.id)
+          BEGIN
+            SELECT RAISE(ABORT, 'cannot move an entity cross-tenant while a relation references it as an endpoint (E3.3 graph-on-consolidated guard); rebuild/remove the relations first');
+          END
         `);
             }
         },
@@ -1101,11 +1915,11 @@ function runMigrations(db) {
     ensureOptionalFts(db);
 }
 function ensureMetaTable(db) {
-    db.exec(`
-    CREATE TABLE IF NOT EXISTS meta (
-      key TEXT PRIMARY KEY,
-      value TEXT NOT NULL
-    );
+    db.exec(`
+    CREATE TABLE IF NOT EXISTS meta (
+      key TEXT PRIMARY KEY,
+      value TEXT NOT NULL
+    );
   `);
 }
 export function getSchemaVersion(db) {
@@ -1148,17 +1962,17 @@ function backfillFtsIndex(db) {
     const ftsCount = db.prepare(`SELECT COUNT(*) AS c FROM memories_fts`).get()?.c ?? 0;
     if (memCount === ftsCount)
         return;
-    db.exec(`
-    INSERT INTO memories_fts(id, content, tags)
-    SELECT m.id, m.content, m.tags_json
-    FROM memories m
-    WHERE NOT EXISTS (
-      SELECT 1 FROM memories_fts f WHERE f.id = m.id
-    )
+    db.exec(`
+    INSERT INTO memories_fts(id, content, tags)
+    SELECT m.id, m.content, m.tags_json
+    FROM memories m
+    WHERE NOT EXISTS (
+      SELECT 1 FROM memories_fts f WHERE f.id = m.id
+    )
   `);
-    db.exec(`
-    DELETE FROM memories_fts
-    WHERE id NOT IN (SELECT id FROM memories)
+    db.exec(`
+    DELETE FROM memories_fts
+    WHERE id NOT IN (SELECT id FROM memories)
   `);
 }
 export function closeHippoDb(db) {
@@ -1175,13 +1989,13 @@ export function isFtsAvailable(db) {
     return getMeta(db, 'fts5_available', '0') === '1';
 }
 export function pruneConsolidationRuns(db, keep = 50) {
-    db.prepare(`
-    DELETE FROM consolidation_runs
-    WHERE id NOT IN (
-      SELECT id FROM consolidation_runs
-      ORDER BY timestamp DESC, id DESC
-      LIMIT ?
-    )
+    db.prepare(`
+    DELETE FROM consolidation_runs
+    WHERE id NOT IN (
+      SELECT id FROM consolidation_runs
+      ORDER BY timestamp DESC, id DESC
+      LIMIT ?
+    )
   `).run(keep);
 }
 //# sourceMappingURL=db.js.map