hypomnema 1.2.1 → 1.3.1

package/hooks/version-check.mjs

@@ -18,8 +18,8 @@
  *     than overwrites so it never erases the hook's `notifiedFor` marks.
  */
 
-import { readFileSync, writeFileSync, renameSync, mkdirSync } from 'fs';
-import { dirname, join } from 'path';
+import { readFileSync, writeFileSync, renameSync, mkdirSync, realpathSync, existsSync } from 'fs';
+import { dirname, join, delimiter } from 'path';
 import { homedir } from 'os';
 
 export const TTL_MS = 24 * 60 * 60 * 1000; // 24h
@@ -48,24 +48,72 @@ export function parseSemver(v) {
     .replace(/^v/, '')
     .match(/^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/);
   if (!m) return null;
-  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || '' };
+  // Keep core identifiers as RAW DIGIT STRINGS (not +Number) so compareSemver can
+  // order them precisely — SemVer caps neither core nor prerelease numeric length,
+  // and Number() silently loses precision past 2^53.
+  return { major: m[1], minor: m[2], patch: m[3], pre: m[4] || '' };
+}
+
+/**
+ * Compare two SemVer numeric identifier strings (digits only, no leading zeros).
+ * Done WITHOUT Number() so arbitrary-length identifiers order exactly: fewer
+ * digits ⇒ smaller value; equal length ⇒ ASCII order is numeric order.
+ */
+function compareNumericId(x, y) {
+  if (x.length !== y.length) return x.length < y.length ? -1 : 1;
+  if (x !== y) return x < y ? -1 : 1;
+  return 0;
+}
+
+/**
+ * Compare two prerelease strings per the SemVer §11 precedence rules. Identifiers
+ * are dot-separated; numeric ones compare numerically and always rank LOWER than
+ * alphanumeric ones; a larger set of identifiers outranks a smaller one when all
+ * preceding identifiers are equal. Both inputs are non-empty prereleases here.
+ */
+function comparePrerelease(a, b) {
+  const ai = a.split('.');
+  const bi = b.split('.');
+  const len = Math.max(ai.length, bi.length);
+  for (let i = 0; i < len; i++) {
+    // "a larger set of pre-release fields has higher precedence" → the one that
+    // still has identifiers wins once the shorter one runs out.
+    if (i >= ai.length) return -1;
+    if (i >= bi.length) return 1;
+    const x = ai[i];
+    const y = bi[i];
+    const xn = /^\d+$/.test(x);
+    const yn = /^\d+$/.test(y);
+    if (xn && yn) {
+      const c = compareNumericId(x, y);
+      if (c !== 0) return c;
+    } else if (xn !== yn) {
+      return xn ? -1 : 1; // numeric identifiers have lower precedence
+    } else if (x !== y) {
+      return x < y ? -1 : 1; // ASCII lexical for alphanumeric
+    }
+  }
+  return 0;
 }
 
 /**
  * Compare two semver strings. Returns -1 / 0 / 1, or null if either is invalid.
- * A release outranks a prerelease of the same x.y.z (1.2.3 > 1.2.3-rc.1).
+ * A release outranks a prerelease of the same x.y.z (1.2.3 > 1.2.3-rc.1), and
+ * prereleases follow full SemVer §11 precedence (1.2.3-rc.2 < 1.2.3-rc.10) — this
+ * matters because compareSemver now gates the init/upgrade downgrade guard.
  */
 export function compareSemver(a, b) {
   const pa = parseSemver(a);
   const pb = parseSemver(b);
   if (!pa || !pb) return null;
   for (const k of ['major', 'minor', 'patch']) {
-    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
+    const c = compareNumericId(pa[k], pb[k]);
+    if (c !== 0) return c;
   }
   if (pa.pre === pb.pre) return 0;
   if (!pa.pre) return 1; // release > prerelease
   if (!pb.pre) return -1;
-  return pa.pre < pb.pre ? -1 : 1; // lexicographic fallback (good enough)
+  return comparePrerelease(pa.pre, pb.pre);
 }
 
 // ── channel detection ──────────────────────────────────────────────────────
@@ -182,3 +230,153 @@ export function mergeLatest(path, latest, now = Date.now()) {
 export function isOptedOut(env = process.env) {
   return Boolean(env.HYPO_NO_UPDATE_CHECK || env.NO_UPDATE_NOTIFIER || env.CI);
 }
+
+// ── stale-sibling detection (ADR 0038) ───────────────────────────────────────
+//
+// A second, OLDER Hypomnema can sit on $PATH (e.g. a stale `npm i -g hypomnema`)
+// while a newer copy owns the active hooks. The CLI bin (`hypomnema`) then routes
+// `hypomnema init` / `upgrade --apply` through the OLD package, which silently
+// downgrades the newer registered hooks (dropping features like this notifier).
+//
+// The update-notifier above only asks "is MY install behind latest?" — it is
+// blind to a stale SIBLING. These helpers add that axis. They are fs-only and
+// offline (no `npm`, no `which` spawn) so they are safe inside the SessionStart
+// hook and `doctor`.
+
+/** realpathSync that returns null instead of throwing on a missing/broken path. */
+export function realpathSafe(p) {
+  if (typeof p !== 'string' || !p) return null;
+  try {
+    return realpathSync(p);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Read the nearest ancestor `package.json` named `hypomnema`, starting at `start`
+ * and walking up. Returns { pkgRoot, version } or null. Used to map a resolved
+ * bin path back to the package that owns it.
+ */
+function readOwningPkg(start) {
+  let dir = start;
+  // Bounded ascent (filesystem depth is finite; cap defensively).
+  for (let i = 0; i < 64; i++) {
+    const pkgPath = join(dir, 'package.json');
+    if (existsSync(pkgPath)) {
+      try {
+        const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+        if (pkg && pkg.name === 'hypomnema' && typeof pkg.version === 'string') {
+          return { pkgRoot: dir, version: pkg.version };
+        }
+      } catch {
+        /* keep ascending — a non-hypomnema package.json is not our target */
+      }
+    }
+    const parent = dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return null;
+}
+
+/**
+ * Locate the `hypomnema` CLI on $PATH WITHOUT spawning `which`/`npm`.
+ *
+ * Splits $PATH, probes each dir for the bin (plus PATHEXT variants on Windows),
+ * resolves symlinks (npm global bins are symlinks into node_modules), then walks
+ * up to the owning package.json. Returns { binPath, pkgRoot, version } for the
+ * FIRST hit — that is the one the shell would actually run — or null.
+ *
+ * Windows note: npm installs `.cmd`/`.ps1` launcher shims (not symlinks), so the
+ * realpath→package.json walk usually fails there and we return null rather than
+ * guess. POSIX (the reported footgun) resolves cleanly.
+ */
+export function resolveCliOnPath(binName = 'hypomnema', env = process.env) {
+  const pathVar = env.PATH || env.Path || '';
+  if (!pathVar) return null;
+  const dirs = pathVar.split(delimiter).filter(Boolean);
+  const exts =
+    process.platform === 'win32'
+      ? (env.PATHEXT || '.COM;.EXE;.BAT;.CMD').split(';').filter(Boolean)
+      : [''];
+  for (const dir of dirs) {
+    for (const ext of exts) {
+      const candidate = join(dir, binName + ext.toLowerCase());
+      const real = realpathSafe(candidate);
+      if (!real) continue;
+      const owner = readOwningPkg(dirname(real));
+      if (owner) return { binPath: candidate, ...owner };
+    }
+  }
+  return null;
+}
+
+/**
+ * Classify two installs by version and identity. Returns:
+ *   'same'      — same package root (dev re-run / npm-link) → never a downgrade
+ *   'downgrade' — `incoming` is strictly OLDER than `active`
+ *   'ok'        — `incoming` >= `active`
+ *   'unknown'   — either version unparseable; cannot prove a downgrade
+ *
+ * realpath-compares the roots first so a dev workspace re-running its own
+ * init/upgrade is never mis-flagged.
+ */
+export function classifyInstall(incoming, active) {
+  const ri = realpathSafe(incoming && incoming.pkgRoot);
+  const ra = realpathSafe(active && active.pkgRoot);
+  if (ri && ra && ri === ra) return 'same';
+  const cmp = compareSemver(incoming && incoming.version, active && active.version);
+  if (cmp === null) return 'unknown';
+  return cmp < 0 ? 'downgrade' : 'ok';
+}
+
+/**
+ * Decide whether to warn about a stale sibling owning the CLI. Returns
+ * { cliVersion, line, key } or null. Warns only when the PATH CLI is a DIFFERENT,
+ * strictly OLDER package than the active install.
+ *
+ * `key` is a throttle token (cli path+version → active version) so the
+ * SessionStart hook can suppress repeats via `siblingNotifiedFor`.
+ */
+export function computeSiblingNotice(cli, active) {
+  if (!cli || !active || !active.version) return null;
+  if (classifyInstall(cli, active) !== 'downgrade') return null;
+  const key = `${cli.binPath || cli.pkgRoot}@${cli.version}->${active.version}`;
+  const line =
+    `[Hypomnema] Stale install on PATH: \`${cli.binPath || cli.pkgRoot}\` is v${cli.version}, ` +
+    `but your active install is v${active.version}.\n` +
+    `  Running \`hypomnema init\`/\`upgrade\` from PATH would DOWNGRADE your hooks.\n` +
+    `  → remove the old one:  npm uninstall -g hypomnema   (then re-check with \`hypomnema doctor\`)`;
+  return { cliVersion: cli.version, line, key };
+}
+
+/** Has this exact sibling tuple already been surfaced? */
+export function siblingAlreadyNotified(cache, key) {
+  return Boolean(cache && cache.siblingNotifiedFor === key);
+}
+
+/** Record that the sibling banner for `key` was shown (read-merge-write). */
+export function markSiblingNotified(path, key) {
+  try {
+    const cache = readCache(path) || {};
+    cache.siblingNotifiedFor = key;
+    writeCacheAtomic(path, cache);
+  } catch {
+    /* best-effort */
+  }
+}
+
+/**
+ * Shared one-line message for the init/upgrade downgrade guard (P). `op` is
+ * 'init' or 'upgrade'. Kept here so guard text stays identical across both CLIs.
+ */
+export function downgradeGuardMessage(incomingVersion, activeVersion, op) {
+  return (
+    `[Hypomnema] Refusing to ${op}: this package is v${incomingVersion}, but your ` +
+    `active install is NEWER (v${activeVersion}).\n` +
+    `  This is usually a stale global CLI on PATH — proceeding would DOWNGRADE your hooks.\n` +
+    `  → upgrade the stale copy:  npm install -g hypomnema\n` +
+    `  → or, if you really mean to downgrade:  re-run with --allow-downgrade`
+  );
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hypomnema",
-  "version": "1.2.1",
+  "version": "1.3.1",
   "description": "LLM-native personal wiki system for Claude Code",
   "type": "module",
   "license": "MIT",
@@ -39,11 +39,14 @@
   "scripts": {
     "test": "node tests/runner.mjs",
     "lint": "node scripts/lint.mjs",
+    "fix:verify": "node scripts/fix-status-verify.mjs",
     "graph": "node scripts/graph.mjs",
     "smoke-pack": "node scripts/smoke-pack.mjs",
+    "check:bilingual": "node scripts/check-bilingual.mjs --changelog",
     "format": "prettier --write .",
     "format:check": "prettier --check .",
-    "prepublishOnly": "npm test && npm run lint && npm run smoke-pack"
+    "prepare": "node scripts/install-git-hooks.mjs",
+    "prepublishOnly": "npm test && npm run lint && npm run smoke-pack && npm run check:bilingual"
   },
   "devDependencies": {
     "prettier": "^3.8.3"

package/scripts/bump-version.mjs

@@ -52,6 +52,12 @@ for (const { path, pattern } of targets) {
 }
 
 console.log(`\nNext steps:`);
-console.log(`  git add -A && git commit -m "chore(release): v${next}"`);
-console.log(`  git tag v${next}`);
-console.log(`  git push origin <branch> --tags`);
+console.log(`  1. Edit CHANGELOG.md — ensure the "## [${next}]" section has a`);
+console.log(`     "### 한글 요약" sub-section (release.yml check-bilingual gate).`);
+console.log(`  2. node scripts/check-bilingual.mjs --changelog   # local pre-check`);
+console.log(`  3. git add -A && git commit -m "chore(release): v${next}"`);
+console.log(`  4. Create an ANNOTATED tag (lightweight tags are rejected by CI):`);
+console.log(`       git tag -a v${next} -m "<English body>\\n\\n---\\n\\n<한글 요약>"`);
+console.log(`     See docs/CONTRIBUTING.md "Cutting a release" for the full template.`);
+console.log(`  5. node scripts/check-bilingual.mjs --tag v${next}   # local pre-check`);
+console.log(`  6. git push origin <branch> --tags`);

package/scripts/check-bilingual.mjs

@@ -0,0 +1,115 @@
+#!/usr/bin/env node
+/**
+ * check-bilingual.mjs — CLI gate for the bilingual release-doc rule.
+ *
+ * Modes:
+ *   --changelog [version]   Validate CHANGELOG.md section for given version.
+ *                           Defaults to package.json's "version" field.
+ *                           Wired into npm `prepublishOnly` so publishes fail
+ *                           when the Korean summary is missing.
+ *
+ *   --tag <ref>             Validate annotated tag body for given ref.
+ *                           Wired into .github/workflows/release.yml so a
+ *                           lightweight tag or a missing Korean section
+ *                           blocks the npm publish step.
+ *
+ * Exits 0 on pass, 1 on fail with a stderr diagnostic.
+ */
+
+import { readFileSync } from 'fs';
+import { spawnSync } from 'child_process';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+import { validateChangelog, validateTagBody } from './lib/check-bilingual.mjs';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const REPO_ROOT = join(__dirname, '..');
+
+const RULE_REF =
+  'Rule source: CLAUDE.md learned_behaviors (release-doc-bilingual, 2026-05-24). ' +
+  'OSS Hypomnema ships must carry English body + Korean summary in both CHANGELOG section and git tag annotation.';
+
+function fail(msg) {
+  process.stderr.write(`[check-bilingual] FAIL: ${msg}\n${RULE_REF}\n`);
+  process.exit(1);
+}
+
+function ok(msg) {
+  process.stdout.write(`[check-bilingual] OK: ${msg}\n`);
+  process.exit(0);
+}
+
+function usage(exitCode) {
+  process.stdout.write(
+    `Usage:\n` +
+      `  node scripts/check-bilingual.mjs --changelog [version]\n` +
+      `      Validate CHANGELOG.md "## [<version>]" section. Default version: package.json.\n` +
+      `  node scripts/check-bilingual.mjs --tag <ref>\n` +
+      `      Validate annotated tag body (lightweight tags are rejected).\n`,
+  );
+  process.exit(exitCode);
+}
+
+const args = process.argv.slice(2);
+const mode = args[0];
+
+if (mode === '--help' || mode === '-h') usage(0);
+if (!mode) usage(1);
+
+if (mode === '--changelog') {
+  let version = args[1];
+  if (!version) {
+    try {
+      const pkg = JSON.parse(readFileSync(join(REPO_ROOT, 'package.json'), 'utf-8'));
+      version = pkg.version;
+    } catch (err) {
+      fail(`cannot read package.json: ${err.message}`);
+    }
+  }
+  if (!version) fail('no version (arg empty, package.json has no "version" field)');
+
+  let content;
+  try {
+    content = readFileSync(join(REPO_ROOT, 'CHANGELOG.md'), 'utf-8');
+  } catch (err) {
+    fail(`cannot read CHANGELOG.md: ${err.message}`);
+  }
+
+  const result = validateChangelog(content, version);
+  if (!result.ok) fail(result.reason);
+  ok(`CHANGELOG.md [${version}] — ${result.hangulCount} Hangul chars in "### 한글 요약".`);
+} else if (mode === '--tag') {
+  const ref = args[1];
+  if (!ref) fail('--tag requires a ref argument (e.g. v1.2.1)');
+
+  // Reject lightweight tags. `git rev-parse <ref>^{tag}` succeeds ONLY for
+  // annotated tags. For lightweight tags the ^{tag} peel fails because there
+  // is no tag object — the ref points straight at a commit.
+  const tagObj = spawnSync('git', ['rev-parse', '--verify', '--quiet', `${ref}^{tag}`], {
+    encoding: 'utf-8',
+    cwd: REPO_ROOT,
+  });
+  if (tagObj.status !== 0) {
+    const exists = spawnSync('git', ['rev-parse', '--verify', '--quiet', ref], {
+      encoding: 'utf-8',
+      cwd: REPO_ROOT,
+    });
+    if (exists.status !== 0) fail(`tag ${ref} not found`);
+    fail(
+      `tag ${ref} is a lightweight tag, not annotated. ` +
+        `Re-create with: git tag -a ${ref} -m "<English body>\n\n---\n\n<Korean summary>"`,
+    );
+  }
+
+  const tagBody = spawnSync('git', ['tag', '-l', `--format=%(contents)`, ref], {
+    encoding: 'utf-8',
+    cwd: REPO_ROOT,
+  });
+  if (tagBody.status !== 0) fail(`failed to read tag ${ref}: ${tagBody.stderr}`);
+
+  const result = validateTagBody(tagBody.stdout || '');
+  if (!result.ok) fail(`tag ${ref} — ${result.reason}`);
+  ok(`tag ${ref} annotation — ${result.hangulCount} Hangul chars after last "---" separator.`);
+} else {
+  fail(`unknown mode: ${mode}. Use --changelog or --tag (see --help).`);
+}

package/scripts/crystallize.mjs

@@ -55,7 +55,9 @@
  *     hypo-personal-check is still the final enforcement.
  *   • Post-apply — runs after the writes. Surfaces as stage='post-apply-lint'
  *     (or 'post-apply-verification+lint' if freshness also fails). Catches
- *     payloads that introduce a broken wikilink / malformed body.
+ *     payloads that introduce a malformed body / bad frontmatter (error-level);
+ *     broken wikilinks are lint W4 warnings and are not gated. A lint crash
+ *     hard-fails regardless of scope.
  */
 
 import {
@@ -77,6 +79,9 @@ import {
   writeSessionClosedMarker,
   sessionClosedMarkerPath,
   hypoIsClean,
+  extractTouchedWikiFiles,
+  closeFileTargets,
+  partitionLintScope,
 } from '../hooks/hypo-shared.mjs';
 
 const LINT_SCRIPT = join(dirname(fileURLToPath(import.meta.url)), 'lint.mjs');
@@ -117,6 +122,7 @@ function parseArgs(argv) {
     sessionId: null,
     payload: null,
     force: false,
+    transcriptPath: null,
   };
   for (const arg of argv.slice(2)) {
     if (arg.startsWith('--hypo-dir=')) args.hypoDir = expandHome(arg.slice(11));
@@ -126,6 +132,7 @@ function parseArgs(argv) {
     else if (arg === '--mark-session-closed') args.markSessionClosed = true;
     else if (arg.startsWith('--session-id=')) args.sessionId = arg.slice(13);
     else if (arg.startsWith('--payload=')) args.payload = arg.slice(10);
+    else if (arg.startsWith('--transcript-path=')) args.transcriptPath = expandHome(arg.slice(18));
     else if (arg === '--force') args.force = true;
     else if (arg === '--json') args.json = true;
   }
@@ -246,7 +253,7 @@ function writeIfChanged(path, content) {
  * Append `entry` to `path` only if `alreadyPresent(content)` is false.
  * Atomic: rebuilds the full file content and writes via atomicWrite — a crash
  * mid-append cannot leave log.md or session-log/YYYY-MM.md half-written, which
- * matters for these append-only history files (codex review of fix #38).
+ * matters for these append-only history files.
  */
 function appendIfAbsent(path, entry, alreadyPresent) {
   let content = '';
@@ -350,13 +357,58 @@ function runMarkSessionClosed(args) {
     if (args.json) {
       console.log(JSON.stringify(result, null, 2));
     } else {
-      console.log(`✗ session-close gate not satisfied — marker not written (project: ${status.project || '(unresolved)'}):`);
+      console.log(
+        `✗ session-close gate not satisfied — marker not written (project: ${status.project || '(unresolved)'}):`,
+      );
       for (const f of status.missing) console.log(`  ✗ ${f} (missing)`);
       for (const f of status.stale) console.log(`  ✗ ${f} (stale)`);
       if (!git.clean) console.log(`  ✗ git: ${git.reason}`);
     }
     process.exit(1);
   }
+  // Bug A coherence: the marker suppresses the Stop hook, but PreCompact blocks
+  // on lint. If a transcript is provided, refuse the marker when THIS session's
+  // own files (edited ∪ mandatory close files) carry lint errors — otherwise
+  // Stop would pass only for /compact to immediately re-block. No transcript →
+  // legacy freshness+git recovery path (lint left to PreCompact).
+  if (args.transcriptPath) {
+    let scopedLint = null;
+    try {
+      scopedLint = runLint(args.hypoDir);
+    } catch (err) {
+      // Lint crash → fail-open (never strand the marker writer on tooling), same
+      // posture as the PreCompact hook.
+      process.stderr.write(
+        `[crystallize] mark-session-closed lint skipped: ${err?.message ?? err}\n`,
+      );
+    }
+    if (scopedLint) {
+      const scope = new Set([
+        ...extractTouchedWikiFiles(args.transcriptPath, args.hypoDir),
+        ...closeFileTargets(args.hypoDir),
+      ]);
+      const { blocking } = partitionLintScope(scopedLint.errors || [], scope);
+      if (blocking.length > 0) {
+        const files = [...new Set(blocking.map((b) => b.file))];
+        const result = {
+          ok: false,
+          session_id: args.sessionId,
+          project: status.project,
+          lint_blockers: files,
+          error: "session-close gate not satisfied — lint errors in this session's files",
+        };
+        if (args.json) {
+          console.log(JSON.stringify(result, null, 2));
+        } else {
+          console.log(
+            `✗ lint errors in files this session touched — marker not written (fix then re-run):`,
+          );
+          for (const b of blocking) console.log(`  ✗ ${b.file}: ${b.message}`);
+        }
+        process.exit(1);
+      }
+    }
+  }
   writeSessionClosedMarker(args.hypoDir, args.sessionId, { project: status.project });
   // Marker writer swallows IO errors (best-effort, see hypo-shared.mjs). Verify
   // the file actually landed before claiming success — otherwise CLI exits 0
@@ -364,7 +416,11 @@ function runMarkSessionClosed(args) {
   // Codex Worker-2 CONCERN (pre-commit review).
   if (!existsSync(sessionClosedMarkerPath(args.hypoDir, args.sessionId))) {
     const err = 'marker file did not land after write (likely .cache permission/disk issue)';
-    console.log(args.json ? JSON.stringify({ ok: false, session_id: args.sessionId, error: err }, null, 2) : `✗ ${err}`);
+    console.log(
+      args.json
+        ? JSON.stringify({ ok: false, session_id: args.sessionId, error: err }, null, 2)
+        : `✗ ${err}`,
+    );
     process.exit(1);
   }
   const result = {
@@ -376,7 +432,9 @@ function runMarkSessionClosed(args) {
   if (args.json) {
     console.log(JSON.stringify(result, null, 2));
   } else {
-    console.log(`✓ session-closed marker written (session_id: ${args.sessionId}, project: ${status.project}).`);
+    console.log(
+      `✓ session-closed marker written (session_id: ${args.sessionId}, project: ${status.project}).`,
+    );
   }
   process.exit(0);
 }
@@ -469,6 +527,19 @@ function applySessionClose(args) {
   if (payload.rootHot) overwriteTargets.add('hot.md');
   if (payload.openQuestions) overwriteTargets.add(join('pages', 'open-questions.md'));
 
+  // Bug B: the documented close path must not be blocked by lint debt OUTSIDE
+  // the files it writes (other projects, shared pages this close did not author).
+  // payloadScope = every file this apply writes or appends. Both lint passes are
+  // judged against it; errors elsewhere are surfaced as notices, never blocking.
+  const payloadScope = new Set([
+    join('projects', project, 'session-state.md'),
+    join('projects', project, 'hot.md'),
+    'hot.md',
+    join('projects', project, 'session-log', `${ym}.md`),
+    'log.md',
+    ...(payload.openQuestions ? [join('pages', 'open-questions.md')] : []),
+  ]);
+
   let preflightLint;
   try {
     preflightLint = runLint(args.hypoDir);
@@ -477,7 +548,13 @@ function applySessionClose(args) {
     console.log(args.json ? JSON.stringify(out, null, 2) : `✗ ${e.message}`);
     process.exit(1);
   }
-  const blockingErrors = preflightLint.errors.filter((e) => !overwriteTargets.has(e.file));
+  // Block only on errors in payload files we are NOT about to overwrite (append
+  // targets — session-log, log.md — can't be repaired by appending, so existing
+  // corruption there must block). Overwrite targets are about to be replaced;
+  // out-of-scope debt is not this close's concern (Bug B).
+  const blockingErrors = preflightLint.errors.filter(
+    (e) => payloadScope.has(e.file) && !overwriteTargets.has(e.file),
+  );
   if (blockingErrors.length > 0) {
     const out = {
       ok: false,
@@ -536,16 +613,26 @@ function applySessionClose(args) {
     (wrote ? applied : skipped).push('log (log.md)');
   }
 
-  const verification = sessionCloseFileStatus(args.hypoDir);
+  // ISSUE-7 Part A: verify against the SAME project this apply just wrote
+  // (`project` = payload.project || probe.project, resolved at the top). Without
+  // the override, sessionCloseFileStatus re-derives via resolveActiveProject and,
+  // on a same-date root-hot.md tie, can pick a different project — false-failing
+  // a completed close (the 2026-06-09 security-ops-kb incident).
+  const verification = sessionCloseFileStatus(args.hypoDir, { projectOverride: project });
 
-  // Fix #40 post-apply lint: payload may have introduced a broken wikilink or
-  // a malformed session-state body. Surface as a distinct `stage` so caller can
-  // tell "lint broke" apart from "frontmatter stale". This runs even if the
-  // freshness gate also failed — both failure modes are useful to the caller.
+  // Fix #40 post-apply lint: payload may have introduced a malformed body or
+  // bad frontmatter. Surface as a distinct `stage` so caller can tell "lint
+  // broke" apart from "frontmatter stale". This runs even if the freshness gate
+  // also failed — both failure modes are useful to the caller.
   let postApplyLint;
+  let postApplyCrashed = false;
   try {
     postApplyLint = runLint(args.hypoDir);
   } catch (e) {
+    // A lint crash (unparseable output) after writes is NOT scopeable — there is
+    // no reliable `file` to classify — and must stay a HARD failure, exactly as
+    // before scoping was introduced.
+    postApplyCrashed = true;
     postApplyLint = {
       ok: false,
       errors: [{ file: '(lint crash)', message: e.message }],
@@ -553,9 +640,24 @@ function applySessionClose(args) {
     };
   }
 
-  const ok = verification.ok && postApplyLint.ok;
+  // Scope post-apply lint to payload files (Bug B): a payload-introduced error
+  // lands in a file this apply wrote, so it blocks; pre-existing debt elsewhere
+  // is a non-blocking notice. A lint crash bypasses scoping and blocks outright.
+  let postBlocking;
+  let postNotice;
+  if (postApplyCrashed) {
+    postBlocking = postApplyLint.errors;
+    postNotice = [];
+  } else {
+    ({ blocking: postBlocking, notice: postNotice } = partitionLintScope(
+      postApplyLint.errors || [],
+      payloadScope,
+    ));
+  }
+  const postLintOk = !postApplyCrashed && postBlocking.length === 0;
+  const ok = verification.ok && postLintOk;
 
-  // fix #27 PR-C (ADR 0022 amendment 2026-05-19): auto-write the per-session
+  // ADR 0022 amendment 2026-05-19: auto-write the per-session
   // closed marker on a verified close. Hook authority is read-only; this is
   // one of the two writer paths (the other is --mark-session-closed standalone).
   // Marker requires BOTH file/lint gate (already in `ok`) AND clean git tree —
@@ -573,7 +675,7 @@ function applySessionClose(args) {
   }
   const stage = ok
     ? null
-    : !verification.ok && !postApplyLint.ok
+    : !verification.ok && !postLintOk
       ? 'post-apply-verification+lint'
       : !verification.ok
         ? 'post-apply-verification'
@@ -587,6 +689,9 @@ function applySessionClose(args) {
     skipped,
     verification,
     lint: { preflight: preflightLint, postApply: postApplyLint },
+    // Pre-existing lint debt in files this close did not author (Bug B): surfaced
+    // for visibility, never gated. Empty on a clean vault.
+    notices: [...new Set(postNotice.map((e) => e.file))],
   };
 
   if (args.json) {
@@ -606,12 +711,21 @@ function applySessionClose(args) {
         console.log(`\n✗ session-close still incomplete after apply: ${bad}`);
         console.log('  Fix the payload (likely an `updated:` field) and retry.');
       }
-      if (!postApplyLint.ok) {
+      if (!postLintOk) {
         console.log('\n✗ post-apply lint failed:');
-        for (const e of postApplyLint.errors) console.log(`  ✗ ${e.file}: ${e.message}`);
+        for (const e of postBlocking) console.log(`  ✗ ${e.file}: ${e.message}`);
         console.log('  Payload introduced a lint blocker — fix the payload content and retry.');
       }
     }
+    if (postNotice.length > 0) {
+      console.log(
+        `\n· ${postNotice.length} pre-existing lint issue(s) in untouched files (not blocking): ${[
+          ...new Set(postNotice.map((e) => e.file)),
+        ]
+          .slice(0, 5)
+          .join(', ')}${postNotice.length > 5 ? ', …' : ''}`,
+      );
+    }
   }
   process.exit(ok ? 0 : 1);
 }