npm - pgserve - Versions diffs - 2.1.3 → 2.2.1 - Mend

pgserve 2.1.3 → 2.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (235) hide show

package/CHANGELOG.md +96 -0
package/README.md +105 -1
package/bin/autopg-wrapper.cjs +16 -0
package/bin/pgserve-wrapper.cjs +32 -6
package/bin/postgres-server.js +56 -0
package/console/README.md +131 -0
package/console/api.js +173 -0
package/console/app.jsx +483 -0
package/console/colors_and_type.css +227 -0
package/console/components.jsx +167 -0
package/console/console.css +1666 -0
package/console/data.jsx +350 -0
package/console/index.html +31 -0
package/console/screens/databases.jsx +5 -0
package/console/screens/health.jsx +5 -0
package/console/screens/ingress.jsx +5 -0
package/console/screens/optimizer.jsx +5 -0
package/console/screens/rlm-sim.jsx +5 -0
package/console/screens/rlm-trace.jsx +5 -0
package/console/screens/security.jsx +5 -0
package/console/screens/settings.jsx +611 -0
package/console/screens/sql.jsx +5 -0
package/console/screens/sync.jsx +5 -0
package/console/screens/tables.jsx +5 -0
package/console/tweaks-panel.jsx +425 -0
package/package.json +14 -2
package/scripts/postinstall.cjs +60 -0
package/src/cli-config.cjs +310 -0
package/src/cli-install.cjs +112 -11
package/src/cli-restart.cjs +228 -0
package/src/cli-ui.cjs +580 -0
package/src/cluster.js +43 -38
package/src/postgres.js +141 -19
package/src/settings-loader.cjs +235 -0
package/src/settings-migrate.cjs +212 -0
package/src/settings-pg-args.cjs +146 -0
package/src/settings-schema.cjs +422 -0
package/src/settings-validator.cjs +416 -0
package/src/settings-writer.cjs +288 -0
package/src/upgrade/index.js +65 -0
package/src/upgrade/runner.js +23 -0
package/src/upgrade/steps/binary-cache-flush.js +67 -0
package/src/upgrade/steps/consumer-signal.js +40 -0
package/src/upgrade/steps/env-refresh.js +89 -0
package/src/upgrade/steps/health-validate.js +53 -0
package/src/upgrade/steps/plpgsql-resolve.js +66 -0
package/src/upgrade/steps/port-reconcile.js +52 -0
package/.claude/context/windows-debug.md +0 -119
package/.genie/AGENTS.md +0 -15
package/.genie/agents/README.md +0 -110
package/.genie/agents/analyze.md +0 -176
package/.genie/agents/forge.md +0 -290
package/.genie/agents/garbage-cleaner.md +0 -324
package/.genie/agents/garbage-collector.md +0 -596
package/.genie/agents/github-issue-gc.md +0 -618
package/.genie/agents/review.md +0 -380
package/.genie/agents/semantic-analyzer/find-duplicates.md +0 -90
package/.genie/agents/semantic-analyzer/find-orphans.md +0 -99
package/.genie/agents/semantic-analyzer.md +0 -101
package/.genie/agents/update.md +0 -182
package/.genie/agents/wish.md +0 -357
package/.genie/brainstorms/pgserve-v2/DESIGN.md +0 -174
package/.genie/code/AGENTS.md +0 -694
package/.genie/code/agents/audit/risk.md +0 -173
package/.genie/code/agents/audit/security.md +0 -189
package/.genie/code/agents/audit.md +0 -145
package/.genie/code/agents/challenge.md +0 -230
package/.genie/code/agents/change-reviewer.md +0 -295
package/.genie/code/agents/code-garbage-collector.md +0 -425
package/.genie/code/agents/code-quality.md +0 -410
package/.genie/code/agents/commit-suggester.md +0 -255
package/.genie/code/agents/commit.md +0 -124
package/.genie/code/agents/consensus.md +0 -204
package/.genie/code/agents/daily-standup.md +0 -722
package/.genie/code/agents/docgen.md +0 -48
package/.genie/code/agents/explore.md +0 -79
package/.genie/code/agents/fix.md +0 -100
package/.genie/code/agents/git/commit-advisory.md +0 -219
package/.genie/code/agents/git/workflows/issue.md +0 -244
package/.genie/code/agents/git/workflows/pr.md +0 -179
package/.genie/code/agents/git/workflows/release.md +0 -460
package/.genie/code/agents/git/workflows/report.md +0 -342
package/.genie/code/agents/git.md +0 -432
package/.genie/code/agents/implementor.md +0 -161
package/.genie/code/agents/install.md +0 -515
package/.genie/code/agents/issue-creator.md +0 -344
package/.genie/code/agents/polish.md +0 -116
package/.genie/code/agents/qa.md +0 -653
package/.genie/code/agents/refactor.md +0 -294
package/.genie/code/agents/release.md +0 -1129
package/.genie/code/agents/roadmap.md +0 -885
package/.genie/code/agents/tests.md +0 -557
package/.genie/code/agents/tracer.md +0 -50
package/.genie/code/agents/update/upstream-update.md +0 -85
package/.genie/code/agents/update/versions/generic-update.md +0 -305
package/.genie/code/agents/vibe.md +0 -1317
package/.genie/code/spells/agent-configuration.md +0 -58
package/.genie/code/spells/automated-rc-publishing.md +0 -106
package/.genie/code/spells/branch-tracker-guidance.md +0 -28
package/.genie/code/spells/debug.md +0 -320
package/.genie/code/spells/emoji-naming-convention.md +0 -303
package/.genie/code/spells/evidence-storage.md +0 -26
package/.genie/code/spells/file-naming-rules.md +0 -35
package/.genie/code/spells/forge-code-blueprints.md +0 -195
package/.genie/code/spells/genie-integration.md +0 -153
package/.genie/code/spells/publishing-protocol.md +0 -61
package/.genie/code/spells/team-consultation-protocol.md +0 -284
package/.genie/code/spells/tool-requirements.md +0 -20
package/.genie/code/spells/triad-maintenance-protocol.md +0 -154
package/.genie/code/teams/tech-council/council.md +0 -328
package/.genie/code/teams/tech-council/jt.md +0 -352
package/.genie/code/teams/tech-council/nayr.md +0 -305
package/.genie/code/teams/tech-council/oettam.md +0 -375
package/.genie/neurons/README.md +0 -193
package/.genie/neurons/forge.md +0 -106
package/.genie/neurons/genie.md +0 -63
package/.genie/neurons/review.md +0 -106
package/.genie/neurons/wish.md +0 -104
package/.genie/product/README.md +0 -20
package/.genie/product/cli-automation.md +0 -359
package/.genie/product/environment.md +0 -60
package/.genie/product/mission.md +0 -60
package/.genie/product/roadmap.md +0 -44
package/.genie/product/tech-stack.md +0 -34
package/.genie/product/templates/context-template.md +0 -218
package/.genie/product/templates/qa-done-report-template.md +0 -68
package/.genie/product/templates/review-report-template.md +0 -89
package/.genie/product/templates/wish-template.md +0 -120
package/.genie/scripts/helpers/analyze-commit.js +0 -195
package/.genie/scripts/helpers/bullet-counter.js +0 -194
package/.genie/scripts/helpers/bullet-find.js +0 -289
package/.genie/scripts/helpers/bullet-id.js +0 -244
package/.genie/scripts/helpers/check-secrets.js +0 -237
package/.genie/scripts/helpers/count-tokens.js +0 -200
package/.genie/scripts/helpers/create-frontmatter.js +0 -456
package/.genie/scripts/helpers/detect-markers.js +0 -293
package/.genie/scripts/helpers/detect-todos.js +0 -267
package/.genie/scripts/helpers/detect-unlabeled-blocks.js +0 -135
package/.genie/scripts/helpers/embeddings.js +0 -344
package/.genie/scripts/helpers/find-empty-sections.js +0 -158
package/.genie/scripts/helpers/index.js +0 -319
package/.genie/scripts/helpers/validate-frontmatter.js +0 -578
package/.genie/scripts/helpers/validate-links.js +0 -207
package/.genie/scripts/helpers/validate-paths.js +0 -373
package/.genie/spells/README.md +0 -9
package/.genie/spells/ace-protocol.md +0 -118
package/.genie/spells/ask-one-at-a-time.md +0 -175
package/.genie/spells/backup-analyzer.md +0 -542
package/.genie/spells/blocker.md +0 -12
package/.genie/spells/break-things-move-fast.md +0 -56
package/.genie/spells/context-candidates.md +0 -72
package/.genie/spells/context-critic.md +0 -51
package/.genie/spells/defer-to-expertise.md +0 -278
package/.genie/spells/delegate-dont-do.md +0 -292
package/.genie/spells/error-investigation-protocol.md +0 -328
package/.genie/spells/evidence-based-completion.md +0 -273
package/.genie/spells/experiment.md +0 -65
package/.genie/spells/file-creation-protocol.md +0 -229
package/.genie/spells/forge-integration.md +0 -281
package/.genie/spells/forge-orchestration.md +0 -514
package/.genie/spells/gather-context.md +0 -18
package/.genie/spells/global-health-check.md +0 -34
package/.genie/spells/global-noop-roundtrip.md +0 -25
package/.genie/spells/install-genie.md +0 -1232
package/.genie/spells/install.md +0 -82
package/.genie/spells/investigate-before-commit.md +0 -112
package/.genie/spells/know-yourself.md +0 -288
package/.genie/spells/learn.md +0 -828
package/.genie/spells/mcp-diagnostic-protocol.md +0 -246
package/.genie/spells/mcp-first.md +0 -124
package/.genie/spells/multi-step-execution.md +0 -67
package/.genie/spells/orchestration-boundary-protocol.md +0 -256
package/.genie/spells/orchestrator-not-implementor.md +0 -189
package/.genie/spells/prompt.md +0 -746
package/.genie/spells/reflect.md +0 -404
package/.genie/spells/routing-decision-matrix.md +0 -368
package/.genie/spells/run-in-parallel.md +0 -12
package/.genie/spells/session-state-updater-example.md +0 -196
package/.genie/spells/session-state-updater.md +0 -220
package/.genie/spells/track-long-running-tasks.md +0 -133
package/.genie/spells/troubleshoot-infrastructure.md +0 -176
package/.genie/spells/upgrade-genie.md +0 -415
package/.genie/spells/url-presentation-protocol.md +0 -301
package/.genie/spells/wish-initiation.md +0 -158
package/.genie/spells/wish-issue-linkage.md +0 -410
package/.genie/spells/wish-lifecycle.md +0 -100
package/.genie/state/provider-status.json +0 -3
package/.genie/state/version.json +0 -16
package/.genie/wishes/canonical-pgserve-pm2-supervision/WISH.md +0 -290
package/.genie/wishes/pgserve-v2/BRIEF-from-genie-pgserve.md +0 -99
package/.genie/wishes/pgserve-v2/WISH.md +0 -442
package/.genie/wishes/release-system-genie-pattern/WISH.md +0 -268
package/.genie/wishes/release-system-genie-pattern/validation.md +0 -205
package/.gitguardian.yaml +0 -29
package/.gitguardianignore +0 -16
package/.github/workflows/ci.yml +0 -122
package/.github/workflows/release.yml +0 -289
package/.github/workflows/version.yml +0 -228
package/.husky/pre-commit +0 -2
package/AGENTS.md +0 -433
package/CLAUDE.md +0 -1
package/Makefile +0 -285
package/assets/icon.ico +0 -0
package/bun.lock +0 -435
package/bunfig.toml +0 -28
package/ecosystem.config.cjs +0 -23
package/eslint.config.js +0 -63
package/examples/multi-tenant-demo.js +0 -104
package/install.sh +0 -123
package/knip.json +0 -9
package/tests/audit.test.js +0 -189
package/tests/backpressure.test.js +0 -167
package/tests/benchmarks/runner.js +0 -1197
package/tests/benchmarks/vector-generator.js +0 -368
package/tests/cli-install.test.js +0 -322
package/tests/control-db.test.js +0 -285
package/tests/daemon-args.test.js +0 -86
package/tests/daemon-control.test.js +0 -171
package/tests/daemon-fingerprint-integration.test.js +0 -111
package/tests/daemon-pr24-regression.test.js +0 -198
package/tests/fingerprint.test.js +0 -263
package/tests/fixtures/240-orphan-seed.sql +0 -30
package/tests/multi-tenant.test.js +0 -374
package/tests/orphan-cleanup.test.js +0 -390
package/tests/pg-version-regex.test.js +0 -129
package/tests/quick-bench.js +0 -135
package/tests/router-handshake-retry.test.js +0 -119
package/tests/router-handshake-watchdog.test.js +0 -110
package/tests/sdk.test.js +0 -71
package/tests/stale-postmaster-pid.test.js +0 -85
package/tests/stress-test.js +0 -439
package/tests/sync-perf-test.js +0 -150
package/tests/tcp-listen.test.js +0 -368
package/tests/tenancy.test.js +0 -403
package/tests/wrapper-supervision.test.js +0 -107

package/.genie/brainstorms/pgserve-v2/DESIGN.md DELETED Viewed

@@ -1,174 +0,0 @@
-# DESIGN — pgserve v2 (consolidated from genie-pgserve agent brain)
-| Field | Value |
-|-------|-------|
-| **Status** | CRYSTALLIZED |
-| **Origin** | Council v2 deliberation (`conv-bf3e8657`, 2026-04-26) — total convergence in Round 2 |
-| **Source agent** | `genie-pgserve` (`/home/genie/workspace/agents/genie-pgserve`) |
-| **Source docs** | `brain/_decisions/pgserve-roadmap-design.md` + `brain/_decisions/pgserve-roadmap-open-questions-resolved.md` |
-| **Council members** | questioner, architect, simplifier, ergonomist |
-| **Slug** | `pgserve-v2` |
-## Problem
-pgserve = "Neon for AI agents" — embedded Postgres-as-a-service for Node.js apps. Tagline: "npx pgserve and it just works, no credentials needed." `postgres/postgres` superuser is intentional product DNA.
-Production usage growing across 6 Namastex apps (brain, omni, rlmx, genie, hapvida-eugenia, email). Pain points:
-1. Each app spawns its own pgserve → port conflicts.
-2. 240+ orphaned test DBs accumulated (no ownership, no GC) — caught a 2,130 errors/sec outage on 2026-04-24 (PR #24 fix).
-3. No isolation — any app can see any other app's data (shared superuser by design).
-4. PR #16 attempted schema-per-name + role-per-tenant + deny-by-default — rejected because consumer-owns-naming felt wrong.
-## Goal
-Cut pgserve **v2.0.0** — breaking semver bump (deliberately violating the original "we do not break userspace" plan). Replace v1's per-app TCP spawn + shared-superuser-without-isolation with a portless, fingerprinted, kernel-rooted, lifecycle-managed model. Use `automagik-dev/genie` as the canary consumer (dogfood loop) to validate the design empirically before broader migration.
-The original design (`pgserve-roadmap-design.md`) staged this evolution v1.0 → v2.0 across 5 ABI-compatible releases. Felipe's direction on 2026-04-26 collapsed this into a single v2.0.0 cut, accepting the breakage cost in exchange for shorter cycle time and aligning the breaking semver with the actual breaking change.
-## Approach
-### 1. Transport — portless by default
-- Singleton daemon binds well-known control socket at `$XDG_RUNTIME_DIR/pgserve/control.sock` (fallback `/tmp/pgserve/control.sock` for hosts without XDG_RUNTIME_DIR).
-- Per-pid sockets remain for direct-embed callers (preserve PR #24 invariants — `_stopping` flag, exit-handler reset, router fallback-on-missing-socket).
-- TCP only behind `--listen :PORT` opt-in (k8s pods, remote sync).
-- **Kills port conflicts forever** — no ports to conflict over by default.
-### 2. Identity — kernel-rooted, package.json-keyed
-**Tuple:** `(realpath(nearest-ancestor-package.json), name field, uid)` → `sha256(...).slice(0, 12)`.
-Mechanism:
-1. SO_PEERCRED on Unix socket → unforgeable `(pid, uid, gid)` from kernel.
-2. pgserve walks up `/proc/$pid/cwd` to find nearest `package.json`.
-3. Hash the tuple → 12 hex char fingerprint.
-4. **Fallback** for scripts with no package.json: `(uid, sha256(cwd + cmdline[1]).slice(0, 12))`.
-Why NOT others considered:
-- ❌ `sha256(/proc/$pid/exe)` — every Node app resolves to `/usr/local/bin/node`, collision.
-- ❌ `cmdline` — mutable (pm2/tsx/nodemon rewrite).
-- ❌ `cwd` alone — different cwd in same project = different DBs (wrong).
-- ✅ `package.json` realpath — stable across npm install, runtime swap (node→bun), git pull, sub-cd.
-### 3. Tenancy — database-per-fingerprint (NOT schema-per)
-Schema-per is "isolation theater" under shared superuser — `SET search_path` to anything, fully-qualified SELECTs across schemas, `pg_catalog` enumeration.
-Database-per wins because:
-- DROP DATABASE atomic → GC trivial (one statement).
-- pg_dump per-app works as-is (backup boundary = isolation boundary).
-- App still sees `postgres://postgres:postgres@.../app-db` with full superuser inside its DB → magic preserved.
-- Cross-DB requires re-auth → proxy routes back → mechanical isolation, not policy.
-Database name format: `app_<sanitized-name>_<12hex>`.
-### 4. Lifecycle — 3-layer composition
-| Layer | Mechanism |
-|-------|-----------|
-| Default | Ephemeral — auto-DROP when liveness signal lost AND TTL elapsed. |
-| Liveness signal | `kill -0 $pid` or `stat /proc/$pid` — owner died starts TTL. |
-| Grace window | TTL 24h since last connection — restart with same fingerprint reclaims its DB. |
-| Override | `package.json: "pgserve": {"persist": true}` — disables both, durable until explicit drop. |
-Composition: test DBs vanish minutes after exit, agent runs vanish 24h after last activity, production knowledge stores never vanish. Zero cron config-side, 240-orphan disease cures itself.
-### 5. GC sweep — three composed triggers
-| Trigger | When |
-|---------|------|
-| Opportunistic | Every new connection acquired through control socket (sample 1/N to avoid herd). |
-| Periodic | Hourly daemon timer. |
-| Boot | Daemon startup (catches orphans accumulated while daemon was down). |
-All three call one `gcSweep()` function — no cron config, no consumer involvement.
-### 6. Audit log — tiered
-| Tier | Destination | Default | Introduced |
-|------|-------------|---------|------------|
-| 1 | `~/.pgserve/audit.log` (JSONL, rotating 50MB × 5) | ON | v2.0 |
-| 2 | Local syslog (`pgserve.audit.target: "syslog"`) | OFF | v2.0 |
-| 3 | HTTP webhook (`pgserve.audit.target: "url"`) | OFF | v2.1 |
-Schema: `{ts, event, fingerprint, db, peer_uid, peer_pid, package_realpath, ...event_specific}`.
-Events: `db_created`, `db_reaped_ttl`, `db_reaped_liveness`, `db_persist_honored`, `connection_routed`, `connection_denied_fingerprint_mismatch`, `enforcement_kill_switch_used`.
-### 7. Enforcement — default-on with kill switch
-- Default-ON in v2.0.
-- `PGSERVE_DISABLE_FINGERPRINT_ENFORCEMENT=1` environment variable bypasses enforcement (panic kill switch for ops emergencies).
-- Marked deprecated; removal slated for v3.0.
-### 8. Monorepo behavior
-Walk up from `/proc/$pid/cwd` to first `package.json` (deepest match wins). Matches Node's `require.resolve` semantics.
-Edge case: `npm workspaces` runs from repo root → all members share root fingerprint → all share one DB. Documented; if isolation needed, run member directly: `cd packages/foo && bun run start`.
-Future escape hatch (deferred): `pgserve.fingerprintRoot: "monorepo-root"` in package.json. Build only when demand surfaces.
-### 9. Control schema — `pgserve_meta`
-Lives in pgserve's own admin DB (separate from user DBs):
-```sql
-CREATE TABLE pgserve_meta (
-  database_name      TEXT PRIMARY KEY,
-  fingerprint        TEXT NOT NULL,           -- 12 hex
-  peer_uid           INTEGER NOT NULL,
-  package_realpath   TEXT,                    -- NULL for script fallback
-  created_at         TIMESTAMPTZ DEFAULT now(),
-  last_connection_at TIMESTAMPTZ DEFAULT now(),
-  liveness_pid       INTEGER,                 -- last known owner pid
-  persist            BOOLEAN DEFAULT false
-);
-```
-## Decisions
-| # | Decision | Rationale |
-|---|----------|-----------|
-| 1 | Single v2.0.0 cut, not staged | Felipe 2026-04-26: bundle the breaking changes under one semver-major. Cycle time over compat. |
-| 2 | Portless default + Unix socket | Eliminates port conflicts (THE #1 embedded-server failure mode) + enables SO_PEERCRED for kernel-rooted identity. |
-| 3 | package.json as identity key | Stable across npm install, runtime swap, git pull. npm already mandates it for unrelated reasons. |
-| 4 | Database-per-fingerprint over schema-per | Real mechanical isolation vs theater under shared superuser; atomic GC; tool compat (pg_dump, drizzle, prisma). |
-| 5 | Fingerprint hash truncated to 12 hex (48-bit) | Birthday-bound at ~16M projects. Postgres ident limit (63) leaves room for `app_<sanitized-name>_<12hex>`. |
-| 6 | GC: opportunistic + hourly + boot, single sweep function | Bounds worst-case orphan lifetime ≤ 1h on idle hosts; immediate on active hosts. |
-| 7 | Enforcement default-ON with `PGSERVE_DISABLE_FINGERPRINT_ENFORCEMENT=1` kill switch | Simplifier wins happy path; architect keeps emergency valve. |
-| 8 | Monorepo: nearest-ancestor package.json wins | Matches Node `require.resolve`; familiar mental model. |
-| 9 | Audit log tiered (file → syslog → webhook) | Zero-config promise honored at tier 1; ops opt into separate sink. |
-| 10 | Dogfood `automagik-dev/genie` consumer in lockstep | Provides empirical safety net for the breaking cut; first canary before brain/omni/rlmx/eugenia/email migrate. |
-| 11 | DELETE PR #16 schema/role machinery | Replaced by database boundary + peer-creds routing — fewer lines AND honest isolation. |
-## Risks & Assumptions
-| Risk | Severity | Mitigation |
-|------|----------|------------|
-| 5 other consumer apps (brain, omni, rlmx, hapvida-eugenia, email) break on v2.0 install | High | Pin v1.x in their package.json until per-app migration wishes ship. Document upgrade path in v2.0 release notes. |
-| package.json walk fails on edge cases (worktree without root, monorepos) | Medium | Fallback to script-mode hash; document monorepo behavior; defer escape hatch until demanded. |
-| Production knowledge store loses data on missed `persist: true` flag | High | Errors-that-teach: "Database for `myapp` was reaped — to survive long gaps, set `persist:true`. See pgserve.dev/persist". Pre-flight warning at 90% of TTL. |
-| Daemon mode = single point of failure for whole machine | Low | pgserve daemon supervised (PM2/systemd); restart fast; existing apps already tolerated pgserve restarts (per-app spawn). |
-| Existing 240 orphans contain sensitive data (PII from hapvida-eugenia, etc) | Medium | One-time inventory + classification BEFORE GC sweep on prod hosts. Separate ops task (out of this wish). |
-| Genie consumer migration reveals design flaw mid-build | Medium | Dogfood twin reports daily; if blocking flaw surfaces, pause wish, reconvene council, possibly revert to staged plan. |
-| PR #24's stale-socketDir invariants regress in daemon work | High | Wave 2 group must regression-test the three scenarios from #24 (stop nulls socketDir, double-start no-op, exit-handler resets state). |
-## What was considered and rejected
-- Use vanilla Postgres + 50-line script — pgserve IS the answer; vanilla lacks npx-magic embed.
-- Per-app credentials in `.env` — leak via git/Slack/CI logs.
-- Schema-per-fingerprint with search_path — isolation theater under shared superuser.
-- Pure binary_hash fingerprint — Node apps all resolve to `/usr/local/bin/node`.
-- Pure cwd fingerprint — different cwd in same project = different DBs.
-- Consumer-supplied naming (PR #16) — pushes ownership to consumer, recreates naming problem.
-- TTL-only lifecycle (24h universal) — risks "production data vanished after long weekend".
-- ps-aux-only liveness — production knowledge store on host that crashes for 25h would lose data invisibly.
-- ABI-compatible 5-stage rollout (`pgserve-roadmap-design.md` original plan) — superseded by Felipe's 2026-04-26 call to bundle as v2.0.
-## Open follow-ups (not blockers for this wish)
-- One-time inventory + classification of existing 240 orphans on prod hosts (separate ops task).
-- Migration wishes for the 5 non-genie consumers (one per app: brain, omni, rlmx, hapvida-eugenia, email).
-- Future: cross-host coordination, encryption-at-rest, TLS, multi-tenant role permissions.