prism-mcp-server 8.0.0 → 8.0.2

package/README.md

@@ -20,7 +20,7 @@ npx -y prism-mcp-server
 
 Works with **Claude Desktop · Claude Code · Cursor · Windsurf · Cline · Gemini · Antigravity** — **any MCP client.**
 
-## 📖 Table of Contents
+## Table of Contents
 
 - [Why Prism?](#why-prism)
 - [Quick Start](#quick-start)
@@ -28,8 +28,8 @@ Works with **Claude Desktop · Claude Code · Cursor · Windsurf · Cline · Gem
 - [Setup Guides](#setup-guides)
 - [Universal Import: Bring Your History](#universal-import-bring-your-history)
 - [What Makes Prism Different](#what-makes-prism-different)
-- [Synapse Engine (v8.0)](#-synapse-engine-v80)
-- [Cognitive Architecture (v7.8)](#-cognitive-architecture-v78)
+- [Synapse Engine (v8.0)](#synapse-engine-v80)
+- [Cognitive Architecture (v7.8)](#cognitive-architecture-v78)
 - [Data Privacy & Egress](#data-privacy--egress)
 - [Use Cases](#use-cases)
 - [What's New](#whats-new)
@@ -53,15 +53,15 @@ Every time you start a new conversation with an AI coding assistant, it starts f
 
 Prism has three pillars:
 
-1. **🧠 Cognitive Memory** — Memories are ranked like a human brain: recently and frequently accessed context surfaces first, while stale context fades naturally via ACT-R activation decay. Raw experience consolidates into semantic principles through Hebbian learning. The result is retrieval quality that no flat vector search can match. *(See [Cognitive Architecture](#-cognitive-architecture-v78) and [Scientific Foundation](#-scientific-foundation).)*
+1. **🧠 Cognitive Memory** — Memories are ranked like a human brain: recently and frequently accessed context surfaces first, while stale context fades naturally via ACT-R activation decay. Raw experience consolidates into semantic principles through Hebbian learning. The result is retrieval quality that no flat vector search can match. *(See [Cognitive Architecture](#cognitive-architecture-v78) and [Scientific Foundation](#scientific-foundation).)*
 
-2. **⚡ Synapse Engine (GraphRAG)** — When your agent searches for "Error X", the Synapse Engine doesn't just find logs mentioning "Error X". Multi-hop energy propagation traverses the causal graph — dampened by fan effect, bounded by lateral inhibition — and surfaces "Workaround Y" connected to "Architecture Decision Z". Nodes discovered exclusively via graph traversal are tagged `[🌐 Synapse]` so you can *see* the engine working. *(See [Synapse Engine](#-synapse-engine-v80).)*
+2. **⚡ Synapse Engine (GraphRAG)** — When your agent searches for "Error X", the Synapse Engine doesn't just find logs mentioning "Error X". Multi-hop energy propagation traverses the causal graph — dampened by fan effect, bounded by lateral inhibition — and surfaces "Workaround Y" connected to "Architecture Decision Z". Nodes discovered exclusively via graph traversal are tagged `[🌐 Synapse]` so you can *see* the engine working. *(See [Synapse Engine](#synapse-engine-v80).)*
 
-3. **🏭 Autonomous Execution (Dark Factory)** — When you're ready, Prism can run coding tasks end-to-end with a fail-closed pipeline where an adversarial evaluator catches bugs the generator missed — before you ever see the PR. *(See [Dark Factory](#-dark-factory--adversarial-autonomous-pipelines).)*
+3. **🏭 Autonomous Execution (Dark Factory)** — When you're ready, Prism can run coding tasks end-to-end with a fail-closed pipeline where an adversarial evaluator catches bugs the generator missed — before you ever see the PR. *(See [Dark Factory](#dark-factory--adversarial-autonomous-pipelines).)*
 
 ---
 
-## 🚀 Quick Start
+## Quick Start
 
 ### Prerequisites
 
@@ -135,7 +135,7 @@ Then open `http://localhost:3001` instead.
 
 ---
 
-## ✨ The Magic Moment
+## The Magic Moment
 
 > **Session 1** (Monday evening):
 > ```
@@ -156,7 +156,7 @@ Then open `http://localhost:3001` instead.
 
 ---
 
-## 📖 Setup Guides
+## Setup Guides
 
 <details>
 <summary><strong>Claude Desktop</strong></summary>
@@ -379,7 +379,7 @@ Prism can be deployed natively to cloud platforms like [Render](https://render.c
 
 ---
 
-## 📥 Universal Import: Bring Your History
+## Universal Import: Bring Your History
 
 Switching to Prism? Don't leave months of AI session history behind. Prism can **ingest historical sessions from Claude Code, Gemini, and OpenAI** and give your Mind Palace an instant head start — no manual re-entry required.
 
@@ -412,7 +412,7 @@ npx -y prism-mcp-server universal-import --format gemini --path ./gemini_history
 
 ---
 
-## ✨ What Makes Prism Different
+## What Makes Prism Different
 
 
 ### 🧠 Your Agent Learns From Mistakes
@@ -455,12 +455,12 @@ OpenTelemetry spans for every MCP tool call, LLM hop, and background worker. Rou
 ### 🌐 Autonomous Web Scholar
 Prism researches while you sleep. A background pipeline searches the web, scrapes articles, synthesizes findings via LLM, and injects results directly into your semantic memory — fully searchable on your next session. Brave Search → Firecrawl scrape → LLM synthesis → Prism ledger. Task-aware, Hivemind-integrated, and zero-config when API keys are missing (falls back to Yahoo + Readability).
 
-### 🏭 Dark Factory — Adversarial Autonomous Pipelines
+### Dark Factory — Adversarial Autonomous Pipelines
 When you trigger a Dark Factory pipeline, Prism doesn't just run your task — it fights itself to produce high-quality output. A `PLAN_CONTRACT` step locks a machine-parseable rubric before any code is written. After execution, an **Adversarial Evaluator** (in a fully isolated context) scores the output against the rubric. It cannot pass the Generator without providing exact file and line evidence for every failing criterion. Failed evaluations inject the critique directly into the Generator's retry prompt so it's never flying blind. The result: security issues, regressions, and lazy debug logs caught autonomously — before you ever see the PR. → [See it in action](examples/adversarial-eval-demo/README.md)
 
 ---
 
-## ⚡ Synapse Engine (v8.0)
+## Synapse Engine (v8.0)
 
 > *Standard RAG retrieves documents. GraphRAG traverses relationships. The Synapse Engine does both — a pure, storage-agnostic multi-hop propagation engine that turns your agent's memory into an associative reasoning network.*
 
@@ -507,7 +507,7 @@ The Synapse Engine (v8.0) replaces the legacy SQL-coupled spreading activation w
 
 ---
 
-## 🧠 Cognitive Architecture (v7.8)
+## Cognitive Architecture (v7.8)
 
 > *Prism v7.8 is our biggest leap forward yet. We have moved beyond flat vector search and implemented a true Cognitive Architecture inspired by human brain mechanics. With the new ACT-R Spreading Activation Engine, Episodic-to-Semantic memory consolidation, and Uncertainty-Aware Rejection Gates, Prism doesn't just store logs anymore — it forms principles, follows causal trains of thought, and possesses the self-awareness to know when it lacks information.*
 
@@ -572,7 +572,7 @@ Standard RAG (Retrieval-Augmented Generation) is now a commodity. Everyone has v
 
 ---
 
-## 🔒 Data Privacy & Egress
+## Data Privacy & Egress
 
 **Where is my data stored?**
 
@@ -603,7 +603,7 @@ Prism will recreate the directory with empty databases on next startup.
 
 ---
 
-## 🎯 Use Cases
+## Use Cases
 
 - **Long-running feature work** — Save state at end of day, restore full context next morning. No re-explaining.
 - **Multi-agent collaboration** — Dev, QA, and PM agents share real-time context without stepping on each other's memory.
@@ -632,7 +632,7 @@ Then continue a specific thread with a follow-up message to the selected agent,
 
 ---
 
-## ⚔️ Adversarial Evaluation in Action
+## Adversarial Evaluation in Action
 
 > **Split-Brain Anti-Sycophancy** — the signature feature of v7.4.0.
 
@@ -737,12 +737,12 @@ The Generator strips the `console.log`, resubmits, and the next `EVALUATE` retur
 
 ---
 
-## 🆕 What's New
+## What's New
 
 > **Current release: v8.0.0 — Synapse Engine**
 
 - ⚡ **v8.0.0 — Synapse Engine:** Pure, storage-agnostic multi-hop graph propagation engine replaces the legacy SQL-coupled spreading activation. O(T × M) bounded ACT-R energy propagation with dampened fan effect, asymmetric bidirectional flow, cyclic loop prevention, and sigmoid normalization. Full integration into both SQLite and Supabase backends. 5 new config knobs. Battle-hardened with NaN guards, config clamping, non-fatal enrichment, and 16 passing tests. **Memory search now follows the causal graph, not just keywords.** → [Synapse Engine](#synapse-engine-v80)
-- 🧠 **v7.8.x — Cognitive Architecture:** Episodic-to-Semantic consolidation (Hebbian learning), ACT-R Spreading Activation with multi-hop causal reasoning, Uncertainty-Aware Rejection Gate, and Dynamic Fast Weight Decay. Validated by **LoCoMo-Plus benchmark**. → [Cognitive Architecture](#-cognitive-architecture-v78)
+- 🧠 **v7.8.x — Cognitive Architecture:** Episodic-to-Semantic consolidation (Hebbian learning), ACT-R Spreading Activation with multi-hop causal reasoning, Uncertainty-Aware Rejection Gate, and Dynamic Fast Weight Decay. Validated by **LoCoMo-Plus benchmark**. → [Cognitive Architecture](#cognitive-architecture-v78)
 - 🌐 **v7.7.0 — Cloud-Native SSE Transport:** Full unauthenticated and authenticated Server-Sent Events MCP support for seamless network deployments.
 - 🩺 **v7.5.0 — Intent Health Dashboard + Security Hardening:** Real-time 0–100 project health scoring (staleness × TODO load × decisions). 10 XSS injection vectors patched. Algorithm hardened with NaN guards and score ceiling.
 - ⚔️ **v7.4.0 — Adversarial Evaluation:** Split-brain anti-sycophancy pipeline. Generator and evaluator in isolated roles with evidence-bound findings.
@@ -752,7 +752,7 @@ The Generator strips the `console.log`, resubmits, and the next `EVALUATE` retur
 
 ---
 
-## ⚔️ How Prism Compares
+## How Prism Compares
 
 Standard memory servers (like Mem0, Zep, or the baseline Anthropic MCP) act as passive filing cabinets — they wait for the LLM to search them. **Prism is an active cognitive architecture.** Designed specifically for the **Model Context Protocol (MCP)**, Prism doesn't just store vectors — it consolidates experience into principles, traverses causal graphs for multi-hop reasoning, and rejects queries it can't confidently answer.
 
@@ -804,7 +804,7 @@ Every other AI coding pipeline has a fatal flaw: it asks the same model that wro
 
 ---
 
-## 🔧 Tool Reference
+## Tool Reference
 
 Prism ships 30+ tools, but **90% of your workflow uses just three:**
 
@@ -1066,7 +1066,7 @@ Prism is a **stdio-based MCP server** that manages persistent agent memory. Here
 
 ### Auto-Load Architecture
 
-Each MCP client has its own mechanism for ensuring Prism context loads on session start. See the platform-specific [Setup Guides](#-setup-guides) above for detailed instructions:
+Each MCP client has its own mechanism for ensuring Prism context loads on session start. See the platform-specific [Setup Guides](#setup-guides) above for detailed instructions:
 
 - **Claude Code** — Lifecycle hooks (`SessionStart` / `Stop`)
 - **Gemini / Antigravity** — Three-layer architecture (User Rules + AGENTS.md + Startup Skill)
@@ -1077,7 +1077,7 @@ All platforms benefit from the **server-side fallback** (v5.2.1): if `session_lo
 
 ---
 
-## 🧬 Scientific Foundation
+## Scientific Foundation
 
 Prism has evolved from smart session logging into a **cognitive memory architecture** — grounded in real research, not marketing. Every retrieval decision is backed by peer-reviewed models from cognitive psychology, neuroscience, and distributed computing.
 
@@ -1120,7 +1120,7 @@ Prism has evolved from smart session logging into a **cognitive memory architect
 
 ---
 
-## 📦 Milestones & Roadmap
+## Milestones & Roadmap
 
 > **Current: v8.0.0** — Synapse Engine ([CHANGELOG](CHANGELOG.md))
 
@@ -1145,7 +1145,7 @@ Prism has evolved from smart session logging into a **cognitive memory architect
 👉 **[Full ROADMAP.md →](ROADMAP.md)**
 
 
-## ❓ Troubleshooting FAQ
+## Troubleshooting FAQ
 
 **Q: Why is the dashboard project selector stuck on "Loading projects..."?**
 A: Fixed in v7.3.3. The root cause was a multi-layer quote-escaping trap in the `abortPipeline` onclick handler that generated a `SyntaxError` in the browser, silently killing the entire dashboard IIFE. Update to v7.3.3+ (`npx -y prism-mcp-server`). If still stuck, check that Supabase env values are properly set (unresolved placeholders like `${SUPABASE_URL}` cause `/api/projects` to return empty). Prism auto-falls back to local SQLite when Supabase is misconfigured.

package/dist/darkfactory/runner.js

@@ -599,6 +599,13 @@ async function runnerTick() {
             const harnessPath = path.join(path.resolve(spec.workingDirectory), 'verification_harness.json');
             if (fs.existsSync(harnessPath)) {
                 try {
+                    // MED-5 FIX: Guard against LLM-generated files that are malformed or
+                    // excessively large. Cap at 1MB to prevent heap exhaustion.
+                    const MAX_HARNESS_SIZE = 1_000_000;
+                    const stat = fs.statSync(harnessPath);
+                    if (stat.size > MAX_HARNESS_SIZE) {
+                        throw new Error(`Verification harness too large (${stat.size} bytes, max ${MAX_HARNESS_SIZE}). Possible corrupt LLM output.`);
+                    }
                     const rawHarness = fs.readFileSync(harnessPath, 'utf8');
                     const harnessData = JSON.parse(rawHarness);
                     // GAP-5 fix: Persist the harness so CLI drift detection works for DarkFactory runs

package/dist/darkfactory/safetyController.js

@@ -45,8 +45,16 @@ export class SafetyController {
         if (!spec.workingDirectory)
             return true;
         // Resolve symlinks and protect against ../ escapes.
-        const resolvedTarget = path.resolve(targetPath);
-        const resolvedWorkspace = path.resolve(spec.workingDirectory);
+        let resolvedTarget = path.resolve(targetPath);
+        let resolvedWorkspace = path.resolve(spec.workingDirectory);
+        // EDGE-2 FIX: macOS (HFS+/APFS) and Windows (NTFS) use case-insensitive
+        // filesystems by default. Without case normalization, "/App/Workspace"
+        // and "/app/workspace" are treated as different paths — allowing a scope
+        // escape via case mismatch.
+        if (process.platform === 'darwin' || process.platform === 'win32') {
+            resolvedTarget = resolvedTarget.toLowerCase();
+            resolvedWorkspace = resolvedWorkspace.toLowerCase();
+        }
         // Path Traversal Guard: A naive startsWith() check is vulnerable to
         // prefix collisions — e.g. /app/workspace-hacked passes startsWith('/app/workspace').
         // We require EITHER exact match OR the target starts with workspace + path separator.

package/dist/sdm/sdmEngine.js

@@ -5,6 +5,12 @@ const SDM_M = 10000;
 export const D_ADDR_UINT32 = PRISM_DEFAULT_CONFIG.d / 32;
 // Bump this whenever the PRNG algorithm changes, to invalidate stale persisted state.
 export const SDM_ADDRESS_VERSION = 2;
+// EDGE-5 FIX: Separate version constant for the HDC concept dictionary.
+// SDM_ADDRESS_VERSION tracks the PRNG algorithm for hard-location addresses.
+// HDC_DICTIONARY_VERSION tracks the binary encoding format for concept vectors.
+// Using the same constant creates false coupling — a PRNG change doesn't
+// invalidate the concept dictionary, and vice versa.
+export const HDC_DICTIONARY_VERSION = 1;
 // The hard threshold boundary applied to counters during HDC writes
 // to retain memory plasticity over long periods.
 const COUNTER_CLIP = 20;
@@ -271,17 +277,35 @@ export class SparseDistributedMemory {
         }
         return state;
     }
+    /** Returns the current mode lock of this engine instance. */
+    getMode() {
+        return this._mode;
+    }
     /**
      * Import a previously serialized 1D Float32Array matrix back into
      * the 2D counters array.
+     *
+     * IMPORTANT: Uses slice() (not subarray()) to create independent copies
+     * of each counter row. subarray() creates aliased views over the same
+     * ArrayBuffer — if the source buffer is GC'd or detached, all counters
+     * would silently point to invalid memory.
+     *
+     * @param state - 1D Float32Array of length SDM_M * D
+     * @param mode  - The mode this state was exported from. If provided,
+     *                locks the engine to this mode to prevent HDC/semantic
+     *                cross-talk on deserialization. (Default: preserve current)
      */
-    importState(state) {
+    importState(state, mode) {
         if (state.length !== SDM_M * PRISM_DEFAULT_CONFIG.d) {
             throw new Error(`Invalid SDM state size: expected ${SDM_M * PRISM_DEFAULT_CONFIG.d}, got ${state.length}`);
         }
         for (let i = 0; i < SDM_M; i++) {
-            // Subarray creates a fast view over the underlying buffer
-            this.counters[i] = state.subarray(i * PRISM_DEFAULT_CONFIG.d, (i + 1) * PRISM_DEFAULT_CONFIG.d);
+            // slice() creates an independent copy — safe against source buffer detachment
+            this.counters[i] = state.slice(i * PRISM_DEFAULT_CONFIG.d, (i + 1) * PRISM_DEFAULT_CONFIG.d);
+        }
+        // Restore the mode lock if persisted alongside the counter state
+        if (mode) {
+            this._mode = mode;
         }
     }
 }

package/dist/storage/sqlite.js

@@ -1411,19 +1411,22 @@ export class SqliteStorage {
             conditions.push("role = ?");
             args.push(params.role);
         }
+        // Escape LIKE wildcards (% and _) in user input to prevent pattern injection.
+        // Without this, a search for "100%_done" would match unintended rows.
+        const escapeLike = (s) => s.replace(/[%_]/g, '\\$&');
         // Add LIKE conditions for each keyword
         for (const kw of params.keywords) {
             if (kw.length > 2) {
-                conditions.push("(summary LIKE ? OR keywords LIKE ? OR decisions LIKE ?)");
-                const pattern = `%${kw}%`;
+                conditions.push("(summary LIKE ? ESCAPE '\\' OR keywords LIKE ? ESCAPE '\\' OR decisions LIKE ? ESCAPE '\\')");
+                const pattern = `%${escapeLike(kw)}%`;
                 args.push(pattern, pattern, pattern);
             }
         }
         // BUG FIX: queryText was previously ignored — if keywords were empty,
         // zero search filters were added, returning unfiltered top-N results.
         if (params.queryText) {
-            conditions.push("(summary LIKE ? OR keywords LIKE ? OR decisions LIKE ?)");
-            const pattern = `%${params.queryText}%`;
+            conditions.push("(summary LIKE ? ESCAPE '\\' OR keywords LIKE ? ESCAPE '\\' OR decisions LIKE ? ESCAPE '\\')");
+            const pattern = `%${escapeLike(params.queryText)}%`;
             args.push(pattern, pattern, pattern);
         }
         args.push(params.limit);
@@ -1564,12 +1567,16 @@ export class SqliteStorage {
                     fallbackConditions.push("role = ?");
                     fallbackArgs.push(params.role);
                 }
+                // PERF: LIMIT 5000 prevents unbounded heap usage on large datasets.
+                // Tier-2 scores all rows JS-side, so we cap to a safe ceiling.
+                const TIER2_MAX_CANDIDATES = 5000;
                 const fallbackSql = `
           SELECT id, project, summary, decisions, files_changed,
                  session_date, created_at, is_rollup, importance, last_accessed_at,
                  embedding_compressed, embedding_turbo_radius
           FROM session_ledger
           WHERE ${fallbackConditions.join(" AND ")}
+          LIMIT ${TIER2_MAX_CANDIDATES}
         `;
                 const fallbackResult = await this.db.execute({ sql: fallbackSql, args: fallbackArgs });
                 // Score each entry using asymmetric cosine similarity
@@ -1642,7 +1649,7 @@ export class SqliteStorage {
             if (missingIds.length > 0) {
                 const placeholders = missingIds.map(() => '?').join(',');
                 const missingQuery = `
-          SELECT id, project, summary, session_date, decisions, files_changed
+          SELECT id, project, summary, session_date, decisions, files_changed, keywords, is_rollup, importance, last_accessed_at
           FROM session_ledger
           WHERE id IN (${placeholders}) AND deleted_at IS NULL AND user_id = ?
         `;
@@ -1655,6 +1662,9 @@ export class SqliteStorage {
                         session_date: row.session_date,
                         decisions: this.parseJsonColumn(row.decisions),
                         files_changed: this.parseJsonColumn(row.files_changed),
+                        is_rollup: Boolean(row.is_rollup),
+                        importance: Number(row.importance) || 0,
+                        last_accessed_at: row.last_accessed_at || null,
                         similarity: 0.0,
                     });
                 }
@@ -1666,6 +1676,7 @@ export class SqliteStorage {
                     const normEnergy = normalizeActivationEnergy(r.activationEnergy);
                     node.activationScore = normEnergy;
                     node.rawActivationEnergy = r.activationEnergy;
+                    node.isDiscovered = r.isDiscovered;
                     // Hybrid blend: 70% original match relevance, 30% structural energy
                     node.hybridScore = (node.similarity * 0.7) + (normEnergy * 0.3);
                     finalResults.push(node);
@@ -2085,13 +2096,16 @@ export class SqliteStorage {
         const setClauses = ["status = ?"];
         const args = [status];
         // Allow watchdog to set arbitrary safe fields (e.g., loop_count reset)
+        // SECURITY: Hardcoded allowlist + regex validation prevents SQL injection
+        // even if new keys are added without review.
         const ALLOWED_FIELDS = new Set([
             "loop_count", "task_start_time", "expected_duration_minutes",
             "task_hash", "current_task",
         ]);
+        const SAFE_COLUMN_RE = /^[a-z_]+$/;
         if (additionalFields) {
             for (const [key, val] of Object.entries(additionalFields)) {
-                if (ALLOWED_FIELDS.has(key)) {
+                if (ALLOWED_FIELDS.has(key) && SAFE_COLUMN_RE.test(key)) {
                     setClauses.push(`${key} = ?`);
                     args.push(val);
                 }
@@ -2505,16 +2519,16 @@ export class SqliteStorage {
         // The vector is a Uint32Array. We need its underlying buffer for SQLite.
         // Wrap in Uint8Array to satisfy @libsql/client InValue typing which rejects SharedArrayBuffer
         const buffer = new Uint8Array(vector.buffer, vector.byteOffset, vector.byteLength);
-        const { SDM_ADDRESS_VERSION } = await import('../sdm/sdmEngine.js');
+        const { HDC_DICTIONARY_VERSION } = await import('../sdm/sdmEngine.js');
         await this.db.execute({
             sql: `INSERT INTO hdc_dictionary (concept_name, vector, prng_version) 
             VALUES (?, ?, ?)
             ON CONFLICT(concept_name) DO UPDATE SET 
               vector = excluded.vector,
               prng_version = excluded.prng_version`,
-            args: [concept, buffer, SDM_ADDRESS_VERSION],
+            args: [concept, buffer, HDC_DICTIONARY_VERSION],
         });
-        debugLog(`[SqliteStorage] Persisted HDC orthogonal concept v${SDM_ADDRESS_VERSION} to dictionary: ${concept}`);
+        debugLog(`[SqliteStorage] Persisted HDC concept v${HDC_DICTIONARY_VERSION} to dictionary: ${concept}`);
     }
     // ─── v6.1: Storage Hygiene ────────────────────────────────────────────
     /**
@@ -2743,11 +2757,29 @@ export class SqliteStorage {
             args: [sourceId, targetId, linkType],
         });
     }
-    async decayLinks(olderThanDays) {
+    async decayLinks(olderThanDays, userId) {
         // Reduce strength by -0.05 for non-structural associative links not traversed in N days.
         // Floor at 0.0 (enforced by CHECK constraint) — links at 0.0 are
         // effectively dead but preserved for provenance audit.
         // We only decay related_to heuristical links, not factual structural links.
+        //
+        // TENANT ISOLATION: When userId is provided, scope decay to links
+        // owned by this user's ledger entries (prevents cross-tenant decay
+        // in shared-database deployments).
+        if (userId) {
+            const result = await this.db.execute({
+                sql: `UPDATE memory_links
+              SET strength = MAX(strength - 0.05, 0.0)
+              WHERE last_traversed_at < datetime('now', ?)
+                AND link_type IN ('related_to')
+                AND source_id IN (
+                  SELECT id FROM session_ledger WHERE user_id = ?
+                )`,
+                args: [`-${olderThanDays} days`, userId],
+            });
+            return result.rowsAffected;
+        }
+        // Fallback: unscoped decay (backward-compatible for single-tenant)
         const result = await this.db.execute({
             sql: `UPDATE memory_links
             SET strength = MAX(strength - 0.05, 0.0)

package/dist/storage/supabase.js

@@ -374,7 +374,7 @@ export class SupabaseStorage {
                         id: `in.(${missingIds.join(",")})`,
                         user_id: `eq.${userId}`,
                         deleted_at: "is.null",
-                        select: "id,project,summary,session_date,decisions,files_changed",
+                        select: "id,project,summary,session_date,decisions,files_changed,is_rollup,importance,last_accessed_at",
                     });
                     for (const row of (Array.isArray(rows) ? rows : [])) {
                         fullNodeMap.set(row.id, {
@@ -384,6 +384,9 @@ export class SupabaseStorage {
                             session_date: row.session_date,
                             decisions: Array.isArray(row.decisions) ? row.decisions : [],
                             files_changed: Array.isArray(row.files_changed) ? row.files_changed : [],
+                            is_rollup: Boolean(row.is_rollup),
+                            importance: Number(row.importance) || 0,
+                            last_accessed_at: row.last_accessed_at || null,
                             similarity: 0.0,
                         });
                     }
@@ -400,6 +403,7 @@ export class SupabaseStorage {
                     const normEnergy = normalizeActivationEnergy(r.activationEnergy);
                     node.activationScore = normEnergy;
                     node.rawActivationEnergy = r.activationEnergy;
+                    node.isDiscovered = r.isDiscovered;
                     // Hybrid blend: 70% original match relevance, 30% structural energy
                     node.hybridScore = (node.similarity * 0.7) + (normEnergy * 0.3);
                     finalResults.push(node);
@@ -968,13 +972,13 @@ export class SupabaseStorage {
     }
     async saveHdcConcept(concept, vector) {
         const base64Vector = this.uint32ToBase64(vector);
-        const { SDM_ADDRESS_VERSION } = await import('../sdm/sdmEngine.js');
+        const { HDC_DICTIONARY_VERSION } = await import('../sdm/sdmEngine.js');
         await supabasePost("hdc_dictionary", {
             concept_name: concept,
             vector: base64Vector,
-            prng_version: SDM_ADDRESS_VERSION,
+            prng_version: HDC_DICTIONARY_VERSION,
         }, { on_conflict: "concept_name" }, { Prefer: "return=minimal,resolution=merge-duplicates" });
-        debugLog(`[SupabaseStorage] Persisted HDC concept v${SDM_ADDRESS_VERSION} to dictionary: ${concept}`);
+        debugLog(`[SupabaseStorage] Persisted HDC concept v${HDC_DICTIONARY_VERSION} to dictionary: ${concept}`);
     }
     // ─── v6.1: Storage Hygiene ────────────────────────────────────
     async vacuumDatabase(_opts) {
@@ -1152,7 +1156,7 @@ export class SupabaseStorage {
             return;
         }
     }
-    async decayLinks(olderThanDays) {
+    async decayLinks(olderThanDays, _userId) {
         try {
             const affected = await supabaseRpc("prism_decay_links", {
                 p_older_than_days: olderThanDays

package/dist/tools/graphHandlers.js

@@ -146,67 +146,9 @@ export async function knowledgeSearchHandler(args) {
         });
         contentBlocks.push(traceToContentBlock(trace));
     }
-    // ── v6.0 Phase 3: 1-Hop Graph Expansion ──────────────────
-    // Same pattern as sessionSearchMemoryHandler:
-    // Traverse outbound links from direct hits to find associated memories.
-    // Graph-expanded results are BONUS — don't consume limit slots.
-    try {
-        // Extract IDs from the knowledge search results
-        const directIds = new Set();
-        if (data.results && Array.isArray(data.results)) {
-            for (const entry of data.results) {
-                if (entry?.id)
-                    directIds.add(entry.id);
-            }
-        }
-        if (directIds.size > 0) {
-            const enrichedIds = new Set();
-            const maxGraphResults = Math.min(limit, 10);
-            for (const directId of directIds) {
-                if (enrichedIds.size >= maxGraphResults)
-                    break;
-                const links = await storage.getLinksFrom(directId, PRISM_USER_ID, 0.3, 5);
-                for (const link of links) {
-                    if (!directIds.has(link.target_id) && !enrichedIds.has(link.target_id)) {
-                        enrichedIds.add(link.target_id);
-                        if (enrichedIds.size >= maxGraphResults)
-                            break;
-                    }
-                }
-            }
-            if (enrichedIds.size > 0) {
-                const enrichedEntries = await storage.getLedgerEntries({
-                    user_id: `eq.${PRISM_USER_ID}`,
-                    ids: [...enrichedIds],
-                    select: "id,summary,project,created_at",
-                });
-                if (enrichedEntries.length > 0) {
-                    const graphFormatted = enrichedEntries.map((e) => `[🔗] ${e.created_at?.split("T")[0] || "unknown"} — ${e.project || "unknown"}\n` +
-                        `  Summary: ${e.summary}`).join("\n");
-                    contentBlocks[0] = {
-                        type: "text",
-                        text: contentBlocks[0].text +
-                            `\n\n🔗 Graph-connected memories (${enrichedEntries.length} via 1-hop expansion):\n\n${graphFormatted}`,
-                    };
-                    // Fire-and-forget: reinforce traversed links
-                    for (const directId of directIds) {
-                        storage.getLinksFrom(directId, PRISM_USER_ID, 0.3, 5)
-                            .then(links => {
-                            for (const link of links) {
-                                if (enrichedIds.has(link.target_id)) {
-                                    storage.reinforceLink(directId, link.target_id, link.link_type).catch(() => { });
-                                }
-                            }
-                        })
-                            .catch(() => { });
-                    }
-                }
-            }
-        }
-    }
-    catch (graphErr) {
-        debugLog(`[knowledge_search] Graph expansion failed (non-fatal): ${graphErr instanceof Error ? graphErr.message : String(graphErr)}`);
-    }
+    // v8.0: Legacy v6.0 1-Hop Graph Expansion has been removed.
+    // The Synapse Engine now handles multi-hop traversal at the storage layer,
+    // integrating discovered nodes into the main ranked result array.
     return { content: contentBlocks, isError: false };
 }
 export async function knowledgeForgetHandler(args) {
@@ -437,9 +379,12 @@ export async function sessionSearchMemoryHandler(args) {
                     // They should decay 50% slower than raw episodic chatter to retain long-term context.
                     const decayRate = r.is_rollup ? PRISM_ACTR_DECAY * 0.5 : PRISM_ACTR_DECAY;
                     const Bi = baseLevelActivation(timestamps, now, decayRate);
-                    // S_i: Structural activation energy from Synapse logic 
+                    // S_i: Normalized structural activation energy from Synapse logic 
                     // (computed during applySynapse in storage layer)
-                    const Si = (typeof r.rawActivationEnergy === 'number') ? r.rawActivationEnergy : 0;
+                    // v8.0: Use normalized 0-1 activationScore, NOT unbounded rawActivationEnergy.
+                    // Raw energy can reach 15+ for hub nodes, which saturates the sigmoid
+                    // and erases Bi (recency/frequency) from the composite score.
+                    const Si = (typeof r.activationScore === 'number') ? r.activationScore : 0;
                     // Composite retrieval score
                     const composite = compositeRetrievalScore(typeof r.similarity === "number" ? r.similarity : 0, Bi + Si, PRISM_ACTR_WEIGHT_SIMILARITY, PRISM_ACTR_WEIGHT_ACTIVATION, PRISM_ACTR_SIGMOID_MIDPOINT, PRISM_ACTR_SIGMOID_STEEPNESS);
                     // Attach to result for re-sorting and display
@@ -510,7 +455,9 @@ export async function sessionSearchMemoryHandler(args) {
             const actrStr = r._actr_composite !== undefined
                 ? `  ACT-R: composite=${r._actr_composite.toFixed(3)} (B=${r._actr_Bi?.toFixed(2)}, S=${r._actr_Si?.toFixed(3)})\n`
                 : "";
-            return `[${i + 1}] ${simScore} similar — ${r.session_date || "unknown date"}\n` +
+            // v8.0: Tag nodes discovered via Synapse multi-hop traversal
+            const synapseTag = r.isDiscovered ? " [🌐 Synapse]" : "";
+            return `[${i + 1}] ${simScore} similar${synapseTag} — ${r.session_date || "unknown date"}\n` +
                 `  Project: ${r.project}\n` +
                 `  Summary: ${r.summary}\n` +
                 importanceStr +
@@ -551,62 +498,9 @@ export async function sessionSearchMemoryHandler(args) {
             });
             contentBlocks.push(traceToContentBlock(trace));
         }
-        // ── v6.0 Phase 3: 1-Hop Graph Expansion ──────────────────
-        // After direct hits, traverse outbound links from each result to
-        // find associated memories. Graph-expanded results are BONUS — they
-        // don't consume limit slots. Hard-capped at `limit` additional results
-        // to protect LLM context windows.
-        //
-        // Fire-and-forget: errors degrade gracefully to just direct hits.
-        try {
-            const directIds = new Set(results.map((r) => r.id).filter(Boolean));
-            const enrichedIds = new Set();
-            const maxGraphResults = Math.min(limit, 10); // Hard cap
-            for (const directId of directIds) {
-                if (enrichedIds.size >= maxGraphResults)
-                    break;
-                const links = await storage.getLinksFrom(directId, PRISM_USER_ID, 0.3, 5);
-                for (const link of links) {
-                    if (!directIds.has(link.target_id) && !enrichedIds.has(link.target_id)) {
-                        enrichedIds.add(link.target_id);
-                        if (enrichedIds.size >= maxGraphResults)
-                            break;
-                    }
-                }
-            }
-            if (enrichedIds.size > 0) {
-                // Fetch the actual entries for enriched IDs
-                const enrichedEntries = await storage.getLedgerEntries({
-                    user_id: `eq.${PRISM_USER_ID}`,
-                    ids: [...enrichedIds],
-                    select: "id,summary,project,created_at",
-                });
-                if (enrichedEntries.length > 0) {
-                    const graphFormatted = enrichedEntries.map((e) => `[🔗] ${e.created_at?.split("T")[0] || "unknown"} — ${e.project || "unknown"}\n` +
-                        `  Summary: ${e.summary}`).join("\n");
-                    contentBlocks[0] = {
-                        type: "text",
-                        text: contentBlocks[0].text +
-                            `\n\n🔗 Graph-connected memories (${enrichedEntries.length} via 1-hop expansion):\n\n${graphFormatted}`,
-                    };
-                    // Fire-and-forget: reinforce traversed links
-                    for (const directId of directIds) {
-                        storage.getLinksFrom(directId, PRISM_USER_ID, 0.3, 5)
-                            .then(links => {
-                            for (const link of links) {
-                                if (enrichedIds.has(link.target_id)) {
-                                    storage.reinforceLink(directId, link.target_id, link.link_type).catch(() => { });
-                                }
-                            }
-                        })
-                            .catch(() => { });
-                    }
-                }
-            }
-        }
-        catch (graphErr) {
-            debugLog(`[session_search_memory] Graph expansion failed (non-fatal): ${graphErr instanceof Error ? graphErr.message : String(graphErr)}`);
-        }
+        // v8.0: Legacy v6.0 1-Hop Graph Expansion has been removed.
+        // The Synapse Engine now handles multi-hop traversal at the storage layer,
+        // integrating discovered nodes into the main ranked result array.
         return { content: contentBlocks, isError: false };
     }
     catch (err) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "prism-mcp-server",
-  "version": "8.0.0",
+  "version": "8.0.2",
   "mcpName": "io.github.dcostenco/prism-mcp",
   "description": "The Mind Palace for AI Agents — a true Cognitive Architecture with Hebbian learning (episodic→semantic consolidation), ACT-R spreading activation (multi-hop causal reasoning), uncertainty-aware rejection gates (agents that know when they don't know), adversarial evaluation (anti-sycophancy), fail-closed Dark Factory pipelines, persistent memory (SQLite/Supabase), multi-agent Hivemind, time travel & visual dashboard. Zero-config local mode.",
   "module": "index.ts",

package/dist/memory/spreadingActivation.js

@@ -1,107 +0,0 @@
-/**
- * Apply ACT-R inspired Spreading Activation, Lateral Inhibition, and Fan Effect.
- * It traverses the `memory_links` table over T iterations starting from the given anchors.
- */
-export async function applySpreadingActivation(db, anchors, options, userId) {
-    if (!options.enabled || anchors.length === 0)
-        return anchors;
-    const T = options.iterations ?? 3;
-    const S = options.spreadFactor ?? 0.8;
-    const softM = 20; // Soft lateral inhibition during propagation
-    const finalM = options.lateralInhibition ?? 7; // Final hard lateral inhibition
-    // State: current activation score for nodes.
-    let activeNodes = new Map();
-    for (const anchor of anchors) {
-        activeNodes.set(anchor.id, anchor.similarity || 1.0);
-    }
-    for (let t = 0; t < T; t++) {
-        const nextNodes = new Map();
-        // Preserve existing activation: a_i^(t+1) = a_i^(t) + incoming
-        for (const [id, score] of activeNodes.entries()) {
-            nextNodes.set(id, score);
-        }
-        const currentIds = Array.from(activeNodes.keys());
-        if (currentIds.length === 0)
-            break;
-        const placeholders = currentIds.map(() => '?').join(',');
-        // Fetch edges connected to active nodes with LIMIT to prevent explosion on hub nodes.
-        const edgeQuery = `
-      SELECT source_id, target_id, strength
-      FROM memory_links 
-      WHERE source_id IN (${placeholders}) OR target_id IN (${placeholders})
-      LIMIT 200
-    `;
-        const edgeArgs = [...currentIds, ...currentIds];
-        const edgeRes = await db.execute({ sql: edgeQuery, args: edgeArgs });
-        // Compute out-degree (Fan Effect) directly from fetched edge rows
-        // instead of a separate SQL round-trip — halves query count per iteration.
-        const fanMap = new Map();
-        for (const row of edgeRes.rows) {
-            const src = row.source_id;
-            if (activeNodes.has(src)) {
-                fanMap.set(src, (fanMap.get(src) || 0) + 1);
-            }
-        }
-        for (const row of edgeRes.rows) {
-            const source = row.source_id;
-            const target = row.target_id;
-            const strength = Number(row.strength);
-            // Forward flow: Source is active, flows to Target
-            if (activeNodes.has(source)) {
-                const fan = fanMap.get(source) || 1;
-                // Dampened fan effect: instead of strict 1/fan, we use 1 / ln(fan + e)
-                const dampedFan = Math.log(fan + Math.E);
-                const flow = S * (strength * activeNodes.get(source) / dampedFan);
-                nextNodes.set(target, (nextNodes.get(target) || 0) + flow);
-            }
-            // Backward flow: Target is active, flows backward to Source with a heavier penalty
-            if (activeNodes.has(target)) {
-                const flow = (S * 0.5) * (strength * activeNodes.get(target));
-                nextNodes.set(source, (nextNodes.get(source) || 0) + flow);
-            }
-        }
-        // Soft lateral inhibition: Keep only top softM candidates to prevent explosion
-        const sorted = Array.from(nextNodes.entries()).sort((a, b) => b[1] - a[1]);
-        activeNodes = new Map(sorted.slice(0, softM));
-    }
-    // Final evaluation
-    const finalIds = Array.from(activeNodes.keys()).slice(0, finalM);
-    const anchorMap = new Map();
-    for (const a of anchors)
-        anchorMap.set(a.id, a);
-    const finalResults = [];
-    const missingIds = finalIds.filter(id => !anchorMap.has(id));
-    if (missingIds.length > 0) {
-        const placeholders = missingIds.map(() => '?').join(',');
-        const missingQuery = `
-      SELECT id, project, summary, session_date, decisions, files_changed
-      FROM session_ledger
-      WHERE id IN (${placeholders}) AND deleted_at IS NULL AND user_id = ?
-    `;
-        const missingRes = await db.execute({ sql: missingQuery, args: [...missingIds, userId] });
-        for (const row of missingRes.rows) {
-            anchorMap.set(row.id, {
-                id: row.id,
-                project: row.project,
-                summary: row.summary,
-                session_date: row.session_date,
-                decisions: row.decisions && typeof row.decisions === 'string' ? JSON.parse(row.decisions) : undefined,
-                files_changed: row.files_changed && typeof row.files_changed === 'string' ? JSON.parse(row.files_changed) : undefined,
-                similarity: 0.0 // Base similarity is 0 since it wasn't matched originally
-            });
-        }
-    }
-    // Compute Hybrid Score and return M nodes
-    for (const id of finalIds) {
-        if (anchorMap.has(id)) {
-            const node = anchorMap.get(id);
-            const activationScore = activeNodes.get(id) || 0;
-            node.activationScore = activationScore;
-            // Hybrid blend: 70% original match relevance, 30% activation structural energy
-            node.hybridScore = (node.similarity * 0.7) + (activationScore * 0.3);
-            finalResults.push(node);
-        }
-    }
-    // Sort descending by Hybrid Score
-    return finalResults.sort((a, b) => (b.hybridScore || 0) - (a.hybridScore || 0));
-}