v0.35.4.0 fix(doctor,entities): supervisor crash classification + bare-name resolver + 58x perf + stub guard observability

[garrytan]

Summary

This branch replaces the closed PR #1022 (which contained leaked private-brain artifacts) with a sanitized, hardened, and tested version of the same fix. Built end-to-end via /plan-eng-review + /codex outside-voice + 13 implementation tasks (T1-T13).

Privacy / containment:

• Three reports/network-intelligence/*.md files containing real founder/family names removed. Branch rebuilt from origin/master so leak commits never enter the branch graph.
• Two dev scripts (scripts/sql.mjs, scripts/supersede.mjs) dropped — the latter hardcoded /data/brain and would corrupt a different brain than the one it was pointed at.
• Test fixtures + JSDoc real names → alice-example / bob-example / charlie-example / dave-example per CLAUDE.md privacy rule.
• Fork branch on garrytan-agents/gbrain force-pushed to scrubbed SHA; PR fix(doctor): classify supervisor crashes vs clean restarts + auto-heal spec #1022 closed.

Bug fixes:

• doctor + jobs supervisor status now correctly classify code === 0 worker exits as clean restarts (not crashes). Matches the v0.34.3.0 supervisor's restart-policy semantics. No more false-positive WARNs after autopilot drain.
• resolveEntitySlug adds a prefix-expansion step between fuzzy match and slugify fallback. Bare first names like "Alice" now resolve to people/alice-example instead of spawning an unparented alice.md at brain root.
• writeFactsToFence adds a defensive stub-creation guard for unprefixed slugs. Facts still persist via the legacy DB-only path; only the phantom markdown file is refused.

DRY:

• New src/core/minions/exit-classification.ts is the one source of truth for "is this exit a crash?" Three call sites (supervisor restart policy, doctor's supervisor check, jobs supervisor status) call the same helper. Signature consumes audit-JSON shape (code: number | null) so audit-log readers and Node-callback writers stay aligned.

Observability:

• New stub_guard_24h doctor check reads ~/.gbrain/audit/stub-guard-YYYY-Www.jsonl. WARN at >10 hits/24h; OK with count when non-zero; silent when zero. Wired with a v0.36 sunset criterion baked into the JSDoc.
• New stub-guard audit log uses a dual-week-aware reader that reads both current AND previous ISO-week files before timestamp-filtering — deliberately diverges from supervisor-audit.ts:readSupervisorEvents which loses 24h-window correctness across Monday 00:00 UTC. Follow-up TODO filed to fix the supervisor reader with the same pattern.

Performance:

• tryPrefixExpansion rewritten from derived-table JOINs (whole-table aggregation per call) to correlated subqueries scoped to slug-LIKE candidates. Measured 58x speedup (18.16ms → 0.31ms median on 5K pages + 50K links + 25K chunks). Behavior preserved; tiebreaker semantics unchanged.

Test Coverage

NEW FILES:                                            EXISTING FILES EXTENDED:
[+] src/core/minions/exit-classification.ts           [+] test/fence-write.test.ts (+3 stub-guard cases)
  └── classifyWorkerExit()                              ├── [★★★] Bare slug refused, audit fired
      ├── [★★★] code=0 → clean_exit                     ├── [★★★] Prefixed slug bypasses guard
      ├── [★★★] code=1, null, undefined, 137 → crash    └── [★★★] Empty facts no-op (no guard fire)
      └── [★★★] Consumer wire-up + audit-shape roundtrip
                                                      [+] test/facts-backstop.test.ts (+1 case)
[+] src/core/facts/stub-guard-audit.ts                  └── [★★★] Bare-name routes to engine.insertFact
  ├── computeStubGuardAuditFilename()                       (no phantom file, fact persists)
  │   ├── [★★★] Mid-week ISO-week math
  │   └── [★★★] Year-boundary 2027-01-01 → W53/2026     [+] test/doctor.test.ts (+5 cases)
  ├── logStubGuardEvent()                                 ├── [★★★] Check name stub_guard_24h
  │   ├── [★★★] JSONL append with ts                      ├── [★★★] WARN threshold > 10
  │   └── [★★★] Never throws on unwritable dir            ├── [★★★] Fix hint points at audit log
  └── readRecentStubGuardEvents()                         ├── [★★★] Uses dual-week reader, not supervisor
      ├── [★★★] DUAL-WEEK boundary read (Sun→Mon)         └── [★★★] Zero hits emits no check
      ├── [★★★] Sorted oldest-first
      ├── [★★★] Missing file returns []
      ├── [★★★] Malformed JSON tolerated
      └── [★★★] Required fields enforced

[+] src/core/entities/resolve.ts (prefix-expansion + SQL rewrite)
  └── tryPrefixExpansion() + isBareName()
      ├── [★★★] Single match + lowercase + slug fallback (×3)
      ├── [★★★] Multi-match tiebreaker (connection count)
      ├── [★★★] Multi-word + hyphenated bypass
      └── [★★★] Empty input

PERF REGRESSION GUARD:
[+] test/entity-resolve-perf.slow.test.ts
  └── [★★★] OLD shape vs NEW shape side-by-side, 5x median assertion
      └── Measured: old=18.16ms, new=0.31ms, speedup=58.22x

Tests added: 36 new (17 exit-classification + 9 stub-guard-audit + 13 entity-resolve +
  3 fence-write + 1 backstop + 5 doctor + 1 perf regression — minus reuse double-counts).
Test counts: 6621 parallel pass + 19 serial files pass on full suite, 0 failures.

Pre-Landing Review

Plan-eng-review run inline (in plan mode) before implementation. 9 decisions locked (D1-D9):

• D1: PII reports → full sweep (force-push fork + close PR)
• D2: real names in tests/comments → full scrub to placeholders
• D3: dev scripts → drop both
• D4: crash classification duplication → extract helper (T7)
• D5: stub guard hardening → audit + doctor + tests + sunset comment
• D6: doctor/jobs consumer tests → both
• D7: prefix-expansion perf → correlated-subquery rewrite + perf gate
• D8: full lake scope kept
• D9: rebuild from master (not git-rm-at-tip)

Codex outside-voice surfaced 16 findings; 6 plan corrections absorbed inline:

• T3 rebuild workflow (was git-rm-at-tip → rebuild for branch-history correctness)
• T7 helper signature consumes audit-JSON shape (not Node callback)
• T8 dual-week reader (don't copy supervisor-audit's boundary bug)
• T10 extends test/fence-write.test.ts (not new file)
• T12 correlated subqueries (no CTE cap that excluded correct candidates)
• T13 baseline-ratio perf assertion (not absolute wall-clock)

Plan Completion

All 13 implementation tasks (T1-T13) completed and verified. No deferred items. 4 follow-up TODOs filed for v0.36.x:

• Fix supervisor-audit.ts:77 reader's ISO-week boundary bug (use stub-guard reader as template)
• Decommission stub guard once sunset criterion holds (track via stub_guard_24h doctor surface)
• Make PREFIX_EXPANSION_DIRS config-driven
• Sweep pre-existing "wintermute" references out of CHANGELOG.md narrative text

TODOS

4 new follow-ups added to TODOS.md under "kinshasa-v3 follow-ups (v0.35.2.0)" section. No existing TODOs marked complete (this PR's work was bug fixes + new code, not addressing pre-existing TODO items).

Plan file

Lives at ~/.claude/plans/review-all-these-changes-compiled-bee.md. 13 tasks, 9 decisions, GSTACK REVIEW REPORT as terminal section. Plan-eng-review + Codex outside-voice both CLEARED.

Test plan

• bun run test passes (6621 unit + 19 serial files, 0 failures)
• bun run typecheck clean
• Verify the supervisor + stub_guard_24h doctor checks render correctly:

  gbrain doctor --json | jq '.checks[] | select(.name == "supervisor" or .name == "stub_guard_24h")'

• Confirm no reports/network-intelligence/ directory in the branch tree
• Confirm no wintermute references introduced (pre-existing CHANGELOG references flagged in follow-up TODO)
• Branch rebuilt from origin/master via T3 (not git-rm-at-tip); leak commits never enter the branch graph

🤖 Generated with Claude Code