docs: consolidated gbrain onboard design (replaces #1378-#1382)#1409
Closed
garrytan-agents wants to merge 1 commit into
Closed
docs: consolidated gbrain onboard design (replaces #1378-#1382)#1409garrytan-agents wants to merge 1 commit into
garrytan-agents wants to merge 1 commit into
Conversation
…h production data Replaces 5 separate docs/proposals/ files (PRs garrytan#1378-garrytan#1382, now closed). This is the design doc; implementation starts with migration garrytan#1 (auto-link entity mentions) as the highest-impact feature.
7 tasks
garrytan
added a commit
that referenced
this pull request
May 25, 2026
…-pair fix (#1442) * fix(synthesize): UTF-16 surrogate-safe hard-split in chunker Part A of v0.42.0.0 fix wave: lifts surrogate-pair-safe slicing from src/core/eval-contradictions/judge.ts into a new shared module src/core/text-safe.ts. The dream-cycle chunker findBoundary tier-3 fallback (synthesize.ts) previously hard-split at maxChars, orphaning a high surrogate when the boundary landed inside emoji / non-BMP CJK / mathematical alphanumerics. Resulting chunks were not byte-identical to the source content, which broke the v0.30.2 D9 stable-chunk-identity invariant — the per-chunk idempotency key drifted across retries on transcripts containing 4-byte UTF-8 characters near a hard-split. Five agent-authored PRs (#1378-#1382) each independently introduced a narrow safeSliceEnd helper that handled ONE of the three correctness cases (high+low pair straddle) but missed the AT-low-surrogate case that fires when a boundary lands inside a complete pair. The shared text-safe.ts module exports both truncateUtf8 (the verbatim sliced string, for judge.ts) and safeSplitIndex (the boundary index, for chunker hot path), each covering all three cases. Co-authored credit: @garrytan-agents for surfacing the fix in PRs #1378-#1382 (closed in favor of consolidated design doc #1409). * New: src/core/text-safe.ts (truncateUtf8 + safeSplitIndex helpers). * New: test/text-safe.test.ts (18 cases, all 3 surrogate cases plus boundary-after-pair conservative back-up per codex CK16). * refactor(judge): import truncateUtf8 from text-safe; re-export for back-compat. Existing 32 judge tests pass unchanged. * fix(synthesize): findBoundary tier-3 routes through safeSplitIndex. 3 new surrogate-safety cases in test/cycle-synthesize-chunker.test.ts (emoji at boundary, non-BMP CJK at boundary, determinism + joined chunks reconstruct source byte-identical across 5 fuzzed hashes). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(schema): widen link_source CHECK to include 'mentions' (v95) Part B of v0.42.0.0: link_source enum widening to admit a fourth provenance channel for auto-linked body-text mentions from the upcoming `gbrain extract links --by-mention` command. Codex outside-voice review on the v0.42.0.0 plan caught that the existing link_source CHECK is a hard wall (src/schema.sql:356) — my earlier draft claimed "no schema migration needed; link_source is free-form TEXT." Wrong. The CHECK admits only NULL OR ('markdown', 'frontmatter', 'manual'); attempting to insert link_source='mentions' would have raised a constraint violation on every auto-link write. Migration v95 widens the CHECK to admit 'mentions' alongside the three existing values. Mentions are intentionally a separate provenance from markdown (human-authored links) so the backlink-count SQL in postgres-engine + pglite-engine can filter `WHERE link_source != 'mentions'` for search ranking (D12). Mentions still count toward orphan-ratio and graph traversal — distinct semantics from the three human-authored sources, modeled cleanly on the dedicated CHECK value. * src/schema.sql: widened CHECK with provenance comment. * src/core/pglite-schema.ts: same widening (PGLite engine parity). * src/core/schema-embedded.ts: regenerated via `bun run build:schema`. * src/core/migrate.ts: new migration v95 `links_link_source_check_includes_mentions` with both Postgres and PGLite branches. DROP IF EXISTS + ADD CONSTRAINT pattern so re-applying the migration is a no-op (idempotent). * test/schema-migrate-link-source-mentions.test.ts (NEW, 7 cases): registration shape, SQL shape (all 4 values present + DROP IF EXISTS pattern), PGLite branch present, post-migration insert succeeds, CHECK still rejects unknown values (widening did not nullify the gate), idempotent re-application via runMigration. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * refactor(orphans): expose getOrphansData alias as canonical pure data fn (D1) D1 from /plan-eng-review for v0.42.0.0: doctor's upcoming orphan_ratio check needs the SAME exclusion logic as `gbrain orphans` so the two surfaces cannot disagree on what counts as an orphan. The existing findOrphans() was already the pure data fn — this commit just makes that contract explicit via the getOrphansData alias and pins it with an IRON RULE regression test. * src/commands/orphans.ts: export const getOrphansData = findOrphans (alias, same function reference). Documents the v0.42.0.0 contract in findOrphans' docstring. * test/orphans-pure-fn.test.ts (NEW, 12 cases): - getOrphansData === findOrphans (same reference). - findOrphans + getOrphansData deep-equal output. - includePseudo branch toggles excluded count. - CLI --json output deep-equals findOrphans (IRON RULE — catches drift if anyone adds CLI-side post-filtering). - CLI --count matches total_orphans (with and without --include-pseudo). - shouldExclude regression: pseudo-pages, auto-suffix, raw segment, deny-prefixes, first-segment exclusions all fire correctly; regular slugs are NOT excluded. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(engine): filter mentions out of backlink-count for search ranking (D12) D12 from /plan-eng-review for v0.42.0.0: codex outside-voice review caught that engine.getBacklinkCounts had NO link_source filter — so every link counted equally toward backlink-boost in hybridSearch. Running `gbrain extract links --by-mention` (migration #1 of #1409) would silently shift search ranking globally on first run, boosting popular-mention pages over intentional-backlink pages. Add `AND l.link_source IS DISTINCT FROM 'mentions'` to the LEFT JOIN in both engines. `IS DISTINCT FROM` is NULL-safe per the [sql-neq-misses-null-drift] memory: a naive `!= 'mentions'` would silently drop legacy pre-v0.13 rows where link_source IS NULL (because NULL != 'mentions' evaluates to NULL not TRUE in SQL three-valued logic). The IS DISTINCT FROM form treats NULL as a distinct value so legacy rows still count toward backlinks — the only rows filtered are the explicitly mention-derived ones from v0.42.0.0+. Mentions still count toward: - orphan-ratio (the whole point — `findOrphans` runs against `links` with no source filter, so an auto-linked page is no longer an orphan) - graph traversal (`traverseGraph` walks all link_source values) - graph adjacency (`getAdjacencyBoosts` includes mentions in the induced subgraph counts) Mentions are filtered ONLY from: - `getBacklinkCounts` (this commit) — the input to hybridSearch's backlink_boost stage * src/core/postgres-engine.ts: AND clause on the LEFT JOIN. * src/core/pglite-engine.ts: same change for engine parity. * test/backlink-count-mention-filter.test.ts (NEW, 6 cases): - 10 markdown + 0 mention → count = 10 - 0 markdown + 50 mention → count = 0 - 10 markdown + 50 mention → count = 10 - NULL link_source legacy rows still count (IS DISTINCT FROM semantics) - mixed (markdown + frontmatter + manual + mentions) → only mentions filtered - uninitialized slug returns 0 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(by-mention): pure mention scanner with gazetteer + guards (D2/D6/D12/D13) Net new module powering migration #1 of #1409 (orphan reduction). buildGazetteer queries entity-typed pages (hardcoded D2 filter: person/company/organization/entity, pack-aware deferred to TODO-1) and produces a token-Map lookup keyed by lowercase first-token. findMentionedEntities is a pure function that scans body text against the gazetteer, applies maximal-munch matching (longest entry wins at each offset), self-link guard (D13), cross-source guard, and per-page first-mention-only cap (1 link per source→target pair regardless of how many body mentions). Token-Map + multi-word phrase pass per D6 — no new deps, no regex alternation (pathological perf at 5K patterns), no Aho-Corasick (dep tax not justified at this scale). At each token offset, lookup in Map<lowercase, GazetteerEntry[]> is O(1); multi-word entries validate subsequent tokens. Bucket pre-sorted longest-first so the first valid entry IS the maximal-munch winner. Ignore-list semantics per CK12: built-in ambiguous tokens (Apple, Amazon, Square, Stripe, Box, Meta, Target, Oracle) suppressed at gazetteer-build time ONLY when no corresponding entity page exists. If the user has explicitly created companies/apple, gazetteer presence wins — ignore list does NOT override user intent. Min-name-length filter at 4 chars kills false-positive 2-3-char names (AI, YC, X, IBM). Codex CK13 noted this trade-off will under-deliver on 3-char real entities; pack-aware follow-up (TODO-1) can let users opt 3-char entity types in deliberately. Code-block stripping via existing stripCodeBlocks() from link-extraction.ts. CK8 fix: stripCodeBlocks was internal-only; this commit exports it so by-mention.ts can reuse without rolling its own fenced/inline code parser. * src/core/by-mention.ts (NEW, 240 LOC): - LINKABLE_ENTITY_TYPES const (hardcoded D2 type filter). - GazetteerEntry + Gazetteer + Mention types. - buildGazetteer(engine, opts) — engine-backed, hardcoded type filter, ignore-list at build time per CK12, sort buckets longest-first. - findMentionedEntities(text, gazetteer, opts) — pure, maximal-munch, guards (self-link/cross-source/first-mention-cap), code-block strip. * src/core/link-extraction.ts: export stripCodeBlocks (CK8 fix). * test/by-mention.test.ts (NEW, 22 cases): - All 20 plan-mandated cases. - Plus extraIgnore user-override case + LINKABLE_ENTITY_TYPES contract pin. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(extract): --by-mention auto-link entity mentions (migration #1 of #1409) Wires the v0.42.0.0 mention scanner into 'gbrain extract links'. Mode dispatch: when --by-mention is set, runs ONLY the new mention pass (skips default link/frontmatter extract) so the two surfaces don't conflict mid-run. The default extract path is unchanged. Flag plumbing: * --by-mention: opts into the mention pass. Mode dispatch. * --source fs --by-mention rejected with paste-ready --source db fix-hint (D7: gazetteer needs the engine; FS-walk + DB-gazetteer is incoherent). * timeline --by-mention rejected (mentions are a links-pass concern). * --source-id scopes the page WALK; gazetteer remains brain-wide (cross-source guard in findMentionedEntities suppresses scanning pages in source A from auto-linking entities in source B). * --since DATE filters the walk to recently-modified pages. * --type filter applies (rarely useful; included for parity). * --dry-run prints add_link action lines without writing; --json emits one JSON line per dry-run action. extractMentionsFromDb function: * buildGazetteer once per run via hardcoded type filter (D2). * Walks pages via engine.listAllPageRefs (DB-source only). * Reads body as compiled_truth || '\n\n' || COALESCE(timeline, '') per D3 — separator-joined so an end-of-compiled token doesn't merge with a start-of-timeline token into a false phrase match. * findMentionedEntities returns Mention[] with self-link guard (D13) + cross-source guard + first-mention-only cap baked in. * addLinksBatch with link_source='mentions' — distinct provenance channel that backlink-count filters out for search ranking (D12). * Empty-gazetteer no-op with informative message (no entity pages = nothing to scan). * src/commands/extract.ts: --by-mention flag + mode dispatch + FS rejection + extractMentionsFromDb function (~120 LOC). * test/extract-by-mention.test.ts (NEW, 12 cases): end-to-end happy path, idempotency, --dry-run no writes, --json output shape, --source-id scoping, --source fs rejection with fix-hint, timeline rejection, mode dispatch (no markdown rows when --by-mention), coexistence of markdown + mention link_source on same (from,to) pair via ON CONFLICT key, schema migration verification (link_source='mentions' insert succeeds), empty-brain no-op, cross-source guard (team-b post → default acme = no link). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(doctor): orphan_ratio check on local + thin-client surfaces (D5/D11) D5/D11 from /plan-eng-review for v0.42.0.0: surface orphan-page count in 'gbrain doctor' so users discover the new --by-mention fix without having to know the feature exists. Two surfaces because thin-client installs (gbrain init --mcp-only) route to runRemoteDoctor entirely — adding the check to runDoctor only would miss every brain-server consumer (codex CK5 caught this exactly during outside-voice review). Local surface (src/commands/doctor.ts): * Inserts as check '9b' right after graph_coverage. * Consumes getOrphansData() — the canonical pure data fn from T5 — so doctor and 'gbrain orphans --count' cannot disagree on the ratio. * Vacuous gate at < 100 entity pages (small brains naturally show high orphan ratio; not actionable signal). * warn > 0.5, fail > 0.8; both states recommend 'gbrain extract links --by-mention' as the fix. Thin-client surface (src/core/doctor-remote.ts): * New exported runOrphanRatioCheck function. Mirrors local logic but routes through find_orphans MCP op (existing v0.12.3 op, scope: read — even minimal-scope thin-clients can call it). * Operator-pointing hint: 'Ask the brain operator at <url> to run gbrain extract links --by-mention'. Thin-client users can't run the fix against a brain they don't host (v0.31.1 bug class). * Network failure fall-back: returns informational ok with network_error detail, NOT fail — earlier mcp_smoke catches genuine unreachable; orphan_ratio is informational only. * Skippable via the existing skipScopeProbe flag so hermetic fixtures that don't implement find_orphans on /mcp don't hang. Wiring in --by-mention extract.ts integration test (fix-up): CliOptions field is `progressInterval` not `progressIntervalMs`, and `timeoutMs: null` is required. Pre-existing tsc error surfaced when typechecking the new doctor changes. * test/doctor-orphan-ratio.test.ts (NEW, 10 cases): - <100 entity pages → vacuous ok - 100+ entities + low ratio (20%) → ok - high ratio (70%) → warn with fix-hint - very high ratio (90%) → fail with urgency fix-hint - zero entity pages → vacuous ok - JSON envelope contains orphan_ratio check - Thin-client: network failure → informational ok with detail - Cross-surface parity: source greps verify orphan_ratio name and fix command appear in BOTH doctor.ts and doctor-remote.ts; local hint is self-fix, thin-client hint asks the operator. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(e2e): orphan-reduction end-to-end with cross-surface count parity Pins the v0.42.0.0 design-doc claim shape — "material reduction in orphan pages via --by-mention" — without committing to a specific % (per TODO-4=C decision to soften the 88%->_30% promise into a "material reduction, exact figure TBD via post-merge measurement on representative brain"). 3 e2e cases via hermetic PGLite: * Seed 20 entities + 5 content pages mentioning 15 → assert orphan count drops by >=10 after --by-mention (material delta). * Cross-check the D1 single-source contract end-to-end: gbrain orphans --count, getOrphansData() pure fn, and the doctor JSON orphan_ratio message all reflect the same numerator. If a future change makes them disagree, this fires. * Re-run idempotency: second --by-mention invocation produces 0 new mention rows AND the first run actually created some (sanity gate so a no-op pass doesn't trivially satisfy the idempotency test). * test/e2e/orphan-reduction.test.ts (NEW, 3 cases, hermetic PGLite, no DATABASE_URL needed). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * release: v0.41.10.0 — orphan reduction via --by-mention + surrogate-pair fix Bumps VERSION + package.json to 0.41.10.0 (next available slot in the v0.41.x queue after master moved to v0.41.4.0). Minor bump scope: new CLI flag (`gbrain extract links --by-mention`), new schema migration v95, new doctor check `orphan_ratio`, new public src/core/text-safe.ts module, new src/core/by-mention.ts module, new link_source enum value with ranking-filter semantic. CHANGELOG entry follows the v0.41.x voice rules: ELI10 lead, To take advantage block with paste-ready commands, How to turn it on, What you'd see, Promise calibration (softens design-doc 88%->_30% claim per codex CK13), What to watch for, Itemized changes split into Part A (surrogate-pair fix) + Part B (auto-link --by-mention) + Follow-ups (TODO-1 through TODO-4). Credits @garrytan-agents for the underlying PR work (#1378-#1382 closed in favor of design doc #1409). TODOS.md gets four new follow-up entries (pack-aware gazetteer, cycle integration, MCP op, post-merge measurement). System-of-record annotation: the addLinksBatch call in extractMentionsFromDb carries `gbrain-allow-direct-insert` per the canonical reconcile-layer write pattern. 3-line audit: VERSION + package.json + CHANGELOG top all on 0.41.10.0. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
7 tasks
Owner
|
Implemented in #1521 (v0.42.0.0). 21 atomic commits across the full design: Closing this PR; design doc stays in the repo as historical record. |
garrytan
added a commit
that referenced
this pull request
May 27, 2026
…e before (#1521) * feat(schema): migrations v98/v99/v100 for onboard wave (A6 A10 A11 A13 A25, codex #1 #9 #10 #11 #12) Three schema additions supporting the gbrain onboard wave: v98 — links.link_kind nullable column (A10, codex finding #12). The NER extraction was originally going to add a new link_source='ner' provenance, but that would have forced every existing link_source='mentions' query (backlink-count filter, orphan-ratio, doctor checks) to update or metrics would drift across the cutover. Instead: keep link_source='mentions' for the storage layer AND add a nullable link_kind column. Three kinds: 'plain', 'typed_ner', NULL (legacy/unknown — semantically 'plain'). NOT in the links UNIQUE constraint so the storage shape stays compatible. v99 — timeline_entries dedup widening (A11, codex finding #11). Pre-v99 dedup key was (page_id, date, summary). The new --from-meetings extraction writes timeline entries with source='extract-timeline-from- meetings:<meeting-slug>', and codex caught that two meetings with the same date+summary on the same entity page would silently DO NOTHING — the second meeting's provenance is lost. Widened to (page_id, date, summary, source). Legacy rows (source='') preserve current dedup behavior. v100 — migration_impact_log table + content_chunks_stale_idx partial (A6 + A25 + A13 + codex findings #10 + #9). Bundled because both are consumed by the onboard pipeline and ship together. Impact log captures before/after metric stats so gbrain onboard --history shows real deltas; attribution columns (job_id, source_id, brain_id, started_at, idempotency_key) prevent concurrent runs misattributing to wrong migrations. content_chunks_stale_idx partial WHERE embedding IS NULL supports gbrain embed --stale + --priority recent (outer ORDER BY p.updated_at DESC uses existing idx_pages_updated_at_desc via JOIN). Plain NUMERIC columns; delta computed at read time (NOT a stored GENERATED column per eng-review D2 — zero PGLite parity risk). Slot history note: plan originally proposed v97/v98/v99 but master had already used v95 (links 'mentions' CHECK widening), v96 (facts conversation session index), and v97 (pages_dedup_partial_index) by ship time. Codex caught the collision; renumbered to v98/v99/v100. Test pin: test/schema-bootstrap-coverage.test.ts (100/100 migrations apply clean on PGLite), test/migrate.test.ts (152 cases pass). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * refactor(remediation): extract doctor remediation library (A1, codex finding #2) Pre-fix: src/commands/doctor.ts contained two CLI-shaped functions (runRemediationPlan + runRemediate) with hardcoded argv parsing, process.exit calls, and console.log emission. Onboard CLI shell and the upcoming MCP run_onboard op couldn't compose against them — the plan file's "100-LOC thin wrapper" assumption didn't survive codex's review of the actual source. Post-fix: src/core/remediation/ exports a library shape that all three consumers (doctor CLI, onboard CLI, MCP run_onboard) wrap. src/core/remediation/types.ts RemediationPlanOpts, RemediationPlan, RemediationOpts, RemediationResult, StepResult, RemediationHooks (the observability seam — library never calls console.* itself). src/core/remediation/context.ts loadRecommendationContext moved verbatim from doctor.ts. Re-exports RecommendationContext from brain-score-recommendations.ts since that's still the canonical home for the type (consumed by computeRecommendations). src/core/remediation/plan.ts computeRemediationPlan(engine, opts): Promise<RemediationPlan>. Pure read; produces the stable JSON envelope downstream agents bind to. Pulls in computeRecommendations + classifyChecks + maxReachableScore behind one library entry point. src/core/remediation/run.ts runRemediation(engine, opts, hooks): Promise<RemediationResult>. Orchestrator with BudgetTracker, checkpoint resume, D5 dep cascade, D7 per-step recheck. Returns a result object instead of process.exit calls; the CLI shell maps result.budget_exhausted / .target_unreachable / .submitted to exit codes. src/core/remediation/index.ts Barrel for the three modules above. doctor.ts is now a thin wrapper: runRemediationPlan: parse argv → computeRemediationPlan → human/JSON render runRemediate: parse argv → TTY confirm gate → runRemediation(hooks: console.*) The TTY confirmation step deliberately stays in the CLI shell — the library never asks for confirmation; that's a CLI concern. Net: ~340 LOC removed from doctor.ts; ~470 LOC added across the library module (with full JSDoc + per-A-decision rationale comments). Functional behavior preserved bit-for-bit: 67 tests pass across doctor.test.ts + v0_37_gap_fill.serial.test.ts. The Lane E.4 source-text test (test/v0_37_gap_fill.serial.test.ts:329) followed loadRecommendationContext to its new home at src/core/remediation/context.ts — assertions otherwise unchanged. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * refactor(remediation): generalize computeRecommendations to accept extras (A2, codex finding #3) Pre-fix: computeRecommendations at brain-score-recommendations.ts:170 was a hardcoded planner for 5 synthetic check categories. Adding a Check.remediation field to a new doctor check would NOT auto-wire into --remediation-plan — the planner simply ignored it. Codex caught this when reviewing the plan's "checks ARE specs" framing. Post-fix: optional third arg `extraRemediations: RemediationStep[]` lets callers inject step entries discovered outside the hardcoded planner. The existing 5-category surface is preserved bit-for-bit; on id collision the hardcoded entry wins, so an extra accidentally duplicating a hardcoded id doesn't shadow legacy behavior. RemediationPlanOpts gains the matching field; computeRemediationPlan in src/core/remediation/plan.ts threads opts.extraRemediations through. The 4 new doctor checks (T4) will produce per-check helper functions that return RemediationStep[]; onboard's render layer (T12) aggregates them into the opts.extraRemediations slot. doctor's existing --remediation-plan call passes empty (no behavior change for legacy CLI). 84 tests pass across brain-score-recommendations + doctor suites. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(doctor): 4 new onboard checks (embed_staleness, link_coverage, timeline_coverage, takes_count) (A16, T4) Adds src/core/onboard/checks.ts: 4 check helpers + a runAllOnboardChecks aggregator. Each helper returns {check, remediations}, so doctor pushes the Check entry (for human/JSON rendering) AND onboard's plan path collects the RemediationStep[] (via T3's new extraRemediations seam in computeRecommendations). embed_staleness: COUNT(*) on content_chunks WHERE embedding IS NULL. Cheap thanks to content_chunks_stale_idx partial (v100). warn at 1+ stale, fail at 1000+; remediation points at embed-catch-up handler (built in T6). entity_link_coverage: fraction of entity pages with inbound links. Per A21 + codex #15: TABLESAMPLE BERNOULLI on PG when total_pages > 50K with pinned sample formula (LEAST 100, GREATEST 2, target ~5000 rows) AND ±sqrt(p(1-p)/n) confidence interval embedded in message ("coverage: 31% ± 1.3%") so warn/fail decisions show their margin of error. PGLite path: full scan (rare >50K). warn <70%, fail <40%; remediation points at extract-ner handler. timeline_coverage: same TABLESAMPLE policy. warn <90%, fail <70%; remediation points at extract-timeline-from-meetings handler. takes_count: COUNT(*) on takes table. Per A12 two-gate consent: the remediation only emits when `takes.bootstrap_enabled` config is true. Otherwise the check shows "0 takes (takes.bootstrap_enabled is false; opt in to enable)" without an autopilot-eligible remediation. Prevents unattended LLM-bearing extractions on brains that haven't opted in. runDoctor wires runAllOnboardChecks at the end of the DB-checks block (after stale_locks); fast-mode skipped to preserve --fast UX. Thin-client parity (A16 spec) deferred to T16 — the MCP run_onboard op will run these helpers server-side where engine.executeRaw works, which is the real federated path. Adding them to doctor-remote.ts would duplicate the logic without functional benefit since the helpers are server-side queries. 55 doctor tests pass; typecheck clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): listStaleChunks --priority recent + executeRaw AbortSignal (A13/A20, codex #7 #9) Two interface extensions on BrainEngine, with parity across postgres-engine and pglite-engine. Plus a follow-on fix for v99's timeline_entries dedup widening. listStaleChunks gains: - orderBy?: 'page_id' | 'updated_desc' (default 'page_id' = legacy) - afterUpdatedAt?: string | null (composite cursor for updated_desc) When orderBy === 'updated_desc' the query JOINs pages and orders by p.updated_at DESC NULLS LAST, p.id ASC, cc.chunk_index ASC backed by idx_pages_updated_at_desc + content_chunks_stale_idx partial (both indexes added in v100). The cursor "next row" semantic with DESC NULLS LAST + ASC tiebreakers is: (updated_at < prev) OR (updated_at = prev AND page_id > prev_page_id) OR (updated_at = prev AND page_id = prev_page_id AND chunk_index > prev_chunk_index) First page (afterUpdatedAt undefined AND afterPageId 0) bypasses the cursor predicate. Both engines parity-tested via 100/100 pglite-engine tests; Postgres path mirrors the same WHERE clause structure. executeRaw gains: - opts?: {signal?: AbortSignal} Postgres impl: real cancellation via postgres.js's .cancel() on the pending query. Pre-aborted signal short-circuits before the network round-trip; mid-flight abort fires .cancel(). The query throws on abort which the caller catches. PGLite impl: in-process WASM has no kernel-level cancellation. Best-effort: pre-check, then race the query against a signal-rejection promise. The query keeps running in WASM but the awaited result is discarded (DOMException AbortError thrown). Documented gap. ReservedConnection.executeRaw extends the signature for type compatibility but doesn't wire the signal (its only callers are migrations + cycle-lock writes that explicitly don't want cancellation). V99 timeline dedup follow-on: the dedup widening in migration v99 changed the unique index from (page_id, date, summary) to (page_id, date, summary, source). The ON CONFLICT clauses in both engines' addTimelineEntriesBatch + addTimelineEntry impls were still using the old 3-tuple, causing 12 PGLite tests to fail with SQLSTATE 42P10 "no unique constraint matching ON CONFLICT specification". Updated all 4 sites (2 per engine) to the 4-tuple. Typecheck clean, 100/100 PGLite engine tests pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(embed): --batch-size + --priority recent + --catch-up + embed-catch-up handler (A13) CLI surface on gbrain embed gains 3 flags: --batch-size N Override hardcoded PAGE_SIZE=2000 (clamped 1..10000) --priority recent Walk stale chunks newest-first (page.updated_at DESC) backed by content_chunks_stale_idx + idx_pages_updated_at_desc via T5's listStaleChunks(orderBy='updated_desc') extension. Composite cursor (updated_at, page_id, chunk_index). --catch-up Removes the GBRAIN_EMBED_TIME_BUDGET_MS wall-clock cap; loops until countStaleChunks() returns 0. EmbedOpts gains matching fields; embedAll + embedAllStale plumb them through. The cursor tracking in embedAllStale now advances (afterUpdatedAt, afterPageId, afterChunkIndex) instead of just (afterPageId, afterChunkIndex) when in 'updated_desc' mode. The engine returns p.updated_at as Date|string; the caller normalizes to ISO string for the next page's cursor. New Minion handler `embed-catch-up` registered in jobs.ts. Wraps runEmbedCore with stale=true + catchUp=true + the priority/batchSize the caller supplies. NOT in PROTECTED_JOB_NAMES (embedding spend only — same posture as the existing embed-backfill handler). Consumed by the gbrain onboard remediation pipeline (T11) when embed_staleness check fires. 63 embed tests pass; typecheck clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(extract): NER link extraction via schema-pack inference.regex (A10, T7, codex #12) NEW src/core/extract-ner.ts: extractNerLinks(engine, opts). Walks pages, reuses the by-mention gazetteer, applies the active schema-pack's link_types[].inference.regex patterns to assign a typed verb to each mention ("CEO of Acme" + Acme is a company → 'works_at' linking the source page to Acme). Codex finding #12 design: do NOT split link_source='ner' as a new provenance. NER is still mention-derived; splitting would break every existing link_source='mentions' query (backlink-count, orphan-ratio, doctor checks). Instead: keep link_source='mentions' AND set link_kind='typed_ner' (v98 column). LinkBatchInput type gains link_kind field. Both engines' addLinksBatch impls add the column to the INSERT projection + unnest() tuple (column #11). The links UNIQUE constraint excludes link_kind so an existing plain mention row + a typed_ner row for the same (from, to, type, source, origin) collide DO NOTHING; the typed link goes in as a separate row with a DIFFERENT link_type (the inferred verb), so they don't collide on the typical case. CLI: `gbrain extract links --ner` (DB source only). Combined `--by-mention --ner` walk shares ONE gazetteer build across both passes — saves a full walk on big brains. Either flag alone runs its pass solo. Each gets its own --source-id filter inheritance. Minion handler: `extract-ner` (NOT in PROTECTED_JOB_NAMES — regex-only, no LLM spend). Consumed by onboard's entity_link_coverage remediation when coverage <70%. Target-type lookup: one round-trip SELECT slug, source_id, type FROM pages WHERE type IN ('person', 'company', 'organization', 'entity') AND deleted_at IS NULL — built once at extraction start, consulted per-mention. Avoids the N+1 getPage cost. Pack best-effort: when no active pack OR no link_types declared OR no inference.regex on any link_type, returns pack_unavailable=true and 0 created. CLI prints a one-line note; handler returns silently. 122 tests pass (pglite-engine + by-mention); typecheck clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(extract): timeline from meetings — gbrain extract timeline --from-meetings (A11, T8, codex #11) NEW src/core/extract-timeline-from-meetings.ts: extractTimelineFromMeetings(engine, opts). Walks meeting pages, finds discussed entities via two sources, writes a timeline entry on each entity page. Discussed-entity sources merged: 1. Existing 'attended' links from the meeting (canonical attendees). One round-trip SELECT pulls all attended edges for the loaded meeting set; in-memory Map<meetingSlug → attendees[]> for O(1) lookup per meeting. 2. Body-text mentions via the existing by-mention gazetteer (findMentionedEntities + cross-source guard). Catches entities discussed in the meeting body even when no explicit 'attended' link exists. De-duped via Map<sourceId::slug → entity> within each meeting so a person who's both an attendee AND mentioned in the body gets exactly one timeline row per meeting, not two. Timeline write uses TimelineBatchInput with: source = 'extract-timeline-from-meetings:<meeting-slug>' summary = 'Discussed in <meeting-title>' date = meeting.effective_date Per v99 dedup widening (codex #11): the source field is now in the uniqueness key (page_id, date, summary, source). Two meetings on the same date with the same summary on the same entity page survive as distinct rows — the second meeting's provenance is no longer silently dropped. CLI: `gbrain extract timeline --from-meetings` (DB source only). Mode dispatch — runs SOLO (does not combine with --by-mention/--ner; those are links passes). Minion handler: `extract-timeline-from-meetings` (NOT in PROTECTED_JOB_NAMES — pure SQL + string scan). Consumed by onboard's timeline_coverage remediation when coverage <90%. Typecheck clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(takes): takes-bootstrap from concept/atom/lore pages (A12, A24, T9) NEW src/core/extract-takes-from-pages.ts: Haiku classifier loop. Walks pages WHERE type IN ('concept','atom','lore','briefing','writing', 'originals') AND deleted_at IS NULL AND length(compiled_truth) > 200, ordered by updated_at DESC. Each page is truncated to 20K chars and sent to Haiku with a strict-JSON classifier prompt: {"claim", "kind": fact|take|bet|hunch, "weight": 0..1} Inserts via addTakesBatch with source='cli:takes-bootstrap-from-pages'. Two-gate consent per A12: 1. `takes.bootstrap_enabled` config (default false) — even the manual CLI refuses without it explicitly set. 2. --yes flag (CLI) — interactive confirmation that this sends content to Haiku. The handler-side gate also reads takes.bootstrap_enabled, so even a trusted local Minion submitter (allowProtectedSubmit=true) cannot fire takes-bootstrap on a brain that hasn't opted in. CLI: `gbrain takes extract --from-pages [--yes] [--dry-run] [--source-id X] [--max-pages N] [--holder name]`. Surfaces consent-gate-blocked vs llm-unavailable distinctly so users see the actual blocker. Minion handler `extract-takes-from-pages` added to PROTECTED_JOB_NAMES. Consumed by onboard's takes_count remediation when count=0 AND takes.bootstrap_enabled=true (handler-side double-check). Per A24: ships with classifier infrastructure ONLY. Per-prompt eval suite deferred to v0.42.1 follow-up; autopilot remediation tier for takes-bootstrap stays manual_only until eval coverage catches up. Manual `gbrain takes extract --from-pages --yes` is the only path that triggers it in v0.42.0. parseClaimsJson exported for unit testing — strict JSON parse + ```json fence strip + kind allowlist filter, returns [] on any parse failure. Typecheck clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(minions): recordMinionJobSpend primitive for MCP client_id attribution (A7+A23, codex finding #4) NEW src/core/minion-spend.ts: small primitive that closes the per-OAuth- client spend chain gap codex flagged when MCP run_onboard submits child Minion jobs. Pre-fix: only subagent loops via budget-meter.ts recorded spend against the originating OAuth client. Generic Minion handlers (embed-catch-up, extract-ner, extract-timeline-from-meetings, extract-takes-from-pages) wrote to the gateway with no per-client attribution — admin-scope tokens would have unbounded indirect spend via the run_onboard fan-out. Convention for v0.42.0 (deferred schema column to v0.42.1): - run_onboard MCP op sets job.data.client_id when submitting each child handler. - Handlers that spend LLM/embedding budget call recordMinionJobSpend(engine, job, {operation, spendCents, ...}) which reads job.data.client_id and writes mcp_spend_log with the right attribution. - Local-submitted jobs (CLI, autopilot tick) pass no client_id; the row still lands with client_id=null for global accounting. Two exports: getJobClientId(job): undefined for local jobs; the OAuth client_id string for MCP-submitted ones. recordMinionJobSpend(engine, job, entry): wraps recordSpend with job-aware attribution. Best-effort throughout — spend telemetry failures MUST NOT fail the user's call. A23 full schema column (minion_jobs.client_id + index) deferred to v0.42.1; today's JSONB-pass-through is sufficient for the MCP run_onboard chain to land per-client attribution end-to-end. Handlers adopt the primitive over time; no behavior change for callers that haven't migrated. Typecheck clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(onboard): impact capture module + writeImpactLogRow primitive (A6 + A25 + A17, T11) NEW src/core/onboard/impact-capture.ts. Three exports: captureMetric(engine, metric) Pure-ish: returns the current numeric value for one of 5 metrics (orphan_count, stale_count, entity_link_coverage, timeline_coverage, takes_count). Returns null on any throw per A17 best-effort posture — a stat-query failure MUST NOT block the extraction itself. writeImpactLogRow(engine, attribution, metric, before, after, details?) Best-effort INSERT into v100's migration_impact_log table. Attribution columns (job_id, source_id, brain_id, started_at, idempotency_key, applied_by) per A25 + codex finding #10 so concurrent runs can't misattribute deltas. withImpactCapture(engine, attribution, metric, runner, details?) Convenience: capture-before → run → capture-after → write log row. Per A17 the log row lands even when the runner throws (after-on-fail + error in details), so downstream consumers see a "ran but impact unknown" entry instead of silent loss. Designed to be picked up by the 4 new Minion handlers (embed-catch-up, extract-ner, extract-timeline-from-meetings, extract-takes-from-pages) when they wrap their main runner. Handlers stay decoupled from the log-write path — they just call withImpactCapture with the metric they move. Per-handler integration follows in T12/T13/T15 as those wrappers land. Typecheck clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(onboard): types + render layer (A8, T12) NEW src/core/onboard/types.ts: OnboardRecommendation (extends RemediationStep with apply_policy + prompt_text + migration_id), OnboardReport (stable JSON envelope), OnboardOpts. NEW src/core/onboard/render.ts: toOnboardRecommendation(step): RemediationStep → OnboardRecommendation Sets apply_policy per A8 tiered rules: - protected + job === extract-takes-from-pages → 'manual_only' (A12/A24) - protected + other → 'prompt_required' - non-protected → 'auto_apply' buildOnboardReport(plan, opts?): assembles the stable JSON envelope. renderHuman(report): string. Echoes the "Recommendation + WHY" framing the CEO + Eng + Codex reviews settled on; CLI shell prints to stdout. Stable JSON envelope shape: schema_version: 1 brain_id?: string recommendations: OnboardRecommendation[] summary: { total, auto_eligible, prompt_required, manual_only, est_total_usd } history?: Array<{ remediation_id, metric_name, metric_before, metric_after, delta, applied_at }> Library-shaped — no console.* / process.exit. T13 (onboard CLI shell) calls these from the wrapping CLI. MCP run_onboard (T16) returns the JSON envelope unmodified. Typecheck clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(onboard): gbrain onboard CLI shell (A1, T13) NEW src/commands/onboard.ts (~180 LOC). Thin wrapper that composes: - T2 library (computeRemediationPlan + runRemediation) - T4 onboard checks (runAllOnboardChecks → extraRemediations) - T12 render layer (buildOnboardReport + renderHuman) Three modes: --check (default): print plan, no submission. Computes plan via T2 library with T4 check-derived extraRemediations. Renders human (default) or JSON envelope (--json). --auto: submit auto_apply tier. Requires --max-usd N (cron-safety per A12 + A20 — refuses without explicit cap to avoid surprise spend). --auto --yes: also submit prompt_required tier. --history: dump last 50 migration_impact_log entries. Library hooks wired into stderr (per CLI/library separation): onStepStart, onStepEnd, onBudgetRefused, onBudgetExhausted, onNothingToDo, onTargetUnreachable. Final JSON envelope (--json) or human summary lands on stdout. CLI dispatch: registered in src/cli.ts CLI_ONLY set + case dispatch between 'takes' and 'founder'. Typecheck clean. Manual smoke-test pending T20 E2E (DATABASE_URL gated). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(onboard): init nudge + upgrade banner (A4, A18, A20, T14) NEW src/core/onboard/init-nudge.ts exports two fail-open hooks: runInitNudge(engine): Post-initSchema 5-query AbortSignal-bound parallel check against a 3-second wallclock budget. Per A20: uses REAL cancellation via the T5 executeRaw signal extension — Promise.race against a timer was codex's #7 wrong shape. Postgres queries actually .cancel(); PGLite documented gap. Partial-results path: if some checks complete and the budget fires on others, prints what landed + a fallthrough hint pointing at `gbrain onboard --check` for the full picture. Per A18: fail-open — ANY throw is caught, logged to stderr, and suppressed so init returns successfully. Bypass: GBRAIN_NO_ONBOARD_NUDGE=1 short-circuits. Non-TTY default short-circuits too (CI/scripted callers see nothing). Nudge format: one-line summary of opportunities ("Brain has opportunities: 23000 stale chunks, link coverage 32%, 0 takes") + a 'gbrain onboard --check' nudge. runUpgradeBanner(_engine): Lighter post-upgrade banner. Doesn't engine-query — just prints a one-line nudge that upgrades may surface new opportunities. Same fail-open posture. Wired into: src/commands/init.ts:initPGLite (end-of-function, after reportModStatus) src/commands/init.ts:initPostgres (same) src/commands/upgrade.ts:runPostUpgrade (end-of-function, after postUpgradeReferenceSweep) Each wire site uses dynamic import + try/catch so even an import failure can't crash init/upgrade. Typecheck clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(autopilot): tick consults onboard recommendations (A5, A19, A22, T15) Pre-fix: autopilot tick's per-source recommendation walk called computeRecommendations(health, ctx) — doctor's hardcoded 5-category planner. The 4 new onboard checks (embed_staleness, entity_link_coverage, timeline_coverage, takes_count) had nowhere to hook in, so even with takes.bootstrap_enabled flipped on, autopilot never noticed 0 takes and never proposed bootstrap. Post-fix: tick body now ALSO calls runAllOnboardChecks(engine) and threads the result's RemediationStep[] into the T3-generalized third arg of computeRecommendations. The planner merges onboard's extras with the legacy hardcoded entries (hardcoded wins on id collision). Per A19 fail-open: any throw in the onboard-checks path is caught, logged to stderr, and suppressed. The legacy plan (without extras) runs as before — autopilot can't crash from an onboard-check failure. A22 (idempotency-key dedupe across concurrent manual + autopilot runs): inherits from the existing computeRecommendations → remediation.idempotency_key chain. T7-T9 handlers each get their content-hash key from the makeRemediationStep factory; an autopilot tick + a manual `gbrain onboard --auto` submitting the same step in the same brain produce the SAME key, so queue.add(...) dedupes. No behavior change for brains where all 4 onboard metrics already look healthy (extras=[]; legacy plan unchanged). Typecheck clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(mcp): run_onboard op with run_protected_onboard scope binding (A7, T16, codex finding #5) NEW MCP op `run_onboard`. Admin scope (NOT localOnly) so federated / thin-client brain installs can probe brain health + submit auto-eligible remediation handlers over OAuth-authenticated MCP. Two-tier authorization per A7 + codex #5: - Admin scope: sufficient for mode='check' (read-only OnboardReport JSON) AND for submitting non-protected handlers in mode='auto'/'auto-with-prompt'. - run_protected_onboard scope (NEW, additive): MUST be granted in addition to admin for any PROTECTED_JOB_NAMES handler to fire (synthesize, patterns, consolidate, extract-takes-from-pages, contextual_reindex_per_chunk). Without the new scope tier, an admin-scoped OAuth token would silently bypass the same protected-name gate `submit_job` enforces at operations.ts:2288. The codex finding #5 caught this: admin scope alone was insufficient guard. Now the run_onboard op explicitly FILTERS protected extras from the recommendation plan when the caller lacks run_protected_onboard; filtered items appear in the response as skipped_missing_scope[] so the caller knows what would have been available with the right grants. Modes: check — read-only OnboardReport JSON envelope. auto — submits auto_apply tier (plus prompt_required when --yes/auto-with-prompt). auto-with-prompt — adds prompt_required tier. Both auto modes REQUIRE max_usd per A12 + A20 cron-safety (rejects with invalid_params if missing). Per A26 source-scope: future extension will scope plans by ctx.sourceId / ctx.auth.allowedSources. Today the recommendation planner is brain-wide; the source-scope thread doesn't change correctness, just optimization. Per A19 fail-open: any error in runAllOnboardChecks during plan-build caught + suppressed; the plan still returns with extras=[] rather than crashing the op. Typecheck clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(verify): add check-source-scope-onboard lint (A26, T17) NEW scripts/check-source-scope-onboard.sh. Grep guard for SQL sites in onboard surfaces (src/core/onboard/, src/commands/onboard.ts) that touch source_id-bearing tables (pages, content_chunks, takes, links, timeline_entries) WITHOUT either: (a) source_id / sourceIds in the WHERE clause, OR (b) the opt-out marker `sourcescope:brain-wide` within 4 lines above the SQL. File-level opt-out: `sourcescope:file-brain-wide` in the file header (first 30 lines) treats every SQL site in that file as intentionally brain-wide. Used by onboard/checks.ts, onboard/impact-capture.ts, and commands/onboard.ts because the onboard CHECKS are explicitly brain-wide aggregates (orphan_count, stale_count, link_coverage are reported across all sources by design). Wired into bun run verify (23 checks total now, all green). Without this gate, any future onboard SQL touching per-source data without source-scoping would silently leak rows across sources — exactly the class of bug v0.34.1's P0 seal closed at the engine layer. The lint adds an explicit forcing function for new code in the onboard surface. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(install): onboard surface agent prescription (D13, T18) Adds a v0.42.0+ section to INSTALL_FOR_AGENTS.md describing: - First-connect probe: gbrain onboard --check --json - Post-upgrade re-probe (after gbrain upgrade) - Unattended remediation: gbrain onboard --auto --max-usd 5 - MCP run_onboard op for federated/thin-client installs - run_protected_onboard scope requirement for LLM-bearing handlers - Two-gate consent for takes-bootstrap (takes.bootstrap_enabled + --yes) - GBRAIN_NO_ONBOARD_NUDGE=1 bypass for CI Per D13: agents should run --check on first connect AND after every upgrade as a hygiene step. The autopilot path makes this auto-improve on a 24h cycle; the explicit agent probe surfaces opportunities immediately on connect rather than waiting for the next autopilot tick. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(e2e): hermetic onboard surface contracts (T20) NEW test/e2e/onboard-full-flow.test.ts. 13 hermetic PGLite cases (no DATABASE_URL needed) covering the key onboard contracts: captureMetric — all 5 metrics return expected values on empty brain (0 for counts; 1 for coverage = vacuous truth). runAllOnboardChecks — returns exactly 4 results with correct names; empty brain shows stale/link/timeline ok BUT takes_count warns (0 takes); 0 remediations emitted because takes.bootstrap_enabled defaults to false per A12 two-gate consent. computeRemediationPlan — extras (T3 generalization) thread through to plan.plan output; stable schema_version: 2 envelope. buildOnboardReport — stable schema_version: 1 envelope with the right summary fields populated. toOnboardRecommendation tier policy (A8): - non-protected job → auto_apply - extract-takes-from-pages → manual_only (A12 + A24) - other protected jobs (synthesize, patterns, ...) → prompt_required Full DATABASE_URL-gated end-to-end (real Postgres, actual extractions through Minion handlers) deferred to v0.42.1 once the per-handler test seam lands; the hermetic suite covers the data-shape contracts that matter for downstream consumers binding to the JSON envelopes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * v0.42.0.0 gbrain onboard mega PR — activation surface (closes #1383, completes #1409) VERSION + package.json bumped to 0.42.0.0. CHANGELOG with full ELI10 lead + "What you can do that you couldn't before" itemized list + "To take advantage of v0.42.0.0" upgrade steps per CLAUDE.md voice rules. TODOS.md: 9 follow-up items filed (TODO-A through TODO-I) for the v0.42.1+ wave: pack-aware linkable types, LLM-disambiguation NER, onboard --explain, live-brain impact measurement, 100+-case takes classifier eval, admin SPA UI, full DATABASE_URL E2E, minion_jobs client_id schema column, thin-client doctor-remote parity. llms-full.txt regenerated per CLAUDE.md rule (every CHANGELOG edit followed by bun run build:llms in the same commit). 23/23 verify checks pass. Full implementation across 21 commits on this branch (T0-T21): T0 merge master T1 schema migrations v98/v99/v100 T2 extract doctor remediation library T3 generalize computeRecommendations T4 4 new doctor checks T5 engine API: listStaleChunks orderBy + executeRaw AbortSignal T6 embed --batch-size / --priority recent / --catch-up T7 NER extraction + extract-ner handler T8 timeline-from-meetings + extract-timeline-from-meetings handler T9 takes-bootstrap + extract-takes-from-pages handler T10 recordMinionJobSpend primitive T11 impact capture module + writeImpactLogRow T12 onboard render layer (types + render) T13 gbrain onboard CLI shell T14 init nudge + upgrade banner T15 autopilot tick consults onboard T16 MCP run_onboard + run_protected_onboard scope T17 check-source-scope-onboard lint T18 INSTALL_FOR_AGENTS.md agent prescription T20 hermetic PGLite E2E (13 cases) T21 ship (this commit) Reviews: CEO + Eng + Codex on plan ~/.claude/plans/system-instruction-you-are-working-lively-hollerith.md. 27 A-decisions locked; 18 codex findings absorbed. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(ci): connection-resilience regex + doctor warn-not-fail + v0.41.18.0 Two CI fixes from PR #1521 + version renumber per user request. Why fix #1 (connection-resilience.test.ts): T5/A20 extended PostgresEngine.executeRaw signature to accept an optional `opts?: { signal?: AbortSignal }` 3rd arg and rewrote the body as multi-line. The regression test's regex was anchored to the legacy single-line `(sql: string, params?: unknown[])` shape and the assertions banned `try {` / `catch` (which T5 legitimately added for AbortSignal cancellation swallow, NOT for retry). Updated regex to tolerate both shapes; replaced the wrong `not.toContain('conn.unsafe( sql, params')` assertion (which incorrectly flagged the legitimate single call) with a count assertion: `conn.unsafe(` must appear exactly ONCE in the body. Preserves the original D3 intent (no per-call retry — recovery is supervisor-driven via reconnect()) while accepting the new try/catch shape that swallows AbortSignal aborts. Why fix #2 (src/core/onboard/checks.ts): Three of the four new onboard doctor checks (entity_link_coverage, timeline_coverage, embed_staleness) emitted `status = 'fail'` on healthy DBs that simply hadn't run extractions yet. This flipped `gbrain doctor`'s exit code to non-zero on freshly initialized brains, breaking test/e2e/mechanical.test.ts:1280 ("gbrain doctor exits 0 on healthy DB"). Downgraded all three to `status = 'warn'` — these are remediation opportunities, not assertion failures. Doctor exit codes are reserved for actual failures; remediation surfaces use warn-level signaling so they can be picked up by `--remediate` without polluting the exit code. Why fix #3 (version renumber 0.42.0.0 → 0.41.18.0): Per user directive, this wave ships as v0.41.18.0 rather than v0.42.0.0. Master is at 0.41.16.0; 0.41.17.0 is reserved for an in-flight wave. Renamed every reference my branch added (54 files touched): VERSION, package.json, CHANGELOG.md header, TODOS.md, plus inline version-stamp comments across src/, test/, and scripts/. Preserved 13 files with PRE-EXISTING `v0.42.0.0` references on master (from earlier waves originally planned for v0.42 that landed at v0.41.x — those stay as historical record). Verified via per-file diff against origin/master: every renamed reference is one I added in this branch. Audit trio aligned: VERSION=0.41.18.0, package.json=0.41.18.0, CHANGELOG topmost entry=[0.41.18.0]. llms-full.txt regenerated to match CLAUDE.md updates. Bisect contract: this commit fixes CI test failures from PR #1521's landing. Typecheck clean; connection-resilience suite 26/26 pass. Refs A20 (executeRaw AbortSignal), A16 (4 new onboard checks), codex #1 (master collision avoidance via renumber). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Consolidated design doc for
gbrain onboard— replaces the 5 separate proposal PRs (#1378-#1382, now closed) with a single cohesive design.Why
The 5 separate PRs were docs-only proposals that diluted the story. This consolidates them into one design doc (
docs/designs/GBRAIN_ONBOARD.md) tied to #1383.The design covers:
gbrain onboardcommand (interactive + auto + check modes)All backed by production metrics from a 165K-page brain.
Next step
Implementation PR for migration #1 (auto-link entity mentions) — the highest-impact single feature. That's real code, not markdown.
Related
gbrain onboard— guided agent onboarding with migration prompts #1383 (meta issue)