feat(ui): add dreaming diary controls and navigation

[mbelinky]

Summary

• Problem: the grounded diary/backfill lane was only inspectable via raw markdown and the existing Dreams UI made it hard to browse days, inspect grounded output, or trigger rebuild/reset flows.
• Why it matters: we need a usable review surface before deciding which grounded candidate truths should feed the live dreaming evidence lane.
• What changed: added diary navigation, three-column grounded diary presentation, scene-level backfill/reset controls, and the gateway doctor surface those controls need.
• What did NOT change (scope boundary): this PR does not change grounded extraction logic and does not wire grounded candidates into live promotion.

Change Type (select all)

• Feature
• Bug fix
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• UI / DX
• Memory / storage
• Skills / tool execution
• Auth / tokens
• Integrations
• API / contracts
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related feat(memory): add grounded REM backfill lane #63273
• This PR fixes a bug or regression

Root Cause / Regression History (if applicable)

• Root cause: the backfill lane had no usable control surface or browseable diary presentation.
• Missing detection / guardrail: we had no focused UI/controller tests for grounded diary actions and rendering.
• Prior context (git blame, prior PR, issue, or refactor if known): UI follow-up on top of feat(memory): add grounded REM backfill lane #63273.
• Why this regressed now: N/A
• If unknown, what was ruled out: N/A

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/gateway/server-methods/doctor.test.ts, ui/src/ui/controllers/dreaming.test.ts, ui/src/ui/views/dreaming.test.ts, ui/src/ui/navigation.browser.test.ts
• Scenario the test should lock in: diary action RPCs, diary render layout/data, and browser navigation behavior.
• Why this is the smallest reliable guardrail: these seams cover the full UI control loop without requiring a live gateway/browser E2E.
• Existing test that already covers this (if any): N/A
• If no new test is added, why not: N/A

User-visible / Behavior Changes

• Dreams Diary gets a timeline/heatmap navigator and a three-column grounded layout.
• Scene gets Backfill and Reset controls for the diary backfill lane.
• grounded diary content is easier to inspect day by day.

Diagram (if applicable)

Before:
[user opens Dreams] -> [summary card + raw/weak diary inspection]

After:
[user opens Dreams] -> [timeline + heatmap + 3-column diary]
                     -> [Backfill / Reset controls]

Security Impact (required)

• New permissions/capabilities? (Yes/No) Yes
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) Yes
• Data access scope changed? (Yes/No) Yes
• If any Yes, explain risk + mitigation: the UI can now trigger grounded diary backfill/reset through the doctor gateway surface. The server-side actions remain workspace-local and marker-scoped; reset only removes backfilled diary entries.

Repro + Verification

Environment

• OS: macOS authoring, mb-server for gates
• Runtime/container: Node 22 / Vitest 4
• Model/provider: N/A
• Integration/channel (if any): Control UI / gateway doctor RPC
• Relevant config (redacted): default memory workspace layout

Steps

1. Open Dreams.
2. Navigate the diary with the timeline/heatmap.
3. Trigger Backfill and Reset from Scene.

Expected

• diary renders in 3 columns with navigation
• controls call the right gateway methods and reload state

Actual

• Matches expected in focused UI/gateway tests.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

• Verified scenarios: diary navigation/rendering, scene action control loop, doctor action endpoints.
• Edge cases checked: loading state, navigation token warnings already covered by existing browser tests.
• What you did not verify: manual screenshot attachment in this draft.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps:

Risks and Mitigations

• Risk: UI and doctor action surface could drift from the grounded backfill lane if the CLI side changes later.
  • Mitigation: this PR is stacked directly on the backfill foundation PR and has focused controller/server tests for the action loop.

[aisle-research-bot]

🔒 Aisle Security Analysis

We found 4 potential security issue(s) in this PR:

#	Severity	Title
1	🟠 High	Sensitive memory snippets and absolute paths exposed via doctor.memory.status to READ-scope clients
2	🟠 High	Symlink-following arbitrary file overwrite via DREAMS.md backfill/reset writes
3	🟠 High	Symlink traversal enables arbitrary file read/write via dream diary backfill/reset
4	🟡 Medium	Unbounded dream diary backfill can exhaust CPU/memory/disk (server-side DoS)

1. 🟠 Sensitive memory snippets and absolute paths exposed via `doctor.memory.status` to READ-scope clients

Property	Value
Severity	High
CWE	CWE-200
Location	src/gateway/server-methods/doctor.ts:396-418

Description

The doctor.memory.status handler now returns detailed lists of short-term memory store entries, including potentially sensitive snippet text and path values.

• Input/source: loadDreamingStoreStats() reads the on-disk short-term memory store JSON and copies entry.snippet / entry.summary and entry.path into the response payload.
• Exposure: doctor.memory.status is categorized under READ_SCOPE (see src/gateway/method-scopes.ts), so any client/token with read access can retrieve these details.
• Impact: Memory snippets can contain PII/secrets (e.g., user preferences, names, travel details). Additionally, normalizeMemoryPath() does not strip absolute paths (it only normalizes slashes and removes leading ./), so if entry.path is absolute (or includes workspace prefixes), the response can leak filesystem layout.

Vulnerable code:

const snippet =
  normalizeTrimmedString(entry.snippet) ??
  normalizeTrimmedString(entry.summary) ??
  normalizeMemoryPath(entryPath);

const detail: DoctorMemoryDreamingEntryPayload = {
  key: entryKey,
  path: normalizeMemoryPath(entryPath),
  ...
  snippet,
};

This detail object is included in the doctor.memory.status response as dreaming.shortTermEntries, dreaming.signalEntries, and dreaming.promotedEntries.

Recommendation

Restrict or redact sensitive fields in doctor.memory.status.

Access control options

• Move doctor.memory.status (or at least the entry lists) behind a stronger scope (e.g., ADMIN_SCOPE) or require an explicit privileged flag.
• Alternatively, split into two methods: a low-privilege status endpoint (counts only) and a privileged endpoint for detailed entry inspection.

Data minimization/redaction

• Do not return snippet by default. Return only counts + opaque IDs/keys.
• If snippets are required for trusted admins, return a heavily redacted/preview form and ensure they cannot contain full raw memory text.

Path sanitization

• Ensure returned paths are workspace-relative and never absolute. For example:

function toWorkspaceRelativePath(workspaceDir: string, entryPath: string): string {
  const rel = path.posix.normalize(entryPath.replaceAll("\\", "/"));
  const ws = workspaceDir.replaceAll("\\", "/");
  return rel.startsWith(ws + "/") ? rel.slice(ws.length + 1) : path.posix.basename(rel);
}

Also consider adding tests that an absolute entry.path does not leak in the API response.

2. 🟠 Symlink-following arbitrary file overwrite via DREAMS.md backfill/reset writes

Property	Value
Severity	High
CWE	CWE-59
Location	extensions/memory-core/src/dreaming-narrative.ts:275-315

Description

The new doctor endpoints call writeBackfillDiaryEntries / removeBackfillDiaryEntries, which write to a path resolved as ${workspaceDir}/DREAMS.md (or dreams.md). The implementation uses fs.writeFile() directly on that path without defending against symlinks.

If an attacker can create/replace DREAMS.md inside the workspace with a symlink to another file on the filesystem, triggering backfill/reset will overwrite the symlink target with attacker-influenced content.

• Input/control: attacker-controlled workspace contents (ability to create DREAMS.md symlink) and the backfill/reset action.
• Sink: fs.writeFile(dreamsPath, ...) follows symlinks.

Vulnerable code:

const dreamsPath = await resolveDreamsPath(params.workspaceDir);
...
await fs.writeFile(dreamsPath, updated, "utf-8");

Recommendation

Harden writes against symlink attacks and make updates atomic.

• Open the file via a file descriptor with symlink-safe flags (platform permitting) and write through the fd.
• Or write to a newly-created temp file in the same directory and rename() it into place, while verifying the target is a regular file.
• Additionally, lstat() the target and refuse to write if it is a symlink.

Example (POSIX-focused) approach:

import { constants as fsConstants } from "node:fs";

const dreamsPath = await resolveDreamsPath(workspaceDir);
const st = await fs.lstat(dreamsPath).catch((e) => (e.code === "ENOENT" ? null : Promise.reject(e)));
if (st && !st.isFile()) throw new Error("Refusing to write non-regular DREAMS.md");
if (st && st.isSymbolicLink()) throw new Error("Refusing to follow symlink DREAMS.md");

const tmpPath = `${dreamsPath}.${process.pid}.tmp`;
await fs.writeFile(tmpPath, updated, { encoding: "utf-8", flag: "wx" });
await fs.rename(tmpPath, dreamsPath);

This prevents overwriting arbitrary symlink targets and reduces corruption risk from partial writes.

3. 🟠 Symlink traversal enables arbitrary file read/write via dream diary backfill/reset

Property	Value
Severity	High
CWE	CWE-22
Location	extensions/memory-core/src/rem-evidence.ts:1018-1054

Description

The dream diary backfill/reset flow follows symlinks within the workspace, allowing files outside workspaceDir to be read and/or overwritten.

Arbitrary file read (via previewGroundedRemMarkdown)

• collectMarkdownFiles() uses fs.stat() (follows symlinks) and adds any resolved .md file.
• previewGroundedRemMarkdown() then readFile()s those paths.
• The gateway handler passes inputPaths built from workspaceDir/memory/*.md. If an attacker can place a symlink such as workspaceDir/memory/2026-02-19.md -> /etc/passwd (or any readable file), the code will read the target and include processed content in the preview/backfill output.

Arbitrary file write (via writeBackfillDiaryEntries / removeBackfillDiaryEntries)

• resolveDreamsPath() constructs workspaceDir/DREAMS.md (or dreams.md) and later writeFile() is used.
• If DREAMS.md is a symlink to an arbitrary path outside workspaceDir, backfill/reset will overwrite that external target.

Vulnerable code paths include:

​// rem-evidence.ts
const stat = await fs.stat(resolved); // follows symlinks
...
const content = await fs.readFile(filePath, "utf-8");

​// dreaming-narrative.ts
const target = path.join(workspaceDir, name);
...
await fs.writeFile(dreamsPath, updated, "utf-8");

Recommendation

Constrain all reads/writes to real paths under workspaceDir and avoid following symlinks.

For reading input paths (backfill preview):

• Use lstat() to detect symlinks and either skip them or resolve them safely.
• Resolve realpath() and verify it is within workspaceDir before reading.

Example:

import fs from "node:fs/promises";
import path from "node:path";

async function assertInsideWorkspace(workspaceDir: string, candidate: string): Promise<string> {
  const wsReal = await fs.realpath(workspaceDir);
  const candReal = await fs.realpath(candidate);
  const rel = path.relative(wsReal, candReal);
  if (rel.startsWith("..") || path.isAbsolute(rel)) {
    throw new Error(`Path escapes workspace: ${candidate}`);
  }
  return candReal;
}

const st = await fs.lstat(resolved);
if (st.isSymbolicLink()) return; // or handle explicitly
const safePath = await assertInsideWorkspace(workspaceDir, resolved);
const content = await fs.readFile(safePath, "utf-8");

For writing DREAMS.md:

• Before writing, lstat() the destination and refuse to write if it is a symlink.
• Optionally, write to a temp file in the same directory and rename atomically.

const dreamsPath = await resolveDreamsPath(workspaceDir);
try {
  const st = await fs.lstat(dreamsPath);
  if (st.isSymbolicLink()) throw new Error("Refusing to write to symlinked DREAMS.md");
} catch (e) {
  if ((e as NodeJS.ErrnoException).code !== "ENOENT") throw e;
}
await fs.writeFile(dreamsPath, updated, "utf-8");

4. 🟡 Unbounded dream diary backfill can exhaust CPU/memory/disk (server-side DoS)

Property	Value
Severity	Medium
CWE	CWE-400
Location	src/gateway/server-methods/doctor.ts:847-878

Description

The doctor.memory.backfillDreamDiary handler performs an unbounded scan and render of all daily memory markdown files and then writes the rendered output into the dream diary, with no server-side limits.

• listWorkspaceDailyFiles() enumerates every memory/YYYY-MM-DD.md file in the workspace.
• The full list is passed to previewGroundedRemMarkdown(), which reads every file into memory and generates rendered markdown.
• The rendered markdown is split/filtered and then persisted via writeBackfillDiaryEntries(), potentially creating very large output and repeatedly rewriting the dreams file.
• The only apparent guard against repeated triggering is dreamDiaryActionLoading in the UI (client-side), which does not protect the server from repeated requests (e.g., via automation or another client).

Vulnerable code:

const sourceFiles = await listWorkspaceDailyFiles(memoryDir);
const grounded = await previewGroundedRemMarkdown({
  workspaceDir,
  inputPaths: sourceFiles,
});
...
const written = await writeBackfillDiaryEntries({
  workspaceDir,
  entries,
  timezone: remConfig.timezone,
});

Recommendation

Add server-side controls to cap work and prevent repeated expensive scans.

Suggested hardening (combine as appropriate):

1. Limit number of files and/or date range processed per request.

const MAX_BACKFILL_FILES = 365; // or configurable
const sourceFilesAll = await listWorkspaceDailyFiles(memoryDir);
const sourceFiles = sourceFilesAll.slice(-MAX_BACKFILL_FILES);

2. Enforce file size limits before reading/rendering.

const stat = await fs.stat(filePath);
if (stat.size > MAX_MD_BYTES) continue;

3. Rate limit / lock the action server-side (per-workspace), so concurrent/repeated calls cannot overlap.

4. Consider making the endpoint require an explicit, validated start/end parameter (or “last N days”) instead of scanning everything.

These measures reduce the risk of CPU/memory spikes and uncontrolled disk growth from large workspaces or repeated calls.

---

Analyzed PR: #63298 at commit 0a2ae66

_{Last updated on: 2026-04-08T18:36:05Z}

[greptile-apps]

Greptile Summary

This PR adds grounded diary navigation and controls to the Dreams UI: a timeline/heatmap navigator, three-column structured diary layout, scene-level Backfill/Reset buttons, and the two new doctor.memory.backfillDreamDiary / doctor.memory.resetDreamDiary gateway handlers that power them. The scope is well-contained — grounded extraction logic and live promotion are explicitly not changed.

The only finding is a P2 style issue: doctor.test.ts mocks the private internal module paths (src/rem-evidence.js, src/dreaming-narrative.js) rather than the public api.js barrel that doctor.ts now imports from. This is noted inline.

Confidence Score: 5/5

Safe to merge — all findings are P2 style/boundary concerns with no functional impact.

The only finding is a test mock path that targets private extension internals instead of the public api.js barrel. This violates the repo boundary rule and should be fixed, but it does not affect runtime correctness or test reliability today since api.ts is a pure re-export. All other logic — gateway handlers, controller actions, diary parsing, navigation rendering — is correct and well-tested.

src/gateway/server-methods/doctor.test.ts — mock paths should be updated to target api.js.

Vulnerabilities

No security concerns identified. The new backfill and reset gateway methods operate on workspace-local diary files only, are not exposed to untrusted input, and do not introduce new auth surfaces or secrets handling.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: src/gateway/server-methods/doctor.test.ts
Line: 39-46

Comment:
**Test mocks bypass the declared `api.js` boundary**

The tests mock the private internal modules `src/rem-evidence.js` and `src/dreaming-narrative.js`, but `doctor.ts` (updated in the second commit of this PR) now imports from `../../../extensions/memory-core/api.js`. Per the CLAUDE.md rule, "core tests must not deep-import bundled plugin internals such as a plugin's `src/**` files."

The tests still pass today only because `api.ts` is a pure re-export barrel. If the barrel ever adds wrapping, caching, or transformation, the mocks will silently continue targeting the wrong module. The mock paths should point to `../../../extensions/memory-core/api.js`:

```ts
vi.mock("../../../extensions/memory-core/api.js", () => ({
  previewGroundedRemMarkdown,
  writeBackfillDiaryEntries,
  removeBackfillDiaryEntries,
}));
```

**Context Used:** CLAUDE.md ([source](https://app.greptile.com/review/custom-context?memory=fd949e91-5c3a-4ab5-90a1-cbe184fd6ce8))

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "ui: consume grounded diary helpers via m..." | Re-trigger Greptile}

[greptile-apps]

Test mocks bypass the declared api.js boundary

The tests mock the private internal modules src/rem-evidence.js and src/dreaming-narrative.js, but doctor.ts (updated in the second commit of this PR) now imports from ../../../extensions/memory-core/api.js. Per the CLAUDE.md rule, "core tests must not deep-import bundled plugin internals such as a plugin's src/** files."

The tests still pass today only because api.ts is a pure re-export barrel. If the barrel ever adds wrapping, caching, or transformation, the mocks will silently continue targeting the wrong module. The mock paths should point to ../../../extensions/memory-core/api.js:

vi.mock("../../../extensions/memory-core/api.js", () => ({
  previewGroundedRemMarkdown,
  writeBackfillDiaryEntries,
  removeBackfillDiaryEntries,
}));

Context Used: CLAUDE.md (source)

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/gateway/server-methods/doctor.test.ts
Line: 39-46

Comment:
**Test mocks bypass the declared `api.js` boundary**

The tests mock the private internal modules `src/rem-evidence.js` and `src/dreaming-narrative.js`, but `doctor.ts` (updated in the second commit of this PR) now imports from `../../../extensions/memory-core/api.js`. Per the CLAUDE.md rule, "core tests must not deep-import bundled plugin internals such as a plugin's `src/**` files."

The tests still pass today only because `api.ts` is a pure re-export barrel. If the barrel ever adds wrapping, caching, or transformation, the mocks will silently continue targeting the wrong module. The mock paths should point to `../../../extensions/memory-core/api.js`:

```ts
vi.mock("../../../extensions/memory-core/api.js", () => ({
  previewGroundedRemMarkdown,
  writeBackfillDiaryEntries,
  removeBackfillDiaryEntries,
}));
```

**Context Used:** CLAUDE.md ([source](https://app.greptile.com/review/custom-context?memory=fd949e91-5c3a-4ab5-90a1-cbe184fd6ce8))

How can I resolve this? If you propose a fix, please make it concise.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e8de688b95

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Normalize grounded diary headings before persisting entries

This helper writes grounded markdown lines verbatim, but previewGroundedRemMarkdown emits section headers like ## What Happened. The Dreams UI parser drops #-prefixed lines, so real backfilled entries lose their section markers and never render in the new structured three-panel layout. The CLI backfill path already normalizes these headings; this server method should do the same to keep diary rendering consistent.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Mock memory-core through its public API seam

AGENTS.md (repo root) says core code/tests must not deep-import bundled plugin internals (src/**). This new mock block targets extensions/memory-core/src/... directly, coupling gateway tests to private plugin file layout and making unrelated plugin refactors break core tests. Mock the public extensions/memory-core/api.js surface instead.

Useful? React with 👍 / 👎.

[mbelinky]

Merged via squash.

• Prepared head SHA: 0a2ae66913af5735fba4891c3b4ebf29ba71b44f
• Merge commit: 66b824870d737b28013f760b9b8b313467d9c00f

Thanks @mbelinky!

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0a2ae66913

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Skip backfill write when no source memory files

doctor.memory.backfillDreamDiary always proceeds to writeBackfillDiaryEntries even if listWorkspaceDailyFiles returns no daily files, so entries can be empty here. writeBackfillDiaryEntries strips existing backfill blocks before rewriting, which means clicking Backfill with an empty/missing memory/ directory can silently delete previously backfilled diary entries instead of no-oping or reporting an error. Add an explicit empty-source guard before writing.

Useful? React with 👍 / 👎.