docs(handoff): close Phase-12 — post-publish smoke + B-MCP-7 + flow lessons#25

Merged: h2devx merged 1 commit into develop from docs/handoff-phase-12-post-publish on May 2, 2026

@h2devx h2devx commented May 2, 2026

What changes

Updates HANDOFF.md to reflect the post-publish state of
`@netzi/recall@0.1.2-beta.3` and the discovery of B-MCP-7
(issue #24) during the smoke. The document is ready for the next
session (Claude or human) to get into context without overhead.

Why

The following needed to be documented:

  1. Phase-12 closed: package published to npm beta, the smoke
    validated the 4 Phase-11 fixes (B-MCP-2/3/4/5) end-to-end
    against the real dogfood DB.
  2. B-MCP-7, a new bug discovered in the smoke (the worker burns
    retries during fastembed cold-start). Fix planned in
    `v0.1.2-beta.4`.
  3. 2 flow violations that I committed during Phase-12 (commit to
    main by mistake x2, manual SQL UPDATE on the dogfood DB).
    Both are already documented as durable findings; the user
    proposed configuring pre-commit hooks in `.claude/settings.json`
    per-repo via the `update-config` skill to prevent them in the
    future.
  4. Inaccuracy in HANDOFF Phase-10: the note that said "push
    directo permitido a maintainers" on develop was empirically
    incorrect; the branch protection with strict status check
    blocks direct push. Corrected in §0 + §6.17 finding 1.

Type of change

  • docs — HANDOFF.md only, no code

Changes

  • §0 status table: 8 rows updated (date, current phase, package,
    status, open issues, memory, repo, next step) + new
    "Workflow Claude" row, pending.
  • §6.17 NEW: 9 chronological sub-phases, decisions D-1201..D-1210
    (explicitly includes the 2 flow violations), 8 durable
    findings.
  • §7 "Como retomar el trabajo": sample prompt updated for the
    next session (focus on B-MCP-7 + workflow setup).
  • §8 "Bloqueadores activos": table updated with B-MCP-7 as the
    only blocker, "Caveat sobre la suite de tests" rewritten.
  • Footer timestamp updated.

Checklist

  • HANDOFF.md only (no source files)
  • No npm/build needed (docs-only)
  • N/A — MCP wire/protocol does not change
  • N/A — does not introduce an ADR

Notes for the reviewer

This PR is non-blocking for the next piece of work (B-MCP-7
fix). You can merge whenever you want, or afterwards. I am submitting
it as a PR to develop (not main) because it is an incremental doc
update, not part of the release.

… + flow lessons)

Updates the HANDOFF for the next session pickup:

§0 Status table:
- Date moved to 2026-05-01 noche (post-Phase-12).
- "Estado del release" reflects @netzi/recall@0.1.2-beta.3 PUBLISHED
  in npm beta channel; smoke against the dogfood DB confirmed
  B-MCP-2 (mem.health real), B-MCP-3 (worker started), B-MCP-4
  (migration 008 applied, schema_version=8), B-MCP-5 (shipped).
- "Issues abiertos": 0 -> 1 (B-MCP-7 #24).
- "Memoria propia": notes the queue is in mixed state
  (32 attempts=0 + 32 attempts=5 perma-failed by B-MCP-7), and
  documents the flow violation of running manual UPDATE during
  smoke (must implement `recall reset-queue` instead).
- "Repositorio GitHub": corrects the inaccurate Phase-10 note that
  said "push directo permitido a maintainers" on develop. Empirically
  the strict status check blocks direct push.
- "Workflow Claude": new row noting the user proposed configuring
  PreToolUse hooks in `.claude/settings.json` per-repo via the
  update-config skill, decision pending.

§6.17 Phase-12 (NEW):
- Chronology: PR #21 release merged → audit found stale READMEs →
  hotfix PR #23 → re-tag v0.1.2-beta.3 to new HEAD → PR #22 sync
  develop ← main (with conflicts resolved via --theirs) → user ran
  npm publish → smoke validated 4 fixes + discovered B-MCP-7.
- Decisions D-1201..D-1210, including the two flow violations
  (D-1208 manual SQL UPDATE on dogfood DB; D-1209 two accidental
  commits to main, blocked by branch protection).
- 8 durable findings, including: tag re-creation safety
  pre-publish, fastembed cacheDir defaults, FlagEmbedding.init()
  takes ~4.3s even with cache present (so pre-warm alone does NOT
  fix B-MCP-7), dogfood DB is a critical QA asset.

§7 "Como retomar el trabajo":
- Sample prompt for next Claude session: focus on B-MCP-7 + workflow
  setup, codifies the durable rules (no worktrees, no manual SQL,
  always `git branch --show-current` first).
- Tests count updated 2501 → 2519 in 208 files.
- Release notes pointer updated v0.1.2-beta.0 → v0.1.2-beta.3.

§8 "Bloqueadores activos":
- Replaced the old 4-bug table (all closed) with the single B-MCP-7
  row + recommended fix (Option A typed error union + Option C
  `recall reset-queue`).
- Updated "Caveat sobre la suite de tests" to explain why
  L-embedding-worker-drains missed B-MCP-7 (uses StubRawEmbedder
  which returns sync, doesn't simulate cold-start).

Footer timestamp updated.

No source files touched. No npm/build needed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@h2devx h2devx merged commit 29fddf1 into develop May 2, 2026
1 check passed
@h2devx h2devx deleted the docs/handoff-phase-12-post-publish branch May 2, 2026 02:44
h2devx added a commit that referenced this pull request May 2, 2026
…ated B-MCP-8 fix end-to-end (#36)

## Summary

Standard phase-close docs PR (pattern:
[#25](#25),
[#28](#28),
[#32](#32)). Updates HANDOFF.md
§0 + §6.20 + footer to reflect Phase-15 fully closed end-to-end.

## What Phase-15 delivered (all already shipped)

- [PR #33](#33) — B-MCP-8 fix
(always-include-top-hit + continue-not-break + default max_tokens
4000→8000).
- [PR #34](#34) — release
v0.1.2-beta.5 to main with conflict resolution (--ours).
- Tag `v0.1.2-beta.5` → `4a281f0` + GitHub pre-release.
- `npm publish --tag beta` (user, WebAuthn passkey).
- Smoke against dogfood DB: **2/2 PASS, 0 FAIL** —
`mem.recall("GitFlow")` returns `hits=2` (was 0 in beta.4);
`mem.recall("embedding worker async")` returns `hits=1` (was 0).
- [PR #35](#35) — merge-back
develop ← main with conflict resolution (--theirs).

## What this PR adds

Only HANDOFF.md changes (33 insertions, 30 deletions):

- §0: 10 rows updated to reflect post-publish reality (Fecha, Fase
actual, Paquete npm, Estado del release, Memoria propia, Proximo paso,
etc.).
- §6.20: sub-phases 5-9 marked complete with concrete outcomes (commit
SHAs, conflict resolution patterns, smoke results); new durable
lessons (#5 smoke script reusability, #6 wire output shape parsing, #7
conflict resolution symmetry); repo state post-Phase-15 with actual
SHAs and dist-tags; next concrete action refocused.
- Footer "Ultima actualizacion" updated to reflect end-to-end closure.

## Caveat tracked for next phase

`serverInfo.version` reported by the JSON-RPC handshake reads
`0.1.2-beta.3` even though the installed binary is beta.5. Confirmed in
smoke. Cosmetic only — needs `grep -rn "0.1.2-beta" code/src` to locate
hardcoded value before promoting to `release/0.1.2` stable.

## Test plan

- [x] No code changes — pure docs PR (HANDOFF.md only).
- [x] Hooks pre-commit no-op (no `code/src/` changes → typecheck not
triggered).
- [ ] CI green on this PR (typecheck + lint + lint:tests +
validate:modules + build + test:coverage + Sonar all pass over unchanged
source).
- [ ] Squash-merge to develop.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
h2devx added a commit that referenced this pull request May 3, 2026
…smoke 10/10 PASS (#42)

## Summary

Standard phase-close docs PR (pattern:
[#25](#25),
[#28](#28),
[#32](#32),
[#36](#36)). Updates HANDOFF.md
§0 + §6.21 + 3 new durable lessons + footer to reflect Phase-16 fully
closed end-to-end.

## What Phase-16 delivered (all already shipped)

- [PR #40](#40) — release v0.1.2
STABLE to main with conflict resolution (--ours).
- Tag `v0.1.2` → `29371f8` + GitHub release stable (NO prerelease).
- `npm publish` (user, WebAuthn passkey, NO `--tag beta` → published to
`latest`).
- `npm deprecate` 0.1.0 + 0.1.1 with messages pointing at `@latest`.
- Smoke fresh stable: **10/10 PASS** against `npx --yes
@netzi/recall@latest` in clean workspace `/tmp/recall-stable-smoke`.
`serverInfo.version === "0.1.2"` confirmed (no `-beta` suffix).
- [PR #41](#41) — merge-back
develop ← main with conflict resolution (--theirs). Develop and main
converged.

## What this PR adds

Only HANDOFF.md changes (30 insertions, 23 deletions):

- §0: 8 rows updated to reflect post-publish + post-merge-back reality
(Fecha, Fase actual, Paquete npm, Estado del release, Memoria propia,
Issues, Próximo paso, etc.).
- §6.21: sub-phases 9-15 marked complete with concrete outcomes
(squash-merge SHAs, smoke results, dist-tags, deprecate final messages);
repo state post-Phase-16 with actual SHAs and dist-tags.
- 3 new durable lessons: (5) `npm view dist-tags` local cache does not
honor TTL — use `--prefer-online`; (6) `npm deprecate` with a target
hardcoded to a specific version ages badly — always point to `@latest`;
(7) "1 bug per beta" in the 0.1.2-beta.* cycle is an observed pattern,
not a guarantee for future 0.1.3-beta.*.
- Footer "Ultima actualizacion" updated to reflect end-to-end closure.

## npm registry state confirmed

```
$ npm view @netzi/recall dist-tags
{ latest: '0.1.2', beta: '0.1.2-beta.6' }

$ npm view @netzi/recall@0.1.0 deprecated
Critical bug B-MCP-1 (Phase-7) — all MCP tools fail with real clients. Use @netzi/recall@latest...

$ npm view @netzi/recall@0.1.1 deprecated
Bugs B-MCP-2..8 surfaced via dogfood — closed in 0.1.2. Use @netzi/recall@latest...
```

## Test plan

- [x] No code changes — pure docs PR (HANDOFF.md only).
- [x] Hooks pre-commit no-op (no `code/src/` changes → typecheck not
triggered).
- [ ] CI green on this PR (typecheck + lint + lint:tests +
validate:modules + build + test:coverage + Sonar all pass over unchanged
source).
- [ ] Squash-merge to develop.

After this merges, the cycle `0.1.2-beta.*` + `0.1.2` stable + Phase-16
follow-up docs is fully closed end-to-end. Next session inherits an
accurate HANDOFF reflecting the published state.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
h2devx added a commit that referenced this pull request May 3, 2026
)

## Summary

Phase-17 close docs-only PR. Pattern matches PR #25 (Phase-12), #28
(Phase-13), #32 (Phase-14), #36 (Phase-15), #42 (Phase-16) — each
cycle/phase ends with a docs-only PR synthesizing the closure.

## What Phase-17 delivered

**v0.5 defensive hardening cycle** — 4 incremental PRs squash-merged to
`develop`:

| # | PR | Warning | Fix |
|---|---|---|---|
| 1 | [#43](#43) | W-3.5-SEC-M2 | chmod 0o600 on recall.db |
| 2 | [#44](#44) | W-3.5-SEC-M1 | atomic write+rename on .gitignore + writeConfig consolidated with CSPRNG suffix |
| 3 | [#45](#45) | W-3.5-SEC-L1 (partial) | redact absolute paths from DatabaseError messages → `details.path` + 4 new pino redact globs |
| 4 | [#46](#46) | W-3.1-SEC-M1 | configurable buffer cap on StdioJsonRpcServer (default 10 MiB) + env var override + transport closure on overflow |

Zero security-auditor rejections (4 APPROVED WITH OBSERVATIONS). 1 CI
round-trip in PR-2 over S7735 negated condition trivial fix. 36 new
VALOR-asserting tests consolidated, 5+1 EXIT=0 green in each PR,
SonarQube quality gate PASSED in each PR.

## Key finding tracked: W-3.5-SEC-L2 follow-up

PR #45's security-auditor revealed that **W-3.5-SEC-L1 is NOT
categorically closed** — only closed for DatabaseError. **9+ Error
factories in workspace/secrets/curator modules** still interpolate
`rootPath`/`startPath`/`hookPath` into `message`, and they flow
to the wire JSON-RPC via `error-mapper.ts` Tier 3.5. Same leak
pattern, also flowing to MCP clients.

Affected files (tracked as W-3.5-SEC-L2 for next hardening cycle):
- `workspace/infrastructure/errors/workspace-infrastructure-error.ts` (9 factories)
- `workspace/application/errors/workspace-application-error.ts` (NoWorkspaceAtPathError)
- `secrets/infrastructure/errors/foreign-hook-exists-error.ts`
- `curator/infrastructure/errors/curator-infrastructure-error.ts` (scanFailed)

Recommendation: apply same `details: { path }` pattern across all
error factories before v0.5 GA.

## What this PR adds

Pure HANDOFF.md changes (212 insertions / 8 deletions):

- **§0**: 6 rows updated (Fecha, Fase actual, Lineas codigo, Tests,
Issues abiertos, Proximo paso).
- **§6.21**: roadmap row 4 (hardening defensivo) marked CLOSED in
Phase-17.
- **§6.22 NEW**: full Phase-17 cycle close section (decisions,
sub-phases, detail per PR, consolidated observations table with 12
entries, 8 orchestrator decisions D-1701..D-1708, 5 durable lessons,
repo state, next-action with 3 options for release).
- **Footer** "Ultima actualizacion" updated to reflect Phase-17 closure.

## State of repo post-merge

| Item | Value |
|---|---|
| HEAD develop | `f23457e` (4 commits ahead of main) |
| HEAD main | `29371f8` (unchanged) |
| Tag latest | `v0.1.2` (unchanged) |
| npm dist-tags | `{ latest: '0.1.2', beta: '0.1.2-beta.6' }` (unchanged — Phase-17 publishes nothing) |
| Tests | 2588 passing in 212 files (+28 vs Phase-16 baseline) |
| Coverage | new 100% / overall 96.4% |
| Hardening warnings closed | 4/4 |
| Follow-ups tracked | 12 (1 medium W-3.5-SEC-L2 + 11 low/info) |
| Issues open | 0 |
| PRs open | 0 (after this merge) |

## Test plan

- [x] No code changes — pure docs PR (HANDOFF.md only).
- [x] Hooks pre-commit no-op (no `code/src/` changes → typecheck not
triggered).
- [x] CI required status check `ci`.
- [x] SonarQube quality gate (no source files affected).

## Decision pending after merge

**Cut `release/0.1.3-beta.0` now or later?**

- **Option A** — cut now with 4 hardening fixes alone (Phase-9/12/14
cooling pattern: ship beta, dogfood real, fix what surfaces).
- **Option B** — accumulate more changes (item #1 multi-key envelope,
item #3 perf hardening, item #5 swap embedder) before next release.
- **Option C** — defer release until a real bug surfaces in 0.1.2 stable
("first new bug + feature plus" pattern from §6.21).

Recommendation: Option A aligns with project's historical cadence. Final
call belongs to the human.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
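
The W-3.5-SEC-L1/L2 pattern named in the Phase-17 commit message above, as an added example that is not code from this repository: an error factory that interpolates a path into `message`, the same factory using `details: { path }`, and a regression check on the JSON-RPC payload. All class, function and constant names, the mapper shape and the sample path are assumptions.

```typescript
// Added illustration; hypothetical names, not the @netzi/recall source.
type ErrorDetails = Record<string, string>;

class AppError extends Error {
  readonly code: string;
  readonly details: ErrorDetails; // local-only context for logs
  constructor(code: string, message: string, details: ErrorDetails = {}) {
    super(message);
    this.name = "AppError";
    this.code = code;
    this.details = details;
  }
}

// Before: the absolute path is interpolated into `message`.
function noWorkspaceLeaky(startPath: string): AppError {
  return new AppError("NO_WORKSPACE", `No workspace found at ${startPath}`);
}

// After: static message; the path moves to `details.path`.
function noWorkspaceRedacted(startPath: string): AppError {
  return new AppError("NO_WORKSPACE", "No workspace found at the given path", { path: startPath });
}

interface WireError {
  code: number;
  message: string;
  data: { code: string };
}

// Assumed mapper shape: forwards `message` and the error code, drops `details`.
function toWireError(err: AppError): WireError {
  return { code: -32000, message: err.message, data: { code: err.code } };
}

// Matches an absolute POSIX path (two or more segments) or a Windows drive path.
const ABSOLUTE_PATH = /(^|[\s"'(=:])(\/[^\s"']+\/[^\s"']+|[A-Za-z]:\\[^\s"']+)/;

// Regression check for tests: true when the serialized payload contains a path.
function leaksAbsolutePath(wire: WireError): boolean {
  return ABSOLUTE_PATH.test(JSON.stringify(wire));
}

// Constructed sample input.
const SAMPLE_PATH = "/home/alice/projects/app";
const leakyWire = toWireError(noWorkspaceLeaky(SAMPLE_PATH));
const redactedWire = toWireError(noWorkspaceRedacted(SAMPLE_PATH));
console.log(leaksAbsolutePath(leakyWire), leaksAbsolutePath(redactedWire));
```

Running a check like `leaksAbsolutePath` over every factory's wire output in one table-driven test catches a factory that was missed, which is the gap the W-3.5-SEC-L2 follow-up describes.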