
docs(handoff): close Phase-17 — v0.5 hardening cycle (4 PRs merged)#47

Merged
h2devx merged 1 commit into develop from docs/v0.5-hardening-cycle-close on May 3, 2026

Conversation

@h2devx
Contributor

@h2devx h2devx commented May 3, 2026

Summary

Phase-17 close docs-only PR. Pattern matches PR #25 (Phase-12), #28 (Phase-13), #32 (Phase-14), #36 (Phase-15), #42 (Phase-16) — each cycle/phase ends with a docs-only PR synthesizing the closure.

What Phase-17 delivered

v0.5 defensive hardening cycle — 4 incremental PRs squash-merged to `develop`:

| # | PR | Warning | Fix |
|---|----|---------|-----|
| 1 | #43 | W-3.5-SEC-M2 | chmod 0o600 on recall.db |
| 2 | #44 | W-3.5-SEC-M1 | atomic write+rename on .gitignore + writeConfig consolidated with CSPRNG suffix |
| 3 | #45 | W-3.5-SEC-L1 (partial) | redact absolute paths from DatabaseError messages → `details.path` + 4 new pino redact globs |
| 4 | #46 | W-3.1-SEC-M1 | configurable buffer cap on StdioJsonRpcServer (default 10 MiB) + env var override + transport closure on overflow |

Zero security-auditor rejections (4 APPROVED WITH OBSERVATIONS). 1 CI round-trip in PR-2 for a trivial S7735 negated-condition fix. 36 new VALOR-asserting tests consolidated, 5+1 EXIT=0 green in each PR, SonarQube quality gate PASSED in each PR.

Key finding tracked: W-3.5-SEC-L2 follow-up

PR #45's security-auditor revealed that W-3.5-SEC-L1 is NOT categorically closed — only closed for DatabaseError. 9+ Error factories in workspace/secrets/curator modules still interpolate `rootPath`/`startPath`/`hookPath` into `message`, and they flow to the wire JSON-RPC via `error-mapper.ts` Tier 3.5. Same leak pattern, also flowing to MCP clients.

Affected files (tracked as W-3.5-SEC-L2 for next hardening cycle):

  • `workspace/infrastructure/errors/workspace-infrastructure-error.ts` (9 factories)
  • `workspace/application/errors/workspace-application-error.ts` (NoWorkspaceAtPathError)
  • `secrets/infrastructure/errors/foreign-hook-exists-error.ts`
  • `curator/infrastructure/errors/curator-infrastructure-error.ts` (scanFailed)

Recommendation: apply same `details: { path }` pattern across all error factories before v0.5 GA.

What this PR adds

Pure HANDOFF.md changes (212 insertions / 8 deletions):

  • §0: 6 rows updated (Fecha, Fase actual, Lineas codigo, Tests, Issues abiertos, Proximo paso).
  • §6.21: roadmap row 4 (defensive hardening) marked CLOSED in Phase-17.
  • §6.22 NEW: full Phase-17 cycle close section (decisions, sub-phases, detail per PR, consolidated observations table with 12 entries, 8 orchestrator decisions D-1701..D-1708, 5 durable lessons, repo state, next-action with 3 options for release).
  • Footer "Ultima actualizacion" updated to reflect Phase-17 closure.

State of repo post-merge

| Item | Value |
|------|-------|
| HEAD develop | `f23457e` (4 commits ahead of main) |
| HEAD main | `29371f8` (unchanged) |
| Tag latest | `v0.1.2` (unchanged) |
| npm dist-tags | `{ latest: '0.1.2', beta: '0.1.2-beta.6' }` (unchanged — Phase-17 publishes nothing) |
| Tests | 2588 passing in 212 files (+28 vs Phase-16 baseline) |
| Coverage | new 100% / overall 96.4% |
| Hardening warnings closed | 4/4 |
| Follow-ups tracked | 12 (1 medium W-3.5-SEC-L2 + 11 low/info) |
| Issues open | 0 |
| PRs open | 0 (after this merge) |

Test plan

  • No code changes — pure docs PR (HANDOFF.md only).
  • Pre-commit hooks no-op (no `code/src/` changes → typecheck not triggered).
  • CI required status check `ci`.
  • SonarQube quality gate (no source files affected).

Decision pending after merge

Cut `release/0.1.3-beta.0` now or later?

Recommendation: Option A aligns with project's historical cadence. Final call belongs to the human.

🤖 Generated with Claude Code
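The W-3.5-SEC-L2 leak pattern and the `details: { path }` fix recommended above, as an added illustration that is not the project's code: the two error classes, the `toWireError` mapper and the `"[Redacted]"` censor are hypothetical stand-ins for the real factories, `error-mapper.ts` Tier 3.5 and the pino redact globs, and the sample path is constructed.

```typescript
// Added illustration (not the project's code): a path-leaking error factory
// beside the `details: { path }` pattern, and a hypothetical wire mapper that
// redacts the structured field before it can reach an MCP client.

// "Before": the absolute path is interpolated into `message`, so every
// consumer that serializes the error (mapper, logs, clients) receives it.
class LeakyNoWorkspaceError extends Error {
  constructor(rootPath: string) {
    super(`No workspace found at ${rootPath}`);
    this.name = "LeakyNoWorkspaceError";
  }
}

// "After": `message` is path-free; the path lives in structured `details`,
// which gives redaction a single choke point instead of string surgery.
class NoWorkspaceError extends Error {
  readonly details: { path: string };
  constructor(rootPath: string) {
    super("No workspace found at the configured root");
    this.name = "NoWorkspaceError";
    this.details = { path: rootPath };
  }
}

interface JsonRpcError {
  code: number;
  message: string;
  data?: Record<string, unknown>;
}

// Keys whose values must never leave the process; "[Redacted]" mirrors
// pino's default censor string for a matching redact glob.
const REDACTED_KEYS = new Set(["path", "rootPath", "startPath", "hookPath"]);

// Hypothetical stand-in for error-mapper.ts: copies `message` as-is (which is
// why the leaky class still leaks) and censors sensitive `details` keys.
function toWireError(err: Error & { details?: Record<string, unknown> }): JsonRpcError {
  const data: Record<string, unknown> = {};
  for (const [key, value] of Object.entries(err.details ?? {})) {
    data[key] = REDACTED_KEYS.has(key) ? "[Redacted]" : value;
  }
  return { code: -32000, message: err.message, data };
}

// Regression check a test suite can assert on: does the serialized wire
// error still contain the absolute path anywhere?
function wireLeaksPath(wire: JsonRpcError, absPath: string): boolean {
  return JSON.stringify(wire).includes(absPath);
}
```

The same `wireLeaksPath` check, run against every error factory in the affected modules, is the regression test that would keep W-3.5-SEC-L2 closed once the pattern is applied.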

Phase-17 v0.5 DEFENSIVE HARDENING CYCLE closed on develop. 4 incremental
PRs squash-merged:

- PR #43 (W-3.5-SEC-M2): chmod 0o600 on recall.db.
- PR #44 (W-3.5-SEC-M1): atomic write+rename on .gitignore + writeConfig
  consolidated with CSPRNG suffix.
- PR #45 (W-3.5-SEC-L1, partial): redact absolute paths from DatabaseError
  messages → details.path + 4 new globs in pino redact.
- PR #46 (W-3.1-SEC-M1): configurable buffer cap on StdioJsonRpcServer
  (default 10 MiB) + env var override + transport closure on overflow.

Zero security-auditor rejections (4 APPROVED WITH OBSERVATIONS).
1 CI round-trip in PR-2 for a trivial S7735 negated condition. 36 new
VALOR-asserting tests consolidated, 5+1 EXIT=0 green in each PR,
SonarQube quality gate PASSED in each PR.

12 observations consolidated for future cycles (1 medium
W-3.5-SEC-L2 — path leak in 9+ additional Error factories in workspace/
secrets/curator + 11 low/info follow-ups).

Updates HANDOFF.md:
- §0: 6 rows updated (Fecha, Fase actual, Lineas, Tests, Issues, Proximo paso).
- §6.21: roadmap row 4 marked CLOSED in Phase-17.
- §6.22 NEW: complete Phase-17 cycle close (human decisions + 4 sub-phases
  + detail per PR + consolidated observations + 8 orchestrator decisions
  + 5 durable lessons + repo state + concrete next action with
  3 release options).
- Footer "Ultima actualizacion".

NO release cut. Human decision pending on release/0.1.3-beta.0.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@h2devx h2devx merged commit 46c1826 into develop May 3, 2026
1 check passed
@h2devx h2devx deleted the docs/v0.5-hardening-cycle-close branch May 3, 2026 17:35