v1.9.0

Added

• Fail→success pattern mining: SessionEnd mines error→success tool-call pairs from the session transcript into linked error/pattern graph memories joined by a RESOLVES edge (items_pattern sidecar, migration 0016). Mined error text and tool args are passed through best-effort secret redaction before storage (raw text still feeds the fingerprint, so dedup is unaffected); the SessionEnd envelope reports a patterns_redacted count. Additive, non-blocking, embedder-free.
• recall --on-error: an error-shaped query boosts the RESOLVES-linked fix above the error node (retrieval.resolveOnErrorBonus, default 3.0). Under --on-error, pattern-type items are excluded from the FTS seed pool so a mined fix is reached only via the RESOLVES walk and the bonus fires deterministically. Promotes retrieval.freshnessExponent / retrieval.hopDecay from hardcoded constants to operator-tunable config reads.
• patterns list read verb and patterns.* config keys (patterns.enabled, patterns.pair_window_minutes (now >= 1), patterns.bash_target_tokens).
• Maintenance purge_legacy_stubs job now also reaps orphan items_content rows (content with no referencing item) so cosmetic-variant re-mines of the same logical error do not strand rows.
• Local pure-Go embedder (internal/embed): an opt-in intake.ModelAdapter.Embed that lights up the vector arm of recall, dark since launch (vec_index_map=0). Runs bge-small-en-v1.5 (384-dim, CLS-pooled + L2-normalized) via onnx-gomlx + the SimpleGo pure-Go backend — no CGO, no cloud, inference 100% local (only the one-time SHA256-pinned model acquisition touches the network). Gated by seeded embedder.{enabled,model,max_seq_tokens} keys (default off → byte-identical FTS-only behavior). Adds the missing knowledge-side items_vec write (shared memory.WriteItemVec, lifted from the codegraph indexer, which now embeds before its write tx for single-connection safety), a maintenance reindex --target {knowledge,code} [--dry-run] backfill emitting a reindex/BACKFILL_COMPLETE events row, and a core health "vec arm: live|stub" banner. No schema migration (items_vec is dimension-agnostic). The maintenance reindex envelope reports skipped_empty (candidate rows with an empty body are accounted for, not silently dropped), and the knowledge intake path skips embedding an empty/whitespace body so it agrees with the backfill's skip rule. The headless-LLM Extract arm stays stubbed (separate task).
• Automatic error-recall reflex (internal/recallonerror): an always-on PostToolUseFailure/Bash hook that, when a Bash command fails, recalls the RESOLVES-linked prior fix mined from your own history and injects it as additionalContext so it is in front of the model on the next turn. FTS-only recall (RunRecall(OnError:true), no embedder, NoRerank) gated by a per-error-fingerprint cooldown sentinel and a recall_on_error.min_score floor; the recalled fix is prefixed with an untrusted-input marker (treat-as-hint, not instruction). The hook ALWAYS exits 0 and emits {} on any fault — it never blocks or delays the tool. Seeded recall_on_error.{enabled,cooldown_seconds,min_score} keys (default true / 30 / 0.5). Every terminal decision (injected or suppressed_*) is appended to the new events.recall_on_error_log ledger (migration 0017); recall-on-error stats rolls the ledger up by outcome (json/text) and recall-on-error doctor --error <text> reports the candidate pattern + score + would-inject for min_score calibration. The query is FTS5-escaped (raw stderr metacharacters would otherwise break items_fts MATCH), and pattern detection is by items_pattern sidecar presence (walked RESOLVES nodes carry no type).

Security

• Pattern-mining redaction now masks compound OAuth credential keys (client_secret, refresh_token, and any *_secret/*_token/*_key form) that previously leaked through unmasked, plus JWTs and Authorization: Basic headers. The HTTP-Basic rule is anchored to the auth header so it does not over-mask the common adjective "basic".

Fixed

• Pattern mining writes each pair's error node, pattern node (with its sidecar), and RESOLVES edge in a single transaction, so a mid-pair failure no longer strands a half-written pair — previously the walk-critical edge committed outside any transaction.
• SessionEnd pattern-mining failures now emit a WARN/PATTERNS_FAILED row to the unified events log under the patterns source (matching the subsystem spec), and the PATTERNS_MINED success event is filed under patterns rather than hooks.
• A transcript line larger than the 4 MB cap is now drained-and-skipped rather than aborting the whole scan (a single giant tool result no longer costs a session's patterns), and the SessionEnd envelope reports patterns_lines_malformed / patterns_decode_degraded so silent reader-side drops are diagnosable. A typo'd patterns.enabled value is logged before falling open.