feat: Phases 2-5 + 8a/8b/8c/8d — dashboard, self-learning, consistency, documents

[thebtf]

Summary

Massive roadmap implementation: 40+ tasks across 6 phases.

Phase 2: Dashboard Frontend

• Bulk ops (delete/scope/tag) with confirmation dialogs
• Tag cloud sidebar with clickable filters
• Per-token usage stats
• Auth-disabled warning badge
• Vault encryption setup helper

Phase 3: Self-Learning

• Injection floor (min 3 observations always injected)
• Cross-session priming (1.3x boost for recent sessions)
• Per-project adaptive relevance threshold (project_settings table)
• Feedback→threshold adjustment loop
• Dedup threshold raised 0.55→0.7
• Manual search feedback signal

Phase 4: MCP Tools (already merged in PR #58)

Phase 5: Deployment

• install.sh --client-only default
• DEPLOYMENT.md naming fix

Phase 8a: Consistency Engine

• Orphan vector cleanup, missing vector detection
• Stale relation cleanup, FalkorDB drift detection
• Embedding model change detection (system_config table)

Phase 8b: Knowledge Graph

• Intentional links [[obs:1234]] parser
• File→observation graph edges
• GetCluster method in GraphStore

Phase 8c: Causal Linking

• LLM causal classifier (fixed_by/corrects)
• Wired into Detect() for bugfix/guidance types

Phase 8d: Document Storage

• Migration 051: documents + document_comments tables
• VersionedDocumentStore CRUD (7 methods)

Test plan

• go build ./... passes
• Dashboard bulk ops functional (manual walkthrough)
• Tag cloud shows tags from /api/observations/tag-cloud
• Injection floor: search with no matches still returns 3 observations
• Maintenance cycle runs without errors

Summary by CodeRabbit

Release Notes

• Новые возможности

  • Управление версиями документов с поддержкой комментариев
  • Адаптивные пороги релевантности для проектов
  • Усиление поиска на основе активных сессий
  • Облако тегов с фильтрацией наблюдений
  • Массовые операции: удаление, изменение области видимости, добавление тегов
  • Классификация причинно-следственных связей между наблюдениями
  • Статистика использования токенов
  • Поддержка шифрования хранилища

• Улучшения

  • Оптимизированные алгоритмы поиска и инъекции контекста
  • Автоматическое обнаружение изменений модели встраивания

• Документация

  • Обновлены инструкции развёртывания

[coderabbitai]

Описание

Обновления включают расширение системы хранения с новыми хранилищами для управления версионированными документами, параметрами проектов и отношениями наблюдений; добавление адаптивного порога релевантности на уровне проекта, повышение оценки на основе сеансов, логики минимального порога инъекции; введение классификации причинно-следственных связей на основе LLM; расширение миграций БД для трёх новых таблиц; обновления обработчиков работника для контекстного поиска и утилит наблюдений; улучшения интерфейса пользователя для наблюдений, токенов и вилки.

Изменения

Когорта / Файлы	Резюме
Документация и развёртывание docs/DEPLOYMENT.md	Обновлены инструкции Docker для использования имени образа/контейнера engram-server вместо cmplus-server.
Конфигурация internal/config/config.go	Увеличен порог дедупликации сходства с 0,55 до 0,7; добавлены новые поля InjectionFloor (по умолчанию 3) и SessionBoost (по умолчанию 1,3) с поддержкой переменных окружения.
Миграции БД internal/db/gorm/migrations.go	Добавлены три миграции: 049 для таблицы project_settings, 050 для system_config (хранилище ключ-значение), 051 для версионированных документов с таблицами documents и document_comments.
Вспомогательные функции БД internal/db/gorm/helpers.go	Экспортированы функции преобразования ToModelObservation и ToModelRelations для доступа из других пакетов.
Хранилище параметров проекта internal/db/gorm/project_settings_store.go	Новое хранилище GORM для управления параметрами проекта: получение/корректировка адаптивного порога релевантности с фиксацией в диапазон [0,1, 0,8] и инкрементированием счётчика обратной связи.
Хранилище наблюдений internal/db/gorm/observation_store.go	Добавлены методы GetRecentSessionIDs для получения активных сеансов и GetTopImportanceObservations для выборки наблюдений по важности.
Хранилище версионированных документов internal/db/gorm/versioned_document_store.go	Новое хранилище для управления версионированными документами с методами создания, чтения (последняя версия/конкретная версия/история), перечисления и управления комментариями к документам.
Граф отношений internal/graph/store.go, internal/graph/falkordb/client.go, internal/graph/noop.go	Добавлен новый метод интерфейса GetCluster для получения наблюдений в одном кластере с использованием BFS-обхода на глубину до 3 шагов; реализовано в FalkorDB и Noop хранилищах.
Обслуживание internal/maintenance/service.go	Расширены задачи обслуживания (10–14): удаление невостребованных векторов, переиндексация наблюдений без встроений, удаление устаревших отношений, обнаружение дрейфа графика, отслеживание изменений модели встроений; добавлены новые зависимости и метод IsEmbeddingModelChanged().
Классификация причинно-следственных связей internal/relation/causal_classifier.go	Новая система для классификации отношений между наблюдениями на основе LLM с поддержкой меток fixed_by, corrects, unrelated; применяется только к типам ObsTypeBugfix и ObsTypeGuidance.
Обнаружение отношений internal/relation/detector.go	Расширено для поддержки парсинга ссылок в нарративе (формат [[obs:<id>]]), создания рёбер на основе файлов и интеграции LLM-классификации причинно-следственных связей для топ-3 кандидатов.
Поиск и менеджер internal/search/manager.go	Добавлена функция ApplySessionBoost для повышения оценок на основе недавних сеансов; новые методы для установки и получения адаптивного порога релевантности на уровне проекта.
Обработчики работника (контекст и оценка) internal/worker/handlers_context.go, internal/worker/handlers_scoring.go	Введены адаптивный порог поиска на уровне проекта, повышение на основе сеансов и логика минимального порога инъекции в контекстном поиске; добавлена корректировка порога в обработчике утилит наблюдений.
Сервис работника internal/worker/service.go	Добавлено новое поле projectSettingsStore; расширена инициализация обслуживания новыми зависимостями; интеграция параметров проекта с поиском.
Скрипты установки scripts/install.sh	Добавлена поддержка режимов установки (client-only по умолчанию, --full для полной установки); сервер устанавливается только в режиме full.
Интерфейс (боковая панель) ui/src/components/layout/AppSidebar.vue	Добавлена проверка отключённой аутентификации при монтировании компонента; условное скрытие раздела "токены" и отображение предупреждающего значка.
Интерфейс (наблюдения) ui/src/views/ObservationsView.vue	Расширена поддержка массовых действий (архивирование, удаление, изменение области, добавление тегов); добавлено облако тегов с фильтрацией и выбор нескольких действий через встроенный ввод.
Интерфейс (система) ui/src/views/SystemView.vue	Добавлена поддержка статуса хранилища ключей; новый раздел с инструкциями и кнопкой для копирования команды настройки в буфер обмена.
Интерфейс (токены) ui/src/views/TokensView.vue	Введена ленивая загрузка статистики токенов (количество запросов, время последнего использования) с кнопкой "Загрузить статистику" для каждого токена.
Плагин (обработчик остановки) plugin/engram/hooks/stop.js	Добавлено обнаружение недостаточной инъекции по вызовам функций поиска engram и отправка сигнала обратной связи в конце обработки остановки.

Диаграммы последовательности

sequenceDiagram
    participant Client
    participant SearchMgr
    participant ProjectSettings
    participant ObservationStore
    participant Database
    
    Client->>SearchMgr: HandleSearchByPrompt(project)
    SearchMgr->>ProjectSettings: GetProjectThreshold(project)
    ProjectSettings->>Database: Query threshold
    Database-->>ProjectSettings: threshold value
    ProjectSettings-->>SearchMgr: adaptive threshold
    
    SearchMgr->>ObservationStore: GetRecentSessionIDs(project, 2h ago)
    ObservationStore->>Database: Query active sessions
    Database-->>ObservationStore: session IDs
    ObservationStore-->>SearchMgr: map[string]bool
    
    SearchMgr->>SearchMgr: ApplySessionBoost(scores, sessionIDs)
    SearchMgr->>ObservationStore: GetTopImportanceObservations(project)
    ObservationStore->>Database: Query by importance
    Database-->>ObservationStore: observations
    ObservationStore-->>SearchMgr: []*Observation
    
    SearchMgr-->>Client: results with adaptive threshold & session boost

Loading

sequenceDiagram
    participant RelationDetector
    participant CausalClassifier
    participant LLMClient
    participant RelationStore
    participant Database
    
    RelationDetector->>RelationDetector: ParseObservationReferences(narrative)
    RelationDetector->>RelationStore: StoreRelation(references)
    RelationStore->>Database: Insert edge
    
    RelationDetector->>RelationDetector: ParseFileEdges(files_modified)
    RelationDetector->>RelationStore: StoreRelation(modifies)
    RelationStore->>Database: Insert edge
    
    alt Should Classify (BugFix or Guidance)
        RelationDetector->>CausalClassifier: ClassifyPair(obsA, obsB)
        CausalClassifier->>LLMClient: Complete(prompt)
        LLMClient-->>CausalClassifier: response text
        CausalClassifier->>CausalClassifier: ParseLabel(response)
        CausalClassifier-->>RelationDetector: label (fixed_by/corrects/unrelated)
        RelationDetector->>RelationStore: StoreRelation(causal type)
        RelationStore->>Database: Insert causal edge
    end

Loading

Оценка сложности рецензирования

🎯 4 (Сложно) | ⏱️ ~60 минут

Возможно связанные PR

• PR #42: Модификация одного и того же файла миграций БД и расширение методов observation_store.go в обоих PR.
• PR #22: Изменение подсистемы обнаружения отношений с добавлением поддержки классификации и интеграции в хранилище GORM.
• PR #40: Модификация логики поиска и менеджера с вводом повышения оценок на основе сеансов и адаптивных порогов.

Рекомендуемые метки

ai-review:passed

Стихотворение

🐰 Документы теперь версийны и живут в почёте,
Проекты знают пороги — каждый в отчёте,
Сеансы поют в буста́х, файлы рождают рёбра,
Причины и следствия LLM раскрывает без отвёра,
От ядра к интерфейсу—адаптивность везде,
Engram растёт с размахом в цифровой беде! 🎉

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main objective by referencing the specific roadmap phases (2–5, 8a/8b/8c/8d) and key feature areas implemented in this changeset.
Docstring Coverage	✅ Passed	Docstring coverage is 87.50% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/self-learning-completion

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.3)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request delivers a substantial set of features across multiple phases of the roadmap, significantly enhancing the system's intelligence, maintainability, and user interface. It introduces advanced self-learning mechanisms, improves data consistency through new maintenance routines, expands the knowledge graph capabilities, and lays the foundation for versioned document storage and AI agent collaboration. The dashboard also receives usability upgrades with new bulk actions and filtering options.

Highlights

• Dashboard Frontend Enhancements: Implemented bulk operations (delete, scope, tag) for observations, added a clickable tag cloud sidebar for filtering, and introduced per-token usage statistics. A warning badge for disabled authentication was also added.
• Self-Learning Improvements: Introduced an injection floor to ensure a minimum number of observations are always injected, added cross-session priming to boost recent session observations, and implemented per-project adaptive relevance thresholds with a feedback adjustment loop. The deduplication similarity threshold was raised from 0.55 to 0.7.
• Deployment Updates: Modified the install.sh script to support --client-only and --full installation modes, and updated Docker image names in DEPLOYMENT.md to engram-server.
• Consistency Engine (Phase 8a): Added maintenance tasks for cleaning orphan vectors, detecting missing vectors, cleaning stale relations, detecting FalkorDB graph drift, and checking for embedding model changes.
• Knowledge Graph (Phase 8b): Implemented parsing for [[obs:1234]] intentional links in narratives and created file-to-observation graph edges for files_modified and files_read. A GetCluster method was added to the graph store.
• Causal Linking (Phase 8c): Introduced an LLM-based causal classifier to identify fixed_by and corrects relationships between bugfix/guidance observations.
• Document Storage (Phase 8d): Added new database migrations for documents and document_comments tables, along with a VersionedDocumentStore for CRUD operations on versioned documents.
• Vault Encryption Setup Helper: Added a UI helper in the System View to guide users through setting up vault encryption.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[thebtf]

@coderabbitai review

[thebtf]

@gemini-code-assist review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[thebtf]

@codex review

[gemini-code-assist]

Code Review

This pull request introduces significant enhancements across the system, focusing on improved data management, relation detection, and search relevance. Key changes include new database migrations for project-specific settings, system configuration, and versioned document storage with comments. The maintenance service gains new tasks for cleaning orphan vectors, detecting missing vectors, cleaning stale relations, detecting graph drift, and checking for embedding model changes. Relation detection is expanded to include intentional links in narratives and file-based graph edges, alongside a new LLM-based causal classifier for observation pairs. Search functionality is enhanced with session boosting, adaptive per-project relevance thresholds, and an injection floor to ensure a minimum number of results. The UI is updated to support new batch actions for observations, display vault encryption status, and show token usage statistics. Review comments highlight several areas for improvement, including handling database errors in GetThreshold to avoid masking issues, refactoring GetCluster to use parameterized queries to prevent SQL injection, ensuring error propagation in migration rollbacks, standardizing CreatedAt fields to time.Time in document stores, and consistently generating negative file node IDs in the relation detector to prevent collisions.

[gemini-code-assist]

Code Review

This pull request introduces several major features and improvements, including versioned document storage with comments, adaptive per-project relevance thresholds, and enhanced observation relationship detection using LLMs, intentional links, and file-based graph edges. The maintenance service now includes tasks for cleaning orphan vectors, detecting missing embeddings, cleaning stale relations, and monitoring graph drift and embedding model changes. Search functionality is improved with session boosting and an injection floor to ensure a minimum number of relevant results. The UI has been updated to support new batch actions for observations, a tag cloud for filtering, a vault encryption setup guide, and token usage statistics. A critical race condition was identified in the VersionedDocumentStore.Create method, where concurrent calls could lead to unique constraint violations due to non-atomic version number generation. Additionally, error handling in the 051_documents migration's Rollback function needs to be improved to ensure database consistency.

[coderabbitai]

Actionable comments posted: 4

Note

Due to the large number of review comments, Critical severity comments were prioritized as inline comments.

🟠 Major comments (18)

internal/relation/causal_classifier.go-13-21 (1)

13-21: ⚠️ Potential issue | 🟠 Major

Classifier выдаёт label'ы вне канонического RelationType.

Промпт на Lines 16-21 и parser на Lines 55-66 разрешают только fixed_by/corrects, но в pkg/models/relation.go из предоставленного контекста нет таких констант: канонический тип там fixes, а corrects не объявлен вовсе. Дальше internal/relation/detector.go просто приводит эту строку к models.RelationType, так что в граф уйдут неподдерживаемые значения. Здесь нужно либо перейти на vocabulary из модели, либо сначала расширить модель и всех потребителей новых relation type.

Also applies to: 54-67

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/relation/causal_classifier.go` around lines 13 - 21, The classifier
currently emits labels ("fixed_by", "corrects") that don't match the canonical
models.RelationType (which uses "fixes"), causing invalid relation values
downstream; update either the causalClassifierSystemPrompt labels to the exact
vocabulary in models.RelationType (e.g., "fixes" and "unrelated") or add a
deterministic mapping in the parser (the parsing code at ~Lines 55-66 in
causal_classifier.go) that translates "fixed_by" -> models.RelationType("fixes")
and "corrects" -> the appropriate canonical RelationType, and ensure
internal/relation/detector.go consumes only models.RelationType values (or
extend models.RelationType and all its consumers if you choose to add new
canonical values).

internal/relation/detector.go-257-286 (1)

257-286: ⚠️ Potential issue | 🟠 Major

Не создавайте references-связи без проверки project.

На Line 264 ID из narrative сразу превращается в relation. Если [[obs:1234]] укажет на observation из другого project, код на Lines 269-285 создаст межпроектные references/referenced_by-рёбра и сломает изоляцию графа. Перед StoreRelation здесь нужно убедиться, что refID существует и принадлежит тому же проекту.

Предлагаемый фикс

 			refID, parseErr := strconv.ParseInt(match[1], 10, 64)
 			if parseErr != nil || refID == obsID {
 				continue
 			}
+			refObs, loadErr := d.observationStore.GetObservationByID(ctx, refID)
+			if loadErr != nil || refObs == nil || refObs.Project != obs.Project {
+				continue
+			}
 			// Create bidirectional edges: current → referenced, referenced → current

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/relation/detector.go` around lines 257 - 286, The code is creating
references/referenced_by edges from parsed intentional links without verifying
the referenced observation's project; before calling
d.relationStore.StoreRelation for refRel/backRel, load the referenced
observation (e.g. via the existing observation store method like
GetByID/GetObservation) and verify it exists and its ProjectID matches the
current observation's project; only then create both models.ObservationRelation
entries (keep the checks around refID/obsID and the existing logging) and skip
storing relations if the referenced obs is missing or belongs to a different
project.

internal/relation/detector.go-290-317 (1)

290-317: ⚠️ Potential issue | 🟠 Major

fileNodeID нужно отделить от observation ID и привязать к project.

Line 296 обещает отрицательный pseudo-ID, но на Lines 297 и 312 сохраняется положительный hashString(filePath). В результате одинаковые пути вроде README.md схлопнутся между разными проектами, а сами file-ноды ещё и делят пространство ID с observation. Хэш лучше строить хотя бы от project + path и сохранять в отдельном диапазоне, например отрицательном.

Предлагаемый фикс

-		// Use file path hash as a pseudo node ID (negative to avoid collision with observation IDs)
-		fileNodeID := int64(hashString(filePath))
+		// Namespace file nodes by project and keep them negative to avoid colliding with observation IDs.
+		fileNodeID := -hashString(obs.Project + "\x00" + filePath)
 		rel := &models.ObservationRelation{
 			SourceID:     obsID,
 			TargetID:     fileNodeID,
 			RelationType: "modifies",
@@
-		fileNodeID := int64(hashString(filePath))
+		fileNodeID := -hashString(obs.Project + "\x00" + filePath)
 		rel := &models.ObservationRelation{
 			SourceID:     obsID,
 			TargetID:     fileNodeID,
 			RelationType: "reads",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/relation/detector.go` around lines 290 - 317, The file-node IDs are
colliding with observation IDs and across projects because fileNodeID is
currently set to int64(hashString(filePath)); update the ID derivation to
include the project identifier and map file nodes into a separate ID range
(e.g., negate the hash or prefix with project) so they cannot collide with
observation IDs: change usages around fileNodeID (in the obs.FilesModified and
obs.FilesRead loops where models.ObservationRelation is created and
relationStore.StoreRelation is called) to compute the hash from project+filePath
(via the existing hashString function) and then convert it into the distinct
negative/namespace range before assigning to TargetID; ensure any comments about
pseudo node ID reflect this new scheme and keep Confidence/RelationType logic
the same.

ui/src/views/ObservationsView.vue-100-105 (1)

100-105: ⚠️ Potential issue | 🟠 Major

Не просите scope свободным текстом.

Для PATCH /api/observations/bulk-scope сервер принимает только global или project (internal/worker/handlers_data.go:52-100), а эта форма предлагает ввести любую строку. В результате bulk change scope почти всегда упрётся в 400, если пользователь не знает точные литералы.

💡 Возможный фикс

-const batchScopeInput = ref('')
+const batchScopeInput = ref<'global' | 'project'>('project')

-<input
-  v-model="batchScopeInput"
-  type="text"
-  placeholder="Enter new scope..."
-  `@keydown.enter`="executeBatchAction"
-/>
+<select v-model="batchScopeInput">
+  <option value="project">project</option>
+  <option value="global">global</option>
+</select>

Also applies to: 369-389

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/src/views/ObservationsView.vue` around lines 100 - 105, The form currently
sends arbitrary text from batchScopeInput to the bulk-scope endpoint (see
batchAction.value === 'scope' branch and fetch('/api/observations/bulk-scope')),
but the server only accepts "global" or "project"; change the UI to
restrict/validate the value: replace the free-text input bound to
batchScopeInput with a select (or radio) offering only "global" and "project",
and add a client-side check before the fetch to ensure batchScopeInput is one of
those two literals (otherwise show an error and avoid calling the endpoint);
update any other places using batchScopeInput (e.g., the other scope-handling
code around lines 369-389) to the same constrained pattern.

ui/src/views/ObservationsView.vue-136-143 (1)

136-143: ⚠️ Potential issue | 🟠 Major

Фильтр Top Tags сейчас ничего не фильтрует.

filterByTag() меняет currentTagFilter и делает fetchPage(), но выбранный тег дальше нигде не используется. Ни запрос списка, ни filteredObservations не зависят от currentTagFilter, поэтому клик меняет только активное состояние пилюли.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/src/views/ObservationsView.vue` around lines 136 - 143, filterByTag
toggles currentTagFilter and calls fetchPage(), but neither the network request
nor the local computed filteredObservations use currentTagFilter; update the
logic so the selected tag actually filters results: modify fetchPage (or the API
params it calls) to include currentTagFilter.value when building the
query/params so the backend returns tag-filtered items, and/or change the
computed filteredObservations to apply a filter by currentTagFilter.value (e.g.,
compare observation.tags.includes(currentTagFilter.value)) so the UI reflects
the chosen tag; ensure the symbols mentioned (filterByTag, currentTagFilter,
fetchPage, filteredObservations) are updated accordingly and that offset.value
reset behavior remains.

ui/src/views/ObservationsView.vue-564-576 (1)

564-576: ⚠️ Potential issue | 🟠 Major

Замените span на семантический элемент button.

Элемент <span> с обработчиком клика не доступен с клавиатуры: он не фокусируется по Tab и не реагирует на Enter/Space. Для интерактивного управления требуется семантический элемент <button type="button"> с встроенной клавиатурной активацией и правильной семантикой.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/src/views/ObservationsView.vue` around lines 564 - 576, Replace the
non-semantic <span> interactive items with a proper button to restore keyboard
accessibility: in the v-for that iterates over tagCloud (keyed by item.tag)
change the element to a <button type="button"> and keep the :key, :class binding
and `@click`="filterByTag(item.tag)"; also ensure currentTagFilter logic is
preserved for styling and add an accessible state attribute (e.g.,
:aria-pressed="currentTagFilter === item.tag") so assistive tech and keyboard
users get proper semantics and state from the tag component.

ui/src/views/ObservationsView.vue-95-112 (1)

95-112: ⚠️ Potential issue | 🟠 Major

Добавьте проверку response.ok для batch-запросов.

fetch() не отклоняет Promise при ошибках 4xx/5xx — это приводит к тому, что операции delete/scope/tag могут завершиться ошибкой валидации или на сервере, но UI все равно пойдёт по успешной ветке: очистит выделение и перезагрузит список. Это критично для деструктивных операций.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/src/views/ObservationsView.vue` around lines 95 - 112, The batch action
handlers (the branches using batchAction.value that call fetch for
'/api/observations/bulk', '/api/observations/bulk-scope', and
'/api/observations/batch-tag') must check the fetch Response.ok and handle
non-OK responses before proceeding to clear selection or reload the list; for
each await fetch(...) call, inspect the returned response, if !response.ok read
and surface the error (e.g., throw or return the parsed JSON/error message) so
the caller can stop the success flow and show an error, and only clear
batchScopeInput.value / batchTagInput.value and reload when response.ok is true.
Ensure the check covers all three endpoints and use the same error-handling
pattern so validation/4xx/5xx results do not falsely trigger the success branch.

internal/worker/handlers_scoring.go-212-233 (1)

212-233: ⚠️ Potential issue | 🟠 Major

Порог адаптации привязывается не к тому проекту.

У этого endpoint в запросе нет project, поэтому на Line 226 вы берёте obs.Project. Для scope="global" или переиспользуемых observation это обновит чужой project_settings либо вообще ничего не обновит при пустом Project, хотя feedback пришёл из конкретной сессии текущего проекта. Нужен project/session_id в payload или lookup через session injection.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/worker/handlers_scoring.go` around lines 212 - 233, The
adaptive-threshold adjustment is using obs.Project (from observation) which can
be empty or belong to a different project; modify the handler to determine the
project from the incoming request/session first and only fall back to
observation.Project if needed. Concretely: add or read a project identifier from
the request payload (e.g., req.Project or req.SessionID) or resolve the session
from the request context (via session lookup) to obtain session.Project, then
call projectSettingsStore.AdjustThreshold(r.Context(), project, delta) using
that resolved project; keep the current observationStore.GetObservationByID(id)
only for fallback or validation, and ensure you skip AdjustThreshold when the
resolved project is empty to avoid touching other projects' settings.

plugin/engram/hooks/stop.js-356-390 (1)

356-390: ⚠️ Potential issue | 🟠 Major

Поиск manual search сейчас не видит structured tool calls.

Здесь проверяется только m.text, но parseTranscript() выше наполняет его через extractTextContent(), который сохраняет лишь part.type === 'text'. Если engram__search/engram__find_by_* приходят как tool_use/function-call блоки, insufficient_injection не отправится.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@plugin/engram/hooks/stop.js` around lines 356 - 390, Manual-search detection
only checks assistant message text (m.text) but
parseTranscript()/extractTextContent() drops non-text parts, so
tool_use/function-call entries like engram__search or engram__find_by_* are
missed; update the detection inside the stop hook to also inspect assistant
message metadata for tool/function calls (e.g., check
message.function_call.name, message.tool_call?.name, message.type or
message.parts for tool entries) when computing
assistantFullText/manualSearchDetected (the messages array and variables
sessionID, lib.requestPost remain the same) and fall back to the existing text
check so tool-based calls trigger the insufficient_injection request.

internal/worker/service.go-972-975 (1)

972-975: ⚠️ Potential issue | 🟠 Major

Новый ProjectSettingsStore не переживает reinitializeDatabase().

Он создаётся только здесь. В path повторной инициализации БД ниже новый instance не создаётся и не пробрасывается обратно в searchMgr, поэтому после recreation базы adaptive thresholds будут читать/писать через устаревший DB handle.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/worker/service.go` around lines 972 - 975, ProjectSettingsStore is
only constructed once via gorm.NewProjectSettingsStore and assigned to
s.projectSettingsStore and searchMgr here, but reinitializeDatabase() recreates
the DB without recreating or re-registering that store; update
reinitializeDatabase() to create a fresh ProjectSettingsStore (call
gorm.NewProjectSettingsStore with the new DB handle), assign it to
s.projectSettingsStore, and call searchMgr.SetProjectSettingsStore(newStore) so
searchMgr and the service use the new DB handle after DB recreation.

internal/maintenance/service.go-645-678 (1)

645-678: ⚠️ Potential issue | 🟠 Major

Метрика drift сравнивает несопоставимые сущности.

Stats().NodeCount считает все graph nodes, а SQL ниже считает все активные observations. После добавления file-нод и при наличии observations без relations эти числа по определению расходятся, поэтому maintenance будет регулярно триггерить ложный full re-sync.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/maintenance/service.go` around lines 645 - 678, The drift metric is
comparing all graph nodes (stats.NodeCount from s.graphStore.Stats) to all
active observations (the obsCount SQL on table "observations"), which is invalid
when file-nodes or observations without relations exist; update the obsCount
query to only count observations that are actually linked into the graph (e.g.,
join or exists against the relations/edges table or whatever relation table
holds observation→node links) so obsCount reflects only observations that should
map to graph nodes, or alternatively compute graphCount to exclude file-type
nodes from stats.NodeCount; adjust the code around s.graphStore.Stats,
stats.NodeCount and the observations Count(...) query so both sides measure the
same entity set before computing drift.

internal/search/manager.go-351-355 (1)

351-355: ⚠️ Potential issue | 🟠 Major

0.3 нельзя использовать как sentinel для “unset”.

Проект, у которого threshold реально опустился до 0.3, здесь считается “не настроенным” и заменяется globalDefault. Если глобальный порог поднят выше 0.3, feedback-driven настройка для такого проекта больше никогда не сможет закрепиться на 0.3.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/search/manager.go` around lines 351 - 355, The code wrongly treats
the literal 0.3 as a sentinel for “unset” when deciding between threshold and
globalDefault; change the stored threshold to be explicitly nullable or
accompanied by an explicit flag instead of comparing to 0.3 (e.g., make
threshold a *float64 or add a ThresholdSet bool), update the logic where
threshold is read (the variable named threshold and the decision that currently
returns globalDefault) to check for nil/ThresholdSet rather than value equality,
and return globalDefault only when the stored value is truly absent; ensure any
callers/serializers are updated to handle the nullable/flagged representation.

internal/graph/falkordb/client.go-368-375 (1)

368-375: ⚠️ Potential issue | 🟠 Major

Сейчас это не GetCluster, а только 3-hop neighborhood.

[:REL*1..3] режет связанную компоненту на глубине 3, а LIMIT без сортировки по длине пути возвращает произвольное подмножество. Для длинных цепочек метод будет отдавать неполный и нестабильный “кластер”.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/graph/falkordb/client.go` around lines 368 - 375, The current query
in GetCluster (the query string building using "MATCH (a:Observation {id:
%d})-[:REL*1..3]-(b:Observation) ... LIMIT %d") only returns a 3‑hop
neighborhood and with LIMIT returns an arbitrary subset; change it to compute
the full connected component instead and make results stable: replace the fixed
depth pattern "[:REL*1..3]" with an unbounded variable-length pattern (e.g.
"[:REL*]" or use a shortest-path pattern like "MATCH
p=shortestPath((a)-[:REL*]-(b)) RETURN b.id, length(p) ORDER BY length(p) ASC"
if you must keep a LIMIT), and remove or pair LIMIT with an ORDER BY length(p)
so returned nodes are deterministic; update the query construction in the
GetCluster-related code that builds the query string to use the new pattern and
ordering.

internal/maintenance/service.go-618-629 (1)

618-629: ⚠️ Potential issue | 🟠 Major

SyncFromRelations не распространяет удаления в граф.

После удаления relation в PostgreSQL вызов graphStore.SyncFromRelations() не почистит FalkorDB: текущая реализация только MERGE-ит существующие рёбра. То же самое касается нижнего drift-recovery path, который вызывает этот же sync, поэтому stale edges в графе останутся.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/maintenance/service.go` around lines 618 - 629, The current call to
s.graphStore.SyncFromRelations(ctx, modelRelations) only MERGEs edges and thus
doesn’t remove stale FalkorDB edges; update the sync call to perform a full
reconciliation that also deletes edges missing from modelRelations — either by
calling an existing full-sync API on graphStore (e.g., SyncFromRelations(ctx,
modelRelations, FullSync/withDeletions option) or a dedicated method like
ReplaceRelations/SyncFromRelationsWithDeletions), or implement a two-step
prune-then-merge on s.graphStore (delete edges not in modelRelations then upsert
the modelRelations); apply the same change to the lower drift-recovery path that
currently uses gorm.ToModelRelations(...) and s.graphStore.SyncFromRelations so
both paths propagate deletions to FalkorDB and log failures via s.log.

internal/worker/handlers_context.go-1128-1141 (1)

1128-1141: ⚠️ Potential issue | 🟠 Major

Здесь считается не distinct-count, а сумма длин срезов.

totalInjected сейчас завышается, если один и тот же observation попал сразу в несколько секций. Тогда floor может не добрать записи, хотя уникальных observation ID всё ещё меньше минимума.

🛠 Вариант правки

-	totalInjected := len(recentFresh) + len(relevantObservations) + len(guidanceObservations) + len(alwaysInjectObservations)
+	injectedIDs := make(map[int64]struct{}, len(recentFresh)+len(relevantObservations)+len(guidanceObservations)+len(alwaysInjectObservations))
+	for _, section := range [][]*models.Observation{recentFresh, relevantObservations, guidanceObservations, alwaysInjectObservations} {
+		for _, obs := range section {
+			injectedIDs[obs.ID] = struct{}{}
+		}
+	}
+	totalInjected := len(injectedIDs)
 	if totalInjected < injectionFloor && s.observationStore != nil {
 		needed := injectionFloor - totalInjected
 		fillObs, fillErr := s.observationStore.GetTopImportanceObservations(ctx, project, needed+totalInjected)
 		if fillErr == nil {
 			for _, obs := range fillObs {
-				if _, already := recentIDs[obs.ID]; !already {
+				if _, already := injectedIDs[obs.ID]; !already {
 					recentFresh = append(recentFresh, obs)
+					injectedIDs[obs.ID] = struct{}{}
 					recentIDs[obs.ID] = struct{}{}
 					needed--
 					if needed == 0 {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/worker/handlers_context.go` around lines 1128 - 1141, The current
totalInjected calculation uses sum of slice lengths (totalInjected :=
len(recentFresh) + len(relevantObservations) + len(guidanceObservations) +
len(alwaysInjectObservations)) which overcounts when the same observation
appears in multiple slices; change the logic to count unique observation IDs
instead (compute a set/map of IDs across recentFresh, relevantObservations,
guidanceObservations, alwaysInjectObservations, then use its size as
totalInjected) before deciding to call
s.observationStore.GetTopImportanceObservations; ensure later checks that add to
recentFresh also consult and update the same recentIDs map so uniqueness is
preserved (referencing totalInjected, recentFresh, relevantObservations,
guidanceObservations, alwaysInjectObservations, recentIDs, and
observationStore.GetTopImportanceObservations).

internal/db/gorm/project_settings_store.go-57-63 (1)

57-63: ⚠️ Potential issue | 🟠 Major

Первый feedback для нового проекта сейчас теряется.

На insert-пути UPSERT пишет фиксированные 0.3 и 0, поэтому первый вызов AdjustThreshold() не применяет delta и не увеличивает feedback_count. Адаптивный threshold начинает реально меняться только со второго feedback-события.

🛠 Вариант правки

 	sql := `INSERT INTO project_settings (project, relevance_threshold, feedback_count, updated_at)
-	        VALUES (?, 0.3, 0, NOW())
+	        VALUES (?, GREATEST(0.1, LEAST(0.8, 0.3 + ?)), 1, NOW())
 	        ON CONFLICT (project) DO UPDATE
 	        SET relevance_threshold = GREATEST(0.1, LEAST(0.8, project_settings.relevance_threshold + ?)),
 	            feedback_count      = project_settings.feedback_count + 1,
 	            updated_at          = NOW()`
-	return s.db.WithContext(ctx).Exec(sql, project, delta).Error
+	return s.db.WithContext(ctx).Exec(sql, project, delta, delta).Error

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/db/gorm/project_settings_store.go` around lines 57 - 63, The INSERT
uses fixed initial values (0.3 and 0) so the very first AdjustThreshold call
ignores the delta and doesn't increment feedback_count; change the UPSERT so the
INSERT path applies the delta and sets feedback_count to 1 (e.g. VALUES (?, 0.3
+ ?, 1, NOW()) or use EXCLUDED.relevance_threshold) and keep the DO UPDATE logic
to add delta and increment feedback_count; also update the Exec parameter list
for s.db.WithContext(ctx).Exec(sql, ...) (or adjust the SQL to reference
EXCLUDED to avoid extra params) so the first call actually applies the delta and
increases feedback_count.

internal/db/gorm/versioned_document_store.go-83-106 (1)

83-106: ⚠️ Potential issue | 🟠 Major

MAX(version)+1 небезопасен при параллельных Create.

Два одновременных запроса для одного (path, project) могут прочитать один и тот же maxVersion и попытаться вставить одинаковый version. Под нагрузкой это даст спорадические ошибки вставки и потерю одного из обновлений.

🛠 Вариант правки

-	var maxVersion int
-	if err := s.db.WithContext(ctx).
-		Model(&VersionedDocument{}).
-		Where("path = ? AND project = ?", path, project).
-		Select("COALESCE(MAX(version), 0)").
-		Scan(&maxVersion).Error; err != nil {
-		return 0, fmt.Errorf("versioned_document_store: query max version: %w", err)
-	}
-
-	doc := VersionedDocument{
-		Path:        path,
-		Project:     project,
-		Version:     maxVersion + 1,
-		Content:     content,
-		ContentHash: contentHash,
-		DocType:     docType,
-		Metadata:    metadata,
-		Author:      author,
-		CreatedAt:   now,
-	}
-
-	if err := s.db.WithContext(ctx).Create(&doc).Error; err != nil {
-		return 0, fmt.Errorf("versioned_document_store: insert document: %w", err)
-	}
+	var doc VersionedDocument
+	if err := s.db.WithContext(ctx).Transaction(func(tx *gorm.DB) error {
+		if err := tx.Exec(
+			`SELECT pg_advisory_xact_lock(hashtext(?), hashtext(?))`,
+			project, path,
+		).Error; err != nil {
+			return fmt.Errorf("versioned_document_store: lock document stream: %w", err)
+		}
+
+		var maxVersion int
+		if err := tx.Model(&VersionedDocument{}).
+			Where("path = ? AND project = ?", path, project).
+			Select("COALESCE(MAX(version), 0)").
+			Scan(&maxVersion).Error; err != nil {
+			return fmt.Errorf("versioned_document_store: query max version: %w", err)
+		}
+
+		doc = VersionedDocument{
+			Path:        path,
+			Project:     project,
+			Version:     maxVersion + 1,
+			Content:     content,
+			ContentHash: contentHash,
+			DocType:     docType,
+			Metadata:    metadata,
+			Author:      author,
+			CreatedAt:   now,
+		}
+		if err := tx.Create(&doc).Error; err != nil {
+			return fmt.Errorf("versioned_document_store: insert document: %w", err)
+		}
+		return nil
+	}); err != nil {
+		return 0, err
+	}
 	return doc.ID, nil

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/db/gorm/versioned_document_store.go` around lines 83 - 106, Race on
computing MAX(version)+1 can yield duplicate versions under concurrent Create;
wrap the read-and-insert in a DB transaction and lock the relevant rows before
reading the max version. Specifically, in the method that builds
VersionedDocument and inserts it, use s.db.WithContext(ctx).Transaction(...) and
inside use the transaction (tx) to SELECT COALESCE(MAX(version),0) FOR UPDATE
(via GORM locking clause) for the given path and project into maxVersion, then
set Version = maxVersion+1 and insert via tx.Create(&doc); return or retry on
unique-constraint conflicts if needed. Ensure you reference VersionedDocument,
the maxVersion read, and the Create call so the atomic read+write is done inside
the transaction.

internal/worker/handlers_context.go-356-379 (1)

356-379: ⚠️ Potential issue | 🟠 Major

Сохраните obs_type при доборе через injection floor.

Если запрос пришёл с obs_type, этот блок добирает GetTopImportanceObservations(...) без повторной фильтрации и может вернуть наблюдения другого типа. В результате /api/context/search иногда нарушает собственный контракт фильтрации.

🛠 Вариант правки

 		fillObs, fillErr := s.observationStore.GetTopImportanceObservations(r.Context(), project, needed+len(clusteredObservations))
 		if fillErr == nil {
 			for _, obs := range fillObs {
+				if obsTypeFilter != "" && string(obs.Type) != obsTypeFilter {
+					continue
+				}
 				if _, already := includedIDs[obs.ID]; !already {
 					clusteredObservations = append(clusteredObservations, obs)
 					includedIDs[obs.ID] = struct{}{}
 					needed--
 					if needed == 0 {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/worker/handlers_context.go` around lines 356 - 379, The
injection-floor filler uses s.observationStore.GetTopImportanceObservations to
top-up clusteredObservations but doesn't respect the incoming obs_type filter;
update the filler (around variables injectionFloor, clusteredObservations and
the call to s.observationStore.GetTopImportanceObservations) to preserve the
requested obs_type by either passing the obs_type into the
GetTopImportanceObservations call if it supports a type/filter argument, or by
post-filtering fillObs to only append obs where obs.Type == requestedObsType (or
equivalent field) before deduplication and appending; ensure needed/de-dup logic
and includedIDs handling remain correct after applying this filter.

🟡 Minor comments (6)

ui/src/views/TokensView.vue-20-36 (1)

20-36: ⚠️ Potential issue | 🟡 Minor

Отсутствует credentials: 'include' в fetch-запросе.

Эндпоинт /api/auth/tokens/{id}/stats находится в защищённой секции маршрутов (см. handlers_auth.go). Без credentials: 'include' запрос может не пройти аутентификацию через cookie-сессию.

Также: при ошибке запроса tokenStats[tokenId] остаётся undefined, но повторная попытка заблокирована проверкой на строке 21. Пользователь не сможет повторить загрузку статистики.

🐛 Предложение: добавить credentials и обработку ошибок

 async function loadTokenStats(tokenId: string) {
-  if (tokenStats.value[tokenId] !== undefined || statsLoading.value[tokenId]) return
+  if (statsLoading.value[tokenId]) return
   statsLoading.value = { ...statsLoading.value, [tokenId]: true }
   try {
-    const res = await fetch(`/api/auth/tokens/${encodeURIComponent(tokenId)}/stats`)
+    const res = await fetch(`/api/auth/tokens/${encodeURIComponent(tokenId)}/stats`, {
+      credentials: 'include',
+    })
     if (res.ok) {
       const data: TokenStats = await res.json()
       tokenStats.value = { ...tokenStats.value, [tokenId]: data }
+    } else {
+      // Помечаем как null для возможности повторной попытки
+      tokenStats.value = { ...tokenStats.value, [tokenId]: null as unknown as TokenStats }
     }
   } catch {
     // Non-critical — stats are supplemental
   } finally {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/src/views/TokensView.vue` around lines 20 - 36, In loadTokenStats: include
credentials: 'include' in the fetch call to ensure cookie-based auth, and change
the early-return guard from tokenStats.value[tokenId] !== undefined to a
presence check using Object.prototype.hasOwnProperty.call(tokenStats.value,
tokenId) (or an equivalent key-owned check) so a failed fetch that left no key
does not block retries; keep statsLoading handling and only set
tokenStats.value[...] on successful res.ok, and ensure the catch/finally still
clears statsLoading[tokenId].

scripts/install.sh-176-179 (1)

176-179: ⚠️ Potential issue | 🟡 Minor

--client-only не очищает старый engram-server.

В client-only ветке новый бинарь просто не копируется, но уже существующий engram-server остаётся в $INSTALL_DIR. Потом Line 258 копирует весь каталог в cache, так что обновление поверх старой full-установки продолжит таскать server binary, хотя режим по умолчанию теперь client-only.

🧹 Минимальная очистка stale binary

     # Copy binaries (--client-only skips server binary)
     if [[ "$INSTALL_MODE" == "full" ]]; then
         cp "$tmp_dir/engram-server" "$INSTALL_DIR/" 2>/dev/null || true
+    else
+        rm -f "$INSTALL_DIR/engram-server"
     fi

Also applies to: 211-213

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/install.sh` around lines 176 - 179, When INSTALL_MODE is
"client-only" the script currently skips copying engram-server but does not
remove an existing stale binary; update the install logic around the
engram-server handling to explicitly remove any existing
"$INSTALL_DIR/engram-server" when INSTALL_MODE != "full" (i.e., in the
client-only branch) before proceeding, and apply the same cleanup in the other
similar block (the one referenced around lines handling tmp_dir copy at
211-213); use the INSTALL_MODE and INSTALL_DIR variables and the "engram-server"
filename to locate the code to modify.

docs/DEPLOYMENT.md-94-104 (1)

94-104: ⚠️ Potential issue | 🟡 Minor

Переименование в manual Docker осталось незавершённым.

В этом блоке сервер уже называется engram-server, но шаг выше всё ещё использует cmplus-postgres и cmplus-pgdata. В результате пример остаётся с двумя наборами имён и сбивает при копипасте.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/DEPLOYMENT.md` around lines 94 - 104, The deployment docs are
inconsistent: the server is named engram-server but the previous DB containers
still use cmplus-postgres and cmplus-pgdata; update those container names to
match the manual naming (e.g., rename cmplus-postgres -> engram-postgres and
cmplus-pgdata -> engram-pgdata or choose a single prefix) so references are
consistent with --name engram-server and the subsequent -e DATABASE_DSN; change
all occurrences of cmplus-postgres and cmplus-pgdata in the same block to the
chosen engram-* names and ensure the DATABASE_DSN host matches that container
name.

internal/db/gorm/helpers.go-105-110 (1)

105-110: ⚠️ Potential issue | 🟡 Minor

Сделайте экспортируемый mapper nil-safe.

Теперь это публичный helper. Передача nil извне приведёт к panic внутри toModelObservation, что для exported API слишком хрупко.

🛡️ Минимальное исправление

 func ToModelObservation(o *Observation) *models.Observation {
+	if o == nil {
+		return nil
+	}
 	return toModelObservation(o)
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/db/gorm/helpers.go` around lines 105 - 110, ToModelObservation
currently forwards to toModelObservation and will panic if passed nil; make the
exported mapper nil-safe by guarding against nil before delegating (or update
toModelObservation to handle nil) so passing a nil *Observation returns nil (or
a zero-value *models.Observation) instead of panicking; update
ToModelObservation to check if o == nil and return nil (and add a small unit
test for ToModelObservation nil input) while keeping toModelObservation
unchanged unless you prefer centralizing the nil check there.

internal/config/config.go-597-606 (1)

597-606: ⚠️ Potential issue | 🟡 Minor

Новые настройки сейчас нельзя задать через settings.json.

Для ENGRAM_INJECTION_FLOOR и ENGRAM_SESSION_BOOST добавлен только env-override блок. В секции JSON-разбора выше этих ключей нет, поэтому значения в ~/.engram/settings.json будут молча игнорироваться. Если они задуманы как env-only, лучше убрать json-теги, чтобы не создавать ложное ожидание.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/config/config.go` around lines 597 - 606, The JSON settings parser
currently lacks entries for ENGRAM_INJECTION_FLOOR and ENGRAM_SESSION_BOOST so
the env-only overrides in the config init (reading ENGRAM_INJECTION_FLOOR ->
cfg.InjectionFloor and ENGRAM_SESSION_BOOST -> cfg.SessionBoost) silently ignore
values in ~/.engram/settings.json; either add corresponding JSON-parsed fields
to the settings struct/JSON decode path so settings.json values populate
cfg.InjectionFloor and cfg.SessionBoost (and keep the env overrides as
fallbacks), or remove the json tags/consumer expectations for those keys to make
them clearly env-only; locate the settings struct and the JSON decode logic used
for loading settings.json and update it to include InjectionFloor and
SessionBoost (or remove json metadata) so behavior matches expectations.

internal/db/gorm/versioned_document_store.go-172-174 (1)

172-174: ⚠️ Potential issue | 🟡 Minor

Экранируйте % и _ в pathPrefix перед LIKE.

Сейчас pathPrefix+"%" трактует _ и % как wildcard-ы, поэтому prefix-фильтр может возвращать лишние документы для вполне обычных имён путей.

🛠 Вариант правки

 	if pathPrefix != "" {
-		clauses = append(clauses, "path LIKE ?")
-		args = append(args, pathPrefix+"%")
+		escapedPrefix := strings.NewReplacer(`\`, `\\`, `%`, `\%`, `_`, `\_`).Replace(pathPrefix)
+		clauses = append(clauses, `path LIKE ? ESCAPE '\'`)
+		args = append(args, escapedPrefix+"%")
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/db/gorm/versioned_document_store.go` around lines 172 - 174, В блоке
где формируются clauses/args для фильтра по path (переменные pathPrefix,
clauses, args и строка "path LIKE ?") нужно экранировать спецсимволы SQL-LIKE в
pathPrefix (заменить "%" на "\%" и "_" на "\_") и затем подставлять
экранированный префикс с "%" для поиска по префиксу; одновременно изменить
строку условия на "path LIKE ? ESCAPE '\\'" чтобы СУБД правильно
интерпретировала обратный слеш как экранирующий символ. Это гарантирует, что
обычные символы '_' и '%' в pathPrefix не будут трактоваться как wildcard'ы.

🧹 Nitpick comments (5)

ui/src/views/SystemView.vue (2)

60-70: Ошибка получения статуса vault не отображается пользователю.

vaultResult не включён в массив failures на строке 65, поэтому ошибки при получении статуса шифрования не будут показаны пользователю. Если это намеренно (некритичная функция), стоит добавить комментарий. Если статус vault важен — добавьте его в обработку ошибок.

♻️ Предложение: добавить vaultResult в обработку ошибок

     // Surface real errors (not AbortErrors for the current signal).
-    const failures = [h, v, g]
+    const failures = [h, v, g, vaultResult]
       .filter(r => r.status === 'rejected')

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/src/views/SystemView.vue` around lines 60 - 70, The vaultResult rejection
isn't included in the failures aggregation so vault-related errors won't be
surfaced; update the failure collection logic that builds failures (currently
from [h, v, g]) to also include vaultResult when its status is 'rejected' (or
otherwise include its reason) and then map/filter out AbortError the same way so
error.value receives vault errors; touch the code around the failures array
construction and the subsequent error.value assignment (symbols: vaultResult,
failures, error.value) and/or add a comment if omission was intentional.

---

82-88: Отсутствует обратная связь при неудачном копировании.

Если copyToClipboard возвращает false, пользователь не получает никакого уведомления о неудаче. Рекомендуется добавить обработку этого случая для улучшения UX.

♻️ Предложение: добавить обработку ошибки

 async function copyVaultSetupCommand() {
   const ok = await copyToClipboard('openssl rand -hex 32 > vault.key')
   if (ok) {
     vaultCopyFeedback.value = true
     setTimeout(() => { vaultCopyFeedback.value = false }, 2000)
+  } else {
+    // Можно показать уведомление или изменить состояние
+    console.warn('Failed to copy to clipboard')
   }
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/src/views/SystemView.vue` around lines 82 - 88, Handle the case when
copyToClipboard returns false in copyVaultSetupCommand: when ok is false, set a
failure feedback state (e.g., create and set vaultCopyError.value = true or
reuse an existing error feedback ref), trigger a short timeout to clear it (like
the success path’s 2s), and optionally log the failure; update the template to
show the error feedback to the user so failed clipboard attempts surface in the
UI (refer to copyVaultSetupCommand, vaultCopyFeedback and copyToClipboard).

ui/src/components/layout/AppSidebar.vue (1)

19-33: Дублирование запроса к /api/auth/me.

Композабл useAuth (см. useAuth.ts) уже вызывает /api/auth/me при проверке аутентификации, но не возвращает поле auth_disabled. Текущая реализация создаёт второй запрос к тому же эндпоинту при монтировании компонента.

Рекомендуется расширить useAuth, чтобы он также возвращал authDisabled, избежав дублирования запросов.

♻️ Альтернативный подход: расширить useAuth

В composables/useAuth.ts:

const authDisabled = ref(false)

async function checkAuth(): Promise<void> {
  loading.value = true
  try {
    const res = await fetch('/api/auth/me', { credentials: 'include' })
    authenticated.value = res.ok
    if (res.ok) {
      const data = await res.json()
      authDisabled.value = data?.auth_disabled === true
    }
  } catch {
    authenticated.value = false
  } finally {
    loading.value = false
  }
}

return {
  // ...existing
  authDisabled: computed(() => authDisabled.value),
}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/src/components/layout/AppSidebar.vue` around lines 19 - 33, The component
duplicates /api/auth/me—remove the local checkAuthDisabled in AppSidebar.vue and
instead extend the composable useAuth: add a ref authDisabled, update the
existing checkAuth (or checkAuthentication) to parse data?.auth_disabled and set
authDisabled.value when res.ok, and export authDisabled as a computed property
from useAuth so AppSidebar imports authDisabled from useAuth and reads that
reactive value; ensure the existing loading/authenticated behavior in checkAuth
is preserved.

ui/src/views/ObservationsView.vue (1)

92-114: tagCloud не синхронизирован с текущим контекстом списка.

loadTagCloud() всегда запрашивает глобальное облако и вызывается только при монтировании. После смены проекта или успешных batch-операций основной список уже обновлён, а сайдбар остаётся со старыми/глобальными тегами. Бэкенд уже поддерживает project query в internal/worker/handlers_tags.go:100-160, так что облако лучше перезагружать вместе с проектом и после мутаций.

Also applies to: 125-134, 249-250

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/src/views/ObservationsView.vue` around lines 92 - 114, The tagCloud
sidebar isn’t refreshed when the project context or after batch mutations
change; update ObservationsView.vue to call loadTagCloud with the current
project context (or trigger the same refresh path) whenever the active project
changes and after successful batch actions
(archive/delete/batch-scope/batch-tag) so tagCloud reflects project-scoped tags;
locate the batch handlers in the conditional using batchAction.value and the
loadTagCloud/tagCloud usage to add a reload call, and rely on the backend
project query support implemented in internal/worker/handlers_tags.go to fetch
project-scoped tags.

internal/db/gorm/observation_store.go (1)

1663-1675: GetTopImportanceObservations полностью дублирует GetActiveObservations.

Фильтры, сортировка и Limit здесь совпадают 1:1 с методом выше. Лучше сделать тонкую обёртку, иначе любая правка active/filter-логики легко разъедется между двумя путями.

♻️ Вариант упрощения

 func (s *ObservationStore) GetTopImportanceObservations(ctx context.Context, project string, limit int) ([]*models.Observation, error) {
-	var dbObservations []Observation
-	err := s.db.WithContext(ctx).
-		Scopes(projectScopeFilter(project), activeObservationFilter(), importanceOrdering()).
-		Limit(limit).
-		Find(&dbObservations).Error
-	if err != nil {
-		return nil, err
-	}
-	return toModelObservations(dbObservations), nil
+	return s.GetActiveObservations(ctx, project, limit)
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/db/gorm/observation_store.go` around lines 1663 - 1675,
GetTopImportanceObservations currently duplicates the query logic in
GetActiveObservations; refactor so the shared filtering/ordering is centralized:
either have GetTopImportanceObservations call GetActiveObservations (adding a
limit/importance ordering parameter) or extract the common scope/query
construction into a helper (e.g., buildActiveObservationQuery or
activeObservationsBase) used by both functions; update
GetTopImportanceObservations to reuse that helper or call GetActiveObservations
with the appropriate limit and importance ordering to avoid duplicate
filter/active-logic.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5424c372-94cb-45bb-8828-4feca764bc27

📥 Commits

Reviewing files that changed from the base of the PR and between 847fce4 and 1f7f379.

📒 Files selected for processing (23)

• docs/DEPLOYMENT.md
• internal/config/config.go
• internal/db/gorm/helpers.go
• internal/db/gorm/migrations.go
• internal/db/gorm/observation_store.go
• internal/db/gorm/project_settings_store.go
• internal/db/gorm/versioned_document_store.go
• internal/graph/falkordb/client.go
• internal/graph/noop.go
• internal/graph/store.go
• internal/maintenance/service.go
• internal/relation/causal_classifier.go
• internal/relation/detector.go
• internal/search/manager.go
• internal/worker/handlers_context.go
• internal/worker/handlers_scoring.go
• internal/worker/service.go
• plugin/engram/hooks/stop.js
• scripts/install.sh
• ui/src/components/layout/AppSidebar.vue
• ui/src/views/ObservationsView.vue
• ui/src/views/SystemView.vue
• ui/src/views/TokensView.vue

[thebtf]

🤖 PR Review MCP State (auto-managed, do not edit)

{
  "version": 2,
  "parentChildren": {},
  "resolvedNitpicks": {
    "coderabbit-nitpick-59b18d86-60": {
      "resolvedAt": "2026-03-24T23:09:49.627Z",
      "resolvedBy": "agent"
    },
    "coderabbit-nitpick-c15068bf-82": {
      "resolvedAt": "2026-03-24T23:09:55.297Z",
      "resolvedBy": "agent"
    },
    "coderabbit-nitpick-fef6a006-19": {
      "resolvedAt": "2026-03-24T23:10:38.039Z",
      "resolvedBy": "agent"
    },
    "coderabbit-nitpick-72d4b5d1-92": {
      "resolvedAt": "2026-03-24T23:11:22.670Z",
      "resolvedBy": "agent"
    },
    "coderabbit-nitpick-29056382-1663": {
      "resolvedAt": "2026-03-24T23:12:03.984Z",
      "resolvedBy": "agent"
    }
  },
  "updatedAt": "2026-03-24T23:12:04.448Z"
}