fix: audit findings — Postgres reclassify, batch completeness, entity noise

P1-1: reclassifyEntity() now works on Postgres (was SQLite-only syntax).
      Entities route dry-run preview also fixed for Postgres backend.

P1-2: Batch endpoint now includes supersedes logic (facts by key,
      statuses by subject), structured DB writes, relevance scoring,
      and entity linking — matching the single-store endpoint.

P2-1: Consolidated memories (merged facts, contradiction events) now
      indexed in keyword search and written to structured DB.

P2-2: cleanupOldEvents refactored to filter per-page instead of
      loading all events into memory (OOM risk eliminated).

P2-4: Internal _sessionKey/_sessionRank fields cleaned from search
      API response before sending to client.

P2-6: Entity extraction noise filters tightened — blocks shell commands,
      JS keywords, imperative instructions, marketing taglines, em-dash
      fragments, all-lowercase multi-word phrases, and measurements.
      Tested against 15 known garbage entities (15/15 blocked).

P3-2: knowledge_category enum validation added to validateMemoryInput.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Steven Lefebvre

AUDIT-2026-04-02.md

@@ -0,0 +1,233 @@
+# Zengram Full Audit Report — 2026-04-02
+
+**Audit scope**: Full codebase review + live database quality check  
+**Models**: Claude Opus 4.6 (primary), Codex GPT-5.4 xhigh (adversarial), Gemini 3.1 Pro (adversarial)  
+**Live instance**: 192.168.18.40:8084 — 521 memories, 787 entities, all retrieval paths active  
+**Tests**: 114 pass / 0 fail / 32 suites  
+**Codebase**: ~11K LOC across API, MCP server, 3 storage backends, 6 test suites
+
+---
+
+## P1 — High Severity (fix before next deploy)
+
+### P1-1: Entity reclassification broken on Postgres backend
+**File**: `api/src/services/entities.js:370-398`  
+**Also**: `api/src/routes/entities.js:115-117` (dry-run preview)
+
+`reclassifyEntity()` uses SQLite-specific `store.db.prepare()` syntax. The Beelink production deployment uses Postgres (`store.pool`), so `store.db` is `undefined`. The function silently returns `{ error: 'No writable store' }`.
+
+**Verified live**: `POST /entities/reclassify` dry-run returns `memories_affected: 0` for "Expert Local" (which has 13 mentions and many linked memories) — the Postgres path can't count.
+
+**Fix**: Add a Postgres code path using `store.pool.query()` for both the UPDATE and the COUNT:
+```javascript
+if (store.pool) {
+  await store.pool.query('UPDATE entities SET entity_type = $1 WHERE id = $2', [newType, entity.id]);
+  const linkCount = await store.pool.query('SELECT COUNT(*) as count FROM entity_memory_links WHERE entity_id = $1', [entity.id]);
+  // ...
+} else if (store.db) {
+  // existing SQLite code
+}
+```
+
+### P1-2: Batch endpoint skips critical write-time logic
+**File**: `api/src/routes/memory.js:847-971`
+
+`POST /memory/batch` is missing:
+1. **Supersedes logic** — batch fact/status ingestion with same key creates duplicates instead of superseding old versions
+2. **Structured DB writes** — memories are in Qdrant but NOT in events/facts/statuses tables (divergence)
+3. **Relevance scoring** — batch memories have no `relevance_score`, `auto_flagged`, or `auto_deprioritized` fields
+4. **Entity linking** — entities are extracted (payload only) but never linked in the entity graph
+
+If agents use `brain_batch` for bootstrap/migration, the structured DB will be missing those memories entirely.
+
+---
+
+## P2 — Medium Severity (fix in next sprint)
+
+### P2-1: Consolidated memories invisible to keyword search and structured queries
+**File**: `api/src/services/consolidation.js:334-372`
+
+When consolidation merges facts or creates contradiction events:
+- Stored in Qdrant ✓
+- **NOT indexed** in `memory_search` table → invisible to BM25 keyword search
+- **NOT written** to structured DB (events/facts/statuses) → invisible to `GET /memory/query`
+
+Consolidated memories can only be found via vector search, never via keyword or structured queries.
+
+### P2-2: cleanupOldEvents loads ALL events into memory
+**File**: `api/src/services/consolidation.js:533-561`
+
+Scrolls ALL event-type memories into an in-memory array before filtering for old/unused ones. With thousands of events, this could exhaust container memory.
+
+**Fix**: Use Qdrant compound filter to scroll only matching points:
+```javascript
+scrollPoints({ type: 'event', active: true }, 200, offset)
+// then filter access_count === 0 && created_at < cutoff per page
+```
+
+### P2-3: Race condition in fact/status supersedes
+**File**: `api/src/routes/memory.js:128-156`
+
+Two concurrent `POST /memory` with the same fact key:
+1. Both find the old fact via `findByPayload`
+2. Both try to supersede it (mark old as inactive, set `superseded_by`)
+3. Both create new points — one "wins" in Qdrant, but the old fact's `superseded_by` field may point to the wrong new memory
+
+Low probability in practice (agents rarely race on the same key) but possible during bulk operations.
+
+### P2-4: Internal fields leak in search API response
+**File**: `api/src/routes/memory.js:539-540`
+
+`_sessionKey` and `_sessionRank` are added to result objects during session diversity re-ranking and flow through to the JSON response when results > 3.
+
+**Verified live**: `GET /memory/search?q=...&limit=8` returns `_sessionKey: "ti-claude::2026-04-02"` and `_sessionRank: 0` in every result.
+
+**Fix**: Delete internal fields before sending response:
+```javascript
+for (const r of results) {
+  delete r._sessionKey;
+  delete r._sessionRank;
+}
+```
+
+### P2-5: Duplicate entities in production database
+Confirmed pairs that should be merged:
+| Entity A | Type | Mentions | Entity B | Type | Mentions |
+|----------|------|----------|----------|------|----------|
+| Expert Local | system | 13 | expert-local | client | 9 |
+| Claude Code | agent | 11 | claude-code | agent | 5 |
+| Dermka Clinik | system | 6 | dermka-clinik | client | 4 |
+| Mini-Claude | workflow | 7 | Mini Claude | system | 1 |
+
+Root cause: Entity extraction treats hyphenated client_id slugs and capitalized display names as separate entities. The `extractEntities()` function adds both `clientId` (line 298) and capitalized phrases (line 340) without cross-checking.
+
+### P2-6: Massive noise in workflow entity type (192 entities)
+Most workflow entities are garbage captured by the quoted name regex (`QUOTED_NAME_REGEX`). Examples:
+- `const viewportDefs` — code variable
+- `openclaw gateway restart` — shell command
+- `drop les emojis` — instruction
+- `Satisfaction Guaranteed or Money Back` — marketing copy
+- `NEVER build HTML yourself` — instruction
+
+The `isJunkQuotedName()` filter is good but doesn't catch:
+- Multi-word shell commands without recognized command prefixes
+- French instructions (`drop les emojis`)
+- Marketing taglines that happen to be quoted
+
+---
+
+## P3 — Low Severity / Polish
+
+### P3-1: 62 "system" entities with 1 mention (noise)
+Many are misclassified: "Maxime Fillion" (person), "Centre Morrin" (place), "Rebranded Prism" (action phrase), "Apple Vision Pro" (unrelated tech).
+
+### P3-2: No `knowledge_category` validation on store endpoint
+**File**: `api/src/middleware/validate.js`  
+`validateMemoryInput` doesn't validate `knowledge_category`. Any string passes through to Qdrant. MCP tool lists valid values but server doesn't enforce.
+
+### P3-3: Feedback loop scrolls ALL active memories twice
+**File**: `api/src/services/feedback-loop.js:27-48, 70-105`  
+Phase 1 (trust scores) and Phase 2 (stale detection) each scroll all active memories. Could be combined into one pass.
+
+### P3-4: CI doesn't test Postgres backend
+**File**: `.github/workflows/ci.yml`  
+All tests run SQLite only. Postgres-specific bugs (like P1-1) are never caught in CI.
+
+### P3-5: `npm audit || true` always passes CI
+**File**: `.github/workflows/ci.yml:30`  
+Security audit failures never fail the build.
+
+### P3-6: `EMBEDDING_DIMS` export always null
+**File**: `api/src/services/embedders/interface.js:63`  
+Legacy backwards-compat export that's never set. Any caller using it gets null.
+
+### P3-7: Collection name validation gap
+**File**: `api/src/services/collection-registry.js:18-27`  
+`resolveCollection()` doesn't call `validateCollectionSlug()`. Pre-prefixed names pass through to Qdrant URLs unvalidated. Qdrant likely rejects bad names, but defense-in-depth is missing.
+
+### P3-8: SQLite FTS5 keyword search doesn't support `source_agent` filter
+**File**: `api/src/services/keyword-search.js:142`  
+Postgres keyword search supports `client_id`, `type`, AND `source_agent` filters. SQLite only supports `client_id` and `type`. Agent-filtered keyword searches return different results on each backend.
+
+---
+
+## Architecture Highlights (Strengths)
+
+- **Auth**: Agent key identity binding with timing-safe comparison. Rate limiting on failed attempts. Identity enforcement on store/update/delete.
+- **Credential scrubbing**: Comprehensive regex patterns (API keys, JWTs, AWS keys, SSH keys, connection strings, Anthropic/OpenAI keys).
+- **Input validation**: Content max 10K chars, metadata max 10KB depth 3, agent names regex-validated, type/importance enum-checked.
+- **Multi-path retrieval**: Vector (semantic) + BM25 (keyword) + graph (entity BFS) → RRF fusion. Well-implemented with proper fallbacks.
+- **Consolidation defense-in-depth**: XML escaping, batch ID validation, hallucination stripping, enum whitelists for types.
+- **Relevance scoring**: Zero-latency (no extra embed call), near-duplicate detection, source trust, entity density.
+- **Session diversity re-ranking**: Smart round-robin across agent/date groups prevents search result clustering.
+- **Graceful degradation**: Every service (entities, keyword, graph, consolidation) is optional and degrades gracefully.
+- **LRU entity cache**: Bounded with pinned built-in entries, prevents unbounded memory growth.
+- **Test suite**: 114 tests / 32 suites / 0 failures. Good coverage of validation, scrubbing, RRF, entity extraction.
+
+---
+
+---
+
+## External Model Adversarial Review — Cross-Verification
+
+### Codex GPT-5.4 (xhigh) — FAILED
+Codex sandbox hit a `bwrap` loopback failure and could not read any source files. No findings produced.
+
+### Gemini 3.1 Pro (adversarial) — 20 findings, 10 verified
+
+The Gemini agent produced 20 findings (5 P0, 5 P1, 5 P2, 5 P3). After line-by-line verification against source code:
+
+| Finding | Gemini Severity | Verified | Actual Severity | Notes |
+|---------|----------------|----------|-----------------|-------|
+| P0-1: Race in dedup | P0 | REAL | **P2** | Already in report as P2-3. Low probability in practice |
+| P0-2: Timing side-channel on agent keys | P0 | **FALSE** | N/A | Map.get() on 256-bit keys not vulnerable |
+| P0-3: SQL wildcard injection via ILIKE | P0 | **FALSE** | N/A | Parameterized queries. Wildcards are intended search behavior |
+| P0-4: LLM output injection to DB | P0 | **FALSE** | N/A | Code has extensive validation (lines 252-300) |
+| P0-5: Collection name injection | P0 | REAL | **P3** | Already in report as P3-7. Qdrant rejects bad names |
+| P1-6: No timeout on findByPayload | P1 | **FALSE** | N/A | All Qdrant calls use `qdrantRequest()` with 10s timeout |
+| P1-7: Hardcoded LIMIT 50 | P1 | REAL | **P3** | Design choice, not a bug |
+| P1-8: Unbounded consolidation memory | P1 | REAL | **P2** | Already in report as P2-2 |
+| P1-9: LLM batch token overflow | P1 | **FALSE** | N/A | 50×10K chars = 125K tokens, Gemini Flash context = 1M |
+| P1-10: Exponential timeout backoff | P1 | **FALSE** | N/A | It's linear (not exponential), capped at 1 retry = 30s max |
+| P2-11: UUID collision | P2 | **FALSE** | N/A | Mathematically negligible (2^128 space) |
+| P2-12: Rate limiting not cluster-safe | P2 | REAL | **P3** | Single-instance deployment, not currently exploitable |
+| P2-13: Client resolver silent failure | P2 | **FALSE** | N/A | Code falls back to 'global' correctly (line 165) |
+| P2-14: No error recovery in batch consolidation | P2 | REAL | OK | Failed batches stay `consolidated=false`, retried next run |
+| P2-15: Embedding fallback | P2 | REAL | **P3** | Architectural limitation, not a bug |
+| P3-16: Incomplete input validation | P3 | **FALSE** | N/A | Didn't read validate.js. Validation IS thorough |
+| P3-17: Client_id in consolidation prompt | P3 | **FALSE** | N/A | Code preserves client_id correctly (line 338) |
+| P3-18: No logging | P3 | **FALSE** | N/A | Logging exists at lines 778, 832, 958 |
+| P3-19: Qdrant errors leak details | P3 | **FALSE** | N/A | All error handlers return generic messages |
+| P3-20: IP spoofing | P3 | REAL | **P3** | Internal API, not internet-facing |
+
+**Summary**: 10/20 findings were false positives (50% FP rate). Of the 10 real findings, 5 were already in the primary audit, 3 were P3 design choices, and 2 were correctly handled by existing code. **Zero confirmed P0 vulnerabilities.**
+
+### Claude Explore Agent — Architecture Analysis (47 tool calls, 537KB output)
+
+Comprehensive architecture map with 15 anomalies. Cross-verification:
+
+| Explore Claim | Verified | Notes |
+|--------------|----------|-------|
+| "No test files found" | **FALSE** | 6 test files in `api/tests/`, 114 tests pass |
+| "No batch size limit" | **FALSE** | `BATCH_MAX_SIZE=100` at `memory.js:849` |
+| "MCP consolidation async-only" | **FALSE** | `sync: boolean` param exists in MCP tool definition |
+| Confidence decay no lower bound | REAL (P3) | After 100 days: 0.98^100 = 13%. By design but could floor at 0.1 |
+| Temporal buffer inconsistency | REAL (P3) | ±2d for "days ago", ±5d for "last month", not documented |
+| Fire-and-forget lacks monitoring | REAL (P3) | Entity linking, keyword index, notifications — all silent on failure |
+| Client resolver MIN_THRESHOLD=2 | REAL (P3) | Permissive matching, could misattribute memories to wrong client |
+
+**Summary**: 3/7 key claims were false. 4 valid observations, all P3 severity. The architecture analysis was thorough but over-reported issues it hadn't fully verified.
+
+---
+
+## Recommended Fix Priority
+
+1. **P1-1**: Add Postgres path to `reclassifyEntity()` + entities route dry-run
+2. **P1-2**: Add supersedes, structured DB writes, and entity linking to batch endpoint
+3. **P2-1**: Add keyword indexing + structured DB writes to consolidation merged facts
+4. **P2-4**: Clean `_sessionKey`/`_sessionRank` from search response
+5. **P2-5**: Run entity merge for the 4 confirmed duplicate pairs
+6. **P2-6**: Tighten `isJunkQuotedName()` to reject more noise patterns
+7. **P2-2**: Refactor cleanupOldEvents to filter per-page instead of loading all
+8. **P3-2**: Add `knowledge_category` to `validateMemoryInput`
+9. **P3-4**: Add Postgres service to CI workflow

api/src/middleware/validate.js

@@ -3,6 +3,7 @@
 const AGENT_NAME_REGEX = /^[a-zA-Z0-9_-]{1,64}$/;
 const VALID_TYPES = ['event', 'fact', 'decision', 'status'];
 const VALID_IMPORTANCE = ['critical', 'high', 'medium', 'low'];
+const VALID_KNOWLEDGE_CATEGORIES = ['brand', 'strategy', 'meeting', 'content', 'technical', 'relationship', 'general'];
 const MAX_CONTENT_LENGTH = 10_000;
 const MAX_METADATA_SIZE = 10_240; // 10 KB serialized
 const MAX_METADATA_DEPTH = 3;
@@ -51,6 +52,12 @@ export function validateMetadata(metadata) {
   return null;
 }
 
+export function validateKnowledgeCategory(kc) {
+  if (kc === undefined || kc === null) return null; // optional, defaults to 'general'
+  if (!VALID_KNOWLEDGE_CATEGORIES.includes(kc)) return `Invalid knowledge_category: ${kc}. Must be one of: ${VALID_KNOWLEDGE_CATEGORIES.join(', ')}`;
+  return null;
+}
+
 export function validateStringField(value, name, maxLen = MAX_STRING_FIELD_LENGTH) {
   if (value === undefined || value === null) return null; // optional
   if (typeof value !== 'string') return `${name} must be a string`;
@@ -80,11 +87,12 @@ export function validateTemporalFields(valid_from, valid_to) {
 }
 
 // Validate all inputs for POST /memory and return first error or null
-export function validateMemoryInput({ type, content, source_agent, importance, metadata, client_id, key, subject, status_value, valid_from, valid_to }) {
+export function validateMemoryInput({ type, content, source_agent, importance, metadata, client_id, key, subject, status_value, valid_from, valid_to, knowledge_category }) {
   return validateType(type)
     || validateContent(content)
     || validateSourceAgent(source_agent)
     || validateImportance(importance)
+    || validateKnowledgeCategory(knowledge_category)
     || validateMetadata(metadata)
     || validateClientId(client_id)
     || validateStringField(key, 'key', 128)

api/src/routes/entities.js

@@ -112,15 +112,22 @@ entitiesRouter.post('/reclassify', async (req, res) => {
       if (isDryRun) {
         // Count linked memories for preview
         const store = _getStoreInstance();
-        const linkCount = store?.db
-          ? store.db.prepare('SELECT COUNT(*) as count FROM entity_memory_links WHERE entity_id = @id').get({ id: entity.id })
-          : { count: 0 };
+        let memoriesAffected = 0;
+        if (store?.pool) {
+          const result = await store.pool.query(
+            'SELECT COUNT(*) as count FROM entity_memory_links WHERE entity_id = $1', [entity.id]
+          );
+          memoriesAffected = parseInt(result.rows[0]?.count) || 0;
+        } else if (store?.db) {
+          const linkCount = store.db.prepare('SELECT COUNT(*) as count FROM entity_memory_links WHERE entity_id = @id').get({ id: entity.id });
+          memoriesAffected = linkCount?.count || 0;
+        }
 
         results.push({
           name: entity.canonical_name,
           old_type: oldType,
           new_type: entry.new_type,
-          memories_affected: linkCount?.count || 0,
+          memories_affected: memoriesAffected,
         });
       } else {
         // 1. Update structured store