Fix Wax audit remediation issues

[christopherkarani]

Summary

• fixes audit blockers across iOS availability, WAL payload validation, mmap durability, vector decode overflow, stale vector refill, and pending preview behavior
• hardens MCP/CLI broker behavior around bounded daemon envelopes, doctor timeout cleanup, JSON null validation, hidden flush rejection, and no-trait imports
• aligns public docs, demo package baselines, npm architecture metadata, launcher behavior, and release scripts

Stacking

• This PR is stacked on codex/zig / PR Add OpenClaw memory adapter and MiniLM fix #66. It should be retargeted to main after Add OpenClaw memory adapter and MiniLM fix #66 lands, or merged after Add OpenClaw memory adapter and MiniLM fix #66.

Verification

• swift build --disable-automatic-resolution
• xcodebuild -quiet -scheme Wax -destination 'generic/platform=iOS' -derivedDataPath .build-codex/FixAuditIOSDerivedData build
• swift test --filter 'CrashRecoveryTests|FDFileTests|VectorSerializerTests|UnifiedSearchTests' --disable-automatic-resolution (64 tests)
• swift test --traits default,MCPServer --filter WaxMCPServerTests --disable-automatic-resolution (75 tests)
• focused CLI/MCP/package/docs regressions
• swift build --package-path Resources/WaxDemo --disable-automatic-resolution
• (cd Resources/npm/waxmcp && npm pack --dry-run)
• git diff --check

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 52c0d9ccd2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Restore broker shutdown for brokers started by wax-mcp

This refactor removed the startup/teardown ownership tracking for the broker in runServer, so when wax-mcp starts a broker on demand via AgentBrokerClient.perform (the default path for tool calls), that broker is no longer shut down when the MCP server exits. In short-lived stdio sessions this leaves the broker process and store lock alive until idle timeout, which can block subsequent direct store access and make follow-up commands fail intermittently after server exit.

Useful? React with 👍 / 👎.

[christopherkarani]

Closing as stale/superseded. This branch was stacked on codex/zig, which has since landed, and current main contains newer follow-up work. The PR is now conflicting, so any remaining useful pieces should be reapplied selectively from a fresh branch off main.