refactor: rename recall→ask, fix multi-repo bootstrap, add security s… (#15)

* refactor: rename recall→ask, fix multi-repo bootstrap, add security scanning

Rename:
- DB column suggested_recall_queries → suggested_ask_queries with migration
- Go variable recallLimit → candidateLimit (IR terminology preserved)
- Stale comments referencing /tw-brief and recall updated throughout
- CLAUDE.md, AGENTS.md, GEMINI.md slash commands synced with registry
- Shell scripts, architecture docs, and training data updated

Bootstrap fixes:
- Fix 100% evidence rejection in multi-repo mode by prefixing evidence
  file paths with service-relative directory before verification
- Fix split-brain database: refresh project context after init creates
  local .taskwing/ so ingestion writes to correct DB
- Handle workspace-relative git paths in verification agent

Cleanup:
- Remove removedLegacySlashCommands backward compatibility mechanism
- Fix stale /tw-brief references in DemoSection, WORKFLOW_CONTRACT

Security:
- Add CodeQL workflow for Go static analysis
- Add Trivy workflow with filesystem and binary vulnerability scanning

* fix(ci): remove unused function and dead integration job

Remove newPostHogClientWithEnqueuer (unused after test file deletion)
and integration-opencode CI job (tests/integration/ no longer exists).

* fix(mcp): remember tool returns empty ID due to value receiver

UpsertNodeBySummary takes Node by value, so the ID generated inside
the store never propagates back to the caller. Generate node ID in
AddNode before passing to the store.

* fix(docs): sync managed markdown blocks with partials

Add missing `taskwing ask` to core_commands partial and re-sync all
target files (README, CLAUDE, GEMINI, TUTORIAL, PRODUCT_VISION) to
match the canonical partials.

Author: josephgoksu

.github/workflows/ci.yml

@@ -43,19 +43,3 @@ jobs:
       - name: Test
         run: go test ./...
 
-  # OpenCode integration tests - runs on main merges and PRs
-  integration-opencode:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: actions/setup-go@v5
-        with:
-          go-version: '1.24'
-          cache: true
-
-      - name: Build binary for integration tests
-        run: make build
-
-      - name: Run OpenCode integration tests
-        run: go test -v ./tests/integration/... -run "TestOpenCode"

.github/workflows/codeql.yml

@@ -0,0 +1,42 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+    tags-ignore:
+      - 'v*'
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 1' # Weekly Monday 06:00 UTC
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [go]
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.24'
+          cache: true
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Build
+        run: make build
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: '/language:${{ matrix.language }}'

.github/workflows/trivy.yml

@@ -0,0 +1,71 @@
+name: Trivy Security Scan
+
+on:
+  push:
+    branches: [main]
+    tags-ignore:
+      - 'v*'
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 1' # Weekly Monday 06:00 UTC
+
+jobs:
+  vulnerability-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner (filesystem)
+        uses: aquasecurity/trivy-action@0.34.0
+        with:
+          scan-type: fs
+          scan-ref: .
+          severity: CRITICAL,HIGH
+          format: sarif
+          output: trivy-fs.sarif
+
+      - name: Upload Trivy filesystem results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: trivy-fs.sarif
+          category: trivy-filesystem
+
+  binary-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.24'
+          cache: true
+
+      - name: Build binary
+        run: |
+          make build
+          mkdir -p scan-target
+          cp taskwing scan-target/
+
+      - name: Run Trivy on compiled binary
+        uses: aquasecurity/trivy-action@0.34.0
+        with:
+          scan-type: rootfs
+          scan-ref: ./scan-target
+          severity: CRITICAL,HIGH
+          format: sarif
+          output: trivy-binary.sarif
+
+      - name: Upload Trivy binary results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: trivy-binary.sarif
+          category: trivy-binary

.taskwing.example.yaml

@@ -29,7 +29,7 @@ data:
 #   # Query uses cheap fast models for frequent context lookups
 #   models:
 #     bootstrap: "openai:gpt-5"           # Used by: tw bootstrap, tw plan
-#     query: "gemini:gemini-2.0-flash"    # Used by: tw context, recall MCP
+#     query: "gemini:gemini-2.0-flash"    # Used by: tw context, ask MCP
 #
 #   # API keys can also be set via environment variables:
 #   # OPENAI_API_KEY, ANTHROPIC_API_KEY, GEMINI_API_KEY

AGENTS.md

@@ -67,20 +67,22 @@ Brand names and logos are trademarks of their respective owners; usage here indi
 <!-- TASKWING_LEGAL_END -->
 
 ### Slash Commands
-- /tw-brief - Use when you need a compact project brief.
-- /tw-next - Use when you are ready to start the next approved task.
-- /tw-done - Use when implementation is verified and ready to complete.
-- /tw-plan - Use when you need to clarify a goal and build a plan.
-- /tw-status - Use when you need current task progress.
-- /tw-debug - Use when debugging must start from root-cause evidence.
-- /tw-explain - Use when you need a deep symbol explanation.
-- /tw-simplify - Use when you want to simplify code without behavior changes.
+- /tw-ask - Use when you need to search project knowledge (decisions, patterns, constraints).
+- /tw-remember - Use when you want to persist a decision, pattern, or insight to project memory.
+- /tw-next - Use when you are ready to start the next approved TaskWing task with full context.
+- /tw-done - Use when implementation is verified and you are ready to complete the current task.
+- /tw-status - Use when you need current task progress and acceptance criteria status.
+- /tw-plan - Use when you need to clarify a goal and build an approved execution plan.
+- /tw-debug - Use when an issue requires root-cause-first debugging before proposing fixes.
+- /tw-explain - Use when you need a deep explanation of a code symbol and its call graph.
+- /tw-simplify - Use when you want to simplify code while preserving behavior.
 
 ### Core Commands
 
 <!-- TASKWING_COMMANDS_START -->
 - taskwing bootstrap
 - taskwing goal "<goal>"
+- taskwing ask "<query>"
 - taskwing task
 - taskwing plan status
 - taskwing slash
@@ -95,7 +97,7 @@ Brand names and logos are trademarks of their respective owners; usage here indi
 <!-- TASKWING_MCP_TOOLS_START -->
 | Tool | Description |
 |------|-------------|
-| recall | Retrieve project knowledge (decisions, patterns, constraints) |
+| ask | Search project knowledge (decisions, patterns, constraints) |
 | task | Unified task lifecycle (next, current, start, complete) |
 | plan | Plan management (clarify, decompose, expand, generate, finalize, audit) |
 | code | Code intelligence (find, search, explain, callers, impact, simplify) |

CLAUDE.md

@@ -142,13 +142,13 @@ Uses CloudWeGo Eino for multi-provider support:
 
 ### MCP Server
 
-`taskwing mcp` starts a JSON-RPC stdio server exposing `recall`, `task`, `plan`, `code`, `debug`, and `remember` tools.
+`taskwing mcp` starts a JSON-RPC stdio server exposing `ask`, `task`, `plan`, `code`, `debug`, and `remember` tools.
 
 ### Task Context Binding
 
 Tasks receive architectural context via a **hybrid early+late binding** approach:
 
-1. **Early binding** (at task creation): `TaskEnricher` executes recall queries and embeds results in `Task.ContextSummary`
+1. **Early binding** (at task creation): `TaskEnricher` executes ask queries and embeds results in `Task.ContextSummary`
 2. **Late binding** (at display): `FormatRichContext()` uses early-bound context or fetches fresh context as fallback
 
 This ensures tasks always have relevant architecture context while maintaining backward compatibility with older tasks.
@@ -323,40 +323,42 @@ Brand names and logos are trademarks of their respective owners; usage here indi
 <!-- TASKWING_LEGAL_END -->
 
 ### Slash Commands
-- /tw-brief - Use when you need a compact project brief.
-- /tw-next - Use when you are ready to start the next approved task.
-- /tw-done - Use when implementation is verified and ready to complete.
-- /tw-plan - Use when you need to clarify a goal and build a plan.
-- /tw-status - Use when you need current task progress.
-- /tw-debug - Use when debugging must start from root-cause evidence.
-- /tw-explain - Use when you need a deep symbol explanation.
-- /tw-simplify - Use when you want to simplify code without behavior changes.
+- /tw-ask - Use when you need to search project knowledge (decisions, patterns, constraints).
+- /tw-remember - Use when you want to persist a decision, pattern, or insight to project memory.
+- /tw-next - Use when you are ready to start the next approved TaskWing task with full context.
+- /tw-done - Use when implementation is verified and you are ready to complete the current task.
+- /tw-status - Use when you need current task progress and acceptance criteria status.
+- /tw-plan - Use when you need to clarify a goal and build an approved execution plan.
+- /tw-debug - Use when an issue requires root-cause-first debugging before proposing fixes.
+- /tw-explain - Use when you need a deep explanation of a code symbol and its call graph.
+- /tw-simplify - Use when you want to simplify code while preserving behavior.
 
 ### Core Commands
 
 <!-- TASKWING_COMMANDS_START -->
-- taskwing bootstrap
-- taskwing goal "<goal>"
-- taskwing task
-- taskwing plan status
-- taskwing slash
-- taskwing mcp
-- taskwing doctor
-- taskwing config
-- taskwing start
+- `taskwing bootstrap`
+- `taskwing goal "<goal>"`
+- `taskwing ask "<query>"`
+- `taskwing task`
+- `taskwing plan status`
+- `taskwing slash`
+- `taskwing mcp`
+- `taskwing doctor`
+- `taskwing config`
+- `taskwing start`
 <!-- TASKWING_COMMANDS_END -->
 
 ### MCP Tools (Canonical Contract)
 
 <!-- TASKWING_MCP_TOOLS_START -->
 | Tool | Description |
 |------|-------------|
-| recall | Retrieve project knowledge (decisions, patterns, constraints) |
-| task | Unified task lifecycle (next, current, start, complete) |
-| plan | Plan management (clarify, decompose, expand, generate, finalize, audit) |
-| code | Code intelligence (find, search, explain, callers, impact, simplify) |
-| debug | Diagnose issues systematically with AI-powered analysis |
-| remember | Store knowledge in project memory |
+| `ask` | Search project knowledge (decisions, patterns, constraints) |
+| `task` | Unified task lifecycle (`next`, `current`, `start`, `complete`) |
+| `plan` | Plan management (`clarify`, `decompose`, `expand`, `generate`, `finalize`, `audit`) |
+| `code` | Code intelligence (`find`, `search`, `explain`, `callers`, `impact`, `simplify`) |
+| `debug` | Diagnose issues systematically with AI-powered analysis |
+| `remember` | Store knowledge in project memory |
 <!-- TASKWING_MCP_TOOLS_END -->
 
 ### Autonomous Task Execution (Hooks)

GEMINI.md

@@ -100,7 +100,7 @@ The system is composed of a CLI tool with an embedded MCP server and a web dashb
 
 ## MCP Integration
 
-TaskWing exposes a `recall` tool. When working on this feature:
+TaskWing exposes an `ask` tool. When working on this feature:
 *   Ensure responses stay within token budgets (500-1000 tokens).
 *   Test with `taskwing mcp` locally or use `make test-mcp`.
 
@@ -211,40 +211,42 @@ Brand names and logos are trademarks of their respective owners; usage here indi
 <!-- TASKWING_LEGAL_END -->
 
 ### Slash Commands
-- /tw-brief - Use when you need a compact project brief.
-- /tw-next - Use when you are ready to start the next approved task.
-- /tw-done - Use when implementation is verified and ready to complete.
-- /tw-plan - Use when you need to clarify a goal and build a plan.
-- /tw-status - Use when you need current task progress.
-- /tw-debug - Use when debugging must start from root-cause evidence.
-- /tw-explain - Use when you need a deep symbol explanation.
-- /tw-simplify - Use when you want to simplify code without behavior changes.
+- /tw-ask - Use when you need to search project knowledge (decisions, patterns, constraints).
+- /tw-remember - Use when you want to persist a decision, pattern, or insight to project memory.
+- /tw-next - Use when you are ready to start the next approved TaskWing task with full context.
+- /tw-done - Use when implementation is verified and you are ready to complete the current task.
+- /tw-status - Use when you need current task progress and acceptance criteria status.
+- /tw-plan - Use when you need to clarify a goal and build an approved execution plan.
+- /tw-debug - Use when an issue requires root-cause-first debugging before proposing fixes.
+- /tw-explain - Use when you need a deep explanation of a code symbol and its call graph.
+- /tw-simplify - Use when you want to simplify code while preserving behavior.
 
 ### Core Commands
 
 <!-- TASKWING_COMMANDS_START -->
-- taskwing bootstrap
-- taskwing goal "<goal>"
-- taskwing task
-- taskwing plan status
-- taskwing slash
-- taskwing mcp
-- taskwing doctor
-- taskwing config
-- taskwing start
+- `taskwing bootstrap`
+- `taskwing goal "<goal>"`
+- `taskwing ask "<query>"`
+- `taskwing task`
+- `taskwing plan status`
+- `taskwing slash`
+- `taskwing mcp`
+- `taskwing doctor`
+- `taskwing config`
+- `taskwing start`
 <!-- TASKWING_COMMANDS_END -->
 
 ### MCP Tools (Canonical Contract)
 
 <!-- TASKWING_MCP_TOOLS_START -->
 | Tool | Description |
 |------|-------------|
-| recall | Retrieve project knowledge (decisions, patterns, constraints) |
-| task | Unified task lifecycle (next, current, start, complete) |
-| plan | Plan management (clarify, decompose, expand, generate, finalize, audit) |
-| code | Code intelligence (find, search, explain, callers, impact, simplify) |
-| debug | Diagnose issues systematically with AI-powered analysis |
-| remember | Store knowledge in project memory |
+| `ask` | Search project knowledge (decisions, patterns, constraints) |
+| `task` | Unified task lifecycle (`next`, `current`, `start`, `complete`) |
+| `plan` | Plan management (`clarify`, `decompose`, `expand`, `generate`, `finalize`, `audit`) |
+| `code` | Code intelligence (`find`, `search`, `explain`, `callers`, `impact`, `simplify`) |
+| `debug` | Diagnose issues systematically with AI-powered analysis |
+| `remember` | Store knowledge in project memory |
 <!-- TASKWING_MCP_TOOLS_END -->
 
 ### Autonomous Task Execution (Hooks)