API Hardening, bug fixes, code cleanup

[isTravis]

A broad maintenance pass over the server, CLI, and tooling, plus one protocol
addition: record-level public content-addresses.

Protocol: public record hashes

Records of types with private fields now have a second content-address — the SHA-256 of the record with those fields stripped. Public manifests list records by this public hash, and the record endpoints resolve either address, so any reader can verify that hashing the document they received reproduces the address they requested. The version-level public: hash now rolls up from stored per-record hashes instead of being recomputed from record bodies.

• New nullable public_record_hash column on version_records (additive migration, NULL when the type has no private fields — the common case)
• Computed once at commit; carried through metadata-only versions and forks
• Documented in /protocol and ai.txt; golden-value tests pin the format

Access control and hardening

• Consistent org-membership and role checks across collection, version, and push endpoints, with privacy filtering (private types/fields/records and the collection public flag) applied uniformly on every read path — manifests, diffs, batch fetch, provenance, SQLite exports, and ARK resolution
• Browser sessions now carry write scope; destructive actions are gated by per-resource org roles. Collection-scoped API keys are enforced on writes
• Mirror admin endpoints require an operator (MIRROR_ADMIN_EMAILS) or an admin API key; CORS uses an explicit origin allowlist (CORS_ORIGINS)
• README markdown is sanitized before rendering; SSR titles/descriptions are escaped; uploads capped (MAX_FILE_UPLOAD_BYTES, default 100 MB); pushed schemas are size/pattern-bounded before compilation; required secrets fail fast in production; generate-sql is rate-limited per user/IP

CLI

• pull rewritten: handles incremental (?since=) pulls, follows manifest pagination cursors, chunks batch fetches, streams responses, and never writes the manifest/HEAD if a fetch fails
• Version-hash logic moved into src/lib/core/ and shared with the server — the wire format is now defined in exactly one place, locked by tests
• Corrupt local-store files produce clear errors instead of raw stack traces

Ops tooling

• tool:backup streams to S3 (constant memory regardless of dump size)
• New tool:restore (lists backups; restores only with explicit --yes) and tool:pruneBackups (daily/weekly retention, --dry-run)
• New tool:cleanupSessions clears expired negotiate sessions; all three are scheduled via cron

Code quality

• First real test suite for src/lib/core/ (hashing, semver, privacy, validation, version hashes) — 72 tests
• Removed unused deps (bcrypt, nodemailer, @sinclair/typebox), dead modules, design-playground routes, and the stale package-lock.json; packages/cli is now a proper pnpm workspace member
• Deduplicated repeated queries/blocks into shared helpers; uniform { error, statusCode } response shape; previously-swallowed errors are logged (exports now report files_missing in their manifest)
• Lint config renamed so oxlint actually discovers it, with the typescript/react/import plugins enabled
• Auth redirect stub pages replaced with server-side 302s

Docs

README reconciled with the code (real push endpoints, full env-var table, accurate project structure and CLI examples); scaling plan rewritten in planning/.

Notes for deploy

• One additive migration (runs automatically at boot); no backfill needed
• New optional env vars: MIRROR_ADMIN_EMAILS, CORS_ORIGINS, MAX_FILE_UPLOAD_BYTES; SESSION_SECRET is now required in production