chore(agents): update CEO agent heartbeat log

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
feat(embedding): strip GitLab boilerplate from titles before embedding
2026-03-12 17:07:28 -04:00 · 2026-03-12 17:07:23 -04:00 · 2026-03-12 17:07:10 -04:00 · 2026-03-12 17:07:05 -04:00 · 2026-03-12 17:06:57 -04:00 · 2026-03-12 10:25:39 -04:00
277 changed files with 71588 additions and 29329 deletions
--- a/.beads/.br_history/issues.20260212_161438.jsonl
+++ b/.beads/.br_history/issues.20260212_161438.jsonl
--- a/.beads/.br_history/issues.20260212_171003.jsonl
+++ b/.beads/.br_history/issues.20260212_171003.jsonl
--- a/.beads/.br_history/issues.20260212_171103.jsonl
+++ b/.beads/.br_history/issues.20260212_171103.jsonl
--- a/.beads/issues.jsonl
+++ b/.beads/issues.jsonl
--- a/.beads/last-touched
+++ b/.beads/last-touched
@@ -1 +1 @@
-bd-3hjh
+bd-1lj5
--- a/.cargo/config.toml
+++ b/.cargo/config.toml
@@ -0,0 +1,5 @@
 # Force all builds (including worktrees) to share one target directory.
 # This prevents each Claude Code agent worktree from creating its own
 # ~3GB target/ directory, which was filling the disk.
 [build]
 target-dir = "/Users/tayloreernisse/projects/gitlore/target"
--- a/.claude/plan.md
+++ b/.claude/plan.md
@@ -0,0 +1,99 @@
 # Plan: Add Colors to Sync Command Output
 ## Current State
 The sync output has three layers, each needing color treatment:
 ### Layer 1: Stage Lines (during sync)
 ```
  ✓ Issues     10 issues from 2 projects  4.2s
  ✓ Status     3 statuses updated · 5 seen  4.2s
      vs/typescript-code              2 issues · 1 statuses updated
  ✓ MRs        5 merge requests from 2 projects  12.3s
      vs/python-code                  3 MRs · 10 discussions
  ✓ Docs       1,200 documents generated  8.1s
  ✓ Embed      3,400 chunks embedded  45.2s
 ```
 **What's uncolored:** icons, labels, numbers, elapsed times, sub-row project paths, failure counts in parentheses.
 ### Layer 2: Summary (after sync)
 ```
  Synced 10 issues and 5 MRs in 42.3s
  120 discussions · 45 events · 12 diffs · 3 statuses updated
  1,200 docs regenerated · 3,400 embedded
 ```
 **What's already colored:** headline ("Synced" = green bold, "Sync completed with issues" = warning bold), issue/MR counts (bold), error line (red). Detail lines are all dim.
 ### Layer 3: Timing breakdown (`-t` flag)
 ```
 ── Timing ──────────────────────
  issues .............. 4.2s
  merge_requests ...... 12.3s
 ```
 **What's already colored:** dots (dim), time (bold), errors (red), rate limits (warning).
 ---
 ## Color Plan
 Using only existing `Theme` methods — no new colors needed.
 ### Stage Lines (`format_stage_line` + callers in sync.rs)
 | Element | Current | Proposed | Theme method |
 |---------|---------|----------|-------------|
 | Icon (✓/⚠) | plain | green for success, yellow for warning | `Theme::success()` / `Theme::warning()` |
 | Label ("Issues", "MRs", etc.) | plain | bold | `Theme::bold()` |
 | Numbers in summary text | plain | bold | `Theme::bold()` (just the count) |
 | Elapsed time | plain | muted gray | `Theme::timing()` |
 | Failure text in parens | plain | warning/error color | `Theme::warning()` |
 ### Sub-rows (project breakdown lines)
 | Element | Current | Proposed |
 |---------|---------|----------|
 | Project path | dim | `Theme::muted()` (slightly brighter than dim) |
 | Counts (numbers only) | dim | `Theme::dim()` but numbers in normal weight |
 | Error/failure counts | dim | `Theme::warning()` |
 | Middle dots | dim | keep dim (they're separators, should recede) |
 ### Summary (`print_sync`)
 | Element | Current | Proposed |
 |---------|---------|----------|
 | Issue/MR counts in headline | bold only | `Theme::info()` + bold (cyan numbers pop) |
 | Time in headline | plain | `Theme::timing()` |
 | Detail line numbers | all dim | numbers in `Theme::info()`, rest stays dim |
 | Doc line numbers | all dim | numbers in `Theme::info()`, rest stays dim |
 | "Already up to date" time | plain | `Theme::timing()` |
 ---
 ## Files to Change
 1. **`src/cli/progress.rs`** — `format_stage_line()`: apply color to icon, bold to label, `Theme::timing()` to elapsed
 2. **`src/cli/commands/sync.rs`** —
   - Pass colored icons to `format_stage_line` / `emit_stage_line` / `emit_stage_block`
   - Color failure text in `append_failures()`
   - Color numbers and time in `print_sync()`
   - Color error/failure counts in sub-row functions (`issue_sub_rows`, `mr_sub_rows`, `status_sub_rows`)
 ## Approach
 - `format_stage_line` already receives the icon string — color it before passing
 - Add a `color_icon` helper that applies success/warning color to the icon glyph
 - Bold the label in `format_stage_line`
 - Apply `Theme::timing()` to elapsed in `format_stage_line`
 - In `append_failures`, wrap failure text in `Theme::warning()`
 - In `print_sync`, wrap count numbers with `Theme::info().bold()`
 - In sub-row functions, apply `Theme::warning()` to error/failure parts only (keep rest dim)
 ## Non-goals
 - No changes to robot mode (JSON output)
 - No changes to dry-run output (already reasonably colored)
 - No new Theme colors — use existing palette
 - No changes to timing breakdown (already colored)
--- a/.github/workflows/roam.yml
+++ b/.github/workflows/roam.yml
@@ -0,0 +1,21 @@
 name: Roam Code Analysis
 on:
  pull_request:
    branches: [main, master]
 permissions:
  contents: read
  pull-requests: write
 jobs:
  roam:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install roam-code
      - run: roam index
      - run: roam fitness
      - run: roam pr-risk --json
--- a/.gitignore
+++ b/.gitignore
@@ -31,6 +31,7 @@ yarn-error.log*
 # Local config files
 lore.config.json
 .liquid-mail.toml
 # beads
 .bv/
@@ -41,6 +42,9 @@ lore.config.json
 *.db-shm
 # Mock seed data
 tools/mock-seed/
 # Added by cargo
 /target
--- a/.opencode/rules
+++ b/.opencode/rules
@@ -1,50 +0,0 @@
 ````markdown
 ## UBS Quick Reference for AI Agents
 UBS stands for "Ultimate Bug Scanner": **The AI Coding Agent's Secret Weapon: Flagging Likely Bugs for Fixing Early On**
 **Install:** `curl -sSL https://raw.githubusercontent.com/Dicklesworthstone/ultimate_bug_scanner/master/install.sh | bash`
 **Golden Rule:** `ubs <changed-files>` before every commit. Exit 0 = safe. Exit >0 = fix & re-run.
 **Commands:**
 ```bash
 ubs file.ts file2.py                    # Specific files (< 1s) — USE THIS
 ubs $(git diff --name-only --cached)    # Staged files — before commit
 ubs --only=js,python src/               # Language filter (3-5x faster)
 ubs --ci --fail-on-warning .            # CI mode — before PR
 ubs --help                              # Full command reference
 ubs sessions --entries 1                # Tail the latest install session log
 ubs .                                   # Whole project (ignores things like .venv and node_modules automatically)
 ```
 **Output Format:**
 ```
 ⚠️  Category (N errors)
    file.ts:42:5 – Issue description
    💡 Suggested fix
 Exit code: 1
 ```
 Parse: `file:line:col` → location | 💡 → how to fix | Exit 0/1 → pass/fail
 **Fix Workflow:**
 1. Read finding → category + fix suggestion
 2. Navigate `file:line:col` → view context
 3. Verify real issue (not false positive)
 4. Fix root cause (not symptom)
 5. Re-run `ubs <file>` → exit 0
 6. Commit
 **Speed Critical:** Scope to changed files. `ubs src/file.ts` (< 1s) vs `ubs .` (30s). Never full scan for small edits.
 **Bug Severity:**
 - **Critical** (always fix): Null safety, XSS/injection, async/await, memory leaks
 - **Important** (production): Type narrowing, division-by-zero, resource leaks
 - **Contextual** (judgment): TODO/FIXME, console logs
 **Anti-Patterns:**
 - ❌ Ignore findings → ✅ Investigate each
 - ❌ Full scan per edit → ✅ Scope to file
 - ❌ Fix symptom (`if (x) { x.y }`) → ✅ Root cause (`x?.y`)
 ````
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -127,66 +127,17 @@ Prefer deterministic lab-runtime tests for concurrency-sensitive behavior.
 ---
 ## MCP Agent Mail — Multi-Agent Coordination
 A mail-like layer that lets coding agents coordinate asynchronously via MCP tools and resources. Provides identities, inbox/outbox, searchable threads, and advisory file reservations with human-auditable artifacts in Git.
 ### Why It's Useful
 - **Prevents conflicts:** Explicit file reservations (leases) for files/globs
 - **Token-efficient:** Messages stored in per-project archive, not in context
 - **Quick reads:** `resource://inbox/...`, `resource://thread/...`
 ### Same Repository Workflow
 1. **Register identity:**
   ```
   ensure_project(project_key=<abs-path>)
   register_agent(project_key, program, model)
   ```
 2. **Reserve files before editing:**
   ```
   file_reservation_paths(project_key, agent_name, ["src/**"], ttl_seconds=3600, exclusive=true)
   ```
 3. **Communicate with threads:**
   ```
   send_message(..., thread_id="FEAT-123")
   fetch_inbox(project_key, agent_name)
   acknowledge_message(project_key, agent_name, message_id)
   ```
 4. **Quick reads:**
   ```
   resource://inbox/{Agent}?project=<abs-path>&limit=20
   resource://thread/{id}?project=<abs-path>&include_bodies=true
   ```
 ### Macros vs Granular Tools
 - **Prefer macros for speed:** `macro_start_session`, `macro_prepare_thread`, `macro_file_reservation_cycle`, `macro_contact_handshake`
 - **Use granular tools for control:** `register_agent`, `file_reservation_paths`, `send_message`, `fetch_inbox`, `acknowledge_message`
 ### Common Pitfalls
 - `"from_agent not registered"`: Always `register_agent` in the correct `project_key` first
 - `"FILE_RESERVATION_CONFLICT"`: Adjust patterns, wait for expiry, or use non-exclusive reservation
 - **Auth errors:** If JWT+JWKS enabled, include bearer token with matching `kid`
 ---
 ## Beads (br) — Dependency-Aware Issue Tracking
-Beads provides a lightweight, dependency-aware issue database and CLI (`br` / beads_rust) for selecting "ready work," setting priorities, and tracking status. It complements MCP Agent Mail's messaging and file reservations.
+Beads provides a lightweight, dependency-aware issue database and CLI (`br` / beads_rust) for selecting "ready work," setting priorities, and tracking status. It complements Liquid Mail's shared log for progress, decisions, and cross-session context.
 **Note:** `br` is non-invasive—it never executes git commands directly. You must run git commands manually after `br sync --flush-only`.
 ### Conventions
- **Single source of truth:** Beads for task status/priority/dependencies; Agent Mail for conversation and audit
+- **Single source of truth:** Beads for task status/priority/dependencies; Liquid Mail for conversation/decisions
- **Shared identifiers:** Use Beads issue ID (e.g., `br-123`) as Mail `thread_id` and prefix subjects with `[br-123]`
+- **Shared identifiers:** Include the Beads issue ID in posts (e.g., `[br-123] Topic validation rules`)
- **Reservations:** When starting a task, call `file_reservation_paths()` with the issue ID in `reason`
+- **Decisions before action:** Post `DECISION:` messages before risky changes, not after
 ### Typical Agent Flow
@@ -195,35 +146,34 @@ Beads provides a lightweight, dependency-aware issue database and CLI (`br` / be
   br ready --json  # Choose highest priority, no blockers
   ```
-2. **Reserve edit surface (Mail):**
+2. **Check context (Liquid Mail):**
-   ```
+   ```bash
-   file_reservation_paths(project_key, agent_name, ["src/**"], ttl_seconds=3600, exclusive=true, reason="br-123")
+   liquid-mail notify                # See what changed since last session
   liquid-mail query "br-123"        # Find prior discussion on this issue
   ```
-3. **Announce start (Mail):**
+3. **Work and log progress:**
-   ```
+   ```bash
-   send_message(..., thread_id="br-123", subject="[br-123] Start: <title>", ack_required=true)
+   liquid-mail post --topic <workstream> "[br-123] START: <description>"
   liquid-mail post "[br-123] FINDING: <what you discovered>"
   liquid-mail post --decision "[br-123] DECISION: <what you decided and why>"
   ```
-4. **Work and update:** Reply in-thread with progress
+4. **Complete (Beads is authority):**
 5. **Complete and release:**
   ```bash
   br close br-123 --reason "Completed"
   liquid-mail post "[br-123] Completed: <summary with commit ref>"
   ```
   ```
   release_file_reservations(project_key, agent_name, paths=["src/**"])
   ```
   Final Mail reply: `[br-123] Completed` with summary
 ### Mapping Cheat Sheet
-| Concept | Value |
+| Concept | In Beads | In Liquid Mail |
-|---------|-------|
+|---------|----------|----------------|
-| Mail `thread_id` | `br-###` |
+| Work item | `br-###` (issue ID) | Include `[br-###]` in posts |
-| Mail subject | `[br-###] ...` |
+| Workstream | — | `--topic auth-system` |
-| File reservation `reason` | `br-###` |
+| Subject prefix | — | `[br-###] ...` |
-| Commit messages | Include `br-###` for traceability |
+| Commit message | Include `br-###` | — |
 | Status | `br update --status` | Post progress messages |
 ---
@@ -231,7 +181,7 @@ Beads provides a lightweight, dependency-aware issue database and CLI (`br` / be
 bv is a graph-aware triage engine for Beads projects (`.beads/beads.jsonl`). It computes PageRank, betweenness, critical path, cycles, HITS, eigenvector, and k-core metrics deterministically.
-**Scope boundary:** bv handles *what to work on* (triage, priority, planning). For agent-to-agent coordination (messaging, work claiming, file reservations), use MCP Agent Mail.
+**Scope boundary:** bv handles *what to work on* (triage, priority, planning). For agent-to-agent coordination (progress logging, decisions, cross-session context), use Liquid Mail.
 **CRITICAL: Use ONLY `--robot-*` flags. Bare `bv` launches an interactive TUI that blocks your session.**
@@ -324,7 +274,7 @@ bv --robot-insights | jq '.Cycles'                         # Circular deps (must
 ```bash
 ubs file.rs file2.rs                    # Specific files (< 1s) — USE THIS
-ubs $(git diff --name-only --cached)    # Staged files — before commit
+ubs $(jj diff --name-only)              # Changed files — before commit
 ubs --only=rust,toml src/               # Language filter (3-5x faster)
 ubs --ci --fail-on-warning .            # CI mode — before PR
 ubs .                                   # Whole project (ignores target/, Cargo.lock)
@@ -436,9 +386,9 @@ Returns structured results with file paths, line ranges, and extracted code snip
 ## Beads Workflow Integration
-This project uses [beads_viewer](https://github.com/Dicklesworthstone/beads_viewer) for issue tracking. Issues are stored in `.beads/` and tracked in git.
+This project uses [beads_viewer](https://github.com/Dicklesworthstone/beads_viewer) for issue tracking. Issues are stored in `.beads/` and tracked in version control.
-**Note:** `br` is non-invasive—it never executes git commands directly. You must run git commands manually after `br sync --flush-only`.
+**Note:** `br` is non-invasive—it never executes VCS commands directly. You must commit manually after `br sync --flush-only`.
 ### Essential Commands
@@ -454,7 +404,7 @@ br create --title="..." --type=task --priority=2
 br update <id> --status=in_progress
 br close <id> --reason="Completed"
 br close <id1> <id2>  # Close multiple issues at once
-br sync --flush-only  # Export to JSONL (then manually: git add .beads/ && git commit)
+br sync --flush-only  # Export to JSONL (then: jj commit -m "Update beads")
 ```
 ### Workflow Pattern
@@ -474,15 +424,14 @@ br sync --flush-only  # Export to JSONL (then manually: git add .beads/ && git c
 ### Session Protocol
-**Before ending any session, run this checklist:**
+**Before ending any session, run this checklist (solo/lead only — workers skip VCS):**
 ```bash
-git status              # Check what changed
+jj status                        # Check what changed
-git add <files>         # Stage code changes
+br sync --flush-only             # Export beads to JSONL
-br sync --flush-only    # Export beads to JSONL
+jj commit -m "..."               # Commit code and beads (jj auto-tracks all changes)
-git add .beads/         # Stage beads changes
+jj bookmark set <name> -r @-     # Point bookmark at committed work
-git commit -m "..."     # Commit code and beads
+jj git push -b <name>            # Push to remote
 git push                # Push to remote
 ```
 ### Best Practices
@@ -491,13 +440,15 @@ git push                # Push to remote
 - Update status as you work (in_progress → closed)
 - Create new issues with `br create` when you discover tasks
 - Use descriptive titles and set appropriate priority/type
- Always run `br sync --flush-only` then commit .beads/ before ending session
+- Always run `br sync --flush-only` then commit before ending session (jj auto-tracks .beads/)
 <!-- end-bv-agent-instructions -->
 ## Landing the Plane (Session Completion)
-**When ending a work session**, you MUST complete ALL steps below. Work is NOT complete until `git push` succeeds.
+**When ending a work session**, you MUST complete ALL steps below. Work is NOT complete until push succeeds.
 **WHO RUNS THIS:** Solo agents run it themselves. In multi-agent sessions, ONLY the team lead runs this. Workers skip VCS entirely.
 **MANDATORY WORKFLOW:**
@@ -506,19 +457,20 @@ git push                # Push to remote
 3. **Update issue status** - Close finished work, update in-progress items
 4. **PUSH TO REMOTE** - This is MANDATORY:
   ```bash
-   git pull --rebase
+   jj git fetch                       # Get latest remote state
-   br sync --flush-only
+   jj rebase -d trunk()               # Rebase onto latest trunk if needed
-   git add .beads/
+   br sync --flush-only               # Export beads to JSONL
-   git commit -m "Update beads"
+   jj commit -m "Update beads"        # Commit (jj auto-tracks .beads/ changes)
-   git push
+   jj bookmark set <name> -r @-       # Point bookmark at committed work
-   git status  # MUST show "up to date with origin"
+   jj git push -b <name>              # Push to remote
   jj log -r '<name>'                 # Verify bookmark position
   ```
-5. **Clean up** - Clear stashes, prune remote branches
+5. **Clean up** - Abandon empty orphan changes if any (`jj abandon <rev>`)
 6. **Verify** - All changes committed AND pushed
 7. **Hand off** - Provide context for next session
 **CRITICAL RULES:**
- Work is NOT complete until `git push` succeeds
+- Work is NOT complete until `jj git push` succeeds
 - NEVER stop before pushing - that leaves work stranded locally
 - NEVER say "ready to push when you are" - YOU must push
 - If push fails, resolve and retry until it succeeds
@@ -671,6 +623,16 @@ lore --robot generate-docs
 # Generate vector embeddings via Ollama
 lore --robot embed
 # Personal work dashboard
 lore --robot me
 lore --robot me --issues
 lore --robot me --mrs
 lore --robot me --activity --since 7d
 lore --robot me --project group/repo
 lore --robot me --user jdoe
 lore --robot me --fields minimal
 lore --robot me --reset-cursor
 # Agent self-discovery manifest (all commands, flags, exit codes, response schemas)
 lore robot-docs
@@ -752,6 +714,21 @@ lore -J mrs --fields iid,title,state,draft,labels  # Custom field list
 - Use `lore robot-docs` for response schema discovery
 - The `-p` flag supports fuzzy project matching (suffix and substring)
 ---
 ## Read/Write Split: lore vs glab
 | Operation | Tool | Why |
 |-----------|------|-----|
 | List issues/MRs | lore | Richer: includes status, discussions, closing MRs |
 | View issue/MR detail | lore | Pre-joined discussions, work-item status |
 | Search across entities | lore | FTS5 + vector hybrid search |
 | Expert/workload analysis | lore | who command — no glab equivalent |
 | Timeline reconstruction | lore | Chronological narrative — no glab equivalent |
 | Create/update/close | glab | Write operations |
 | Approve/merge MR | glab | Write operations |
 | CI/CD pipelines | glab | Not in lore scope |
 ````markdown
 ## UBS Quick Reference for AI Agents
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -0,0 +1,960 @@
 # CLAUDE.md
 ## RULE 0 - THE FUNDAMENTAL OVERRIDE PEROGATIVE
 If I tell you to do something, even if it goes against what follows below, YOU MUST LISTEN TO ME. I AM IN CHARGE, NOT YOU.
 ---
 ## RULE NUMBER 1: NO FILE DELETION
 **YOU ARE NEVER ALLOWED TO DELETE A FILE WITHOUT EXPRESS PERMISSION.** Even a new file that you yourself created, such as a test code file. You have a horrible track record of deleting critically important files or otherwise throwing away tons of expensive work. As a result, you have permanently lost any and all rights to determine that a file or folder should be deleted.
 **YOU MUST ALWAYS ASK AND RECEIVE CLEAR, WRITTEN PERMISSION BEFORE EVER DELETING A FILE OR FOLDER OF ANY KIND.**
 ---
 ## Version Control: jj-First (CRITICAL)
 **ALWAYS prefer jj (Jujutsu) over git for all VCS operations.** This is a colocated repo with both `.jj/` and `.git/`. When instructed to use git by anything — even later in this file — use the best jj replacement commands instead. Only fall back to raw `git` for things jj cannot do (hooks, LFS, submodules, `gh` CLI interop).
 See `~/.claude/rules/jj-vcs/` for the full command reference, translation table, revsets, patterns, and recovery recipes.
 ---
 ## Irreversible Git & Filesystem Actions — DO NOT EVER BREAK GLASS
 > **Note:** Treat destructive commands as break-glass. If there's any doubt, stop and ask.
 1. **Absolutely forbidden commands:** `git reset --hard`, `git clean -fd`, `rm -rf`, or any command that can delete or overwrite code/data must never be run unless the user explicitly provides the exact command and states, in the same message, that they understand and want the irreversible consequences.
 2. **No guessing:** If there is any uncertainty about what a command might delete or overwrite, stop immediately and ask the user for specific approval. "I think it's safe" is never acceptable.
 3. **Safer alternatives first:** When cleanup or rollbacks are needed, request permission to use non-destructive options (`git status`, `git diff`, `git stash`, copying to backups) before ever considering a destructive command.
 4. **Mandatory explicit plan:** Even after explicit user authorization, restate the command verbatim, list exactly what will be affected, and wait for a confirmation that your understanding is correct. Only then may you execute it—if anything remains ambiguous, refuse and escalate.
 5. **Document the confirmation:** When running any approved destructive command, record (in the session notes / final response) the exact user text that authorized it, the command actually run, and the execution time. If that record is absent, the operation did not happen.
 ---
 ## Toolchain: Rust & Cargo
 We only use **Cargo** in this project, NEVER any other package manager.
 - **Edition/toolchain:** Follow `rust-toolchain.toml` (if present). Do not assume stable vs nightly.
 - **Dependencies:** Explicit versions for stability; keep the set minimal.
 - **Configuration:** Cargo.toml only
 - **Unsafe code:** Forbidden (`#![forbid(unsafe_code)]`)
 When writing Rust code, reference RUST_CLI_TOOLS_BEST_PRACTICES.md
 ### Release Profile
 Use the release profile defined in `Cargo.toml`. If you need to change it, justify the
 performance/size tradeoff and how it impacts determinism and cancellation behavior.
 ---
 ## Code Editing Discipline
 ### No Script-Based Changes
 **NEVER** run a script that processes/changes code files in this repo. Brittle regex-based transformations create far more problems than they solve.
 - **Always make code changes manually**, even when there are many instances
 - For many simple changes: use parallel subagents
 - For subtle/complex changes: do them methodically yourself
 ### No File Proliferation
 If you want to change something or add a feature, **revise existing code files in place**.
 **NEVER** create variations like:
 - `mainV2.rs`
 - `main_improved.rs`
 - `main_enhanced.rs`
 New files are reserved for **genuinely new functionality** that makes zero sense to include in any existing file. The bar for creating new files is **incredibly high**.
 ---
 ## Backwards Compatibility
 We do not care about backwards compatibility—we're in early development with no users. We want to do things the **RIGHT** way with **NO TECH DEBT**.
 - Never create "compatibility shims"
 - Never create wrapper functions for deprecated APIs
 - Just fix the code directly
 ---
 ## Compiler Checks (CRITICAL)
 **After any substantive code changes, you MUST verify no errors were introduced:**
 ```bash
 # Check for compiler errors and warnings
 cargo check --all-targets
 # Check for clippy lints (pedantic + nursery are enabled)
 cargo clippy --all-targets -- -D warnings
 # Verify formatting
 cargo fmt --check
 ```
 If you see errors, **carefully understand and resolve each issue**. Read sufficient context to fix them the RIGHT way.
 ---
 ## Testing
 ### Unit & Property Tests
 ```bash
 # Run all tests
 cargo test
 # Run with output
 cargo test -- --nocapture
 ```
 When adding or changing primitives, add tests that assert the core invariants:
 - no task leaks
 - no obligation leaks
 - losers are drained after races
 - region close implies quiescence
 Prefer deterministic lab-runtime tests for concurrency-sensitive behavior.
 ---
 ---
 ## Beads (br) — Dependency-Aware Issue Tracking
 Beads provides a lightweight, dependency-aware issue database and CLI (`br` / beads_rust) for selecting "ready work," setting priorities, and tracking status. It complements Liquid Mail's shared log for progress, decisions, and cross-session context.
 **Note:** `br` is non-invasive—it never executes git commands directly. You must run git commands manually after `br sync --flush-only`.
 ### Conventions
 - **Single source of truth:** Beads for task status/priority/dependencies; Liquid Mail for conversation/decisions
 - **Shared identifiers:** Include the Beads issue ID in posts (e.g., `[br-123] Topic validation rules`)
 - **Decisions before action:** Post `DECISION:` messages before risky changes, not after
 ### Typical Agent Flow
 1. **Pick ready work (Beads):**
   ```bash
   br ready --json  # Choose highest priority, no blockers
   ```
 2. **Check context (Liquid Mail):**
   ```bash
   liquid-mail notify                # See what changed since last session
   liquid-mail query "br-123"        # Find prior discussion on this issue
   ```
 3. **Work and log progress:**
   ```bash
   liquid-mail post --topic <workstream> "[br-123] START: <description>"
   liquid-mail post "[br-123] FINDING: <what you discovered>"
   liquid-mail post --decision "[br-123] DECISION: <what you decided and why>"
   ```
 4. **Complete (Beads is authority):**
   ```bash
   br close br-123 --reason "Completed"
   liquid-mail post "[br-123] Completed: <summary with commit ref>"
   ```
 ### Mapping Cheat Sheet
 | Concept | In Beads | In Liquid Mail |
 |---------|----------|----------------|
 | Work item | `br-###` (issue ID) | Include `[br-###]` in posts |
 | Workstream | — | `--topic auth-system` |
 | Subject prefix | — | `[br-###] ...` |
 | Commit message | Include `br-###` | — |
 | Status | `br update --status` | Post progress messages |
 ---
 ## bv — Graph-Aware Triage Engine
 bv is a graph-aware triage engine for Beads projects (`.beads/beads.jsonl`). It computes PageRank, betweenness, critical path, cycles, HITS, eigenvector, and k-core metrics deterministically.
 **Scope boundary:** bv handles *what to work on* (triage, priority, planning). For agent-to-agent coordination (progress logging, decisions, cross-session context), use Liquid Mail.
 **CRITICAL: Use ONLY `--robot-*` flags. Bare `bv` launches an interactive TUI that blocks your session.**
 ### The Workflow: Start With Triage
 **`bv --robot-triage` is your single entry point.** It returns:
 - `quick_ref`: at-a-glance counts + top 3 picks
 - `recommendations`: ranked actionable items with scores, reasons, unblock info
 - `quick_wins`: low-effort high-impact items
 - `blockers_to_clear`: items that unblock the most downstream work
 - `project_health`: status/type/priority distributions, graph metrics
 - `commands`: copy-paste shell commands for next steps
 ```bash
 bv --robot-triage        # THE MEGA-COMMAND: start here
 bv --robot-next          # Minimal: just the single top pick + claim command
 ```
 ### Command Reference
 **Planning:**
 | Command | Returns |
 |---------|---------|
 | `--robot-plan` | Parallel execution tracks with `unblocks` lists |
 | `--robot-priority` | Priority misalignment detection with confidence |
 **Graph Analysis:**
 | Command | Returns |
 |---------|---------|
 | `--robot-insights` | Full metrics: PageRank, betweenness, HITS, eigenvector, critical path, cycles, k-core, articulation points, slack |
 | `--robot-label-health` | Per-label health: `health_level`, `velocity_score`, `staleness`, `blocked_count` |
 | `--robot-label-flow` | Cross-label dependency: `flow_matrix`, `dependencies`, `bottleneck_labels` |
 | `--robot-label-attention [--attention-limit=N]` | Attention-ranked labels |
 **History & Change Tracking:**
 | Command | Returns |
 |---------|---------|
 | `--robot-history` | Bead-to-commit correlations |
 | `--robot-diff --diff-since <ref>` | Changes since ref: new/closed/modified issues, cycles |
 **Other:**
 | Command | Returns |
 |---------|---------|
 | `--robot-burndown <sprint>` | Sprint burndown, scope changes, at-risk items |
 | `--robot-forecast <id\|all>` | ETA predictions with dependency-aware scheduling |
 | `--robot-alerts` | Stale issues, blocking cascades, priority mismatches |
 | `--robot-suggest` | Hygiene: duplicates, missing deps, label suggestions |
 | `--robot-graph [--graph-format=json\|dot\|mermaid]` | Dependency graph export |
 | `--export-graph <file.html>` | Interactive HTML visualization |
 ### Scoping & Filtering
 ```bash
 bv --robot-plan --label backend              # Scope to label's subgraph
 bv --robot-insights --as-of HEAD~30          # Historical point-in-time
 bv --recipe actionable --robot-plan          # Pre-filter: ready to work
 bv --recipe high-impact --robot-triage       # Pre-filter: top PageRank
 bv --robot-triage --robot-triage-by-track    # Group by parallel work streams
 bv --robot-triage --robot-triage-by-label    # Group by domain
 ```
 ### Understanding Robot Output
 **All robot JSON includes:**
 - `data_hash` — Fingerprint of source beads.jsonl
 - `status` — Per-metric state: `computed|approx|timeout|skipped` + elapsed ms
 - `as_of` / `as_of_commit` — Present when using `--as-of`
 **Two-phase analysis:**
 - **Phase 1 (instant):** degree, topo sort, density
 - **Phase 2 (async, 500ms timeout):** PageRank, betweenness, HITS, eigenvector, cycles
 ### jq Quick Reference
 ```bash
 bv --robot-triage | jq '.quick_ref'                        # At-a-glance summary
 bv --robot-triage | jq '.recommendations[0]'               # Top recommendation
 bv --robot-plan | jq '.plan.summary.highest_impact'        # Best unblock target
 bv --robot-insights | jq '.status'                         # Check metric readiness
 bv --robot-insights | jq '.Cycles'                         # Circular deps (must fix!)
 ```
 ---
 ## UBS — Ultimate Bug Scanner
 **Golden Rule:** `ubs <changed-files>` before every commit. Exit 0 = safe. Exit >0 = fix & re-run.
 ### Commands
 ```bash
 ubs file.rs file2.rs                    # Specific files (< 1s) — USE THIS
 ubs $(jj diff --name-only)              # Changed files — before commit
 ubs --only=rust,toml src/               # Language filter (3-5x faster)
 ubs --ci --fail-on-warning .            # CI mode — before PR
 ubs .                                   # Whole project (ignores target/, Cargo.lock)
 ```
 ### Output Format
 ```
 ⚠️  Category (N errors)
    file.rs:42:5 – Issue description
    💡 Suggested fix
 Exit code: 1
 ```
 Parse: `file:line:col` → location | 💡 → how to fix | Exit 0/1 → pass/fail
 ### Fix Workflow
 1. Read finding → category + fix suggestion
 2. Navigate `file:line:col` → view context
 3. Verify real issue (not false positive)
 4. Fix root cause (not symptom)
 5. Re-run `ubs <file>` → exit 0
 6. Commit
 ### Bug Severity
 - **Critical (always fix):** Memory safety, use-after-free, data races, SQL injection
 - **Important (production):** Unwrap panics, resource leaks, overflow checks
 - **Contextual (judgment):** TODO/FIXME, println! debugging
 ---
 ## ast-grep vs ripgrep
 **Use `ast-grep` when structure matters.** It parses code and matches AST nodes, ignoring comments/strings, and can **safely rewrite** code.
 - Refactors/codemods: rename APIs, change import forms
 - Policy checks: enforce patterns across a repo
 - Editor/automation: LSP mode, `--json` output
 **Use `ripgrep` when text is enough.** Fastest way to grep literals/regex.
 - Recon: find strings, TODOs, log lines, config values
 - Pre-filter: narrow candidate files before ast-grep
 ### Rule of Thumb
 - Need correctness or **applying changes** → `ast-grep`
 - Need raw speed or **hunting text** → `rg`
 - Often combine: `rg` to shortlist files, then `ast-grep` to match/modify
 ### Rust Examples
 ```bash
 # Find structured code (ignores comments)
 ast-grep run -l Rust -p 'fn $NAME($$$ARGS) -> $RET { $$$BODY }'
 # Find all unwrap() calls
 ast-grep run -l Rust -p '$EXPR.unwrap()'
 # Quick textual hunt
 rg -n 'println!' -t rust
 # Combine speed + precision
 rg -l -t rust 'unwrap\(' | xargs ast-grep run -l Rust -p '$X.unwrap()' --json
 ```
 ---
 ## Morph Warp Grep — AI-Powered Code Search
 **Use `mcp__morph-mcp__warp_grep` for exploratory "how does X work?" questions.** An AI agent expands your query, greps the codebase, reads relevant files, and returns precise line ranges with full context.
 **Use `ripgrep` for targeted searches.** When you know exactly what you're looking for.
 **Use `ast-grep` for structural patterns.** When you need AST precision for matching/rewriting.
 ### When to Use What
 | Scenario | Tool | Why |
 |----------|------|-----|
 | "How is pattern matching implemented?" | `warp_grep` | Exploratory; don't know where to start |
 | "Where is the quick reject filter?" | `warp_grep` | Need to understand architecture |
 | "Find all uses of `Regex::new`" | `ripgrep` | Targeted literal search |
 | "Find files with `println!`" | `ripgrep` | Simple pattern |
 | "Replace all `unwrap()` with `expect()`" | `ast-grep` | Structural refactor |
 ### warp_grep Usage
 ```
 mcp__morph-mcp__warp_grep(
  repoPath: "/path/to/dcg",
  query: "How does the safe pattern whitelist work?"
 )
 ```
 Returns structured results with file paths, line ranges, and extracted code snippets.
 ### Anti-Patterns
 - **Don't** use `warp_grep` to find a specific function name → use `ripgrep`
 - **Don't** use `ripgrep` to understand "how does X work" → wastes time with manual reads
 - **Don't** use `ripgrep` for codemods → risks collateral edits
 <!-- bv-agent-instructions-v1 -->
 ---
 ## Beads Workflow Integration
 This project uses [beads_viewer](https://github.com/Dicklesworthstone/beads_viewer) for issue tracking. Issues are stored in `.beads/` and tracked in version control.
 **Note:** `br` is non-invasive—it never executes VCS commands directly. You must commit manually after `br sync --flush-only`.
 ### Essential Commands
 ```bash
 # View issues (launches TUI - avoid in automated sessions)
 bv
 # CLI commands for agents (use these instead)
 br ready              # Show issues ready to work (no blockers)
 br list --status=open # All open issues
 br show <id>          # Full issue details with dependencies
 br create --title="..." --type=task --priority=2
 br update <id> --status=in_progress
 br close <id> --reason="Completed"
 br close <id1> <id2>  # Close multiple issues at once
 br sync --flush-only  # Export to JSONL (then: jj commit -m "Update beads")
 ```
 ### Workflow Pattern
 1. **Start**: Run `br ready` to find actionable work
 2. **Claim**: Use `br update <id> --status=in_progress`
 3. **Work**: Implement the task
 4. **Complete**: Use `br close <id>`
 5. **Sync**: Run `br sync --flush-only`, then `git add .beads/ && git commit -m "Update beads"`
 ### Key Concepts
 - **Dependencies**: Issues can block other issues. `br ready` shows only unblocked work.
 - **Priority**: P0=critical, P1=high, P2=medium, P3=low, P4=backlog (use numbers, not words)
 - **Types**: task, bug, feature, epic, question, docs
 - **Blocking**: `br dep add <issue> <depends-on>` to add dependencies
 ### Session Protocol
 **Before ending any session, run this checklist (solo/lead only — workers skip VCS):**
 ```bash
 jj status                        # Check what changed
 br sync --flush-only             # Export beads to JSONL
 jj commit -m "..."               # Commit code and beads (jj auto-tracks all changes)
 jj bookmark set <name> -r @-     # Point bookmark at committed work
 jj git push -b <name>            # Push to remote
 ```
 ### Best Practices
 - Check `br ready` at session start to find available work
 - Update status as you work (in_progress → closed)
 - Create new issues with `br create` when you discover tasks
 - Use descriptive titles and set appropriate priority/type
 - Always run `br sync --flush-only` then commit before ending session (jj auto-tracks .beads/)
 <!-- end-bv-agent-instructions -->
 ## Landing the Plane (Session Completion)
 **When ending a work session**, you MUST complete ALL steps below. Work is NOT complete until push succeeds.
 **WHO RUNS THIS:** Solo agents run it themselves. In multi-agent sessions, ONLY the team lead runs this. Workers skip VCS entirely.
 **MANDATORY WORKFLOW:**
 1. **File issues for remaining work** - Create issues for anything that needs follow-up
 2. **Run quality gates** (if code changed) - Tests, linters, builds
 3. **Update issue status** - Close finished work, update in-progress items
 4. **PUSH TO REMOTE** - This is MANDATORY:
   ```bash
   jj git fetch                       # Get latest remote state
   jj rebase -d trunk()               # Rebase onto latest trunk if needed
   br sync --flush-only               # Export beads to JSONL
   jj commit -m "Update beads"        # Commit (jj auto-tracks .beads/ changes)
   jj bookmark set <name> -r @-       # Point bookmark at committed work
   jj git push -b <name>              # Push to remote
   jj log -r '<name>'                 # Verify bookmark position
   ```
 5. **Clean up** - Abandon empty orphan changes if any (`jj abandon <rev>`)
 6. **Verify** - All changes committed AND pushed
 7. **Hand off** - Provide context for next session
 **CRITICAL RULES:**
 - Work is NOT complete until `jj git push` succeeds
 - NEVER stop before pushing - that leaves work stranded locally
 - NEVER say "ready to push when you are" - YOU must push
 - If push fails, resolve and retry until it succeeds
 ---
 ## cass — Cross-Agent Session Search
 `cass` indexes prior agent conversations (Claude Code, Codex, Cursor, Gemini, ChatGPT, etc.) so we can reuse solved problems.
 **Rules:** Never run bare `cass` (TUI). Always use `--robot` or `--json`.
 ### Examples
 ```bash
 cass health
 cass search "async runtime" --robot --limit 5
 cass view /path/to/session.jsonl -n 42 --json
 cass expand /path/to/session.jsonl -n 42 -C 3 --json
 cass capabilities --json
 cass robot-docs guide
 ```
 ### Tips
 - Use `--fields minimal` for lean output
 - Filter by agent with `--agent`
 - Use `--days N` to limit to recent history
 stdout is data-only, stderr is diagnostics; exit code 0 means success.
 Treat cass as a way to avoid re-solving problems other agents already handled.
 ---
 ## Note for Codex/GPT-5.2
 You constantly bother me and stop working with concerned questions that look similar to this:
 ```
 Unexpected changes (need guidance)
 - Working tree still shows edits I did not make in Cargo.toml, Cargo.lock, src/runtime.rs, src/scope.rs. Please advise whether to keep/commit/revert these before any further work. I did not touch them.
 Next steps (pick one)
 1. Decide how to handle the unrelated modified files above so we can resume cleanly.
 ```
 NEVER EVER DO THAT AGAIN. The answer is literally ALWAYS the same: those are changes created by the potentially dozen of other agents working on the project at the same time. This is not only a common occurence, it happens multiple times PER MINUTE. The way to deal with it is simple: you NEVER, under ANY CIRCUMSTANCE, stash, revert, overwrite, or otherwise disturb in ANY way the work of other agents. Just treat those changes identically to changes that you yourself made. Just fool yourself into thinking YOU made the changes and simply don't recall it for some reason.
 ---
 ## Note on Built-in TODO Functionality
 Also, if I ask you to explicitly use your built-in TODO functionality, don't complain about this and say you need to use beads. You can use built-in TODOs if I tell you specifically to do so. Always comply with such orders.
 ## TDD Requirements
 Test-first development is mandatory:
 1. **RED** - Write failing test first
 2. **GREEN** - Minimal implementation to pass
 3. **REFACTOR** - Clean up while green
 ## Key Patterns
 Find the simplest solution that meets all acceptance criteria.
 Use third party libraries whenever there's a well-maintained, active, and widely adopted solution (for example, date-fns for TS date math)
 Build extensible pieces of logic that can easily be integrated with other pieces.
 DRY principles should be loosely held.
 Architecture MUST be clear and well thought-out. Ask the user for clarification whenever ambiguity is discovered around architecture, or you think a better approach than planned exists.
 ---
 ## Third-Party Library Usage
 If you aren't 100% sure how to use a third-party library, **SEARCH ONLINE** to find the latest documentation and mid-2025 best practices.
 ---
 ## Gitlore Robot Mode
 The `lore` CLI has a robot mode optimized for AI agent consumption with compact JSON output, structured errors with machine-actionable recovery steps, meaningful exit codes, response timing metadata, field selection for token efficiency, and TTY auto-detection.
 ### Activation
 ```bash
 # Explicit flag
 lore --robot issues -n 10
 # JSON shorthand (-J)
 lore -J issues -n 10
 # Auto-detection (when stdout is not a TTY)
 lore issues | jq .
 # Environment variable
 LORE_ROBOT=1 lore issues
 ```
 ### Robot Mode Commands
 ```bash
 # List issues/MRs with JSON output
 lore --robot issues -n 10
 lore --robot mrs -s opened
 # Filter issues by work item status (case-insensitive)
 lore --robot issues --status "In progress"
 # List with field selection (reduces token usage ~60%)
 lore --robot issues --fields minimal
 lore --robot mrs --fields iid,title,state,draft
 # Show detailed entity info
 lore --robot issues 123
 lore --robot mrs 456 -p group/repo
 # Count entities
 lore --robot count issues
 lore --robot count discussions --for mr
 # Search indexed documents
 lore --robot search "authentication bug"
 # Check sync status
 lore --robot status
 # Run full sync pipeline
 lore --robot sync
 # Run sync without resource events
 lore --robot sync --no-events
 # Surgical sync: specific entities by IID
 lore --robot sync --issue 42 -p group/repo
 lore --robot sync --mr 99 --mr 100 -p group/repo
 # Run ingestion only
 lore --robot ingest issues
 # Trace why code was introduced
 lore --robot trace src/main.rs -p group/repo
 # File-level MR history
 lore --robot file-history src/auth/ -p group/repo
 # Manage cron-based auto-sync (Unix)
 lore --robot cron status
 lore --robot cron install --interval 15
 # Token management
 lore --robot token show
 # Check environment health
 lore --robot doctor
 # Document and index statistics
 lore --robot stats
 # Quick health pre-flight check (exit 0 = healthy, 19 = unhealthy)
 lore --robot health
 # Generate searchable documents from ingested data
 lore --robot generate-docs
 # Generate vector embeddings via Ollama
 lore --robot embed
 # Personal work dashboard
 lore --robot me
 lore --robot me --issues
 lore --robot me --mrs
 lore --robot me --activity --since 7d
 lore --robot me --project group/repo
 lore --robot me --user jdoe
 lore --robot me --fields minimal
 lore --robot me --reset-cursor
 # Find semantically related entities
 lore --robot related issues 42
 lore --robot related "authentication flow"
 # Re-register projects from config
 lore --robot init --refresh
 # Agent self-discovery manifest (all commands, flags, exit codes, response schemas)
 lore robot-docs
 # Version information
 lore --robot version
 ```
 ### Response Format
 All commands return compact JSON with a uniform envelope and timing metadata:
 ```json
 {"ok":true,"data":{...},"meta":{"elapsed_ms":42}}
 ```
 Errors return structured JSON to stderr with machine-actionable recovery steps:
 ```json
 {"error":{"code":"CONFIG_NOT_FOUND","message":"...","suggestion":"Run 'lore init'","actions":["lore init"]}}
 ```
 The `actions` array contains executable shell commands for automated recovery. It is omitted when empty.
 ### Field Selection
 The `--fields` flag on `issues` and `mrs` list commands controls which fields appear in the JSON response:
 ```bash
 lore -J issues --fields minimal                    # Preset: iid, title, state, updated_at_iso
 lore -J mrs --fields iid,title,state,draft,labels  # Custom field list
 ```
 ### Exit Codes
 | Code | Meaning |
 |------|---------|
 | 0 | Success |
 | 1 | Internal error / not implemented |
 | 2 | Usage error (invalid flags or arguments) |
 | 3 | Config invalid |
 | 4 | Token not set |
 | 5 | GitLab auth failed |
 | 6 | Resource not found |
 | 7 | Rate limited |
 | 8 | Network error |
 | 9 | Database locked |
 | 10 | Database error |
 | 11 | Migration failed |
 | 12 | I/O error |
 | 13 | Transform error |
 | 14 | Ollama unavailable |
 | 15 | Ollama model not found |
 | 16 | Embedding failed |
 | 17 | Not found (entity does not exist) |
 | 18 | Ambiguous match (use `-p` to specify project) |
 | 19 | Health check failed |
 | 20 | Config not found |
 ### Configuration Precedence
 1. CLI flags (highest priority)
 2. Environment variables (`LORE_ROBOT`, `GITLAB_TOKEN`, `LORE_CONFIG_PATH`)
 3. Config file (`~/.config/lore/config.json`)
 4. Built-in defaults (lowest priority)
 ### Best Practices
 - Use `lore --robot` or `lore -J` for all agent interactions
 - Check exit codes for error handling
 - Parse JSON errors from stderr; use `actions` array for automated recovery
 - Use `--fields minimal` to reduce token usage (~60% fewer tokens)
 - Use `-n` / `--limit` to control response size
 - Use `-q` / `--quiet` to suppress progress bars and non-essential output
 - Use `--color never` in non-TTY automation for ANSI-free output
 - Use `-v` / `-vv` / `-vvv` for increasing verbosity (debug/trace logging)
 - Use `--log-format json` for machine-readable log output to stderr
 - TTY detection handles piped commands automatically
 - Use `lore --robot health` as a fast pre-flight check before queries
 - Use `lore robot-docs` for response schema discovery
 - The `-p` flag supports fuzzy project matching (suffix and substring)
 ---
 ## Read/Write Split: lore vs glab
 | Operation | Tool | Why |
 |-----------|------|-----|
 | List issues/MRs | lore | Richer: includes status, discussions, closing MRs |
 | View issue/MR detail | lore | Pre-joined discussions, work-item status |
 | Search across entities | lore | FTS5 + vector hybrid search |
 | Expert/workload analysis | lore | who command — no glab equivalent |
 | Timeline reconstruction | lore | Chronological narrative — no glab equivalent |
 | Create/update/close | glab | Write operations |
 | Approve/merge MR | glab | Write operations |
 | CI/CD pipelines | glab | Not in lore scope |
 ````markdown
 ## UBS Quick Reference for AI Agents
 UBS stands for "Ultimate Bug Scanner": **The AI Coding Agent's Secret Weapon: Flagging Likely Bugs for Fixing Early On**
 **Install:** `curl -sSL https://raw.githubusercontent.com/Dicklesworthstone/ultimate_bug_scanner/master/install.sh | bash`
 **Golden Rule:** `ubs <changed-files>` before every commit. Exit 0 = safe. Exit >0 = fix & re-run.
 **Commands:**
 ```bash
 ubs file.ts file2.py                    # Specific files (< 1s) — USE THIS
 ubs $(git diff --name-only --cached)    # Staged files — before commit
 ubs --only=js,python src/               # Language filter (3-5x faster)
 ubs --ci --fail-on-warning .            # CI mode — before PR
 ubs --help                              # Full command reference
 ubs sessions --entries 1                # Tail the latest install session log
 ubs .                                   # Whole project (ignores things like .venv and node_modules automatically)
 ```
 **Output Format:**
 ```
 ⚠️  Category (N errors)
    file.ts:42:5 – Issue description
    💡 Suggested fix
 Exit code: 1
 ```
 Parse: `file:line:col` → location | 💡 → how to fix | Exit 0/1 → pass/fail
 **Fix Workflow:**
 1. Read finding → category + fix suggestion
 2. Navigate `file:line:col` → view context
 3. Verify real issue (not false positive)
 4. Fix root cause (not symptom)
 5. Re-run `ubs <file>` → exit 0
 6. Commit
 **Speed Critical:** Scope to changed files. `ubs src/file.ts` (< 1s) vs `ubs .` (30s). Never full scan for small edits.
 **Bug Severity:**
 - **Critical** (always fix): Null safety, XSS/injection, async/await, memory leaks
 - **Important** (production): Type narrowing, division-by-zero, resource leaks
 - **Contextual** (judgment): TODO/FIXME, console logs
 **Anti-Patterns:**
 - ❌ Ignore findings → ✅ Investigate each
 - ❌ Full scan per edit → ✅ Scope to file
 - ❌ Fix symptom (`if (x) { x.y }`) → ✅ Root cause (`x?.y`)
 ````
 <!-- BEGIN LIQUID MAIL (v:48d7b3fc) -->
 ## Integrating Liquid Mail with Beads
 **Beads** manages task status, priority, and dependencies (`br` CLI).
 **Liquid Mail** provides the shared log—progress, decisions, and context that survives sessions.
 ### Conventions
 - **Single source of truth**: Beads owns task state; Liquid Mail owns conversation/decisions
 - **Shared identifiers**: Include the Beads issue ID in posts (e.g., `[lm-jht] Topic validation rules`)
 - **Decisions before action**: Post `DECISION:` messages before risky changes, not after
 - **Identity in user updates**: In every user-facing reply, include your window-name (derived from `LIQUID_MAIL_WINDOW_ID`) so humans can distinguish concurrent agents.
 ### Typical Flow
 **1. Pick ready work (Beads)**
 ```bash
 br ready                    # Find available work (no blockers)
 br show lm-jht              # Review details
 br update lm-jht --status in_progress
 ```
 **2. Check context (Liquid Mail)**
 ```bash
 liquid-mail notify          # See what changed since last session
 liquid-mail query "lm-jht"  # Find prior discussion on this issue
 ```
 **3. Work and log progress (topic required)**
 The `--topic` flag is required for your first post. After that, the topic is pinned to your window.
 ```bash
 liquid-mail post --topic auth-system "[lm-jht] START: Reviewing current topic id patterns"
 liquid-mail post "[lm-jht] FINDING: IDs like lm3189... are being used as topic names"
 liquid-mail post "[lm-jht] NEXT: Add validation + rename guidance"
 ```
 **4. Decisions before risky changes**
 ```bash
 liquid-mail post --decision "[lm-jht] DECISION: Reject UUID-like topic names; require slugs"
 # Then implement
 ```
 ### Decision Conflicts (Preflight)
 When you post a decision (via `--decision` or a `DECISION:` line), Liquid Mail can preflight-check for conflicts with prior decisions **in the same topic**.
 - If a conflict is detected, `liquid-mail post` fails with `DECISION_CONFLICT`.
 - Review prior decisions: `liquid-mail decisions --topic <topic>`.
 - If you intend to supersede the old decision, re-run with `--yes` and include what changed and why.
 **5. Complete (Beads is authority)**
 ```bash
 br close lm-jht             # Mark complete in Beads
 liquid-mail post "[lm-jht] Completed: Topic validation shipped in 177267d"
 ```
 ### Posting Format
 - **Short** (5-15 lines, not walls of text)
 - **Prefixed** with ALL-CAPS tags: `FINDING:`, `DECISION:`, `QUESTION:`, `NEXT:`
 - **Include file paths** so others can jump in: `src/services/auth.ts:42`
 - **Include issue IDs** in brackets: `[lm-jht]`
 - **User-facing replies**: include `AGENT: <window-name>` near the top. Get it with `liquid-mail window name`.
 ### Topics (Required)
 Liquid Mail organizes messages into **topics** (Honcho sessions). Topics are **soft boundaries**—search spans all topics by default.
 **Rule:** `liquid-mail post` requires a topic:
 - Provide `--topic <name>`, OR
 - Post inside a window that already has a pinned topic.
 Topic names must be:
 - 4–50 characters
 - lowercase letters/numbers with hyphens
 - start with a letter, end with a letter/number
 - no consecutive hyphens
 - not reserved (`all`, `new`, `help`, `merge`, `rename`, `list`)
 - not UUID-like (`lm<32-hex>` or standard UUIDs)
 Good examples: `auth-system`, `db-system`, `dashboards`
 Commands:
 - **List topics (newest first)**: `liquid-mail topics`
 - **Find context across topics**: `liquid-mail query "auth"`, then pick a topic name
 - **Rename a topic (alias)**: `liquid-mail topic rename <old> <new>`
 - **Merge two topics into a new one**: `liquid-mail topic merge <A> <B> --into <C>`
 Examples (component topic + Beads id in the subject):
 ```bash
 liquid-mail post --topic auth-system "[lm-jht] START: Investigating token refresh failures"
 liquid-mail post --topic auth-system "[lm-jht] FINDING: refresh happens in middleware, not service layer"
 liquid-mail post --topic auth-system --decision "[lm-jht] DECISION: Move refresh logic into AuthService"
 liquid-mail post --topic dashboards "[lm-1p5] START: Adding latency panel"
 ```
 ### Context Refresh (Before New Work / After Redirects)
 If you see redirect/merge messages, refresh context before acting:
 ```bash
 liquid-mail notify
 liquid-mail window status --json
 liquid-mail summarize --topic <topic>
 liquid-mail decisions --topic <topic>
 ```
 If you discover a newer "canonical" topic (for example after a topic merge), switch to it explicitly:
 ```bash
 liquid-mail post --topic <new-topic> "[lm-xxxx] CONTEXT: Switching topics (rename/merge)"
 ```
 ### Live Updates (Polling)
 Liquid Mail is pull-based by default (you run `notify`). For near-real-time updates:
 ```bash
 liquid-mail watch --topic <topic>   # watch a topic
 liquid-mail watch                   # or watch your pinned topic
 ```
 ### Mapping Cheat-Sheet
 | Concept | In Beads | In Liquid Mail |
 |---------|----------|----------------|
 | Work item | `lm-jht` (issue ID) | Include `[lm-jht]` in posts |
 | Workstream | — | `--topic auth-system` |
 | Subject prefix | — | `[lm-jht] ...` |
 | Commit message | Include `lm-jht` | — |
 | Status | `br update --status` | Post progress messages |
 ### Pitfalls
 - **Don't manage tasks in Liquid Mail**—Beads is the single task queue
 - **Always include `lm-xxx`** in posts to avoid ID drift across tools
 - **Don't dump logs**—keep posts short and structured
 ### Quick Reference
 | Need | Command |
 |------|---------|
 | What changed? | `liquid-mail notify` |
 | Log progress | `liquid-mail post "[lm-xxx] ..."` |
 | Before risky change | `liquid-mail post --decision "[lm-xxx] DECISION: ..."` |
 | Find history | `liquid-mail query "search term"` |
 | Prior decisions | `liquid-mail decisions --topic <topic>` |
 | Show config | `liquid-mail config` |
 | List topics | `liquid-mail topics` |
 | Rename topic | `liquid-mail topic rename <old> <new>` |
 | Merge topics | `liquid-mail topic merge <A> <B> --into <C>` |
 | Polling watch | `liquid-mail watch [--topic <topic>]` |
 <!-- END LIQUID MAIL -->
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "lore"
-version = "0.6.1"
+version = "0.9.4"
 edition = "2024"
 description = "Gitlore - Local GitLab data management with semantic search"
 authors = ["Taylor Eernisse"]
@@ -25,16 +25,15 @@ clap_complete = "4"
 dialoguer = "0.12"
 console = "0.16"
 indicatif = "0.18"
-comfy-table = "7"
+lipgloss = { package = "charmed-lipgloss", version = "0.2", default-features = false, features = ["native"] }
 open = "5"
 # HTTP
-reqwest = { version = "0.12", features = ["json"] }
+asupersync = { version = "0.2", features = ["tls", "tls-native-roots"] }
 tokio = { version = "1", features = ["rt-multi-thread", "macros", "time", "signal"] }
 # Async streaming for pagination
 async-stream = "0.3"
-futures = { version = "0.3", default-features = false, features = ["alloc"] }
+futures = { version = "0.3", default-features = false, features = ["alloc", "async-await"] }
 # Utilities
 thiserror = "2"
@@ -60,6 +59,7 @@ tracing-appender = "0.2"
 [dev-dependencies]
 tempfile = "3"
 tokio = { version = "1", features = ["rt", "rt-multi-thread", "macros"] }
 wiremock = "0.6"
 [profile.release]
--- a/PROPOSED_CODE_FILE_REORGANIZATION_PLAN.md
+++ b/PROPOSED_CODE_FILE_REORGANIZATION_PLAN.md
@@ -0,0 +1,636 @@
 # Proposed Code File Reorganization Plan
 ## 1. Scope, Audit Method, and Constraints
 This plan is based on a full audit of the `src/` tree (all 131 Rust files) plus integration tests in `tests/` that import `src` modules.
 What I audited:
 - module/file inventory (`src/**.rs`)
 - line counts and hotspot analysis
 - crate-internal import graph (`use crate::...`)
 - public API surface (public structs/enums/functions by file)
 - command routing and re-export topology (`main.rs`, `lib.rs`, `cli/mod.rs`, `cli/commands/mod.rs`)
 - cross-module coupling and test coupling
 Constraints followed for this proposal:
 - no implementation yet (plan only)
 - keep nesting shallow and intuitive
 - optimize for discoverability for humans and coding agents
 - no compatibility shims as a long-term strategy
 - every structural change includes explicit call-site update tracking
 ---
 ## 2. Current State (Measured)
 ### 2.1 Size by top-level module (`src/`)
 | Module | Files | Lines | Prod Files | Prod Lines | Test Files | Test Lines |
 |---|---:|---:|---:|---:|---:|---:|
 | `cli` | 41 | 29,131 | 37 | 23,068 | 4 | 6,063 |
 | `core` | 39 | 12,493 | 27 | 7,599 | 12 | 4,894 |
 | `ingestion` | 15 | 6,935 | 10 | 5,259 | 5 | 1,676 |
 | `documents` | 6 | 3,657 | 4 | 1,749 | 2 | 1,908 |
 | `gitlab` | 11 | 3,607 | 8 | 2,391 | 3 | 1,216 |
 | `embedding` | 10 | 1,878 | 7 | 1,327 | 3 | 551 |
 | `search` | 6 | 1,115 | 6 | 1,115 | 0 | 0 |
 | `main.rs` | 1 | 3,744 | 1 | 3,744 | 0 | 0 |
 | `lib.rs` | 1 | 9 | 1 | 9 | 0 | 0 |
 Total in `src/`: **131 files / 62,569 lines**.
 ### 2.2 Largest production hotspots
 | File | Lines | Why it matters |
 |---|---:|---|
 | `src/main.rs` | 3,744 | Binary entrypoint is doing too much dispatch and formatting work |
 | `src/cli/autocorrect.rs` | 1,865 | Large parsing/correction ruleset in one file |
 | `src/ingestion/orchestrator.rs` | 1,753 | Multi-stage ingestion orchestration and persistence mixed together |
 | `src/cli/commands/show.rs` | 1,544 | Issue/MR retrieval + rendering + JSON conversion all in one file |
 | `src/cli/render.rs` | 1,482 | Theme, table layout, formatting utilities bundled together |
 | `src/cli/commands/list.rs` | 1,383 | Issues + MRs + notes listing/query/printing in one file |
 | `src/cli/mod.rs` | 1,268 | Clap root parser plus every args struct |
 | `src/cli/commands/sync.rs` | 1,201 | Sync flow + human rendering + JSON output |
 | `src/cli/commands/me/queries.rs` | 1,135 | Multiple query families and post-processing logic |
 | `src/cli/commands/ingest.rs` | 1,116 | Ingest flow + dry-run + presentation concerns |
 | `src/documents/extractor.rs` | 1,059 | Four document source extractors in one file |
 ### 2.3 High-level dependency flow (top modules)
 Observed module coupling from imports:
 - `cli -> core` (very heavy, 33 files)
 - `cli -> documents/embedding/gitlab/ingestion/search` (command-dependent)
 - `ingestion -> core` (12 files), `ingestion -> gitlab` (10 files)
 - `search -> core` and `search -> embedding`
 - `timeline` logic currently located under `core/*timeline*` but semantically acts as its own subsystem
 ### 2.4 Structural pain points
 1. `main.rs` is overloaded with command handlers, robot output envelope types, clap error mapping, and domain invocation.
 2. `cli/mod.rs` mixes root parser concerns with command-specific argument schemas.
 3. `core/` still holds domain-specific subsystems (`timeline`, cross-reference extraction, ingestion persistence helpers) that are not truly "core infra".
 4. Several large command files combine query/build/fetch/render/json responsibilities.
 5. Test helper setup is duplicated heavily in large test files (`who_tests`, `list_tests`, `me_tests`).
 ---
 ## 3. Reorganization Principles
 1. Keep top-level domains explicit: `cli`, `core` (infra), `gitlab`, `ingestion`, `documents`, `embedding`, `search`, plus extracted domain modules where justified.
 2. Keep nesting shallow: max 2-3 levels in normal workflow paths.
 3. Co-locate command-specific args/types/rendering with the command implementation.
 4. Separate orchestration from formatting from data-access code.
 5. Prefer module boundaries that map to runtime pipeline boundaries.
 6. Make import paths reveal ownership directly.
 ---
 ## 4. Proposed Target Structure (End State)
 ```text
 src/
  main.rs                      # thin binary entrypoint
  lib.rs
  app/                         # NEW: runtime dispatch/orchestration glue
    mod.rs
    dispatch.rs
    errors.rs
    robot_docs.rs
  cli/
    mod.rs                     # Cli + Commands only
    args.rs                    # shared args structs used by Commands variants
    render/
      mod.rs
      format.rs
      table.rs
      theme.rs
    autocorrect/
      mod.rs
      flags.rs
      enums.rs
      fuzzy.rs
    commands/
      mod.rs
      list/
        mod.rs
        issues.rs
        mrs.rs
        notes.rs
        render.rs
      show/
        mod.rs
        issue.rs
        mr.rs
        render.rs
      me/                      # keep existing folder, retain split style
      who/                     # keep existing folder, retain split style
      ingest/
        mod.rs
        run.rs
        dry_run.rs
        render.rs
      sync/
        mod.rs
        run.rs
        render.rs
        surgical.rs
      # smaller focused commands can stay single-file for now
  core/                        # infra-only boundary after moves
    mod.rs
    backoff.rs
    config.rs
    cron.rs
    cursor.rs
    db.rs
    error.rs
    file_history.rs
    lock.rs
    logging.rs
    metrics.rs
    path_resolver.rs
    paths.rs
    project.rs
    shutdown.rs
    time.rs
    trace.rs
  timeline/                    # NEW: extracted domain subsystem
    mod.rs
    types.rs
    seed.rs
    expand.rs
    collect.rs
  xref/                        # NEW: extracted cross-reference subsystem
    mod.rs
    note_parser.rs
    references.rs
  ingestion/
    mod.rs
    issues.rs
    merge_requests.rs
    discussions.rs
    mr_discussions.rs
    mr_diffs.rs
    dirty_tracker.rs
    discussion_queue.rs
    orchestrator/
      mod.rs
      issues_flow.rs
      mrs_flow.rs
      resource_events.rs
      closes_issues.rs
      diff_jobs.rs
      progress.rs
    storage/                   # NEW: ingestion-owned persistence helpers
      mod.rs
      payloads.rs              # from core/payloads.rs
      events.rs                # from core/events_db.rs
      queue.rs                 # from core/dependent_queue.rs
      sync_run.rs              # from core/sync_run.rs
  documents/
    mod.rs
    extractor/
      mod.rs
      issues.rs
      mrs.rs
      discussions.rs
      notes.rs
      common.rs
    regenerator.rs
    truncation.rs
  embedding/
    mod.rs
    change_detector.rs
    chunks.rs                  # merge chunk_ids.rs + chunking.rs
    ollama.rs
    pipeline.rs
    similarity.rs
  gitlab/
    # mostly keep as-is (already coherent)
  search/
    # mostly keep as-is (already coherent)
 ```
 Notes:
 - `gitlab/` and `search/` are already cohesive and should largely remain unchanged.
 - `who/` and `me/` command families are already split well relative to other commands.
 ---
 ## 5. Detailed Change Plan (Phased)
 ## Phase 1: Domain Boundary Extraction (lowest conceptual risk, high clarity gain)
 ### 5.1 Extract timeline subsystem from `core`
 Move:
 - `src/core/timeline.rs` -> `src/timeline/types.rs`
 - `src/core/timeline_seed.rs` -> `src/timeline/seed.rs`
 - `src/core/timeline_expand.rs` -> `src/timeline/expand.rs`
 - `src/core/timeline_collect.rs` -> `src/timeline/collect.rs`
 - add `src/timeline/mod.rs`
 Why:
 - Timeline is a full pipeline domain (seed -> expand -> collect), not core infra.
 - Improves discoverability for `lore timeline` and timeline tests.
 Calling-code updates required:
 - `src/cli/commands/timeline.rs`
  - `crate::core::timeline::*` -> `crate::timeline::*`
  - `crate::core::timeline_seed::*` -> `crate::timeline::seed::*`
  - `crate::core::timeline_expand::*` -> `crate::timeline::expand::*`
  - `crate::core::timeline_collect::*` -> `crate::timeline::collect::*`
 - `tests/timeline_pipeline_tests.rs`
  - `lore::core::timeline*` imports -> `lore::timeline::*`
 - internal references among moved files update from `crate::core::timeline` to `crate::timeline::types`
 - `src/core/mod.rs`: remove `timeline*` module declarations
 - `src/lib.rs`: add `pub mod timeline;`
 ### 5.2 Extract cross-reference subsystem from `core`
 Move:
 - `src/core/note_parser.rs` -> `src/xref/note_parser.rs`
 - `src/core/references.rs` -> `src/xref/references.rs`
 - add `src/xref/mod.rs`
 Why:
 - Cross-reference extraction is a domain subsystem feeding ingestion and timeline.
 - Current placement in `core/` obscures data flow.
 Calling-code updates required:
 - `src/ingestion/orchestrator.rs`
  - `crate::core::references::*` -> `crate::xref::references::*`
  - `crate::core::note_parser::*` -> `crate::xref::note_parser::*`
 - `src/core/mod.rs`: remove `note_parser` and `references`
 - `src/lib.rs`: add `pub mod xref;`
 - tests referencing old paths update to `crate::xref::*`
 ### 5.3 Move ingestion-owned persistence helpers out of `core`
 Move:
 - `src/core/payloads.rs` -> `src/ingestion/storage/payloads.rs`
 - `src/core/events_db.rs` -> `src/ingestion/storage/events.rs`
 - `src/core/dependent_queue.rs` -> `src/ingestion/storage/queue.rs`
 - `src/core/sync_run.rs` -> `src/ingestion/storage/sync_run.rs`
 - add `src/ingestion/storage/mod.rs`
 Why:
 - These files primarily support ingestion/sync runtime behavior and ingestion persistence.
 - Consolidates ingestion runtime + ingestion storage into one domain area.
 Calling-code updates required:
 - `src/ingestion/discussions.rs`, `issues.rs`, `merge_requests.rs`, `mr_discussions.rs`
  - `core::payloads::*` -> `ingestion::storage::payloads::*`
 - `src/ingestion/orchestrator.rs`
  - `core::dependent_queue::*` -> `ingestion::storage::queue::*`
  - `core::events_db::*` -> `ingestion::storage::events::*`
 - `src/main.rs`
  - `core::dependent_queue::release_all_locked_jobs` -> `ingestion::storage::queue::release_all_locked_jobs`
  - `core::sync_run::SyncRunRecorder` -> `ingestion::storage::sync_run::SyncRunRecorder`
 - `src/cli/commands/count.rs`
  - `core::events_db::*` -> `ingestion::storage::events::*`
 - `src/cli/commands/sync_surgical.rs`
  - `core::sync_run::SyncRunRecorder` -> `ingestion::storage::sync_run::SyncRunRecorder`
 - `src/core/mod.rs`: remove moved modules
 - `src/ingestion/mod.rs`: export `pub mod storage;`
 ---
 ## Phase 2: CLI Structure Cleanup (high dev ergonomics impact)
 ### 5.4 Split `cli/mod.rs` responsibilities
 Current:
 - root parser (`Cli`, `Commands`)
 - all args structs (`IssuesArgs`, `WhoArgs`, `MeArgs`, etc.)
 Proposed:
 - `src/cli/mod.rs`: only `Cli`, `Commands`, top-level parser behavior
 - `src/cli/args.rs`: all args structs and command-local enums (`CronAction`, `TokenAction`)
 Why:
 - keeps parser root small and readable
 - one canonical place for args schemas
 Calling-code updates required:
 - `src/main.rs`
  - `use lore::cli::{..., WhoArgs, ...}` -> `use lore::cli::args::{...}` (or re-export from `cli/mod.rs`)
 - `src/cli/commands/who/mod.rs`
  - `use crate::cli::WhoArgs;` -> `use crate::cli::args::WhoArgs;`
 - `src/cli/commands/me/mod.rs`
  - `use crate::cli::MeArgs;` -> `use crate::cli::args::MeArgs;`
 ### 5.5 Make `main.rs` thin by moving dispatch logic to `app/`
 Proposed splits from `main.rs`:
 - `app/dispatch.rs`: all `handle_*` command handlers
 - `app/errors.rs`: clap error mapping, correction warning formatting
 - `app/robot_docs.rs`: robot docs schema/data envelope generation
 - keep `main.rs`: startup, logging init, parse, delegate to dispatcher
 Why:
 - reduces entrypoint complexity and improves testability of dispatch behavior
 - isolates robot docs machinery from runtime bootstrapping
 Calling-code updates required:
 - `main.rs`: replace direct handler function definitions with calls into `app::*`
 - `lib.rs`: add `pub mod app;` if shared imports needed by tests
 ---
 ## Phase 3: Split Large Command Files by Responsibility
 ### 5.6 Split `cli/commands/list.rs`
 Proposed:
 - `commands/list/issues.rs` (issue queries + issue output)
 - `commands/list/mrs.rs` (MR queries + MR output)
 - `commands/list/notes.rs` (note queries + note output)
 - `commands/list/render.rs` (shared formatting helpers)
 - `commands/list/mod.rs` (public API and re-exports)
 Why:
 - list concerns are already logically tripartite
 - better locality for bugfixes and feature additions
 Calling-code updates required:
 - `src/cli/commands/mod.rs`: import module folder and re-export unchanged API names
 - `src/main.rs`: ideally no change if `commands/mod.rs` re-exports remain stable
 ### 5.7 Split `cli/commands/show.rs`
 Proposed:
 - `commands/show/issue.rs`
 - `commands/show/mr.rs`
 - `commands/show/render.rs`
 - `commands/show/mod.rs`
 Why:
 - issue and MR detail assembly have separate SQL and shape logic
 - rendering concerns can be isolated from data retrieval
 Calling-code updates required:
 - `src/cli/commands/mod.rs` re-exports preserved (`run_show_issue`, `run_show_mr`, printers)
 - `src/main.rs` remains stable if re-exports preserved
 ### 5.8 Split `cli/commands/ingest.rs` and `cli/commands/sync.rs`
 Proposed:
 - `commands/ingest/run.rs`, `dry_run.rs`, `render.rs`, `mod.rs`
 - `commands/sync/run.rs`, `render.rs`, `surgical.rs`, `mod.rs`
 Why:
 - orchestration, preview generation, and output rendering are currently intertwined
 - surgical sync is semantically part of sync command family
 Calling-code updates required:
 - update `src/cli/commands/mod.rs` exports
 - update `src/cli/commands/sync_surgical.rs` path if merged into `commands/sync/surgical.rs`
 - no CLI UX changes expected if external API names remain
 ### 5.9 Split `documents/extractor.rs`
 Proposed:
 - `documents/extractor/issues.rs`
 - `documents/extractor/mrs.rs`
 - `documents/extractor/discussions.rs`
 - `documents/extractor/notes.rs`
 - `documents/extractor/common.rs`
 - `documents/extractor/mod.rs`
 Why:
 - extractor currently contains four independent source-type extraction paths
 - per-source unit tests become easier to target
 Calling-code updates required:
 - `src/documents/mod.rs` re-export surface remains stable
 - `src/documents/regenerator.rs` imports update only if internal re-export paths change
 ---
 ## Phase 4: Opportunistic Consolidations
 ### 5.10 Merge tiny embedding chunk helpers
 Merge:
 - `src/embedding/chunk_ids.rs`
 - `src/embedding/chunking.rs`
 - into `src/embedding/chunks.rs`
 Why:
 - both represent one conceptual concern: chunk partitioning and chunk identity mapping
 - avoids tiny-file scattering
 Calling-code updates required:
 - `src/embedding/pipeline.rs`
 - `src/embedding/change_detector.rs`
 - `src/search/vector.rs`
 - `src/embedding/mod.rs` exports
 ### 5.11 Test helper de-duplication
 Add a shared test support module for repeated DB fixture setup currently duplicated in:
 - `src/cli/commands/who_tests.rs`
 - `src/cli/commands/list_tests.rs`
 - `src/cli/commands/me/me_tests.rs`
 - multiple `core/*_tests.rs`
 Why:
 - lower maintenance cost and fewer fixture drift bugs
 Calling-code updates required:
 - test-only imports in affected files
 ---
 ## 6. File-Level Recommendation Matrix
 Legend:
 - `KEEP`: structure is already coherent
 - `MOVE`: relocate without major logic split
 - `SPLIT`: divide into focused files/modules
 - `MERGE`: consolidate tiny related files
 ### 6.1 `core/`
 - `backoff.rs` -> KEEP
 - `config.rs` -> KEEP (large but cohesive)
 - `cron.rs` -> KEEP
 - `cursor.rs` -> KEEP
 - `db.rs` -> KEEP
 - `dependent_queue.rs` -> MOVE to `ingestion/storage/queue.rs`
 - `error.rs` -> KEEP
 - `events_db.rs` -> MOVE to `ingestion/storage/events.rs`
 - `file_history.rs` -> KEEP
 - `lock.rs` -> KEEP
 - `logging.rs` -> KEEP
 - `metrics.rs` -> KEEP
 - `note_parser.rs` -> MOVE to `xref/note_parser.rs`
 - `path_resolver.rs` -> KEEP
 - `paths.rs` -> KEEP
 - `payloads.rs` -> MOVE to `ingestion/storage/payloads.rs`
 - `project.rs` -> KEEP
 - `references.rs` -> MOVE to `xref/references.rs`
 - `shutdown.rs` -> KEEP
 - `sync_run.rs` -> MOVE to `ingestion/storage/sync_run.rs`
 - `time.rs` -> KEEP
 - `timeline.rs`, `timeline_seed.rs`, `timeline_expand.rs`, `timeline_collect.rs` -> MOVE to `timeline/`
 - `trace.rs` -> KEEP
 ### 6.2 `cli/`
 - `mod.rs` -> SPLIT (`mod.rs` + `args.rs`)
 - `autocorrect.rs` -> SPLIT into `autocorrect/` submodules
 - `render.rs` -> SPLIT into `render/` submodules
 - `commands/list.rs` -> SPLIT into `commands/list/`
 - `commands/show.rs` -> SPLIT into `commands/show/`
 - `commands/ingest.rs` -> SPLIT into `commands/ingest/`
 - `commands/sync.rs` + `commands/sync_surgical.rs` -> SPLIT/MERGE into `commands/sync/`
 - `commands/me/*` -> KEEP (already good shape)
 - `commands/who/*` -> KEEP (already good shape)
 - small focused commands (`auth_test`, `embed`, `trace`, etc.) -> KEEP
 ### 6.3 `documents/`
 - `extractor.rs` -> SPLIT into extractor folder
 - `regenerator.rs` -> KEEP
 - `truncation.rs` -> KEEP
 ### 6.4 `embedding/`
 - `change_detector.rs` -> KEEP
 - `chunk_ids.rs` + `chunking.rs` -> MERGE into `chunks.rs`
 - `ollama.rs` -> KEEP
 - `pipeline.rs` -> KEEP for now (already a pipeline-centric file)
 - `similarity.rs` -> KEEP
 ### 6.5 `gitlab/`, `search/`
 - KEEP as-is except minor internal refactors only when touched by feature work
 ---
 ## 7. Import/Call-Site Impact Tracker (must-update list)
 This section tracks files that must be updated when moves happen to avoid broken builds.
 ### 7.1 For timeline extraction
 Must update:
 - `src/cli/commands/timeline.rs`
 - `tests/timeline_pipeline_tests.rs`
 - moved timeline module internals (`seed`, `expand`, `collect`)
 - `src/core/mod.rs`
 - `src/lib.rs`
 ### 7.2 For xref extraction
 Must update:
 - `src/ingestion/orchestrator.rs` (all `core::references` and `core::note_parser` paths)
 - tests importing moved modules
 - `src/core/mod.rs`
 - `src/lib.rs`
 ### 7.3 For ingestion storage move
 Must update:
 - `src/ingestion/discussions.rs`
 - `src/ingestion/issues.rs`
 - `src/ingestion/merge_requests.rs`
 - `src/ingestion/mr_discussions.rs`
 - `src/ingestion/orchestrator.rs`
 - `src/cli/commands/count.rs`
 - `src/cli/commands/sync_surgical.rs`
 - `src/main.rs`
 - `src/core/mod.rs`
 - `src/ingestion/mod.rs`
 ### 7.4 For CLI args split
 Must update:
 - `src/main.rs`
 - `src/cli/commands/who/mod.rs`
 - `src/cli/commands/me/mod.rs`
 - any command file importing args directly from `crate::cli::*Args`
 ### 7.5 For command file splits
 Must update:
 - `src/cli/commands/mod.rs` re-exports
 - tests that import command internals by file/module path
 - `src/main.rs` only if re-export names change (recommended: keep names stable)
 ---
 ## 8. Execution Strategy (Safe Order)
 Recommended order:
 1. Phase 1 (`timeline`, `xref`, `ingestion/storage`) with no behavior changes.
 2. Phase 2 (`cli/mod.rs` split, `main.rs` thinning) while preserving command signatures.
 3. Phase 3 (`list`, `show`, `ingest`, `sync`, `extractor` splits).
 4. Phase 4 opportunistic merges and test helper dedupe.
 For each phase:
 - complete file moves/splits and import rewrites in one cohesive change
 - run quality gates
 - only then proceed to next phase
 ---
 ## 9. Verification and Non-Regression Checklist
 After each phase, run:
 ```bash
 cargo check --all-targets
 cargo clippy --all-targets -- -D warnings
 cargo fmt --check
 cargo test
 cargo test -- --nocapture
 ```
 Targeted suites to run when relevant:
 - timeline moves: `cargo test timeline_pipeline_tests`
 - who/me/list splits: `cargo test who_tests`, `cargo test list_tests`, `cargo test me_tests`
 - ingestion storage moves: `cargo test ingestion`
 Before each commit, run UBS on changed files:
 ```bash
 ubs <changed-files>
 ```
 ---
 ## 10. Risks and Mitigations
 Primary risks:
 1. Import path churn causing compile errors.
 2. Accidental visibility changes (`pub`/`pub(crate)`) during file splits.
 3. Re-export drift breaking `main.rs` or tests.
 4. Behavioral drift from mixed refactor + logic changes.
 Mitigations:
 - refactor-only phases (no feature changes)
 - keep public API names stable during directory reshapes
 - preserve command re-exports in `cli/commands/mod.rs`
 - run full quality gates after each phase
 ---
 ## 11. Recommendation
 Start with **Phase 1 only** in the first implementation pass. It yields major clarity gains with relatively constrained blast radius.
 If Phase 1 lands cleanly, proceed with Phase 2. Phase 3 should be done in smaller PR-sized chunks (`list` first, then `show`, then `ingest/sync`, then `documents/extractor`).
 No code/file moves have been executed yet; this document is the proposal for review and approval.
--- a/README.md
+++ b/README.md
@@ -12,6 +12,9 @@ Local GitLab data management with semantic search, people intelligence, and temp
 - **Hybrid search**: Combines FTS5 lexical search with Ollama-powered vector embeddings via Reciprocal Rank Fusion
 - **People intelligence**: Expert discovery, workload analysis, review patterns, active discussions, and code ownership overlap
 - **Timeline pipeline**: Reconstructs chronological event histories by combining search, graph traversal, and event aggregation across related entities
 - **Code provenance tracing**: Traces why code was introduced by linking files to MRs, MRs to issues, and issues to discussion threads
 - **File-level history**: Shows which MRs touched a file with rename-chain resolution and inline DiffNote snippets
 - **Surgical sync**: Sync specific issues or MRs by IID without running a full incremental sync, with preflight validation
 - **Git history linking**: Tracks merge and squash commit SHAs to connect MRs with git history
 - **File change tracking**: Records which files each MR touches, enabling file-level history queries
 - **Raw payload storage**: Preserves original GitLab API responses for debugging
@@ -19,8 +22,14 @@ Local GitLab data management with semantic search, people intelligence, and temp
 - **Cross-reference tracking**: Automatic extraction of "closes", "mentioned" relationships between MRs and issues
 - **Work item status enrichment**: Fetches issue statuses (e.g., "To do", "In progress", "Done") from GitLab's GraphQL API with adaptive page sizing, color-coded display, and case-insensitive filtering
 - **Resource event history**: Tracks state changes, label events, and milestone events for issues and MRs
 - **Note querying**: Rich filtering over discussion notes by author, type, path, resolution status, time range, and body content
 - **Discussion drift detection**: Semantic analysis of how discussions diverge from original issue intent
 - **Automated sync scheduling**: Cron-based automatic syncing with configurable intervals (Unix)
 - **Token management**: Secure interactive or piped token storage with masked display
 - **Robot mode**: Machine-readable JSON output with structured errors, meaningful exit codes, and actionable recovery steps
 - **Error tolerance**: Auto-corrects common CLI mistakes (case, typos, single-dash flags, value casing) with teaching feedback
 - **Observability**: Verbosity controls, JSON log format, structured metrics, and stage timing
 - **Icon system**: Configurable icon sets (Nerd Fonts, Unicode, ASCII) with automatic detection
 ## Installation
@@ -71,6 +80,27 @@ lore who @asmith
 # Timeline of events related to deployments
 lore timeline "deployment"
 # Timeline for a specific issue
 lore timeline issue:42
 # Personal work dashboard
 lore me
 # Find semantically related entities
 lore related issues 42
 # Why was this file changed? (file -> MR -> issue -> discussion)
 lore trace src/features/auth/login.ts
 # Which MRs touched this file?
 lore file-history src/features/auth/
 # Sync a specific issue without full sync
 lore sync --issue 42 -p group/repo
 # Query notes by author
 lore notes --author alice --since 7d
 # Robot mode (machine-readable JSON)
 lore -J issues -n 5 | jq .
 ```
@@ -109,6 +139,15 @@ Configuration is stored in `~/.config/lore/config.json` (or `$XDG_CONFIG_HOME/lo
    "model": "nomic-embed-text",
    "baseUrl": "http://localhost:11434",
    "concurrency": 4
  },
  "scoring": {
    "authorWeight": 25,
    "reviewerWeight": 10,
    "noteBonus": 1,
    "authorHalfLifeDays": 180,
    "reviewerHalfLifeDays": 90,
    "noteHalfLifeDays": 45,
    "excludedUsernames": ["bot-user"]
  }
 }
 ```
@@ -135,6 +174,15 @@ Configuration is stored in `~/.config/lore/config.json` (or `$XDG_CONFIG_HOME/lo
 | `embedding` | `model` | `nomic-embed-text` | Model name for embeddings |
 | `embedding` | `baseUrl` | `http://localhost:11434` | Ollama server URL |
 | `embedding` | `concurrency` | `4` | Concurrent embedding requests |
 | `scoring` | `authorWeight` | `25` | Points per MR where the user authored code touching the path |
 | `scoring` | `reviewerWeight` | `10` | Points per MR where the user reviewed code touching the path |
 | `scoring` | `noteBonus` | `1` | Bonus per inline review comment (DiffNote) |
 | `scoring` | `reviewerAssignmentWeight` | `3` | Points per MR where the user was assigned as reviewer |
 | `scoring` | `authorHalfLifeDays` | `180` | Half-life in days for author contribution decay |
 | `scoring` | `reviewerHalfLifeDays` | `90` | Half-life in days for reviewer contribution decay |
 | `scoring` | `noteHalfLifeDays` | `45` | Half-life in days for note/comment decay |
 | `scoring` | `closedMrMultiplier` | `0.5` | Score multiplier for closed (not merged) MRs |
 | `scoring` | `excludedUsernames` | `[]` | Usernames excluded from expert results (e.g., bots) |
 ### Config File Resolution
@@ -163,6 +211,8 @@ Create a personal access token with `read_api` scope:
 | `XDG_DATA_HOME` | XDG Base Directory for data (fallback: `~/.local/share`) | No |
 | `NO_COLOR` | Disable color output when set (any value) | No |
 | `CLICOLOR` | Standard color control (0 to disable) | No |
 | `LORE_ICONS` | Override icon set: `nerd`, `unicode`, or `ascii` | No |
 | `NERD_FONTS` | Enable Nerd Font icons when set to a non-empty value | No |
 | `RUST_LOG` | Logging level filter (e.g., `lore=debug`) | No |
 ## Commands
@@ -262,18 +312,21 @@ lore search "login flow" --mode semantic      # Vector similarity only
 lore search "auth" --type issue               # Filter by source type
 lore search "auth" --type mr                  # MR documents only
 lore search "auth" --type discussion          # Discussion documents only
 lore search "auth" --type note               # Individual notes only
 lore search "deploy" --author username        # Filter by author
 lore search "deploy" -p group/repo           # Filter by project
 lore search "deploy" --label backend          # Filter by label (AND logic)
 lore search "deploy" --path src/             # Filter by file path (trailing / for prefix)
-lore search "deploy" --after 7d              # Created after (7d, 2w, 1m, or YYYY-MM-DD)
+lore search "deploy" --since 7d              # Created since (7d, 2w, 1m, or YYYY-MM-DD)
-lore search "deploy" --updated-after 2w      # Updated after
+lore search "deploy" --updated-since 2w      # Updated since
 lore search "deploy" -n 50                    # Limit results (default 20, max 100)
 lore search "deploy" --explain               # Show ranking explanation per result
 lore search "deploy" --fts-mode raw          # Raw FTS5 query syntax (advanced)
 ```
-The `--fts-mode` flag defaults to `safe`, which sanitizes user input into valid FTS5 queries with automatic fallback. Use `raw` for advanced FTS5 query syntax (AND, OR, NOT, phrase matching, prefix queries).
+The `--fts-mode` flag defaults to `safe`, which sanitizes user input into valid FTS5 queries with automatic fallback. FTS5 boolean operators (`AND`, `OR`, `NOT`, `NEAR`) are passed through in safe mode, so queries like `"switch AND health"` work without switching to raw mode. Use `raw` for advanced FTS5 query syntax (phrase matching, column filters, prefix queries).
 A progress spinner displays during search, showing the active mode (e.g., `Searching (hybrid)...`). In robot mode, spinners are suppressed for clean JSON output.
 Requires `lore generate-docs` (or `lore sync`) to have been run at least once. Semantic and hybrid modes require `lore embed` (or `lore sync`) to have generated vector embeddings via Ollama.
@@ -283,7 +336,7 @@ People intelligence: discover experts, analyze workloads, review patterns, activ
 #### Expert Mode
-Find who has expertise in a code area based on authoring and reviewing history (DiffNote analysis).
+Find who has expertise in a code area based on authoring and reviewing history (DiffNote analysis). Scores use exponential half-life decay so recent contributions count more than older ones. Scoring weights and half-life periods are configurable via the `scoring` config section.
 ```bash
 lore who src/features/auth/           # Who knows about this directory?
@@ -292,6 +345,9 @@ lore who --path README.md             # Root files need --path flag
 lore who --path Makefile              # Dotless root files too
 lore who src/ --since 3m              # Limit to recent 3 months
 lore who src/ -p group/repo           # Scope to project
 lore who src/ --explain-score         # Show per-component score breakdown
 lore who src/ --as-of 30d            # Score as if "now" was 30 days ago
 lore who src/ --include-bots          # Include bot users in results
 ```
 The target is auto-detected as a path when it contains `/`. For root files without `/` (e.g., `README.md`), use the `--path` flag. Default time window: 6 months.
@@ -320,12 +376,13 @@ Shows: total DiffNotes, categorized by code area with percentage breakdown.
 #### Active Mode
-Surface unresolved discussions needing attention.
+Surface unresolved discussions needing attention. By default, only discussions on open issues and non-merged MRs are shown.
 ```bash
 lore who --active                     # Unresolved discussions (last 7 days)
 lore who --active --since 30d        # Wider time window
 lore who --active -p group/repo      # Scoped to project
 lore who --active --include-closed   # Include discussions on closed/merged entities
 ```
 Shows: discussion threads with participants and last activity timestamps.
@@ -348,21 +405,65 @@ Shows: users with touch counts (author vs. review), linked MR references. Defaul
 | `-p` / `--project` | Scope to a project (fuzzy match) |
 | `--since` | Time window (7d, 2w, 6m, YYYY-MM-DD). Default varies by mode. |
 | `-n` / `--limit` | Max results per section (1-500, default 20) |
 | `--all-history` | Remove the default time window, query all history |
 | `--include-closed` | Include discussions on closed issues and merged/closed MRs (active mode) |
 | `--detail` | Show per-MR detail breakdown (expert mode only) |
 | `--explain-score` | Show per-component score breakdown (expert mode only) |
 | `--as-of` | Score as if "now" is a past date (ISO 8601 or duration like 30d, expert mode only) |
 | `--include-bots` | Include bot users normally excluded via `scoring.excludedUsernames` |
 ### `lore me`
 Personal work dashboard showing open issues, authored/reviewing MRs, and activity feed. Designed for quick daily check-ins.
 ```bash
 lore me                                 # Full dashboard
 lore me --issues                        # Open issues section only
 lore me --mrs                           # Authored + reviewing MRs only
 lore me --activity                      # Activity feed only
 lore me --mentions                      # Items you're @mentioned in (not assigned/authored/reviewing)
 lore me --since 7d                      # Activity window (default: 30d)
 lore me --project group/repo            # Scope to one project
 lore me --all                           # All synced projects (overrides default_project)
 lore me --user jdoe                     # Override configured username
 lore me --reset-cursor                  # Reset since-last-check cursor
 ```
 The dashboard detects the current user from GitLab authentication and shows:
 - **Issues section**: Open issues assigned to you
 - **MRs section**: Open MRs you authored + open MRs where you're a reviewer
 - **Activity section**: Recent events (state changes, comments, labels, milestones, assignments) on your items regardless of state — including closed issues and merged/closed MRs
 - **Mentions section**: Items where you're @mentioned but not assigned/authoring/reviewing
 - **Since last check**: Cursor-based inbox of actionable events from others since your last check, covering items in any state
 The `--since` flag affects only the activity section. The issues and MRs sections show open items only. The since-last-check inbox uses a persistent cursor (reset with `--reset-cursor`).
 #### Field Selection (Robot Mode)
 ```bash
 lore -J me --fields minimal             # Compact output for agents
 ```
 ### `lore timeline`
 Reconstruct a chronological timeline of events matching a keyword query. The pipeline discovers related entities through cross-reference graph traversal and assembles a unified, time-ordered event stream.
 ```bash
-lore timeline "deployment"                    # Events related to deployments
+lore timeline "deployment"                    # Search-based seeding (hybrid search)
 lore timeline issue:42                        # Direct entity seeding by issue IID
 lore timeline i:42                            # Shorthand for issue:42
 lore timeline mr:99                           # Direct entity seeding by MR IID
 lore timeline m:99                            # Shorthand for mr:99
 lore timeline "auth" -p group/repo           # Scoped to a project
 lore timeline "auth" --since 30d             # Only recent events
 lore timeline "migration" --depth 2          # Deeper cross-reference expansion
-lore timeline "migration" --expand-mentions  # Follow 'mentioned' edges (high fan-out)
+lore timeline "migration" --no-mentions      # Skip 'mentioned' edges (reduces fan-out)
 lore timeline "deploy" -n 50                 # Limit event count
 lore timeline "auth" --max-seeds 5           # Fewer seed entities
 ```
 The query can be either a search string (hybrid search finds matching entities) or an entity reference (`issue:N`, `i:N`, `mr:N`, `m:N`) which directly seeds the timeline from a specific entity and its cross-references.
 #### Flags
 | Flag | Default | Description |
@@ -370,18 +471,21 @@ lore timeline "auth" --max-seeds 5           # Fewer seed entities
 | `-p` / `--project` | all | Scope to a specific project (fuzzy match) |
 | `--since` | none | Only events after this date (7d, 2w, 6m, YYYY-MM-DD) |
 | `--depth` | `1` | Cross-reference expansion depth (0 = seeds only) |
-| `--expand-mentions` | off | Also follow "mentioned" edges during expansion |
+| `--no-mentions` | off | Skip "mentioned" edges during expansion (reduces fan-out) |
 | `-n` / `--limit` | `100` | Maximum events to display |
 | `--max-seeds` | `10` | Maximum seed entities from search |
 | `--max-entities` | `50` | Maximum entities discovered via cross-references |
 | `--max-evidence` | `10` | Maximum evidence notes included |
 | `--fields` | all | Select output fields (comma-separated, or 'minimal' preset) |
 #### Pipeline Stages
-1. **SEED** -- Full-text search identifies the most relevant issues and MRs matching the query. Documents are ranked by BM25 relevance.
+Each stage displays a numbered progress spinner (e.g., `[1/3] Seeding timeline...`). In robot mode, spinners are suppressed for clean JSON output.
-2. **HYDRATE** -- Evidence notes are extracted: the top FTS-matched discussion notes with 200-character snippets explaining *why* each entity was surfaced.
+
-3. **EXPAND** -- Breadth-first traversal over the `entity_references` graph discovers related entities via "closes", "related", and optionally "mentioned" references up to the configured depth.
+1. **SEED** -- Hybrid search (FTS5 lexical + Ollama vector similarity via Reciprocal Rank Fusion) identifies the most relevant issues and MRs. Falls back to lexical-only if Ollama is unavailable. Discussion notes matching the query are also discovered and attached to their parent entities.
-4. **COLLECT** -- Events are gathered for all discovered entities. Event types include: creation, state changes, label adds/removes, milestone assignments, merge events, and evidence notes. Events are sorted chronologically with stable tiebreaking.
+2. **HYDRATE** -- Evidence notes are extracted: the top search-matched discussion notes with 200-character snippets explaining *why* each entity was surfaced. Matched discussions are collected as full thread candidates.
 3. **EXPAND** -- Breadth-first traversal over the `entity_references` graph discovers related entities via "closes", "related", and "mentioned" references up to the configured depth. Use `--no-mentions` to exclude "mentioned" edges and reduce fan-out.
 4. **COLLECT** -- Events are gathered for all discovered entities. Event types include: creation, state changes, label adds/removes, milestone assignments, merge events, evidence notes, and full discussion threads. Events are sorted chronologically with stable tiebreaking.
 5. **RENDER** -- Events are formatted as human-readable text or structured JSON (robot mode).
 #### Event Types
@@ -395,16 +499,159 @@ lore timeline "auth" --max-seeds 5           # Fewer seed entities
 | `MilestoneSet` | Milestone assigned |
 | `MilestoneRemoved` | Milestone removed |
 | `Merged` | MR merged (deduplicated against state events) |
-| `NoteEvidence` | Discussion note matched by FTS, with snippet |
+| `NoteEvidence` | Discussion note matched by search, with snippet |
 | `DiscussionThread` | Full discussion thread with all non-system notes |
 | `CrossReferenced` | Reference to another entity |
 #### Unresolved References
 When graph expansion encounters cross-project references to entities not yet synced locally, these are collected as unresolved references in the output. This enables discovery of external dependencies and can inform future sync targets.
 ### `lore notes`
 Query individual notes from discussions with rich filtering options.
 ```bash
 lore notes                                    # List 50 most recent notes
 lore notes --author alice --since 7d         # Notes by alice in last 7 days
 lore notes --for-issue 42 -p group/repo      # Notes on issue #42
 lore notes --for-mr 99 -p group/repo         # Notes on MR !99
 lore notes --path src/ --resolution unresolved  # Unresolved diff notes in src/
 lore notes --note-type DiffNote              # Only inline code review comments
 lore notes --contains "TODO"                 # Substring search in note body
 lore notes --include-system                  # Include system-generated notes
 lore notes --since 2w --until 2024-12-31     # Time-bounded range
 lore notes --sort updated --asc              # Sort by update time, ascending
 lore notes -o                                # Open first result in browser
 # Field selection (robot mode)
 lore -J notes --fields minimal               # Compact: id, author_username, body, created_at_iso
 ```
 #### Filters
 | Flag | Description |
 |------|-------------|
 | `-a` / `--author` | Filter by note author username |
 | `--note-type` | Filter by note type (DiffNote, DiscussionNote) |
 | `--contains` | Substring search in note body |
 | `--note-id` | Filter by internal note ID |
 | `--gitlab-note-id` | Filter by GitLab note ID |
 | `--discussion-id` | Filter by discussion ID |
 | `--include-system` | Include system notes (excluded by default) |
 | `--for-issue` | Notes on a specific issue IID (requires `-p`) |
 | `--for-mr` | Notes on a specific MR IID (requires `-p`) |
 | `-p` / `--project` | Scope to a project (fuzzy match) |
 | `--since` | Notes created since (7d, 2w, 1m, or YYYY-MM-DD) |
 | `--until` | Notes created until (YYYY-MM-DD, inclusive end-of-day) |
 | `--path` | Filter by file path (DiffNotes only; trailing `/` for prefix match) |
 | `--resolution` | Filter by resolution status (`any`, `unresolved`, `resolved`) |
 | `--sort` | Sort by `created` (default) or `updated` |
 | `--asc` | Sort ascending (default: descending) |
 | `-o` / `--open` | Open first result in browser |
 ### `lore file-history`
 Show which merge requests touched a file, with rename-chain resolution and optional DiffNote discussion snippets.
 ```bash
 lore file-history src/main.rs                         # MRs that touched this file
 lore file-history src/auth/ -p group/repo             # Scoped to project
 lore file-history src/foo.rs --discussions             # Include DiffNote snippets
 lore file-history src/bar.rs --no-follow-renames       # Skip rename chain resolution
 lore file-history src/bar.rs --merged                  # Only merged MRs
 lore file-history src/bar.rs -n 100                    # More results
 ```
 Rename-chain resolution follows file renames through `mr_file_changes` so that querying a renamed file also surfaces MRs that touched previous names. Disable with `--no-follow-renames`.
 | Flag | Default | Description |
 |------|---------|-------------|
 | `-p` / `--project` | all | Scope to a specific project (fuzzy match) |
 | `--discussions` | off | Include DiffNote discussion snippets on the file |
 | `--no-follow-renames` | off | Disable rename chain resolution |
 | `--merged` | off | Only show merged MRs |
 | `-n` / `--limit` | `50` | Maximum results |
 ### `lore trace`
 Trace why code was introduced by building provenance chains: file -> MR -> issue -> discussion threads.
 ```bash
 lore trace src/main.rs                         # Why was this file changed?
 lore trace src/auth/ -p group/repo             # Scoped to project
 lore trace src/foo.rs --discussions             # Include DiffNote context
 lore trace src/bar.rs:42                        # Line hint (future Tier 2)
 lore trace src/bar.rs --no-follow-renames       # Skip rename chain resolution
 ```
 Each trace chain links a file change to the MR that introduced it, the issue(s) that motivated it (via "closes" references), and the discussion threads on those entities. Line-level hints (`:line` suffix) are accepted but produce an advisory message until Tier 2 git-blame integration is available.
 | Flag | Default | Description |
 |------|---------|-------------|
 | `-p` / `--project` | all | Scope to a specific project (fuzzy match) |
 | `--discussions` | off | Include DiffNote discussion snippets |
 | `--no-follow-renames` | off | Disable rename chain resolution |
 | `-n` / `--limit` | `20` | Maximum trace chains to display |
 ### `lore drift`
 Detect discussion divergence from the original intent of an issue by comparing the semantic similarity of discussion content against the issue description.
 ```bash
 lore drift issues 42                         # Check divergence on issue #42
 lore drift issues 42 --threshold 0.6        # Higher threshold (stricter)
 lore drift issues 42 -p group/repo          # Scope to project
 ```
 ### `lore related`
 Find semantically related entities via vector search. Accepts either an entity reference or a free text query.
 ```bash
 lore related issues 42                       # Find entities related to issue #42
 lore related mrs 99 -p group/repo            # Related to MR #99 in specific project
 lore related "authentication flow"           # Find entities matching free text query
 lore related issues 42 -n 5                  # Limit results
 ```
 In entity mode (`issues N` or `mrs N`), the command embeds the entity's content and finds similar documents via vector similarity. In query mode (free text), the query is embedded directly.
 | Flag | Default | Description |
 |------|---------|-------------|
 | `-p` / `--project` | all | Scope to a specific project (fuzzy match) |
 | `-n` / `--limit` | `10` | Maximum results |
 Requires embeddings to have been generated via `lore embed` or `lore sync`.
 ### `lore cron`
 Manage cron-based automatic syncing (Unix only). Installs a crontab entry that runs `lore sync --lock -q` at a configurable interval.
 ```bash
 lore cron install                     # Install cron job (every 8 minutes)
 lore cron install --interval 15       # Custom interval in minutes
 lore cron status                      # Check if cron is installed
 lore cron uninstall                   # Remove cron job
 ```
 The `--lock` flag on the auto-sync ensures that if a sync is already running, the cron invocation exits cleanly rather than competing for the database lock.
 ### `lore token`
 Manage the stored GitLab token. Supports interactive entry with validation, non-interactive piped input, and masked display.
 ```bash
 lore token set                         # Interactive token entry + validation
 lore token set --token glpat-xxx       # Non-interactive token storage
 echo glpat-xxx | lore token set        # Pipe token from stdin
 lore token show                        # Show token (masked)
 lore token show --unmask               # Show full token
 ```
 ### `lore sync`
-Run the full sync pipeline: ingest from GitLab (including work item status enrichment via GraphQL), generate searchable documents, and compute embeddings.
+Run the full sync pipeline: ingest from GitLab (including work item status enrichment via GraphQL), generate searchable documents, and compute embeddings. Supports both incremental (cursor-based) and surgical (per-IID) modes.
 ```bash
 lore sync                    # Full pipeline
@@ -413,11 +660,30 @@ lore sync --force            # Override stale lock
 lore sync --no-embed         # Skip embedding step
 lore sync --no-docs          # Skip document regeneration
 lore sync --no-events        # Skip resource event fetching
 lore sync --no-file-changes  # Skip MR file change fetching
 lore sync --no-status        # Skip work-item status enrichment via GraphQL
 lore sync --dry-run          # Preview what would be synced
 lore sync --timings          # Show detailed timing breakdown per stage
 lore sync --lock             # Acquire file lock (skip if another sync is running)
 # Surgical sync: fetch specific entities by IID
 lore sync --issue 42 -p group/repo               # Sync a single issue
 lore sync --mr 99 -p group/repo                  # Sync a single MR
 lore sync --issue 42 --mr 99 -p group/repo       # Mix issues and MRs
 lore sync --issue 1 --issue 2 -p group/repo      # Multiple issues
 lore sync --issue 42 -p group/repo --preflight-only  # Validate without writing
 ```
 The sync command displays animated progress bars for each stage and outputs timing metrics on completion. In robot mode (`-J`), detailed stage timing is included in the JSON response.
 #### Surgical Sync
 When `--issue` or `--mr` flags are provided, sync switches to surgical mode which fetches only the specified entities and their dependents (discussions, events, file changes) from GitLab. This is faster than a full incremental sync and useful for refreshing specific entities on demand.
 Surgical mode requires `-p` / `--project` to scope the operation. Each entity goes through preflight validation against the GitLab API, then ingestion, document regeneration, and embedding. Entities that haven't changed since the last sync are skipped (TOCTOU check).
 Use `--preflight-only` to validate that entities exist on GitLab without writing to the database.
 ### `lore ingest`
 Sync data from GitLab to local database. Runs only the ingestion step (no doc generation or embeddings). For issue ingestion, this includes a status enrichment phase that fetches work item statuses via the GitLab GraphQL API.
@@ -502,16 +768,35 @@ Displays:
 ### `lore init`
-Initialize configuration and database interactively.
+Initialize configuration and database interactively, or refresh the database to match an existing config.
 ```bash
 lore init                    # Interactive setup
 lore init --refresh          # Register new projects from existing config
 lore init --force            # Overwrite existing config
 lore init --non-interactive  # Fail if prompts needed
 ```
 When multiple projects are configured, `init` prompts whether to set a default project (used when `-p` is omitted). This can also be set via the `--default-project` flag.
 #### Refreshing Project Registration
 When projects are added to the config file, `lore sync` does not automatically pick them up because project discovery only happens during `lore init`. Use `--refresh` to register new projects without modifying the config file:
 ```bash
 lore init --refresh              # Interactive: registers new projects, prompts to delete orphans
 lore -J init --refresh           # Robot mode: returns JSON with orphan info
 ```
 The `--refresh` flag:
 - Validates GitLab authentication before processing
 - Registers new projects from config into the database
 - Detects orphan projects (in database but removed from config)
 - In interactive mode: prompts to delete orphans (default: No)
 - In robot mode: returns JSON with orphan info without prompting
 Use `--force` to completely overwrite the config file with fresh interactive setup. The `--refresh` and `--force` flags are mutually exclusive.
 In robot mode, `init` supports non-interactive setup via flags:
 ```bash
@@ -571,6 +856,7 @@ Machine-readable command manifest for agent self-discovery. Returns a JSON schem
 ```bash
 lore robot-docs                   # Pretty-printed JSON
 lore --robot robot-docs           # Compact JSON for parsing
 lore robot-docs --brief           # Omit response_schema (~60% smaller)
 ```
 ### `lore version`
@@ -579,7 +865,7 @@ Show version information including the git commit hash.
 ```bash
 lore version
-# lore version 0.1.0 (abc1234)
+# lore version 0.9.2 (571c304)
 ```
 ## Robot Mode
@@ -622,7 +908,7 @@ The `actions` array contains executable shell commands an agent can run to recov
 ### Field Selection
-The `--fields` flag on `issues` and `mrs` list commands controls which fields appear in the JSON response, reducing token usage for AI agent workflows:
+The `--fields` flag controls which fields appear in the JSON response, reducing token usage for AI agent workflows. Supported on `issues`, `mrs`, `notes`, `me`, `search`, `timeline`, and `who` list commands:
 ```bash
 # Minimal preset (~60% fewer tokens)
@@ -639,6 +925,48 @@ Valid fields for issues: `iid`, `title`, `state`, `author_username`, `labels`, `
 Valid fields for MRs: `iid`, `title`, `state`, `author_username`, `labels`, `draft`, `target_branch`, `source_branch`, `discussion_count`, `unresolved_count`, `created_at_iso`, `updated_at_iso`, `web_url`, `project_path`, `reviewers`
 ### Error Tolerance
 The CLI auto-corrects common mistakes before parsing, emitting a teaching note to stderr. Corrections work in both human and robot modes:
 | Correction | Example | Mode |
 |-----------|---------|------|
 | Single-dash long flag | `-robot` -> `--robot` | All |
 | Case normalization | `--Robot` -> `--robot` | All |
 | Flag prefix expansion | `--proj` -> `--project`, `--no-color` -> `--color never` (unambiguous only) | All |
 | Fuzzy flag match | `--projct` -> `--project` | All (threshold 0.9 in robot, 0.8 in human) |
 | Subcommand alias | `merge_requests` -> `mrs`, `robotdocs` -> `robot-docs` | All |
 | Value normalization | `--state Opened` -> `--state opened` | All |
 | Value fuzzy match | `--state opend` -> `--state opened` | All |
 | Subcommand prefix | `lore iss` -> `lore issues` (unambiguous only, via clap) | All |
 In robot mode, corrections emit structured JSON to stderr:
 ```json
 {"warning":{"type":"ARG_CORRECTED","corrections":[...],"teaching":["Use double-dash for long flags: --robot (not -robot)"]}}
 ```
 When a command or flag is still unrecognized after corrections, the error response includes a fuzzy suggestion and, for enum-like flags, lists valid values:
 ```json
 {"error":{"code":"UNKNOWN_COMMAND","message":"...","suggestion":"Did you mean 'lore issues'? Example: lore --robot issues -n 10. Run 'lore robot-docs' for all commands"}}
 ```
 ### Command Aliases
 Commands accept aliases for common variations:
 | Primary | Aliases |
 |---------|---------|
 | `issues` | `issue` |
 | `mrs` | `mr`, `merge-requests`, `merge-request` |
 | `notes` | `note` |
 | `search` | `find`, `query` |
 | `stats` | `stat` |
 | `status` | `st` |
 Unambiguous prefixes also work via subcommand inference (e.g., `lore iss` -> `lore issues`, `lore time` -> `lore timeline`, `lore tra` -> `lore trace`).
 ### Agent Self-Discovery
 The `robot-docs` command provides a complete machine-readable manifest including response schemas for every command:
@@ -692,6 +1020,8 @@ lore --robot <command>                    # Machine-readable JSON
 lore -J <command>                         # JSON shorthand
 lore --color never <command>              # Disable color output
 lore --color always <command>             # Force color output
 lore --icons nerd <command>               # Nerd Font icons
 lore --icons ascii <command>              # ASCII-only icons (no Unicode)
 lore -q <command>                         # Suppress non-essential output
 lore -v <command>                         # Debug logging
 lore -vv <command>                        # More verbose debug logging
@@ -699,7 +1029,7 @@ lore -vvv <command>                       # Trace-level logging
 lore --log-format json <command>          # JSON-formatted log output to stderr
 ```
-Color output respects `NO_COLOR` and `CLICOLOR` environment variables in `auto` mode (the default).
+Color output respects `NO_COLOR` and `CLICOLOR` environment variables in `auto` mode (the default). Icon sets default to `unicode` and can be overridden via `--icons`, `LORE_ICONS`, or `NERD_FONTS` environment variables.
 ## Shell Completions
@@ -747,7 +1077,7 @@ Data is stored in SQLite with WAL mode and foreign keys enabled. Main tables:
 | `embeddings` | Vector embeddings for semantic search |
 | `dirty_sources` | Entities needing document regeneration after ingest |
 | `pending_discussion_fetches` | Queue for discussion fetch operations |
-| `sync_runs` | Audit trail of sync operations |
+| `sync_runs` | Audit trail of sync operations (supports surgical mode tracking with per-entity results) |
 | `sync_cursors` | Cursor positions for incremental sync |
 | `app_locks` | Crash-safe single-flight lock |
 | `raw_payloads` | Compressed original API responses |
--- a/acceptance-criteria.md
+++ b/acceptance-criteria.md
@@ -0,0 +1,64 @@
 # Trace/File-History Empty-Result Diagnostics
 ## AC-1: Human mode shows searched paths on empty results
 When `lore trace <path>` returns 0 chains in human mode, the output includes the resolved path(s) that were searched. If renames were followed, show the full rename chain.
 ## AC-2: Human mode shows actionable reason on empty results
 When 0 chains are found, the hint message distinguishes between:
 - "No MR file changes synced yet" (mr_file_changes table is empty for this project) -> suggest `lore sync`
 - "File paths not found in MR file changes" (sync has run but this file has no matches) -> suggest checking the path or that the file may predate the sync window
 ## AC-3: Robot mode includes diagnostics object on empty results
 When `total_chains == 0` in robot JSON output, add a `"diagnostics"` key to `"meta"` containing:
 - `paths_searched: [...]` (already present as `resolved_paths` in data -- no duplication needed)
 - `hints: [string]` -- same actionable reasons as AC-2 but machine-readable
 ## AC-4: Info-level logging at each pipeline stage
 Add `tracing::info!` calls visible with `-v`:
 - After rename resolution: number of paths found
 - After MR query: number of MRs found
 - After issue/discussion enrichment: counts per MR
 ## AC-5: Apply same pattern to `lore file-history`
 All of the above (AC-1 through AC-4) also apply to `lore file-history` empty results.
 ---
 # Secure Token Resolution for Cron
 ## AC-6: Stored token in config
 The configuration file supports an optional `token` field in the `gitlab` section, allowing users to persist their GitLab personal access token alongside other settings. Existing configuration files that omit this field continue to load and function normally.
 ## AC-7: Token resolution precedence
 Lore resolves the GitLab token by checking the environment variable first, then falling back to the stored config token. This means environment variables always take priority, preserving CI/CD workflows and one-off overrides, while the stored token provides a reliable default for non-interactive contexts like cron jobs. If neither source provides a non-empty value, the user receives a clear `TOKEN_NOT_SET` error with guidance on how to fix it.
 ## AC-8: `lore token set` command
 The `lore token set` command provides a secure, guided workflow for storing a GitLab token. It accepts the token via a `--token` flag, standard input (for piped automation), or an interactive masked prompt. Before storing, it validates the token against the GitLab API to catch typos and expired credentials early. After writing the token to the configuration file, it restricts file permissions to owner-only read/write (mode 0600) to prevent other users on the system from reading the token. The command supports both human and robot output modes.
 ## AC-9: `lore token show` command
 The `lore token show` command displays the currently active token along with its source ("config file" or "environment variable"). By default the token value is masked for safety; the `--unmask` flag reveals the full value when needed. The command supports both human and robot output modes.
 ## AC-10: Consistent token resolution across all commands
 Every command that requires a GitLab token uses the same two-step resolution logic described in AC-7. This ensures that storing a token once via `lore token set` is sufficient to make all commands work, including background cron syncs that have no access to shell environment variables.
 ## AC-11: Cron install warns about missing stored token
 When `lore cron install` completes, it checks whether a token is available in the configuration file. If not, it displays a prominent warning explaining that cron jobs cannot access shell environment variables and directs the user to run `lore token set` to ensure unattended syncs will authenticate successfully.
 ## AC-12: `TOKEN_NOT_SET` error recommends `lore token set`
 The `TOKEN_NOT_SET` error message recommends `lore token set` as the primary fix for missing credentials, with the environment variable export shown as an alternative for users who prefer that approach. In robot mode, the `actions` array lists both options so that automated recovery workflows can act on them.
 ## AC-13: Doctor reports token source
 The `lore doctor` command includes the token's source in its GitLab connectivity check, reporting whether the token was found in the configuration file or an environment variable. This makes it straightforward to verify that cron jobs will have access to the token without relying on the user's interactive shell environment.
--- a/agents/ceo/AGENTS.md
+++ b/agents/ceo/AGENTS.md
@@ -0,0 +1,24 @@
 You are the CEO.
 Your home directory is $AGENT_HOME. Everything personal to you -- life, memory, knowledge -- lives there. Other agents may have their own folders and you may update them when necessary.
 Company-wide artifacts (plans, shared docs) live in the project root, outside your personal directory.
 ## Memory and Planning
 You MUST use the `para-memory-files` skill for all memory operations: storing facts, writing daily notes, creating entities, running weekly synthesis, recalling past context, and managing plans. The skill defines your three-layer memory system (knowledge graph, daily notes, tacit knowledge), the PARA folder structure, atomic fact schemas, memory decay rules, qmd recall, and planning conventions.
 Invoke it whenever you need to remember, retrieve, or organize anything.
 ## Safety Considerations
 - Never exfiltrate secrets or private data.
 - Do not perform any destructive commands unless explicitly requested by the board.
 ## References
 These files are essential. Read them.
 - `$AGENT_HOME/HEARTBEAT.md` -- execution and extraction checklist. Run every heartbeat.
 - `$AGENT_HOME/SOUL.md` -- who you are and how you should act.
 - `$AGENT_HOME/TOOLS.md` -- tools you have access to
--- a/agents/ceo/HEARTBEAT.md
+++ b/agents/ceo/HEARTBEAT.md
@@ -0,0 +1,72 @@
 # HEARTBEAT.md -- CEO Heartbeat Checklist
 Run this checklist on every heartbeat. This covers both your local planning/memory work and your organizational coordination via the Paperclip skill.
 ## 1. Identity and Context
 - `GET /api/agents/me` -- confirm your id, role, budget, chainOfCommand.
 - Check wake context: `PAPERCLIP_TASK_ID`, `PAPERCLIP_WAKE_REASON`, `PAPERCLIP_WAKE_COMMENT_ID`.
 ## 2. Local Planning Check
 1. Read today's plan from `$AGENT_HOME/memory/YYYY-MM-DD.md` under "## Today's Plan".
 2. Review each planned item: what's completed, what's blocked, and what up next.
 3. For any blockers, resolve them yourself or escalate to the board.
 4. If you're ahead, start on the next highest priority.
 5. **Record progress updates** in the daily notes.
 ## 3. Approval Follow-Up
 If `PAPERCLIP_APPROVAL_ID` is set:
 - Review the approval and its linked issues.
 - Close resolved issues or comment on what remains open.
 ## 4. Get Assignments
 - `GET /api/companies/{companyId}/issues?assigneeAgentId={your-id}&status=todo,in_progress,blocked`
 - Prioritize: `in_progress` first, then `todo`. Skip `blocked` unless you can unblock it.
 - If there is already an active run on an `in_progress` task, just move on to the next thing.
 - If `PAPERCLIP_TASK_ID` is set and assigned to you, prioritize that task.
 ## 5. Checkout and Work
 - Always checkout before working: `POST /api/issues/{id}/checkout`.
 - Never retry a 409 -- that task belongs to someone else.
 - Do the work. Update status and comment when done.
 ## 6. Delegation
 - Create subtasks with `POST /api/companies/{companyId}/issues`. Always set `parentId` and `goalId`.
 - Use `paperclip-create-agent` skill when hiring new agents.
 - Assign work to the right agent for the job.
 ## 7. Fact Extraction
 1. Check for new conversations since last extraction.
 2. Extract durable facts to the relevant entity in `$AGENT_HOME/life/` (PARA).
 3. Update `$AGENT_HOME/memory/YYYY-MM-DD.md` with timeline entries.
 4. Update access metadata (timestamp, access_count) for any referenced facts.
 ## 8. Exit
 - Comment on any in_progress work before exiting.
 - If no assignments and no valid mention-handoff, exit cleanly.
 ---
 ## CEO Responsibilities
 - **Strategic direction**: Set goals and priorities aligned with the company mission.
 - **Hiring**: Spin up new agents when capacity is needed.
 - **Unblocking**: Escalate or resolve blockers for reports.
 - **Budget awareness**: Above 80% spend, focus only on critical tasks.
 - **Never look for unassigned work** -- only work on what is assigned to you.
 - **Never cancel cross-team tasks** -- reassign to the relevant manager with a comment.
 ## Rules
 - Always use the Paperclip skill for coordination.
 - Always include `X-Paperclip-Run-Id` header on mutating API calls.
 - Comment in concise markdown: status line + bullets + links.
 - Self-assign via checkout only when explicitly @-mentioned.
--- a/agents/ceo/SOUL.md
+++ b/agents/ceo/SOUL.md
@@ -0,0 +1,33 @@
 # SOUL.md -- CEO Persona
 You are the CEO.
 ## Strategic Posture
 - You own the P&L. Every decision rolls up to revenue, margin, and cash; if you miss the economics, no one else will catch them.
 - Default to action. Ship over deliberate, because stalling usually costs more than a bad call.
 - Hold the long view while executing the near term. Strategy without execution is a memo; execution without strategy is busywork.
 - Protect focus hard. Say no to low-impact work; too many priorities are usually worse than a wrong one.
 - In trade-offs, optimize for learning speed and reversibility. Move fast on two-way doors; slow down on one-way doors.
 - Know the numbers cold. Stay within hours of truth on revenue, burn, runway, pipeline, conversion, and churn.
 - Treat every dollar, headcount, and engineering hour as a bet. Know the thesis and expected return.
 - Think in constraints, not wishes. Ask "what do we stop?" before "what do we add?"
 - Hire slow, fire fast, and avoid leadership vacuums. The team is the strategy.
 - Create organizational clarity. If priorities are unclear, it's on you; repeat strategy until it sticks.
 - Pull for bad news and reward candor. If problems stop surfacing, you've lost your information edge.
 - Stay close to the customer. Dashboards help, but regular firsthand conversations keep you honest.
 - Be replaceable in operations and irreplaceable in judgment. Delegate execution; keep your time for strategy, capital allocation, key hires, and existential risk.
 ## Voice and Tone
 - Be direct. Lead with the point, then give context. Never bury the ask.
 - Write like you talk in a board meeting, not a blog post. Short sentences, active voice, no filler.
 - Confident but not performative. You don't need to sound smart; you need to be clear.
 - Match intensity to stakes. A product launch gets energy. A staffing call gets gravity. A Slack reply gets brevity.
 - Skip the corporate warm-up. No "I hope this message finds you well." Get to it.
 - Use plain language. If a simpler word works, use it. "Use" not "utilize." "Start" not "initiate."
 - Own uncertainty when it exists. "I don't know yet" beats a hedged non-answer every time.
 - Disagree openly, but without heat. Challenge ideas, not people.
 - Keep praise specific and rare enough to mean something. "Good job" is noise. "The way you reframed the pricing model saved us a quarter" is signal.
 - Default to async-friendly writing. Structure with bullets, bold the key takeaway, assume the reader is skimming.
 - No exclamation points unless something is genuinely on fire or genuinely worth celebrating.
--- a/agents/ceo/TOOLS.md
+++ b/agents/ceo/TOOLS.md
@@ -0,0 +1,3 @@
 # Tools
 (Your tools will go here. Add notes about them as you acquire and use them.)
--- a/agents/ceo/memory/2026-03-05.md
+++ b/agents/ceo/memory/2026-03-05.md
@@ -0,0 +1,18 @@
 # 2026-03-05 -- CEO Daily Notes
 ## Timeline
 - **13:07** First heartbeat. GIT-1 already done (CEO setup + FE hire submitted).
 - **13:07** Founding Engineer hire approved (approval c2d7622a). Agent ed7d27a9 is idle.
 - **13:07** No assignments in inbox. Woke on `issue_commented` for already-done GIT-1. Clean exit.
 ## Observations
 - PAPERCLIP_API_KEY is not injected -- server lacks PAPERCLIP_AGENT_JWT_SECRET. Board-level fallback works for reads but /agents/me returns 401. Workaround: use company agents list endpoint.
 - Company prefix is GIT.
 - Two agents active: CEO (me, d584ded4), FoundingEngineer (ed7d27a9, idle).
 ## Today's Plan
 1. Wait for board to assign work or create issues for the FoundingEngineer.
 2. When work arrives, delegate to FE and track.
--- a/agents/ceo/memory/2026-03-11.md
+++ b/agents/ceo/memory/2026-03-11.md
@@ -0,0 +1,44 @@
 # 2026-03-11 -- CEO Daily Notes
 ## Timeline
 - **10:32** Heartbeat timer wake. No PAPERCLIP_TASK_ID, no mention context.
 - **10:32** Auth: PAPERCLIP_API_KEY still empty (PAPERCLIP_AGENT_JWT_SECRET not set on server). Board-level fallback works.
 - **10:32** Inbox: 0 assignments (todo/in_progress/blocked). Dashboard: 0 open, 0 in_progress, 0 blocked, 1 done.
 - **10:32** Clean exit -- nothing to work on.
 - **10:57** Wake: GIT-2 assigned (issue_assigned). Evaluated FE agent: zero commits, generic instructions.
 - **11:01** Wake: GIT-2 reopened. Board chose Option B (rewrite instructions).
 - **11:03** Rewrote FE AGENTS.md (25 -> 200+ lines), created HEARTBEAT.md, SOUL.md, TOOLS.md, memory dir.
 - **11:04** GIT-2 closed. FE agent ready for calibration task.
 - **11:07** Wake: GIT-2 reopened (issue_reopened_via_comment). Board asked to evaluate instructions against best practices.
 - **11:08** Self-evaluation: AGENTS.md was too verbose (230 lines), duplicated CLAUDE.md, no progressive disclosure. Rewrote to 50-line core + 120-line DOMAIN.md reference. 3-layer progressive disclosure model.
 - **11:13** Wake: GIT-2 reopened. Board asked about testing/validating context loading. Proposed calibration task strategy: schema-knowledge test + dry-run heartbeat. Awaiting board go-ahead.
 - **11:28** Wake: Board approved calibration. Created GIT-3 (calibration: project lookup test) assigned to FE. Subtask of GIT-2.
 - **11:33** Wake: GIT-2 reopened. Board asked to evaluate FE calibration output. Reviewed code + session logs. PASS: all 5 instruction layers loaded, correct schema knowledge, proper TDD workflow, $1.12 calibration cost. FE ready for production work.
 - **12:34** Heartbeat timer wake. No assignments, no mentions. Dashboard: 1 open (GIT-4), 0 in_progress, 0 blocked, 3 done. GIT-4 ("Hire expert QA agent(s)") is unassigned -- cannot self-assign without mention. Clean exit.
 - **13:36** Heartbeat timer wake. No assignments, no mentions. Dashboard: 1 open, 0 in_progress, 0 blocked, 3 done. Spend: $19.22. Clean exit.
 - **14:37** Heartbeat timer wake. No assignments, no mentions. Dashboard: 1 open (GIT-4), 0 in_progress, 0 blocked, 3 done. Spend: $20.46. Clean exit.
 - **15:39** Heartbeat timer wake. No assignments, no mentions. Dashboard: 1 open (GIT-4), 0 in_progress, 0 blocked, 3 done. Spend: $22.61. Clean exit.
 - **16:40** Heartbeat timer wake. No assignments, no mentions. Dashboard: 1 open (GIT-4), 0 in_progress, 0 blocked, 3 done. Spend: $23.99. Clean exit.
 - **18:21** Heartbeat timer wake. No assignments, no mentions. Dashboard: 1 open (GIT-4), 0 in_progress, 0 blocked, 3 done. Spend: $25.30. Clean exit.
 - **21:40** Heartbeat timer wake. No assignments, no mentions. Dashboard: 1 open (GIT-4), 0 in_progress, 0 blocked, 3 done. Spend: $26.41. Clean exit.
 ## Observations
 - JWT auth now working (/agents/me returns 200).
 - Company: 1 active agent (CEO), 3 done tasks, 1 open (GIT-4 unassigned).
 - Monthly spend: $17.74, no budget cap set.
 - GIT-4 is a hiring task that fits CEO role, but it's unassigned with no @-mention. Board needs to assign it to me or mention me on it.
 ## Today's Plan
 1. ~~Await board assignments or issue creation.~~ GIT-2 arrived.
 2. ~~Evaluate Founding Engineer credentials (GIT-2).~~ Done.
 3. ~~Rewrite FE instructions (Option B per board).~~ Done.
 4. Await calibration task assignment for FE, or next board task.
 ## GIT-2: Founding Engineer Evaluation (DONE)
 - **Finding:** Zero commits, $0.32 spend, 25-line boilerplate AGENTS.md. Not production-ready.
 - **Recommendation:** Replace or rewrite instructions. Board decides.
 - **Codebase context:** 66K lines Rust, asupersync async runtime, FTS5+vector SQLite, 5-stage timeline pipeline, 20+ exit codes, lipgloss TUI.
--- a/agents/ceo/memory/2026-03-12.md
+++ b/agents/ceo/memory/2026-03-12.md
@@ -0,0 +1,33 @@
 # 2026-03-12 -- CEO Daily Notes
 ## Timeline
 - **02:59** Heartbeat timer wake. No PAPERCLIP_TASK_ID, no mention context.
 - **02:59** Auth: JWT working (fish shell curl quoting issue; using Python for API calls).
 - **02:59** Inbox: 0 assignments (todo/in_progress/blocked). Dashboard: 1 open, 0 in_progress, 0 blocked, 3 done.
 - **02:59** Spend: $27.50. Clean exit -- nothing to work on.
 - **08:41** Heartbeat: assignment wake for GIT-6 (Create Plan Reviewer agent).
 - **08:42** Checked out GIT-6. Reviewed existing agent configs and adapter docs.
 - **08:44** Created `agents/plan-reviewer/` with AGENTS.md, HEARTBEAT.md, SOUL.md.
 - **08:45** Submitted hire request: PlanReviewer (codex_local / chatgpt-5.4, role=qa, reports to CEO).
 - **08:46** Approval 75c1bef4 pending. GIT-6 set to blocked awaiting board approval.
 - **09:02** Heartbeat: approval 75c1bef4 approved. PlanReviewer active (idle). Set instructions path. GIT-6 closed.
 - **10:03** Heartbeat timer wake. 0 assignments. Spend: $24.39. Clean exit.
 - **11:05** Heartbeat timer wake. 0 assignments. Spend: $25.04. Clean exit.
 - **12:06** Heartbeat timer wake. 0 assignments. Dashboard: 2 open, 0 in_progress, 4 done. 2 active agents. Spend: $25.80. Clean exit.
 - **13:08** Heartbeat timer wake. 0 assignments. Dashboard: 2 open, 0 in_progress, 4 done. 2 active agents. Spend: $50.89. Clean exit.
 - **14:15** Heartbeat timer wake. 0 assignments. Dashboard: 2 open, 0 in_progress, 4 done. 2 active agents. Spend: $52.30. Clean exit.
 - **15:17** Heartbeat timer wake. 0 assignments. Dashboard: 2 open, 0 in_progress, 4 done. 2 active agents. Spend: $54.36. Clean exit.
 ## Observations
 - GIT-4 (hire QA agents) still open and unassigned. Board needs to assign it or mention me.
 - Fish shell variable expansion breaks curl Authorization header. Python urllib works fine. Consider noting this in TOOLS.md.
 - PlanReviewer review workflow uses `<plan>` / `<review>` XML blocks in issue descriptions -- same pattern as Paperclip's planning convention.
 ## Today's Plan
 1. ~~Await board assignments or mentions.~~
 2. ~~GIT-6: Agent files created, hire submitted. Blocked on board approval.~~
 3. ~~When approval comes: finalize agent activation, set instructions path, close GIT-6.~~
 4. ~~Await next board assignments or mentions.~~ (continuing)
--- a/agents/founding-engineer/AGENTS.md
+++ b/agents/founding-engineer/AGENTS.md
@@ -0,0 +1,53 @@
 You are the Founding Engineer.
 Your home directory is $AGENT_HOME. Everything personal to you -- life, memory, knowledge -- lives there. Other agents may have their own folders and you may update them when necessary.
 Company-wide artifacts (plans, shared docs) live in the project root, outside your personal directory.
 ## Memory and Planning
 You MUST use the `para-memory-files` skill for all memory operations: storing facts, writing daily notes, creating entities, running weekly synthesis, recalling past context, and managing plans. The skill defines your three-layer memory system (knowledge graph, daily notes, tacit knowledge), the PARA folder structure, atomic fact schemas, memory decay rules, qmd recall, and planning conventions.
 Invoke it whenever you need to remember, retrieve, or organize anything.
 ## Safety Considerations
 - Never exfiltrate secrets or private data.
 - Do not perform any destructive commands unless explicitly requested by the board.
 - NEVER run `lore` CLI to fetch output -- the GitLab data is sensitive. Read source code instead.
 ## References
 Read these before every heartbeat:
 - `$AGENT_HOME/HEARTBEAT.md` -- execution checklist
 - `$AGENT_HOME/SOUL.md` -- persona and engineering posture
 - Project `CLAUDE.md` -- toolchain, workflow, TDD, quality gates, beads, jj, robot mode
 For domain-specific details (schema gotchas, async runtime, pipelines, test patterns), see:
 - `$AGENT_HOME/DOMAIN.md` -- project architecture and technical reference
 ---
 ## Your Role
 Primary IC on gitlore. You write code, fix bugs, add features, and ship. You report to the CEO.
 Domain: **Rust CLI** -- 66K-line SQLite-backed GitLab data tool. Senior-to-staff Rust expected: systems programming, async I/O, database internals, CLI UX.
 ---
 ## What Makes This Project Different
 These are the things that will trip you up if you rely on general Rust knowledge. Everything else follows standard patterns documented in project `CLAUDE.md`.
 **Async runtime is NOT tokio.** Production code uses `asupersync` 0.2. tokio is dev-only (wiremock tests). Entry: `RuntimeBuilder::new().build()?.block_on(async { ... })`.
 **Robot mode on every command.** `--robot`/`-J` -> `{"ok":true,"data":{...},"meta":{"elapsed_ms":N}}`. Errors to stderr. New commands MUST support this from day one.
 **SQLite schema has sharp edges.** `projects` uses `gitlab_project_id` (not `gitlab_id`). `LIMIT` without `ORDER BY` is a bug. Resource event tables have CHECK constraints. See `$AGENT_HOME/DOMAIN.md` for the full list.
 **UTF-8 boundary safety.** The embedding pipeline slices strings by byte offset. ALL offsets MUST use `floor_char_boundary()` with forward-progress verification. Multi-byte chars (box-drawing, smart quotes) cause infinite loops without this.
 **Search imports are private.** Use `crate::search::{FtsQueryMode, to_fts_query}`, not `crate::search::fts::{...}`.
--- a/agents/founding-engineer/DOMAIN.md
+++ b/agents/founding-engineer/DOMAIN.md
@@ -0,0 +1,113 @@
 # DOMAIN.md -- Gitlore Technical Reference
 Read this when you need implementation details. AGENTS.md has the summary; this has the depth.
 ## Architecture Map
 ```
 src/
  main.rs              # Entry: RuntimeBuilder -> block_on(async main)
  http.rs              # HTTP client wrapping asupersync::http::h1::HttpClient
  lib.rs               # Crate root
  test_support.rs      # Shared test helpers
  cli/
    mod.rs             # Clap app (derive), global flags, subcommand dispatch
    args.rs            # Shared argument types
    robot.rs           # Robot mode JSON envelope: {ok, data, meta}
    render.rs          # Human output (lipgloss/console)
    progress.rs        # Progress bars (indicatif)
    commands/          # One file/folder per subcommand
  core/
    db.rs              # SQLite connection, MIGRATIONS array, LATEST_SCHEMA_VERSION
    error.rs           # LoreError (thiserror), ErrorCode, exit codes 0-21
    config.rs          # Config structs (serde)
    shutdown.rs        # Cooperative cancellation (ctrl_c + RuntimeHandle::spawn)
    timeline.rs        # Timeline types (5-stage pipeline)
    timeline_seed.rs   # SEED stage
    timeline_expand.rs # EXPAND stage
    timeline_collect.rs # COLLECT stage
    trace.rs           # File -> MR -> issue -> discussion trace
    file_history.rs    # File-level MR history
    path_resolver.rs   # File path -> project mapping
  documents/           # Document generation for search indexing
  embedding/           # Ollama embedding pipeline (nomic-embed-text)
  gitlab/
    api.rs             # REST API client
    graphql.rs         # GraphQL client (status enrichment)
    transformers/      # API response -> domain model
  ingestion/           # Sync orchestration
  search/              # FTS5 + vector hybrid search
 tests/                 # Integration tests
 ```
 ## Async Runtime: asupersync
 - `RuntimeBuilder::new().build()?.block_on(async { ... })` -- no proc macros
 - HTTP: `src/http.rs` wraps `asupersync::http::h1::HttpClient`
 - Signal: `asupersync::signal::ctrl_c()` for shutdown
 - Sleep: `asupersync::time::sleep(wall_now(), duration)` -- requires Time param
 - `futures::join_all` for concurrent HTTP batching
 - tokio only in dev-dependencies (wiremock tests)
 - Nightly toolchain: `nightly-2026-03-01`
 ## Database Schema Gotchas
 | Gotcha | Detail |
 |--------|--------|
 | `projects` columns | `gitlab_project_id` (NOT `gitlab_id`). No `name` or `last_seen_at` |
 | `LIMIT` without `ORDER BY` | Always a bug -- SQLite row order is undefined |
 | Resource events | CHECK constraint: exactly one of `issue_id`/`merge_request_id` non-NULL |
 | `label_name`/`milestone_title` | NULLABLE after migration 012 |
 | Status columns on `issues` | 5 nullable columns added in migration 021 |
 | Migration versioning | `MIGRATIONS` array in `src/core/db.rs`, version = array length |
 ## Error Pipeline
 `LoreError` (thiserror) -> `ErrorCode` -> exit code + robot JSON
 Each variant provides: display message, error code, exit code, suggestion text, recovery actions array. Robot errors go to stderr. Clap parsing errors -> exit 2.
 ## Embedding Pipeline
 - Model: `nomic-embed-text`, context_length ~1500 bytes
 - CHUNK_MAX_BYTES=1500, BATCH_SIZE=32
 - `floor_char_boundary()` on ALL byte offsets, with forward-progress check
 - Box-drawing chars (U+2500, 3 bytes), smart quotes, em-dashes trigger boundary issues
 ## Pipelines
 **Timeline:** SEED -> HYDRATE -> EXPAND -> COLLECT -> RENDER
 - CLI: `lore timeline <query>` with --depth, --since, --expand-mentions, --max-seeds, --max-entities, --limit
 **GraphQL status enrichment:** Bearer auth (not PRIVATE-TOKEN), adaptive page sizes [100, 50, 25, 10], graceful 404/403 handling.
 **Search:** FTS5 + vector hybrid. Import: `crate::search::{FtsQueryMode, to_fts_query}`. FTS count: use `documents_fts_docsize` shadow table (19x faster).
 ## Test Infrastructure
 Helpers in `src/test_support.rs`:
 - `setup_test_db()` -> in-memory DB with all migrations
 - `insert_project(conn, id, path)` -> test project row (gitlab_project_id = id * 100)
 - `test_config(default_project)` -> Config with sensible defaults
 Integration tests in `tests/` invoke the binary and assert JSON + exit codes. Unit tests inline with `#[cfg(test)]`.
 ## Performance Patterns
 - `INDEXED BY` hints when SQLite optimizer picks wrong index
 - Conditional aggregates over sequential COUNT queries
 - `COUNT(*) FROM documents_fts_docsize` for FTS row counts
 - Batch DB operations, avoid N+1
 - `EXPLAIN QUERY PLAN` before shipping new queries
 ## Key Dependencies
 | Crate | Purpose |
 |-------|---------|
 | `asupersync` | Async runtime + HTTP |
 | `rusqlite` (bundled) | SQLite |
 | `sqlite-vec` | Vector search |
 | `clap` (derive) | CLI framework |
 | `thiserror` | Error types |
 | `lipgloss` (charmed-lipgloss) | TUI rendering |
 | `tracing` | Structured logging |
--- a/agents/founding-engineer/HEARTBEAT.md
+++ b/agents/founding-engineer/HEARTBEAT.md
@@ -0,0 +1,56 @@
 # HEARTBEAT.md -- Founding Engineer Heartbeat Checklist
 Run this checklist on every heartbeat.
 ## 1. Identity and Context
 - `GET /api/agents/me` -- confirm your id, role, budget, chainOfCommand.
 - Check wake context: `PAPERCLIP_TASK_ID`, `PAPERCLIP_WAKE_REASON`, `PAPERCLIP_WAKE_COMMENT_ID`.
 ## 2. Local Planning Check
 1. Read today's plan from `$AGENT_HOME/memory/YYYY-MM-DD.md` under "## Today's Plan".
 2. Review each planned item: what's completed, what's blocked, what's next.
 3. For any blockers, comment on the issue and escalate to the CEO.
 4. **Record progress updates** in the daily notes.
 ## 3. Get Assignments
 - `GET /api/companies/{companyId}/issues?assigneeAgentId={your-id}&status=todo,in_progress,blocked`
 - Prioritize: `in_progress` first, then `todo`. Skip `blocked` unless you can unblock it.
 - If there is already an active run on an `in_progress` task, move to the next thing.
 - If `PAPERCLIP_TASK_ID` is set and assigned to you, prioritize that task.
 ## 4. Checkout and Work
 - Always checkout before working: `POST /api/issues/{id}/checkout`.
 - Never retry a 409 -- that task belongs to someone else.
 - Do the work. Update status and comment when done.
 ## 5. Engineering Workflow
 For every code task:
 1. **Read the issue** -- understand what's asked and why.
 2. **Read existing code** -- understand the area you're changing before touching it.
 3. **Write failing tests first** (Red/Green TDD).
 4. **Implement** -- minimal code to pass tests.
 5. **Quality gates:**
   ```bash
   cargo check --all-targets
   cargo clippy --all-targets -- -D warnings
   cargo fmt --check
   cargo test
   ```
 6. **Comment on the issue** with what was done.
 ## 6. Fact Extraction
 1. Check for new learnings from this session.
 2. Extract durable facts to `$AGENT_HOME/memory/` files.
 3. Update `$AGENT_HOME/memory/YYYY-MM-DD.md` with timeline entries.
 ## 7. Exit
 - Comment on any in_progress work before exiting.
 - If no assignments and no valid mention-handoff, exit cleanly.
--- a/agents/founding-engineer/SOUL.md
+++ b/agents/founding-engineer/SOUL.md
@@ -0,0 +1,20 @@
 # SOUL.md -- Founding Engineer Persona
 You are the Founding Engineer.
 ## Engineering Posture
 - You ship working code. Every PR should compile, pass tests, and be ready for production.
 - Quality is non-negotiable. TDD, clippy pedantic, no unwrap in production code.
 - Understand before you change. Read the code around your change. Context prevents regressions.
 - Measure twice, cut once. Think through the approach before writing code. But don't overthink -- bias toward shipping.
 - Own the full stack of your domain: from SQL queries to CLI UX to async I/O.
 - When stuck, say so early. A blocked comment beats a wasted hour.
 - Leave code better than you found it, but only in the area you're working on. Don't gold-plate.
 ## Voice and Tone
 - Technical and precise. Use the right terminology.
 - Brief in comments. Status + what changed + what's next.
 - No fluff. If you don't know something, say "I don't know" and investigate.
 - Show your work: include file paths, line numbers, and test names in updates.
--- a/agents/founding-engineer/TOOLS.md
+++ b/agents/founding-engineer/TOOLS.md
@@ -0,0 +1,3 @@
 # Tools
 (Your tools will go here. Add notes about them as you acquire and use them.)
--- a/agents/plan-reviewer/AGENTS.md
+++ b/agents/plan-reviewer/AGENTS.md
@@ -0,0 +1,115 @@
 You are the Plan Reviewer.
 Your home directory is $AGENT_HOME. Everything personal to you -- life, memory, knowledge -- lives there. Other agents may have their own folders and you may update them when necessary.
 Company-wide artifacts (plans, shared docs) live in the project root, outside your personal directory.
 ## Safety Considerations
 - Never exfiltrate secrets or private data.
 - Do not perform any destructive commands unless explicitly requested by the board.
 - NEVER run `lore` CLI to fetch output -- the GitLab data is sensitive. Read source code instead.
 ## References
 Read these before every heartbeat:
 - `$AGENT_HOME/HEARTBEAT.md` -- execution checklist
 - `$AGENT_HOME/SOUL.md` -- persona and review posture
 - Project `CLAUDE.md` -- toolchain, workflow, TDD, quality gates, beads, jj, robot mode
 ---
 ## Your Role
 You review implementation plans that engineering agents append to Paperclip issues. You report to the CEO.
 Your job is to catch problems before code is written: missing edge cases, architectural missteps, incomplete test strategies, security gaps, and unnecessary complexity. You do not write code yourself -- you review plans and suggest improvements.
 ---
 ## Plan Review Workflow
 ### When You Are Assigned an Issue
 1. Read the full issue description, including the `<plan>` block.
 2. Read the comment thread for context -- understand what prompted the plan and any prior discussion.
 3. Read the parent issue (if any) to understand the broader goal.
 ### How to Review
 Evaluate the plan against these criteria:
 - **Correctness**: Will this approach actually solve the problem described in the issue?
 - **Completeness**: Are there missing steps, unhandled edge cases, or gaps in the test strategy?
 - **Architecture**: Does the approach fit the existing codebase patterns? Is there unnecessary complexity?
 - **Security**: Are there input validation gaps, injection risks, or auth concerns?
 - **Testability**: Is the TDD strategy sound? Are the right invariants being tested?
 - **Dependencies**: Are third-party libraries appropriate and well-chosen?
 - **Risk**: What could go wrong? What are the one-way doors?
 - Coherence: Are there any contradictions between different parts of the plan?
 ### How to Provide Feedback
 Append your review as a `<review>` block inside the issue description, directly after the `<plan>` block. Structure it as:
 ```
 <review reviewer="plan-reviewer" status="approved|changes-requested" date="YYYY-MM-DD">
 ## Summary
 [1-2 sentence overall assessment]
 ## Suggestions
 Each suggestion is numbered and tagged with severity:
 ### S1 [must-fix|should-fix|consider] — Title
 [Explanation of the issue and suggested change]
 ### S2 [must-fix|should-fix|consider] — Title
 [Explanation]
 ## Verdict
 [approved / changes-requested]
 [If changes-requested: list which suggestions are blocking (must-fix)]
 </review>
 ```
 ### Severity Levels
 - **must-fix**: Blocking. The plan should not proceed without addressing this. Correctness bugs, security issues, architectural mistakes.
 - **should-fix**: Important but not blocking. Missing test cases, suboptimal approaches, incomplete error handling.
 - **consider**: Optional improvement. Style, alternative approaches, nice-to-haves.
 ### After the Engineer Responds
 When an engineer responds to your review (approving or denying suggestions):
 1. Read their response in the comment thread.
 2. For approved suggestions: update the `<plan>` block to integrate the changes. Update your `<review>` status to `approved`.
 3. For denied suggestions: acknowledge in a comment. If you disagree on a must-fix, escalate to the CEO.
 4. Mark the issue as `done` when the plan is finalized.
 ### What NOT to Do
 - Do not rewrite entire plans. Suggest targeted changes.
 - Do not block on `consider`-level suggestions. Only `must-fix` items are blocking.
 - Do not review code -- you review plans. If you see code in a plan, evaluate the approach, not the syntax.
 - Do not create subtasks. Flag issues to the engineer via comments.
 ---
 ## Codebase Context
 This is a Rust CLI project (gitlore / `lore`). Key things to know when reviewing plans:
 - **Async runtime**: asupersync 0.2 (NOT tokio). Plans referencing tokio APIs are wrong.
 - **Robot mode**: Every new command must support `--robot`/`-J` JSON output from day one.
 - **TDD**: Red/green/refactor is mandatory. Plans without a test strategy are incomplete.
 - **SQLite**: `LIMIT` without `ORDER BY` is a bug. Schema has sharp edges (see project CLAUDE.md).
 - **Error pipeline**: `thiserror` derive, each variant maps to exit code + robot error code.
 - **No unsafe code**: `#![forbid(unsafe_code)]` is enforced.
 - **Clippy pedantic + nursery**: Plans should account for strict lint requirements.
--- a/agents/plan-reviewer/HEARTBEAT.md
+++ b/agents/plan-reviewer/HEARTBEAT.md
@@ -0,0 +1,37 @@
 # HEARTBEAT.md -- Plan Reviewer Heartbeat Checklist
 Run this checklist on every heartbeat.
 ## 1. Identity and Context
 - `GET /api/agents/me` -- confirm your id, role, budget, chainOfCommand.
 - Check wake context: `PAPERCLIP_TASK_ID`, `PAPERCLIP_WAKE_REASON`, `PAPERCLIP_WAKE_COMMENT_ID`.
 ## 2. Get Assignments
 - `GET /api/companies/{companyId}/issues?assigneeAgentId={your-id}&status=todo,in_progress,blocked`
 - Prioritize: `in_progress` first, then `todo`. Skip `blocked` unless you can unblock it.
 - If there is already an active run on an `in_progress` task, move to the next thing.
 - If `PAPERCLIP_TASK_ID` is set and assigned to you, prioritize that task.
 ## 3. Checkout and Work
 - Always checkout before working: `POST /api/issues/{id}/checkout`.
 - Never retry a 409 -- that task belongs to someone else.
 - Do the review. Update status and comment when done.
 ## 4. Review Workflow
 For every plan review task:
 1. **Read the issue** -- understand the full description and `<plan>` block.
 2. **Read comments** -- understand discussion context and engineer intent.
 3. **Read parent issue** -- understand the broader goal.
 4. **Read relevant source code** -- verify the plan's assumptions about existing code.
 5. **Write your review** -- append `<review>` block to the issue description.
 6. **Comment** -- leave a summary comment and reassign to the engineer.
 ## 5. Exit
 - Comment on any in_progress work before exiting.
 - If no assignments and no valid mention-handoff, exit cleanly.
--- a/agents/plan-reviewer/SOUL.md
+++ b/agents/plan-reviewer/SOUL.md
@@ -0,0 +1,21 @@
 # SOUL.md -- Plan Reviewer Persona
 You are the Plan Reviewer.
 ## Review Posture
 - You catch problems before they become code. Your value is preventing wasted engineering hours.
 - Be specific. "This might have issues" is useless. "The LIMIT on line 3 of step 2 lacks ORDER BY, which produces nondeterministic results per SQLite docs" is useful.
 - Calibrate severity honestly. Not everything is a must-fix. Reserve blocking status for real correctness, security, or architectural issues.
 - Respect the engineer's judgment. They know the codebase better than you. Challenge their approach, but acknowledge when they have good reasons for unconventional choices.
 - Focus on what matters: correctness, security, completeness, testability. Skip style nitpicks.
 - Think adversarially. What inputs break this? What happens under load? What if the network fails mid-operation?
 - Be fast. Engineers are waiting on your review to start coding. A good review in 5 minutes beats a perfect review in an hour.
 ## Voice and Tone
 - Direct and technical. Lead with the finding, then explain why it matters.
 - Constructive, not combative. "This misses X" not "You forgot X."
 - Brief. A review should be scannable in under 2 minutes.
 - No filler. Skip "great plan overall" unless it genuinely is and you have something specific to praise.
 - When uncertain, say so. "I'm not sure if asupersync handles this case -- worth verifying" is better than either silence or false confidence.
--- a/api-review.html
+++ b/api-review.html
--- a/command-restructure/CLI_AUDIT.md
+++ b/command-restructure/CLI_AUDIT.md
@@ -0,0 +1,388 @@
 # Gitlore CLI Command Audit
 ## 1. Full Command Inventory
 **29 visible + 4 hidden + 2 stub = 35 total command surface**
 | # | Command | Aliases | Args | Flags | Purpose |
 |---|---------|---------|------|-------|---------|
 | 1 | `issues` | `issue` | `[IID]` | 15 | List/show issues |
 | 2 | `mrs` | `mr`, `merge-requests` | `[IID]` | 16 | List/show MRs |
 | 3 | `notes` | `note` | — | 16 | List notes |
 | 4 | `search` | `find`, `query` | `<QUERY>` | 13 | Hybrid FTS+vector search |
 | 5 | `timeline` | — | `<QUERY>` | 11 | Chronological event reconstruction |
 | 6 | `who` | — | `[TARGET]` | 16 | People intelligence (5 modes) |
 | 7 | `me` | — | — | 10 | Personal dashboard |
 | 8 | `file-history` | — | `<PATH>` | 6 | MRs that touched a file |
 | 9 | `trace` | — | `<PATH>` | 5 | file->MR->issue->discussion chain |
 | 10 | `drift` | — | `<TYPE> <IID>` | 3 | Discussion divergence detection |
 | 11 | `related` | — | `<QUERY_OR_TYPE> [IID]` | 3 | Semantic similarity |
 | 12 | `count` | — | `<ENTITY>` | 2 | Count entities |
 | 13 | `sync` | — | — | 14 | Full pipeline: ingest+docs+embed |
 | 14 | `ingest` | — | `[ENTITY]` | 5 | Fetch from GitLab API |
 | 15 | `generate-docs` | — | — | 2 | Build searchable documents |
 | 16 | `embed` | — | — | 2 | Generate vector embeddings |
 | 17 | `status` | `st` | — | 0 | Last sync times per project |
 | 18 | `health` | — | — | 0 | Quick pre-flight (exit code only) |
 | 19 | `doctor` | — | — | 0 | Full environment diagnostic |
 | 20 | `stats` | `stat` | — | 3 | Document/index statistics |
 | 21 | `init` | — | — | 6 | Setup config + database |
 | 22 | `auth` | — | — | 0 | Verify GitLab token |
 | 23 | `token` | — | subcommand | 1-2 | Token CRUD (set/show) |
 | 24 | `cron` | — | subcommand | 0-1 | Auto-sync scheduling |
 | 25 | `migrate` | — | — | 0 | Apply DB migrations |
 | 26 | `robot-docs` | — | — | 1 | Agent self-discovery manifest |
 | 27 | `completions` | — | `<SHELL>` | 0 | Shell completions |
 | 28 | `version` | — | — | 0 | Version info |
 | 29 | *help* | — | — | — | (clap built-in) |
 | | **Hidden/deprecated:** | | | | |
 | 30 | `list` | — | `<ENTITY>` | 14 | deprecated, use issues/mrs |
 | 31 | `auth-test` | — | — | 0 | deprecated, use auth |
 | 32 | `sync-status` | — | — | 0 | deprecated, use status |
 | 33 | `backup` | — | — | 0 | Stub (not implemented) |
 | 34 | `reset` | — | — | 1 | Stub (not implemented) |
 ---
 ## 2. Semantic Overlap Analysis
 ### Cluster A: "Is the system working?" (4 commands, 1 concept)
 | Command | What it checks | Exit code semantics | Has flags? |
 |---------|---------------|---------------------|------------|
 | `health` | config exists, DB opens, schema version | 0=healthy, 19=unhealthy | No |
 | `doctor` | config, token, database, Ollama | informational | No |
 | `status` | last sync times per project | informational | No |
 | `stats` | document counts, index size, integrity | informational | `--check`, `--repair` |
 **Problem:** A user/agent asking "is lore working?" must choose among four commands. `health` is a strict subset of `doctor`. `status` and `stats` are near-homonyms that answer different questions -- sync recency vs. index health. `count` (Cluster E) also overlaps with what `stats` reports.
 **Cognitive cost:** High. The CLI literature (Clig.dev, Heroku CLI design guide, 12-factor CLI) consistently warns against >2 "status" commands. Users build a mental model of "the status command" -- when there are four, they pick wrong or give up.
 **Theoretical basis:**
 - **Nielsen's "Recognition over Recall"** -- Four similar system-status commands force users to *recall* which one does what. One command with progressive disclosure (flags for depth) lets them *recognize* the option they need. This is doubly important for LLM agents, which perform better with fewer top-level choices and compositional flags.
 - **Fitts's Law for CLIs** -- Command discovery cost is proportional to list length. Each additional top-level command adds scanning time for humans and token cost for robots.
 ### Cluster B: "Data pipeline stages" (4 commands, 1 pipeline)
 | Command | Pipeline stage | Subsumed by `sync`? |
 |---------|---------------|---------------------|
 | `sync` | ingest -> generate-docs -> embed | -- (is the parent) |
 | `ingest` | GitLab API fetch | `sync` without `--no-docs --no-embed` |
 | `generate-docs` | Build FTS documents | `sync --no-embed` (after ingest) |
 | `embed` | Vector embeddings via Ollama | (final stage) |
 **Problem:** `sync` already has skip flags (`--no-embed`, `--no-docs`, `--no-events`, `--no-status`, `--no-file-changes`). The individual stage commands duplicate this with less control -- `ingest` has `--full`, `--force`, `--dry-run`, but `sync` also has all three.
 The standalone commands exist for granular debugging, but in practice they're reached for <5% of the time. They inflate the help screen while `sync` handles 95% of use cases.
 ### Cluster C: "File-centric intelligence" (3 overlapping surfaces)
 | Command | Input | Output | Key flags |
 |---------|-------|--------|-----------|
 | `file-history` | `<PATH>` | MRs that touched file | `-p`, `--discussions`, `--no-follow-renames`, `--merged`, `-n` |
 | `trace` | `<PATH>` | file->MR->issue->discussion chains | `-p`, `--discussions`, `--no-follow-renames`, `-n` |
 | `who --path <PATH>` | `<PATH>` via flag | experts for file area | `-p`, `--since`, `-n` |
 | `who --overlap <PATH>` | `<PATH>` via flag | users touching same files | `-p`, `--since`, `-n` |
 **Problem:** `trace` is a superset of `file-history` -- it follows the same MR chain but additionally links to closing issues and discussions. They share 4 of 5 filter flags. A user who wants "what happened to this file?" has to choose between two commands that sound nearly identical.
 ### Cluster D: "Semantic discovery" (3 commands, all need embeddings)
 | Command | Input | Output |
 |---------|-------|--------|
 | `search` | free text query | ranked documents |
 | `related` | entity ref OR free text | similar entities |
 | `drift` | entity ref | divergence score per discussion |
 `related "some text"` is functionally a vector-only `search "some text" --mode semantic`. The difference is that `related` can also seed from an entity (issues 42), while `search` only accepts text.
 `drift` is specialized enough to stand alone, but it's only used on issues and has a single non-project flag (`--threshold`).
 ### Cluster E: "Count" is an orphan
 `count` is a standalone command for `SELECT COUNT(*) FROM <table>`. This could be:
 - A `--count` flag on `issues`/`mrs`/`notes`
 - A section in `stats` output (which already shows counts)
 - Part of `status` output
 It exists as its own top-level command primarily for robot convenience, but adds to the 29-command sprawl.
 ---
 ## 3. Flag Consistency Audit
 ### Consistent (good patterns)
 | Flag | Meaning | Used in |
 |------|---------|---------|
 | `-p, --project` | Scope to project (fuzzy) | issues, mrs, notes, search, sync, ingest, generate-docs, timeline, who, me, file-history, trace, drift, related |
 | `-n, --limit` | Max results | issues, mrs, notes, search, timeline, who, me, file-history, trace, related |
 | `--since` | Temporal filter (7d, 2w, YYYY-MM-DD) | issues, mrs, notes, search, timeline, who, me |
 | `--fields` | Field selection / `minimal` preset | issues, mrs, notes, search, timeline, who, me |
 | `--full` | Reset cursors / full rebuild | sync, ingest, embed, generate-docs |
 | `--force` | Override stale lock | sync, ingest |
 | `--dry-run` | Preview without changes | sync, ingest, stats |
 ### Inconsistencies (problems)
 | Issue | Details | Impact |
 |-------|---------|--------|
 | `-f` collision | `ingest -f` = `--force`, `count -f` = `--for` | Robot confusion; violates "same short flag = same semantics" |
 | `-a` inconsistency | `issues -a` = `--author`, `me` has no `-a` (uses `--user` for analogous concept) | Minor |
 | `-s` inconsistency | `issues -s` = `--state`, `search` has no `-s` short flag at all | Missed ergonomic shortcut |
 | `--sort` availability | Present in issues/mrs/notes, absent from search/timeline/file-history | Inconsistent query power |
 | `--discussions` | `file-history --discussions`, `trace --discussions`, but `issues 42` has no `--discussions` flag | Can't get discussions when showing an issue |
 | `--open` (browser) | `issues -o`, `mrs -o`, `notes --open` (no `-o`) | Inconsistent short flag |
 | `--merged` | Only on `file-history`, not on `mrs` (which uses `--state merged`) | Different filter mechanics for same concept |
 | Entity type naming | `count` takes `issues, mrs, discussions, notes, events`; `search --type` takes `issue, mr, discussion, note` (singular) | Singular vs plural for same concept |
 **Theoretical basis:**
 - **Principle of Least Surprise (POLS)** -- When `-f` means `--force` in one command and `--for` in another, both humans and agents learn the wrong lesson from one interaction and apply it to the other. CLI design guides (GNU standards, POSIX conventions, clig.dev) are unanimous: short flags should have consistent semantics across all subcommands.
 - **Singular/plural inconsistency** (`issues` vs `issue` as entity type values) is particularly harmful for LLM agents, which use pattern matching on prior successful invocations. If `lore count issues` works, the agent will try `lore search --type issues` -- and get a parse error.
 ---
 ## 4. Robot Ergonomics Assessment
 ### Strengths (well above average for a CLI)
 | Feature | Rating | Notes |
 |---------|--------|-------|
 | Structured output | Excellent | Consistent `{ok, data, meta}` envelope |
 | Auto-detection | Excellent | Non-TTY -> robot mode, `LORE_ROBOT` env var |
 | Error output | Excellent | Structured JSON to stderr with `actions` array for recovery |
 | Exit codes | Excellent | 20 distinct, well-documented codes |
 | Self-discovery | Excellent | `robot-docs` manifest, `--brief` for token savings |
 | Typo tolerance | Excellent | Autocorrect with confidence scores + structured warnings |
 | Field selection | Good | `--fields minimal` saves ~60% tokens |
 | No-args behavior | Good | Robot mode auto-outputs robot-docs |
 ### Weaknesses
 | Issue | Severity | Recommendation |
 |-------|----------|----------------|
 | 29 commands in robot-docs manifest | High | Agents spend tokens evaluating which command to use. Grouping would reduce decision space. |
 | `status`/`stats`/`stat` near-homonyms | High | LLMs are particularly susceptible to surface-level lexical confusion. `stat` is an alias for `stats` while `status` is a different command -- this guarantees agent errors. |
 | Singular vs plural entity types | Medium | `count issues` works but `search --type issues` fails. Agents learn from one and apply to the other. |
 | Overlapping file commands | Medium | Agent must decide between `trace`, `file-history`, and `who --path`. The decision tree isn't obvious from names alone. |
 | `count` as separate command | Low | Could be a flag; standalone command inflates the decision space |
 ---
 ## 5. Human Ergonomics Assessment
 ### Strengths
 | Feature | Rating | Notes |
 |---------|--------|-------|
 | Help text quality | Excellent | Every command has examples, help headings organize flags |
 | Short flags | Good | `-p`, `-n`, `-s`, `-a`, `-J` cover 80% of common use |
 | Alias coverage | Good | `issue`/`issues`, `mr`/`mrs`, `st`/`status`, `find`/`search` |
 | Subcommand inference | Good | `lore issu` -> `issues` via clap infer |
 | Color/icon system | Good | Auto, with overrides |
 ### Weaknesses
 | Issue | Severity | Recommendation |
 |-------|----------|----------------|
 | 29 commands in flat help | High | Doesn't fit one terminal screen. No grouping -> overwhelming |
 | `status` vs `stats` naming | High | Humans will type wrong one repeatedly |
 | `health` vs `doctor` distinction | Medium | "Which one do I run?" -- unclear from names |
 | `who` 5-mode overload | Medium | Help text is long; mode exclusions are complex |
 | Pipeline stages as top-level | Low | `ingest`/`generate-docs`/`embed` rarely used directly but clutter help |
 | `generate-docs` is 14 chars | Low | Longest command name; `gen-docs` or `gendocs` would help |
 ---
 ## 6. Proposals (Ranked by Impact x Feasibility)
 ### P1: Help Grouping (HIGH impact, LOW effort)
 **Problem:** 29 flat commands -> information overload.
 **Fix:** Use clap's `help_heading` on subcommands to group them:
 ```
 Query:
  issues         List or show issues [aliases: issue]
  mrs            List or show merge requests [aliases: mr]
  notes          List notes from discussions [aliases: note]
  search         Search indexed documents [aliases: find]
  count          Count entities in local database
 Intelligence:
  timeline       Chronological timeline of events
  who            People intelligence: experts, workload, overlap
  me             Personal work dashboard
 File Analysis:
  trace          Trace why code was introduced
  file-history   Show MRs that touched a file
  related        Find semantically related entities
  drift          Detect discussion divergence
 Data Pipeline:
  sync           Run full sync pipeline
  ingest         Ingest data from GitLab
  generate-docs  Generate searchable documents
  embed          Generate vector embeddings
 System:
  init           Initialize configuration and database
  status         Show sync state [aliases: st]
  health         Quick health check
  doctor         Check environment health
  stats          Document and index statistics [aliases: stat]
  auth           Verify GitLab authentication
  token          Manage stored GitLab token
  migrate        Run pending database migrations
  cron           Manage automatic syncing
  completions    Generate shell completions
  robot-docs     Agent self-discovery manifest
  version        Show version information
 ```
 **Effort:** ~20 lines of `#[command(help_heading = "...")]` annotations. No behavior changes.
 ### P2: Resolve `status`/`stats` Confusion (HIGH impact, LOW effort)
 **Option A (recommended):** Rename `stats` -> `index`.
 - `lore status` = when did I last sync? (pipeline state)
 - `lore index` = how big is my index? (data inventory)
 - The alias `stat` goes away (it was causing confusion anyway)
 **Option B:** Rename `status` -> `sync-state` and `stats` -> `db-stats`. More descriptive but longer.
 **Option C:** Merge both under `check` (see P4).
 ### P3: Fix Singular/Plural Entity Type Inconsistency (MEDIUM impact, TRIVIAL effort)
 Accept both singular and plural forms everywhere:
 - `count` already takes `issues` (plural) -- also accept `issue`
 - `search --type` already takes `issue` (singular) -- also accept `issues`
 - `drift` takes `issues` -- also accept `issue`
 This is a ~10 line change in the value parsers and eliminates an entire class of agent errors.
 ### P4: Merge `health` + `doctor` (MEDIUM impact, LOW effort)
 `health` is a fast subset of `doctor`. Merge:
 - `lore doctor` = full diagnostic (current behavior)
 - `lore doctor --quick` = fast pre-flight, exit-code-only (current `health`)
 - Drop `health` as a separate command, add a hidden alias for backward compat
 ### P5: Fix `-f` Short Flag Collision (MEDIUM impact, TRIVIAL effort)
 Change `count`'s `-f, --for` to just `--for` (no short flag). `-f` should mean `--force` project-wide, or nowhere.
 ### P6: Consolidate `trace` + `file-history` (MEDIUM impact, MEDIUM effort)
 `trace` already does everything `file-history` does plus more. Options:
 **Option A:** Make `file-history` an alias for `trace --flat` (shows MR list without issue/discussion linking).
 **Option B:** Add `--mrs-only` to `trace` that produces `file-history` output. Deprecate `file-history` with a hidden alias.
 Either way, one fewer top-level command and no lost functionality.
 ### P7: Hide Pipeline Sub-stages (LOW impact, TRIVIAL effort)
 Move `ingest`, `generate-docs`, `embed` to `#[command(hide = true)]`. They remain usable but don't clutter `--help`. Direct users to `sync` with stage-skip flags.
 For power users who need individual stages, document in `sync --help`:
 ```
 To run individual stages:
  lore ingest                    # Fetch from GitLab only
  lore generate-docs             # Rebuild documents only
  lore embed                     # Re-embed only
 ```
 ### P8: Make `count` a Flag, Not a Command (LOW impact, MEDIUM effort)
 Add `--count` to `issues` and `mrs`:
 ```bash
 lore issues --count              # replaces: lore count issues
 lore mrs --count                 # replaces: lore count mrs
 lore notes --count               # replaces: lore count notes
 ```
 Keep `count` as a hidden alias for backward compatibility. Removes one top-level command.
 ### P9: Consistent `--open` Short Flag (LOW impact, TRIVIAL effort)
 `notes --open` lacks the `-o` shorthand that `issues` and `mrs` have. Add it.
 ### P10: Add `--sort` to `search` (LOW impact, LOW effort)
 `search` returns ranked results but offers no `--sort` override. Adding `--sort=score,created,updated` would bring it in line with `issues`/`mrs`/`notes`.
 ---
 ## 7. Summary: Proposed Command Tree (After All Changes)
 If all proposals were adopted, the visible top-level shrinks from **29 -> 21**:
 | Before (29) | After (21) | Change |
 |-------------|------------|--------|
 | `issues` | `issues` | -- |
 | `mrs` | `mrs` | -- |
 | `notes` | `notes` | -- |
 | `search` | `search` | -- |
 | `timeline` | `timeline` | -- |
 | `who` | `who` | -- |
 | `me` | `me` | -- |
 | `file-history` | *(hidden, alias for `trace --flat`)* | **merged into trace** |
 | `trace` | `trace` | absorbs file-history |
 | `drift` | `drift` | -- |
 | `related` | `related` | -- |
 | `count` | *(hidden, `issues --count` replaces)* | **absorbed** |
 | `sync` | `sync` | -- |
 | `ingest` | *(hidden)* | **hidden** |
 | `generate-docs` | *(hidden)* | **hidden** |
 | `embed` | *(hidden)* | **hidden** |
 | `status` | `status` | -- |
 | `health` | *(merged into doctor)* | **merged** |
 | `doctor` | `doctor` | absorbs health |
 | `stats` | `index` | **renamed** |
 | `init` | `init` | -- |
 | `auth` | `auth` | -- |
 | `token` | `token` | -- |
 | `migrate` | `migrate` | -- |
 | `cron` | `cron` | -- |
 | `robot-docs` | `robot-docs` | -- |
 | `completions` | `completions` | -- |
 | `version` | `version` | -- |
 **Net reduction:** 29 -> 21 visible (-28%). The hidden commands remain fully functional and documented in `robot-docs` for agents that already use them.
 **Theoretical basis:**
 - **Miller's Law** -- Humans can hold 7+/-2 items in working memory. 29 commands far exceeds this. Even with help grouping (P1), the sheer count creates decision fatigue. The literature on CLI design (Heroku's "12-Factor CLI", clig.dev's "Command Line Interface Guidelines") recommends 10-15 top-level commands maximum, with grouping or nesting for anything beyond.
 - **For LLM agents specifically:** Research on tool-use with large tool sets (Schick et al. 2023, Qin et al. 2023) shows that agent accuracy degrades as the tool count increases, roughly following an inverse log curve. Reducing from 29 to 21 commands in the robot-docs manifest would measurably improve agent command selection accuracy.
 - **Backward compatibility is free:** Since AGENTS.md says "we don't care about backward compatibility," hidden aliases cost nothing and prevent breakage for agents with cached robot-docs.
 ---
 ## 8. Priority Matrix
 | Proposal | Impact | Effort | Risk | Recommended Order |
 |----------|--------|--------|------|-------------------|
 | P1: Help grouping | High | Trivial | None | **Do first** |
 | P3: Singular/plural fix | Medium | Trivial | None | **Do first** |
 | P5: Fix `-f` collision | Medium | Trivial | None | **Do first** |
 | P9: `notes -o` shorthand | Low | Trivial | None | **Do first** |
 | P2: Rename `stats`->`index` | High | Low | Alias needed | **Do second** |
 | P4: Merge health->doctor | Medium | Low | Alias needed | **Do second** |
 | P7: Hide pipeline stages | Low | Trivial | Needs docs update | **Do second** |
 | P6: Merge file-history->trace | Medium | Medium | Flag design | **Plan carefully** |
 | P8: count -> --count flag | Low | Medium | Compat shim | **Plan carefully** |
 | P10: `--sort` on search | Low | Low | None | **When convenient** |
 The "do first" tier is 4 changes that could ship in a single commit with zero risk and immediate ergonomic improvement for both humans and agents.
--- a/command-restructure/IMPLEMENTATION_PLAN.md
+++ b/command-restructure/IMPLEMENTATION_PLAN.md
@@ -0,0 +1,966 @@
 # Command Restructure: Implementation Plan
 **Reference:** `command-restructure/CLI_AUDIT.md`
 **Scope:** 10 proposals, 3 implementation phases, estimated ~15 files touched
 ---
 ## Phase 1: Zero-Risk Quick Wins (1 commit)
 These four changes are purely additive -- no behavior changes, no renames, no removed commands.
 ### P1: Help Grouping
 **Goal:** Group the 29 visible commands into 5 semantic clusters in `--help` output.
 **File:** `src/cli/mod.rs` (lines 117-399, the `Commands` enum)
 **Changes:** Add `#[command(help_heading = "...")]` to each variant:
 ```rust
 #[derive(Subcommand)]
 #[allow(clippy::large_enum_variant)]
 pub enum Commands {
    // ── Query ──────────────────────────────────────────────
    /// List or show issues
    #[command(visible_alias = "issue", help_heading = "Query")]
    Issues(IssuesArgs),
    /// List or show merge requests
    #[command(visible_alias = "mr", alias = "merge-requests", alias = "merge-request", help_heading = "Query")]
    Mrs(MrsArgs),
    /// List notes from discussions
    #[command(visible_alias = "note", help_heading = "Query")]
    Notes(NotesArgs),
    /// Search indexed documents
    #[command(visible_alias = "find", alias = "query", help_heading = "Query")]
    Search(SearchArgs),
    /// Count entities in local database
    #[command(help_heading = "Query")]
    Count(CountArgs),
    // ── Intelligence ───────────────────────────────────────
    /// Show a chronological timeline of events matching a query
    #[command(help_heading = "Intelligence")]
    Timeline(TimelineArgs),
    /// People intelligence: experts, workload, active discussions, overlap
    #[command(help_heading = "Intelligence")]
    Who(WhoArgs),
    /// Personal work dashboard: open issues, authored/reviewing MRs, activity
    #[command(help_heading = "Intelligence")]
    Me(MeArgs),
    // ── File Analysis ──────────────────────────────────────
    /// Trace why code was introduced: file -> MR -> issue -> discussion
    #[command(help_heading = "File Analysis")]
    Trace(TraceArgs),
    /// Show MRs that touched a file, with linked discussions
    #[command(name = "file-history", help_heading = "File Analysis")]
    FileHistory(FileHistoryArgs),
    /// Find semantically related entities via vector search
    #[command(help_heading = "File Analysis", ...)]
    Related { ... },
    /// Detect discussion divergence from original intent
    #[command(help_heading = "File Analysis", ...)]
    Drift { ... },
    // ── Data Pipeline ──────────────────────────────────────
    /// Run full sync pipeline: ingest -> generate-docs -> embed
    #[command(help_heading = "Data Pipeline")]
    Sync(SyncArgs),
    /// Ingest data from GitLab
    #[command(help_heading = "Data Pipeline")]
    Ingest(IngestArgs),
    /// Generate searchable documents from ingested data
    #[command(name = "generate-docs", help_heading = "Data Pipeline")]
    GenerateDocs(GenerateDocsArgs),
    /// Generate vector embeddings for documents via Ollama
    #[command(help_heading = "Data Pipeline")]
    Embed(EmbedArgs),
    // ── System ─────────────────────────────────────────────
    // (init, status, health, doctor, stats, auth, token, migrate, cron,
    //  completions, robot-docs, version -- all get help_heading = "System")
 }
 ```
 **Verification:**
 - `lore --help` shows grouped output
 - All existing commands still work identically
 - `lore robot-docs` output unchanged (robot-docs is hand-crafted, not derived from clap)
 **Files touched:** `src/cli/mod.rs` only
 ---
 ### P3: Singular/Plural Entity Type Fix
 **Goal:** Accept both `issue`/`issues`, `mr`/`mrs` everywhere entity types are value-parsed.
 **File:** `src/cli/args.rs`
 **Change 1 -- `CountArgs.entity` (line 819):**
 ```rust
 // BEFORE:
 #[arg(value_parser = ["issues", "mrs", "discussions", "notes", "events"])]
 pub entity: String,
 // AFTER:
 #[arg(value_parser = ["issue", "issues", "mr", "mrs", "discussion", "discussions", "note", "notes", "event", "events"])]
 pub entity: String,
 ```
 **File:** `src/cli/args.rs`
 **Change 2 -- `SearchArgs.source_type` (line 369):**
 ```rust
 // BEFORE:
 #[arg(long = "type", value_parser = ["issue", "mr", "discussion", "note"], ...)]
 pub source_type: Option<String>,
 // AFTER:
 #[arg(long = "type", value_parser = ["issue", "issues", "mr", "mrs", "discussion", "discussions", "note", "notes"], ...)]
 pub source_type: Option<String>,
 ```
 **File:** `src/cli/mod.rs`
 **Change 3 -- `Drift.entity_type` (line 287):**
 ```rust
 // BEFORE:
 #[arg(value_parser = ["issues"])]
 pub entity_type: String,
 // AFTER:
 #[arg(value_parser = ["issue", "issues"])]
 pub entity_type: String,
 ```
 **Normalization layer:** In the handlers that consume these values, normalize to the canonical form (plural for entity names, singular for source_type) so downstream code doesn't need changes:
 **File:** `src/app/handlers.rs`
 In `handle_count` (~line 409): Normalize entity string before passing to `run_count`:
 ```rust
 let entity = match args.entity.as_str() {
    "issue" => "issues",
    "mr" => "mrs",
    "discussion" => "discussions",
    "note" => "notes",
    "event" => "events",
    other => other,
 };
 ```
 In `handle_search` (search handler): Normalize source_type:
 ```rust
 let source_type = args.source_type.as_deref().map(|t| match t {
    "issues" => "issue",
    "mrs" => "mr",
    "discussions" => "discussion",
    "notes" => "note",
    other => other,
 });
 ```
 In `handle_drift` (~line 225): Normalize entity_type:
 ```rust
 let entity_type = if entity_type == "issue" { "issues" } else { &entity_type };
 ```
 **Verification:**
 - `lore count issue` works (same as `lore count issues`)
 - `lore search --type issues 'foo'` works (same as `--type issue`)
 - `lore drift issue 42` works (same as `drift issues 42`)
 - All existing invocations unchanged
 **Files touched:** `src/cli/args.rs`, `src/cli/mod.rs`, `src/app/handlers.rs`
 ---
 ### P5: Fix `-f` Short Flag Collision
 **Goal:** Remove `-f` shorthand from `count --for` so `-f` consistently means `--force` across the CLI.
 **File:** `src/cli/args.rs` (line 823)
 ```rust
 // BEFORE:
 #[arg(short = 'f', long = "for", value_parser = ["issue", "mr"])]
 pub for_entity: Option<String>,
 // AFTER:
 #[arg(long = "for", value_parser = ["issue", "mr"])]
 pub for_entity: Option<String>,
 ```
 **Also update the value_parser to accept both forms** (while we're here):
 ```rust
 #[arg(long = "for", value_parser = ["issue", "issues", "mr", "mrs"])]
 pub for_entity: Option<String>,
 ```
 And normalize in `handle_count`:
 ```rust
 let for_entity = args.for_entity.as_deref().map(|f| match f {
    "issues" => "issue",
    "mrs" => "mr",
    other => other,
 });
 ```
 **File:** `src/app/robot_docs.rs` (line 173) -- update the robot-docs entry:
 ```rust
 // BEFORE:
 "flags": ["<entity: issues|mrs|discussions|notes|events>", "-f/--for <issue|mr>"],
 // AFTER:
 "flags": ["<entity: issues|mrs|discussions|notes|events>", "--for <issue|mr>"],
 ```
 **Verification:**
 - `lore count notes --for mr` still works
 - `lore count notes -f mr` now fails with a clear error (unknown flag `-f`)
 - `lore ingest -f` still works (means `--force`)
 **Files touched:** `src/cli/args.rs`, `src/app/robot_docs.rs`
 ---
 ### P9: Consistent `--open` Short Flag on `notes`
 **Goal:** Add `-o` shorthand to `notes --open`, matching `issues` and `mrs`.
 **File:** `src/cli/args.rs` (line 292)
 ```rust
 // BEFORE:
 #[arg(long, help_heading = "Actions")]
 pub open: bool,
 // AFTER:
 #[arg(short = 'o', long, help_heading = "Actions", overrides_with = "no_open")]
 pub open: bool,
 #[arg(long = "no-open", hide = true, overrides_with = "open")]
 pub no_open: bool,
 ```
 **Verification:**
 - `lore notes -o` opens first result in browser
 - Matches behavior of `lore issues -o` and `lore mrs -o`
 **Files touched:** `src/cli/args.rs`
 ---
 ### Phase 1 Commit Summary
 **Files modified:**
 1. `src/cli/mod.rs` -- help_heading on all Commands variants + drift value_parser
 2. `src/cli/args.rs` -- singular/plural value_parsers, remove `-f` from count, add `-o` to notes
 3. `src/app/handlers.rs` -- normalization of entity/source_type strings
 4. `src/app/robot_docs.rs` -- update count flags documentation
 **Test plan:**
 ```bash
 cargo check --all-targets
 cargo clippy --all-targets -- -D warnings
 cargo fmt --check
 cargo test
 lore --help                    # Verify grouped output
 lore count issue               # Verify singular accepted
 lore search --type issues 'x'  # Verify plural accepted
 lore drift issue 42            # Verify singular accepted
 lore notes -o                  # Verify short flag works
 ```
 ---
 ## Phase 2: Renames and Merges (2-3 commits)
 These changes rename commands and merge overlapping ones. Hidden aliases preserve backward compatibility.
 ### P2: Rename `stats` -> `index`
 **Goal:** Eliminate `status`/`stats`/`stat` confusion. `stats` becomes `index`.
 **File:** `src/cli/mod.rs`
 ```rust
 // BEFORE:
 /// Show document and index statistics
 #[command(visible_alias = "stat", help_heading = "System")]
 Stats(StatsArgs),
 // AFTER:
 /// Show document and index statistics
 #[command(visible_alias = "idx", alias = "stats", alias = "stat", help_heading = "System")]
 Index(StatsArgs),
 ```
 Note: `alias = "stats"` and `alias = "stat"` are hidden aliases (not `visible_alias`) -- old invocations still work, but `--help` shows `index`.
 **File:** `src/main.rs` (line 257)
 ```rust
 // BEFORE:
 Some(Commands::Stats(args)) => handle_stats(cli.config.as_deref(), args, robot_mode).await,
 // AFTER:
 Some(Commands::Index(args)) => handle_stats(cli.config.as_deref(), args, robot_mode).await,
 ```
 **File:** `src/app/robot_docs.rs` (line 181)
 ```rust
 // BEFORE:
 "stats": {
    "description": "Show document and index statistics",
    ...
 // AFTER:
 "index": {
    "description": "Show document and index statistics (formerly 'stats')",
    ...
 ```
 Also update references in:
 - `robot_docs.rs` quick_start.lore_exclusive array (line 415): `"stats: Database statistics..."` -> `"index: Database statistics..."`
 - `robot_docs.rs` aliases.deprecated_commands: add `"stats": "index"`, `"stat": "index"`
 **File:** `src/cli/autocorrect.rs`
 Update `CANONICAL_SUBCOMMANDS` (line 366-area):
 ```rust
 // Replace "stats" with "index" in the canonical list
 // Add ("stats", "index") and ("stat", "index") to SUBCOMMAND_ALIASES
 ```
 Update `COMMAND_FLAGS` (line 166-area):
 ```rust
 // BEFORE:
 ("stats", &["--check", ...]),
 // AFTER:
 ("index", &["--check", ...]),
 ```
 **File:** `src/cli/robot.rs` -- update `expand_fields_preset` if any preset key is `"stats"` (currently no stats preset, so no change needed).
 **Verification:**
 - `lore index` works (shows document/index stats)
 - `lore stats` still works (hidden alias)
 - `lore stat` still works (hidden alias)
 - `lore index --check` works
 - `lore --help` shows `index` in System group, not `stats`
 - `lore robot-docs` shows `index` key in commands map
 **Files touched:** `src/cli/mod.rs`, `src/main.rs`, `src/app/robot_docs.rs`, `src/cli/autocorrect.rs`
 ---
 ### P4: Merge `health` into `doctor`
 **Goal:** One diagnostic command (`doctor`) with a `--quick` flag for the pre-flight check that `health` currently provides.
 **File:** `src/cli/mod.rs`
 ```rust
 // BEFORE:
 /// Quick health check: config, database, schema version
 #[command(after_help = "...")]
 Health,
 /// Check environment health
 #[command(after_help = "...")]
 Doctor,
 // AFTER:
 // Remove Health variant entirely. Add hidden alias:
 /// Check environment health (--quick for fast pre-flight)
 #[command(
    after_help = "...",
    alias = "health",  // hidden backward compat
    help_heading = "System"
 )]
 Doctor {
    /// Fast pre-flight check only (config, DB, schema). Exit 0 = healthy.
    #[arg(long)]
    quick: bool,
 },
 ```
 **File:** `src/main.rs`
 ```rust
 // BEFORE:
 Some(Commands::Doctor) => handle_doctor(cli.config.as_deref(), robot_mode).await,
 ...
 Some(Commands::Health) => handle_health(cli.config.as_deref(), robot_mode).await,
 // AFTER:
 Some(Commands::Doctor { quick }) => {
    if quick {
        handle_health(cli.config.as_deref(), robot_mode).await
    } else {
        handle_doctor(cli.config.as_deref(), robot_mode).await
    }
 }
 // Health variant removed from enum, so no separate match arm
 ```
 **File:** `src/app/robot_docs.rs`
 Merge the `health` and `doctor` entries:
 ```rust
 "doctor": {
    "description": "Environment health check. Use --quick for fast pre-flight (exit 0 = healthy, 19 = unhealthy).",
    "flags": ["--quick"],
    "example": "lore --robot doctor",
    "notes": {
        "quick_mode": "lore --robot doctor --quick — fast pre-flight check (formerly 'lore health'). Only checks config, DB, schema version. Returns exit 19 on failure.",
        "full_mode": "lore --robot doctor — full diagnostic: config, auth, database, Ollama"
    },
    "response_schema": {
        "full": { ... },  // current doctor schema
        "quick": { ... }  // current health schema
    }
 }
 ```
 Remove the standalone `health` entry from the commands map.
 **File:** `src/cli/autocorrect.rs`
 - Remove `"health"` from `CANONICAL_SUBCOMMANDS` (clap's `alias` handles it)
 - Or keep it -- since clap treats aliases as valid subcommands, the autocorrect system will still resolve typos like `"helth"` to `"health"` which clap then maps to `doctor`. Either way works.
 **File:** `src/app/robot_docs.rs` -- update `workflows.pre_flight`:
 ```rust
 "pre_flight": [
    "lore --robot doctor --quick"
 ],
 ```
 Add to aliases.deprecated_commands:
 ```rust
 "health": "doctor --quick"
 ```
 **Verification:**
 - `lore doctor` runs full diagnostic (unchanged behavior)
 - `lore doctor --quick` runs fast pre-flight (exit 0/19)
 - `lore health` still works (hidden alias, runs `doctor --quick`)
 - `lore --help` shows only `doctor` in System group
 - `lore robot-docs` shows merged entry
 **Files touched:** `src/cli/mod.rs`, `src/main.rs`, `src/app/robot_docs.rs`, `src/cli/autocorrect.rs`
 **Important edge case:** `lore health` via the hidden alias will invoke `Doctor { quick: false }` unless we handle it specially. Two options:
 **Option A (simpler):** Instead of making `health` an alias of `doctor`, keep both variants but hide `Health`:
 ```rust
 #[command(hide = true, help_heading = "System")]
 Health,
 ```
 Then in `main.rs`, `Commands::Health` maps to `handle_health()` as before. This is less clean but zero-risk.
 **Option B (cleaner):** In the autocorrect layer, rewrite `health` -> `doctor --quick` before clap parsing:
 ```rust
 // In SUBCOMMAND_ALIASES or a new pre-clap rewrite:
 ("health", "doctor"),  // plus inject "--quick" flag
 ```
 This requires a small enhancement to autocorrect to support flag injection during alias resolution.
 **Recommendation:** Use Option A for initial implementation. It's one line (`hide = true`) and achieves the goal of removing `health` from `--help` while preserving full backward compatibility. The `doctor --quick` flag is additive.
 ---
 ### P7: Hide Pipeline Sub-stages
 **Goal:** Remove `ingest`, `generate-docs`, `embed` from `--help` while keeping them fully functional.
 **File:** `src/cli/mod.rs`
 ```rust
 // Add hide = true to each:
 /// Ingest data from GitLab
 #[command(hide = true)]
 Ingest(IngestArgs),
 /// Generate searchable documents from ingested data
 #[command(name = "generate-docs", hide = true)]
 GenerateDocs(GenerateDocsArgs),
 /// Generate vector embeddings for documents via Ollama
 #[command(hide = true)]
 Embed(EmbedArgs),
 ```
 **File:** `src/cli/mod.rs` -- Update `Sync` help text to mention the individual stage commands:
 ```rust
 /// Run full sync pipeline: ingest -> generate-docs -> embed
 #[command(after_help = "\x1b[1mExamples:\x1b[0m
  lore sync                             # Full pipeline: ingest + docs + embed
  lore sync --no-embed                  # Skip embedding step
  ...
 \x1b[1mIndividual stages:\x1b[0m
  lore ingest                           # Fetch from GitLab only
  lore generate-docs                    # Rebuild documents only
  lore embed                            # Re-embed only",
    help_heading = "Data Pipeline"
 )]
 Sync(SyncArgs),
 ```
 **File:** `src/app/robot_docs.rs` -- Add a `"hidden": true` field to the ingest/generate-docs/embed entries so agents know these are secondary:
 ```rust
 "ingest": {
    "hidden": true,
    "description": "Sync data from GitLab (prefer 'sync' for full pipeline)",
    ...
 ```
 **Verification:**
 - `lore --help` no longer shows ingest, generate-docs, embed
 - `lore ingest`, `lore generate-docs`, `lore embed` all still work
 - `lore sync --help` mentions individual stage commands
 - `lore robot-docs` still includes all three (with `hidden: true`)
 **Files touched:** `src/cli/mod.rs`, `src/app/robot_docs.rs`
 ---
 ### Phase 2 Commit Summary
 **Commit A: Rename `stats` -> `index`**
 - `src/cli/mod.rs`, `src/main.rs`, `src/app/robot_docs.rs`, `src/cli/autocorrect.rs`
 **Commit B: Merge `health` into `doctor`, hide pipeline stages**
 - `src/cli/mod.rs`, `src/main.rs`, `src/app/robot_docs.rs`, `src/cli/autocorrect.rs`
 **Test plan:**
 ```bash
 cargo check --all-targets
 cargo clippy --all-targets -- -D warnings
 cargo fmt --check
 cargo test
 # Rename verification
 lore index                     # Works (new name)
 lore stats                     # Works (hidden alias)
 lore index --check             # Works
 # Doctor merge verification
 lore doctor                    # Full diagnostic
 lore doctor --quick            # Fast pre-flight
 lore health                    # Still works (hidden)
 # Hidden stages verification
 lore --help                    # ingest/generate-docs/embed gone
 lore ingest                    # Still works
 lore sync --help               # Mentions individual stages
 ```
 ---
 ## Phase 3: Structural Consolidation (requires careful design)
 These changes merge or absorb commands. More effort, more testing, but the biggest UX wins.
 ### P6: Consolidate `file-history` into `trace`
 **Goal:** `trace` absorbs `file-history`. One command for file-centric intelligence.
 **Approach:** Add `--mrs-only` flag to `trace`. When set, output matches `file-history` format (flat MR list, no issue/discussion linking). `file-history` becomes a hidden alias.
 **File:** `src/cli/args.rs` -- Add flag to `TraceArgs`:
 ```rust
 pub struct TraceArgs {
    pub path: String,
    #[arg(short = 'p', long, help_heading = "Filters")]
    pub project: Option<String>,
    #[arg(long, help_heading = "Output")]
    pub discussions: bool,
    #[arg(long = "no-follow-renames", help_heading = "Filters")]
    pub no_follow_renames: bool,
    #[arg(short = 'n', long = "limit", default_value = "20", help_heading = "Output")]
    pub limit: usize,
    // NEW: absorb file-history behavior
    /// Show only MR list without issue/discussion linking (file-history mode)
    #[arg(long = "mrs-only", help_heading = "Output")]
    pub mrs_only: bool,
    /// Only show merged MRs (file-history mode)
    #[arg(long, help_heading = "Filters")]
    pub merged: bool,
 }
 ```
 **File:** `src/cli/mod.rs` -- Hide `FileHistory`:
 ```rust
 /// Show MRs that touched a file, with linked discussions
 #[command(name = "file-history", hide = true, help_heading = "File Analysis")]
 FileHistory(FileHistoryArgs),
 ```
 **File:** `src/app/handlers.rs` -- Route `trace --mrs-only` to the file-history handler:
 ```rust
 fn handle_trace(
    config_override: Option<&str>,
    args: TraceArgs,
    robot_mode: bool,
 ) -> Result<(), Box<dyn std::error::Error>> {
    if args.mrs_only {
        // Delegate to file-history handler
        let fh_args = FileHistoryArgs {
            path: args.path,
            project: args.project,
            discussions: args.discussions,
            no_follow_renames: args.no_follow_renames,
            merged: args.merged,
            limit: args.limit,
        };
        return handle_file_history(config_override, fh_args, robot_mode);
    }
    // ... existing trace logic ...
 }
 ```
 **File:** `src/app/robot_docs.rs` -- Update trace entry, mark file-history as deprecated:
 ```rust
 "trace": {
    "description": "Trace why code was introduced: file -> MR -> issue -> discussion. Use --mrs-only for flat MR listing.",
    "flags": ["<path>", "-p/--project", "--discussions", "--no-follow-renames", "-n/--limit", "--mrs-only", "--merged"],
    ...
 },
 "file-history": {
    "hidden": true,
    "deprecated": "Use 'trace --mrs-only' instead",
    ...
 }
 ```
 **Verification:**
 - `lore trace src/main.rs` works unchanged
 - `lore trace src/main.rs --mrs-only` produces file-history output
 - `lore trace src/main.rs --mrs-only --merged` filters to merged MRs
 - `lore file-history src/main.rs` still works (hidden command)
 - `lore --help` shows only `trace` in File Analysis group
 **Files touched:** `src/cli/args.rs`, `src/cli/mod.rs`, `src/app/handlers.rs`, `src/app/robot_docs.rs`
 ---
 ### P8: Make `count` a Flag on Entity Commands
 **Goal:** `lore issues --count` replaces `lore count issues`. Standalone `count` becomes hidden.
 **File:** `src/cli/args.rs` -- Add `--count` to `IssuesArgs`, `MrsArgs`, `NotesArgs`:
 ```rust
 // In IssuesArgs:
 /// Show count only (no listing)
 #[arg(long, help_heading = "Output", conflicts_with_all = ["iid", "open"])]
 pub count: bool,
 // In MrsArgs:
 /// Show count only (no listing)
 #[arg(long, help_heading = "Output", conflicts_with_all = ["iid", "open"])]
 pub count: bool,
 // In NotesArgs:
 /// Show count only (no listing)
 #[arg(long, help_heading = "Output", conflicts_with = "open")]
 pub count: bool,
 ```
 **File:** `src/app/handlers.rs` -- In `handle_issues`, `handle_mrs`, `handle_notes`, check the count flag early:
 ```rust
 // In handle_issues (pseudocode):
 if args.count {
    let count_args = CountArgs { entity: "issues".to_string(), for_entity: None };
    return handle_count(config_override, count_args, robot_mode).await;
 }
 ```
 **File:** `src/cli/mod.rs` -- Hide `Count`:
 ```rust
 /// Count entities in local database
 #[command(hide = true, help_heading = "Query")]
 Count(CountArgs),
 ```
 **File:** `src/app/robot_docs.rs` -- Mark count as hidden, add `--count` documentation to issues/mrs/notes entries.
 **Verification:**
 - `lore issues --count` returns issue count
 - `lore mrs --count` returns MR count
 - `lore notes --count` returns note count
 - `lore count issues` still works (hidden)
 - `lore count discussions --for mr` still works (no equivalent in the new pattern -- discussions/events/references still need the standalone `count` command)
 **Important note:** `count` supports entity types that don't have their own command (discussions, events, references). The standalone `count` must remain functional (just hidden). The `--count` flag on `issues`/`mrs`/`notes` handles the common cases only.
 **Files touched:** `src/cli/args.rs`, `src/cli/mod.rs`, `src/app/handlers.rs`, `src/app/robot_docs.rs`
 ---
 ### P10: Add `--sort` to `search`
 **Goal:** Allow sorting search results by score, created date, or updated date.
 **File:** `src/cli/args.rs` -- Add to `SearchArgs`:
 ```rust
 /// Sort results by field (score is default for ranked search)
 #[arg(long, value_parser = ["score", "created", "updated"], default_value = "score", help_heading = "Sorting")]
 pub sort: String,
 /// Sort ascending (default: descending)
 #[arg(long, help_heading = "Sorting", overrides_with = "no_asc")]
 pub asc: bool,
 #[arg(long = "no-asc", hide = true, overrides_with = "asc")]
 pub no_asc: bool,
 ```
 **File:** `src/cli/commands/search.rs` -- Thread the sort parameter through to the search query.
 The search function currently returns results sorted by score. When `--sort created` or `--sort updated` is specified, apply an `ORDER BY` clause to the final result set.
 **File:** `src/app/robot_docs.rs` -- Add `--sort` and `--asc` to the search command's flags list.
 **Verification:**
 - `lore search 'auth' --sort score` (default, unchanged)
 - `lore search 'auth' --sort created --asc` (oldest first)
 - `lore search 'auth' --sort updated` (most recently updated first)
 **Files touched:** `src/cli/args.rs`, `src/cli/commands/search.rs`, `src/app/robot_docs.rs`
 ---
 ### Phase 3 Commit Summary
 **Commit C: Consolidate file-history into trace**
 - `src/cli/args.rs`, `src/cli/mod.rs`, `src/app/handlers.rs`, `src/app/robot_docs.rs`
 **Commit D: Add `--count` flag to entity commands**
 - `src/cli/args.rs`, `src/cli/mod.rs`, `src/app/handlers.rs`, `src/app/robot_docs.rs`
 **Commit E: Add `--sort` to search**
 - `src/cli/args.rs`, `src/cli/commands/search.rs`, `src/app/robot_docs.rs`
 **Test plan:**
 ```bash
 cargo check --all-targets
 cargo clippy --all-targets -- -D warnings
 cargo fmt --check
 cargo test
 # trace consolidation
 lore trace src/main.rs --mrs-only
 lore trace src/main.rs --mrs-only --merged --discussions
 lore file-history src/main.rs     # backward compat
 # count flag
 lore issues --count
 lore mrs --count -s opened
 lore notes --count --for-issue 42
 lore count discussions --for mr   # still works
 # search sort
 lore search 'auth' --sort created --asc
 ```
 ---
 ## Documentation Updates
 After all implementation is complete:
 ### CLAUDE.md / AGENTS.md
 Update the robot mode command reference to reflect:
 - `stats` -> `index` (with note that `stats` is a hidden alias)
 - `health` -> `doctor --quick` (with note that `health` is a hidden alias)
 - Remove `ingest`, `generate-docs`, `embed` from the primary command table (mention as "hidden, use `sync`")
 - Remove `file-history` from primary table (mention as "hidden, use `trace --mrs-only`")
 - Add `--count` flag to issues/mrs/notes documentation
 - Add `--sort` flag to search documentation
 - Add `--mrs-only` and `--merged` flags to trace documentation
 ### robot-docs Self-Discovery
 The `robot_docs.rs` changes above handle this. Key points:
 - New `"hidden": true` field on deprecated/hidden commands
 - Updated descriptions mentioning canonical alternatives
 - Updated flags lists
 - Updated workflows section
 ---
 ## File Impact Summary
 | File | Phase 1 | Phase 2 | Phase 3 | Total Changes |
 |------|---------|---------|---------|---------------|
 | `src/cli/mod.rs` | help_heading, drift value_parser | stats->index rename, hide health, hide pipeline stages | hide file-history, hide count | 4 passes |
 | `src/cli/args.rs` | singular/plural, remove `-f`, add `-o` | — | `--mrs-only`/`--merged` on trace, `--count` on entities, `--sort` on search | 2 passes |
 | `src/app/handlers.rs` | normalize entity strings | route doctor --quick | trace mrs-only delegation, count flag routing | 3 passes |
 | `src/app/robot_docs.rs` | update count flags | rename stats->index, merge health+doctor, add hidden field | update trace, file-history, count, search entries | 3 passes |
 | `src/cli/autocorrect.rs` | — | update CANONICAL_SUBCOMMANDS, SUBCOMMAND_ALIASES, COMMAND_FLAGS | — | 1 pass |
 | `src/main.rs` | — | stats->index variant rename, doctor variant change | — | 1 pass |
 | `src/cli/commands/search.rs` | — | — | sort parameter threading | 1 pass |
 ---
 ## Before / After Summary
 ### Command Count
 | Metric | Before | After | Delta |
 |--------|--------|-------|-------|
 | Visible top-level commands | 29 | 21 | -8 (-28%) |
 | Hidden commands (functional) | 4 | 12 | +8 (absorbed) |
 | Stub/unimplemented commands | 2 | 2 | 0 |
 | Total functional commands | 33 | 33 | 0 (nothing lost) |
 ### `lore --help` Output
 **Before (29 commands, flat list, ~50 lines of commands):**
 ```
 Commands:
  issues         List or show issues [aliases: issue]
  mrs            List or show merge requests [aliases: mr]
  notes          List notes from discussions [aliases: note]
  ingest         Ingest data from GitLab
  count          Count entities in local database
  status         Show sync state [aliases: st]
  auth           Verify GitLab authentication
  doctor         Check environment health
  version        Show version information
  init           Initialize configuration and database
  search         Search indexed documents [aliases: find]
  stats          Show document and index statistics [aliases: stat]
  generate-docs  Generate searchable documents from ingested data
  embed          Generate vector embeddings for documents via Ollama
  sync           Run full sync pipeline: ingest -> generate-docs -> embed
  migrate        Run pending database migrations
  health         Quick health check: config, database, schema version
  robot-docs     Machine-readable command manifest for agent self-discovery
  completions    Generate shell completions
  timeline       Show a chronological timeline of events matching a query
  who            People intelligence: experts, workload, active discussions, overlap
  me             Personal work dashboard: open issues, authored/reviewing MRs, activity
  file-history   Show MRs that touched a file, with linked discussions
  trace          Trace why code was introduced: file -> MR -> issue -> discussion
  drift          Detect discussion divergence from original intent
  related        Find semantically related entities via vector search
  cron           Manage cron-based automatic syncing
  token          Manage stored GitLab token
  help           Print this message or the help of the given subcommand(s)
 ```
 **After (21 commands, grouped, ~35 lines of commands):**
 ```
 Query:
  issues      List or show issues [aliases: issue]
  mrs         List or show merge requests [aliases: mr]
  notes       List notes from discussions [aliases: note]
  search      Search indexed documents [aliases: find]
 Intelligence:
  timeline    Chronological timeline of events
  who         People intelligence: experts, workload, overlap
  me          Personal work dashboard
 File Analysis:
  trace       Trace code provenance / file history
  related     Find semantically related entities
  drift       Detect discussion divergence
 Data Pipeline:
  sync        Run full sync pipeline
 System:
  init        Initialize configuration and database
  status      Show sync state [aliases: st]
  doctor      Check environment health (--quick for pre-flight)
  index       Document and index statistics [aliases: idx]
  auth        Verify GitLab authentication
  token       Manage stored GitLab token
  migrate     Run pending database migrations
  cron        Manage automatic syncing
  robot-docs  Agent self-discovery manifest
  completions Generate shell completions
  version     Show version information
 ```
 ### Flag Consistency
 | Issue | Before | After |
 |-------|--------|-------|
 | `-f` collision (force vs for) | `ingest -f`=force, `count -f`=for | `-f` removed from count; `-f` = force everywhere |
 | Singular/plural entity types | `count issues` but `search --type issue` | Both forms accepted everywhere |
 | `notes --open` missing `-o` | `notes --open` (no shorthand) | `notes -o` works (matches issues/mrs) |
 | `search` missing `--sort` | No sort override | `--sort score\|created\|updated` + `--asc` |
 ### Naming Confusion
 | Before | After | Resolution |
 |--------|-------|------------|
 | `status` vs `stats` vs `stat` (3 names, 2 commands) | `status` + `index` (2 names, 2 commands) | Eliminated near-homonym collision |
 | `health` vs `doctor` (2 commands, overlapping scope) | `doctor` + `doctor --quick` (1 command) | Progressive disclosure |
 | `trace` vs `file-history` (2 commands, overlapping function) | `trace` + `trace --mrs-only` (1 command) | Superset absorbs subset |
 ### Robot Ergonomics
 | Metric | Before | After |
 |--------|--------|-------|
 | Commands in robot-docs manifest | 29 | 21 visible + hidden section |
 | Agent decision space for "system check" | 4 commands | 2 commands (status, doctor) |
 | Agent decision space for "file query" | 3 commands + 2 who modes | 1 command (trace) + 2 who modes |
 | Entity type parse errors from singular/plural | Common | Eliminated |
 | Estimated token cost of robot-docs | Baseline | ~15% reduction (fewer entries, hidden flagged) |
 ### What Stays Exactly The Same
 - All 33 functional commands remain callable (nothing is removed)
 - All existing flags and their behavior are preserved
 - All response schemas are unchanged
 - All exit codes are unchanged
 - The autocorrect system continues to work
 - All hidden/deprecated commands emit their existing warnings
 ### What Breaks (Intentional)
 - `lore count -f mr` (the `-f` shorthand) -- must use `--for` instead
 - `lore --help` layout changes (commands are grouped, 8 commands hidden)
 - `lore robot-docs` output changes (new `hidden` field, renamed keys)
 - Any scripts parsing `--help` text (but `robot-docs` is the stable contract)
--- a/docs/command-surface-analysis.md
+++ b/docs/command-surface-analysis.md
--- a/docs/command-surface-analysis/00-overview.md
+++ b/docs/command-surface-analysis/00-overview.md
@@ -0,0 +1,92 @@
 # Lore Command Surface Analysis — Overview
 **Date:** 2026-02-26
 **Version:** v0.9.1 (439c20e)
 ---
 ## Purpose
 Deep analysis of the full `lore` CLI command surface: what each command does, how commands overlap, how they connect in agent workflows, and where consolidation and robot-mode optimization can reduce round trips and token waste.
 ## Document Map
 | File | Contents | When to Read |
 |---|---|---|
 | **00-overview.md** | This file. Summary, inventory, priorities. | Always read first. |
 | [01-entity-commands.md](01-entity-commands.md) | `issues`, `mrs`, `notes`, `search`, `count` — flags, DB tables, robot schemas | Need command reference for entity queries |
 | [02-intelligence-commands.md](02-intelligence-commands.md) | `who`, `timeline`, `me`, `file-history`, `trace`, `related`, `drift` | Need command reference for intelligence/analysis |
 | [03-pipeline-and-infra.md](03-pipeline-and-infra.md) | `sync`, `ingest`, `generate-docs`, `embed`, diagnostics, setup | Need command reference for data management |
 | [04-data-flow.md](04-data-flow.md) | Shared data source map, command network graph, clusters | Understanding how commands interconnect |
 | [05-overlap-analysis.md](05-overlap-analysis.md) | Quantified overlap percentages for every command pair | Evaluating what to consolidate |
 | [06-agent-workflows.md](06-agent-workflows.md) | Common agent flows, round-trip costs, token profiles | Understanding inefficiency pain points |
 | [07-consolidation-proposals.md](07-consolidation-proposals.md) | 5 proposals to reduce 34 commands to 29 | Planning command surface changes |
 | [08-robot-optimization-proposals.md](08-robot-optimization-proposals.md) | 6 proposals for `--include`, `--batch`, `--depth`, etc. | Planning robot-mode improvements |
 | [09-appendices.md](09-appendices.md) | Robot output envelope, field presets, exit codes | Reference material |
 ---
 ## Command Inventory (34 commands)
 | Category | Commands | Count |
 |---|---|---|
 | Entity Query | `issues`, `mrs`, `notes`, `search`, `count` | 5 |
 | Intelligence | `who` (5 modes), `timeline`, `related`, `drift`, `me`, `file-history`, `trace` | 7 (11 with who sub-modes) |
 | Data Pipeline | `sync`, `ingest`, `generate-docs`, `embed` | 4 |
 | Diagnostics | `health`, `auth`, `doctor`, `status`, `stats` | 5 |
 | Setup | `init`, `token`, `cron`, `migrate` | 4 |
 | Meta | `version`, `completions`, `robot-docs` | 3 |
 ---
 ## Key Findings
 ### High-Overlap Pairs
 | Pair | Overlap | Recommendation |
 |---|---|---|
 | `who workload` vs `me` | ~85% | Workload is a strict subset of me |
 | `health` vs `doctor` | ~90% | Health is a strict subset of doctor |
 | `file-history` vs `trace` | ~75% | Trace is a superset minus `--merged` |
 | `related` query-mode vs `search --mode semantic` | ~80% | Related query-mode is search without filters |
 | `auth` vs `doctor` | ~100% of auth | Auth is fully contained within doctor |
 ### Agent Workflow Pain Points
 | Workflow | Current Round Trips | With Optimizations |
 |---|---|---|
 | "Understand this issue" | 4 calls | 1 call (`--include`) |
 | "Why was code changed?" | 3 calls | 1 call (`--include`) |
 | "What should I work on?" | 4 calls | 2 calls |
 | "Find and understand" | 4 calls | 2 calls |
 | "Is system healthy?" | 2-4 calls | 1 call |
 ---
 ## Priority Ranking
 | Pri | Proposal | Category | Effort | Impact |
 |---|---|---|---|---|
 | **P0** | `--include` flag on detail commands | Robot optimization | High | Eliminates 2-3 round trips per workflow |
 | **P0** | `--depth` on `me` command | Robot optimization | Low | 60-80% token reduction on most-used command |
 | **P1** | `--batch` for detail views | Robot optimization | Medium | Eliminates N+1 after search/timeline |
 | **P1** | Absorb `file-history` into `trace` | Consolidation | Low | Cleaner surface, shared code |
 | **P1** | Merge `who overlap` into `who expert` | Consolidation | Low | -1 round trip in review flows |
 | **P2** | `context` composite command | Robot optimization | Medium | Single entry point for entity understanding |
 | **P2** | Merge `count`+`status` into `stats` | Consolidation | Medium | -2 commands, progressive disclosure |
 | **P2** | Absorb `auth` into `doctor` | Consolidation | Low | -1 command |
 | **P2** | Remove `related` query-mode | Consolidation | Low | -1 confusing choice |
 | **P3** | `--max-tokens` budget | Robot optimization | High | Flexible but complex to implement |
 | **P3** | `--format tsv` | Robot optimization | Medium | High savings, limited applicability |
 ### Consolidation Summary
 | Before | After | Removed |
 |---|---|---|
 | `file-history` + `trace` | `trace` (+ `--shallow`) | -1 |
 | `auth` + `doctor` | `doctor` (+ `--auth`) | -1 |
 | `related` query-mode | `search --mode semantic` | -1 mode |
 | `who overlap` + `who expert` | `who expert` (+ touch_count) | -1 sub-mode |
 | `count` + `status` + `stats` | `stats` (+ `--entities`, `--sync`) | -2 |
 **Total: 34 commands -> 29 commands**
--- a/docs/command-surface-analysis/01-entity-commands.md
+++ b/docs/command-surface-analysis/01-entity-commands.md
@@ -0,0 +1,308 @@
 # Entity Query Commands
 Reference for: `issues`, `mrs`, `notes`, `search`, `count`
 ---
 ## `issues` (alias: `issue`)
 List or show issues from local database.
 | Flag | Type | Default | Purpose |
 |---|---|---|---|
 | `[IID]` | positional | — | Omit to list, provide to show detail |
 | `-n, --limit` | int | 50 | Max results |
 | `--fields` | string | — | Select output columns (preset: `minimal`) |
 | `-s, --state` | enum | — | `opened\|closed\|all` |
 | `-p, --project` | string | — | Filter by project (fuzzy) |
 | `-a, --author` | string | — | Filter by author username |
 | `-A, --assignee` | string | — | Filter by assignee username |
 | `-l, --label` | string[] | — | Filter by labels (AND logic, repeatable) |
 | `-m, --milestone` | string | — | Filter by milestone title |
 | `--status` | string[] | — | Filter by work-item status (COLLATE NOCASE, OR logic) |
 | `--since` | duration/date | — | Filter by created date (`7d`, `2w`, `YYYY-MM-DD`) |
 | `--due-before` | date | — | Filter by due date |
 | `--has-due` | flag | — | Show only issues with due dates |
 | `--sort` | enum | `updated` | `updated\|created\|iid` |
 | `--asc` | flag | — | Sort ascending |
 | `-o, --open` | flag | — | Open first match in browser |
 **DB tables:** `issues`, `projects`, `issue_assignees`, `issue_labels`, `labels`
 **Detail mode adds:** `discussions`, `notes`, `entity_references` (closing MRs)
 ### Robot Output (list mode)
 ```json
 {
  "ok": true,
  "data": {
    "issues": [
      {
        "iid": 42, "title": "Fix auth", "state": "opened",
        "author_username": "jdoe", "labels": ["backend"],
        "assignees": ["jdoe"], "discussion_count": 3,
        "unresolved_count": 1, "created_at_iso": "...",
        "updated_at_iso": "...", "web_url": "...",
        "project_path": "group/repo",
        "status_name": "In progress"
      }
    ],
    "total_count": 150, "showing": 50
  },
  "meta": { "elapsed_ms": 40, "available_statuses": ["Open", "In progress", "Closed"] }
 }
 ```
 ### Robot Output (detail mode — `issues <IID>`)
 ```json
 {
  "ok": true,
  "data": {
    "id": 12345, "iid": 42, "title": "Fix auth",
    "description": "Full markdown body...",
    "state": "opened", "author_username": "jdoe",
    "created_at": "...", "updated_at": "...", "closed_at": null,
    "confidential": false, "web_url": "...", "project_path": "group/repo",
    "references_full": "group/repo#42",
    "labels": ["backend"], "assignees": ["jdoe"],
    "due_date": null, "milestone": null,
    "user_notes_count": 5, "merge_requests_count": 1,
    "closing_merge_requests": [
      { "iid": 99, "title": "Refactor auth", "state": "merged", "web_url": "..." }
    ],
    "discussions": [
      {
        "notes": [
          { "author_username": "jdoe", "body": "...", "created_at": "...", "is_system": false }
        ],
        "individual_note": false
      }
    ],
    "status_name": "In progress", "status_color": "#1068bf"
  }
 }
 ```
 **Minimal preset:** `iid`, `title`, `state`, `updated_at_iso`
 ---
 ## `mrs` (aliases: `mr`, `merge-request`, `merge-requests`)
 List or show merge requests.
 | Flag | Type | Default | Purpose |
 |---|---|---|---|
 | `[IID]` | positional | — | Omit to list, provide to show detail |
 | `-n, --limit` | int | 50 | Max results |
 | `--fields` | string | — | Select output columns (preset: `minimal`) |
 | `-s, --state` | enum | — | `opened\|merged\|closed\|locked\|all` |
 | `-p, --project` | string | — | Filter by project |
 | `-a, --author` | string | — | Filter by author |
 | `-A, --assignee` | string | — | Filter by assignee |
 | `-r, --reviewer` | string | — | Filter by reviewer |
 | `-l, --label` | string[] | — | Filter by labels (AND) |
 | `--since` | duration/date | — | Filter by created date |
 | `-d, --draft` | flag | — | Draft MRs only |
 | `-D, --no-draft` | flag | — | Exclude drafts |
 | `--target` | string | — | Filter by target branch |
 | `--source` | string | — | Filter by source branch |
 | `--sort` | enum | `updated` | `updated\|created\|iid` |
 | `--asc` | flag | — | Sort ascending |
 | `-o, --open` | flag | — | Open in browser |
 **DB tables:** `merge_requests`, `projects`, `mr_reviewers`, `mr_labels`, `labels`, `mr_assignees`
 **Detail mode adds:** `discussions`, `notes`, `mr_diffs`
 ### Robot Output (list mode)
 ```json
 {
  "ok": true,
  "data": {
    "mrs": [
      {
        "iid": 99, "title": "Refactor auth", "state": "merged",
        "draft": false, "author_username": "jdoe",
        "source_branch": "feat/auth", "target_branch": "main",
        "labels": ["backend"], "assignees": ["jdoe"], "reviewers": ["reviewer"],
        "discussion_count": 5, "unresolved_count": 0,
        "created_at_iso": "...", "updated_at_iso": "...",
        "web_url": "...", "project_path": "group/repo"
      }
    ],
    "total_count": 500, "showing": 50
  }
 }
 ```
 ### Robot Output (detail mode — `mrs <IID>`)
 ```json
 {
  "ok": true,
  "data": {
    "id": 67890, "iid": 99, "title": "Refactor auth",
    "description": "Full markdown body...",
    "state": "merged", "draft": false, "author_username": "jdoe",
    "source_branch": "feat/auth", "target_branch": "main",
    "created_at": "...", "updated_at": "...",
    "merged_at": "...", "closed_at": null,
    "web_url": "...", "project_path": "group/repo",
    "labels": ["backend"], "assignees": ["jdoe"], "reviewers": ["reviewer"],
    "discussions": [
      {
        "notes": [
          {
            "author_username": "reviewer", "body": "...",
            "created_at": "...", "is_system": false,
            "position": { "new_path": "src/auth.rs", "new_line": 42 }
          }
        ],
        "individual_note": false
      }
    ]
  }
 }
 ```
 **Minimal preset:** `iid`, `title`, `state`, `updated_at_iso`
 ---
 ## `notes` (alias: `note`)
 List discussion notes/comments with fine-grained filters.
 | Flag | Type | Default | Purpose |
 |---|---|---|---|
 | `-n, --limit` | int | 50 | Max results |
 | `--fields` | string | — | Preset: `minimal` |
 | `-a, --author` | string | — | Filter by author |
 | `--note-type` | enum | — | `DiffNote\|DiscussionNote` |
 | `--contains` | string | — | Body text substring filter |
 | `--note-id` | int | — | Internal note ID |
 | `--gitlab-note-id` | int | — | GitLab note ID |
 | `--discussion-id` | string | — | Discussion ID filter |
 | `--include-system` | flag | — | Include system notes |
 | `--for-issue` | int | — | Notes on specific issue (requires `-p`) |
 | `--for-mr` | int | — | Notes on specific MR (requires `-p`) |
 | `-p, --project` | string | — | Scope to project |
 | `--since` | duration/date | — | Created after |
 | `--until` | date | — | Created before (inclusive) |
 | `--path` | string | — | File path filter (exact or prefix with `/`) |
 | `--resolution` | enum | — | `any\|unresolved\|resolved` |
 | `--sort` | enum | `created` | `created\|updated` |
 | `--asc` | flag | — | Sort ascending |
 | `--open` | flag | — | Open in browser |
 **DB tables:** `notes`, `discussions`, `projects`, `issues`, `merge_requests`
 ### Robot Output
 ```json
 {
  "ok": true,
  "data": {
    "notes": [
      {
        "id": 1234, "gitlab_id": 56789,
        "author_username": "reviewer", "body": "...",
        "note_type": "DiffNote", "is_system": false,
        "created_at_iso": "...", "updated_at_iso": "...",
        "position_new_path": "src/auth.rs", "position_new_line": 42,
        "resolvable": true, "resolved": false,
        "noteable_type": "MergeRequest", "parent_iid": 99,
        "parent_title": "Refactor auth", "project_path": "group/repo"
      }
    ],
    "total_count": 1000, "showing": 50
  }
 }
 ```
 **Minimal preset:** `id`, `author_username`, `body`, `created_at_iso`
 ---
 ## `search` (aliases: `find`, `query`)
 Semantic + full-text search across indexed documents.
 | Flag | Type | Default | Purpose |
 |---|---|---|---|
 | `<QUERY>` | positional | required | Search query string |
 | `--mode` | enum | `hybrid` | `lexical\|hybrid\|semantic` |
 | `--type` | enum | — | `issue\|mr\|discussion\|note` |
 | `--author` | string | — | Filter by author |
 | `-p, --project` | string | — | Scope to project |
 | `--label` | string[] | — | Filter by labels (AND) |
 | `--path` | string | — | File path filter |
 | `--since` | duration/date | — | Created after |
 | `--updated-since` | duration/date | — | Updated after |
 | `-n, --limit` | int | 20 | Max results (max: 100) |
 | `--fields` | string | — | Preset: `minimal` |
 | `--explain` | flag | — | Show ranking breakdown |
 | `--fts-mode` | enum | `safe` | `safe\|raw` |
 **DB tables:** `documents`, `documents_fts` (FTS5), `embeddings` (vec0), `document_labels`, `document_paths`, `projects`
 **Search modes:**
 - **lexical** — FTS5 with BM25 ranking (fastest, no Ollama needed)
 - **hybrid** — RRF combination of lexical + semantic (default)
 - **semantic** — Vector similarity only (requires Ollama)
 ### Robot Output
 ```json
 {
  "ok": true,
  "data": {
    "query": "authentication bug",
    "mode": "hybrid",
    "total_results": 15,
    "results": [
      {
        "document_id": 1234, "source_type": "issue",
        "title": "Fix SSO auth", "url": "...",
        "author": "jdoe", "project_path": "group/repo",
        "labels": ["auth"], "paths": ["src/auth/"],
        "snippet": "...matching text...",
        "score": 0.85,
        "explain": { "vector_rank": 2, "fts_rank": 1, "rrf_score": 0.85 }
      }
    ],
    "warnings": []
  }
 }
 ```
 **Minimal preset:** `document_id`, `title`, `source_type`, `score`
 ---
 ## `count`
 Count entities in local database.
 | Flag | Type | Default | Purpose |
 |---|---|---|---|
 | `<ENTITY>` | positional | required | `issues\|mrs\|discussions\|notes\|events\|references` |
 | `-f, --for` | enum | — | Parent type: `issue\|mr` |
 **DB tables:** Conditional aggregation on entity tables
 ### Robot Output
 ```json
 {
  "ok": true,
  "data": {
    "entity": "merge_requests",
    "count": 1234,
    "system_excluded": 5000,
    "breakdown": { "opened": 100, "closed": 50, "merged": 1084 }
  }
 }
 ```
--- a/docs/command-surface-analysis/02-intelligence-commands.md
+++ b/docs/command-surface-analysis/02-intelligence-commands.md
@@ -0,0 +1,452 @@
 # Intelligence Commands
 Reference for: `who`, `timeline`, `me`, `file-history`, `trace`, `related`, `drift`
 ---
 ## `who` (People Intelligence)
 Five sub-modes, dispatched by argument shape.
 | Mode | Trigger | Purpose |
 |---|---|---|
 | **expert** | `who <path>` or `who --path <path>` | Who knows about a code area? |
 | **workload** | `who @username` | What is this person working on? |
 | **reviews** | `who @username --reviews` | Review pattern analysis |
 | **active** | `who --active` | Unresolved discussions needing attention |
 | **overlap** | `who --overlap <path>` | Who else touches these files? |
 ### Shared Flags
 | Flag | Type | Default | Purpose |
 |---|---|---|---|
 | `-p, --project` | string | — | Scope to project |
 | `-n, --limit` | int | varies | Max results (1-500) |
 | `--fields` | string | — | Preset: `minimal` |
 | `--since` | duration/date | — | Time window |
 | `--include-bots` | flag | — | Include bot users |
 | `--include-closed` | flag | — | Include closed issues/MRs |
 | `--all-history` | flag | — | Query all history |
 ### Expert-Only Flags
 | Flag | Type | Default | Purpose |
 |---|---|---|---|
 | `--detail` | flag | — | Per-MR breakdown |
 | `--as-of` | date/duration | — | Score at point in time |
 | `--explain-score` | flag | — | Score breakdown |
 ### DB Tables by Mode
 | Mode | Primary Tables |
 |---|---|
 | expert | `notes` (INDEXED BY idx_notes_diffnote_path_created), `merge_requests`, `mr_reviewers` |
 | workload | `issues`, `merge_requests`, `mr_reviewers` |
 | reviews | `merge_requests`, `discussions`, `notes` |
 | active | `discussions`, `notes`, `issues`, `merge_requests` |
 | overlap | `notes`, `mr_file_changes`, `merge_requests` |
 ### Robot Output (expert)
 ```json
 {
  "ok": true,
  "data": {
    "mode": "expert",
    "input": { "target": "src/auth/", "path": "src/auth/" },
    "resolved_input": { "mode": "expert", "project_id": 1, "project_path": "group/repo" },
    "result": {
      "experts": [
        {
          "username": "jdoe", "score": 42.5,
          "detail": { "mr_ids_author": [99, 101], "mr_ids_reviewer": [88] }
        }
      ]
    }
  }
 }
 ```
 ### Robot Output (workload)
 ```json
 {
  "data": {
    "mode": "workload",
    "result": {
      "assigned_issues": [{ "iid": 42, "title": "Fix auth", "state": "opened" }],
      "authored_mrs": [{ "iid": 99, "title": "Refactor auth", "state": "merged" }],
      "review_mrs": [{ "iid": 88, "title": "Add SSO", "state": "opened" }]
    }
  }
 }
 ```
 ### Robot Output (reviews)
 ```json
 {
  "data": {
    "mode": "reviews",
    "result": {
      "categories": [
        {
          "category": "approval_rate",
          "reviewers": [{ "name": "jdoe", "count": 15, "percentage": 85.0 }]
        }
      ]
    }
  }
 }
 ```
 ### Robot Output (active)
 ```json
 {
  "data": {
    "mode": "active",
    "result": {
      "discussions": [
        { "entity_type": "mr", "iid": 99, "title": "Refactor auth", "participants": ["jdoe", "reviewer"] }
      ]
    }
  }
 }
 ```
 ### Robot Output (overlap)
 ```json
 {
  "data": {
    "mode": "overlap",
    "result": {
      "users": [{ "username": "jdoe", "touch_count": 15 }]
    }
  }
 }
 ```
 ### Minimal Presets
 | Mode | Fields |
 |---|---|
 | expert | `username`, `score` |
 | workload | `iid`, `title`, `state` |
 | reviews | `name`, `count`, `percentage` |
 | active | `entity_type`, `iid`, `title`, `participants` |
 | overlap | `username`, `touch_count` |
 ---
 ## `timeline`
 Reconstruct chronological event history for a topic/entity with cross-reference expansion.
 | Flag | Type | Default | Purpose |
 |---|---|---|---|
 | `<QUERY>` | positional | required | Search text or entity ref (`issue:42`, `mr:99`) |
 | `-p, --project` | string | — | Scope to project |
 | `--since` | duration/date | — | Filter events after |
 | `--depth` | int | 1 | Cross-ref expansion depth (0=none) |
 | `--no-mentions` | flag | — | Skip "mentioned" edges, keep "closes"/"related" |
 | `-n, --limit` | int | 100 | Max events |
 | `--fields` | string | — | Preset: `minimal` |
 | `--max-seeds` | int | 10 | Max seed entities from search |
 | `--max-entities` | int | 50 | Max expanded entities |
 | `--max-evidence` | int | 10 | Max evidence notes |
 **Pipeline:** SEED -> HYDRATE -> EXPAND -> COLLECT -> RENDER
 **DB tables:** `issues`, `merge_requests`, `discussions`, `notes`, `entity_references`, `resource_state_events`, `resource_label_events`, `resource_milestone_events`, `documents` (for search seeding)
 ### Robot Output
 ```json
 {
  "ok": true,
  "data": {
    "query": "authentication", "event_count": 25,
    "seed_entities": [{ "type": "issue", "iid": 42, "project": "group/repo" }],
    "expanded_entities": [
      {
        "type": "mr", "iid": 99, "project": "group/repo", "depth": 1,
        "via": {
          "from": { "type": "issue", "iid": 42 },
          "reference_type": "closes"
        }
      }
    ],
    "unresolved_references": [
      {
        "source": { "type": "issue", "iid": 42, "project": "group/repo" },
        "target_type": "mr", "target_iid": 200, "reference_type": "mentioned"
      }
    ],
    "events": [
      {
        "timestamp": "2026-01-15T10:30:00Z",
        "entity_type": "issue", "entity_iid": 42, "project": "group/repo",
        "event_type": "state_changed", "summary": "Reopened",
        "actor": "jdoe", "is_seed": true,
        "evidence_notes": [{ "author": "jdoe", "snippet": "..." }]
      }
    ]
  },
  "meta": {
    "elapsed_ms": 150, "search_mode": "fts",
    "expansion_depth": 1, "include_mentions": true,
    "total_entities": 5, "total_events": 25,
    "evidence_notes_included": 8, "discussion_threads_included": 3,
    "unresolved_references": 1, "showing": 25
  }
 }
 ```
 **Minimal preset:** `timestamp`, `type`, `entity_iid`, `detail`
 ---
 ## `me` (Personal Dashboard)
 Personal work dashboard with issues, MRs, activity, and since-last-check inbox.
 | Flag | Type | Default | Purpose |
 |---|---|---|---|
 | `--issues` | flag | — | Open issues section only |
 | `--mrs` | flag | — | MRs section only |
 | `--activity` | flag | — | Activity feed only |
 | `--since` | duration/date | `30d` | Activity window |
 | `-p, --project` | string | — | Scope to one project |
 | `--all` | flag | — | All synced projects |
 | `--user` | string | — | Override configured username |
 | `--fields` | string | — | Preset: `minimal` |
 | `--reset-cursor` | flag | — | Clear since-last-check cursor |
 **Sections (no flags = all):** Issues, MRs authored, MRs reviewing, Activity, Inbox
 **DB tables:** `issues`, `merge_requests`, `resource_state_events`, `projects`, `issue_labels`, `mr_labels`
 ### Robot Output
 ```json
 {
  "ok": true,
  "data": {
    "username": "jdoe",
    "summary": {
      "project_count": 3, "open_issue_count": 5,
      "authored_mr_count": 2, "reviewing_mr_count": 1,
      "needs_attention_count": 3
    },
    "since_last_check": {
      "cursor_iso": "2026-02-25T18:00:00Z",
      "total_event_count": 8,
      "groups": [
        {
          "entity_type": "issue", "entity_iid": 42,
          "entity_title": "Fix auth", "project": "group/repo",
          "events": [
            { "timestamp_iso": "...", "event_type": "comment",
              "actor": "reviewer", "summary": "New comment" }
          ]
        }
      ]
    },
    "open_issues": [
      {
        "project": "group/repo", "iid": 42, "title": "Fix auth",
        "state": "opened", "attention_state": "needs_attention",
        "status_name": "In progress", "labels": ["auth"],
        "updated_at_iso": "..."
      }
    ],
    "open_mrs_authored": [
      {
        "project": "group/repo", "iid": 99, "title": "Refactor auth",
        "state": "opened", "attention_state": "needs_attention",
        "draft": false, "labels": ["backend"], "updated_at_iso": "..."
      }
    ],
    "reviewing_mrs": [],
    "activity": [
      {
        "timestamp_iso": "...", "event_type": "state_changed",
        "entity_type": "issue", "entity_iid": 42, "project": "group/repo",
        "actor": "jdoe", "is_own": true, "summary": "Closed"
      }
    ]
  }
 }
 ```
 **Minimal presets:** Items: `iid, title, attention_state, updated_at_iso` | Activity: `timestamp_iso, event_type, entity_iid, actor`
 ---
 ## `file-history`
 Show which MRs touched a file, with linked discussions.
 | Flag | Type | Default | Purpose |
 |---|---|---|---|
 | `<PATH>` | positional | required | File path to trace |
 | `-p, --project` | string | — | Scope to project |
 | `--discussions` | flag | — | Include DiffNote snippets |
 | `--no-follow-renames` | flag | — | Skip rename chain resolution |
 | `--merged` | flag | — | Only merged MRs |
 | `-n, --limit` | int | 50 | Max MRs |
 **DB tables:** `mr_file_changes`, `merge_requests`, `notes` (DiffNotes), `projects`
 ### Robot Output
 ```json
 {
  "ok": true,
  "data": {
    "path": "src/auth/middleware.rs",
    "rename_chain": [
      { "previous_path": "src/auth.rs", "mr_iid": 55, "merged_at": "..." }
    ],
    "merge_requests": [
      {
        "iid": 99, "title": "Refactor auth", "state": "merged",
        "author": "jdoe", "merged_at": "...", "change_type": "modified"
      }
    ],
    "discussions": [
      {
        "discussion_id": 123, "mr_iid": 99, "author": "reviewer",
        "body_snippet": "...", "path": "src/auth/middleware.rs"
      }
    ]
  },
  "meta": { "elapsed_ms": 30, "total_mrs": 5, "renames_followed": true }
 }
 ```
 ---
 ## `trace`
 File -> MR -> issue -> discussion chain to understand why code was introduced.
 | Flag | Type | Default | Purpose |
 |---|---|---|---|
 | `<PATH>` | positional | required | File path (future: `:line` suffix) |
 | `-p, --project` | string | — | Scope to project |
 | `--discussions` | flag | — | Include DiffNote snippets |
 | `--no-follow-renames` | flag | — | Skip rename chain |
 | `-n, --limit` | int | 20 | Max chains |
 **DB tables:** `mr_file_changes`, `merge_requests`, `issues`, `discussions`, `notes`, `entity_references`
 ### Robot Output
 ```json
 {
  "ok": true,
  "data": {
    "path": "src/auth/middleware.rs",
    "resolved_paths": ["src/auth/middleware.rs", "src/auth.rs"],
    "trace_chains": [
      {
        "mr_iid": 99, "mr_title": "Refactor auth", "mr_state": "merged",
        "mr_author": "jdoe", "change_type": "modified",
        "merged_at_iso": "...", "web_url": "...",
        "issues": [42],
        "discussions": [
          {
            "discussion_id": 123, "author_username": "reviewer",
            "body_snippet": "...", "path": "src/auth/middleware.rs"
          }
        ]
      }
    ]
  },
  "meta": { "tier": "api_only", "total_chains": 3, "renames_followed": 1 }
 }
 ```
 ---
 ## `related`
 Find semantically related entities via vector search.
 | Flag | Type | Default | Purpose |
 |---|---|---|---|
 | `<QUERY_OR_TYPE>` | positional | required | Entity type (`issues`, `mrs`) or free text |
 | `[IID]` | positional | — | Entity IID (required with entity type) |
 | `-n, --limit` | int | 10 | Max results |
 | `-p, --project` | string | — | Scope to project |
 **Two modes:**
 - **Entity mode:** `related issues 42` — find entities similar to issue #42
 - **Query mode:** `related "auth flow"` — find entities matching free text
 **DB tables:** `documents`, `embeddings` (vec0), `projects`
 **Requires:** Ollama running (for query mode embedding)
 ### Robot Output (entity mode)
 ```json
 {
  "ok": true,
  "data": {
    "query_entity_type": "issue",
    "query_entity_iid": 42,
    "query_entity_title": "Fix SSO authentication",
    "similar_entities": [
      {
        "entity_type": "mr", "entity_iid": 99,
        "entity_title": "Refactor auth module",
        "project_path": "group/repo", "state": "merged",
        "similarity_score": 0.87,
        "shared_labels": ["auth"], "shared_authors": ["jdoe"]
      }
    ]
  }
 }
 ```
 ---
 ## `drift`
 Detect discussion divergence from original intent.
 | Flag | Type | Default | Purpose |
 |---|---|---|---|
 | `<ENTITY_TYPE>` | positional | required | Currently only `issues` |
 | `<IID>` | positional | required | Entity IID |
 | `--threshold` | f32 | 0.4 | Similarity threshold (0.0-1.0) |
 | `-p, --project` | string | — | Scope to project |
 **DB tables:** `issues`, `discussions`, `notes`, `embeddings`
 **Requires:** Ollama running
 ### Robot Output
 ```json
 {
  "ok": true,
  "data": {
    "entity_type": "issue", "entity_iid": 42,
    "total_notes": 15,
    "detected_drift": true,
    "drift_point": {
      "note_index": 8, "similarity": 0.32,
      "author": "someone", "created_at": "..."
    },
    "similarity_curve": [
      { "note_index": 0, "similarity": 0.95, "author": "jdoe", "created_at": "..." },
      { "note_index": 1, "similarity": 0.88, "author": "reviewer", "created_at": "..." }
    ]
  }
 }
 ```
--- a/docs/command-surface-analysis/03-pipeline-and-infra.md
+++ b/docs/command-surface-analysis/03-pipeline-and-infra.md
@@ -0,0 +1,210 @@
 # Pipeline & Infrastructure Commands
 Reference for: `sync`, `ingest`, `generate-docs`, `embed`, `health`, `auth`, `doctor`, `status`, `stats`, `init`, `token`, `cron`, `migrate`, `version`, `completions`, `robot-docs`
 ---
 ## Data Pipeline
 ### `sync` (Full Pipeline)
 Complete sync: ingest -> generate-docs -> embed.
 | Flag | Type | Default | Purpose |
 |---|---|---|---|
 | `--full` | flag | — | Full re-sync (reset cursors) |
 | `-f, --force` | flag | — | Override stale lock |
 | `--no-embed` | flag | — | Skip embedding |
 | `--no-docs` | flag | — | Skip doc generation |
 | `--no-events` | flag | — | Skip resource events |
 | `--no-file-changes` | flag | — | Skip MR file changes |
 | `--no-status` | flag | — | Skip work-item status enrichment |
 | `--dry-run` | flag | — | Preview without changes |
 | `-t, --timings` | flag | — | Show timing breakdown |
 | `--lock` | flag | — | Acquire file lock |
 | `--issue` | int[] | — | Surgically sync specific issues (repeatable) |
 | `--mr` | int[] | — | Surgically sync specific MRs (repeatable) |
 | `-p, --project` | string | — | Required with `--issue`/`--mr` |
 | `--preflight-only` | flag | — | Validate without DB writes |
 **Stages:** GitLab REST ingest -> GraphQL status enrichment -> Document generation -> Ollama embedding
 **Surgical sync:** `lore sync --issue 42 --mr 99 -p group/repo` fetches only specific entities.
 ### `ingest`
 Fetch data from GitLab API only (no docs, no embeddings).
 | Flag | Type | Default | Purpose |
 |---|---|---|---|
 | `[ENTITY]` | positional | — | `issues` or `mrs` (omit for all) |
 | `-p, --project` | string | — | Single project |
 | `-f, --force` | flag | — | Override stale lock |
 | `--full` | flag | — | Full re-sync |
 | `--dry-run` | flag | — | Preview |
 **Fetches from GitLab:**
 - Issues + discussions + notes
 - MRs + discussions + notes
 - Resource events (state, label, milestone)
 - MR file changes (for DiffNote tracking)
 - Work-item statuses (via GraphQL)
 ### `generate-docs`
 Create searchable documents from ingested data.
 | Flag | Type | Default | Purpose |
 |---|---|---|---|
 | `--full` | flag | — | Full rebuild |
 | `-p, --project` | string | — | Single project rebuild |
 **Writes:** `documents`, `document_labels`, `document_paths`
 ### `embed`
 Generate vector embeddings via Ollama.
 | Flag | Type | Default | Purpose |
 |---|---|---|---|
 | `--full` | flag | — | Re-embed all |
 | `--retry-failed` | flag | — | Retry failed embeddings |
 **Requires:** Ollama running with `nomic-embed-text`
 **Writes:** `embeddings`, `embedding_metadata`
 ---
 ## Diagnostics
 ### `health`
 Quick pre-flight check (~50ms). Exit 0 = healthy, exit 19 = unhealthy.
 **Checks:** config found, DB found, schema version current.
 ```json
 {
  "ok": true,
  "data": {
    "healthy": true,
    "config_found": true, "db_found": true,
    "schema_current": true, "schema_version": 28
  }
 }
 ```
 ### `auth`
 Verify GitLab authentication.
 **Checks:** token set, GitLab reachable, user identity.
 ### `doctor`
 Comprehensive environment check.
 **Checks:** config validity, token, GitLab connectivity, DB health, migration status, Ollama availability + model status.
 ```json
 {
  "ok": true,
  "data": {
    "config": { "valid": true, "path": "~/.config/lore/config.json" },
    "token": { "set": true, "gitlab": { "reachable": true, "user": "jdoe" } },
    "database": { "exists": true, "version": 28, "tables": 25 },
    "ollama": { "available": true, "model_ready": true }
  }
 }
 ```
 ### `status` (alias: `st`)
 Show sync state per project.
 ```json
 {
  "ok": true,
  "data": {
    "projects": [
      {
        "project_path": "group/repo",
        "last_synced_at": "2026-02-26T10:00:00Z",
        "document_count": 5000, "discussion_count": 2000, "notes_count": 15000
      }
    ]
  }
 }
 ```
 ### `stats` (alias: `stat`)
 Document and index statistics with optional integrity checks.
 | Flag | Type | Default | Purpose |
 |---|---|---|---|
 | `--check` | flag | — | Run integrity checks |
 | `--repair` | flag | — | Fix issues (implies `--check`) |
 | `--dry-run` | flag | — | Preview repairs |
 ```json
 {
  "ok": true,
  "data": {
    "documents": { "total": 61652, "issues": 5000, "mrs": 2000, "notes": 50000 },
    "embeddings": { "total": 80000, "synced": 79500, "pending": 500, "failed": 0 },
    "fts": { "total_docs": 61652 },
    "queues": { "pending": 0, "in_progress": 0, "failed": 0, "max_attempts": 0 },
    "integrity": {
      "ok": true, "fts_doc_mismatch": 0, "orphan_embeddings": 0,
      "stale_metadata": 0, "orphan_state_events": 0
    }
  }
 }
 ```
 ---
 ## Setup
 ### `init`
 Initialize configuration and database.
 | Flag | Type | Default | Purpose |
 |---|---|---|---|
 | `-f, --force` | flag | — | Skip overwrite confirmation |
 | `--non-interactive` | flag | — | Fail if prompts needed |
 | `--gitlab-url` | string | — | GitLab base URL (required in robot mode) |
 | `--token-env-var` | string | — | Env var holding token (required in robot mode) |
 | `--projects` | string | — | Comma-separated project paths (required in robot mode) |
 | `--default-project` | string | — | Default project path |
 ### `token`
 | Subcommand | Flags | Purpose |
 |---|---|---|
 | `token set` | `--token <TOKEN>` | Store token (reads stdin if omitted) |
 | `token show` | `--unmask` | Display token (masked by default) |
 ### `cron`
 | Subcommand | Flags | Purpose |
 |---|---|---|
 | `cron install` | `--interval <MINUTES>` (default: 8) | Schedule auto-sync |
 | `cron uninstall` | — | Remove cron job |
 | `cron status` | — | Check installation |
 ### `migrate`
 Run pending database migrations. No flags.
 ---
 ## Meta
 | Command | Purpose |
 |---|---|
 | `version` | Show version string |
 | `completions <shell>` | Generate shell completions (bash/zsh/fish/powershell) |
 | `robot-docs` | Machine-readable command manifest (`--brief` for ~60% smaller) |
--- a/docs/command-surface-analysis/04-data-flow.md
+++ b/docs/command-surface-analysis/04-data-flow.md
@@ -0,0 +1,179 @@
 # Data Flow & Command Network
 How commands interconnect through shared data sources and output-to-input dependencies.
 ---
 ## 1. Command Network Graph
 Arrows mean "output of A feeds as input to B":
 ```
                    ┌─────────┐
                    │ search  │─────────────────────────────┐
                    └────┬────┘                             │
                         │ iid                              │ topic
                    ┌────▼────┐                        ┌────▼─────┐
              ┌─────│ issues  │◄───────────────────────│ timeline │
              │     │ mrs     │ (detail)               └──────────┘
              │     └────┬────┘                             ▲
              │          │ iid                              │ entity ref
              │     ┌────▼────┐     ┌──────────────┐       │
              │     │ related │     │ file-history  │───────┘
              │     │ drift   │     └──────┬───────┘
              │     └─────────┘            │ MR iids
              │                       ┌────▼────┐
              │                       │  trace  │──── issues (linked)
              │                       └────┬────┘
              │                            │ paths
              │                       ┌────▼────┐
              │                       │   who   │
              │                       │ (expert)│
              │                       └─────────┘
              │
         file paths                   ┌─────────┐
              │                       │   me    │──── issues, mrs (dashboard)
              ▼                       └─────────┘
        ┌──────────┐                       ▲
        │  notes   │                       │ (~same data)
        └──────────┘                  ┌────┴──────┐
                                      │who workload│
                                      └───────────┘
 ```
 ### Feed Chains (output of A -> input of B)
 | From | To | What Flows |
 |---|---|---|
 | `search` | `issues`, `mrs` | IIDs from search results -> detail lookup |
 | `search` | `timeline` | Topic/query -> chronological history |
 | `search` | `related` | Entity IID -> semantic similarity |
 | `me` | `issues`, `mrs` | IIDs from dashboard -> detail lookup |
 | `trace` | `issues` | Linked issue IIDs -> detail lookup |
 | `trace` | `who` | File paths -> expert lookup |
 | `file-history` | `mrs` | MR IIDs -> detail lookup |
 | `file-history` | `timeline` | Entity refs -> chronological events |
 | `timeline` | `issues`, `mrs` | Referenced IIDs -> detail lookup |
 | `who expert` | `who reviews` | Username -> review patterns |
 | `who expert` | `mrs` | MR IIDs from expert detail -> MR detail |
 ---
 ## 2. Shared Data Source Map
 Which DB tables power which commands. Higher overlap = stronger consolidation signal.
 ### Primary Entity Tables
 | Table | Read By |
 |---|---|
 | `issues` | issues, me, who-workload, search, timeline, trace, count, stats |
 | `merge_requests` | mrs, me, who-workload, search, timeline, trace, file-history, count, stats |
 | `notes` | notes, issues-detail, mrs-detail, who-expert, who-active, search, timeline, trace, file-history |
 | `discussions` | notes, issues-detail, mrs-detail, who-active, who-reviews, timeline, trace |
 ### Relationship Tables
 | Table | Read By |
 |---|---|
 | `entity_references` | trace, timeline |
 | `mr_file_changes` | trace, file-history, who-overlap |
 | `issue_labels` | issues, me |
 | `mr_labels` | mrs, me |
 | `issue_assignees` | issues, me |
 | `mr_reviewers` | mrs, who-expert, who-workload |
 ### Event Tables
 | Table | Read By |
 |---|---|
 | `resource_state_events` | timeline, me-activity |
 | `resource_label_events` | timeline |
 | `resource_milestone_events` | timeline |
 ### Document/Search Tables
 | Table | Read By |
 |---|---|
 | `documents` + `documents_fts` | search, stats |
 | `embeddings` | search, related, drift |
 | `document_labels` | search |
 | `document_paths` | search |
 ### Infrastructure Tables
 | Table | Read By |
 |---|---|
 | `sync_cursors` | status |
 | `dirty_sources` | stats |
 | `embedding_metadata` | stats, embed |
 ---
 ## 3. Shared-Data Clusters
 Commands that read from the same primary tables form natural clusters:
 ### Cluster A: Issue/MR Entities
 `issues`, `mrs`, `me`, `who workload`, `count`
 All read `issues` + `merge_requests` with similar filter patterns (state, author, labels, project). These commands share the same underlying WHERE-clause builder logic.
 ### Cluster B: Notes/Discussions
 `notes`, `issues detail`, `mrs detail`, `who expert`, `who active`, `timeline`
 All traverse the `discussions` -> `notes` join path. The `notes` command does it with independent filters; the others embed notes within parent context.
 ### Cluster C: File Genealogy
 `trace`, `file-history`, `who overlap`
 All use `mr_file_changes` with rename chain BFS (forward: old_path -> new_path, backward: new_path -> old_path). Shared `resolve_rename_chain()` function.
 ### Cluster D: Semantic/Vector
 `search`, `related`, `drift`
 All use `documents` + `embeddings` via Ollama. `search` adds FTS component; `related` is pure vector; `drift` uses vector for divergence scoring.
 ### Cluster E: Diagnostics
 `health`, `auth`, `doctor`, `status`, `stats`
 All check system state. `health` < `doctor` (strict subset). `status` checks sync cursors. `stats` checks document/index health. `auth` checks token/connectivity.
 ---
 ## 4. Query Pattern Sharing
 ### Dynamic Filter Builder (used by issues, mrs, notes)
 All three list commands use the same pattern: build a WHERE clause dynamically from filter flags with parameterized tokens. Labels use EXISTS subquery against junction table.
 ### Rename Chain BFS (used by trace, file-history, who overlap)
 Forward query:
 ```sql
 SELECT DISTINCT new_path FROM mr_file_changes
 WHERE project_id = ?1 AND old_path = ?2 AND change_type = 'renamed'
 ```
 Backward query:
 ```sql
 SELECT DISTINCT old_path FROM mr_file_changes
 WHERE project_id = ?1 AND new_path = ?2 AND change_type = 'renamed'
 ```
 Cycle detection via `HashSet` of visited paths, `MAX_RENAME_HOPS = 10`.
 ### Hybrid Search (used by search, timeline seeding)
 RRF ranking: `score = (60 / fts_rank) + (60 / vector_rank)`
 FTS5 queries go through `to_fts_query()` which sanitizes input and builds MATCH expressions. Vector search calls Ollama to embed the query, then does cosine similarity against `embeddings` vec0 table.
 ### Project Resolution (used by most commands)
 `resolve_project(conn, project_filter)` does fuzzy matching on `path_with_namespace` — suffix and substring matching. Returns `(project_id, path_with_namespace)`.
--- a/docs/command-surface-analysis/05-overlap-analysis.md
+++ b/docs/command-surface-analysis/05-overlap-analysis.md
@@ -0,0 +1,170 @@
 # Overlap Analysis
 Quantified functional duplication between commands.
 ---
 ## 1. High Overlap (>70%)
 ### `who workload` vs `me` — 85% overlap
 | Dimension | `who @user` (workload) | `me --user @user` |
 |---|---|---|
 | Assigned issues | Yes | Yes |
 | Authored MRs | Yes | Yes |
 | Reviewing MRs | Yes | Yes |
 | Attention state | No | **Yes** |
 | Activity feed | No | **Yes** |
 | Since-last-check inbox | No | **Yes** |
 | Cross-project | Yes | **Yes** |
 **Verdict:** `who workload` is a strict subset of `me`. The only reason to use `who workload` is if you DON'T want attention_state/activity/inbox — but `me --issues --mrs --fields minimal` achieves the same thing.
 ### `health` vs `doctor` — 90% overlap
 | Check | `health` | `doctor` |
 |---|---|---|
 | Config found | Yes | Yes |
 | DB exists | Yes | Yes |
 | Schema current | Yes | Yes |
 | Token valid | No | **Yes** |
 | GitLab reachable | No | **Yes** |
 | Ollama available | No | **Yes** |
 **Verdict:** `health` is a strict subset of `doctor`. However, `health` has unique value as a ~50ms pre-flight with clean exit 0/19 semantics for scripting.
 ### `file-history` vs `trace` — 75% overlap
 | Feature | `file-history` | `trace` |
 |---|---|---|
 | Find MRs for file | Yes | Yes |
 | Rename chain BFS | Yes | Yes |
 | DiffNote discussions | `--discussions` | `--discussions` |
 | Follow to linked issues | No | **Yes** |
 | `--merged` filter | **Yes** | No |
 **Verdict:** `trace` is a superset of `file-history` minus the `--merged` filter. Both use the same `resolve_rename_chain()` function and query `mr_file_changes`.
 ### `related` query-mode vs `search --mode semantic` — 80% overlap
 | Feature | `related "text"` | `search "text" --mode semantic` |
 |---|---|---|
 | Vector similarity | Yes | Yes |
 | FTS component | No | No (semantic mode skips FTS) |
 | Filters (labels, author, since) | No | **Yes** |
 | Explain ranking | No | **Yes** |
 | Field selection | No | **Yes** |
 | Requires Ollama | Yes | Yes |
 **Verdict:** `related "text"` is `search --mode semantic` without any filter capabilities. The entity-seeded mode (`related issues 42`) is NOT duplicated — it seeds from an existing entity's embedding.
 ---
 ## 2. Medium Overlap (40-70%)
 ### `who expert` vs `who overlap` — 50%
 Both answer "who works on this file" but with different scoring:
 | Aspect | `who expert` | `who overlap` |
 |---|---|---|
 | Scoring | Half-life decay, signal types (diffnote_author, reviewer, etc.) | Raw touch count |
 | Output | Ranked experts with scores | Users with touch counts |
 | Use case | "Who should review this?" | "Who else touches this?" |
 **Verdict:** Overlap is a simplified version of expert. Expert could include touch_count as a field.
 ### `timeline` vs `trace` — 45%
 Both follow `entity_references` to discover connected entities, but from different entry points:
 | Aspect | `timeline` | `trace` |
 |---|---|---|
 | Entry point | Entity (issue/MR) or search query | File path |
 | Direction | Entity -> cross-refs -> events | File -> MRs -> issues -> discussions |
 | Output | Chronological events | Causal chains (why code changed) |
 | Expansion | Depth-controlled cross-ref following | MR -> issue via entity_references |
 **Verdict:** Complementary, not duplicative. Different questions, shared plumbing.
 ### `auth` vs `doctor` — 100% of auth
 `auth` checks: token set + GitLab reachable + user identity.
 `doctor` checks: all of the above + DB + schema + Ollama.
 **Verdict:** `auth` is completely contained within `doctor`.
 ### `count` vs `stats` — 40%
 Both answer "how much data?":
 | Aspect | `count` | `stats` |
 |---|---|---|
 | Layer | Entity (issues, MRs, notes) | Document index |
 | State breakdown | Yes (opened/closed/merged) | No |
 | Integrity checks | No | Yes |
 | Queue status | No | Yes |
 **Verdict:** Different layers. Could be unified under `stats --entities`.
 ### `notes` vs `issues/mrs detail` — 50%
 Both return note content:
 | Aspect | `notes` command | Detail view discussions |
 |---|---|---|
 | Independent filtering | **Yes** (author, path, resolution, contains, type) | No |
 | Parent context | Minimal (parent_iid, parent_title) | **Full** (complete entity + all discussions) |
 | Cross-entity queries | **Yes** (all notes matching criteria) | No (one entity only) |
 **Verdict:** `notes` is for filtered queries across entities. Detail views are for complete context on one entity. Different use cases.
 ---
 ## 3. No Significant Overlap
 | Command | Why It's Unique |
 |---|---|
 | `drift` | Only command doing semantic divergence detection |
 | `timeline` | Only command doing multi-entity chronological reconstruction with expansion |
 | `search` (hybrid) | Only command combining FTS + vector with RRF ranking |
 | `me` (inbox) | Only command with cursor-based since-last-check tracking |
 | `who expert` | Only command with half-life decay scoring by signal type |
 | `who reviews` | Only command analyzing review patterns (approval rate, latency) |
 | `who active` | Only command surfacing unresolved discussions needing attention |
 ---
 ## 4. Overlap Adjacency Matrix
 Rows/columns are commands. Values are estimated functional overlap percentage.
 ```
              issues  mrs  notes  search  who-e  who-w  who-r  who-a  who-o  timeline  me  fh  trace  related  drift  count  status  stats  health  doctor
 issues          -     30    50      20      5      40      0      5      0       15    40    0     10      10      0     20       0      10      0       0
 mrs            30      -    50      20      5      40      0      5      0       15    40    5     10      10      0     20       0      10      0       0
 notes          50     50     -      15     15       0      5     10      0       10     0    5      5       0      0      0       0       0      0       0
 search         20     20    15       -      0       0      0      0      0       15     0    0      0      80      0      0       0       5      0       0
 who-expert      5      5    15       0      -       0     10      0     50        0     0   10     10       0      0      0       0       0      0       0
 who-workload   40     40     0       0      0       -      0      0      0        0    85    0      0       0      0      0       0       0      0       0
 who-reviews     0      0     5       0     10       0      -      0      0        0     0    0      0       0      0      0       0       0      0       0
 who-active      5      5    10       0      0       0      0      -      0        5     0    0      0       0      0      0       0       0      0       0
 who-overlap     0      0     0       0     50       0      0      0      -        0     0   10      5       0      0      0       0       0      0       0
 timeline       15     15    10      15      0       0      0      5      0        -     5    5     45       0      0      0       0       0      0       0
 me             40     40     0       0      0      85      0      0      0        5     -    0      0       0      0      0       5       0      5       5
 file-history    0      5     5       0     10       0      0      0     10        5     0    -     75       0      0      0       0       0      0       0
 trace          10     10     5       0     10       0      0      0      5       45     0   75      -       0      0      0       0       0      0       0
 related        10     10     0      80      0       0      0      0      0        0     0    0      0       -      0      0       0       0      0       0
 drift           0      0     0       0      0       0      0      0      0        0     0    0      0       0      -      0       0       0      0       0
 count          20     20     0       0      0       0      0      0      0        0     0    0      0       0      0      -       0      40      0       0
 status          0      0     0       0      0       0      0      0      0        0     5    0      0       0      0      0       -      20     30      40
 stats          10     10     0       5      0       0      0      0      0        0     0    0      0       0      0     40      20       -      0      15
 health          0      0     0       0      0       0      0      0      0        0     5    0      0       0      0      0      30       0      -      90
 doctor          0      0     0       0      0       0      0      0      0        0     5    0      0       0      0      0      40      15     90       -
 ```
 **Highest overlap pairs (>= 75%):**
 1. `health` / `doctor` — 90%
 2. `who workload` / `me` — 85%
 3. `related` query-mode / `search semantic` — 80%
 4. `file-history` / `trace` — 75%
--- a/docs/command-surface-analysis/06-agent-workflows.md
+++ b/docs/command-surface-analysis/06-agent-workflows.md
@@ -0,0 +1,216 @@
 # Agent Workflow Analysis
 Common agent workflows, round-trip costs, and token profiles.
 ---
 ## 1. Common Workflows
 ### Flow 1: "What should I work on?" — 4 round trips
 ```
 me                            → dashboard overview (which items need attention?)
 issues <iid> -p proj         → detail on picked issue (full context + discussions)
 trace src/relevant/file.rs    → understand code context (why was it written?)
 who src/relevant/file.rs      → find domain experts (who can help?)
 ```
 **Total tokens (minimal):** ~800 + ~2000 + ~1000 + ~400 = ~4200
 **Total tokens (full):** ~3000 + ~6000 + ~1500 + ~800 = ~11300
 **Latency:** 4 serial round trips
 ### Flow 2: "What happened with this feature?" — 3 round trips
 ```
 search "feature name"         → find relevant entities
 timeline "feature name"       → reconstruct chronological history
 related issues 42             → discover connected work
 ```
 **Total tokens (minimal):** ~600 + ~1500 + ~400 = ~2500
 **Total tokens (full):** ~2000 + ~5000 + ~1000 = ~8000
 **Latency:** 3 serial round trips
 ### Flow 3: "Why was this code changed?" — 3 round trips
 ```
 trace src/file.rs             → file -> MR -> issue chain
 issues <iid> -p proj         → full issue detail
 timeline "issue:42"           → full history with cross-refs
 ```
 **Total tokens (minimal):** ~800 + ~2000 + ~1500 = ~4300
 **Total tokens (full):** ~1500 + ~6000 + ~5000 = ~12500
 **Latency:** 3 serial round trips
 ### Flow 4: "Is the system healthy?" — 2-4 round trips
 ```
 health                        → quick pre-flight (pass/fail)
 doctor                        → detailed diagnostics (if health fails)
 status                        → sync state per project
 stats                         → document/index health
 ```
 **Total tokens:** ~100 + ~300 + ~200 + ~400 = ~1000
 **Latency:** 2-4 serial round trips (often 1 if health passes)
 ### Flow 5: "Who can review this?" — 2-3 round trips
 ```
 who src/auth/                 → find file experts
 who @jdoe --reviews           → check reviewer's patterns
 ```
 **Total tokens (minimal):** ~300 + ~300 = ~600
 **Latency:** 2 serial round trips
 ### Flow 6: "Find and understand an issue" — 4 round trips
 ```
 search "query"                → discover entities (get IIDs)
 issues <iid>                  → full detail with discussions
 timeline "issue:42"           → chronological context
 related issues 42             → connected entities
 ```
 **Total tokens (minimal):** ~600 + ~2000 + ~1500 + ~400 = ~4500
 **Total tokens (full):** ~2000 + ~6000 + ~5000 + ~1000 = ~14000
 **Latency:** 4 serial round trips
 ---
 ## 2. Token Cost Profiles
 Measured typical response sizes in robot mode with default settings:
 | Command | Typical Tokens (full) | With `--fields minimal` | Dominant Cost Driver |
 |---|---|---|---|
 | `me` (all sections) | 2000-5000 | 500-1500 | Open items count |
 | `issues` (list, n=50) | 1500-3000 | 400-800 | Labels arrays |
 | `issues <iid>` (detail) | 1000-8000 | N/A (no minimal for detail) | Discussion depth |
 | `mrs <iid>` (detail) | 1000-8000 | N/A | Discussion depth, DiffNote positions |
 | `timeline` (limit=100) | 2000-6000 | 800-1500 | Event count + evidence |
 | `search` (n=20) | 1000-3000 | 300-600 | Snippet length |
 | `who expert` | 300-800 | 150-300 | Expert count |
 | `who workload` | 500-1500 | 200-500 | Open items count |
 | `trace` | 500-2000 | 300-800 | Chain depth |
 | `file-history` | 300-1500 | 200-500 | MR count |
 | `related` | 300-1000 | 200-400 | Result count |
 | `drift` | 200-800 | N/A | Similarity curve length |
 | `notes` (n=50) | 1500-5000 | 500-1000 | Body length |
 | `count` | ~100 | N/A | Fixed structure |
 | `stats` | ~500 | N/A | Fixed structure |
 | `health` | ~100 | N/A | Fixed structure |
 | `doctor` | ~300 | N/A | Fixed structure |
 | `status` | ~200 | N/A | Project count |
 ### Key Observations
 1. **Detail commands are expensive.** `issues <iid>` and `mrs <iid>` can hit 8000 tokens due to discussions. This is the content agents actually need, but most of it is discussion body text.
 2. **`me` is the most-called command** and ranges 2000-5000 tokens. Agents often just need "do I have work?" which is ~100 tokens (summary counts only).
 3. **Lists with labels are wasteful.** Every issue/MR in a list carries its full label array. With 50 items x 5 labels each, that's 250 strings of overhead.
 4. **`--fields minimal` helps a lot** — 50-70% reduction on list commands. But it's not available on detail views.
 5. **Timeline scales linearly** with event count and evidence notes. The `--max-evidence` flag helps cap the expensive part.
 ---
 ## 3. Round-Trip Inefficiency Patterns
 ### Pattern A: Discovery -> Detail (N+1)
 Agent searches, gets 5 results, then needs detail on each:
 ```
 search "auth bug"              → 5 results
 issues 42 -p proj             → detail
 issues 55 -p proj             → detail
 issues 71 -p proj             → detail
 issues 88 -p proj             → detail
 issues 95 -p proj             → detail
 ```
 **6 round trips** for what should be 2 (search + batch detail).
 ### Pattern B: Detail -> Context Gathering
 Agent gets issue detail, then needs timeline + related + trace:
 ```
 issues 42 -p proj             → detail
 timeline "issue:42" -p proj   → events
 related issues 42 -p proj     → similar
 trace src/file.rs -p proj     → code provenance
 ```
 **4 round trips** for what should be 1 (detail with embedded context).
 ### Pattern C: Health Check Cascade
 Agent checks health, discovers issue, drills down:
 ```
 health                         → unhealthy (exit 19)
 doctor                         → token OK, Ollama missing
 stats --check                  → 5 orphan embeddings
 stats --repair                 → fixed
 ```
 **4 round trips** but only 2 are actually needed (doctor covers health).
 ### Pattern D: Dashboard -> Action
 Agent checks dashboard, picks item, needs full context:
 ```
 me                             → 5 open issues, 2 MRs
 issues 42 -p proj             → picked issue detail
 who src/auth/ -p proj         → expert for help
 timeline "issue:42" -p proj   → history
 ```
 **4 round trips.** With `--include`, could be 2 (me with inline detail + who).
 ---
 ## 4. Optimized Workflow Vision
 What the same workflows look like with proposed optimizations:
 ### Flow 1 Optimized: "What should I work on?" — 2 round trips
 ```
 me --depth titles              → 400 tokens: counts + item titles with attention_state
 issues 42 --include timeline,trace  → 1 call: detail + events + code provenance
 ```
 ### Flow 2 Optimized: "What happened with this feature?" — 1-2 round trips
 ```
 search "feature" -n 5          → find entities
 issues 42 --include timeline,related → everything in one call
 ```
 ### Flow 3 Optimized: "Why was this code changed?" — 1 round trip
 ```
 trace src/file.rs --include experts,timeline → full chain + experts + events
 ```
 ### Flow 4 Optimized: "Is the system healthy?" — 1 round trip
 ```
 doctor                         → covers health + auth + connectivity
 # status + stats only if doctor reveals issues
 ```
 ### Flow 6 Optimized: "Find and understand" — 2 round trips
 ```
 search "query" -n 5            → discover entities
 issues --batch 42,55,71 --include timeline → batch detail with events
 ```
--- a/docs/command-surface-analysis/07-consolidation-proposals.md
+++ b/docs/command-surface-analysis/07-consolidation-proposals.md
@@ -0,0 +1,198 @@
 # Consolidation Proposals
 5 proposals to reduce 34 commands to 29 by merging high-overlap commands.
 ---
 ## A. Absorb `file-history` into `trace --shallow`
 **Overlap:** 75%. Both do rename chain BFS on `mr_file_changes`, both optionally include DiffNote discussions. `trace` follows `entity_references` to linked issues; `file-history` stops at MRs.
 **Current state:**
 ```bash
 # These do nearly the same thing:
 lore file-history src/auth/ -p proj --discussions
 lore trace src/auth/ -p proj --discussions
 # trace just adds: issues linked via entity_references
 ```
 **Proposed change:**
 - `trace <path>` — full chain: file -> MR -> issue -> discussions (existing behavior)
 - `trace <path> --shallow` — MR-only, no issue following (replaces `file-history`)
 - Move `--merged` flag from `file-history` to `trace`
 - Deprecate `file-history` as an alias that maps to `trace --shallow`
 **Migration path:**
 1. Add `--shallow` and `--merged` flags to `trace`
 2. Make `file-history` an alias with deprecation warning
 3. Update robot-docs to point to `trace`
 4. Remove alias after 2 releases
 **Breaking changes:** Robot output shape differs slightly (`trace_chains` vs `merge_requests` key name). The `--shallow` variant should match `file-history`'s output shape for compatibility.
 **Effort:** Low. Most code is already shared via `resolve_rename_chain()`.
 ---
 ## B. Absorb `auth` into `doctor`
 **Overlap:** 100% of `auth` is contained within `doctor`.
 **Current state:**
 ```bash
 lore auth     # checks: token set, GitLab reachable, user identity
 lore doctor   # checks: all of above + DB + schema + Ollama
 ```
 **Proposed change:**
 - `doctor` — full check (existing behavior)
 - `doctor --auth` — token + GitLab only (replaces `auth`)
 - Keep `health` separate (fast pre-flight, different exit code contract: 0/19)
 - Deprecate `auth` as alias for `doctor --auth`
 **Migration path:**
 1. Add `--auth` flag to `doctor`
 2. Make `auth` an alias with deprecation warning
 3. Remove alias after 2 releases
 **Breaking changes:** None for robot mode (same JSON shape). Exit code mapping needs verification.
 **Effort:** Low. Doctor already has the auth check logic.
 ---
 ## C. Remove `related` query-mode
 **Overlap:** 80% with `search --mode semantic`.
 **Current state:**
 ```bash
 # These are functionally equivalent:
 lore related "authentication flow"
 lore search "authentication flow" --mode semantic
 # This is UNIQUE (no overlap):
 lore related issues 42
 ```
 **Proposed change:**
 - Keep entity-seeded mode: `related issues 42` (seeds from existing entity embedding)
 - Remove free-text mode: `related "text"` -> error with suggestion: "Use `search --mode semantic`"
 - Alternatively: keep as sugar but document it as equivalent to search
 **Migration path:**
 1. Add deprecation warning when query-mode is used
 2. After 2 releases, remove query-mode parsing
 3. Entity-mode stays unchanged
 **Breaking changes:** Agents using `related "text"` must switch to `search --mode semantic`. This is a strict improvement since search has filters.
 **Effort:** Low. Just argument validation change.
 ---
 ## D. Merge `who overlap` into `who expert`
 **Overlap:** 50% functional, but overlap is a strict simplification of expert.
 **Current state:**
 ```bash
 lore who src/auth/               # expert mode: scored rankings
 lore who --overlap src/auth/     # overlap mode: raw touch counts
 ```
 **Proposed change:**
 - `who <path>` (expert) adds `touch_count` and `last_touch_at` fields to each expert row
 - `who --overlap <path>` becomes an alias for `who <path> --fields username,touch_count`
 - Eventually remove `--overlap` flag
 **New expert output:**
 ```json
 {
  "experts": [
    {
      "username": "jdoe", "score": 42.5,
      "touch_count": 15, "last_touch_at": "2026-02-20",
      "detail": { "mr_ids_author": [99, 101] }
    }
  ]
 }
 ```
 **Migration path:**
 1. Add `touch_count` and `last_touch_at` to expert output
 2. Make `--overlap` an alias with deprecation warning
 3. Remove `--overlap` after 2 releases
 **Breaking changes:** Expert output gains new fields (non-breaking for JSON consumers). Overlap output shape changes if agents were parsing `{ "users": [...] }` vs `{ "experts": [...] }`.
 **Effort:** Low. Expert query already touches the same tables; just need to add a COUNT aggregation.
 ---
 ## E. Merge `count` and `status` into `stats`
 **Overlap:** `count` and `stats` both answer "how much data?"; `status` and `stats` both report system state.
 **Current state:**
 ```bash
 lore count issues           # entity count + state breakdown
 lore count mrs              # entity count + state breakdown
 lore status                 # sync cursors per project
 lore stats                  # document/index counts + integrity
 ```
 **Proposed change:**
 - `stats` — document/index health (existing behavior, default)
 - `stats --entities` — adds entity counts (replaces `count`)
 - `stats --sync` — adds sync cursor positions (replaces `status`)
 - `stats --all` — everything: entities + sync + documents + integrity
 - `stats --check` / `--repair` — unchanged
 **New `--all` output:**
 ```json
 {
  "data": {
    "entities": {
      "issues": { "total": 5000, "opened": 200, "closed": 4800 },
      "merge_requests": { "total": 1234, "opened": 100, "closed": 50, "merged": 1084 },
      "discussions": { "total": 8000 },
      "notes": { "total": 282000, "system_excluded": 50000 }
    },
    "sync": {
      "projects": [
        { "project_path": "group/repo", "last_synced_at": "...", "document_count": 5000 }
      ]
    },
    "documents": { "total": 61652, "issues": 5000, "mrs": 2000, "notes": 50000 },
    "embeddings": { "total": 80000, "synced": 79500, "pending": 500 },
    "fts": { "total_docs": 61652 },
    "queues": { "pending": 0, "in_progress": 0, "failed": 0 },
    "integrity": { "ok": true }
  }
 }
 ```
 **Migration path:**
 1. Add `--entities`, `--sync`, `--all` flags to `stats`
 2. Make `count` an alias for `stats --entities` with deprecation warning
 3. Make `status` an alias for `stats --sync` with deprecation warning
 4. Remove aliases after 2 releases
 **Breaking changes:** `count` output currently has `{ "entity": "issues", "count": N, "breakdown": {...} }`. Under `stats --entities`, this becomes nested under `data.entities`. Alias can preserve old shape during deprecation period.
 **Effort:** Medium. Need to compose three query paths into one response builder.
 ---
 ## Summary
 | Consolidation | Removes | Effort | Breaking? |
 |---|---|---|---|
 | `file-history` -> `trace --shallow` | -1 command | Low | Alias redirect, output shape compat |
 | `auth` -> `doctor --auth` | -1 command | Low | Alias redirect |
 | `related` query-mode removal | -1 mode | Low | Must switch to `search --mode semantic` |
 | `who overlap` -> `who expert` | -1 sub-mode | Low | Output gains fields |
 | `count` + `status` -> `stats` | -2 commands | Medium | Output nesting changes |
 **Total: 34 commands -> 29 commands.** All changes use deprecation-with-alias pattern for gradual migration.
--- a/docs/command-surface-analysis/08-robot-optimization-proposals.md
+++ b/docs/command-surface-analysis/08-robot-optimization-proposals.md
@@ -0,0 +1,347 @@
 # Robot-Mode Optimization Proposals
 6 proposals to reduce round trips and token waste for agent consumers.
 ---
 ## A. `--include` flag for embedded sub-queries (P0)
 **Problem:** The #1 agent inefficiency. Every "understand this entity" workflow requires 3-4 serial round trips: detail + timeline + related + trace.
 **Proposal:** Add `--include` flag to detail commands that embeds sub-query results in the response.
 ```bash
 # Before: 4 round trips, ~12000 tokens
 lore -J issues 42 -p proj
 lore -J timeline "issue:42" -p proj --limit 20
 lore -J related issues 42 -p proj -n 5
 lore -J trace src/auth/ -p proj
 # After: 1 round trip, ~5000 tokens (sub-queries use reduced limits)
 lore -J issues 42 -p proj --include timeline,related
 ```
 ### Include Matrix
 | Base Command | Valid Includes | Default Limits |
 |---|---|---|
 | `issues <iid>` | `timeline`, `related`, `trace` | 20 events, 5 related, 5 chains |
 | `mrs <iid>` | `timeline`, `related`, `file-changes` | 20 events, 5 related |
 | `trace <path>` | `experts`, `timeline` | 5 experts, 20 events |
 | `me` | `detail` (inline top-N item details) | 3 items detailed |
 | `search` | `detail` (inline top-N result details) | 3 results detailed |
 ### Response Shape
 Included data uses `_` prefix to distinguish from base fields:
 ```json
 {
  "ok": true,
  "data": {
    "iid": 42, "title": "Fix auth", "state": "opened",
    "discussions": [...],
    "_timeline": {
      "event_count": 15,
      "events": [...]
    },
    "_related": {
      "similar_entities": [...]
    }
  },
  "meta": {
    "elapsed_ms": 200,
    "_timeline_ms": 45,
    "_related_ms": 120
  }
 }
 ```
 ### Error Handling
 Sub-query errors are non-fatal. If Ollama is down, `_related` returns an error instead of failing the whole request:
 ```json
 {
  "_related_error": "Ollama unavailable — related results skipped"
 }
 ```
 ### Limit Control
 ```bash
 # Custom limits for included data
 lore -J issues 42 --include timeline:50,related:10
 ```
 ### Round-Trip Savings
 | Workflow | Before | After | Savings |
 |---|---|---|---|
 | Understand an issue | 4 calls | 1 call | **75%** |
 | Why was code changed | 3 calls | 1 call | **67%** |
 | Find and understand | 4 calls | 2 calls | **50%** |
 **Effort:** High. Each include needs its own sub-query executor, error isolation, and limit enforcement. But the payoff is massive — this single feature halves agent round trips.
 ---
 ## B. `--depth` control on `me` (P0)
 **Problem:** `me` returns 2000-5000 tokens. Agents checking "do I have work?" only need ~100 tokens.
 **Proposal:** Add `--depth` flag with three levels.
 ```bash
 # Counts only (~100 tokens) — "do I have work?"
 lore -J me --depth counts
 # Titles (~400 tokens) — "what work do I have?"
 lore -J me --depth titles
 # Full (current behavior, 2000+ tokens) — "give me everything"
 lore -J me --depth full
 lore -J me  # same as --depth full
 ```
 ### Depth Levels
 | Level | Includes | Typical Tokens |
 |---|---|---|
 | `counts` | `summary` block only (counts, no items) | ~100 |
 | `titles` | summary + item lists with minimal fields (iid, title, attention_state) | ~400 |
 | `full` | Everything: items, activity, inbox, discussions | ~2000-5000 |
 ### Response at `--depth counts`
 ```json
 {
  "ok": true,
  "data": {
    "username": "jdoe",
    "summary": {
      "project_count": 3,
      "open_issue_count": 5,
      "authored_mr_count": 2,
      "reviewing_mr_count": 1,
      "needs_attention_count": 3
    }
  }
 }
 ```
 ### Response at `--depth titles`
 ```json
 {
  "ok": true,
  "data": {
    "username": "jdoe",
    "summary": { ... },
    "open_issues": [
      { "iid": 42, "title": "Fix auth", "attention_state": "needs_attention" }
    ],
    "open_mrs_authored": [
      { "iid": 99, "title": "Refactor auth", "attention_state": "needs_attention" }
    ],
    "reviewing_mrs": []
  }
 }
 ```
 **Effort:** Low. The data is already available; just need to gate serialization by depth level.
 ---
 ## C. `--batch` flag for multi-entity detail (P1)
 **Problem:** After search/timeline, agents discover N entity IIDs and need detail on each. Currently N round trips.
 **Proposal:** Add `--batch` flag to `issues` and `mrs` detail mode.
 ```bash
 # Before: 3 round trips
 lore -J issues 42 -p proj
 lore -J issues 55 -p proj
 lore -J issues 71 -p proj
 # After: 1 round trip
 lore -J issues --batch 42,55,71 -p proj
 ```
 ### Response
 ```json
 {
  "ok": true,
  "data": {
    "results": [
      { "iid": 42, "title": "Fix auth", "state": "opened", ... },
      { "iid": 55, "title": "Add SSO", "state": "opened", ... },
      { "iid": 71, "title": "Token refresh", "state": "closed", ... }
    ],
    "errors": [
      { "iid": 99, "error": "Not found" }
    ]
  }
 }
 ```
 ### Constraints
 - Max 20 IIDs per batch
 - Individual errors don't fail the batch (partial results returned)
 - Works with `--include` for maximum efficiency: `--batch 42,55 --include timeline`
 - Works with `--fields minimal` for token control
 **Effort:** Medium. Need to loop the existing detail handler and compose results.
 ---
 ## D. Composite `context` command (P2)
 **Problem:** Agents need full context on an entity but must learn `--include` syntax. A purpose-built command is more discoverable.
 **Proposal:** Add `context` command that returns detail + timeline + related in one call.
 ```bash
 lore -J context issues 42 -p proj
 lore -J context mrs 99 -p proj
 ```
 ### Equivalent To
 ```bash
 lore -J issues 42 -p proj --include timeline,related
 ```
 But with optimized defaults:
 - Timeline: 20 most recent events, max 3 evidence notes
 - Related: top 5 entities
 - Discussions: truncated after 5 threads
 - Non-fatal: Ollama-dependent parts gracefully degrade
 ### Response Shape
 Same as `issues <iid> --include timeline,related` but with the reduced defaults applied.
 ### Relationship to `--include`
 `context` is sugar for the most common `--include` pattern. Both mechanisms can coexist:
 - `context` for the 80% case (agents wanting full entity understanding)
 - `--include` for custom combinations
 **Effort:** Medium. Thin wrapper around detail + include pipeline.
 ---
 ## E. `--max-tokens` response budget (P3)
 **Problem:** Response sizes vary wildly (100 to 8000 tokens). Agents can't predict cost in advance.
 **Proposal:** Let agents cap response size. Server truncates to fit.
 ```bash
 lore -J me --max-tokens 500
 lore -J timeline "feature" --max-tokens 1000
 lore -J context issues 42 --max-tokens 2000
 ```
 ### Truncation Strategy (priority order)
 1. Apply `--fields minimal` if not already set
 2. Reduce array lengths (newest/highest-score items survive)
 3. Truncate string fields (descriptions, snippets) to 200 chars
 4. Omit null/empty fields
 5. Drop included sub-queries (if using `--include`)
 ### Meta Notice
 ```json
 {
  "meta": {
    "elapsed_ms": 50,
    "truncated": true,
    "original_tokens": 3500,
    "budget_tokens": 1000,
    "dropped": ["_related", "discussions[5:]", "activity[10:]"]
  }
 }
 ```
 ### Implementation Notes
 Token estimation: rough heuristic based on JSON character count / 4. Doesn't need to be exact — the goal is "roughly this size" not "exactly N tokens."
 **Effort:** High. Requires token estimation, progressive truncation logic, and tracking what was dropped.
 ---
 ## F. `--format tsv` for list commands (P3)
 **Problem:** JSON is verbose for tabular data. List commands return arrays of objects with repeated key names.
 **Proposal:** Add `--format tsv` for list commands.
 ```bash
 lore -J issues --format tsv --fields iid,title,state -n 10
 ```
 ### Output
 ```
 iid	title	state
 42	Fix auth	opened
 55	Add SSO	opened
 71	Token refresh	closed
 ```
 ### Token Savings
 | Command | JSON tokens | TSV tokens | Savings |
 |---|---|---|---|
 | `issues -n 50 --fields minimal` | ~800 | ~250 | **69%** |
 | `mrs -n 50 --fields minimal` | ~800 | ~250 | **69%** |
 | `who expert -n 10` | ~300 | ~100 | **67%** |
 | `notes -n 50 --fields minimal` | ~1000 | ~350 | **65%** |
 ### Applicable Commands
 TSV works well for flat, tabular data:
 - `issues` (list), `mrs` (list), `notes` (list)
 - `who expert`, `who overlap`, `who reviews`
 - `count`
 TSV does NOT work for nested/complex data:
 - Detail views (discussions are nested)
 - Timeline (events have nested evidence)
 - Search (nested explain, labels arrays)
 - `me` (multiple sections)
 ### Agent Parsing
 Most LLMs parse TSV naturally. Agents that need structured data can still use JSON.
 **Effort:** Medium. Tab-separated serialization for flat structs is straightforward. Need to handle escaping for body text containing tabs/newlines.
 ---
 ## Impact Summary
 | Optimization | Priority | Effort | Round-Trip Savings | Token Savings |
 |---|---|---|---|---|
 | `--include` | P0 | High | **50-75%** | Moderate |
 | `--depth` on `me` | P0 | Low | None | **60-80%** |
 | `--batch` | P1 | Medium | **N-1 per batch** | Moderate |
 | `context` command | P2 | Medium | **67-75%** | Moderate |
 | `--max-tokens` | P3 | High | None | **Variable** |
 | `--format tsv` | P3 | Medium | None | **65-69% on lists** |
 ### Implementation Order
 1. **`--depth` on `me`** — lowest effort, high value, no risk
 2. **`--include` on `issues`/`mrs` detail** — highest impact, start with `timeline` include only
 3. **`--batch`** — eliminates N+1 pattern
 4. **`context` command** — sugar on top of `--include`
 5. **`--format tsv`** — nice-to-have, easy to add incrementally
 6. **`--max-tokens`** — complex, defer until demand is clear
--- a/docs/command-surface-analysis/09-appendices.md
+++ b/docs/command-surface-analysis/09-appendices.md
@@ -0,0 +1,181 @@
 # Appendices
 ---
 ## A. Robot Output Envelope
 All robot-mode responses follow this structure:
 ```json
 {
  "ok": true,
  "data": { /* command-specific */ },
  "meta": { "elapsed_ms": 42 }
 }
 ```
 Errors (to stderr):
 ```json
 {
  "error": {
    "code": "CONFIG_NOT_FOUND",
    "message": "Configuration file not found",
    "suggestion": "Run 'lore init'",
    "actions": ["lore init"]
  }
 }
 ```
 The `actions` array contains copy-paste shell commands for automated recovery. Omitted when empty.
 ---
 ## B. Exit Codes
 | Code | Meaning | Retryable |
 |---|---|---|
 | 0 | Success | N/A |
 | 1 | Internal error / not implemented | Maybe |
 | 2 | Usage error (invalid flags or arguments) | No (fix syntax) |
 | 3 | Config invalid | No (fix config) |
 | 4 | Token not set | No (set token) |
 | 5 | GitLab auth failed | Maybe (token expired?) |
 | 6 | Resource not found (HTTP 404) | No |
 | 7 | Rate limited | Yes (wait) |
 | 8 | Network error | Yes (retry) |
 | 9 | Database locked | Yes (wait) |
 | 10 | Database error | Maybe |
 | 11 | Migration failed | No (investigate) |
 | 12 | I/O error | Maybe |
 | 13 | Transform error | No (bug) |
 | 14 | Ollama unavailable | Yes (start Ollama) |
 | 15 | Ollama model not found | No (pull model) |
 | 16 | Embedding failed | Yes (retry) |
 | 17 | Not found (entity does not exist) | No |
 | 18 | Ambiguous match (use `-p` to specify project) | No (be specific) |
 | 19 | Health check failed | Yes (fix issues first) |
 | 20 | Config not found | No (run init) |
 ---
 ## C. Field Selection Presets
 The `--fields` flag supports both presets and custom field lists:
 ```bash
 lore -J issues --fields minimal              # Preset
 lore -J mrs --fields iid,title,state,draft   # Custom comma-separated
 ```
 | Command | Minimal Preset Fields |
 |---|---|
 | `issues` (list) | `iid`, `title`, `state`, `updated_at_iso` |
 | `mrs` (list) | `iid`, `title`, `state`, `updated_at_iso` |
 | `notes` (list) | `id`, `author_username`, `body`, `created_at_iso` |
 | `search` | `document_id`, `title`, `source_type`, `score` |
 | `timeline` | `timestamp`, `type`, `entity_iid`, `detail` |
 | `who expert` | `username`, `score` |
 | `who workload` | `iid`, `title`, `state` |
 | `who reviews` | `name`, `count`, `percentage` |
 | `who active` | `entity_type`, `iid`, `title`, `participants` |
 | `who overlap` | `username`, `touch_count` |
 | `me` (items) | `iid`, `title`, `attention_state`, `updated_at_iso` |
 | `me` (activity) | `timestamp_iso`, `event_type`, `entity_iid`, `actor` |
 ---
 ## D. Configuration Precedence
 1. CLI flags (highest priority)
 2. Environment variables (`LORE_ROBOT`, `GITLAB_TOKEN`, `LORE_CONFIG_PATH`)
 3. Config file (`~/.config/lore/config.json`)
 4. Built-in defaults (lowest priority)
 ---
 ## E. Time Parsing
 All commands accepting `--since`, `--until`, `--as-of` support:
 | Format | Example | Meaning |
 |---|---|---|
 | Relative days | `7d` | 7 days ago |
 | Relative weeks | `2w` | 2 weeks ago |
 | Relative months | `1m`, `6m` | 1/6 months ago |
 | Absolute date | `2026-01-15` | Specific date |
 Internally converted to Unix milliseconds for DB queries.
 ---
 ## F. Database Schema (28 migrations)
 ### Primary Entity Tables
 | Table | Key Columns | Notes |
 |---|---|---|
 | `projects` | `gitlab_project_id`, `path_with_namespace`, `web_url` | No `name` or `last_seen_at` |
 | `issues` | `iid`, `title`, `state`, `author_username`, 5 status columns | Status columns nullable (migration 021) |
 | `merge_requests` | `iid`, `title`, `state`, `draft`, `source_branch`, `target_branch` | `last_seen_at INTEGER NOT NULL` |
 | `discussions` | `gitlab_discussion_id` (text), `issue_id`/`merge_request_id` | One FK must be set |
 | `notes` | `gitlab_id`, `author_username`, `body`, DiffNote position columns | `type` column for DiffNote/DiscussionNote |
 ### Relationship Tables
 | Table | Purpose |
 |---|---|
 | `issue_labels`, `mr_labels` | Label junction (DELETE+INSERT for stale removal) |
 | `issue_assignees`, `mr_assignees` | Assignee junction |
 | `mr_reviewers` | Reviewer junction |
 | `entity_references` | Cross-refs: closes, mentioned, related (with `source_method`) |
 | `mr_file_changes` | File diffs: old_path, new_path, change_type |
 ### Event Tables
 | Table | Constraint |
 |---|---|
 | `resource_state_events` | CHECK: exactly one of issue_id/merge_request_id NOT NULL |
 | `resource_label_events` | Same CHECK constraint; `label_name` nullable (migration 012) |
 | `resource_milestone_events` | Same CHECK constraint; `milestone_title` nullable |
 ### Document/Search Pipeline
 | Table | Purpose |
 |---|---|
 | `documents` | Unified searchable content (source_type: issue/merge_request/discussion) |
 | `documents_fts` | FTS5 virtual table for text search |
 | `documents_fts_docsize` | FTS5 shadow B-tree (19x faster for COUNT) |
 | `document_labels` | Fast label filtering (indexed exact-match) |
 | `document_paths` | File path association for DiffNote filtering |
 | `embeddings` | vec0 virtual table; rowid = document_id * 1000 + chunk_index |
 | `embedding_metadata` | Chunk provenance + staleness tracking (document_hash) |
 | `dirty_sources` | Documents needing regeneration (with backoff via next_attempt_at) |
 ### Infrastructure
 | Table | Purpose |
 |---|---|
 | `sync_runs` | Sync history with metrics |
 | `sync_cursors` | Per-resource sync position (updated_at cursor + tie_breaker_id) |
 | `app_locks` | Crash-safe single-flight lock |
 | `raw_payloads` | Raw JSON storage for debugging |
 | `pending_discussion_fetches` | Dependent discussion fetch queue |
 | `pending_dependent_fetches` | Job queue for resource_events, mr_closes, mr_diffs |
 | `schema_version` | Migration tracking |
 ---
 ## G. Glossary
 | Term | Definition |
 |---|---|
 | **IID** | Issue/MR number within a project (not globally unique) |
 | **FTS5** | SQLite full-text search extension (BM25 ranking) |
 | **vec0** | SQLite extension for vector similarity search |
 | **RRF** | Reciprocal Rank Fusion — combines FTS and vector rankings |
 | **DiffNote** | Comment attached to a specific line in a merge request diff |
 | **Entity reference** | Cross-reference between issues/MRs (closes, mentioned, related) |
 | **Rename chain** | BFS traversal of mr_file_changes to follow file renames |
 | **Attention state** | Computed field on `me` items: needs_attention, not_started, stale, etc. |
 | **Surgical sync** | Fetching specific entities by IID instead of full incremental sync |
--- a/docs/lore-me-spec.md
+++ b/docs/lore-me-spec.md
@@ -0,0 +1,290 @@
 # `lore me` — Personal Work Dashboard
 ## Overview
 A personal dashboard command that shows everything relevant to the configured user: open issues, authored MRs, MRs under review, and recent activity. Attention state is computed from GitLab interaction data (comments) with no local state tracking.
 ## Command Interface
 ```
 lore me                              # Full dashboard (default project or all)
 lore me --issues                     # Issues section only
 lore me --mrs                        # MRs section only (authored + reviewing)
 lore me --activity                   # Activity feed only
 lore me --issues --mrs               # Multiple sections (combinable)
 lore me --all                        # All synced projects (overrides default_project)
 lore me --since 2d                   # Activity window (default: 30d)
 lore me --project group/repo         # Scope to one project
 lore me --user jdoe                  # Override configured username
 ```
 Standard global flags: `--robot`/`-J`, `--fields`, `--color`, `--icons`.
 ---
 ## Acceptance Criteria
 ### AC-1: Configuration
 - **AC-1.1**: New optional field `gitlab.username` (string) in config.json
 - **AC-1.2**: Resolution order: `--user` CLI flag > `config.gitlab.username` > exit code 2 with actionable error message suggesting how to set it
 - **AC-1.3**: Username is case-sensitive (matches GitLab usernames exactly)
 ### AC-2: Command Interface
 - **AC-2.1**: New command `lore me` — single command with flags (matches `who` pattern)
 - **AC-2.2**: Section filter flags: `--issues`, `--mrs`, `--activity` — combinable. Passing multiple shows those sections. No flags = full dashboard (all sections).
 - **AC-2.3**: `--since <duration>` controls activity feed window, default 30 days. Only affects the activity section; work item sections always show all open items regardless of `--since`.
 - **AC-2.4**: `--project <path>` scopes to a single project
 - **AC-2.5**: `--user <username>` overrides configured username
 - **AC-2.6**: `--all` flag shows all synced projects (overrides default_project)
 - **AC-2.7**: `--project` and `--all` are mutually exclusive — passing both is exit code 2
 - **AC-2.8**: Standard global flags: `--robot`/`-J`, `--fields`, `--color`, `--icons`
 ### AC-3: "My Items" Definition
 - **AC-3.1**: Issues assigned to me (`issue_assignees.username`). Authorship alone does NOT qualify an issue.
 - **AC-3.2**: MRs authored by me (`merge_requests.author_username`)
 - **AC-3.3**: MRs where I'm a reviewer (`mr_reviewers.username`)
 - **AC-3.4**: Scope is **Assigned (issues) + Authored/Reviewing (MRs)** — no participation/mention expansion
 - **AC-3.5**: MR assignees (`mr_assignees`) are NOT used — in Pattern 1 workflows (author = assignee), this is redundant with authorship
 - **AC-3.6**: Activity feed uses CURRENT association only — if you've been unassigned from an issue, activity on it no longer appears. This keeps the query simple and the feed relevant.
 ### AC-4: Attention State Model
 - **AC-4.1**: Computed per-item from synced GitLab data, no local state tracking
 - **AC-4.2**: Interaction signal: notes authored by the user (`notes.author_username = me` where `is_system = 0`)
 - **AC-4.3**: Future: award emoji will extend interaction signals (separate bead)
 - **AC-4.4**: States (evaluated in this order — first match wins):
  1. `not_ready`: MR only — `draft=1` AND zero entries in `mr_reviewers`
  2. `needs_attention`: Others' latest non-system note > user's latest non-system note
  3. `stale`: Entity has at least one non-system note from someone, but the most recent note from anyone is older than 30 days. Items with ZERO notes are NOT stale — they're `not_started`.
  4. `not_started`: User has zero non-system notes on this entity (regardless of whether others have commented)
  5. `awaiting_response`: User's latest non-system note timestamp >= all others' latest non-system note timestamps (including when user is the only commenter)
 - **AC-4.5**: Applied to all item types (issues, authored MRs, reviewing MRs)
 ### AC-5: Dashboard Sections
 **AC-5.1: Open Issues**
 - Source: `issue_assignees.username = me`, state = opened
 - Fields: project path, iid, title, status_name (work item status), attention state, relative time since updated
 - Sort: attention-first (needs_attention > not_started > awaiting_response > stale), then most recently updated within same state
 - No limit, no truncation — show all
 **AC-5.2: Open MRs — Authored**
 - Source: `merge_requests.author_username = me`, state = opened
 - Fields: project path, iid, title, draft indicator, detailed_merge_status, attention state, relative time
 - Sort: same as issues
 **AC-5.3: Open MRs — Reviewing**
 - Source: `mr_reviewers.username = me`, state = opened
 - Fields: project path, iid, title, MR author username, draft indicator, attention state, relative time
 - Sort: same as issues
 **AC-5.4: Activity Feed**
 - Sources (all within `--since` window, default 30d):
  - Human comments (`notes.is_system = 0`) on my items
  - State events (`resource_state_events`) on my items
  - Label events (`resource_label_events`) on my items
  - Milestone events (`resource_milestone_events`) on my items
  - Assignment/reviewer system notes (see AC-12 for patterns) on my items
 - "My items" for the activity feed = items I'm CURRENTLY associated with per AC-3 (current assignment state, not historical)
 - Includes activity on items regardless of open/closed state
 - Own actions included but flagged (`is_own: true` in robot, `(you)` suffix + dimmed in human)
 - Sort: newest first (chronological descending)
 - No limit, no truncation — show all events
 **AC-5.5: Summary Header**
 - Counts: projects, open issues, authored MRs, reviewing MRs, needs_attention count
 - Attention legend (human mode): icon + label for each state
 ### AC-6: Human Output — Visual Design
 **AC-6.1: Layout**
 - Section card style with `section_divider` headers
 - Legend at top explains attention icons
 - Two-line per item: main data on line 1, project path on line 2 (indented)
 - When scoped to single project (`--project`), suppress project path line (redundant)
 **AC-6.2: Attention Icons (three tiers)**
 | State | Nerd Font | Unicode | ASCII | Color |
 |-------|-----------|---------|-------|-------|
 | needs_attention | `\uf0f3` bell | `◆` | `[!]` | amber (warning) |
 | not_started | `\uf005` star | `★` | `[*]` | cyan (info) |
 | awaiting_response | `\uf017` clock | `◷` | `[~]` | dim (muted) |
 | stale | `\uf54c` skull | `☠` | `[x]` | dim (muted) |
 **AC-6.3: Color Vocabulary** (matches existing lore palette)
 - Issue refs (#N): cyan
 - MR refs (!N): purple
 - Usernames (@name): cyan
 - Opened state: green
 - Merged state: purple
 - Closed state: dim
 - Draft indicator: gray
 - Own actions: dimmed + `(you)` suffix
 - Timestamps: dim (relative time)
 **AC-6.4: Activity Event Badges**
 | Event | Nerd/Unicode (colored bg) | ASCII fallback |
 |-------|--------------------------|----------------|
 | note | cyan bg, dark text | `[note]` cyan text |
 | status | amber bg, dark text | `[status]` amber text |
 | label | purple bg, white text | `[label]` purple text |
 | assign | green bg, dark text | `[assign]` green text |
 | milestone | magenta bg, white text | `[milestone]` magenta text |
 Fallback: when background colors aren't available (ASCII mode), use colored text with brackets instead of background pills.
 **AC-6.5: Labels**
 - Human mode: not shown
 - Robot mode: included in JSON
 ### AC-7: Robot Output
 - **AC-7.1**: Standard `{ok, data, meta}` envelope
 - **AC-7.2**: `data` contains: `username`, `since_iso`, `summary` (counts + `needs_attention_count`), `open_issues[]`, `open_mrs_authored[]`, `reviewing_mrs[]`, `activity[]`
 - **AC-7.3**: Each item includes: project, iid, title, state, attention_state (programmatic: `needs_attention`, `not_started`, `awaiting_response`, `stale`, `not_ready`), labels, updated_at_iso, web_url
 - **AC-7.4**: Issues include `status_name` (work item status)
 - **AC-7.5**: MRs include `draft`, `detailed_merge_status`, `author_username` (reviewing section)
 - **AC-7.6**: Activity items include: `timestamp_iso`, `event_type`, `entity_type`, `entity_iid`, `project`, `actor`, `is_own`, `summary`, `body_preview` (for notes, truncated to 200 chars)
 - **AC-7.7**: `--fields minimal` preset: `iid`, `title`, `attention_state`, `updated_at_iso` (work items); `timestamp_iso`, `event_type`, `entity_iid`, `actor` (activity)
 - **AC-7.8**: Metadata-only depth — agents drill into specific items with `timeline`, `issues`, `mrs` for full context
 - **AC-7.9**: No limits, no truncation on any array
 ### AC-8: Cross-Project Behavior
 - **AC-8.1**: If `config.default_project` is set, scope to that project by default. If no default project, show all synced projects.
 - **AC-8.2**: `--all` flag overrides default project and shows all synced projects
 - **AC-8.3**: `--project` flag narrows to a specific project (supports fuzzy match like other commands)
 - **AC-8.4**: `--project` and `--all` are mutually exclusive (exit 2 if both passed)
 - **AC-8.5**: Project path shown per-item in both human and robot output (suppressed in human when single-project scoped per AC-6.1)
 ### AC-9: Sort Order
 - **AC-9.1**: Work item sections: attention-first, then most recently updated
 - **AC-9.2**: Attention priority: `needs_attention` > `not_started` > `awaiting_response` > `stale` > `not_ready`
 - **AC-9.3**: Activity feed: chronological descending (newest first)
 ### AC-10: Error Handling
 - **AC-10.1**: No username configured and no `--user` flag → exit 2 with suggestion
 - **AC-10.2**: No synced data → exit 17 with suggestion to run `lore sync`
 - **AC-10.3**: Username found but no matching items → empty sections with summary showing zeros
 - **AC-10.4**: `--project` and `--all` both passed → exit 2 with message
 ### AC-11: Relationship to Existing Commands
 - **AC-11.1**: `who @username` remains for looking at anyone's workload
 - **AC-11.2**: `lore me` is the self-view with attention intelligence
 - **AC-11.3**: No deprecation of `who` — they serve different purposes
 ### AC-12: New Assignments Detection
 - **AC-12.1**: Detect from system notes (`notes.is_system = 1`) matching these body patterns:
  - `"assigned to @username"` — issue/MR assignment
  - `"unassigned @username"` — removal (shown as `unassign` event type)
  - `"requested review from @username"` — reviewer assignment (shown as `review_request` event type)
 - **AC-12.2**: These appear in the activity feed with appropriate event types
 - **AC-12.3**: Shows who performed the action (note author from the associated non-system context, or "system" if unavailable) and when (note created_at)
 - **AC-12.4**: Pattern matching is case-insensitive and matches username at word boundary
 ---
 ## Out of Scope (Follow-Up Work)
 - **Award emoji sync**: Extends attention signal with reaction timestamps. Requires new table + GitLab REST API integration. Note-level emoji sync has N+1 concern requiring smart batching.
 - **Participation/mention expansion**: Broadening "my items" beyond assigned+authored.
 - **Label filtering**: `--label` flag to scope dashboard by label.
 ---
 ## Design Notes
 ### Why No High-Water Mark
 GitLab itself is the source of truth for "what I've engaged with." The attention state is computed by comparing the user's latest comment timestamp against others' latest comment timestamps on each item. No local cursor or mark is needed.
 ### Why Comments-Only (For Now)
 Award emoji (reactions) are a valid "I've engaged" signal but aren't currently synced. The attention model is designed to incorporate emoji timestamps when available — adding them later requires no model changes.
 ### Why MR Assignees Are Excluded
 GitLab MR workflows have three role fields: Author, Assignee, and Reviewer. In Pattern 1 workflows (the most common post-2020), the author assigns themselves — making assignee redundant with authorship. The Reviewing section uses `mr_reviewers` as the review signal.
 ### Attention State Evaluation Order
 States are evaluated in priority order (first match wins):
 ```
 1. not_ready    — MR-only: draft=1 AND no reviewers
 2. needs_attention — others commented after me
 3. stale        — had activity, but nothing in 30d (NOT for zero-comment items)
 4. not_started  — I have zero comments (may or may not have others' comments)
 5. awaiting_response — I commented last (or I'm the only commenter)
 ```
 Edge cases:
 - Zero comments from anyone → `not_started` (NOT stale)
 - Only my comments, none from others → `awaiting_response`
 - Only others' comments, none from me → `not_started` (I haven't engaged)
  - Wait: this conflicts with `needs_attention` (step 2). If others have commented and I haven't, then others' latest > my latest (NULL). This should be `needs_attention`, not `not_started`.
 Corrected logic:
 - `needs_attention` takes priority over `not_started` when others HAVE commented but I haven't. The distinction: `not_started` only applies when NOBODY has commented.
 ```
 1. not_ready         — MR-only: draft=1 AND no reviewers
 2. needs_attention   — others have non-system notes AND (I have none OR others' latest > my latest)
 3. stale             — latest note from anyone is older than 30 days
 4. awaiting_response — my latest >= others' latest (I'm caught up)
 5. not_started       — zero non-system notes from anyone
 ```
 ### Attention State Computation (SQL Sketch)
 ```sql
 WITH my_latest AS (
    SELECT d.issue_id, d.merge_request_id, MAX(n.created_at) AS ts
    FROM notes n
    JOIN discussions d ON n.discussion_id = d.id
    WHERE n.author_username = ?me AND n.is_system = 0
    GROUP BY d.issue_id, d.merge_request_id
 ),
 others_latest AS (
    SELECT d.issue_id, d.merge_request_id, MAX(n.created_at) AS ts
    FROM notes n
    JOIN discussions d ON n.discussion_id = d.id
    WHERE n.author_username != ?me AND n.is_system = 0
    GROUP BY d.issue_id, d.merge_request_id
 ),
 any_latest AS (
    SELECT d.issue_id, d.merge_request_id, MAX(n.created_at) AS ts
    FROM notes n
    JOIN discussions d ON n.discussion_id = d.id
    WHERE n.is_system = 0
    GROUP BY d.issue_id, d.merge_request_id
 )
 SELECT
    CASE
        -- MR-only: draft with no reviewers
        WHEN entity_type = 'mr' AND draft = 1
             AND NOT EXISTS (SELECT 1 FROM mr_reviewers WHERE merge_request_id = entity_id)
            THEN 'not_ready'
        -- Others commented and I haven't caught up (or never engaged)
        WHEN others.ts IS NOT NULL AND (my.ts IS NULL OR others.ts > my.ts)
            THEN 'needs_attention'
        -- Had activity but gone quiet for 30d
        WHEN any.ts IS NOT NULL AND any.ts < ?now_minus_30d
            THEN 'stale'
        -- I've responded and I'm caught up
        WHEN my.ts IS NOT NULL AND my.ts >= COALESCE(others.ts, 0)
            THEN 'awaiting_response'
        -- Nobody has commented at all
        ELSE 'not_started'
    END AS attention_state
 FROM ...
 ```
--- a/docs/plan-expose-discussion-ids.feedback-1.md
+++ b/docs/plan-expose-discussion-ids.feedback-1.md
@@ -0,0 +1,202 @@
 No `## Rejected Recommendations` section appears in the plan you pasted, so the revisions below are all net-new.
 1. **Add an explicit “Bridge Contract” and fix scope inconsistency**
 Analysis: The plan says “Three changes” but defines four. More importantly, identifier requirements are scattered. A single contract section prevents drift and makes every new read surface prove it can drive a write call.
 ```diff
@@
 -**Scope**: Three changes, delivered in order:
 +**Scope**: Four workstreams, delivered in order:
 1. Add `gitlab_discussion_id` to notes output
 2. Add `gitlab_discussion_id` to show command discussion groups
 3. Add a standalone `discussions` list command
 4. Fix robot-docs to list actual field names instead of opaque type references
 +
 +## Bridge Contract (Cross-Cutting)
 +Every read payload that surfaces notes/discussions MUST include:
 +- `project_path`
 +- `noteable_type`
 +- `parent_iid`
 +- `gitlab_discussion_id`
 +- `gitlab_note_id` (when note-level data is returned)
 +This contract is required so agents can deterministically construct `glab api` write calls.
 ```
 2. **Normalize identifier naming now (break ambiguous names)**
 Analysis: Current `id`/`gitlab_id` naming is ambiguous in mixed payloads. Rename to explicit `note_id` and `gitlab_note_id` now (you explicitly don’t care about backward compatibility). This reduces automation mistakes.
 ```diff
@@ 1b. Add field to `NoteListRow`
 -pub struct NoteListRow {
 -    pub id: i64,
 -    pub gitlab_id: i64,
 +pub struct NoteListRow {
 +    pub note_id: i64,           // local DB id
 +    pub gitlab_note_id: i64,    // GitLab note id
@@
@@ 1c. Add field to `NoteListRowJson`
 -pub struct NoteListRowJson {
 -    pub id: i64,
 -    pub gitlab_id: i64,
 +pub struct NoteListRowJson {
 +    pub note_id: i64,
 +    pub gitlab_note_id: i64,
@@
 -#### 2f. Add `gitlab_note_id` to note detail structs in show
 -While we're here, add `gitlab_id` to `NoteDetail`, `MrNoteDetail`, and their JSON
 +#### 2f. Add `gitlab_note_id` to note detail structs in show
 +While we're here, add `gitlab_note_id` to `NoteDetail`, `MrNoteDetail`, and their JSON
 counterparts.
 ```
 3. **Stop positional column indexing for these changes**
 Analysis: In `list.rs`, row extraction is positional (`row.get(18)`, etc.). Adding fields is fragile and easy to break silently. Use named aliases and named lookup for robustness.
 ```diff
@@ 1a/1b SQL + query_map
 -    p.path_with_namespace AS project_path
 +    p.path_with_namespace AS project_path,
 +    d.gitlab_discussion_id AS gitlab_discussion_id
@@
 -    project_path: row.get(18)?,
 -    gitlab_discussion_id: row.get(19)?,
 +    project_path: row.get("project_path")?,
 +    gitlab_discussion_id: row.get("gitlab_discussion_id")?,
 ```
 4. **Redesign `discussions` query to avoid correlated subquery fanout**
 Analysis: Proposed query uses many correlated subqueries per row. That’s acceptable for tiny MR-scoped sets, but degrades for project-wide scans. Use a base CTE + one rollup pass over notes.
 ```diff
@@ 3c. SQL Query
 -SELECT
 -    d.id,
 -    ...
 -    (SELECT COUNT(*) FROM notes n2 WHERE n2.discussion_id = d.id AND n2.is_system = 0) AS note_count,
 -    (SELECT n3.author_username FROM notes n3 WHERE n3.discussion_id = d.id ORDER BY n3.position LIMIT 1) AS first_author,
 -    ...
 -FROM discussions d
 +WITH base AS (
 +  SELECT d.id, d.gitlab_discussion_id, d.noteable_type, d.project_id, d.issue_id, d.merge_request_id,
 +         d.individual_note, d.first_note_at, d.last_note_at, d.resolvable, d.resolved
 +  FROM discussions d
 +  {where_sql}
 +),
 +note_rollup AS (
 +  SELECT n.discussion_id,
 +         COUNT(*) FILTER (WHERE n.is_system = 0) AS user_note_count,
 +         COUNT(*) AS total_note_count,
 +         MIN(CASE WHEN n.is_system = 0 THEN n.position END) AS first_user_pos
 +  FROM notes n
 +  JOIN base b ON b.id = n.discussion_id
 +  GROUP BY n.discussion_id
 +)
 +SELECT ...
 +FROM base b
 +LEFT JOIN note_rollup r ON r.discussion_id = b.id
 ```
 5. **Add explicit index work for new access patterns**
 Analysis: Existing indexes are good but not ideal for new list patterns (`project + last_note`, note position ordering inside discussion). Add migration entries to keep latency stable.
 ```diff
@@ ## 3. Add Standalone `discussions` List Command
 +#### 3h. Add migration for discussion-list performance
 +**File**: `migrations/027_discussions_list_indexes.sql`
 +```sql
 +CREATE INDEX IF NOT EXISTS idx_discussions_project_last_note
 +  ON discussions(project_id, last_note_at DESC, id DESC);
 +CREATE INDEX IF NOT EXISTS idx_discussions_project_first_note
 +  ON discussions(project_id, first_note_at DESC, id DESC);
 +CREATE INDEX IF NOT EXISTS idx_notes_discussion_position
 +  ON notes(discussion_id, position);
 +```
 ```
 6. **Add keyset pagination (critical for agent workflows)**
 Analysis: `--limit` alone is not enough for automation over large datasets. Add cursor-based pagination with deterministic sort keys and `next_cursor` in JSON.
 ```diff
@@ 3a. CLI Args
 +    /// Keyset cursor from previous response
 +    #[arg(long, help_heading = "Output")]
 +    pub cursor: Option<String>,
@@
@@ Response Schema
 -    "total_count": 15,
 -    "showing": 15
 +    "total_count": 15,
 +    "showing": 15,
 +    "next_cursor": "eyJsYXN0X25vdGVfYXQiOjE3MDAwMDAwMDAwMDAsImlkIjoxMjN9"
@@
@@ Validation Criteria
 +7. `lore -J discussions ... --cursor <token>` returns the next stable page without duplicates/skips
 ```
 7. **Fix semantic ambiguities in discussion summary fields**
 Analysis: `note_count` is ambiguous, and `first_author` can accidentally be a system note author. Make fields explicit and consistent with non-system default behavior.
 ```diff
@@ Response Schema
 -        "note_count": 3,
 -        "first_author": "elovegrove",
 +        "user_note_count": 3,
 +        "total_note_count": 4,
 +        "first_user_author": "elovegrove",
@@
@@ 3d. Filters struct / path behavior
 -- `path` → `EXISTS (SELECT 1 FROM notes n WHERE n.discussion_id = d.id AND n.position_new_path LIKE ?)`
 +- `path` → match on BOTH `position_new_path` and `position_old_path` (exact/prefix)
 ```
 8. **Enrich show outputs with actionable thread metadata**
 Analysis: Adding only discussion id helps, but agents still need thread state and note ids to pick targets correctly. Add `resolvable`, `resolved`, `last_note_at_iso`, and `gitlab_note_id` in show discussion payloads.
 ```diff
@@ 2a/2b show discussion structs
 pub struct DiscussionDetailJson {
     pub gitlab_discussion_id: String,
 +    pub resolvable: bool,
 +    pub resolved: bool,
 +    pub last_note_at_iso: String,
     pub notes: Vec<NoteDetailJson>,
@@
 pub struct NoteDetailJson {
 +    pub gitlab_note_id: i64,
     pub author_username: String,
 ```
 9. **Harden robot-docs against schema drift with tests**
 Analysis: Static JSON in `main.rs` will drift again. Add a lightweight contract test that asserts docs include required fields for `notes`, `discussions`, and show payloads.
 ```diff
@@ 4. Fix Robot-Docs Response Schemas
 +#### 4f. Add robot-docs contract tests
 +**File**: `src/main.rs` (or dedicated test module)
 +- Assert `robot-docs` contains `gitlab_discussion_id` and `gitlab_note_id` in:
 +  - `notes.response_schema`
 +  - `issues.response_schema.show`
 +  - `mrs.response_schema.show`
 +  - `discussions.response_schema`
 ```
 10. **Adjust delivery order to reduce rework and include missing CSV path**
 Analysis: In your sample `handle_discussions`, `csv` is declared in args but not handled. Also, robot-docs should land after all payload changes. Sequence should minimize churn.
 ```diff
@@ Delivery Order
 -3. **Change 4** (robot-docs) — depends on 1 and 2 being done so schemas are accurate.
 -4. **Change 3** (discussions command) — largest change, depends on 1 for design consistency.
 +3. **Change 3** (discussions command + indexes + pagination) — largest change.
 +4. **Change 4** (robot-docs + contract tests) — last, after payloads are final.
@@ 3e. Handler wiring
 -    match format {
 +    match format {
         "json" => ...
         "jsonl" => ...
 +        "csv" => print_list_discussions_csv(&result),
         _ => ...
     }
 ```
 If you want, I can produce a single consolidated revised plan markdown with these edits applied so you can drop it in directly.
--- a/docs/plan-expose-discussion-ids.feedback-2.md
+++ b/docs/plan-expose-discussion-ids.feedback-2.md
@@ -0,0 +1,162 @@
 Best non-rejected upgrades I’d make to this plan are below. They focus on reducing schema drift, making robot output safer to consume, and improving performance behavior at scale.
 1. Add a shared contract model and field constants first (before workstreams 1-4)  
 Rationale: Right now each command has its own structs and ad-hoc mapping. That is exactly how drift happens. A single contract definition reused by `notes`, `show`, `discussions`, and robot-docs gives compile-time coupling between output payloads and docs. It also makes future fields cheaper and safer to add.
 ```diff
@@ Scope: Four workstreams, delivered in order:
 -1. Add `gitlab_discussion_id` to notes output
 -2. Add `gitlab_discussion_id` to show command discussion groups
 -3. Add a standalone `discussions` list command
 -4. Fix robot-docs to list actual field names instead of opaque type references
 +0. Introduce shared Bridge Contract model/constants used by notes/show/discussions/robot-docs
 +1. Add `gitlab_discussion_id` to notes output
 +2. Add `gitlab_discussion_id` to show command discussion groups
 +3. Add a standalone `discussions` list command
 +4. Fix robot-docs to list actual field names instead of opaque type references
 +## 0. Shared Contract Model (Cross-Cutting)
 +Define canonical required-field constants and shared mapping helpers, then consume them in:
 +- `src/cli/commands/list.rs`
 +- `src/cli/commands/show.rs`
 +- `src/cli/robot.rs`
 +- `src/main.rs` robot-docs builder
 +This removes duplicated field-name strings and prevents docs/output mismatch.
 ```
 2. Make bridge fields “non-droppable” in robot mode  
 Rationale: The current plan adds fields, but `--fields` can still remove them. That breaks the core read/write bridge contract in exactly the workflows this change is trying to fix. In robot mode, contract fields should always be force-included.
 ```diff
@@ ## Bridge Contract (Cross-Cutting)
 Every read payload that surfaces notes or discussions **MUST** include:
 - `project_path`
 - `noteable_type`
 - `parent_iid`
 - `gitlab_discussion_id`
 - `gitlab_note_id` (when note-level data is returned — i.e., in notes list and show detail)
 +### Field Filtering Guardrail
 +In robot mode, `filter_fields` must force-include Bridge Contract fields even when users pass a narrower `--fields` list.
 +Human/table mode keeps existing behavior.
 ```
 3. Replace correlated subqueries in `discussions` rollup with a single-pass window/aggregate pattern  
 Rationale: Your CTE is better than naive fanout, but it still uses multiple correlated sub-selects per discussion for first author/body/path. At 200K+ discussions this can regress badly depending on cache/index state. A window-ranked `notes` CTE with grouped aggregates is usually faster and more predictable in SQLite.
 ```diff
@@ #### 3c. SQL Query
 -Core query uses a CTE + rollup to avoid correlated subquery fanout on larger result sets:
 +Core query uses a CTE + ranked-notes rollup (window function) to avoid per-row correlated subqueries:
 -WITH filtered_discussions AS (...),
 -note_rollup AS (
 -    SELECT
 -        n.discussion_id,
 -        SUM(...) AS note_count,
 -        (SELECT ... LIMIT 1) AS first_author,
 -        (SELECT ... LIMIT 1) AS first_note_body,
 -        (SELECT ... LIMIT 1) AS position_new_path,
 -        (SELECT ... LIMIT 1) AS position_new_line
 -    FROM notes n
 -    ...
 -)
 +WITH filtered_discussions AS (...),
 +ranked_notes AS (
 +    SELECT
 +        n.*,
 +        ROW_NUMBER() OVER (PARTITION BY n.discussion_id ORDER BY n.position, n.id) AS rn
 +    FROM notes n
 +    WHERE n.discussion_id IN (SELECT id FROM filtered_discussions)
 +),
 +note_rollup AS (
 +    SELECT
 +        discussion_id,
 +        SUM(CASE WHEN is_system = 0 THEN 1 ELSE 0 END) AS note_count,
 +        MAX(CASE WHEN rn = 1 AND is_system = 0 THEN author_username END) AS first_author,
 +        MAX(CASE WHEN rn = 1 AND is_system = 0 THEN body END) AS first_note_body,
 +        MAX(CASE WHEN position_new_path IS NOT NULL THEN position_new_path END) AS position_new_path,
 +        MAX(CASE WHEN position_new_line IS NOT NULL THEN position_new_line END) AS position_new_line
 +    FROM ranked_notes
 +    GROUP BY discussion_id
 +)
 ```
 4. Add direct GitLab ID filters for deterministic bridging  
 Rationale: Bridge workflows often start from one known ID. You already have `gitlab_note_id` in notes filters, but discussion filtering still looks internal-ID-centric. Add explicit GitLab-ID filters so agents do not need extra translation calls.
 ```diff
@@ #### 3a. CLI Args
 pub struct DiscussionsArgs {
 +    /// Filter by GitLab discussion ID
 +    #[arg(long, help_heading = "Filters")]
 +    pub gitlab_discussion_id: Option<String>,
@@
@@ #### 3d. Filters struct
 pub struct DiscussionListFilters {
 +    pub gitlab_discussion_id: Option<String>,
@@
 }
 ```
 ```diff
@@ ## 1. Add `gitlab_discussion_id` to Notes Output
 +#### 1g. Add `--gitlab-discussion-id` filter to notes
 +Allow filtering notes directly by GitLab thread ID (not only internal discussion ID).
 +This enables one-hop note retrieval from external references.
 ```
 5. Add optional note expansion to `discussions` for fewer round-trips  
 Rationale: Today the agent flow is often `discussions -> show`. Optional embedded notes (`--include-notes N`) gives a fast path for “list unresolved threads with latest context” without forcing full show payloads.
 ```diff
@@ ### Design
 lore -J discussions --for-mr 99 --resolution unresolved
 +lore -J discussions --for-mr 99 --resolution unresolved --include-notes 2
@@ #### 3a. CLI Args
 +    /// Include up to N latest notes per discussion (0 = none)
 +    #[arg(long, default_value = "0", help_heading = "Output")]
 +    pub include_notes: usize,
 ```
 6. Upgrade robot-docs from string blobs to structured schema + explicit contract block  
 Rationale: `contains("gitlab_discussion_id")` tests on schema strings are brittle. A structured schema object gives machine-checked docs and reliable test assertions. Add a contract section for agent consumers.
 ```diff
@@ ## 4. Fix Robot-Docs Response Schemas
 -#### 4a. Notes response_schema
 -Replace stringly-typed schema snippets...
 +#### 4a. Notes response_schema (structured)
 +Represent response fields as JSON objects (field -> type/nullable), not freeform strings.
 +#### 4g. Add `bridge_contract` section in robot-docs
 +Publish canonical required fields per entity:
 +- notes
 +- discussions
 +- show.discussions
 +- show.notes
 ```
 7. Strengthen validation: add CLI-level contract tests and perf guardrails  
 Rationale: Most current tests are unit-level struct/query checks. Add end-to-end JSON contract tests via command handlers, plus a benchmark-style regression test (ignored by default) so performance work stays intentional.
 ```diff
@@ ## Validation Criteria
 8. Bridge Contract fields (...) are present in every applicable read payload
 +9. Contract fields remain present even with `--fields` in robot mode
 +10. `discussions` query meets performance guardrail on representative fixture (documented threshold)
@@ ### Tests
 +#### Test: robot-mode fields cannot drop bridge contract keys
 +Run notes/discussions JSON output through `filter_fields` path and assert required keys remain.
 +
 +#### Test: CLI contract integration
 +Invoke command handlers for `notes`, `discussions`, `mrs <iid>`, parse JSON, assert required keys and types.
 +
 +#### Test (ignored): large-fixture performance regression
 +Generate representative fixture and assert `query_discussions` stays under target elapsed time.
 ```
 If you want, I can now produce a full “v2 plan” document that applies these diffs end-to-end (including revised delivery order and complete updated sections).
--- a/docs/plan-expose-discussion-ids.feedback-3.md
+++ b/docs/plan-expose-discussion-ids.feedback-3.md
@@ -0,0 +1,147 @@
 1. **Make `gitlab_note_id` explicit in all note-level payloads without breaking existing consumers**
 Rationale: Your Bridge Contract already requires `gitlab_note_id`, but current plan keeps `gitlab_id` only in `notes` list while adding `gitlab_note_id` only in detail views. That forces agents to special-case commands. Add `gitlab_note_id` as an alias field everywhere note-level data appears, while keeping `gitlab_id` for compatibility.
 ```diff
@@ Bridge Contract (Cross-Cutting)
 -Every read payload that surfaces notes or discussions MUST include:
 +Every read payload that surfaces notes or discussions MUST include:
   - project_path
   - noteable_type
   - parent_iid
   - gitlab_discussion_id
   - gitlab_note_id (when note-level data is returned — i.e., in notes list and show detail)
 +  - Back-compat rule: note payloads may continue exposing `gitlab_id`, but MUST also expose `gitlab_note_id` with the same value.
@@ 1. Add `gitlab_discussion_id` to Notes Output
 -#### 1c. Add field to `NoteListRowJson`
 +#### 1c. Add fields to `NoteListRowJson`
 +Add `gitlab_note_id` alias in addition to existing `gitlab_id` (no rename, no breakage).
@@ 1f. Update `--fields minimal` preset
 -"notes" => ["id", "author_username", "body", "created_at_iso", "gitlab_discussion_id"]
 +"notes" => ["id", "gitlab_note_id", "author_username", "body", "created_at_iso", "gitlab_discussion_id"]
 ```
 2. **Avoid duplicate flag semantics for discussion filtering**
 Rationale: `notes` already has `--discussion-id` and it already maps to `d.gitlab_discussion_id`. Adding a second independent flag/field (`--gitlab-discussion-id`) increases complexity and precedence bugs. Keep one backing filter field and make the new flag an alias.
 ```diff
@@ 1g. Add `--gitlab-discussion-id` filter to notes
 -Allow filtering notes directly by GitLab discussion thread ID...
 +Normalize discussion ID flags:
 +- Keep one backing filter field (`discussion_id`)
 +- Support both `--discussion-id` (existing) and `--gitlab-discussion-id` (alias)
 +- If both are provided, clap should reject as duplicate/alias conflict
 ```
 3. **Add ambiguity guardrails for cross-project discussion IDs**
 Rationale: `gitlab_discussion_id` is unique per project, not globally. Filtering by discussion ID without project can return multiple rows across repos, which breaks deterministic write bridging. Fail fast with an `Ambiguous` error and actionable fix (`--project`).
 ```diff
@@ Bridge Contract (Cross-Cutting)
 +### Ambiguity Guardrail
 +When filtering by `gitlab_discussion_id` without `--project`, if multiple projects match:
 +- return `Ambiguous` error
 +- include matching project paths in message
 +- suggest retry with `--project <path>`
 ```
 4. **Replace `--include-notes` N+1 retrieval with one batched top-N query**
 Rationale: The current plan’s per-discussion follow-up query scales poorly and creates latency spikes. Use a single window-function query over selected discussion IDs and group rows in Rust. This is both faster and more predictable.
 ```diff
@@ 3c-ii. Note expansion query (--include-notes)
 -When `include_notes > 0`, after the main discussion query, run a follow-up query per discussion...
 +When `include_notes > 0`, run one batched query:
 +WITH ranked_notes AS (
 +  SELECT
 +    n.*,
 +    d.gitlab_discussion_id,
 +    ROW_NUMBER() OVER (
 +      PARTITION BY n.discussion_id
 +      ORDER BY n.created_at DESC, n.id DESC
 +    ) AS rn
 +  FROM notes n
 +  JOIN discussions d ON d.id = n.discussion_id
 +  WHERE n.discussion_id IN ( ...selected discussion ids... )
 +)
 +SELECT ... FROM ranked_notes WHERE rn <= ?
 +ORDER BY discussion_id, rn;
 +
 +Group by `discussion_id` in Rust and attach notes arrays without per-thread round-trips.
 ```
 5. **Add hard output guardrails and explicit truncation metadata**
 Rationale: `--limit` and `--include-notes` are unbounded today. For robot workflows this can accidentally generate huge payloads. Cap values and surface effective limits plus truncation state in `meta`.
 ```diff
@@ 3a. CLI Args
 -    pub limit: usize,
 +    pub limit: usize, // clamp to max (e.g., 500)
 -    pub include_notes: usize,
 +    pub include_notes: usize, // clamp to max (e.g., 20)
@@ Response Schema
 -  "meta": { "elapsed_ms": 12 }
 +  "meta": {
 +    "elapsed_ms": 12,
 +    "effective_limit": 50,
 +    "effective_include_notes": 2,
 +    "has_more": true
 +  }
 ```
 6. **Strengthen deterministic ordering and null handling**
 Rationale: `first_note_at`, `last_note_at`, and note `position` can be null/incomplete during partial sync states. Add null-safe ordering to avoid unstable output and flaky automation.
 ```diff
@@ 2c. Update queries to SELECT new fields
 -... ORDER BY first_note_at
 +... ORDER BY COALESCE(first_note_at, last_note_at, 0), id
@@ show note query
 -ORDER BY position
 +ORDER BY COALESCE(position, 9223372036854775807), created_at, id
@@ 3c. SQL Query
 -ORDER BY {sort_column} {order}
 +ORDER BY COALESCE({sort_column}, 0) {order}, fd.id {order}
 ```
 7. **Make write-bridging more useful with optional command hints**
 Rationale: Exposing IDs is necessary but not sufficient; agents still need to assemble endpoints repeatedly. Add optional `--with-write-hints` that injects compact endpoint templates (`reply`, `resolve`) derived from row context. This improves usability without bloating default output.
 ```diff
@@ 3a. CLI Args
 +    /// Include machine-actionable glab write hints per row
 +    #[arg(long, help_heading = "Output")]
 +    pub with_write_hints: bool,
@@ Response Schema (notes/discussions/show)
 +    "write_hints?": {
 +      "reply_endpoint": "string",
 +      "resolve_endpoint?": "string"
 +    }
 ```
 8. **Upgrade robot-docs/contract validation from string-contains to parity checks**
 Rationale: `contains("gitlab_discussion_id")` catches very little and allows schema drift. Build field-set parity tests that compare actual serialized JSON keys to robot-docs declared fields for `notes`, `discussions`, and `show` discussion nodes.
 ```diff
@@ 4f. Add robot-docs contract tests
 -assert!(notes_schema.contains("gitlab_discussion_id"));
 +let declared = parse_schema_field_list(notes_schema);
 +let sample = sample_notes_row_json_keys();
 +assert_required_subset(&declared, &["project_path","noteable_type","parent_iid","gitlab_discussion_id","gitlab_note_id"]);
 +assert_schema_matches_payload(&declared, &sample);
@@ 4g. Add CLI-level contract integration tests
 +Add parity tests for:
 +- notes list JSON
 +- discussions list JSON
 +- issues show discussions[*]
 +- mrs show discussions[*]
 ```
 If you want, I can produce a full revised v3 plan text with these edits merged end-to-end so it’s ready to execute directly.
--- a/docs/plan-expose-discussion-ids.feedback-4.md
+++ b/docs/plan-expose-discussion-ids.feedback-4.md
@@ -0,0 +1,207 @@
 Below are the highest-impact revisions I’d make to this plan. I excluded everything listed in your `## Rejected Recommendations` section.
 **1. Fix a correctness bug in the ambiguity guardrail (must run before `LIMIT`)**
 The current post-query ambiguity check can silently fail when `--limit` truncates results to one project even though multiple projects match the same `gitlab_discussion_id`. That creates non-deterministic write targeting risk.
 ```diff
@@ ## Ambiguity Guardrail
 -**Implementation**: After the main query, if `gitlab_discussion_id` is set and no `--project`
 -was provided, check if the result set spans multiple `project_path` values.
 +**Implementation**: Run a preflight distinct-project check when `gitlab_discussion_id` is set
 +and `--project` was not provided, before the main list query applies `LIMIT`.
 +Use:
 +```sql
 +SELECT DISTINCT p.path_with_namespace
 +FROM discussions d
 +JOIN projects p ON p.id = d.project_id
 +WHERE d.gitlab_discussion_id = ?
 +LIMIT 3
 +```
 +If more than one project is found, return `LoreError::Ambiguous` (exit code 18) with project
 +paths and suggestion to retry with `--project <path>`.
 ```
 ---
 **2. Add `gitlab_project_id` to the Bridge Contract**
 `project_path` is human-friendly but mutable (renames/transfers). `gitlab_project_id` gives a stable write target and avoids path re-resolution failures.
 ```diff
@@ ## Bridge Contract (Cross-Cutting)
 Every read payload that surfaces notes or discussions **MUST** include:
 - `project_path`
 +- `gitlab_project_id`
 - `noteable_type`
 - `parent_iid`
 - `gitlab_discussion_id`
 - `gitlab_note_id`
@@
 const BRIDGE_FIELDS_NOTES: &[&str] = &[
 -    "project_path", "noteable_type", "parent_iid",
 +    "project_path", "gitlab_project_id", "noteable_type", "parent_iid",
     "gitlab_discussion_id", "gitlab_note_id",
 ];
 const BRIDGE_FIELDS_DISCUSSIONS: &[&str] = &[
 -    "project_path", "noteable_type", "parent_iid",
 +    "project_path", "gitlab_project_id", "noteable_type", "parent_iid",
     "gitlab_discussion_id",
 ];
 ```
 ---
 **3. Replace stringly-typed filter/sort fields with enums end-to-end**
 Right now `sort`, `order`, `resolution`, `noteable_type` are mostly `String`. This is fragile and risks unsafe SQL interpolation drift over time. Typed enums make invalid states unrepresentable.
 ```diff
@@ ## 3a. CLI Args
 -    pub resolution: Option<String>,
 +    pub resolution: Option<ResolutionFilter>,
@@
 -    pub noteable_type: Option<String>,
 +    pub noteable_type: Option<NoteableTypeFilter>,
@@
 -    pub sort: String,
 +    pub sort: DiscussionSortField,
@@
 -    pub asc: bool,
 +    pub order: SortDirection,
@@ ## 3d. Filters struct
 -    pub resolution: Option<String>,
 -    pub noteable_type: Option<String>,
 -    pub sort: String,
 -    pub order: String,
 +    pub resolution: Option<ResolutionFilter>,
 +    pub noteable_type: Option<NoteableTypeFilter>,
 +    pub sort: DiscussionSortField,
 +    pub order: SortDirection,
@@
 +Map enum -> SQL fragment via `match` in query builder; never interpolate raw strings.
 ```
 ---
 **4. Enforce snapshot consistency for multi-query commands**
 `discussions` with `--include-notes` does multiple reads. Without a single read transaction, concurrent ingest can produce mismatched `total_count`, row set, and expanded notes.
 ```diff
@@ ## 3c. SQL Query
 -pub fn query_discussions(...)
 +pub fn query_discussions(...)
 {
 +    // Run count query + page query + note expansion under one deferred read transaction
 +    // so output is a single consistent snapshot.
 +    let tx = conn.transaction_with_behavior(rusqlite::TransactionBehavior::Deferred)?;
     ...
 +    tx.commit()?;
 }
@@ ## 1. Add `gitlab_discussion_id` to Notes Output
 +Apply the same snapshot rule to `query_notes` when returning `total_count` + paged rows.
 ```
 ---
 **5. Correct first-note rollup semantics (current CTE can return null/incorrect `first_author`)**
 In the proposed SQL, `rn=1` is computed over all notes but then filtered with `is_system=0`, so threads with a leading system note may incorrectly lose `first_author`/snippet. Also path rollup uses non-deterministic `MAX(...)`.
 ```diff
@@ ## 3c. SQL Query
 -ranked_notes AS (
 +ranked_notes AS (
     SELECT
         n.discussion_id,
         n.author_username,
         n.body,
         n.is_system,
         n.position_new_path,
         n.position_new_line,
 -        ROW_NUMBER() OVER (
 -            PARTITION BY n.discussion_id
 -            ORDER BY n.position, n.id
 -        ) AS rn
 +        ROW_NUMBER() OVER (
 +            PARTITION BY n.discussion_id
 +            ORDER BY CASE WHEN n.is_system = 0 THEN 0 ELSE 1 END, n.created_at, n.id
 +        ) AS rn_first_note,
 +        ROW_NUMBER() OVER (
 +            PARTITION BY n.discussion_id
 +            ORDER BY CASE WHEN n.position_new_path IS NULL THEN 1 ELSE 0 END, n.created_at, n.id
 +        ) AS rn_first_position
@@
 -        MAX(CASE WHEN rn = 1 AND is_system = 0 THEN author_username END) AS first_author,
 -        MAX(CASE WHEN rn = 1 AND is_system = 0 THEN body END) AS first_note_body,
 -        MAX(CASE WHEN position_new_path IS NOT NULL THEN position_new_path END) AS position_new_path,
 -        MAX(CASE WHEN position_new_line IS NOT NULL THEN position_new_line END) AS position_new_line
 +        MAX(CASE WHEN rn_first_note = 1 AND is_system = 0 THEN author_username END) AS first_author,
 +        MAX(CASE WHEN rn_first_note = 1 AND is_system = 0 THEN body END) AS first_note_body,
 +        MAX(CASE WHEN rn_first_position = 1 THEN position_new_path END) AS position_new_path,
 +        MAX(CASE WHEN rn_first_position = 1 THEN position_new_line END) AS position_new_line
 ```
 ---
 **6. Add per-discussion truncation signals for `--include-notes`**
 Top-level `has_more` is useful, but agents also need to know if an individual thread’s notes were truncated. Otherwise they can’t tell if a thread is complete.
 ```diff
@@ ## Response Schema
       {
         "gitlab_discussion_id": "...",
         ...
 -        "notes": []
 +        "included_note_count": 0,
 +        "has_more_notes": false,
 +        "notes": []
       }
@@ ## 3b. Domain Structs
 pub struct DiscussionListRowJson {
@@
 +    pub included_note_count: usize,
 +    pub has_more_notes: bool,
     #[serde(skip_serializing_if = "Vec::is_empty")]
     pub notes: Vec<NoteListRowJson>,
 }
@@ ## 3c-ii. Note expansion query (--include-notes)
 -Group by `discussion_id` in Rust and attach notes arrays...
 +Group by `discussion_id` in Rust, attach notes arrays, and set:
 +`included_note_count = notes.len()`,
 +`has_more_notes = note_count > included_note_count`.
 ```
 ---
 **7. Add explicit query-plan gate and targeted index workstream (measured, not speculative)**
 This plan introduces heavy discussion-centric reads. You should bake in deterministic performance validation with `EXPLAIN QUERY PLAN` and only then add indexes if missing.
 ```diff
@@ ## Scope: Four workstreams, delivered in order:
 -4. Fix robot-docs to list actual field names instead of opaque type references
 +4. Add query-plan validation + targeted index updates for new discussion queries
 +5. Fix robot-docs to list actual field names instead of opaque type references
@@
 +## 4. Query-Plan Validation and Targeted Indexes
 +
 +Before and after implementing `query_discussions`, capture `EXPLAIN QUERY PLAN` for:
 +- `--for-mr <iid> --resolution unresolved`
 +- `--project <path> --since 7d --sort last_note`
 +- `--gitlab-discussion-id <id>`
 +
 +If plans show table scans on `notes`/`discussions`, add indexes in `MIGRATIONS` array:
 +- `discussions(project_id, gitlab_discussion_id)`
 +- `discussions(merge_request_id, last_note_at, id)`
 +- `notes(discussion_id, created_at DESC, id DESC)`
 +- `notes(discussion_id, position, id)`
 +
 +Tests: assert the new query paths return expected rows under indexed schema and no regressions.
 ```
 ---
 If you want, I can produce a single consolidated “iteration 4” version of the plan text with all seven revisions merged in place.
--- a/docs/plan-expose-discussion-ids.feedback-4.md.bak
+++ b/docs/plan-expose-discussion-ids.feedback-4.md.bak
@@ -0,0 +1,160 @@
 I reviewed the plan end-to-end and focused only on new improvements (none of the items in `## Rejected Recommendations` are re-proposed).
 1. Add direct `--discussion-id` retrieval paths
 Rationale: This removes a full discovery hop for the exact workflow that failed (replying to a known thread). It also reduces ambiguity and query cost when an agent already has the thread ID.
 ```diff
@@ Core Changes
 | 7 | Fix robot-docs to list actual field names | Docs | Small |
 +| 8 | Add direct `--discussion-id` filter to notes/discussions/show | Core | Small |
@@ Change 3: Add Standalone `discussions` List Command
 lore -J discussions --for-mr 99 --cursor <token>       # keyset pagination
 +lore -J discussions --discussion-id 6a9c1750b37d...    # direct lookup
@@ 3a. CLI Args
 +    #[arg(long, conflicts_with_all = ["for_issue", "for_mr"], help_heading = "Filters")]
 +    pub discussion_id: Option<String>,
@@ Change 1: Add `gitlab_discussion_id` to Notes Output
 +Add `--discussion-id <hex>` filter to `notes` for direct note retrieval within one thread.
 ```
 2. Add a shared filter compiler to eliminate count/query drift
 Rationale: The plan currently repeats filters across data query, `total_count`, and `incomplete_rows` count queries. That is a classic reliability bug source. A single compiled filter object makes count semantics provably consistent.
 ```diff
@@ Count Semantics (Cross-Cutting Convention)
 +## Filter Compiler (NEW, Cross-Cutting Convention)
 +All list commands must build predicates via a shared `CompiledFilters` object that emits:
 +- SQL predicate fragment
 +- bind parameters
 +- canonical filter string (for cursor hash)
 +The same compiled object is reused by:
 +- page data query
 +- `total_count` query
 +- `incomplete_rows` query
 ```
 3. Harden keyset pagination semantics for `DESC`, limits, and client ergonomics
 Rationale: `(sort_value, id) > (?, ?)` is only correct for ascending order. Descending sort needs `<`. Also add explicit `has_more` so clients don’t infer from cursor nullability.
 ```diff
@@ Keyset Pagination (Cross-Cutting, Change B)
 -```sql
 -WHERE (sort_value, id) > (?, ?)
 -```
 +Use comparator by order:
 +- ASC: `(sort_value, id) > (?, ?)`
 +- DESC: `(sort_value, id) < (?, ?)`
@@ 3a. CLI Args
 +    #[arg(short = 'n', long = "limit", default_value = "50", value_parser = clap::value_parser!(usize).range(1..=500), help_heading = "Output")]
 +    pub limit: usize,
@@ Response Schema
 -    "next_cursor": "aW...xyz=="
 +    "next_cursor": "aW...xyz==",
 +    "has_more": true
 ```
 4. Add DB-level entity integrity invariants (not just response invariants)
 Rationale: Response-side filtering is good, but DB correctness should also be guarded. This prevents silent corruption and bad joins from ingestion or future migrations.
 ```diff
@@ Contract Invariants (NEW)
 +### Entity Integrity Invariants (DB + Ingest)
 +1. `discussions` must belong to exactly one parent (`issue_id XOR merge_request_id`).
 +2. `discussions.noteable_type` must match the populated parent column.
 +3. Natural-key uniqueness is enforced where valid:
 +   - `(project_id, gitlab_discussion_id)` unique for discussions.
 +4. Ingestion must reject/quarantine rows violating invariants and report counts.
@@ Supporting Indexes (Cross-Cutting, Change D)
 +CREATE UNIQUE INDEX IF NOT EXISTS idx_discussions_project_gitlab_discussion_id
 +    ON discussions(project_id, gitlab_discussion_id);
 ```
 5. Switch bulk note loading to streaming grouping (avoid large intermediate vecs)
 Rationale: Current bulk strategy still materializes all notes before grouping. Streaming into the map cuts peak memory and improves large-MR stability.
 ```diff
@@ Change 2e. Constructor — use bulk notes map
 -let all_note_rows: Vec<MrNoteDetail> = ...  // From bulk query above
 -let notes_by_discussion: HashMap<i64, Vec<MrNoteDetail>> = 
 -    all_note_rows.into_iter().fold(HashMap::new(), |mut map, note| {
 -        map.entry(note.discussion_id).or_insert_with(Vec::new).push(note);
 -        map
 -    });
 +let mut notes_by_discussion: HashMap<i64, Vec<MrNoteDetail>> = HashMap::new();
 +for row in bulk_note_stmt.query_map(params, map_note_row)? {
 +    let note = row?;
 +    notes_by_discussion.entry(note.discussion_id).or_default().push(note);
 +}
 ```
 6. Make freshness tri-state (`fresh|stale|unknown`) and fail closed on unknown with `--require-fresh`
 Rationale: `stale: bool` alone cannot represent “never synced / unknown project freshness.” For write safety, unknown freshness should be explicit and reject under freshness constraints.
 ```diff
@@ Freshness Metadata & Staleness Guards
 pub struct ResponseMeta {
     pub elapsed_ms: i64,
     pub data_as_of_iso: String,
     pub sync_lag_seconds: i64,
     pub stale: bool,
 +    pub freshness_state: String, // "fresh" | "stale" | "unknown"
 +    #[serde(skip_serializing_if = "Option::is_none")]
 +    pub freshness_reason: Option<String>,
     pub incomplete_rows: i64,
@@
 -if sync_lag_seconds > max_age_secs {
 +if freshness_state == "unknown" || sync_lag_seconds > max_age_secs {
 ```
 7. Tune indexes to match actual ORDER BY paths in window queries
 Rationale: `idx_notes_discussion_position` is likely insufficient for the two window orderings. A covering-style index aligned with partition/order keys reduces random table lookups.
 ```diff
@@ Supporting Indexes (Cross-Cutting, Change D)
 --- Notes: window function ORDER BY (discussion_id, position) for ROW_NUMBER()
 -CREATE INDEX IF NOT EXISTS idx_notes_discussion_position
 -    ON notes(discussion_id, position);
 +-- Notes: support dual ROW_NUMBER() orderings and reduce table lookups
 +CREATE INDEX IF NOT EXISTS idx_notes_discussion_window
 +    ON notes(discussion_id, is_system, position, created_at, gitlab_id);
 ```
 8. Add a phased rollout gate before strict exclusion becomes default
 Rationale: Enforcing `gitlab_* IS NOT NULL` immediately can hide data if existing rows are incomplete. A short observation gate prevents sudden regressions while preserving the end-state contract.
 ```diff
@@ Delivery Order
 +Batch 0: Observability gate (NEW)
 +- Ship `incomplete_rows` and freshness meta first
 +- Measure incomplete rate across real datasets
 +- If incomplete ratio <= threshold, enable strict exclusion defaults
 +- If above threshold, block rollout and fix ingestion quality first
 +
 Change 1 (notes output)       ──┐
 ```
 9. Add property-based invariants for pagination/count correctness
 Rationale: Your current tests are scenario-based and good, but randomized property tests are much better at catching edge-case cursor/count bugs.
 ```diff
@@ Tests (Change 3 / Change B)
 +**Test 12**: Property-based pagination invariants (`proptest`)
 +```rust
 +#[test]
 +fn prop_discussion_cursor_no_overlap_no_gap_under_random_data() { /* ... */ }
 +```
 +
 +**Test 13**: Property-based count invariants
 +```rust
 +#[test]
 +fn prop_total_count_and_incomplete_rows_match_filter_partition() { /* ... */ }
 +```
 ```
 If you want, I can now produce a fully consolidated “Plan v4” that applies these diffs cleanly into your original document so it reads as a single coherent spec.
--- a/docs/plan-expose-discussion-ids.feedback-5.md
+++ b/docs/plan-expose-discussion-ids.feedback-5.md
@@ -0,0 +1,140 @@
 Your iteration 4 plan is already strong. The highest-impact revisions are around query shape, transaction boundaries, and contract stability for agents.
 1. **Switch discussions query to a two-phase page-first architecture**
 Analysis: Current `ranked_notes` runs over every filtered discussion before `LIMIT`, which can explode on project-wide queries. A page-first plan keeps complexity proportional to `limit`, improves tail latency, and reduces memory churn.
 ```diff
@@ ## 3c. SQL Query
 -Core query uses a CTE + ranked-notes rollup (window function) to avoid per-row correlated
 -subqueries.
 +Core query is split into two phases for scalability:
 +1) `paged_discussions` applies filters/sort/LIMIT and returns only page IDs.
 +2) Note rollups and optional `--include-notes` expansion run only for those page IDs.
 +This bounds note scanning to visible results and stabilizes latency on large projects.
 -WITH filtered_discussions AS (
 +WITH filtered_discussions AS (
   ...
 ),
 -ranked_notes AS (
 +paged_discussions AS (
 +    SELECT id
 +    FROM filtered_discussions
 +    ORDER BY COALESCE({sort_column}, 0) {order}, id {order}
 +    LIMIT ?
 +),
 +ranked_notes AS (
   ...
 -    WHERE n.discussion_id IN (SELECT id FROM filtered_discussions)
 +    WHERE n.discussion_id IN (SELECT id FROM paged_discussions)
 )
 ```
 2. **Move snapshot transaction ownership to handlers (not query helpers)**
 Analysis: This avoids nested transaction edge cases, keeps function signatures clean, and guarantees one snapshot across count + page + include-notes + serialization metadata.
 ```diff
@@ ## Cross-cutting: snapshot consistency
 -Wrap `query_notes` and `query_discussions` in a deferred read transaction.
 +Open one deferred read transaction in each handler (`handle_notes`, `handle_discussions`)
 +and pass `&Transaction` into query helpers. Query helpers do not open/commit transactions.
 +This guarantees a single snapshot across all subqueries and avoids nested tx pitfalls.
 -pub fn query_discussions(conn: &Connection, ...)
 +pub fn query_discussions(tx: &rusqlite::Transaction<'_>, ...)
 ```
 3. **Add immutable input filter `--project-id` across notes/discussions/show**
 Analysis: You already expose `gitlab_project_id` because paths are mutable; input should support the same immutable selector. This removes failure modes after project renames/transfers.
 ```diff
@@ ## 3a. CLI Args
 +    /// Filter by immutable GitLab project ID
 +    #[arg(long, help_heading = "Filters", conflicts_with = "project")]
 +    pub project_id: Option<i64>,
@@ ## Bridge Contract
 +Input symmetry rule: commands that accept `--project` should also accept `--project-id`.
 +If both are present, return usage error (exit code 2).
 ```
 4. **Enforce bridge fields for nested notes in `discussions --include-notes`**
 Analysis: Current guardrail is entity-level; nested notes can still lose required IDs under aggressive filtering. This is a contract hole for write-bridging.
 ```diff
@@ ### Field Filtering Guardrail
 -In robot mode, `filter_fields` MUST force-include Bridge Contract fields...
 +In robot mode, `filter_fields` MUST force-include Bridge Contract fields at all returned levels:
 +- discussion row fields
 +- nested note fields when `discussions --include-notes` is used
 +const BRIDGE_FIELDS_DISCUSSION_NOTES: &[&str] = &[
 +    "project_path", "gitlab_project_id", "noteable_type", "parent_iid",
 +    "gitlab_discussion_id", "gitlab_note_id",
 +];
 ```
 5. **Make ambiguity preflight scope-aware and machine-actionable**
 Analysis: Current preflight checks only `gitlab_discussion_id`, which can produce false ambiguity when additional filters already narrow to one project. Also, agents need structured candidates, not only free-text.
 ```diff
@@ ### Ambiguity Guardrail
 -SELECT DISTINCT p.path_with_namespace
 +SELECT DISTINCT p.path_with_namespace, p.gitlab_project_id
 FROM discussions d
 JOIN projects p ON p.id = d.project_id
 -WHERE d.gitlab_discussion_id = ?
 +WHERE d.gitlab_discussion_id = ?
 +  /* plus active scope filters: noteable_type, for_issue/for_mr, since/path when present */
 LIMIT 3
 -Return LoreError::Ambiguous with message
 +Return LoreError::Ambiguous with structured details:
 +`{ code, message, candidates:[{project_path, gitlab_project_id}], suggestion }`
 ```
 6. **Add `--contains` filter to `discussions`**
 Analysis: This is a high-utility agent workflow gap. Agents frequently need “find thread by text then reply”; forcing a separate `notes` search round-trip is unnecessary.
 ```diff
@@ ## 3a. CLI Args
 +    /// Filter discussions whose notes contain text
 +    #[arg(long, help_heading = "Filters")]
 +    pub contains: Option<String>,
@@ ## 3d. Filters struct
 +    pub contains: Option<String>,
@@ ## 3d. Where-clause construction
 +- `path` -> EXISTS (...)
 +- `path` -> EXISTS (...)
 +- `contains` -> EXISTS (
 +    SELECT 1 FROM notes n
 +    WHERE n.discussion_id = d.id
 +      AND n.body LIKE ?
 +  )
 ```
 7. **Promote two baseline indexes from “candidate” to “required”**
 Analysis: These are directly hit by new primary paths; waiting for post-merge profiling risks immediate perf cliffs in real usage.
 ```diff
@@ ## 3h. Query-plan validation
 -Candidate indexes (add only if EXPLAIN QUERY PLAN shows they're needed):
 -- discussions(project_id, gitlab_discussion_id)
 -- notes(discussion_id, created_at DESC, id DESC)
 +Required baseline indexes for this feature:
 +- discussions(project_id, gitlab_discussion_id)
 +- notes(discussion_id, created_at DESC, id DESC)
 +Keep other indexes conditional on EXPLAIN QUERY PLAN.
 ```
 8. **Add schema versioning and remove contradictory rejected items**
 Analysis: `robot-docs` contract drift is a long-term agent risk; explicit schema versions let clients fail safely. Also, rejected items currently contradict active sections, which creates implementation ambiguity.
 ```diff
@@ ## 4. Fix Robot-Docs Response Schemas
 "meta": {"elapsed_ms": "int", ...}
 +"meta": {"elapsed_ms":"int", ..., "schema_version":"string"}
 +
 +Schema version policy:
 +- bump minor on additive fields
 +- bump major on removals/renames
 +- expose per-command versions in `robot-docs`
@@ ## Rejected Recommendations
 -- Add `gitlab_note_id` to show-command note detail structs ... rejected ...
 -- Add `gitlab_discussion_id` to show-command discussion detail structs ... rejected ...
 -- Add `gitlab_project_id` to show-command discussion detail structs ... rejected ...
 +Remove stale rejected entries that conflict with accepted workstreams in this plan iteration.
 ```
 If you want, I can produce a fully rewritten iteration 5 plan document that applies all of the above edits cleanly end-to-end.
--- a/docs/plan-expose-discussion-ids.feedback-5.md.bak
+++ b/docs/plan-expose-discussion-ids.feedback-5.md.bak
@@ -0,0 +1,158 @@
 I reviewed the whole plan and only proposed changes that are not in your `## Rejected Recommendations`.
 1. **Fix plan-internal inconsistencies first**
 Analysis: The plan currently has a few self-contradictions (`8` vs `9` cross-cutting improvements, `stale` still referenced after moving to tri-state freshness). Cleaning this prevents implementation drift and bad AC validation.
 ```diff
 --- a/plan.md
 +++ b/plan.md
@@
 -**Scope**: 8 core changes + 8 cross-cutting architectural improvements across 3 tiers:
 +**Scope**: 8 core changes + 9 cross-cutting architectural improvements across 3 tiers:
@@ AC-7: Freshness Metadata Present & Staleness Guards Work
 -lore -J notes -n 1 | jq '.meta | {data_as_of_iso, sync_lag_seconds, stale}'
 -# All fields present, stale=false if recently synced
 +lore -J notes -n 1 | jq '.meta | {data_as_of_iso, sync_lag_seconds, freshness_state}'
 +# All fields present, freshness_state is one of fresh|stale|unknown
@@ Change 6 Response Schema example
 -    "stale": false,
 +    "freshness_state": "fresh",
 ```
 2. **Require snapshot-consistent list responses (page + counts)**
 Analysis: `total_count`, `incomplete_rows`, and page rows can drift if sync writes between queries. Enforcing a single read snapshot for all list commands makes pagination and counts deterministic.
 ```diff
 --- a/plan.md
 +++ b/plan.md
@@ Count Semantics (Cross-Cutting Convention)
 All list commands use consistent count fields:
 +All three queries (`page`, `total_count`, `incomplete_rows`) MUST execute inside one read transaction/snapshot.
 +This guarantees count/page consistency under concurrent sync writes.
 ```
 3. **Use RAII transactions instead of manual `BEGIN/COMMIT`**
 Analysis: Manual `execute_batch("BEGIN...")` is fragile on early returns. `rusqlite::Transaction` guarantees rollback on error and removes transaction-leak risk.
 ```diff
 --- a/plan.md
 +++ b/plan.md
@@ Change 2: Consistency guarantee
 -conn.execute_batch("BEGIN DEFERRED")?;
 -// ... discussion query ...
 -// ... bulk note query ...
 -conn.execute_batch("COMMIT")?;
 +let tx = conn.transaction_with_behavior(rusqlite::TransactionBehavior::Deferred)?;
 +// ... discussion query ...
 +// ... bulk note query ...
 +tx.commit()?;
 ```
 4. **Allow small focused new modules for query infrastructure**
 Analysis: Keeping everything in `list.rs`/`show.rs` will become a maintenance hotspot as filters/cursors/freshness expand. A small module split reduces coupling and regression risk.
 ```diff
 --- a/plan.md
 +++ b/plan.md
@@ Change 3: File Architecture
 -**No new files.** Follow existing patterns:
 +Allow focused infra modules for shared logic:
 +- `src/cli/query/filters.rs` (CompiledFilters + builders)
 +- `src/cli/query/cursor.rs` (encode/decode/validate v2 cursors)
 +- `src/cli/query/freshness.rs` (freshness computation + guards)
 +Command handlers remain in existing files.
 ```
 5. **Add ingest-time `discussion_rollups` to avoid repeated heavy window scans**
 Analysis: Window functions are good, but doing them on every read over large note volumes is still expensive. Precomputing rollups during ingest gives lower and more predictable p95 latency while keeping read paths simpler.
 ```diff
 --- a/plan.md
 +++ b/plan.md
@@ Architectural Improvements (Cross-Cutting)
 +| J | Ingest-time discussion rollups (`discussion_rollups`) | Performance | Medium |
@@ Change 3 SQL strategy
 -Use `ROW_NUMBER()` window function instead of correlated subqueries...
 +Primary path: join precomputed `discussion_rollups` for `note_count`, `first_author`,
 +`first_note_body`, `position_new_path`, `position_new_line`.
 +Fallback path: window-function recompute if rollup row is missing (defensive correctness).
 ```
 6. **Add deterministic numeric project selector `--project-id`**
 Analysis: `-p group/repo` is human-friendly, but numeric project IDs are safer for robots and avoid fuzzy/project-path ambiguity. This reduces false ambiguity failures and lookup overhead.
 ```diff
 --- a/plan.md
 +++ b/plan.md
@@ DiscussionsArgs
     #[arg(short = 'p', long, help_heading = "Filters")]
     pub project: Option<String>,
 +    #[arg(long, conflicts_with = "project", help_heading = "Filters")]
 +    pub project_id: Option<i64>,
@@ Ambiguity handling
 +If `--project-id` is provided, IID resolution is scoped directly to that project.
 +`--project-id` takes precedence over path-based project matching.
 ```
 7. **Make path filtering rename-aware (`old` + `new`)**
 Analysis: Current `--path` strategy only using `position_new_path` misses deleted/renamed-file discussions. Supporting side selection makes the feature materially more useful for review workflows.
 ```diff
 --- a/plan.md
 +++ b/plan.md
@@ DiscussionsArgs
     #[arg(long, help_heading = "Filters")]
     pub path: Option<String>,
 +    #[arg(long, value_parser = ["either", "new", "old"], default_value = "either", help_heading = "Filters")]
 +    pub path_side: String,
@@ Change 3 filtering
 -Path filter matches `position_new_path`.
 +Path filter semantics:
 +- `either` (default): match `position_new_path` OR `position_old_path`
 +- `new`: match only `position_new_path`
 +- `old`: match only `position_old_path`
 ```
 8. **Add explicit freshness behavior for empty-result queries + bootstrap backfill**
 Analysis: Freshness based only on “participating rows” is undefined when results are empty. Define deterministic behavior and backfill `project_sync_state` on migration so `unknown` doesn’t spike unexpectedly after deploy.
 ```diff
 --- a/plan.md
 +++ b/plan.md
@@ Freshness state logic
 +Empty-result rules:
 +- If query is project-scoped (`-p` or `--project-id`), freshness is computed from that project even when no rows match.
 +- If query is unscoped and returns zero rows, freshness is computed from all tracked projects.
@@ A1. Track per-project sync timestamp
 +Migration step: seed `project_sync_state` from latest known sync metadata where available
 +to avoid mass `unknown` freshness immediately after rollout.
 ```
 9. **Upgrade `--discussion-id` from filter-only to first-class thread retrieval**
 Analysis: Filtering list output by discussion ID still returns list-shaped data and partial note context. A direct thread retrieval mode is faster for agent workflows and avoids extra commands.
 ```diff
 --- a/plan.md
 +++ b/plan.md
@@ Core Changes
 -| 8 | Add direct `--discussion-id` filter to notes/discussions/show | Core | Small |
 +| 8 | Add direct `--discussion-id` filter + single-thread retrieval mode | Core | Medium |
@@ Change 8
 +lore -J discussions --discussion-id <id> --full-thread
 +# Returns one discussion with full notes payload (same note schema as show command).
 ```
 10. **Replace ad-hoc AC performance timing with repeatable perf harness**
 Analysis: `time lore ...` is noisy and machine-dependent. A reproducible seeded benchmark test gives stable guardrails and catches regressions earlier.
 ```diff
 --- a/plan.md
 +++ b/plan.md
@@ AC-10: Performance Budget
 -time lore -J discussions --for-mr <iid> -n 100
 -# real  0m0.100s (p95 < 150ms)
 +cargo test --test perf_discussions -- --ignored --nocapture
 +# Uses seeded fixture DB and N repeated runs; asserts p95 < 150ms for target query shape.
 ```
 If you want, I can also produce a fully merged “iteration 5” rewritten plan document with these edits applied end-to-end so it’s directly executable by an implementation agent.
--- a/docs/plan-expose-discussion-ids.feedback-6.md.bak
+++ b/docs/plan-expose-discussion-ids.feedback-6.md.bak
@@ -0,0 +1,143 @@
 Strong plan overall. The biggest gaps I’d fix are around sync-health correctness, idempotency/integrity under repeated ingests, deleted-entity lifecycle, and reducing schema drift risk without heavy reflection machinery.
 I avoided everything in your `## Rejected Recommendations` section.
 **1. Add Sync Health Semantics (not just age)**
 Time freshness alone can mislead after partial/failed syncs. Agents need to know whether data is both recent and complete.
 ```diff
@@ ## Freshness Metadata & Staleness Guards (Cross-Cutting, Change A/F/G)
 -    pub freshness_state: String,      // "fresh" | "stale" | "unknown"
 +    pub freshness_state: String,      // "fresh" | "stale" | "unknown"
 +    pub sync_status: String,          // "ok" | "partial" | "failed" | "never"
 +    pub last_successful_sync_run_id: Option<i64>,
 +    pub last_attempted_sync_run_id: Option<i64>,
@@
 -#[arg(long, help_heading = "Freshness")]
 -pub require_fresh: Option<String>,
 +#[arg(long, help_heading = "Freshness")]
 +pub require_fresh: Option<String>,
 +#[arg(long, help_heading = "Freshness")]
 +pub require_sync_ok: bool,
 ```
 Rationale: this prevents false confidence when one project is fresh-by-time but latest sync actually failed or was partial.
 ---
 **2. Add `--require-complete` Guard for Missing Required IDs**
 You already expose `meta.incomplete_rows`; add a hard gate for automation.
 ```diff
@@ ## Count Semantics (Cross-Cutting Convention)
 `incomplete_rows` is computed via a dedicated COUNT query...
 +Add CLI guard:
 +`--require-complete` fails with exit code 19 when `meta.incomplete_rows > 0`.
 +Suggested action: `lore sync --full`.
 ```
 Rationale: agents can fail fast instead of silently acting on partial datasets.
 ---
 **3. Strengthen Ingestion Idempotency + Referential Integrity for Notes**
 You added natural-key uniqueness for discussions; do the same for notes and enforce parent integrity at DB level.
 ```diff
@@ ## Supporting Indexes (Cross-Cutting, Change D)
 CREATE UNIQUE INDEX IF NOT EXISTS idx_discussions_project_gitlab_discussion_id
     ON discussions(project_id, gitlab_discussion_id);
 +CREATE UNIQUE INDEX IF NOT EXISTS idx_notes_project_gitlab_id
 +    ON notes(project_id, gitlab_id);
 +
 +-- Referential integrity
 +-- notes.discussion_id REFERENCES discussions(id)
 +-- notes.project_id REFERENCES projects(id)
 ```
 Rationale: repeated syncs and retries won’t duplicate notes, and orphaned rows can’t accumulate.
 ---
 **4. Add Deleted/Tombstoned Entity Lifecycle**
 Current plan excludes null IDs but doesn’t define behavior when GitLab entities are deleted after sync.
 ```diff
@@ ## Contract Invariants (NEW)
 +### Deletion Lifecycle Invariant
 +1. Notes/discussions deleted upstream are tombstoned locally (`deleted_at`), not hard-deleted.
 +2. All list/show commands exclude tombstoned rows by default.
 +3. Optional flag `--include-deleted` exposes tombstoned rows for audit/debug.
 ```
 Rationale: preserves auditability, prevents ghost actions on deleted objects, and avoids destructive resync behavior.
 ---
 **5. Expand Discussions Payload for Rename Accuracy + Better Triage**
 `--path-side old` is great, but output currently only returns `position_new_*`.
 ```diff
@@ ## Change 3: Add Standalone `discussions` List Command
     pub position_new_path: Option<String>,
     pub position_new_line: Option<i64>,
 +    pub position_old_path: Option<String>,
 +    pub position_old_line: Option<i64>,
 +    pub last_author: Option<String>,
 +    pub participant_usernames: Vec<String>,
 ```
 Rationale: for renamed/deleted files, agents need old and new coordinates to act confidently; participants/last_author improve thread routing and prioritization.
 ---
 **6. Add SQLite Busy Handling + Retry Policy**
 Read transactions + concurrent sync writes can still produce `SQLITE_BUSY` under load.
 ```diff
@@ ## Count Semantics (Cross-Cutting Convention)
 **Snapshot consistency**: All three queries ... inside a single read transaction ...
 +**Busy handling**: set `PRAGMA busy_timeout` (e.g. 5000ms) and retry transient
 +`SQLITE_BUSY` errors up to 3 times with jittered backoff for read commands.
 ```
 Rationale: improves reliability in real multi-agent usage without changing semantics.
 ---
 **7. Make Field Definitions Single-Source (Lightweight Drift Prevention)**
 You rejected full schema generation from code; a lower-cost middle ground is shared field manifests used by both docs and `--fields` validation.
 ```diff
@@ ## Change 7: Fix Robot-Docs Response Schemas
 +#### 7h. Single-source field manifests (no reflection)
 +Define per-command field constants (e.g. `NOTES_FIELDS`, `DISCUSSIONS_FIELDS`)
 +used by:
 +1) `--fields` validation/filtering
 +2) `--fields minimal` expansion
 +3) `robot-docs` schema rendering
 ```
 Rationale: cuts drift risk materially while staying much simpler than reflection/snapshot infra.
 ---
 **8. De-duplicate and Upgrade Test Strategy Around Concurrency**
 There are duplicated tests across Change 2 and Change 3; add explicit race tests where sync writes happen between list subqueries to prove tx consistency.
 ```diff
@@ ## Tests
 -**Test 6**: `--project-id` scopes IID resolution directly
 -**Test 7**: `--path-side old` matches renamed file discussions
 -**Test 8**: `--path-side either` matches both old and new paths
 +Move shared discussion-filter tests to a single section under Change 3.
 +Add concurrency tests:
 +1) count/page/incomplete consistency under concurrent sync writes
 +2) show discussion+notes snapshot consistency under concurrent writes
 ```
 Rationale: less maintenance noise, better coverage of your highest-risk correctness path.
 ---
 If you want, I can also produce a single consolidated patch block that rewrites your plan text end-to-end with these edits applied in-place.
--- a/docs/plan-expose-discussion-ids.md
+++ b/docs/plan-expose-discussion-ids.md
--- a/docs/plan-surgical-sync.feedback-3.md
+++ b/docs/plan-surgical-sync.feedback-3.md
@@ -0,0 +1,169 @@
 Below are the strongest **new** revisions I’d make (excluding everything in your rejected list), with rationale and plan-level diffs.
 ### 1. Add a durable run ledger (`sync_runs`) with phase state
 This makes surgical sync crash-resumable, auditable, and safer under Ctrl+C. Right now `run_id` is mostly ephemeral; persisting phase state removes ambiguity about what completed.
 ```diff
@@ Design Constraints
 +9. **Durable run state**: Surgical sync MUST persist a `sync_runs` row keyed by `run_id`
 +   with phase transitions (`preflight`, `ingest`, `dependents`, `docs`, `embed`, `done`, `failed`).
 +   This is required for crash recovery, observability, and deterministic retries.
@@ Step 9: Create `run_sync_surgical`
 +Before Stage 0, insert `sync_runs(run_id, project_id, mode='surgical', requested_counts, started_at)`.
 +After each stage, update `sync_runs.phase`, counters, and `last_error` if present.
 +On success/failure, set terminal state (`done`/`failed`) and `finished_at`.
 ```
 ### 2. Add `--preflight-only` (network validation without writes)
 `--dry-run` is intentionally zero-network, so it cannot validate IIDs. `--preflight-only` is high-value for agents: verifies existence/permissions quickly with no DB mutation.
 ```diff
@@ CLI Interface
 lore sync --dry-run --issue 123 -p myproject
 +lore sync --preflight-only --issue 123 -p myproject
@@ Step 2: Add `--issue`, `--mr`, `-p` to `SyncArgs`
 +    /// Validate remote entities and auth without any DB writes
 +    #[arg(long, default_value_t = false)]
 +    pub preflight_only: bool,
@@ Step 10: Add branch in `run_sync`
 +if options.preflight_only && options.is_surgical() {
 +    return run_sync_surgical_preflight_only(config, &options, run_id, signal).await;
 +}
 ```
 ### 3. Preflight should aggregate all missing/failed IIDs, not fail-fast
 Fail-fast causes repeated reruns. Aggregating errors gives one-shot correction and better robot automation.
 ```diff
@@ Step 7: Create `src/ingestion/surgical.rs`
 -/// Returns the fetched payloads. If ANY fetch fails, the entire operation should abort.
 +/// Returns fetched payloads plus per-IID failures; caller aborts writes if failures exist.
 pub async fn preflight_fetch(...) -> Result<PreflightResult> {
@@
 #[derive(Debug, Default)]
 pub struct PreflightResult {
     pub issues: Vec<GitLabIssue>,
     pub merge_requests: Vec<GitLabMergeRequest>,
 +    pub failures: Vec<EntityFailure>, // stage="fetch"
 }
@@ Step 9: Create `run_sync_surgical`
 -let preflight = preflight_fetch(...).await?;
 +let preflight = preflight_fetch(...).await?;
 +if !preflight.failures.is_empty() {
 +    result.entity_failures = preflight.failures;
 +    return Err(LoreError::Other("Surgical preflight failed for one or more IIDs".into()).into());
 +}
 ```
 ### 4. Stop filtering scoped queue drains with raw `json_extract` scans
 `json_extract(payload_json, '$.scope_run_id')` in hot drain queries will degrade as queue grows. Use indexed scope metadata.
 ```diff
@@ Step 9b: Implement scoped drain helpers
 -// claim query adds:
 -// AND json_extract(payload_json, '$.scope_run_id') = ?
 +// Add migration:
 +// 1) Add `scope_run_id` generated/stored column derived from payload_json (or explicit column)
 +// 2) Create index on (project_id, job_type, scope_run_id, status, id)
 +// Scoped drains filter by indexed `scope_run_id`, not full-table JSON extraction.
 ```
 ### 5. Replace `dirty_source_ids` collection-by-query with explicit run scoping
 Current approach can accidentally include prior dirty rows for same source and can duplicate work. Tag dirty rows with `origin_run_id` and consume by run.
 ```diff
@@ Design Constraints
 -2. **Dirty queue scoping**: ... MUST call ... `run_generate_docs_for_dirty_ids`
 +2. **Dirty queue scoping**: Surgical sync MUST scope docs by `origin_run_id` on `dirty_sources`
 +   (or equivalent exact run marker) and MUST NOT drain unrelated dirty rows.
@@ Step 7: `SurgicalIngestResult`
 -    pub dirty_source_ids: Vec<i64>,
 +    pub origin_run_id: String,
@@ Step 9a: Implement `run_generate_docs_for_dirty_ids`
 -pub fn run_generate_docs_for_dirty_ids(config: &Config, dirty_source_ids: &[i64]) -> Result<...>
 +pub fn run_generate_docs_for_run_id(config: &Config, run_id: &str) -> Result<...>
 ```
 ### 6. Enforce transaction safety at the type boundary
 `unchecked_transaction()` + `&Connection` signatures is fragile. Accept `&Transaction` for ingest internals and use `TransactionBehavior::Immediate` for deterministic lock behavior.
 ```diff
@@ Step 7: Create `src/ingestion/surgical.rs`
 -pub fn ingest_issue_by_iid_from_payload(conn: &Connection, ...)
 +pub fn ingest_issue_by_iid_from_payload(tx: &rusqlite::Transaction<'_>, ...)
 -pub fn ingest_mr_by_iid_from_payload(conn: &Connection, ...)
 +pub fn ingest_mr_by_iid_from_payload(tx: &rusqlite::Transaction<'_>, ...)
 -let tx = conn.unchecked_transaction()?;
 +let tx = conn.transaction_with_behavior(rusqlite::TransactionBehavior::Immediate)?;
 ```
 ### 7. Acquire sync lock only for mutation phases, not remote preflight
 This materially reduces lock contention and keeps normal sync throughput higher, while still guaranteeing mutation serialization.
 ```diff
@@ Design Constraints
 +10. **Lock window minimization**: Preflight fetch runs without sync lock; lock is acquired immediately
 +    before first DB mutation and held through all mutation stages.
@@ Step 9: Create `run_sync_surgical`
 -// ── Acquire sync lock ──
 -...
 -// ── Stage 0: Preflight fetch ──
 +// ── Stage 0: Preflight fetch (no lock, no writes) ──
 ...
 +// ── Acquire sync lock just before Stage 1 mutation ──
 ```
 ### 8. Add explicit transient retry policy beyond 429
 Client already handles rate limits; surgical reliability improves a lot if 5xx/timeouts are retried with bounded backoff.
 ```diff
@@ Design Constraints
 +11. **Transient retry policy**: Preflight and dependent remote fetches MUST retry boundedly on
 +    timeout/5xx with jittered backoff; permanent errors (404/401/403) fail immediately.
@@ Step 5: Add `get_issue_by_iid` / `get_mr_by_iid`
 +Document retry behavior for transient transport/server failures.
 ```
 ### 9. Tighten automated tests around scoping invariants
 You already list manual checks; these should be enforced in unit/integration tests to prevent regressions.
 ```diff
@@ Step 1: TDD — Write Failing Tests First
 +### 1d. New invariants tests
 +- `surgical_docs_scope_ignores_preexisting_dirty_rows`
 +- `scoped_queue_drain_ignores_orphaned_jobs`
 +- `preflight_aggregates_multiple_missing_iids`
 +- `preflight_only_performs_zero_writes`
 +- `dry_run_performs_zero_network_calls`
 +- `lock_window_does_not_block_during_preflight`
@@ Acceptance Criteria
 +32. Scoped queue/docs invariants are covered by automated tests (not manual-only verification).
 ```
 ### 10. Make robot-mode surgical output first-class
 For agent workflows, include full stage telemetry and actionable recovery commands.
 ```diff
@@ Step 15: Update `SyncResult` for robot mode structured output
 +    /// Per-stage elapsed ms for deterministic performance tracking
 +    pub stage_timings_ms: std::collections::BTreeMap<String, u64>,
 +    /// Suggested recovery commands (robot ergonomics)
 +    pub recovery_actions: Vec<String>,
@@ Step 14: Update `robot-docs` manifest
 +Document surgical-specific error codes and `actions` schema for automated recovery.
 ```
 If you want, I can now produce a fully rewritten **iteration 3** plan that merges these into your current structure end-to-end.
--- a/docs/plan-surgical-sync.feedback-4.md
+++ b/docs/plan-surgical-sync.feedback-4.md
@@ -0,0 +1,212 @@
 1. **Resolve the current contract contradictions (`preflight-only`, `dry-run`, `sync_runs`)**
 Why this improves the plan:
 - Right now constraints conflict: “zero DB writes before commit” vs inserting `sync_runs` during preflight.
 - This ambiguity will cause implementation drift and flaky acceptance tests.
 - Splitting control-plane writes from content-plane writes keeps safety guarantees strict while preserving observability.
 ```diff
@@ ## Design Constraints
 -6. **Preflight-then-commit**: All remote fetches happen BEFORE any DB writes. If any IID fetch fails (404, network error), the entire operation aborts with zero DB mutations.
 +6. **Preflight-then-commit (content-plane)**: All remote fetches happen BEFORE any writes to content tables (`issues`, `merge_requests`, `discussions`, `resource_events`, `documents`, `embeddings`).
 +7. **Control-plane exception**: `sync_runs` / `sync_run_entities` writes are allowed during preflight for observability and crash diagnostics.
@@
 -11. **Preflight-only mode**: `--preflight-only` validates remote entity existence and permissions with zero DB writes.
 +11. **Preflight-only mode**: `--preflight-only` performs zero content writes; control-plane run-ledger writes are allowed.
@@ ### For me to evaluate (functional):
 -24. **Preflight-only mode** ... no DB mutations beyond the sync_runs ledger entry
 +24. **Preflight-only mode** ... no content DB mutations; only run-ledger rows may be written
 ```
 ---
 2. **Add stale-write protection to avoid TOCTOU regressions during unlocked preflight**
 Why this improves the plan:
 - You intentionally preflight without lock; that’s good for throughput but introduces race risk.
 - Without a guard, a slower surgical run can overwrite newer data ingested by a concurrent normal sync.
 - This is a correctness bug under contention, not a nice-to-have.
 ```diff
@@ ## Design Constraints
 +12. **Stale-write protection**: Surgical ingest MUST NOT overwrite fresher local rows. If local `updated_at` is newer than the preflight payload’s `updated_at`, skip that entity and record `skipped_stale`.
@@ ## Step 7: Create `src/ingestion/surgical.rs`
 -    let labels_created = process_single_issue(conn, config, project_id, issue)?;
 +    // Skip stale payloads to avoid TOCTOU overwrite after unlocked preflight.
 +    if is_local_newer_issue(conn, project_id, issue.iid, issue.updated_at)? {
 +        result.skipped_stale += 1;
 +        return Ok(result);
 +    }
 +    let labels_created = process_single_issue(conn, config, project_id, issue)?;
@@
 +// same guard for MR path
@@ ## Step 15: Update `SyncResult`
 +    /// Entities skipped because local row was newer than preflight payload
 +    pub skipped_stale: usize,
@@ ### Edge cases to verify:
 +38. **TOCTOU safety**: if a normal sync updates entity after preflight but before ingest, surgical run skips stale payload (no overwrite)
 ```
 ---
 3. **Make dirty-source scoping exact (do not capture pre-existing rows for same entity)**
 Why this improves the plan:
 - Current “query dirty rows by `source_id` after ingest” can accidentally include older dirty rows for the same entity.
 - That silently violates strict run scoping and can delete unrelated backlog rows.
 - You can fix this without adding `origin_run_id` to `dirty_sources` (which you already rejected).
 ```diff
@@ ## Step 7: Create `src/ingestion/surgical.rs`
 -    // Collect dirty_source rows for this entity
 -    let mut stmt = conn.prepare(
 -        "SELECT id FROM dirty_sources WHERE source_type = 'issue' AND source_id = ?1"
 -    )?;
 +    // Capture only rows inserted by THIS call using high-water mark.
 +    let before_dirty_id: i64 = conn.query_row(
 +        "SELECT COALESCE(MAX(id), 0) FROM dirty_sources",
 +        [], |r| r.get(0),
 +    )?;
 +    // ... call process_single_issue ...
 +    let mut stmt = conn.prepare(
 +        "SELECT id FROM dirty_sources
 +         WHERE id > ?1 AND source_type = 'issue' AND source_id = ?2"
 +    )?;
@@
 +    // same pattern for MR
@@ ### 1d. Scoping invariant tests
 +#[test]
 +fn surgical_docs_scope_ignores_preexisting_dirty_rows_for_same_entity() {
 +    // pre-insert dirty row for iid=7, then surgical ingest iid=7
 +    // assert result.dirty_source_ids only contains newly inserted rows
 +}
 ```
 ---
 4. **Fix embed-stage leakage when `--no-docs` is used in surgical mode**
 Why this improves the plan:
 - Current design can run global embed even when docs stage is skipped, which may embed unrelated backlog docs.
 - That breaks the surgical “scope only this run” promise.
 - This is both correctness and operator-trust critical.
 ```diff
@@ ## Step 9: Create `run_sync_surgical`
 -        if !options.no_embed {
 +        // Surgical embed only runs when surgical docs actually regenerated docs in this run.
 +        if !options.no_embed && !options.no_docs && result.documents_regenerated > 0 {
@@ ## Step 4: Wire new fields in `handle_sync_cmd`
 +        if options.is_surgical() && options.no_docs && !options.no_embed {
 +            return Err(Box::new(LoreError::Other(
 +                "In surgical mode, --no-docs requires --no-embed (to preserve scoping guarantees)".to_string()
 +            )));
 +        }
@@ ### For me to evaluate
 +39. **No embed leakage**: `sync --issue X --no-docs` never embeds unrelated unembedded docs
 ```
 ---
 5. **Add queue-failure hygiene so scoped jobs do not leak forever**
 Why this improves the plan:
 - Scoped drains prevent accidental processing, but failed runs can strand pending jobs permanently.
 - You need explicit terminalization (`aborted`) and optional replay mechanics.
 - Otherwise queue bloat and confusing diagnostics accumulate.
 ```diff
@@ ## Step 8a: Add `sync_runs` table migration
 +ALTER TABLE dependent_queue ADD COLUMN aborted_reason TEXT;
 +-- status domain now includes: pending, claimed, done, failed, aborted
@@ ## Step 9: run_sync_surgical failure paths
 +// On run failure/cancel:
 +conn.execute(
 +  "UPDATE dependent_queue
 +   SET status='aborted', aborted_reason=?1
 +   WHERE project_id=?2 AND scope_run_id=?3 AND status='pending'",
 +  rusqlite::params![failure_summary, project_id, run_id],
 +)?;
@@ ## Acceptance Criteria
 +40. **No stranded scoped jobs**: failed surgical runs leave no `pending` rows for their `scope_run_id`
 ```
 ---
 6. **Persist per-entity lifecycle (`sync_run_entities`) for real observability and deterministic retry**
 Why this improves the plan:
 - `sync_runs` alone gives aggregate counters but not which IID failed at which stage.
 - Per-entity records make retries deterministic and robot output far more useful.
 - This is the missing piece for your stated “deterministic retry decisions.”
 ```diff
@@ ## Step 8a: Add `sync_runs` table migration
 +CREATE TABLE IF NOT EXISTS sync_run_entities (
 +  id INTEGER PRIMARY KEY,
 +  run_id TEXT NOT NULL REFERENCES sync_runs(run_id),
 +  entity_type TEXT NOT NULL CHECK(entity_type IN ('issue','merge_request')),
 +  iid INTEGER NOT NULL,
 +  stage TEXT NOT NULL,
 +  status TEXT NOT NULL CHECK(status IN ('ok','failed','skipped_stale')),
 +  error_code TEXT,
 +  error_message TEXT,
 +  updated_at INTEGER NOT NULL
 +);
 +CREATE INDEX IF NOT EXISTS idx_sync_run_entities_run ON sync_run_entities(run_id, entity_type, iid);
@@ ## Step 15: Update `SyncResult`
 +    pub failed_iids: Vec<(String, u64)>,
 +    pub skipped_stale_iids: Vec<(String, u64)>,
@@ ## CLI Interface
 +lore --robot sync-runs --run-id <id>
 +lore --robot sync-runs --run-id <id> --retry-failed
 ```
 ---
 7. **Use explicit error type for surgical preflight failures (not `LoreError::Other`)**
 Why this improves the plan:
 - `Other(String)` loses machine semantics, weakens robot mode, and leads to bad exit-code behavior.
 - A typed error preserves structured failures and enables actionable recovery commands.
 ```diff
@@ ## Step 9: run_sync_surgical
 -            return Err(LoreError::Other(
 -                format!("Surgical preflight failed for {} of {} IIDs: {}", ...)
 -            ).into());
 +            return Err(LoreError::SurgicalPreflightFailed {
 +                run_id: run_id.to_string(),
 +                total: total_items,
 +                failures: preflight.failures.clone(),
 +            }.into());
@@ ## Step 15: Update `SyncResult`
 +    /// Machine-actionable error summary for robot mode
 +    pub error_code: Option<String>,
@@ ## Acceptance Criteria
 +41. **Typed failure**: preflight failures serialize structured errors (not generic `Other`) with machine-usable codes/actions
 ```
 ---
 8. **Strengthen tests for rollback, contention, and stale-skip guarantees**
 Why this improves the plan:
 - Current tests cover many happy-paths and scoping invariants, but key race/rollback behaviors are still under-tested.
 - These are exactly where regressions will appear first in production.
 ```diff
@@ ## Step 1: TDD — Write Failing Tests First
 +### 1f. Transactional rollback + TOCTOU tests
 +1. `preflight_success_then_ingest_failure_rolls_back_all_content_writes`
 +2. `stale_payload_is_skipped_when_local_updated_at_is_newer`
 +3. `failed_run_aborts_pending_scoped_jobs`
 +4. `surgical_no_docs_requires_no_embed`
@@ ### Automated scoping invariants
 -38. **Scoped queue/docs invariants are enforced by automated tests**
 +42. **Rollback and race invariants are enforced by automated tests** (no partial writes on ingest failure, no stale overwrite)
 ```
 ---
 These eight revisions keep your core approach intact, avoid your explicitly rejected ideas, and close the biggest correctness/operability gaps before implementation.
--- a/docs/plan-surgical-sync.feedback-5.md
+++ b/docs/plan-surgical-sync.feedback-5.md
@@ -0,0 +1,130 @@
 **Critical Gaps In Current Plan**
 1. `dirty_sources` scoping is based on `id`, but `dirty_sources` has no `id` column and uses `(source_type, source_id)` UPSERT semantics.
 2. Plan assumes a new `dependent_queue` with `status`, but current code uses `pending_dependent_fetches` (delete-on-complete), so queue-scoping design conflicts with existing invariants.
 3. Constraint 6 says all remote fetches happen before any content writes, but the proposed surgical flow fetches discussions/events/diffs after ingest writes.
 4. `sync_runs` is already an existing table and already used by `SyncRunRecorder`; the plan currently treats it like a new table.
 **Best Revisions**
 1. **Fix dirty-source scoping to match real schema (queued-at watermark, not `id` high-water).**  
 Why this is better: This removes a correctness bug and makes same-entity re-ingest deterministic under UPSERT behavior.
 ```diff
@@ Design Constraints
 -2. Dirty queue scoping: ... capture MAX(id) FROM dirty_sources ... run_generate_docs_for_dirty_ids ...
 +2. Dirty queue scoping: `dirty_sources` is keyed by `(source_type, source_id)` and updated via UPSERT.
 +   Surgical scoping MUST use:
 +   1) a run-level `run_dirty_floor_ms` captured before surgical ingest, and
 +   2) explicit touched source keys from ingest (`(source_type, source_id)`).
 +   Surgical docs MUST call a scoped API (e.g. `run_generate_docs_for_sources`) and MUST NOT drain global dirty queue.
@@ Step 9a
 -pub fn run_generate_docs_for_dirty_ids(config: &Config, dirty_source_ids: &[i64]) -> Result<GenerateDocsResult>
 +pub fn run_generate_docs_for_sources(config: &Config, sources: &[(SourceType, i64)]) -> Result<GenerateDocsResult>
 ```
 2. **Bypass shared dependent queue in surgical mode; run dependents inline per target.**  
 Why this is better: Avoids queue migration churn, avoids run-scope conflicts with existing unique constraints, and removes orphan-job hygiene complexity entirely.
 ```diff
@@ Design Constraints
 -4. Dependent queue scoping: ... scope_run_id indexed column on dependent_queue ...
 +4. Surgical dependent execution: surgical mode MUST bypass `pending_dependent_fetches`.
 +   Dependents (resource_events, mr_closes_issues, mr_diffs) run inline for targeted entities only.
 +   Global queue remains for normal sync only.
@@ Design Constraints
 -14. Queue failure hygiene: ... pending scoped jobs ... terminalized to aborted ...
 +14. Surgical failure hygiene: surgical mode MUST leave no queue artifacts because it does not enqueue dependent jobs.
@@ Step 9b / 9c / Step 13
 -Implement scoped drain helpers and enqueue_job scope_run_id plumbing
 +Replace with direct per-entity helpers in ingestion layer:
 +  - sync_issue_resource_events_direct(...)
 +  - sync_mr_resource_events_direct(...)
 +  - sync_mr_closes_issues_direct(...)
 +  - sync_mr_diffs_direct(...)
 ```
 3. **Clarify atomicity contract to “primary-entity atomicity” (remove contradiction).**  
 Why this is better: Keeps strong zero-write guarantees for missing IIDs while matching practical staged pipeline behavior.
 ```diff
@@ Design Constraints
 -6. Preflight-then-commit (content-plane): All remote fetches happen BEFORE any writes to content tables ...
 +6. Primary-entity atomicity: all requested issue/MR payload fetches complete before first content write.
 +   If any primary IID fetch fails, primary ingest does zero content writes.
 +   Dependent stages (discussions/events/diffs/closes) are post-ingest and best-effort, with structured per-stage failure reporting.
 ```
 4. **Extend existing `sync_runs` schema instead of redefining it.**  
 Why this is better: Preserves compatibility with current `SyncRunRecorder`, `sync_status`, and existing historical data.
 ```diff
@@ Step 8a
 -Add `sync_runs` table migration (CREATE TABLE sync_runs ...)
 +Add migration 027 to extend existing `sync_runs` table:
 +  - ADD COLUMN mode TEXT NULL            -- 'standard' | 'surgical'
 +  - ADD COLUMN phase TEXT NULL           -- preflight|ingest|dependents|docs|embed|done|failed
 +  - ADD COLUMN surgical_summary_json TEXT NULL
 +Reuse `SyncRunRecorder` row lifecycle; do not introduce a parallel run-ledger model.
 ```
 5. **Strengthen TOCTOU stale protection for equal timestamps.**  
 Why this is better: Prevents regressions when `updated_at` is equal but a fresher local fetch already happened.
 ```diff
@@ Design Constraints
 -13. ... If local `updated_at` is newer than preflight payload `updated_at`, skip ...
 +13. ... Skip stale when:
 +    a) local.updated_at > payload.updated_at, OR
 +    b) local.updated_at == payload.updated_at AND local.last_seen_at > preflight_started_at_ms.
 +    This prevents equal-timestamp regressions under concurrent sync.
@@ Step 1f tests
 +Add test: `equal_updated_at_but_newer_last_seen_is_skipped`.
 ```
 6. **Shrink lock window further: release `sync` lock before embed; use dedicated embed lock.**  
 Why this is better: Prevents long embedding from blocking unrelated syncs and avoids concurrent embed writers.
 ```diff
@@ Design Constraints
 -11. Lock ... held through all mutation stages.
 +11. Lock ... held through ingest/dependents/docs only.
 +    Release `AppLock("sync")` before embed.
 +    Embed stage uses `AppLock("embed")` for single-flight embedding writes.
@@ Step 9
 -Embed runs inside the same sync lock window
 +Embed runs after sync lock release, under dedicated embed lock
 ```
 7. **Add the missing `sync-runs` robot read path (the plan references it but doesn’t define it).**  
 Why this is better: Makes durable run-state actually useful for recovery automation and observability.
 ```diff
@@ Step 14 (new)
 +## Step 14a: Add `sync-runs` read command
 +
 +CLI:
 +  lore --robot sync-runs --limit 20
 +  lore --robot sync-runs --run-id <id>
 +  lore --robot sync-runs --state failed
 +
 +Robot response fields:
 +  run_id, mode, phase, status, started_at, finished_at, counters, failures, suggested_retry_command
 ```
 8. **Add URL-native surgical targets (`--issue-url`, `--mr-url`) with project inference.**  
 Why this is better: Much more agent-friendly and reduces project-resolution errors from copy/paste workflows.
 ```diff
@@ CLI Interface
 lore sync --issue 123 --issue 456 -p myproject
 +lore sync --issue-url https://gitlab.example.com/group/proj/-/issues/123
 +lore sync --mr-url https://gitlab.example.com/group/proj/-/merge_requests/789
@@ Step 2
 +Add repeatable flags:
 +  --issue-url <url>
 +  --mr-url <url>
 +Parse URL into (project_path, iid). If all targets are URL-derived and same project, `-p` is optional.
 +If mixed projects are provided in one command, reject with clear error.
 ```
 If you want, I can produce a single consolidated patched version of your plan (iteration 5 draft) with these revisions already merged.
--- a/docs/plan-surgical-sync.feedback-6.md
+++ b/docs/plan-surgical-sync.feedback-6.md
@@ -0,0 +1,152 @@
 Highest-impact revisions after reviewing your v5 plan:
 1. **Fix a real scoping hole: embed can still process unrelated docs**
 Rationale: Current plan assumes scoped docs implies scoped embed, but that only holds while no other run creates unembedded docs. You explicitly release sync lock before embed, so another sync can enqueue/regenerate docs in between, and `run_embed` may embed unrelated backlog. This breaks surgical isolation and can hide backlog debt.
 ```diff
 diff --git a/plan.md b/plan.md
@@ Design Constraints
 -3. Embed scoping: Embedding runs only for documents regenerated by this surgical run. Because `run_embed` processes only unembedded docs, scoping is automatic IF docs are scoped correctly...
 +3. Embed scoping: Embedding MUST be explicitly scoped to documents regenerated by this surgical run.
 +   `run_generate_docs_for_sources` returns regenerated `document_ids`; surgical mode calls
 +   `run_embed_for_document_ids(document_ids)` and never global `run_embed`.
 +   This remains true even after lock release and under concurrent normal sync activity.
@@ Step 9a: Implement `run_generate_docs_for_sources`
 -pub fn run_generate_docs_for_sources(...) -> Result<GenerateDocsResult> {
 +pub fn run_generate_docs_for_sources(...) -> Result<GenerateDocsResult> {
 +    // Return regenerated document IDs for scoped embedding.
 +    // GenerateDocsResult { regenerated, errored, regenerated_document_ids: Vec<i64> }
@@ Step 9: Embed stage
 - match run_embed(config, false, false, None, signal).await {
 + match run_embed_for_document_ids(config, &result.regenerated_document_ids, signal).await {
 ```
 2. **Make run-ledger lifecycle actually durable (and consistent with your own constraint 10)**
 Rationale: Plan text says “reuse `SyncRunRecorder`”, but Step 9 writes raw SQL directly. That creates lifecycle drift, missing heartbeats, and inconsistent failure handling as code evolves.
 ```diff
 diff --git a/plan.md b/plan.md
@@ Design Constraints
 -10. Durable run state: ... Reuses `SyncRunRecorder` row lifecycle ...
 +10. Durable run state: surgical sync MUST use `SyncRunRecorder` end-to-end (no ad-hoc SQL updates).
 +    Add recorder APIs for `set_mode`, `set_phase`, `set_counters`, `finish_succeeded`,
 +    `finish_failed`, `finish_cancelled`, and periodic `heartbeat`.
@@ Step 9: Create `run_sync_surgical`
 - conn.execute("INSERT INTO sync_runs ...")
 - conn.execute("UPDATE sync_runs SET phase = ...")
 + let mut recorder = SyncRunRecorder::start_surgical(...)?;
 + recorder.set_phase("preflight")?;
 + recorder.heartbeat_if_due()?;
 + recorder.set_phase("ingest")?;
 + ...
 + recorder.finish_succeeded_with_warnings(...)?;
 ```
 3. **Add explicit `cancelled` terminal state**
 Rationale: Current early cancellation branches return `Ok(result)` without guaranteed run-row finalization. That leaves misleading `running` rows and weak crash diagnostics.
 ```diff
 diff --git a/plan.md b/plan.md
@@ Design Constraints
 +15. Cancellation semantics: If shutdown is observed after run start, phase is set to `cancelled`,
 +    status is `cancelled`, `finished_at` is written, and lock is released before return.
@@ Step 8a migration
 +ALTER TABLE sync_runs ADD COLUMN warnings_count INTEGER NOT NULL DEFAULT 0;
 +ALTER TABLE sync_runs ADD COLUMN cancelled_at INTEGER;
@@ Acceptance Criteria
 +47. Cancellation durability: Ctrl+C during surgical sync records `status='cancelled'`,
 +    `phase='cancelled'`, and `finished_at` in `sync_runs`.
 ```
 4. **Reduce lock contention further by separating dependent fetch and dependent write**
 Rationale: You currently hold lock through network-heavy dependent stages. That maximizes contention and increases lock timeout risk. Better: fetch dependents unlocked, write in short locked transactions with per-entity freshness guards.
 ```diff
 diff --git a/plan.md b/plan.md
@@ Design Constraints
 -11. Lock window minimization: ... held through ingest, dependents, and docs stages.
 +11. Lock window minimization: lock is held only for DB mutation windows.
 +    Dependents run in two phases:
 +    (a) fetch from GitLab without lock,
 +    (b) write results under lock in short transactions.
 +    Apply per-entity freshness checks before dependent writes.
@@ Step 9: Dependent stages
 - // All dependents run INLINE per-entity ... while lock is held
 + // Dependents fetch outside lock, then write under lock with CAS-style watermark guards.
 ```
 5. **Introduce stage timeout budgets to prevent hung surgical runs**
 Rationale: A single slow GitLab endpoint can stall the whole run and hold resources too long. Timeout budgets plus per-entity failure recording keep the run bounded and predictable.
 ```diff
 diff --git a/plan.md b/plan.md
@@ Design Constraints
 +16. Stage timeout budgets: each dependent fetch has a per-entity timeout and a global stage budget.
 +    Timed-out entities are recorded in `entity_failures` with code `TIMEOUT` and run continues best-effort.
@@ Step 9 notes
 + - Wrap dependent network calls with `tokio::time::timeout`.
 + - Add config knobs:
 +   `sync.surgical_entity_timeout_seconds` (default 20),
 +   `sync.surgical_dependents_budget_seconds` (default 120).
 ```
 6. **Add payload integrity checks (project mismatch hard-fail)**
 Rationale: Surgical mode is precision tooling. If API/proxy misconfiguration returns payloads from wrong project, you should fail preflight loudly, not trust downstream assumptions.
 ```diff
 diff --git a/plan.md b/plan.md
@@ Step 7: preflight_fetch
 + // Integrity check: payload.project_id must equal requested gitlab_project_id.
 + // On mismatch, record EntityFailure { code: "PROJECT_MISMATCH", stage: "fetch" }.
@@ Step 9d: error codes
 +PROJECT_MISMATCH -> usage/config data integrity failure (typed, machine-readable)
@@ Acceptance Criteria
 +48. Project integrity: payloads with unexpected `project_id` are rejected in preflight
 +    and produce zero content writes.
 ```
 7. **Upgrade robot output from aggregate-only to per-entity lifecycle**
 Rationale: `entity_failures` alone is not enough for robust automation. Agents need a complete entity outcome map (fetched, ingested, stale-skipped, dependent failures) to retry deterministically.
 ```diff
 diff --git a/plan.md b/plan.md
@@ Step 15: Update `SyncResult`
 +pub struct EntityOutcome {
 +    pub entity_type: String,
 +    pub iid: u64,
 +    pub fetched: bool,
 +    pub ingested: bool,
 +    pub stale_skipped: bool,
 +    pub dependent_failures: Vec<EntityFailure>,
 +}
@@
 +pub entity_outcomes: Vec<EntityOutcome>,
 +pub completion_status: String, // succeeded | succeeded_with_warnings | failed | cancelled
@@ Robot mode
 - enables agents to detect partial failures via `entity_failures`
 + enables deterministic, per-IID retry and richer UI messaging.
 ```
 8. **Index `sync_runs` for real observability at scale**
 Rationale: You’re adding mode/phase/counters and then querying recent surgical runs. Without indexes, this degrades as run history grows.
 ```diff
 diff --git a/plan.md b/plan.md
@@ Step 8a migration
 +CREATE INDEX IF NOT EXISTS idx_sync_runs_mode_started
 +    ON sync_runs(mode, started_at DESC);
 +CREATE INDEX IF NOT EXISTS idx_sync_runs_status_phase_started
 +    ON sync_runs(status, phase, started_at DESC);
 ```
 9. **Add tests specifically for the new failure-prone paths**
 Rationale: Current tests are strong on ingest and scoping, but still miss new high-risk runtime behavior (cancel state, timeout handling, scoped embed under concurrency).
 ```diff
 diff --git a/plan.md b/plan.md
@@ Step 1f tests
 +#[tokio::test]
 +async fn cancellation_marks_sync_run_cancelled() { ... }
 +
 +#[tokio::test]
 +async fn dependent_timeout_records_entity_failure_and_continues() { ... }
 +
 +#[tokio::test]
 +async fn scoped_embed_does_not_embed_unrelated_docs_created_after_docs_stage() { ... }
@@ Acceptance Criteria
 +49. Scoped embed isolation under concurrency is verified by automated test.
 +50. Timeout path is verified (TIMEOUT code + continued processing).
 ```
 These revisions keep your core direction intact, avoid every rejected recommendation, and materially improve correctness under concurrency, operational observability, and agent automation quality.
--- a/docs/plan-surgical-sync.md
+++ b/docs/plan-surgical-sync.md
--- a/docs/prd-per-note-search.feedback-1.md
+++ b/docs/prd-per-note-search.feedback-1.md
@@ -1,174 +0,0 @@
 Highest-impact gaps I see in the current plan:
 1. `for-issue` / `for-mr` filtering is ambiguous across projects and can return incorrect rows.
 2. `lore notes` has no pagination contract, so large exports and deterministic resumption are weak.
 3. Migration `022` is high-risk (table rebuild + FTS + junction tables) without explicit integrity gates.
 4. Note-doc freshness is incomplete for upstream note deletions and parent metadata changes (labels/title).
 Below are my best revisions, each with rationale and a git-diff-style plan edit.
 ---
 1. **Add gated rollout + rollback controls**
 Rationale: You can still “ship together” while reducing blast radius. This makes recovery fast if note-doc generation causes DB/embedding pressure.
 ```diff
@@ ## Design
 -Two phases, shipped together as one feature:
 +Two phases, shipped together as one feature, but with runtime gates:
 +
 +- `feature.notes_cli` (Phase 1 surface)
 +- `feature.note_documents` (Phase 2 indexing/extraction path)
 +
 +Rollout order:
 +1) Enable `notes_cli`
 +2) Run note-doc backfill in bounded batches
 +3) Enable `note_documents` for continuous updates
 +
 +Rollback:
 +- Disabling `feature.note_documents` stops new note-doc generation without affecting issue/MR/discussion docs.
 ```
 2. **Add keyset pagination + deterministic ordering**
 Rationale: Needed for year-long reviewer analysis and reliable “continue where I left off” behavior under concurrent updates.
 ```diff
@@ pub struct NoteListFilters<'a> {
     pub limit: usize,
 +    pub cursor: Option<&'a str>,        // keyset token "<sort_ms>:<id>"
 +    pub include_total_count: bool,      // avoid COUNT(*) in hot paths
@@
 -    pub sort: &'a str,                  // "created" (default) | "updated"
 +    pub sort: &'a str,                  // "created" | "updated"
@@ query_notes SQL
 -ORDER BY {sort_column} {order}
 +ORDER BY {sort_column} {order}, n.id {order}
 LIMIT ?
 ```
 3. **Make `for-issue` / `for-mr` project-scoped**
 Rationale: IIDs are not globally unique. Requiring project avoids false positives and hard-to-debug cross-project leakage.
 ```diff
@@ pub struct NotesArgs {
 -    #[arg(long = "for-issue", help_heading = "Filters", conflicts_with = "for_mr")]
 +    #[arg(long = "for-issue", help_heading = "Filters", conflicts_with = "for_mr", requires = "project")]
     pub for_issue: Option<i64>,
@@
 -    #[arg(long = "for-mr", help_heading = "Filters", conflicts_with = "for_issue")]
 +    #[arg(long = "for-mr", help_heading = "Filters", conflicts_with = "for_issue", requires = "project")]
     pub for_mr: Option<i64>,
 ```
 4. **Upgrade path filtering semantics**
 Rationale: Review comments often reference renames/moves. Restricting to `position_new_path` misses relevant notes.
 ```diff
@@ pub struct NotesArgs {
 -    /// Filter by file path (trailing / for prefix match)
 +    /// Filter by file path
     #[arg(long, help_heading = "Filters")]
     pub path: Option<String>,
 +    /// Path mode: exact|prefix|glob
 +    #[arg(long = "path-mode", value_parser = ["exact","prefix","glob"], default_value = "exact", help_heading = "Filters")]
 +    pub path_mode: String,
 +    /// Match against old path as well as new path
 +    #[arg(long = "match-old-path", help_heading = "Filters")]
 +    pub match_old_path: bool,
@@ query_notes filter mappings
 -- `path` ... n.position_new_path ...
 +- `path` applies to `n.position_new_path` and optionally `n.position_old_path`.
 +- `glob` mode translates `*`/`?` to SQL LIKE with escaping.
 ```
 5. **Add explicit performance indexes (new migration)**
 Rationale: `notes` becomes a first-class query surface; without indexes, filters degrade quickly at 10k+ note scale.
 ```diff
@@ ## Phase 1: `lore notes` Command
 +### Work Chunk 1E: Query Performance Indexes
 +**Files:** `migrations/023_notes_query_indexes.sql`, `src/core/db.rs`
 +
 +Add indexes:
 +- `notes(project_id, created_at DESC, id DESC)`
 +- `notes(author_username, created_at DESC, id DESC) WHERE is_system = 0`
 +- `notes(discussion_id)`
 +- `notes(position_new_path)`
 +- `notes(position_old_path)`
 +- `discussions(issue_id)`
 +- `discussions(merge_request_id)`
 ```
 6. **Harden migration 022 with transactional integrity checks**
 Rationale: This is the riskiest part of the plan. Add hard fail-fast checks so corruption cannot silently pass.
 ```diff
@@ ### Work Chunk 2A: Schema Migration (022)
 +Migration safety requirements:
 +- Execute in a single `BEGIN IMMEDIATE ... COMMIT` transaction.
 +- Capture and compare pre/post row counts for `documents`, `document_labels`, `document_paths`, `dirty_sources`.
 +- Run `PRAGMA foreign_key_check` and abort on any violation.
 +- Run `PRAGMA integrity_check` and abort on non-`ok`.
 +- Rebuild FTS and assert `documents_fts` rowcount equals `documents` rowcount.
 ```
 7. **Add note deletion + parent-change propagation**
 Rationale: Current plan handles create/update ingestion but not all staleness paths. Without this, note documents drift.
 ```diff
@@ ## Phase 2: Per-Note Documents
 +### Work Chunk 2G: Freshness Propagation
 +**Files:** `src/ingestion/discussions.rs`, `src/ingestion/mr_discussions.rs`, `src/documents/regenerator.rs`
 +
 +Rules:
 +- If a previously stored note is missing from upstream payload, delete local note row and enqueue `(note, id)` for document deletion.
 +- When parent issue/MR title or labels change, enqueue descendant note docs dirty (notes inherit parent metadata).
 +- Keep idempotent behavior for repeated syncs.
 ```
 8. **Separate FTS coverage from embedding coverage**
 Rationale: Biggest cost/perf risk is embeddings. Index all notes in FTS, but embed selectively with policy knobs.
 ```diff
@@ ## Estimated Document Volume Impact
 -FTS5 handles this comfortably. Embedding generation time scales linearly (~4x increase).
 +FTS5 handles this comfortably. Embedding generation is policy-controlled:
 +- FTS: index all non-system note docs
 +- Embeddings default: only notes with body length >= 40 chars (configurable)
 +- Add config: `documents.note_embeddings.min_chars`, `documents.note_embeddings.enabled`
 +- Prioritize unresolved DiffNotes before other notes during embedding backfill
 ```
 9. **Bring structured reviewer profiling into scope (not narrative reporting)**
 Rationale: This directly serves the stated use case and makes the feature compelling immediately.
 ```diff
@@ ## Non-Goals
 -- Adding a "reviewer profile" report command (that's a downstream use case built on this infrastructure)
 +- Generating free-form narrative reviewer reports.
 +  A structured profiling command is in scope.
 +
 +## Phase 3: Structured Reviewer Profiling
 +Add `lore notes profile --author <user> --since <window>` returning:
 +- top commented paths
 +- top parent labels
 +- unresolved-comment ratio
 +- note-type distribution
 +- median comment length
 ```
 10. **Add operational SLOs + robot-mode status for note pipeline**
 Rationale: Reliability improves when regressions are observable, not inferred from failures.
 ```diff
@@ ## Verification Checklist
 +Operational checks:
 +- `lore -J stats` includes per-`source_type` document counts (including `note`)
 +- Add queue lag metrics: oldest dirty note age, retry backlog size
 +- Add extraction error breakdown by `source_type`
 +- Add smoke assertion: disabling `feature.note_documents` leaves other source regeneration unaffected
 ```
 ---
 If you want, I can produce a single consolidated revised PRD draft (fully merged text, not just diffs) as the next step.
--- a/docs/prd-per-note-search.feedback-2.md
+++ b/docs/prd-per-note-search.feedback-2.md
@@ -1,200 +0,0 @@
 Below are the strongest revisions I’d make, excluding everything in your `## Rejected Recommendations` list.
 1. **Add a Phase 0 for stable note identity before any note-doc generation**
 Rationale: your current plan still allows note document churn because Issue discussion ingestion is delete/reinsert-based. That makes local `notes.id` unstable, causing unnecessary dirtying/regeneration and potential stale-doc edge cases. Stabilizing identity first (upsert-by-GitLab-ID + sweep stale) improves correctness and cuts repeated work.
 ```diff
@@ ## Design
 -Two phases, shipped together as one feature:
 +Three phases, shipped together as one feature:
 +- **Phase 0 (Foundation):** Stable note identity in local DB (upsert + sweep, no delete/reinsert churn)
 - **Phase 1 (Option A):** `lore notes` command — direct SQL query over the `notes` table with rich filtering
 - **Phase 2 (Option B):** Per-note documents — each non-system note becomes its own searchable document in the FTS/embedding pipeline
@@
 +## Phase 0: Stable Note Identity
 +
 +### Work Chunk 0A: Upsert/Sweep for Issue Discussion Notes
 +**Files:** `src/ingestion/discussions.rs`, `migrations/022_notes_identity_index.sql`, `src/core/db.rs`
 +**Implementation:**
 +- Add unique index: `UNIQUE(project_id, gitlab_id)` on `notes`
 +- Replace delete/reinsert issue-note flow with upsert + `last_seen_at` sweep (same durability model as MR note sweep)
 +- Ensure `insert_note/upsert_note` returns the stable local row id for both insert and update paths
 ```
 2. **Replace `source_type` CHECK constraints with a registry table + FK in migration**
 Rationale: table CHECKs force full table rebuild for every new source type forever. A `source_types` table with FK keeps DB-level integrity and future extensibility without rebuilding `documents`/`dirty_sources` every time. This is a major architecture hardening win.
 ```diff
@@ ### Work Chunk 2A: Schema Migration (023)
 -Current migration ... CHECK constraints limiting `source_type` ...
 +Current migration ... CHECK constraints limiting `source_type` ...
 +Revision: migrate to `source_types` registry table + FK constraints.
@@
 -1. `dirty_sources` — add `'note'` to source_type CHECK
 -2. `documents` — add `'note'` to source_type CHECK
 +1. Create `source_types(name TEXT PRIMARY KEY)` and seed: `issue, merge_request, discussion, note`
 +2. Rebuild `dirty_sources` and `documents` to replace CHECK with `REFERENCES source_types(name)`
 +3. Future source-type additions become `INSERT INTO source_types(name) VALUES (?)` (no table rebuild)
@@
 +#### Additional integrity tests
 +#[test]
 +fn test_source_types_registry_contains_note() { ... }
 +#[test]
 +fn test_documents_source_type_fk_enforced() { ... }
 +#[test]
 +fn test_dirty_sources_source_type_fk_enforced() { ... }
 ```
 3. **Mark note documents dirty only when note semantics actually changed**
 Rationale: current loops mark every non-system note dirty every sync. With 8k+ notes this creates avoidable queue pressure and regeneration time. Change-aware dirtying (inserted/changed only) gives major performance and stability improvements.
 ```diff
@@ ### Work Chunk 2D: Regenerator & Dirty Tracking Integration
 -for note in notes {
 -    let local_note_id = insert_note(&tx, local_discussion_id, &note, None)?;
 -    if !note.is_system {
 -        dirty_tracker::mark_dirty_tx(&tx, SourceType::Note, local_note_id)?;
 -    }
 -}
 +for note in notes {
 +    let outcome = upsert_note(&tx, local_discussion_id, &note, None)?;
 +    if !note.is_system && outcome.changed_semantics {
 +        dirty_tracker::mark_dirty_tx(&tx, SourceType::Note, outcome.local_note_id)?;
 +    }
 +}
@@
 +// changed_semantics should include: body, note_type, path/line positions, resolvable/resolved/resolved_by, updated_at
 ```
 4. **Expand filters to support real analysis windows and resolution state**
 Rationale: reviewer profiling usually needs bounded windows and both resolved/unresolved views. Current `unresolved: bool` is too narrow and one-sided. Add `--until` and tri-state resolution filtering for better analytical power.
 ```diff
@@ pub struct NoteListFilters<'a> {
 -    pub since: Option<&'a str>,
 +    pub since: Option<&'a str>,
 +    pub until: Option<&'a str>,
@@
 -    pub unresolved: bool,
 +    pub resolution: &'a str, // "any" (default) | "unresolved" | "resolved"
@@
 -    pub author: Option<&'a str>,
 +    pub author: Option<&'a str>, // case-insensitive match
@@
 -    // Filter by time (7d, 2w, 1m, or YYYY-MM-DD)
 +    // Filter by start time (7d, 2w, 1m, or YYYY-MM-DD)
     pub since: Option<String>,
 +    /// Filter by end time (7d, 2w, 1m, or YYYY-MM-DD)
 +    #[arg(long, help_heading = "Filters")]
 +    pub until: Option<String>,
@@
 -    /// Only show unresolved review comments
 -    pub unresolved: bool,
 +    /// Resolution filter: any, unresolved, resolved
 +    #[arg(long, value_parser = ["any", "unresolved", "resolved"], default_value = "any", help_heading = "Filters")]
 +    pub resolution: String,
 ```
 5. **Broaden index strategy to match actual query shapes, not just author queries**
 Rationale: `idx_notes_user_created` helps one path, but common usage also includes project+time scans and unresolved filters. Add two more partial composites for high-selectivity paths.
 ```diff
@@ ### Work Chunk 1E: Composite Query Index
 CREATE INDEX IF NOT EXISTS idx_notes_user_created
 ON notes(project_id, author_username, created_at DESC, id DESC)
 WHERE is_system = 0;
 +
 +CREATE INDEX IF NOT EXISTS idx_notes_project_created
 +ON notes(project_id, created_at DESC, id DESC)
 +WHERE is_system = 0;
 +
 +CREATE INDEX IF NOT EXISTS idx_notes_unresolved_project_created
 +ON notes(project_id, created_at DESC, id DESC)
 +WHERE is_system = 0 AND resolvable = 1 AND resolved = 0;
@@
 +#[test]
 +fn test_notes_query_plan_uses_project_created_index_for_default_listing() { ... }
 +#[test]
 +fn test_notes_query_plan_uses_unresolved_index_when_resolution_unresolved() { ... }
 ```
 6. **Improve per-note document payload with structured metadata header + minimal thread context**
 Rationale: isolated single-note docs can lose meaning. A small structured header plus lightweight context (parent + one preceding note excerpt) improves semantic retrieval quality substantially without re-bundling full threads.
 ```diff
@@ ### Work Chunk 2C: Note Document Extractor
 -// 6. Format content:
 -//    [[Note]] {note_type or "Comment"} on {parent_type_prefix}: {parent_title}
 -//    Project: {path_with_namespace}
 -//    URL: {url}
 -//    Author: @{author}
 -//    Date: {format_date(created_at)}
 -//    Labels: {labels_json}
 -//    File: {position_new_path}:{position_new_line}  (if DiffNote)
 -//
 -//    --- Body ---
 -//
 -//    {body}
 +// 6. Format content with machine-readable header:
 +//    [[Note]]
 +//    source_type: note
 +//    note_gitlab_id: {gitlab_id}
 +//    project: {path_with_namespace}
 +//    parent_type: {Issue|MergeRequest}
 +//    parent_iid: {iid}
 +//    note_type: {DiffNote|DiscussionNote|Comment}
 +//    author: @{author}
 +//    created_at: {iso8601}
 +//    resolved: {true|false}
 +//    path: {position_new_path}:{position_new_line}
 +//    url: {url}
 +//
 +//    --- Context ---
 +//    parent_title: {title}
 +//    previous_note_excerpt: {optional, max 200 chars}
 +//
 +//    --- Body ---
 +//    {body}
 ```
 7. **Add first-class export modes for downstream profiling pipelines**
 Rationale: this makes the feature much more useful immediately (LLM prompts, notebook analysis, external scripts) without adding a profiling command. It stays within your non-goals and increases adoption.
 ```diff
@@ pub struct NotesArgs {
 +    /// Output format
 +    #[arg(long, value_parser = ["table", "json", "jsonl", "csv"], default_value = "table", help_heading = "Output")]
 +    pub format: String,
@@
 -    if robot_mode {
 +    if robot_mode || args.format == "json" || args.format == "jsonl" || args.format == "csv" {
         print_list_notes_json(...)
     } else {
         print_list_notes(&result);
     }
@@ ### Work Chunk 1C: Human & Robot Output Formatting
 +Add `print_list_notes_csv()` and `print_list_notes_jsonl()`:
 +- CSV columns mirror `NoteListRowJson` field names
 +- JSONL emits one note object per line for streaming pipelines
 ```
 8. **Strengthen verification with idempotence + migration data-preservation checks**
 Rationale: this feature touches ingestion, migrations, indexing, and regeneration. Add explicit idempotence/perf checks so regressions surface early.
 ```diff
@@ ## Verification Checklist
 cargo test
 cargo clippy --all-targets -- -D warnings
 cargo fmt --check
 +cargo test test_note_ingestion_idempotent_across_two_syncs
 +cargo test test_note_document_count_stable_after_second_generate_docs_full
@@
 +lore sync
 +lore generate-docs --full
 +lore -J stats > /tmp/stats1.json
 +lore generate-docs --full
 +lore -J stats > /tmp/stats2.json
 +# assert note doc count unchanged and dirty queue drains to zero
 ```
 If you want, I can turn this into a fully rewritten PRD v2 draft with these changes merged in-place and renumbered work chunks end-to-end.
--- a/docs/prd-per-note-search.feedback-3.md
+++ b/docs/prd-per-note-search.feedback-3.md
@@ -1,162 +0,0 @@
 These are the highest-impact revisions I’d make. They avoid everything in your `## Rejected Recommendations` list.
 1. Add immediate note-document deletion propagation (don’t wait for `generate-docs --full`)
 Why: right now, deleted notes can leave stale `source_type='note'` documents until a full rebuild. That creates incorrect search/reporting results and weakens trust in the dataset.
 ```diff
@@ Phase 0: Stable Note Identity
 +### Work Chunk 0B: Immediate Deletion Propagation
 +
 +When sweep deletes stale notes, propagate deletion to documents in the same transaction.
 +Do not rely on eventual cleanup via `generate-docs --full`.
 +
 +#### Tests to Write First
 +#[test]
 +fn test_issue_note_sweep_deletes_note_documents_immediately() { ... }
 +#[test]
 +fn test_mr_note_sweep_deletes_note_documents_immediately() { ... }
 +
 +#### Implementation
 +Use `DELETE ... RETURNING id, is_system` in note sweep functions.
 +For returned non-system note ids:
 +1) `DELETE FROM documents WHERE source_type='note' AND source_id=?`
 +2) `DELETE FROM dirty_sources WHERE source_type='note' AND source_id=?`
 ```
 2. Add one-time upgrade backfill for existing notes (migration 024)
 Why: existing DBs will otherwise only get note-documents for changed/new notes. Historical notes remain invisible unless users manually run full rebuild.
 ```diff
@@ Phase 2: Per-Note Documents
 +### Work Chunk 2H: Backfill Existing Notes After Upgrade (Migration 024)
 +
 +Create migration `024_note_dirty_backfill.sql`:
 +INSERT INTO dirty_sources (source_type, source_id, queued_at)
 +SELECT 'note', n.id, unixepoch('now') * 1000
 +FROM notes n
 +LEFT JOIN documents d
 +  ON d.source_type='note' AND d.source_id=n.id
 +WHERE n.is_system=0 AND d.id IS NULL
 +ON CONFLICT(source_type, source_id) DO NOTHING;
 +
 +Add migration test asserting idempotence and expected queue size.
 ```
 3. Fix `--since/--until` semantics and validation
 Why: reusing `parse_since` for `until` creates ambiguous windows and off-by-boundary behavior; your own example `--since 90d --until 180d` is chronologically reversed.
 ```diff
@@ Work Chunk 1A: Data Types & Query Layer
 - since: parse_since(since_str) then n.created_at >= ?
 - until: parse_since(until_str) then n.created_at <= ?
 + since: parse_since_start_bound(since_str) then n.created_at >= ?
 + until: parse_until_end_bound(until_str) then n.created_at <= ?
 + Validate since <= until; otherwise return a clear user error.
 +
 +#### Tests to Write First
 +#[test] fn test_query_notes_invalid_time_window_rejected() { ... }
 +#[test] fn test_query_notes_until_date_is_end_of_day_inclusive() { ... }
 ```
 4. Separate semantic-change detection from housekeeping updates
 Why: current proposed `WHERE` includes `updated_at`, which will cause unnecessary dirty churn. You want `last_seen_at` to always refresh, but regeneration only when searchable semantics changed.
 ```diff
@@ Work Chunk 0A: Upsert/Sweep for Issue Discussion Notes
 - OR notes.updated_at IS NOT excluded.updated_at
 + -- updated_at-only changes should not mark semantic dirty
 +
 +Perform two-step logic:
 +1) Upsert always updates persistence/housekeeping fields (`updated_at`, `last_seen_at`).
 +2) `changed_semantics` is computed only from fields used by note documents/search filters
 +   (body, note_type, resolved flags, paths, author, parent linkage).
 +
 +#### Tests to Write First
 +#[test]
 +fn test_issue_note_upsert_updated_at_only_does_not_mark_semantic_change() { ... }
 ```
 5. Make indexes align with actual query collation and join strategy
 Why: `author` uses `COLLATE NOCASE`; without collation-aware index, SQLite can skip index use. Also, IID filters via scalar subqueries are harder for planner than direct join predicates.
 ```diff
@@ Work Chunk 1E: Composite Query Index
 -CREATE INDEX ... ON notes(project_id, author_username, created_at DESC, id DESC) WHERE is_system = 0;
 +CREATE INDEX ... ON notes(project_id, author_username COLLATE NOCASE, created_at DESC, id DESC) WHERE is_system = 0;
 +
 +CREATE INDEX IF NOT EXISTS idx_discussions_issue_id ON discussions(issue_id);
 +CREATE INDEX IF NOT EXISTS idx_discussions_mr_id ON discussions(merge_request_id);
 ```
 ```diff
@@ Work Chunk 1A: query_notes()
 - d.issue_id = (SELECT id FROM issues WHERE iid = ? AND project_id = ?)
 + i.iid = ? AND i.project_id = ?
 - d.merge_request_id = (SELECT id FROM merge_requests WHERE iid = ? AND project_id = ?)
 + m.iid = ? AND m.project_id = ?
 ```
 6. Replace manual CSV escaping with `csv` crate
 Why: manual RFC4180 escaping is fragile (quotes/newlines/multi-byte edge cases). This is exactly where a mature library reduces long-term bug risk.
 ```diff
@@ Work Chunk 1C: Human & Robot Output Formatting
 - Uses a minimal CSV writer (no external dependency — the format is simple enough for manual escaping).
 + Uses `csv::Writer` for RFC4180-compliant escaping and stable output across edge cases.
 +
 +#### Tests to Write First
 +#[test] fn test_csv_output_multiline_and_quotes_roundtrip() { ... }
 ```
 7. Add `--contains` lexical body filter to `lore notes`
 Why: useful middle ground between metadata filtering and semantic search; great for reviewer-pattern mining without requiring FTS query syntax.
 ```diff
@@ Work Chunk 1B: CLI Arguments & Command Wiring
 +/// Filter by case-insensitive substring in note body
 +#[arg(long, help_heading = "Filters")]
 +pub contains: Option<String>;
 ```
 ```diff
@@ Work Chunk 1A: NoteListFilters
 + pub contains: Option<&'a str>,
@@ query_notes dynamic filters
 + if contains.is_some() {
 +   where_clauses.push("n.body LIKE ? COLLATE NOCASE");
 +   params.push(format!("%{}%", escape_like(contains.unwrap())));
 + }
 ```
 8. Reduce note-document embedding noise by slimming metadata header
 Why: current verbose key-value header repeats low-signal tokens and consumes embedding budget. Keep context, but bias tokens toward actual review text.
 ```diff
@@ Work Chunk 2C: Note Document Extractor
 - Build content with structured metadata header:
 - [[Note]]
 - source_type: note
 - note_gitlab_id: ...
 - project: ...
 - ...
 - --- Body ---
 - {body}
 + Build content with compact, high-signal layout:
 + [[Note]]
 + @{author} on {Issue#|MR!}{iid} in {project_path}
 + path: {path:line}            (only when available)
 + state: {resolved|unresolved} (only when resolvable)
 +
 + {body}
 +
 +Keep detailed metadata in structured document columns/labels/paths/url,
 +not repeated in verbose text.
 ```
 9. Add explicit performance regression checks for the new hot paths
 Why: this feature increases document volume ~4x; you should pin acceptable query behavior now so future changes don’t silently degrade.
 ```diff
@@ Verification Checklist
 +Performance/plan checks:
 +1) `EXPLAIN QUERY PLAN` for:
 +   - author+since query
 +   - project+date query
 +   - for-mr / for-issue query
 +2) Seed 50k-note synthetic fixture and assert:
 +   - `lore notes --author ... --limit 100` stays under agreed local threshold
 +   - `lore search --type note ...` remains deterministic and completes successfully
 ```
 If you want, I can also provide a fully merged “iteration 3” PRD text with these edits applied end-to-end so you can drop it in directly.
--- a/docs/prd-per-note-search.feedback-4.md
+++ b/docs/prd-per-note-search.feedback-4.md
@@ -1,187 +0,0 @@
 1. **Canonical note identity for documents: use `notes.gitlab_id` as `source_id`**
 Why this is better: the current plan still couples document identity to local row IDs. Even with upsert+sweep, local IDs are a storage artifact and can be reused in edge cases. Using GitLab note IDs as canonical document IDs makes regeneration, backfill, and deletion propagation more stable and portable.
 ```diff
 --- a/PRD.md
 +++ b/PRD.md
@@ Phase 0: Stable Note Identity
 -Phase 2 depends on `notes.id` as the `source_id` for note documents.
 +Phase 2 uses `notes.gitlab_id` as the `source_id` for note documents.
 +`notes.id` remains an internal relational key only.
@@ Work Chunk 0A
 pub struct NoteUpsertOutcome {
     pub local_note_id: i64,
 +    pub document_source_id: i64, // notes.gitlab_id
     pub changed_semantics: bool,
 }
@@ Work Chunk 2D
 -if !note.is_system && outcome.changed_semantics {
 -    dirty_tracker::mark_dirty_tx(&tx, SourceType::Note, outcome.local_note_id)?;
 +if !note.is_system && outcome.changed_semantics {
 +    dirty_tracker::mark_dirty_tx(&tx, SourceType::Note, outcome.document_source_id)?;
 }
@@ Work Chunk 2E
 -SELECT 'note', n.id, ?1
 +SELECT 'note', n.gitlab_id, ?1
@@ Work Chunk 2H
 -ON d.source_type = 'note' AND d.source_id = n.id
 +ON d.source_type = 'note' AND d.source_id = n.gitlab_id
 ```
 2. **Prevent false deletions on partial/incomplete syncs**
 Why this is better: sweep-based deletion is correct only when a discussion’s notes were fully fetched. If a page fails mid-fetch, current logic can incorrectly delete valid notes. Add an explicit “fetch complete” guard before sweep.
 ```diff
 --- a/PRD.md
 +++ b/PRD.md
@@ Phase 0
 +### Work Chunk 0C: Sweep Safety Guard (Partial Fetch Protection)
 +
 +Only run stale-note sweep when note pagination completed successfully for that discussion.
 +If fetch is partial/interrupted, skip sweep and keep prior notes intact.
 +#### Tests to Write First
 +#[test]
 +fn test_partial_fetch_does_not_sweep_notes() { /* ... */ }
 +
 +#[test]
 +fn test_complete_fetch_runs_sweep_notes() { /* ... */ }
 +#### Implementation
 +if discussion_fetch_complete {
 +    sweep_stale_issue_notes(...)?;
 +} else {
 +    tracing::warn!("Skipping stale sweep for discussion {} due to partial fetch", discussion_gitlab_id);
 +}
 ```
 3. **Make deletion propagation set-based (not per-note loop)**
 Why this is better: the current per-note DELETE loop is O(N) statements and gets slow on large threads. A temp-table/CTE set-based delete is faster, simpler to reason about, and remains atomic.
 ```diff
 --- a/PRD.md
 +++ b/PRD.md
@@ Work Chunk 0B Implementation
 -    for note_id in stale_note_ids {
 -        conn.execute("DELETE FROM documents WHERE source_type = 'note' AND source_id = ?", [note_id])?;
 -        conn.execute("DELETE FROM dirty_sources WHERE source_type = 'note' AND source_id = ?", [note_id])?;
 -    }
 +    CREATE TEMP TABLE _stale_note_source_ids(source_id INTEGER PRIMARY KEY) WITHOUT ROWID;
 +    INSERT INTO _stale_note_source_ids
 +    SELECT gitlab_id
 +    FROM notes
 +    WHERE discussion_id = ? AND last_seen_at < ? AND is_system = 0;
 +
 +    DELETE FROM notes
 +    WHERE discussion_id = ? AND last_seen_at < ?;
 +
 +    DELETE FROM documents
 +    WHERE source_type = 'note'
 +      AND source_id IN (SELECT source_id FROM _stale_note_source_ids);
 +
 +    DELETE FROM dirty_sources
 +    WHERE source_type = 'note'
 +      AND source_id IN (SELECT source_id FROM _stale_note_source_ids);
 +
 +    DROP TABLE _stale_note_source_ids;
 ```
 4. **Fix project-scoping and time-window semantics in `lore notes`**
 Why this is better: the plan currently has a contradiction: clap `requires = "project"` blocks use of `defaultProject`, while query layer says default fallback is allowed. Also, `since/until` parsing should use one shared “now” to avoid subtle drift and inverted windows.
 ```diff
 --- a/PRD.md
 +++ b/PRD.md
@@ Work Chunk 1B NotesArgs
 -#[arg(long = "for-issue", ..., requires = "project")]
 +#[arg(long = "for-issue", ...)]
 pub for_issue: Option<i64>;
 -#[arg(long = "for-mr", ..., requires = "project")]
 +#[arg(long = "for-mr", ...)]
 pub for_mr: Option<i64>;
@@ Work Chunk 1A Query Notes
 -- `since`: `parse_since(since_str)` then `n.created_at >= ?`
 -- `until`: `parse_since(until_str)` then `n.created_at <= ?`
 +- Parse `since` and `until` with a single anchored `now_ms` captured once per command.
 +- If user supplies `YYYY-MM-DD` for `--until`, interpret as end-of-day (23:59:59.999 UTC).
 +- Validate `since <= until` after both parse with same anchor.
 ```
 5. **Add an analytics mode (not a profile command): `lore notes --aggregate`**
 Why this is better: this directly supports the stated use case (review patterns) without introducing the rejected “profile report” command. It keeps scope narrow and reuses existing filters.
 ```diff
 --- a/PRD.md
 +++ b/PRD.md
@@ Phase 1
 +### Work Chunk 1F: Aggregation Mode for Notes Listing
 +
 +Add optional aggregation on top of `lore notes`:
 +- `--aggregate author|note_type|path|resolution`
 +- `--top N` (default 20)
 +
 +Behavior:
 +- Reuses all existing filters (`--since`, `--project`, `--for-mr`, etc.)
 +- Returns grouped counts (+ percentage of filtered corpus)
 +- Works in table/json/jsonl/csv
 +
 +Non-goal alignment:
 +- This is not a narrative “reviewer profile” command.
 +- It is a query primitive for downstream analysis.
 ```
 6. **Prevent note backfill from starving other document regeneration**
 Why this is better: after migration/backfill, note dirty entries can dominate the queue and delay issue/MR/discussion updates. Add source-type fairness in regenerator scheduling.
 ```diff
 --- a/PRD.md
 +++ b/PRD.md
@@ Work Chunk 2D
 +#### Scheduling Revision
 +Process dirty sources with weighted fairness instead of strict FIFO:
 +- issue: 3
 +- merge_request: 3
 +- discussion: 2
 +- note: 1
 +
 +Implementation sketch:
 +- fetch next batch by source_type buckets
 +- interleave according to weights
 +- preserve retry semantics per source
 +#### Tests to Write First
 +#[test]
 +fn test_note_backfill_does_not_starve_issue_and_mr_regeneration() { /* ... */ }
 ```
 7. **Harden migration 023: remove invalid SQL assertions and move integrity checks to tests**
 Why this is better: `RAISE(ABORT, ...)` in standalone `SELECT` is not valid SQLite usage outside triggers/check expressions. Keep migration SQL minimal/portable and enforce invariants in migration tests.
 ```diff
 --- a/PRD.md
 +++ b/PRD.md
@@ Work Chunk 2A Migration SQL
 --- Step 10: Integrity verification
 -SELECT CASE
 -    WHEN ... THEN RAISE(ABORT, '...')
 -END;
 +-- Step 10 removed from SQL migration.
 +-- Integrity verification is enforced in migration tests:
 +-- 1) pre/post row-count equality
 +-- 2) `PRAGMA foreign_key_check` is empty
 +-- 3) documents_fts row count matches documents row count after rebuild
@@ Work Chunk 2A Tests
 +#[test]
 +fn test_migration_023_integrity_checks_pass() {
 +    // pre/post counts, foreign_key_check empty, fts parity
 +}
 ```
 These 7 revisions improve correctness under failure, reduce churn risk, improve large-sync performance, and make the feature materially more useful for reviewer-analysis workflows without reintroducing any rejected recommendations.
--- a/docs/prd-per-note-search.feedback-5.md
+++ b/docs/prd-per-note-search.feedback-5.md
@@ -1,190 +0,0 @@
 Here are the highest-impact revisions I’d make. None of these repeat anything in your `## Rejected Recommendations`.
 1. **Add immutable reviewer identity (`author_id`) as a first-class key**
 Why this improves the plan: the PRD’s core use case is year-scale reviewer profiling. Usernames are mutable in GitLab, so username-only filtering will fragment one reviewer into multiple identities over time. Adding `author_id` closes that correctness hole and makes historical analysis reliable.
 ```diff
@@ Problem Statement
 -1. **Query individual notes by author** — the `--author` filter on `lore search` only matches the first note's author per discussion thread
 +1. **Query individual notes by reviewer identity** — support both mutable username and immutable GitLab `author_id` for stable longitudinal analysis
@@ Phase 0: Stable Note Identity
 +### Work Chunk 0D: Immutable Author Identity Capture
 +**Files:** `migrations/025_notes_author_id.sql`, `src/ingestion/discussions.rs`, `src/ingestion/mr_discussions.rs`, `src/cli/commands/list.rs`
 +
 +#### Implementation
 +- Add nullable `notes.author_id INTEGER` and backfill from future syncs.
 +- Populate `author_id` from GitLab note payload (`note.author.id`) on both issue and MR note ingestion paths.
 +- Add `--author-id <int>` filter to `lore notes`.
 +- Keep `--author` for ergonomics; when both provided, require both to match.
 +
 +#### Indexing
 +- Add `idx_notes_author_id_created ON notes(project_id, author_id, created_at DESC, id DESC) WHERE is_system = 0;`
 +
 +#### Tests
 +- `test_query_notes_filter_author_id_survives_username_change`
 +- `test_query_notes_author_and_author_id_intersection`
 ```
 2. **Strengthen partial-fetch safety from a boolean to an explicit fetch state contract**
 Why this improves the plan: `fetch_complete: bool` is easy to misuse and fragile under retries/crashes. A run-scoped state model makes sweep correctness auditable and prevents accidental deletions when ingestion aborts midway.
 ```diff
@@ Phase 0: Stable Note Identity
 -### Work Chunk 0C: Sweep Safety Guard (Partial Fetch Protection)
 +### Work Chunk 0C: Sweep Safety Guard with Run-Scoped Fetch State
@@ Implementation
 -Add a `fetch_complete` parameter to the discussion ingestion functions. Only run the stale-note sweep when the fetch completed successfully:
 +Add a run-scoped fetch state:
 +- `FetchState::Complete`
 +- `FetchState::Partial`
 +- `FetchState::Failed`
 +
 +Only run sweep on `FetchState::Complete`.
 +Persist `run_seen_at` once per sync run and pass unchanged through all discussion/note upserts.
 +Require `run_seen_at` monotonicity per discussion before sweep (skip and warn otherwise).
@@ Tests to Write First
 +#[test]
 +fn test_failed_fetch_never_sweeps_even_after_partial_upserts() { ... }
 +#[test]
 +fn test_non_monotonic_run_seen_at_skips_sweep() { ... }
 +#[test]
 +fn test_retry_after_failed_fetch_then_complete_sweeps_correctly() { ... }
 ```
 3. **Add DB-level cleanup triggers for note-document referential integrity**
 Why this improves the plan: Work Chunk 0B handles the sweep path, but not every possible delete path. DB triggers give defense-in-depth so stale note docs cannot survive even if a future code path deletes notes differently.
 ```diff
@@ Work Chunk 0B: Immediate Deletion Propagation
 -Update both sweep functions to propagate deletion to documents and dirty_sources using set-based SQL
 +Keep set-based SQL in sweep functions, and add DB-level cleanup triggers as a safety net.
@@ Work Chunk 2A: Schema Migration (023)
 +-- Cleanup trigger: deleting a non-system note must delete note document + dirty queue row
 +CREATE TRIGGER notes_ad_cleanup AFTER DELETE ON notes
 +WHEN old.is_system = 0
 +BEGIN
 +  DELETE FROM documents
 +   WHERE source_type = 'note' AND source_id = old.id;
 +  DELETE FROM dirty_sources
 +   WHERE source_type = 'note' AND source_id = old.id;
 +END;
 +
 +-- Cleanup trigger: if note flips to system, remove its document artifacts
 +CREATE TRIGGER notes_au_system_cleanup AFTER UPDATE OF is_system ON notes
 +WHEN old.is_system = 0 AND new.is_system = 1
 +BEGIN
 +  DELETE FROM documents
 +   WHERE source_type = 'note' AND source_id = new.id;
 +  DELETE FROM dirty_sources
 +   WHERE source_type = 'note' AND source_id = new.id;
 +END;
 ```
 4. **Eliminate N+1 extraction cost with parent metadata caching in regeneration**
 Why this improves the plan: backfilling ~8k notes with per-note parent/label lookups creates avoidable query amplification. Batch caching turns repeated joins into one-time lookups per parent entity and materially reduces rebuild time.
 ```diff
@@ Phase 2: Per-Note Documents
 +### Work Chunk 2I: Batch Parent Metadata Cache for Note Regeneration
 +**Files:** `src/documents/regenerator.rs`, `src/documents/extractor.rs`
 +
 +#### Implementation
 +- Add `NoteExtractionContext` cache keyed by `(noteable_type, parent_id)` containing:
 +  - parent iid/title/url
 +  - parent labels
 +  - project path
 +- In batch regeneration, prefetch parent metadata for note IDs in the current chunk.
 +- Use cached metadata in `extract_note_document()` to avoid repeated parent/label queries.
 +
 +#### Tests
 +- `test_note_regeneration_uses_parent_cache_consistently`
 +- `test_note_regeneration_cache_hit_preserves_hash_determinism`
 ```
 5. **Add embedding dedup cache keyed by semantic text hash**
 Why this improves the plan: note docs will contain repeated short comments (“LGTM”, “nit: …”). Current doc-level hashing includes metadata, so identical semantic comments still re-embed many times. A semantic embedding hash cache cuts cost and speeds full rebuild/backfill without changing search behavior.
 ```diff
@@ Phase 2: Per-Note Documents
 +### Work Chunk 2J: Semantic Embedding Dedup for Notes
 +**Files:** `migrations/026_embedding_cache.sql`, embedding pipeline module(s), `src/documents/extractor.rs`
 +
 +#### Implementation
 +- Compute `embedding_text` for notes as: normalized note body + compact stable context (`parent_type`, `path`, `resolution`), excluding volatile fields.
 +- Compute `embedding_hash = sha256(embedding_text)`.
 +- Before embedding generation, lookup existing vector by `(model, embedding_hash)`.
 +- Reuse cached vector when present; only call embedding model on misses.
 +
 +#### Tests
 +- `test_identical_note_bodies_reuse_embedding_vector`
 +- `test_embedding_hash_changes_when_semantic_context_changes`
 ```
 6. **Add deterministic review-signal tags as derived labels**
 Why this improves the plan: this makes output immediately more useful for reviewer-pattern analysis without adding a profile command (which is explicitly out of scope). It increases practical value of both `lore notes` and `lore search --type note` with low complexity.
 ```diff
@@ Non-Goals
 -- Adding a "reviewer profile" report command (that's a downstream use case built on this infrastructure)
 +- Adding a "reviewer profile" report command (downstream), while allowing low-level derived signal tags as indexing primitives
@@ Phase 2: Per-Note Documents
 +### Work Chunk 2K: Derived Review Signal Labels
 +**Files:** `src/documents/extractor.rs`
 +
 +#### Implementation
 +- Derive deterministic labels from note text + metadata:
 +  - `signal:nit`
 +  - `signal:blocking`
 +  - `signal:security`
 +  - `signal:performance`
 +  - `signal:testing`
 +- Attach via existing `document_labels` flow for note documents.
 +- No new CLI mode required; existing label filters can consume these labels.
 +
 +#### Tests
 +- `test_note_document_derives_signal_labels_nit`
 +- `test_note_document_derives_signal_labels_security`
 +- `test_signal_label_derivation_is_deterministic`
 ```
 7. **Add high-precision note targeting filters (`--note-id`, `--gitlab-note-id`, `--discussion-id`)**
 Why this improves the plan: debugging, incident response, and reproducibility all benefit from exact addressing. This is especially useful when validating sync correctness and cross-checking a specific note/document lifecycle.
 ```diff
@@ Work Chunk 1B: CLI Arguments & Command Wiring
 pub struct NotesArgs {
 +    /// Filter by local note row id
 +    #[arg(long = "note-id", help_heading = "Filters")]
 +    pub note_id: Option<i64>,
 +
 +    /// Filter by GitLab note id
 +    #[arg(long = "gitlab-note-id", help_heading = "Filters")]
 +    pub gitlab_note_id: Option<i64>,
 +
 +    /// Filter by local discussion id
 +    #[arg(long = "discussion-id", help_heading = "Filters")]
 +    pub discussion_id: Option<i64>,
 }
@@ Work Chunk 1A: Filter struct
 pub struct NoteListFilters<'a> {
 +    pub note_id: Option<i64>,
 +    pub gitlab_note_id: Option<i64>,
 +    pub discussion_id: Option<i64>,
 }
@@ Tests to Write First
 +#[test]
 +fn test_query_notes_filter_note_id_exact() { ... }
 +#[test]
 +fn test_query_notes_filter_gitlab_note_id_exact() { ... }
 +#[test]
 +fn test_query_notes_filter_discussion_id_exact() { ... }
 ```
 If you want, I can produce a single consolidated “iteration 5” PRD diff that merges these into your exact section ordering and updates the dependency graph/migration numbering end-to-end.
--- a/docs/who-command-design.feedback-1.md
+++ b/docs/who-command-design.feedback-1.md
@@ -1,434 +0,0 @@
 Below are the highest-leverage revisions I’d make to this plan. I’m focusing on correctness pitfalls, SQLite gotchas, query performance on 280K notes, and reducing “dynamic SQL + param juggling” complexity—without turning this into a new ingestion project.
 Change 1 — Fix a hard SQLite bug in --active (GROUP_CONCAT DISTINCT + separator)
 Why
 SQLite does not allow GROUP_CONCAT(DISTINCT x, sep). With DISTINCT, SQLite only permits a single argument (GROUP_CONCAT(DISTINCT x)). Your current query will error at runtime in many SQLite versions.
 Revision
 Use a subquery that selects distinct participants, then GROUP_CONCAT with your separator.
 diff
 Copy code
 diff --git a/Plan.md b/Plan.md
@@ fn query_active(...)
 -            (SELECT GROUP_CONCAT(DISTINCT n.author_username, X'1F')
 -             FROM notes n
 -             WHERE n.discussion_id = d.id
 -               AND n.is_system = 0
 -               AND n.author_username IS NOT NULL) AS participants
 +            (SELECT GROUP_CONCAT(username, X'1F') FROM (
 +               SELECT DISTINCT n.author_username AS username
 +               FROM notes n
 +               WHERE n.discussion_id = d.id
 +                 AND n.is_system = 0
 +                 AND n.author_username IS NOT NULL
 +               ORDER BY username
 +            )) AS participants
 Change 2 — Replace “contains('.') => exact file match” with segment-aware path classification
 Why
 path.contains('.') misclassifies directories like:
 .github/workflows/
 src/v1.2/auth/
 It also fails the “root file” case (README.md) because your mode discriminator only treats paths as paths if they contain /.
 Revision
 Add explicit --path to force Expert mode (covers root files cleanly).
 Classify file-vs-dir by checking last path segment for a dot, and whether the input ends with /.
 diff
 Copy code
 diff --git a/Plan.md b/Plan.md
@@ pub struct WhoArgs {
 -    /// Username or file path (path if contains /)
 -    pub target: Option<String>,
 +    /// Username or file path shorthand (ambiguous for root files like README.md)
 +    pub target: Option<String>,
 +
 +    /// Force expert mode for a file/directory path (supports root files like README.md)
 +    #[arg(long, help_heading = "Mode", conflicts_with_all = ["active", "overlap", "reviews"])]
 +    pub path: Option<String>,
@@ fn resolve_mode<'a>(args: &'a WhoArgs) -> Result<WhoMode<'a>> {
 -    if let Some(target) = &args.target {
 +    if let Some(p) = &args.path {
 +        return Ok(WhoMode::Expert { path: p });
 +    }
 +    if let Some(target) = &args.target {
         let clean = target.strip_prefix('@').unwrap_or(target);
         if args.reviews {
             return Ok(WhoMode::Reviews { username: clean });
         }
 -        // Disambiguation: if target contains '/', it's a file path.
 -        // GitLab usernames never contain '/'.
 -        if target.contains('/') {
 +        // Disambiguation:
 +        // - treat as path if it contains '/'
 +        // - otherwise treat as username (root files require --path)
 +        if target.contains('/') {
             return Ok(WhoMode::Expert { path: target });
         }
         return Ok(WhoMode::Workload { username: clean });
     }
 And update the path pattern logic used by Expert/Overlap:
 diff
 Copy code
 diff --git a/Plan.md b/Plan.md
@@ fn query_expert(...)
 -    // Normalize path for LIKE matching: add trailing % if no extension
 -    let path_pattern = if path.contains('.') {
 -        path.to_string() // Exact file match
 -    } else {
 -        let trimmed = path.trim_end_matches('/');
 -        format!("{trimmed}/%")
 -    };
 +    // Normalize:
 +    // - if ends_with('/') => directory prefix
 +    // - else if last segment contains '.' => file exact match
 +    // - else => directory prefix
 +    let trimmed = path.trim_end_matches('/');
 +    let last = trimmed.rsplit('/').next().unwrap_or(trimmed);
 +    let is_file = !path.ends_with('/') && last.contains('.');
 +    let path_pattern = if is_file { trimmed.to_string() } else { format!("{trimmed}/%") };
 Change 3 — Stop building dynamic SQL strings for optional filters; always bind params
 Why
 Right now you’re mixing:
 dynamic project_clause string fragments
 ad-hoc param vectors
 placeholder renumbering by branch
 That’s brittle and easy to regress (especially when you add more conditions later). SQLite/rusqlite can bind Option<T> to NULL, which enables a simple pattern:
 sql
 Copy code
 AND (?3 IS NULL OR n.project_id = ?3)
 Revision (representative; apply to all queries)
 diff
 Copy code
 diff --git a/Plan.md b/Plan.md
@@ fn query_expert(...)
 -    let project_clause = if project_id.is_some() {
 -        "AND n.project_id = ?3"
 -    } else {
 -        ""
 -    };
 -
 -    let sql = format!(
 +    let sql = format!(
         "SELECT username, role, activity_count, last_active_at FROM (
@@
             FROM notes n
             WHERE n.position_new_path LIKE ?1
               AND n.is_system = 0
               AND n.author_username IS NOT NULL
               AND n.created_at >= ?2
 -              {project_clause}
 +              AND (?3 IS NULL OR n.project_id = ?3)
@@
             WHERE n.position_new_path LIKE ?1
               AND m.author_username IS NOT NULL
               AND m.updated_at >= ?2
 -              {project_clause}
 +              AND (?3 IS NULL OR n.project_id = ?3)
             GROUP BY m.author_username
 -        )"
 +        ) t"
     );
 -
 -    let mut params: Vec<Box<dyn rusqlite::ToSql>> = Vec::new();
 -    params.push(Box::new(path_pattern.clone()));
 -    params.push(Box::new(since_ms));
 -    if let Some(pid) = project_id {
 -        params.push(Box::new(pid));
 -    }
 -    let param_refs: Vec<&dyn rusqlite::ToSql> = params.iter().map(|p| p.as_ref()).collect();
 +    let param_refs = rusqlite::params![path_pattern, since_ms, project_id];
 Notes:
 Adds required derived-table alias t (some SQLite configurations are stricter).
 Eliminates the dynamic param vector and placeholder gymnastics.
 Change 4 — Filter “path touch” queries to DiffNotes and escape LIKE properly
 Why
 Only DiffNotes reliably have position_new_path; including other note types can skew counts and harm performance.
 LIKE treats % and _ as wildcards—rare in file paths, but not impossible (generated files, templates). Escaping is a low-cost robustness win.
 Revision
 Add note_type='DiffNote' and LIKE ... ESCAPE '\' plus a tiny escape helper.
 diff
 Copy code
 diff --git a/Plan.md b/Plan.md
@@ fn query_expert(...)
 -            FROM notes n
 -            WHERE n.position_new_path LIKE ?1
 +            FROM notes n
 +            WHERE n.note_type = 'DiffNote'
 +              AND n.position_new_path LIKE ?1 ESCAPE '\'
               AND n.is_system = 0
@@
 diff --git a/Plan.md b/Plan.md
@@ Helper Functions
 +fn escape_like(input: &str) -> String {
 +    input.replace('\\', "\\\\").replace('%', "\\%").replace('_', "\\_")
 +}
 And when building patterns:
 diff
 Copy code
 -    let path_pattern = if is_file { trimmed.to_string() } else { format!("{trimmed}/%") };
 +    let base = escape_like(trimmed);
 +    let path_pattern = if is_file { base } else { format!("{base}/%") };
 Apply the same changes to query_overlap and any other position_new_path LIKE ....
 Change 5 — Use note timestamps for “touch since” semantics (Expert/Overlap author branch)
 Why
 In Expert/Overlap “author” branches you filter by m.updated_at >= since. That answers “MR updated recently” rather than “MR touched at this path recently”, which can surface stale ownership.
 Revision
 Filter by the note creation time (and use it for “last touch” where relevant). You can still compute author activity, but anchor it to note activity.
 diff
 Copy code
 diff --git a/Plan.md b/Plan.md
@@ fn query_overlap(...)
 -            WHERE n.position_new_path LIKE ?1
 +            WHERE n.note_type = 'DiffNote'
 +              AND n.position_new_path LIKE ?1 ESCAPE '\'
               AND m.state IN ('opened', 'merged')
               AND m.author_username IS NOT NULL
 -              AND m.updated_at >= ?2
 +              AND n.created_at >= ?2
               AND (?3 IS NULL OR m.project_id = ?3)
 Same idea in Expert mode’s “MR authors” branch.
 Change 6 — Workload mode: apply --since consistently to unresolved discussions
 Why
 Workload’s unresolved discussions ignore since_ms. That makes --since partially misleading and can dump very old threads.
 Revision
 Filter on d.last_note_at when since_ms is set.
 diff
 Copy code
 diff --git a/Plan.md b/Plan.md
@@ fn query_workload(...)
 -    let disc_sql = format!(
 +    let disc_since = if since_ms.is_some() {
 +        "AND d.last_note_at >= ?2"
 +    } else { "" };
 +    let disc_sql = format!(
         "SELECT d.noteable_type,
@@
          WHERE d.resolvable = 1 AND d.resolved = 0
            AND EXISTS (
@@
            )
            {disc_project_filter}
 +           {disc_since}
          ORDER BY d.last_note_at DESC
          LIMIT {limit}"
     );
@@
 -    // Rebuild params for discussion query (only username + optional project_id)
 -    let mut disc_params: Vec<Box<dyn rusqlite::ToSql>> = Vec::new();
 -    disc_params.push(Box::new(username.to_string()));
 -    if let Some(pid) = project_id {
 -        disc_params.push(Box::new(pid));
 -    }
 +    // Params: username, since_ms, project_id (NULLs ok)
 +    let disc_param_refs = rusqlite::params![username, since_ms, project_id];
 (If you adopt Change 3 fully, this becomes very clean.)
 Change 7 — Make Overlap results represent “both roles” instead of collapsing to one
 Why
 Collapsing to a single role loses valuable info (“they authored and reviewed”). Also your current “prefer author” rule is arbitrary for the “who else is touching this” question.
 Revision
 Track role counts separately and render as A, R, or A+R.
 diff
 Copy code
 diff --git a/Plan.md b/Plan.md
@@ pub struct OverlapUser {
     pub username: String,
 -    pub role: String,
 -    pub touch_count: u32,
 +    pub author_touch_count: u32,
 +    pub review_touch_count: u32,
 +    pub touch_count: u32,
     pub last_touch_at: i64,
     pub mr_iids: Vec<i64>,
 }
@@ fn query_overlap(...)
 -        let entry = user_map.entry(username.clone()).or_insert_with(|| OverlapUser {
 +        let entry = user_map.entry(username.clone()).or_insert_with(|| OverlapUser {
             username: username.clone(),
 -            role: role.clone(),
 +            author_touch_count: 0,
 +            review_touch_count: 0,
             touch_count: 0,
             last_touch_at: 0,
             mr_iids: Vec::new(),
         });
         entry.touch_count += count;
 +        if role == "author" { entry.author_touch_count += count; }
 +        if role == "reviewer" { entry.review_touch_count += count; }
@@ human output
 -        println!(
 -            "  {:<16} {:<8} {:>7}  {:<12}  {}",
 +        println!(
 +            "  {:<16} {:<6} {:>7}  {:<12}  {}",
             ...
         );
@@
 -            user.role,
 +            format_roles(user.author_touch_count, user.review_touch_count),
 Change 8 — Add an “Index Audit + optional migration” step (big perf win, low blast radius)
 Why
 With 280K notes, the path/timestamp queries will degrade quickly without indexes. This isn’t “scope creep”; it’s making the feature usable.
 Revision (plan-level)
 Add a non-breaking migration that only creates indexes if missing.
 Optionally add a runtime check: if EXPLAIN QUERY PLAN indicates full table scan on notes, print a dim warning in human mode.
 diff
 Copy code
 diff --git a/Plan.md b/Plan.md
@@ Implementation Order
 -| Step | What | Files |
 +| Step | What | Files |
 | 1 | CLI skeleton: `WhoArgs` + `Commands::Who` + dispatch + stub | `cli/mod.rs`, `commands/mod.rs`, `main.rs` |
 +| 1.5 | Index audit + add `CREATE INDEX IF NOT EXISTS` migration for who hot paths | `migrations/0xx_who_indexes.sql` |
@@
 Suggested indexes (tune names to your conventions):
 notes(note_type, position_new_path, created_at)
 notes(discussion_id, is_system, author_username)
 discussions(resolvable, resolved, last_note_at, project_id)
 merge_requests(project_id, state, updated_at, author_username)
 issue_assignees(username, issue_id)
 Even if SQLite can’t perfectly index LIKE, these still help with join and timestamp filters.
 Change 9 — Make robot JSON reproducible by echoing the effective query inputs
 Why
 Agent workflows benefit from a stable “query record”: what mode ran, what path/user, resolved project, effective since, limit.
 Revision
 Include an input object in JSON output.
 diff
 Copy code
 diff --git a/Plan.md b/Plan.md
@@ struct WhoJsonData {
     mode: String,
 +    input: serde_json::Value,
     #[serde(flatten)]
     result: serde_json::Value,
 }
@@ pub fn print_who_json(...)
 -    let output = WhoJsonEnvelope {
 +    let input = serde_json::json!({
 +        "project": /* resolved or raw args.project */,
 +        "since": /* resolved since ISO */,
 +        "limit": /* args.limit */,
 +    });
 +    let output = WhoJsonEnvelope {
         ok: true,
         data: WhoJsonData {
             mode: mode.to_string(),
 +            input,
             result: data,
         },
         meta: RobotMeta { elapsed_ms },
     };
 Change 10 — Tighten clap constraints so invalid combinations never reach resolve_mode
 Why
 Right now conflicts are enforced manually (or not at all). Clamp the invalid combos at the CLI layer:
 --active should conflict with target, --overlap, --reviews, --path
 --reviews should require a username (and should conflict with Expert path modes)
 diff
 Copy code
 diff --git a/Plan.md b/Plan.md
@@ pub struct WhoArgs {
 -    pub active: bool,
 +    #[arg(long, help_heading = "Mode", conflicts_with_all = ["target", "overlap", "reviews", "path"])]
 +    pub active: bool,
@@
 -    pub overlap: Option<String>,
 +    #[arg(long, help_heading = "Mode", conflicts_with_all = ["target", "active", "reviews", "path"])]
 +    pub overlap: Option<String>,
@@
 -    pub reviews: bool,
 +    #[arg(long, help_heading = "Mode", requires = "target", conflicts_with_all = ["active", "overlap", "path"])]
 +    pub reviews: bool,
 Summary of what I’d definitely change
 If you do nothing else, do these first:
 Fix GROUP_CONCAT(DISTINCT ..., sep) in Active mode (runtime error).
 Path classification: add --path, and stop using contains('.') globally.
 Remove dynamic SQL + param vectors: always bind project_id as nullable and use (? IS NULL OR ...).
 Filter to DiffNotes + LIKE escaping for correctness and fewer rows scanned.
 Optional index migration: otherwise this will feel slow/non-deterministically slow depending on local DB state.
 If you want, I can also provide a consolidated “v2 plan” as a single unified patch (one diff) rather than per-change snippets.
--- a/docs/who-command-design.feedback-2.md
+++ b/docs/who-command-design.feedback-2.md
@@ -1,303 +0,0 @@
 Below are the highest-leverage revisions I’d make to iteration 1 to tighten correctness, performance, and “agent usefulness” without blowing up scope. For each change: (1) rationale, (2) a focused unified diff against the plan you pasted.
 Change 1 — Make robot “input echo” actually resolved (project_id, project_path, since_ms/iso, mode)
 Why
 Your Design Principle #5 says the robot envelope should echo resolved inputs (“effective since, resolved project”), but the current input object echoes only raw CLI strings. Agents can’t reliably reproduce or compare runs (e.g., fuzzy project resolution may map differently over time).
 This is also a reliability improvement: “what ran” should be computed once and propagated, not recomputed in output.
 Plan diff
 diff
 Copy code
 --- a/who-command-design.md
 +++ b/who-command-design.md
@@
 -5. **Robot-first reproducibility.** Robot JSON output includes an `input` object echoing the resolved query parameters (effective since, resolved project, limit) so agents can trace exactly what ran.
 +5. **Robot-first reproducibility.** Robot JSON output includes a `resolved_input` object (mode, since_ms + since_iso, resolved project_id + project_path, limit, db_path) so agents can trace exactly what ran.
@@
 -/// Main entry point. Resolves mode from args and dispatches.
 -pub fn run_who(config: &Config, args: &WhoArgs) -> Result<WhoResult> {
 +/// Main entry point. Resolves mode + resolved inputs once, then dispatches.
 +pub fn run_who(config: &Config, args: &WhoArgs) -> Result<WhoRun> {
     let db_path = get_db_path(config.storage.db_path.as_deref());
     let conn = create_connection(&db_path)?;
 -    let project_id = args
 +    let project_id = args
         .project
         .as_deref()
         .map(|p| resolve_project(&conn, p))
         .transpose()?;
 +    let project_path = project_id
 +        .map(|id| lookup_project_path(&conn, id))
 +        .transpose()?;
     let mode = resolve_mode(args)?;
     match mode {
         WhoMode::Expert { path } => {
             let since_ms = resolve_since(args.since.as_deref(), "6m")?;
             let result = query_expert(&conn, path, project_id, since_ms, args.limit)?;
 -            Ok(WhoResult::Expert(result))
 +            Ok(WhoRun::new("expert", &db_path, project_id, project_path, since_ms, args.limit, WhoResult::Expert(result)))
         }
@@
     }
 }
 +
 +/// Wrapper that carries resolved inputs for reproducible output.
 +pub struct WhoRun {
 +    pub mode: String,
 +    pub resolved_input: WhoResolvedInput,
 +    pub result: WhoResult,
 +}
 +
 +pub struct WhoResolvedInput {
 +    pub db_path: String,
 +    pub project_id: Option<i64>,
 +    pub project_path: Option<String>,
 +    pub since_ms: i64,
 +    pub since_iso: String,
 +    pub limit: usize,
 +}
@@
 -pub fn print_who_json(result: &WhoResult, args: &WhoArgs, elapsed_ms: u64) {
 -    let (mode, data) = match result {
 +pub fn print_who_json(run: &WhoRun, args: &WhoArgs, elapsed_ms: u64) {
 +    let (mode, data) = match &run.result {
         WhoResult::Expert(r) => ("expert", expert_to_json(r)),
@@
 -    let input = serde_json::json!({
 +    let input = serde_json::json!({
         "target": args.target,
         "path": args.path,
         "project": args.project,
         "since": args.since,
         "limit": args.limit,
     });
 +
 +    let resolved_input = serde_json::json!({
 +        "mode": run.mode,
 +        "db_path": run.resolved_input.db_path,
 +        "project_id": run.resolved_input.project_id,
 +        "project_path": run.resolved_input.project_path,
 +        "since_ms": run.resolved_input.since_ms,
 +        "since_iso": run.resolved_input.since_iso,
 +        "limit": run.resolved_input.limit,
 +    });
@@
 -        data: WhoJsonData {
 -            mode: mode.to_string(),
 -            input,
 -            result: data,
 -        },
 +        data: WhoJsonData { mode: mode.to_string(), input, resolved_input, result: data },
         meta: RobotMeta { elapsed_ms },
     };
@@
 struct WhoJsonData {
     mode: String,
     input: serde_json::Value,
 +    resolved_input: serde_json::Value,
     #[serde(flatten)]
     result: serde_json::Value,
 }
 Change 2 — Remove dynamic SQL format!(..LIMIT {limit}) and parameterize LIMIT everywhere
 Why
 You explicitly prefer static SQL ((?N IS NULL OR ...)) to avoid subtle bugs; but Workload/Active use format! for LIMIT. Even though limit is typed, it’s an inconsistency that complicates statement caching and encourages future string assembly creep.
 SQLite supports LIMIT ? with bound parameters; rusqlite can bind an i64.
 Plan diff
 diff
 Copy code
 --- a/who-command-design.md
 +++ b/who-command-design.md
@@
 -    let issues_sql = format!(
 -        "SELECT ... 
 -         ORDER BY i.updated_at DESC
 -         LIMIT {limit}"
 -    );
 -    let mut stmt = conn.prepare(&issues_sql)?;
 +    let issues_sql =
 +        "SELECT ...
 +         ORDER BY i.updated_at DESC
 +         LIMIT ?4";
 +    let mut stmt = conn.prepare(issues_sql)?;
     let assigned_issues: Vec<WorkloadIssue> = stmt
 -        .query_map(rusqlite::params![username, project_id, since_ms], |row| {
 +        .query_map(rusqlite::params![username, project_id, since_ms, limit as i64], |row| {
@@
 -    let authored_sql = format!(
 -        "SELECT ...
 -         ORDER BY m.updated_at DESC
 -         LIMIT {limit}"
 -    );
 -    let mut stmt = conn.prepare(&authored_sql)?;
 +    let authored_sql =
 +        "SELECT ...
 +         ORDER BY m.updated_at DESC
 +         LIMIT ?4";
 +    let mut stmt = conn.prepare(authored_sql)?;
@@
 -        .query_map(rusqlite::params![username, project_id, since_ms], |row| {
 +        .query_map(rusqlite::params![username, project_id, since_ms, limit as i64], |row| {
@@
 -    let reviewing_sql = format!(
 -        "SELECT ...
 -         ORDER BY m.updated_at DESC
 -         LIMIT {limit}"
 -    );
 -    let mut stmt = conn.prepare(&reviewing_sql)?;
 +    let reviewing_sql =
 +        "SELECT ...
 +         ORDER BY m.updated_at DESC
 +         LIMIT ?4";
 +    let mut stmt = conn.prepare(reviewing_sql)?;
@@
 -        .query_map(rusqlite::params![username, project_id, since_ms], |row| {
 +        .query_map(rusqlite::params![username, project_id, since_ms, limit as i64], |row| {
@@
 -    let disc_sql = format!(
 -        "SELECT ...
 -         ORDER BY d.last_note_at DESC
 -         LIMIT {limit}"
 -    );
 -    let mut stmt = conn.prepare(&disc_sql)?;
 +    let disc_sql =
 +        "SELECT ...
 +         ORDER BY d.last_note_at DESC
 +         LIMIT ?4";
 +    let mut stmt = conn.prepare(disc_sql)?;
@@
 -        .query_map(rusqlite::params![username, project_id, since_ms], |row| {
 +        .query_map(rusqlite::params![username, project_id, since_ms, limit as i64], |row| {
@@
 -    let sql = format!(
 -        "SELECT ...
 -         ORDER BY d.last_note_at DESC
 -         LIMIT {limit}"
 -    );
 -    let mut stmt = conn.prepare(&sql)?;
 +    let sql =
 +        "SELECT ...
 +         ORDER BY d.last_note_at DESC
 +         LIMIT ?3";
 +    let mut stmt = conn.prepare(sql)?;
@@
 -        .query_map(rusqlite::params![since_ms, project_id], |row| {
 +        .query_map(rusqlite::params![since_ms, project_id, limit as i64], |row| {
 Change 3 — Fix path matching for dotless files (LICENSE/Makefile) via “exact OR prefix” (no new flags)
 Why
 Your improved “dot only in last segment” heuristic still fails on dotless files (LICENSE, Makefile, Dockerfile) which are common, especially at repo root. Right now they’ll be treated as directories (LICENSE/%) and silently return nothing.
 Best minimal UX: if user provides a path that’s ambiguous (no trailing slash), match either exact file OR directory prefix.
 Plan diff
 diff
 Copy code
 --- a/who-command-design.md
 +++ b/who-command-design.md
@@
 -/// Build a LIKE pattern from a user-supplied path, with proper LIKE escaping.
 -///
 -/// Rules:
 -/// - If the path ends with `/`, it's a directory prefix → `escaped_path%`
 -/// - If the last path segment contains `.`, it's a file → exact match
 -/// - Otherwise, it's a directory prefix → `escaped_path/%`
 +/// Build an exact + prefix match from a user-supplied path, with proper LIKE escaping.
 +///
 +/// Rules:
 +/// - If the path ends with `/`, treat as directory-only (prefix match)
 +/// - Otherwise, treat as ambiguous: exact match OR directory prefix
 +///   (fixes dotless files like LICENSE/Makefile without requiring new flags)
@@
 -fn build_path_pattern(path: &str) -> String {
 +struct PathMatch {
 +    exact: String,
 +    prefix: String,
 +    dir_only: bool,
 +}
 +
 +fn build_path_match(path: &str) -> PathMatch {
     let trimmed = path.trim_end_matches('/');
 -    let last_segment = trimmed.rsplit('/').next().unwrap_or(trimmed);
 -    let is_file = !path.ends_with('/') && last_segment.contains('.');
     let escaped = escape_like(trimmed);
 -
 -    if is_file {
 -        escaped
 -    } else {
 -        format!("{escaped}/%")
 -    }
 +    PathMatch {
 +        exact: escaped.clone(),
 +        prefix: format!("{escaped}/%"),
 +        dir_only: path.ends_with('/'),
 +    }
 }
@@
 -    let path_pattern = build_path_pattern(path);
 +    let pm = build_path_match(path);
@@
 -              AND n.position_new_path LIKE ?1 ESCAPE '\\'
 +              AND (
 +                    (?4 = 1 AND n.position_new_path LIKE ?2 ESCAPE '\\')
 +                 OR (?4 = 0 AND (n.position_new_path = ?1 OR n.position_new_path LIKE ?2 ESCAPE '\\'))
 +              )
@@
 -    let rows: Vec<(String, String, u32, i64)> = stmt
 -        .query_map(rusqlite::params![path_pattern, since_ms, project_id], |row| {
 +    let rows: Vec<(String, String, u32, i64)> = stmt
 +        .query_map(rusqlite::params![pm.exact, pm.prefix, since_ms, i32::from(pm.dir_only), project_id], |row| {
             Ok((row.get(0)?, row.get(1)?, row.get(2)?, row.get(3)?))
         })?
 (Apply the same pattern to Overlap mode.)
 Change 4 — Consistently exclude system notes in all DiffNote-based branches (Expert/Overlap author branches currently don’t)
 Why
 You filter n.is_system = 0 for reviewer branches, but not in the author branches of Expert/Overlap. That can skew “author touch” via system-generated diff notes or bot activity.
 Consistency here improves correctness and also enables more aggressive partial indexing.
 Plan diff
 diff
 Copy code
 --- a/who-command-design.md
 +++ b/who-command-design.md
@@
 -            WHERE n.note_type = 'DiffNote'
 +            WHERE n.note_type = 'DiffNote'
               AND n.position_new_path LIKE ?1 ESCAPE '\\'
 +              AND n.is_system = 0
               AND m.author_username IS NOT NULL
               AND n.created_at >= ?2
               AND (?3 IS NULL OR m.project_id = ?3)
@@
 -            WHERE n.note_type = 'DiffNote'
 +            WHERE n.note_type = 'DiffNote'
               AND n.position_new_path LIKE ?1 ESCAPE '\\'
 +              AND n.is_system = 0
               AND m.state IN ('opened', 'merged')
               AND m.author_username IS NOT NULL
               AND n.created_at >= ?2
               AND (?3 IS NULL OR m.project_id = ?3)
 Change 5 — Rework Migration 017 indexes to match real predicates + add one critical notes index for discussion participation
 Why
 (a) idx_notes_diffnote_path_created currently leads with note_type even though it’s constant via partial index. You want the leading columns to match your most selective predicates: position_new_path prefix + created_at range, with optional project_id.
 (b) Active + Workload discussion participation repeatedly hits notes by (discussion_id, author_username); you only guarantee notes(discussion_id) is indexed. Adding a narrow partial composite index pays off immediately for both “participants” and “EXISTS user participated” checks.
 (c) The discussions index should focus on (project_id, last_note_at) with a partial predicate; resolvable/resolved a_
--- a/docs/who-command-design.feedback-3.md
+++ b/docs/who-command-design.feedback-3.md
@@ -1,471 +0,0 @@
 Below are the revisions I’d make to iteration 2 to improve correctness, determinism, query-plan quality, and multi-project usability without turning this into a bigger product.
 I’m treating your plan as the “source of truth” and showing git-diff style patches against the plan text/code blocks you included.
 Change 1 — Fix project scoping to hit the right index (DiffNote branches)
 Why
 Your hot-path index is:
 idx_notes_diffnote_path_created ON notes(position_new_path, created_at, project_id) WHERE note_type='DiffNote' AND is_system=0
 But in Expert/Overlap you sometimes scope by m.project_id = ?3 (MR table), not n.project_id = ?3 (notes table). That weakens the optimizer’s ability to use the composite notes index (and can force broader joins before filtering).
 Diff
 diff
 Copy code
 --- a/who-command-design.md
 +++ b/who-command-design.md
@@ Query: Expert Mode @@
 -              AND (?3 IS NULL OR m.project_id = ?3)
 +              -- IMPORTANT: scope on notes.project_id to maximize use of
 +              -- idx_notes_diffnote_path_created (notes is the selective table)
 +              AND (?3 IS NULL OR n.project_id = ?3)
@@ Query: Overlap Mode @@
 -              AND (?3 IS NULL OR m.project_id = ?3)
 +              AND (?3 IS NULL OR n.project_id = ?3)
@@ Query: Overlap Mode (author branch) @@
 -              AND (?3 IS NULL OR m.project_id = ?3)
 +              AND (?3 IS NULL OR n.project_id = ?3)
 Change 2 — Introduce a “prefix vs exact” path query to avoid LIKE when you don’t need it
 Why
 For exact file paths (e.g. src/auth/login.rs), you currently do:
 position_new_path LIKE ?1 ESCAPE '\' where ?1 has no wildcard
 That’s logically fine, but it’s a worse signal to the planner than = and can degrade performance depending on collation/case settings.
 This doesn’t violate “static SQL” — you can pick between two static query strings.
 Diff
 diff
 Copy code
 --- a/who-command-design.md
 +++ b/who-command-design.md
@@ Helper: Path Pattern Construction @@
 -fn build_path_pattern(path: &str) -> String {
 +struct PathQuery {
 +    /// The parameter value to bind.
 +    value: String,
 +    /// If true: use LIKE value || '%'. If false: use '='.
 +    is_prefix: bool,
 +}
 +
 +fn build_path_query(path: &str) -> PathQuery {
     let trimmed = path.trim_end_matches('/');
     let last_segment = trimmed.rsplit('/').next().unwrap_or(trimmed);
     let is_file = !path.ends_with('/') && last_segment.contains('.');
     let escaped = escape_like(trimmed);
     if is_file {
 -        escaped
 +        PathQuery { value: escaped, is_prefix: false }
     } else {
 -        format!("{escaped}/%")
 +        PathQuery { value: format!("{escaped}/%"), is_prefix: true }
     }
 }
 And then (example for DiffNote predicates):
 diff
 Copy code
@@ Query: Expert Mode @@
 -    let path_pattern = build_path_pattern(path);
 +    let pq = build_path_query(path);
 -    let sql = " ... n.position_new_path LIKE ?1 ESCAPE '\\' ... ";
 +    let sql_prefix = " ... n.position_new_path LIKE ?1 ESCAPE '\\' ... ";
 +    let sql_exact  = " ... n.position_new_path = ?1 ... ";
 -    let mut stmt = conn.prepare(sql)?;
 +    let mut stmt = if pq.is_prefix { conn.prepare_cached(sql_prefix)? }
 +                   else { conn.prepare_cached(sql_exact)? };
     let rows = stmt.query_map(params![... pq.value ...], ...);
 Change 3 — Push Expert aggregation into SQL (less Rust, fewer rows, SQL-level LIMIT)
 Why
 Right now Expert does:
 UNION ALL
 return per-role rows
 HashMap merge
 score compute
 sort/truncate
 You can do all of that in SQL deterministically, then LIMIT ?N actually works.
 Diff
 diff
 Copy code
 --- a/who-command-design.md
 +++ b/who-command-design.md
@@ Query: Expert Mode @@
 -    let sql = "SELECT username, role, activity_count, last_active_at FROM (
 -            ...
 -        )";
 +    let sql = "
 +      WITH activity AS (
 +        SELECT
 +          n.author_username AS username,
 +          'reviewer' AS role,
 +          COUNT(*) AS cnt,
 +          MAX(n.created_at) AS last_active_at
 +        FROM notes n
 +        WHERE n.note_type = 'DiffNote'
 +          AND n.is_system = 0
 +          AND n.author_username IS NOT NULL
 +          AND n.created_at >= ?2
 +          AND (?3 IS NULL OR n.project_id = ?3)
 +          AND (
 +            (?4 = 1 AND n.position_new_path LIKE ?1 ESCAPE '\\') OR
 +            (?4 = 0 AND n.position_new_path = ?1)
 +          )
 +        GROUP BY n.author_username
 +
 +        UNION ALL
 +
 +        SELECT
 +          m.author_username AS username,
 +          'author' AS role,
 +          COUNT(DISTINCT m.id) AS cnt,
 +          MAX(n.created_at) AS last_active_at
 +        FROM merge_requests m
 +        JOIN discussions d ON d.merge_request_id = m.id
 +        JOIN notes n ON n.discussion_id = d.id
 +        WHERE n.note_type = 'DiffNote'
 +          AND n.is_system = 0
 +          AND m.author_username IS NOT NULL
 +          AND n.created_at >= ?2
 +          AND (?3 IS NULL OR n.project_id = ?3)
 +          AND (
 +            (?4 = 1 AND n.position_new_path LIKE ?1 ESCAPE '\\') OR
 +            (?4 = 0 AND n.position_new_path = ?1)
 +          )
 +        GROUP BY m.author_username
 +      )
 +      SELECT
 +        username,
 +        SUM(CASE WHEN role='reviewer' THEN cnt ELSE 0 END) AS review_count,
 +        SUM(CASE WHEN role='author' THEN cnt ELSE 0 END) AS author_count,
 +        MAX(last_active_at) AS last_active_at,
 +        (SUM(CASE WHEN role='reviewer' THEN cnt ELSE 0 END) * 3.0) +
 +        (SUM(CASE WHEN role='author' THEN cnt ELSE 0 END) * 2.0) AS score
 +      FROM activity
 +      GROUP BY username
 +      ORDER BY score DESC, last_active_at DESC, username ASC
 +      LIMIT ?5
 +    ";
 -    // Aggregate by username: combine reviewer + author counts
 -    let mut user_map: HashMap<...> = HashMap::new();
 -    ...
 -    experts.sort_by(...); experts.truncate(limit);
 +    // No Rust-side merge/sort needed; SQL already returns final rows.
 Change 4 — Overlap output is ambiguous across projects: include stable MR refs (project_path!iid)
 Why
 mr_iids: Vec<i64> is ambiguous in a multi-project DB. !123 only means something with a project.
 Also: your MR IID dedup is currently Vec.contains() inside a loop (O(n²)). Use a HashSet.
 Diff
 diff
 Copy code
 --- a/who-command-design.md
 +++ b/who-command-design.md
@@ OverlapResult @@
 pub struct OverlapUser {
     pub username: String,
@@
 -    pub mr_iids: Vec<i64>,
 +    /// Stable MR references like "group/project!123"
 +    pub mr_refs: Vec<String>,
 }
@@ Query: Overlap Mode (SQL) @@
 -                GROUP_CONCAT(DISTINCT m.iid) AS mr_iids
 +                GROUP_CONCAT(DISTINCT (p.path_with_namespace || '!' || m.iid)) AS mr_refs
             FROM notes n
             JOIN discussions d ON n.discussion_id = d.id
             JOIN merge_requests m ON d.merge_request_id = m.id
 +            JOIN projects p ON m.project_id = p.id
@@
 -                GROUP_CONCAT(DISTINCT m.iid) AS mr_iids
 +                GROUP_CONCAT(DISTINCT (p.path_with_namespace || '!' || m.iid)) AS mr_refs
             FROM merge_requests m
             JOIN discussions d ON d.merge_request_id = m.id
             JOIN notes n ON n.discussion_id = d.id
 +            JOIN projects p ON m.project_id = p.id
@@ Query: Overlap Mode (Rust merge) @@
 -    let mr_iids: Vec<i64> = mr_iids_csv ...
 +    let mr_refs: Vec<String> = mr_refs_csv
 +      .as_deref()
 +      .map(|csv| csv.split(',').map(|s| s.trim().to_string()).collect())
 +      .unwrap_or_default();
@@
 -        // Merge MR IIDs, deduplicate
 -        for iid in &mr_iids {
 -            if !entry.mr_iids.contains(iid) {
 -                entry.mr_iids.push(*iid);
 -            }
 -        }
 +        // Merge MR refs, deduplicate
 +        use std::collections::HashSet;
 +        let mut set: HashSet<String> = entry.mr_refs.drain(..).collect();
 +        for r in mr_refs { set.insert(r); }
 +        entry.mr_refs = set.into_iter().collect();
 Change 5 — Active mode: avoid correlated subqueries by preselecting discussions, then aggregating notes once
 Why
 Your Active query does two correlated subqueries per discussion row:
 note_count
 participants
 With LIMIT 20 it’s not catastrophic, but it is still unnecessary work and creates “spiky” behavior if the planner chooses poorly.
 Pattern to use:
 CTE selects the limited set of discussions
 Join notes once, aggregate with GROUP BY
 Diff
 diff
 Copy code
 --- a/who-command-design.md
 +++ b/who-command-design.md
@@ Query: Active Mode @@
 -    let sql =
 -        "SELECT
 -            d.noteable_type,
 -            ...
 -            (SELECT COUNT(*) FROM notes n
 -             WHERE n.discussion_id = d.id AND n.is_system = 0) AS note_count,
 -            (SELECT GROUP_CONCAT(username, X'1F') FROM (
 -               SELECT DISTINCT n.author_username AS username
 -               FROM notes n
 -               WHERE n.discussion_id = d.id
 -                 AND n.is_system = 0
 -                 AND n.author_username IS NOT NULL
 -               ORDER BY username
 -            )) AS participants
 -         FROM discussions d
 -         ...
 -         LIMIT ?3";
 +    let sql = "
 +      WITH picked AS (
 +        SELECT d.id, d.noteable_type, d.issue_id, d.merge_request_id, d.project_id, d.last_note_at
 +        FROM discussions d
 +        WHERE d.resolvable = 1 AND d.resolved = 0
 +          AND d.last_note_at >= ?1
 +          AND (?2 IS NULL OR d.project_id = ?2)
 +        ORDER BY d.last_note_at DESC
 +        LIMIT ?3
 +      ),
 +      note_agg AS (
 +        SELECT
 +          n.discussion_id,
 +          COUNT(*) AS note_count,
 +          GROUP_CONCAT(n.author_username, X'1F') AS participants
 +        FROM (
 +          SELECT DISTINCT discussion_id, author_username
 +          FROM notes
 +          WHERE is_system = 0 AND author_username IS NOT NULL
 +        ) n
 +        JOIN picked p ON p.id = n.discussion_id
 +        GROUP BY n.discussion_id
 +      )
 +      SELECT
 +        p.noteable_type,
 +        COALESCE(i.iid, m.iid) AS entity_iid,
 +        COALESCE(i.title, m.title) AS entity_title,
 +        proj.path_with_namespace,
 +        p.last_note_at,
 +        COALESCE(na.note_count, 0) AS note_count,
 +        COALESCE(na.participants, '') AS participants
 +      FROM picked p
 +      JOIN projects proj ON p.project_id = proj.id
 +      LEFT JOIN issues i ON p.issue_id = i.id
 +      LEFT JOIN merge_requests m ON p.merge_request_id = m.id
 +      LEFT JOIN note_agg na ON na.discussion_id = p.id
 +      ORDER BY p.last_note_at DESC
 +    ";
 Change 6 — Use prepare_cached() everywhere (cheap perf win, no scope creep)
 Why
 You already worked hard to keep SQL static. Taking advantage of sqlite statement caching completes the loop.
 Diff
 diff
 Copy code
 --- a/who-command-design.md
 +++ b/who-command-design.md
@@ Query functions @@
 -    let mut stmt = conn.prepare(sql)?;
 +    let mut stmt = conn.prepare_cached(sql)?;
 Apply in all query fns (query_workload, query_reviews, query_active, query_expert, query_overlap, lookup_project_path).
 Change 7 — Human output: show project_path where ambiguity exists (Workload + Overlap)
 Why
 When not project-scoped, #42 and !100 aren’t unique. You already have project paths in the query results — you’re just not printing them.
 Diff
 diff
 Copy code
 --- a/who-command-design.md
 +++ b/who-command-design.md
@@ print_workload_human @@
 -            println!(
 -                "    {} {}  {}",
 +            println!(
 +                "    {} {}  {}  {}",
                 style(format!("#{:<5}", item.iid)).cyan(),
                 truncate_str(&item.title, 45),
                 style(format_relative_time(item.updated_at)).dim(),
 +                style(&item.project_path).dim(),
             );
@@ print_workload_human (MRs) @@
 -            println!(
 -                "    {} {}{}  {}",
 +            println!(
 +                "    {} {}{}  {}  {}",
                 style(format!("!{:<5}", mr.iid)).cyan(),
                 truncate_str(&mr.title, 40),
                 style(draft).dim(),
                 style(format_relative_time(mr.updated_at)).dim(),
 +                style(&mr.project_path).dim(),
             );
@@ print_overlap_human @@
 -        let mr_str = user.mr_iids.iter().take(5).map(|iid| format!("!{iid}")).collect::<Vec<_>>().join(", ");
 +        let mr_str = user.mr_refs.iter().take(5).cloned().collect::<Vec<_>>().join(", ");
 Change 8 — Robot JSON: add stable IDs + “defaulted” flags for reproducibility
 Why
 You already added resolved_input — good. Two more reproducibility gaps remain:
 Agents can’t reliably “open” an entity without IDs (discussion_id, mr_id, issue_id).
 Agents can’t tell whether since was user-provided vs defaulted (important when replaying intent).
 Diff
 diff
 Copy code
 --- a/who-command-design.md
 +++ b/who-command-design.md
@@ WhoResolvedInput @@
 pub struct WhoResolvedInput {
@@
     pub since_ms: Option<i64>,
     pub since_iso: Option<String>,
 +    pub since_was_default: bool,
     pub limit: usize,
 }
@@ run_who @@
 -            let since_ms = resolve_since(args.since.as_deref(), "6m")?;
 +            let since_was_default = args.since.is_none();
 +            let since_ms = resolve_since(args.since.as_deref(), "6m")?;
             Ok(WhoRun {
                 resolved_input: WhoResolvedInput {
@@
                     since_ms: Some(since_ms),
                     since_iso: Some(ms_to_iso(since_ms)),
 +                    since_was_default,
                     limit: args.limit,
                 },
@@ print_who_json resolved_input @@
     let resolved_input = serde_json::json!({
@@
         "since_ms": run.resolved_input.since_ms,
         "since_iso": run.resolved_input.since_iso,
 +        "since_was_default": run.resolved_input.since_was_default,
         "limit": run.resolved_input.limit,
     });
 And for Active/Workload discussion items, add IDs in SQL and JSON:
 diff
 Copy code
@@ ActiveDiscussion @@
 pub struct ActiveDiscussion {
 +    pub discussion_id: i64,
@@
 }
@@ query_active SELECT @@
 -      SELECT
 -        p.noteable_type,
 +      SELECT
 +        p.id AS discussion_id,
 +        p.noteable_type,
@@ active_to_json @@
 -        "discussions": r.discussions.iter().map(|d| json!({
 +        "discussions": r.discussions.iter().map(|d| json!({
 +            "discussion_id": d.discussion_id,
             ...
         }))
 Change 9 — Make performance verification explicit: require EXPLAIN QUERY PLAN checks for each mode
 Why
 You’re adding indexes specifically for these queries. The only way to ensure the planner is doing what you think is to lock in a short perf checklist (especially after schema drift or SQLite version differences).
 Diff
 diff
 Copy code
 --- a/who-command-design.md
 +++ b/who-command-design.md
@@ Verification @@
 # Manual verification against real data
 cargo run --release -- who src/features/global-search/
@@
 cargo run --release -- who src/features/global-search/ -p typescript  # project scoped
 +
 +# Perf verification (required before merge):
 +# Confirm idx_notes_diffnote_path_created is used for Expert/Overlap and
 +# idx_discussions_unresolved_recent is used for Active.
 +sqlite3 path/to/db.sqlite "
 +  EXPLAIN QUERY PLAN
 +  SELECT ... -- paste final Expert SQL with representative bindings
 +";
 (Keep it lightweight: one representative query per mode is enough.)
 Net effect
 Correctness: project scoping hits the notes index; IDs added for agent workflows.
 Performance: fewer rows/materialization in Expert; statement caching everywhere; Active avoids correlated subqueries.
 UX: human output no longer ambiguous across projects; Overlap MR references become actionable.
 Reproducibility: agents can distinguish defaults vs explicit inputs; can dereference entities reliably.
 If you want one “highest ROI” subset to implement first: Change 1 + Change 4 + Change 6 + Change 7. That’s where the real operational value lands.
--- a/docs/who-command-design.feedback-4.md
+++ b/docs/who-command-design.feedback-4.md
@@ -1,3 +0,0 @@
 ChatGPT said:
 Proposing code revisions for performance and determinism
 Answer now
--- a/docs/who-command-design.feedback-5.md
+++ b/docs/who-command-design.feedback-5.md
@@ -1,356 +0,0 @@
 Below are the highest-leverage revisions I’d make. They’re tightly scoped (no new tables/APIs), but fix a few real correctness issues and make the outputs more actionable.
 1) Fix a correctness bug in PathQuery: don’t escape for =, and make --path Makefile actually work
 Why
 Bug: build_path_query() currently runs escape_like() even when is_prefix = false (exact match). That will break exact matches for paths containing _, %, or \ because = does not treat those as metacharacters (so the escaped string won’t equal the stored path).
 UX mismatch: The plan says --path handles dotless root files (Makefile/LICENSE), but the current logic still treats them as directory prefixes (Makefile/%) → zero results.
 Change
 Only escape for LIKE.
 Treat root paths (no /) passed via --path as exact matches by default (unless they end with /).
 diff
 Copy code
 diff --git a/plan.md b/plan.md
@@
 -/// Build a path query from a user-supplied path.
 -///
 -/// Rules:
 -/// - If the path ends with `/`, it's a directory prefix -> `escaped_path%` (LIKE)
 -/// - If the last path segment contains `.`, it's a file -> exact match (=)
 -/// - Otherwise, it's a directory prefix -> `escaped_path/%` (LIKE)
 +/// Build a path query from a user-supplied path.
 +///
 +/// Rules:
 +/// - If the path ends with `/`, it's a directory prefix -> `escaped_path/%` (LIKE)
 +/// - If the path is a root path (no `/`) and does NOT end with `/`, treat as exact (=)
 +///   (this makes `--path Makefile` and `--path LICENSE` work as intended)
 +/// - Else if the last path segment contains `.`, treat as exact (=)
 +/// - Otherwise, treat as directory prefix -> `escaped_path/%` (LIKE)
@@
 -fn build_path_query(path: &str) -> PathQuery {
 +fn build_path_query(path: &str) -> PathQuery {
     let trimmed = path.trim_end_matches('/');
     let last_segment = trimmed.rsplit('/').next().unwrap_or(trimmed);
 -    let is_file = !path.ends_with('/') && last_segment.contains('.');
 -    let escaped = escape_like(trimmed);
 +    let is_root = !trimmed.contains('/');
 +    let is_file = !path.ends_with('/') && (is_root || last_segment.contains('.'));
     if is_file {
         PathQuery {
 -            value: escaped,
 +            // IMPORTANT: do NOT escape for exact match (=)
 +            value: trimmed.to_string(),
             is_prefix: false,
         }
     } else {
 +        let escaped = escape_like(trimmed);
         PathQuery {
             value: format!("{escaped}/%"),
             is_prefix: true,
         }
     }
 }
@@
 -/// **Known limitation:** Dotless root files (LICENSE, Makefile, Dockerfile)
 -/// without a trailing `/` will be treated as directory prefixes. Use `--path`
 -/// for these — the `--path` flag passes through to Expert mode directly,
 -/// and the `build_path_query` output for "LICENSE" is a prefix `LICENSE/%`
 -/// which will simply return zero results (a safe, obvious failure mode that the
 -/// help text addresses).
 +/// Note: Root file paths passed via `--path` (including dotless files like Makefile/LICENSE)
 +/// are treated as exact matches unless they end with `/`.
 Also update the --path help text to be explicit:
 diff
 Copy code
 diff --git a/plan.md b/plan.md
@@
 -    /// Force expert mode for a file/directory path (handles root files like
 -    /// README.md, LICENSE, Makefile that lack a / and can't be auto-detected)
 +    /// Force expert mode for a file/directory path.
 +    /// Root files (README.md, LICENSE, Makefile) are treated as exact matches.
 +    /// Use a trailing `/` to force directory-prefix matching.
 2) Fix Active mode: your note_count is currently counting participants, and the CTE scans too broadly
 Why
 In note_agg, you do SELECT DISTINCT discussion_id, author_username and then COUNT(*) AS note_count. That’s participant count, not note count.
 The current note_agg also builds the DISTINCT set from all notes then joins to picked. It’s avoidable work.
 Change
 Split into two aggregations scoped to picked:
 note_counts: counts non-system notes per picked discussion.
 participants: distinct usernames per picked discussion, then GROUP_CONCAT.
 diff
 Copy code
 diff --git a/plan.md b/plan.md
@@
 -        note_agg AS (
 -            SELECT
 -                n.discussion_id,
 -                COUNT(*) AS note_count,
 -                GROUP_CONCAT(n.author_username, X'1F') AS participants
 -            FROM (
 -                SELECT DISTINCT discussion_id, author_username
 -                FROM notes
 -                WHERE is_system = 0 AND author_username IS NOT NULL
 -            ) n
 -            JOIN picked p ON p.id = n.discussion_id
 -            GROUP BY n.discussion_id
 -        )
 +        note_counts AS (
 +            SELECT
 +                n.discussion_id,
 +                COUNT(*) AS note_count
 +            FROM notes n
 +            JOIN picked p ON p.id = n.discussion_id
 +            WHERE n.is_system = 0
 +            GROUP BY n.discussion_id
 +        ),
 +        participants AS (
 +            SELECT
 +                x.discussion_id,
 +                GROUP_CONCAT(x.author_username, X'1F') AS participants
 +            FROM (
 +                SELECT DISTINCT n.discussion_id, n.author_username
 +                FROM notes n
 +                JOIN picked p ON p.id = n.discussion_id
 +                WHERE n.is_system = 0 AND n.author_username IS NOT NULL
 +            ) x
 +            GROUP BY x.discussion_id
 +        )
@@
 -        LEFT JOIN note_agg na ON na.discussion_id = p.id
 +        LEFT JOIN note_counts nc ON nc.discussion_id = p.id
 +        LEFT JOIN participants pa ON pa.discussion_id = p.id
@@
 -            COALESCE(na.note_count, 0) AS note_count,
 -            COALESCE(na.participants, '') AS participants
 +            COALESCE(nc.note_count, 0) AS note_count,
 +            COALESCE(pa.participants, '') AS participants
 Net effect: correctness fix + more predictable perf.
 Add a test that would have failed before:
 diff
 Copy code
 diff --git a/plan.md b/plan.md
@@
     #[test]
     fn test_active_query() {
@@
 -        insert_diffnote(&conn, 1, 1, 1, "reviewer_b", "src/foo.rs", "needs work");
 +        insert_diffnote(&conn, 1, 1, 1, "reviewer_b", "src/foo.rs", "needs work");
 +        insert_diffnote(&conn, 2, 1, 1, "reviewer_b", "src/foo.rs", "follow-up");
@@
 -        assert_eq!(result.discussions[0].participants, vec!["reviewer_b"]);
 +        assert_eq!(result.discussions[0].participants, vec!["reviewer_b"]);
 +        assert_eq!(result.discussions[0].note_count, 2);
 3) Index fix: idx_discussions_unresolved_recent won’t help global --active ordering
 Why
 Your index is (project_id, last_note_at) with WHERE resolvable=1 AND resolved=0.
 When --active is not project-scoped (common default), SQLite can’t use (project_id, last_note_at) to satisfy ORDER BY last_note_at DESC efficiently because project_id isn’t constrained.
 This can turn into a scan+sort over potentially large unresolved sets.
 Change
 Keep the project-scoped index, but add a global ordering index (partial, still small):
 diff
 Copy code
 diff --git a/plan.md b/plan.md
@@
 CREATE INDEX IF NOT EXISTS idx_discussions_unresolved_recent
     ON discussions(project_id, last_note_at)
     WHERE resolvable = 1 AND resolved = 0;
 +
 +-- Active (global): unresolved discussions by recency (no project scope).
 +-- Supports ORDER BY last_note_at DESC LIMIT N when project_id is unconstrained.
 +CREATE INDEX IF NOT EXISTS idx_discussions_unresolved_recent_global
 +    ON discussions(last_note_at)
 +    WHERE resolvable = 1 AND resolved = 0;
 4) Make Overlap “touches” coherent: count MRs for reviewers, not DiffNotes
 Why
 Overlap’s question is “Who else has MRs touching my files?” but:
 reviewer branch uses COUNT(*) (DiffNotes)
 author branch uses COUNT(DISTINCT m.id) (MRs)
 Those are different units; summing them into touch_count is misleading.
 Change
 Count distinct MRs on the reviewer branch too:
 diff
 Copy code
 diff --git a/plan.md b/plan.md
@@
 -                COUNT(*) AS touch_count,
 +                COUNT(DISTINCT m.id) AS touch_count,
                 MAX(n.created_at) AS last_touch_at,
                 GROUP_CONCAT(DISTINCT (p.path_with_namespace || '!' || m.iid)) AS mr_refs
 Also update human output labeling:
 diff
 Copy code
 diff --git a/plan.md b/plan.md
@@
 -        style("Touches").bold(),
 +        style("MRs").bold(),
 (You still preserve “strength” via mr_refs and last_touch_at.)
 5) Make outputs more actionable: add a canonical ref field (group/project!iid, group/project#iid)
 Why
 You already do this for Overlap (mr_refs). Doing the same for Workload and Active reduces friction for both humans and agents:
 humans can copy/paste a single token
 robots don’t need to stitch project_path + iid + prefix
 Change (Workload structs + SQL)
 diff
 Copy code
 diff --git a/plan.md b/plan.md
@@
 pub struct WorkloadIssue {
     pub iid: i64,
 +    pub ref_: String,
     pub title: String,
     pub project_path: String,
     pub updated_at: i64,
 }
@@
 pub struct WorkloadMr {
     pub iid: i64,
 +    pub ref_: String,
     pub title: String,
     pub draft: bool,
     pub project_path: String,
@@
 -    let issues_sql =
 -        "SELECT i.iid, i.title, p.path_with_namespace, i.updated_at
 +    let issues_sql =
 +        "SELECT i.iid,
 +                (p.path_with_namespace || '#' || i.iid) AS ref,
 +                i.title, p.path_with_namespace, i.updated_at
@@
 -                iid: row.get(0)?,
 -                title: row.get(1)?,
 -                project_path: row.get(2)?,
 -                updated_at: row.get(3)?,
 +                iid: row.get(0)?,
 +                ref_: row.get(1)?,
 +                title: row.get(2)?,
 +                project_path: row.get(3)?,
 +                updated_at: row.get(4)?,
             })
@@
 -    let authored_sql =
 -        "SELECT m.iid, m.title, m.draft, p.path_with_namespace, m.updated_at
 +    let authored_sql =
 +        "SELECT m.iid,
 +                (p.path_with_namespace || '!' || m.iid) AS ref,
 +                m.title, m.draft, p.path_with_namespace, m.updated_at
@@
 -                iid: row.get(0)?,
 -                title: row.get(1)?,
 -                draft: row.get::<_, i32>(2)? != 0,
 -                project_path: row.get(3)?,
 +                iid: row.get(0)?,
 +                ref_: row.get(1)?,
 +                title: row.get(2)?,
 +                draft: row.get::<_, i32>(3)? != 0,
 +                project_path: row.get(4)?,
                 author_username: None,
 -                updated_at: row.get(4)?,
 +                updated_at: row.get(5)?,
             })
 Then use ref_ in human output + robot JSON.
 6) Reviews mode: tolerate leading whitespace before **prefix**
 Why
 Many people write " **suggestion**: ...". Current LIKE '**%**%' misses that.
 Change
 Use ltrim(n.body) consistently:
 diff
 Copy code
 diff --git a/plan.md b/plan.md
@@
 -           AND n.body LIKE '**%**%'
 +           AND ltrim(n.body) LIKE '**%**%'
@@
 -            SUBSTR(n.body, 3, INSTR(SUBSTR(n.body, 3), '**') - 1) AS raw_prefix,
 +            SUBSTR(ltrim(n.body), 3, INSTR(SUBSTR(ltrim(n.body), 3), '**') - 1) AS raw_prefix,
 7) Add two small tests that catch the above regressions
 Why
 These are exactly the kind of issues that slip through without targeted tests.
 diff
 Copy code
 diff --git a/plan.md b/plan.md
@@
     #[test]
     fn test_escape_like() {
@@
     }
 +
 +    #[test]
 +    fn test_build_path_query_exact_does_not_escape() {
 +        // '_' must not be escaped for '='
 +        let pq = build_path_query("README_with_underscore.md");
 +        assert_eq!(pq.value, "README_with_underscore.md");
 +        assert!(!pq.is_prefix);
 +    }
 +
 +    #[test]
 +    fn test_path_flag_dotless_root_file_is_exact() {
 +        let pq = build_path_query("Makefile");
 +        assert_eq!(pq.value, "Makefile");
 +        assert!(!pq.is_prefix);
 +    }
 Summary of net effect
 Correctness fixes: exact-path escaping bug; Active.note_count bug.
 Perf fixes: global --active index; avoid broad note scans in Active.
 Usefulness upgrades: coherent overlap “touch” metric; canonical refs everywhere; reviews prefix more robust.
 If you want one extra “stretch” that still isn’t scope creep: add an unscoped warning line in human output when project_id == None (e.g., “Aggregated across projects; use -p to scope”) for Expert/Overlap/Active. That’s pure presentation, but prevents misinterpretation in multi-project DBs.
--- a/docs/who-command-design.feedback-6.md
+++ b/docs/who-command-design.feedback-6.md
@@ -1,471 +0,0 @@
 Proposed revisions (Iteration 6)
 Below are the highest-leverage changes I’d make on top of your current Iteration 5 plan, with rationale and git-diff style edits to the plan text/snippets.
 1) Fix a real edge case: dotless non-root files (src/Dockerfile, infra/Makefile, etc.)
 Why
 Your current build_path_query() treats dotless last segments as directories (prefix match) unless the path is root. That misclassifies legitimate dotless files inside directories and silently produces path/% (zero hits or wrong hits).
 Best minimal fix: keep your static SQL approach, but add a DB existence probe (static SQL) for path queries:
 If user didn’t force directory (/), and exact path exists in DiffNotes, treat as exact =.
 Otherwise use prefix LIKE 'dir/%'.
 This avoids new CLI flags, avoids heuristics lists, and uses your existing partial index (idx_notes_diffnote_path_created) efficiently.
 Diff
 diff
 Copy code
 diff --git a/Plan.md b/Plan.md
@@
 -struct PathQuery {
 +struct PathQuery {
     /// The parameter value to bind.
     value: String,
     /// If true: use `LIKE value ESCAPE '\'`. If false: use `= value`.
     is_prefix: bool,
 }
 -/// Build a path query from a user-supplied path.
 +/// Build a path query from a user-supplied path, with a DB probe for dotless files.
@@
 -fn build_path_query(path: &str) -> PathQuery {
 +fn build_path_query(conn: &Connection, path: &str) -> Result<PathQuery> {
     let trimmed = path.trim_end_matches('/');
     let last_segment = trimmed.rsplit('/').next().unwrap_or(trimmed);
     let is_root = !trimmed.contains('/');
 -    let is_file = !path.ends_with('/') && (is_root || last_segment.contains('.'));
 +    let forced_dir = path.ends_with('/');
 +    let looks_like_file = !forced_dir && (is_root || last_segment.contains('.'));
 +
 +    // If it doesn't "look like a file" but the exact path exists in DiffNotes,
 +    // treat as exact (handles src/Dockerfile, infra/Makefile, etc.).
 +    let exact_exists = if !looks_like_file && !forced_dir {
 +        conn.query_row(
 +            "SELECT 1
 +             FROM notes
 +             WHERE note_type = 'DiffNote'
 +               AND is_system = 0
 +               AND position_new_path = ?1
 +             LIMIT 1",
 +            rusqlite::params![trimmed],
 +            |_| Ok(()),
 +        ).is_ok()
 +    } else {
 +        false
 +    };
 +
 +    let is_file = looks_like_file || exact_exists;
     if is_file {
         PathQuery {
             value: trimmed.to_string(),
             is_prefix: false,
         }
     } else {
         let escaped = escape_like(trimmed);
         PathQuery {
             value: format!("{escaped}/%"),
             is_prefix: true,
         }
     }
 }
 Also update callers:
 diff
 Copy code
@@
 -    let pq = build_path_query(path);
 +    let pq = build_path_query(conn, path)?;
@@
 -    let pq = build_path_query(path);
 +    let pq = build_path_query(conn, path)?;
 And tests:
 diff
 Copy code
@@
 -    fn test_build_path_query() {
 +    fn test_build_path_query() {
@@
 -        // Dotless root file -> exact match (root path without '/')
 +        // Dotless root file -> exact match (root path without '/')
         let pq = build_path_query("Makefile");
         assert_eq!(pq.value, "Makefile");
         assert!(!pq.is_prefix);
 +
 +        // Dotless file in subdir should become exact if DB contains it (probe)
 +        // (set up: insert one DiffNote with position_new_path = "src/Dockerfile")
 2) Make “reviewer” semantics correct: exclude MR authors commenting on their own diffs
 Why
 Right now, Overlap (and Expert reviewer branch) will count MR authors as “reviewers” if they leave DiffNotes in their own MR (clarifications / replies), inflating A+R and contaminating “who reviewed here” signals.
 You already enforce this in --reviews mode (m.author_username != ?1). Apply the same principle consistently:
 Reviewer branch: only count notes where n.author_username != m.author_username (when both non-NULL).
 Diff (Overlap reviewer branch)
 diff
 Copy code
@@
 -            WHERE n.note_type = 'DiffNote'
 +            WHERE n.note_type = 'DiffNote'
               AND n.position_new_path LIKE ?1 ESCAPE '\\'
               AND n.is_system = 0
               AND n.author_username IS NOT NULL
 +              AND (m.author_username IS NULL OR n.author_username != m.author_username)
               AND n.created_at >= ?2
               AND (?3 IS NULL OR n.project_id = ?3)
 Same change for sql_exact.
 3) Expert mode scoring: align units + reduce single-MR “comment storms”
 Why
 Expert currently mixes units:
 reviewer side: DiffNote count
 author side: distinct MR count
 That makes score noisy and can crown “someone who wrote 30 comments on one MR” as top expert.
 Fix: make both sides primarily MR-breadth:
 reviewer: COUNT(DISTINCT m.id) as review_mr_count
 author: COUNT(DISTINCT m.id) as author_mr_count
 Optionally keep review_note_count as a secondary intensity signal (but not the main driver).
 Diff (types + SQL)
 diff
 Copy code
@@
 pub struct Expert {
     pub username: String,
 -    pub score: f64,
 -    pub review_count: u32,
 -    pub author_count: u32,
 +    pub score: i64,
 +    pub review_mr_count: u32,
 +    pub review_note_count: u32,
 +    pub author_mr_count: u32,
     pub last_active_ms: i64,
 }
 Reviewer branch now joins to MR so it can count distinct MRs and exclude self-comments:
 diff
 Copy code
@@
 -            SELECT
 -                n.author_username AS username,
 -                'reviewer' AS role,
 -                COUNT(*) AS cnt,
 -                MAX(n.created_at) AS last_active_at
 -            FROM notes n
 +            SELECT
 +                n.author_username AS username,
 +                'reviewer' AS role,
 +                COUNT(DISTINCT m.id) AS mr_cnt,
 +                COUNT(*) AS note_cnt,
 +                MAX(n.created_at) AS last_active_at
 +            FROM notes n
 +            JOIN discussions d ON n.discussion_id = d.id
 +            JOIN merge_requests m ON d.merge_request_id = m.id
             WHERE n.note_type = 'DiffNote'
               AND n.is_system = 0
               AND n.author_username IS NOT NULL
 +              AND (m.author_username IS NULL OR n.author_username != m.author_username)
               AND n.position_new_path LIKE ?1 ESCAPE '\\'
               AND n.created_at >= ?2
               AND (?3 IS NULL OR n.project_id = ?3)
             GROUP BY n.author_username
 Update author branch payload to match shape:
 diff
 Copy code
@@
             SELECT
                 m.author_username AS username,
                 'author' AS role,
 -                COUNT(DISTINCT m.id) AS cnt,
 +                COUNT(DISTINCT m.id) AS mr_cnt,
 +                0 AS note_cnt,
                 MAX(n.created_at) AS last_active_at
 Aggregate:
 diff
 Copy code
@@
         SELECT
             username,
 -            SUM(CASE WHEN role = 'reviewer' THEN cnt ELSE 0 END) AS review_count,
 -            SUM(CASE WHEN role = 'author' THEN cnt ELSE 0 END) AS author_count,
 +            SUM(CASE WHEN role = 'reviewer' THEN mr_cnt ELSE 0 END) AS review_mr_count,
 +            SUM(CASE WHEN role = 'reviewer' THEN note_cnt ELSE 0 END) AS review_note_count,
 +            SUM(CASE WHEN role = 'author' THEN mr_cnt ELSE 0 END) AS author_mr_count,
             MAX(last_active_at) AS last_active_at,
 -            (SUM(CASE WHEN role = 'reviewer' THEN cnt ELSE 0 END) * 3.0) +
 -            (SUM(CASE WHEN role = 'author' THEN cnt ELSE 0 END) * 2.0) AS score
 +            (
 +              (SUM(CASE WHEN role = 'reviewer' THEN mr_cnt ELSE 0 END) * 20) +
 +              (SUM(CASE WHEN role = 'author' THEN mr_cnt ELSE 0 END) * 12) +
 +              (SUM(CASE WHEN role = 'reviewer' THEN note_cnt ELSE 0 END) * 1)
 +            ) AS score
 Human header:
 diff
 Copy code
@@
 -        style("Reviews").bold(),
 -        style("Authored").bold(),
 +        style("Reviewed(MRs)").bold(),
 +        style("Notes").bold(),
 +        style("Authored(MRs)").bold(),
 4) Deterministic output: participants + MR refs + tie-breakers
 Why
 You’ve correctly focused on reproducibility (resolved_input), but you still have nondeterministic lists:
 participants: GROUP_CONCAT order is undefined → vector order changes run-to-run.
 mr_refs: you dedup via HashSet then iterate → undefined order.
 user sorting in overlap is missing stable tie-breakers.
 This is a real “robot mode flake” source.
 Diff (Active participants sort)
 diff
 Copy code
@@
 -            let participants: Vec<String> = participants_csv
 +            let mut participants: Vec<String> = participants_csv
                 .as_deref()
                 .filter(|s| !s.is_empty())
                 .map(|csv| csv.split('\x1F').map(String::from).collect())
                 .unwrap_or_default();
 +            participants.sort(); // stable, deterministic
 Diff (Overlap MR refs sort + stable user sort)
 diff
 Copy code
@@
 -    users.sort_by(|a, b| b.touch_count.cmp(&a.touch_count));
 +    users.sort_by(|a, b| {
 +        b.touch_count.cmp(&a.touch_count)
 +            .then_with(|| b.last_touch_at.cmp(&a.last_touch_at))
 +            .then_with(|| a.username.cmp(&b.username))
 +    });
@@
 -        entry.mr_refs = set.into_iter().collect();
 +        let mut v: Vec<String> = set.into_iter().collect();
 +        v.sort();
 +        entry.mr_refs = v;
 5) Make --limit actionable: surface truncation explicitly (human + robot)
 Why
 Agents (and humans) need to know if results were cut off so they can rerun with a bigger -n.
 Right now there’s no signal.
 Minimal pattern: query limit + 1, set truncated = true if you got > limit, then truncate.
 Diff (result types)
 diff
 Copy code
@@
 pub struct ExpertResult {
     pub path_query: String,
     pub experts: Vec<Expert>,
 +    pub truncated: bool,
 }
@@
 pub struct ActiveResult {
     pub discussions: Vec<ActiveDiscussion>,
     pub total_unresolved: u32,
 +    pub truncated: bool,
 }
@@
 pub struct OverlapResult {
     pub path_query: String,
     pub users: Vec<OverlapUser>,
 +    pub truncated: bool,
 }
 Diff (query pattern example)
 diff
 Copy code
@@
 -    let limit_i64 = limit as i64;
 +    let limit_plus_one = (limit + 1) as i64;
@@
 -        LIMIT ?4
 +        LIMIT ?4
@@
 -            rusqlite::params![pq.value, since_ms, project_id, limit_i64],
 +            rusqlite::params![pq.value, since_ms, project_id, limit_plus_one],
@@
 -    Ok(ExpertResult {
 +    let truncated = experts.len() > limit;
 +    let experts = experts.into_iter().take(limit).collect();
 +    Ok(ExpertResult {
         path_query: path.to_string(),
         experts,
 +        truncated,
     })
 Human output hint:
 diff
 Copy code
@@
     if r.experts.is_empty() { ... }
 +    if r.truncated {
 +        println!("  {}", style("(showing first -n; rerun with a higher --limit)").dim());
 +    }
 Robot output field:
 diff
 Copy code
@@
 fn expert_to_json(r: &ExpertResult) -> serde_json::Value {
     serde_json::json!({
         "path_query": r.path_query,
 +        "truncated": r.truncated,
         "experts": ...
     })
 }
 6) Overlap merge hot loop: avoid repeated HashSet rebuild per row
 Why
 This line is expensive in a UNION result with many rows:
 rust
 Copy code
 let mut set: HashSet<String> = entry.mr_refs.drain(..).collect();
 It reallocates and rehashes every time.
 Fix: store an accumulator with HashSet during merge, convert once at end.
 Diff (internal accumulator)
 diff
 Copy code
@@
 -    let mut user_map: HashMap<String, OverlapUser> = HashMap::new();
 +    struct OverlapAcc {
 +        username: String,
 +        author_touch_count: u32,
 +        review_touch_count: u32,
 +        touch_count: u32,
 +        last_touch_at: i64,
 +        mr_refs: HashSet<String>,
 +    }
 +    let mut user_map: HashMap<String, OverlapAcc> = HashMap::new();
@@
 -        let entry = user_map.entry(username.clone()).or_insert_with(|| OverlapUser {
 +        let entry = user_map.entry(username.clone()).or_insert_with(|| OverlapAcc {
             username: username.clone(),
             author_touch_count: 0,
             review_touch_count: 0,
             touch_count: 0,
             last_touch_at: 0,
 -            mr_refs: Vec::new(),
 +            mr_refs: HashSet::new(),
         });
@@
 -        let mut set: HashSet<String> = entry.mr_refs.drain(..).collect();
 -        for r in mr_refs { set.insert(r); }
 -        entry.mr_refs = set.into_iter().collect();
 +        for r in mr_refs { entry.mr_refs.insert(r); }
@@
 -    let mut users: Vec<OverlapUser> = user_map.into_values().collect();
 +    let mut users: Vec<OverlapUser> = user_map.into_values().map(|a| {
 +        let mut mr_refs: Vec<String> = a.mr_refs.into_iter().collect();
 +        mr_refs.sort();
 +        OverlapUser {
 +            username: a.username,
 +            author_touch_count: a.author_touch_count,
 +            review_touch_count: a.review_touch_count,
 +            touch_count: a.touch_count,
 +            last_touch_at: a.last_touch_at,
 +            mr_refs,
 +        }
 +    }).collect();
 7) Tests to lock these behaviors
 Add tests (high value)
 dotless subdir file uses DB probe → exact match
 self-review exclusion prevents MR author showing up as reviewer
 deterministic ordering for participants and mr_refs (sort)
 Diff (test additions outline)
 diff
 Copy code
@@
     #[test]
 +    fn test_build_path_query_dotless_subdir_file_uses_probe() {
 +        let conn = setup_test_db();
 +        insert_project(&conn, 1, "team/backend");
 +        insert_mr(&conn, 1, 1, 100, "author_a", "opened");
 +        insert_discussion(&conn, 1, 1, Some(1), None, true, false);
 +        insert_diffnote(&conn, 1, 1, 1, "reviewer_b", "src/Dockerfile", "note");
 +
 +        let pq = build_path_query(&conn, "src/Dockerfile").unwrap();
 +        assert_eq!(pq.value, "src/Dockerfile");
 +        assert!(!pq.is_prefix);
 +    }
 +
 +    #[test]
 +    fn test_overlap_excludes_self_review_notes() {
 +        let conn = setup_test_db();
 +        insert_project(&conn, 1, "team/backend");
 +        insert_mr(&conn, 1, 1, 100, "author_a", "opened");
 +        insert_discussion(&conn, 1, 1, Some(1), None, true, false);
 +        // author_a comments on their own MR diff
 +        insert_diffnote(&conn, 1, 1, 1, "author_a", "src/auth/login.rs", "clarification");
 +
 +        let result = query_overlap(&conn, "src/auth/", None, 0, 20).unwrap();
 +        let u = result.users.iter().find(|u| u.username == "author_a");
 +        // should not be credited as reviewer touch
 +        assert!(u.map(|x| x.review_touch_count).unwrap_or(0) == 0);
 +    }
 Net effect
 Correctness: fixes dotless subdir files + self-review pollution.
 Signal quality: Expert ranking becomes harder to game by comment volume.
 Robot reproducibility: deterministic ordering + explicit truncation.
 Performance: avoids rehash loops in overlap merges; path probe uses indexed equality.
 If you want one “single best” change: #1 (DB probe exact-match) is the most likely to prevent confusing “why is this empty?” behavior without adding any user-facing complexity.
--- a/docs/who-command-design.feedback-7.md
+++ b/docs/who-command-design.feedback-7.md
@@ -1,353 +0,0 @@
 Below are the highest-leverage revisions I’d make to iteration 6 to improve correctness (multi-project edge cases), robot-mode reliability (bounded payloads + truncation), and signal quality—without changing the fundamental scope (still pure SQL over existing tables).
 1) Make build_path_query project-aware and two-way probe (exact and prefix)
 Why
 Your DB probe currently answers: “does this exact file exist anywhere in DiffNotes?” That can misclassify in a project-scoped run:
 Path exists as a dotless file in Project A → probe returns true
 User runs -p Project B where the path is a directory (or different shape) → you switch to exact, return empty, and miss valid prefix hits.
 Also, you still have a minor heuristic fragility for dot directories when the user omits trailing / (e.g., .github/workflows): last segment has a dot → you treat as file unless forced dir.
 Revision
 Thread project_id into build_path_query(conn, path, project_id)
 Probe exact first (scoped), then probe prefix (scoped)
 Only fall back to heuristics if both probes fail
 This keeps “static SQL, no dynamic assembly,” and costs at most 2 indexed existence queries per invocation.
 diff
 Copy code
 diff --git a/who-command-design.md b/who-command-design.md
@@
 - fn build_path_query(conn: &Connection, path: &str) -> Result<PathQuery> {
 + fn build_path_query(conn: &Connection, path: &str, project_id: Option<i64>) -> Result<PathQuery> {
     let trimmed = path.trim_end_matches('/');
     let last_segment = trimmed.rsplit('/').next().unwrap_or(trimmed);
     let is_root = !trimmed.contains('/');
     let forced_dir = path.ends_with('/');
 -    let looks_like_file = !forced_dir && (is_root || last_segment.contains('.'));
 +    // Heuristic is now only a fallback; probes decide first.
 +    let looks_like_file = !forced_dir && (is_root || last_segment.contains('.'));
 -    let exact_exists = if !looks_like_file && !forced_dir {
 -        conn.query_row(
 -            "SELECT 1 FROM notes
 -             WHERE note_type = 'DiffNote'
 -               AND is_system = 0
 -               AND position_new_path = ?1
 -             LIMIT 1",
 -            rusqlite::params![trimmed],
 -            |_| Ok(()),
 -        )
 -        .is_ok()
 -    } else {
 -        false
 -    };
 +    // Probe 1: exact file exists (scoped)
 +    let exact_exists = conn.query_row(
 +        "SELECT 1 FROM notes
 +         WHERE note_type = 'DiffNote'
 +           AND is_system = 0
 +           AND position_new_path = ?1
 +           AND (?2 IS NULL OR project_id = ?2)
 +         LIMIT 1",
 +        rusqlite::params![trimmed, project_id],
 +        |_| Ok(()),
 +    ).is_ok();
 +
 +    // Probe 2: directory prefix exists (scoped)
 +    let prefix_exists = if !forced_dir {
 +        let escaped = escape_like(trimmed);
 +        let pat = format!("{escaped}/%");
 +        conn.query_row(
 +            "SELECT 1 FROM notes
 +             WHERE note_type = 'DiffNote'
 +               AND is_system = 0
 +               AND position_new_path LIKE ?1 ESCAPE '\\'
 +               AND (?2 IS NULL OR project_id = ?2)
 +             LIMIT 1",
 +            rusqlite::params![pat, project_id],
 +            |_| Ok(()),
 +        ).is_ok()
 +    } else { false };
 -    let is_file = looks_like_file || exact_exists;
 +    // Forced directory always wins; otherwise: exact > prefix > heuristic
 +    let is_file = if forced_dir { false }
 +                  else if exact_exists { true }
 +                  else if prefix_exists { false }
 +                  else { looks_like_file };
     if is_file {
         Ok(PathQuery { value: trimmed.to_string(), is_prefix: false })
     } else {
         let escaped = escape_like(trimmed);
         Ok(PathQuery { value: format!("{escaped}/%"), is_prefix: true })
     }
 }
@@
 - let pq = build_path_query(conn, path)?;
 + let pq = build_path_query(conn, path, project_id)?;
 Add test coverage for the multi-project misclassification case:
 diff
 Copy code
 diff --git a/who-command-design.md b/who-command-design.md
@@
     #[test]
     fn test_build_path_query_dotless_subdir_file_uses_db_probe() {
@@
 -        let pq = build_path_query(&conn, "src/Dockerfile").unwrap();
 +        let pq = build_path_query(&conn, "src/Dockerfile", None).unwrap();
@@
 -        let pq2 = build_path_query(&conn2, "src/Dockerfile").unwrap();
 +        let pq2 = build_path_query(&conn2, "src/Dockerfile", None).unwrap();
     }
 +
 +    #[test]
 +    fn test_build_path_query_probe_is_project_scoped() {
 +        // Path exists as a dotless file in project 1; project 2 should not
 +        // treat it as an exact file unless it exists there too.
 +        let conn = setup_test_db();
 +        insert_project(&conn, 1, "team/a");
 +        insert_project(&conn, 2, "team/b");
 +        insert_mr(&conn, 1, 1, 10, "author_a", "opened");
 +        insert_discussion(&conn, 1, 1, Some(1), None, true, false);
 +        insert_diffnote(&conn, 1, 1, 1, "rev", "infra/Makefile", "note");
 +
 +        let pq_scoped = build_path_query(&conn, "infra/Makefile", Some(2)).unwrap();
 +        assert!(pq_scoped.is_prefix); // should fall back to prefix in project 2
 +    }
 2) Bound robot payload sizes for participants and mr_refs (with totals + truncation)
 Why
 mr_refs and participants can become unbounded arrays in robot mode, which is a real operational hazard:
 huge JSON → slow, noisy diffs, brittle downstream pipelines
 potential SQLite group_concat truncation becomes invisible (and you can’t distinguish “no refs” vs “refs truncated”)
 Revision
 Introduce hard caps and explicit metadata:
 participants_total, participants_truncated
 mr_refs_total, mr_refs_truncated
 This is not scope creep—it’s defensive output hygiene.
 diff
 Copy code
 diff --git a/who-command-design.md b/who-command-design.md
@@
 pub struct ActiveDiscussion {
@@
     pub participants: Vec<String>,
 +    pub participants_total: u32,
 +    pub participants_truncated: bool,
 }
@@
 pub struct OverlapUser {
@@
     pub mr_refs: Vec<String>,
 +    pub mr_refs_total: u32,
 +    pub mr_refs_truncated: bool,
 }
 Implementation sketch (Rust-side, deterministic):
 diff
 Copy code
 diff --git a/who-command-design.md b/who-command-design.md
@@
 fn query_active(...) -> Result<ActiveResult> {
 +    const MAX_PARTICIPANTS: usize = 50;
@@
 -            participants.sort();
 +            participants.sort();
 +            let participants_total = participants.len() as u32;
 +            let participants_truncated = participants.len() > MAX_PARTICIPANTS;
 +            if participants_truncated {
 +                participants.truncate(MAX_PARTICIPANTS);
 +            }
@@
             Ok(ActiveDiscussion {
@@
                 participants,
 +                participants_total,
 +                participants_truncated,
             })
@@
 fn query_overlap(...) -> Result<OverlapResult> {
 +    const MAX_MR_REFS_PER_USER: usize = 50;
@@
         .map(|a| {
             let mut mr_refs: Vec<String> = a.mr_refs.into_iter().collect();
             mr_refs.sort();
 +            let mr_refs_total = mr_refs.len() as u32;
 +            let mr_refs_truncated = mr_refs.len() > MAX_MR_REFS_PER_USER;
 +            if mr_refs_truncated {
 +                mr_refs.truncate(MAX_MR_REFS_PER_USER);
 +            }
             OverlapUser {
@@
                 mr_refs,
 +                mr_refs_total,
 +                mr_refs_truncated,
             }
         })
 Update robot JSON accordingly:
 diff
 Copy code
 diff --git a/who-command-design.md b/who-command-design.md
@@
 fn active_to_json(r: &ActiveResult) -> serde_json::Value {
@@
             "participants": d.participants,
 +            "participants_total": d.participants_total,
 +            "participants_truncated": d.participants_truncated,
         }))
@@
 fn overlap_to_json(r: &OverlapResult) -> serde_json::Value {
@@
             "mr_refs": u.mr_refs,
 +            "mr_refs_total": u.mr_refs_total,
 +            "mr_refs_truncated": u.mr_refs_truncated,
         }))
 Also update robot-docs manifest schema snippet for who.active.discussions[] and who.overlap.users[].
 3) Add truncation metadata to Workload sections (same LIMIT+1 pattern)
 Why
 Workload is the mode most likely to be consumed by agents, and right now it has silent truncation (each section is LIMIT N with no signal). Your plan already treats truncation as a first-class contract elsewhere; Workload should match.
 Revision
 For each workload query:
 request LIMIT + 1
 set *_truncated booleans
 trim to requested limit
 diff
 Copy code
 diff --git a/who-command-design.md b/who-command-design.md
@@
 pub struct WorkloadResult {
     pub username: String,
     pub assigned_issues: Vec<WorkloadIssue>,
     pub authored_mrs: Vec<WorkloadMr>,
     pub reviewing_mrs: Vec<WorkloadMr>,
     pub unresolved_discussions: Vec<WorkloadDiscussion>,
 +    pub assigned_issues_truncated: bool,
 +    pub authored_mrs_truncated: bool,
 +    pub reviewing_mrs_truncated: bool,
 +    pub unresolved_discussions_truncated: bool,
 }
 And in JSON include the booleans (plus you already have summary.counts).
 This is mechanically repetitive but extremely valuable for automation.
 4) Rename “Last Active” → “Last Seen” for Expert/Overlap
 Why
 For “author” rows, the timestamp is derived from review activity on their MR (via MAX(n.created_at)), not necessarily that person’s direct action. Calling that “active” is semantically misleading. “Last seen” is accurate across both reviewer+author branches.
 diff
 Copy code
 diff --git a/who-command-design.md b/who-command-design.md
@@
 pub struct Expert {
@@
 -    pub last_active_ms: i64,
 +    pub last_seen_ms: i64,
 }
@@
 pub struct OverlapUser {
@@
 -    pub last_touch_at: i64,
 +    pub last_seen_at: i64,
@@
 fn print_expert_human(...) {
@@
 -        style("Last Active").bold(),
 +        style("Last Seen").bold(),
@@
 -        style(format_relative_time(expert.last_active_ms)).dim(),
 +        style(format_relative_time(expert.last_seen_ms)).dim(),
 (Keep internal SQL aliases consistent: last_seen_at everywhere.)
 5) Make MR state filtering consistent in Expert/Overlap reviewer branches
 Why
 You already restrict Overlap author branch to opened|merged, but reviewer branches can include closed/unmerged noise. Consistency improves signal quality and can reduce scan churn.
 Low-risk revision: apply the same state filter to reviewer branches (Expert + Overlap). You can keep “closed” excluded by default without adding new flags.
 diff
 Copy code
 diff --git a/who-command-design.md b/who-command-design.md
@@
 WHERE n.note_type = 'DiffNote'
   AND n.is_system = 0
@@
 -  AND n.created_at >= ?2
 +  AND m.state IN ('opened','merged')
 +  AND n.created_at >= ?2
 This is a semantic choice; if you later want archaeology across closed/unmerged, that belongs in a separate mode/flag, but I would not add it now.
 6) Add a design principle for bounded outputs (aligns with robot-first reproducibility)
 diff
 Copy code
 diff --git a/who-command-design.md b/who-command-design.md
@@
 10. **Truncation transparency.** Result types carry a `truncated: bool` flag...
 +11. **Bounded payloads.** Robot JSON must never emit unbounded arrays (participants, refs).
 +    Large list fields are capped with `*_total` + `*_truncated` so agents can page/retry.
 Consolidated plan metadata bump (Iteration 7)
 diff
 Copy code
 diff --git a/who-command-design.md b/who-command-design.md
@@
 -iteration: 6
 +iteration: 7
 updated: 2026-02-07
 Net effect (what you get)
 Correct path classification under -p scoping (no cross-project probe leakage)
 Deterministic + bounded robot payloads (no giant JSON surprises)
 Uniform truncation contract across all modes (Workload no longer silently truncates)
 Clearer semantics (“Last Seen” avoids misinterpretation)
 Cleaner signals (reviewer branches ignore closed/unmerged by default)
 If you want, I can also produce a second diff that updates the robot-docs schema block and the Verification EXPLAIN expectations to reflect the new probe queries and the state filter.
--- a/gitlore-sync-explorer.html
+++ b/gitlore-sync-explorer.html
@@ -1,844 +0,0 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="UTF-8">
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
 <title>Gitlore Sync Pipeline Explorer</title>
 <style>
  :root {
    --bg: #0d1117;
    --bg-secondary: #161b22;
    --bg-tertiary: #1c2129;
    --border: #30363d;
    --text: #c9d1d9;
    --text-dim: #8b949e;
    --text-bright: #f0f6fc;
    --cyan: #58a6ff;
    --green: #3fb950;
    --amber: #d29922;
    --red: #f85149;
    --purple: #bc8cff;
    --pink: #f778ba;
    --cyan-dim: rgba(88,166,255,0.15);
    --green-dim: rgba(63,185,80,0.15);
    --amber-dim: rgba(210,153,34,0.15);
    --red-dim: rgba(248,81,73,0.15);
    --purple-dim: rgba(188,140,255,0.15);
  }
  * { margin: 0; padding: 0; box-sizing: border-box; }
  body {
    font-family: 'SF Mono', 'Cascadia Code', 'Fira Code', 'JetBrains Mono', monospace;
    background: var(--bg); color: var(--text);
    display: flex; height: 100vh; overflow: hidden;
  }
  .sidebar {
    width: 220px; min-width: 220px; background: var(--bg-secondary);
    border-right: 1px solid var(--border); display: flex; flex-direction: column; padding: 16px 0;
  }
  .sidebar-title {
    font-size: 11px; font-weight: 700; text-transform: uppercase;
    letter-spacing: 1.2px; color: var(--text-dim); padding: 0 16px 12px;
  }
  .logo {
    padding: 0 16px 20px; font-size: 15px; font-weight: 700; color: var(--cyan);
    display: flex; align-items: center; gap: 8px;
  }
  .logo svg { width: 20px; height: 20px; }
  .nav-item {
    padding: 10px 16px; cursor: pointer; font-size: 13px; color: var(--text-dim);
    transition: all 0.15s; border-left: 3px solid transparent;
    display: flex; align-items: center; gap: 10px;
  }
  .nav-item:hover { background: var(--bg-tertiary); color: var(--text); }
  .nav-item.active { background: var(--cyan-dim); color: var(--cyan); border-left-color: var(--cyan); }
  .nav-dot { width: 8px; height: 8px; border-radius: 50%; flex-shrink: 0; }
  .main { flex: 1; display: flex; flex-direction: column; overflow: hidden; }
  .header {
    padding: 16px 24px; border-bottom: 1px solid var(--border);
    display: flex; align-items: center; justify-content: space-between;
  }
  .header h1 { font-size: 16px; font-weight: 600; color: var(--text-bright); }
  .header-badge {
    font-size: 11px; padding: 3px 10px; border-radius: 12px;
    background: var(--cyan-dim); color: var(--cyan);
  }
  .canvas-wrapper { flex: 1; overflow: auto; position: relative; }
  .canvas { padding: 32px; min-height: 100%; }
  .flow-container { display: none; }
  .flow-container.active { display: block; }
  .phase { margin-bottom: 32px; }
  .phase-header { display: flex; align-items: center; gap: 12px; margin-bottom: 16px; }
  .phase-number {
    width: 28px; height: 28px; border-radius: 50%; display: flex; align-items: center;
    justify-content: center; font-size: 13px; font-weight: 700; flex-shrink: 0;
  }
  .phase-title { font-size: 14px; font-weight: 600; color: var(--text-bright); }
  .phase-subtitle { font-size: 11px; color: var(--text-dim); margin-left: 4px; font-weight: 400; }
  .flow-row {
    display: flex; align-items: stretch; gap: 0; flex-wrap: wrap;
    margin-left: 14px; padding-left: 26px; border-left: 2px solid var(--border);
  }
  .flow-row:last-child { border-left-color: transparent; }
  .node {
    position: relative; padding: 12px 16px; border-radius: 8px;
    border: 1px solid var(--border); background: var(--bg-secondary);
    font-size: 12px; cursor: pointer; transition: all 0.2s;
    min-width: 180px; max-width: 260px; margin: 4px 0;
  }
  .node:hover {
    border-color: var(--cyan); transform: translateY(-1px);
    box-shadow: 0 4px 12px rgba(0,0,0,0.3);
  }
  .node.selected {
    border-color: var(--cyan);
    box-shadow: 0 0 0 1px var(--cyan), 0 4px 16px rgba(88,166,255,0.15);
  }
  .node-title { font-weight: 600; font-size: 12px; margin-bottom: 4px; color: var(--text-bright); }
  .node-desc { font-size: 11px; color: var(--text-dim); line-height: 1.5; }
  .node.api { border-left: 3px solid var(--cyan); }
  .node.transform { border-left: 3px solid var(--purple); }
  .node.db { border-left: 3px solid var(--green); }
  .node.decision { border-left: 3px solid var(--amber); }
  .node.error { border-left: 3px solid var(--red); }
  .node.queue { border-left: 3px solid var(--pink); }
  .arrow {
    display: flex; align-items: center; padding: 0 6px;
    color: var(--text-dim); font-size: 16px; flex-shrink: 0;
  }
  .arrow-down {
    display: flex; justify-content: center; padding: 4px 0;
    color: var(--text-dim); font-size: 16px; margin-left: 14px;
    padding-left: 26px; border-left: 2px solid var(--border);
  }
  .branch-container {
    margin-left: 14px; padding-left: 26px;
    border-left: 2px solid var(--border); padding-bottom: 8px;
  }
  .branch-row { display: flex; gap: 12px; margin: 8px 0; flex-wrap: wrap; }
  .branch-label {
    font-size: 11px; font-weight: 600; margin: 8px 0 4px;
    display: flex; align-items: center; gap: 6px;
  }
  .branch-label.success { color: var(--green); }
  .branch-label.error { color: var(--red); }
  .branch-label.retry { color: var(--amber); }
  .diff-badge {
    display: inline-block; font-size: 10px; padding: 2px 6px;
    border-radius: 4px; margin-top: 6px; font-weight: 600;
  }
  .diff-badge.changed { background: var(--amber-dim); color: var(--amber); }
  .diff-badge.same { background: var(--green-dim); color: var(--green); }
  .detail-panel {
    position: fixed; right: 0; top: 0; bottom: 0; width: 380px;
    background: var(--bg-secondary); border-left: 1px solid var(--border);
    transform: translateX(100%); transition: transform 0.25s ease;
    z-index: 100; display: flex; flex-direction: column; overflow: hidden;
  }
  .detail-panel.open { transform: translateX(0); }
  .detail-header {
    padding: 16px 20px; border-bottom: 1px solid var(--border);
    display: flex; align-items: center; justify-content: space-between;
  }
  .detail-header h2 { font-size: 14px; font-weight: 600; color: var(--text-bright); }
  .detail-close {
    cursor: pointer; color: var(--text-dim); font-size: 18px;
    background: none; border: none; padding: 4px 8px; border-radius: 4px;
  }
  .detail-close:hover { background: var(--bg-tertiary); color: var(--text); }
  .detail-body { flex: 1; overflow-y: auto; padding: 20px; }
  .detail-section { margin-bottom: 20px; }
  .detail-section h3 {
    font-size: 11px; text-transform: uppercase; letter-spacing: 0.8px;
    color: var(--text-dim); margin-bottom: 8px;
  }
  .detail-section p { font-size: 12px; line-height: 1.7; color: var(--text); }
  .sql-block {
    background: var(--bg); border: 1px solid var(--border); border-radius: 6px;
    padding: 12px; font-size: 11px; line-height: 1.6; color: var(--green);
    overflow-x: auto; white-space: pre; margin-top: 8px;
  }
  .detail-tag {
    display: inline-block; font-size: 10px; padding: 2px 8px;
    border-radius: 10px; margin: 2px 4px 2px 0;
  }
  .detail-tag.file { background: var(--purple-dim); color: var(--purple); }
  .detail-tag.type-api { background: var(--cyan-dim); color: var(--cyan); }
  .detail-tag.type-db { background: var(--green-dim); color: var(--green); }
  .detail-tag.type-transform { background: var(--purple-dim); color: var(--purple); }
  .detail-tag.type-decision { background: var(--amber-dim); color: var(--amber); }
  .detail-tag.type-error { background: var(--red-dim); color: var(--red); }
  .detail-tag.type-queue { background: rgba(247,120,186,0.15); color: var(--pink); }
  .watermark-panel { border-top: 1px solid var(--border); background: var(--bg-secondary); }
  .watermark-toggle {
    padding: 10px 24px; cursor: pointer; font-size: 12px; color: var(--text-dim);
    display: flex; align-items: center; gap: 8px; user-select: none;
  }
  .watermark-toggle:hover { color: var(--text); }
  .watermark-toggle .chevron { transition: transform 0.2s; font-size: 10px; }
  .watermark-toggle .chevron.open { transform: rotate(180deg); }
  .watermark-content { display: none; padding: 0 24px 16px; max-height: 260px; overflow-y: auto; }
  .watermark-content.open { display: block; }
  .wm-table { width: 100%; border-collapse: collapse; font-size: 11px; }
  .wm-table th {
    text-align: left; padding: 6px 12px; color: var(--text-dim); font-weight: 600;
    border-bottom: 1px solid var(--border); font-size: 10px;
    text-transform: uppercase; letter-spacing: 0.5px;
  }
  .wm-table td { padding: 6px 12px; border-bottom: 1px solid var(--border); color: var(--text); }
  .wm-table td:first-child { color: var(--cyan); font-weight: 600; }
  .wm-table td:nth-child(2) { color: var(--green); }
  .overview-pipeline { display: flex; gap: 0; align-items: stretch; margin: 24px 0; flex-wrap: wrap; }
  .overview-stage {
    flex: 1; min-width: 200px; background: var(--bg-secondary);
    border: 1px solid var(--border); border-radius: 10px; padding: 20px;
    cursor: pointer; transition: all 0.2s;
  }
  .overview-stage:hover {
    border-color: var(--cyan); transform: translateY(-2px);
    box-shadow: 0 6px 20px rgba(0,0,0,0.3);
  }
  .overview-arrow { display: flex; align-items: center; padding: 0 8px; font-size: 20px; color: var(--text-dim); }
  .stage-num { font-size: 10px; font-weight: 700; text-transform: uppercase; letter-spacing: 1px; margin-bottom: 8px; }
  .stage-title { font-size: 15px; font-weight: 700; color: var(--text-bright); margin-bottom: 6px; }
  .stage-desc { font-size: 11px; color: var(--text-dim); line-height: 1.6; }
  .stage-detail {
    margin-top: 12px; padding-top: 12px; border-top: 1px solid var(--border);
    font-size: 11px; color: var(--text-dim); line-height: 1.6;
  }
  .stage-detail code {
    color: var(--amber); background: var(--amber-dim); padding: 1px 5px;
    border-radius: 3px; font-size: 10px;
  }
  .info-box {
    background: var(--bg-tertiary); border: 1px solid var(--border);
    border-radius: 8px; padding: 16px; margin: 16px 0; font-size: 12px; line-height: 1.7;
  }
  .info-box-title { font-weight: 600; color: var(--cyan); margin-bottom: 6px; display: flex; align-items: center; gap: 6px; }
  .info-box ul { margin-left: 16px; color: var(--text-dim); }
  .info-box li { margin: 4px 0; }
  .info-box code {
    color: var(--amber); background: var(--amber-dim);
    padding: 1px 5px; border-radius: 3px; font-size: 11px;
  }
  .legend {
    display: flex; gap: 16px; flex-wrap: wrap; margin-bottom: 24px;
    padding: 12px 16px; background: var(--bg-secondary);
    border: 1px solid var(--border); border-radius: 8px;
  }
  .legend-item { display: flex; align-items: center; gap: 6px; font-size: 11px; color: var(--text-dim); }
  .legend-color { width: 12px; height: 3px; border-radius: 2px; }
  ::-webkit-scrollbar { width: 8px; height: 8px; }
  ::-webkit-scrollbar-track { background: transparent; }
  ::-webkit-scrollbar-thumb { background: var(--border); border-radius: 4px; }
  ::-webkit-scrollbar-thumb:hover { background: var(--text-dim); }
 </style>
 </head>
 <body>
 <div class="sidebar">
  <div class="logo">
    <svg viewBox="0 0 20 20" fill="none" stroke="currentColor" stroke-width="1.5">
      <circle cx="10" cy="10" r="8"/><path d="M10 6v4l3 2"/>
    </svg>
    lore sync
  </div>
  <div class="sidebar-title">Entity Flows</div>
  <div class="nav-item active" data-view="overview" onclick="switchView('overview')">
    <div class="nav-dot" style="background:var(--cyan)"></div>Full Sync Overview
  </div>
  <div class="nav-item" data-view="issues" onclick="switchView('issues')">
    <div class="nav-dot" style="background:var(--green)"></div>Issues
  </div>
  <div class="nav-item" data-view="mrs" onclick="switchView('mrs')">
    <div class="nav-dot" style="background:var(--purple)"></div>Merge Requests
  </div>
  <div class="nav-item" data-view="docs" onclick="switchView('docs')">
    <div class="nav-dot" style="background:var(--amber)"></div>Documents
  </div>
  <div class="nav-item" data-view="embed" onclick="switchView('embed')">
    <div class="nav-dot" style="background:var(--pink)"></div>Embeddings
  </div>
 </div>
 <div class="main">
  <div class="header">
    <h1 id="view-title">Full Sync Overview</h1>
    <span class="header-badge" id="view-badge">4 stages</span>
  </div>
  <div class="canvas-wrapper"><div class="canvas">
    <!-- OVERVIEW -->
    <div class="flow-container active" id="view-overview">
      <div class="overview-pipeline">
        <div class="overview-stage" onclick="switchView('issues')">
          <div class="stage-num" style="color:var(--green)">Stage 1</div>
          <div class="stage-title">Ingest Issues</div>
          <div class="stage-desc">Fetch issues + discussions + resource events from GitLab API</div>
          <div class="stage-detail">Cursor-based incremental sync.<br>Sequential discussion fetch.<br>Queue-based resource events.</div>
        </div>
        <div class="overview-arrow">&rarr;</div>
        <div class="overview-stage" onclick="switchView('mrs')">
          <div class="stage-num" style="color:var(--purple)">Stage 2</div>
          <div class="stage-title">Ingest MRs</div>
          <div class="stage-desc">Fetch merge requests + discussions + resource events</div>
          <div class="stage-detail">Page-based incremental sync.<br>Parallel prefetch discussions.<br>Queue-based resource events.</div>
        </div>
        <div class="overview-arrow">&rarr;</div>
        <div class="overview-stage" onclick="switchView('docs')">
          <div class="stage-num" style="color:var(--amber)">Stage 3</div>
          <div class="stage-title">Generate Docs</div>
          <div class="stage-desc">Regenerate searchable documents for changed entities</div>
          <div class="stage-detail">Driven by <code>dirty_sources</code> table.<br>Triple-hash skip optimization.<br>FTS5 index auto-updated.</div>
        </div>
        <div class="overview-arrow">&rarr;</div>
        <div class="overview-stage" onclick="switchView('embed')">
          <div class="stage-num" style="color:var(--pink)">Stage 4</div>
          <div class="stage-title">Embed</div>
          <div class="stage-desc">Generate vector embeddings via Ollama for semantic search</div>
          <div class="stage-detail">Hash-based change detection.<br>Chunked, batched API calls.<br><b>Non-fatal</b> &mdash; graceful if Ollama down.</div>
        </div>
      </div>
      <div class="info-box">
        <div class="info-box-title">Concurrency Model</div>
        <ul>
          <li>Stages 1 &amp; 2 process <b>projects concurrently</b> via <code>buffer_unordered(primary_concurrency)</code></li>
          <li>Each project gets its own <b>SQLite connection</b>; rate limiter is <b>shared</b></li>
          <li>Discussions: <b>sequential</b> (issues) or <b>batched parallel prefetch</b> (MRs)</li>
          <li>Resource events use a <b>persistent job queue</b> with atomic claim + exponential backoff</li>
        </ul>
      </div>
      <div class="info-box">
        <div class="info-box-title">Sync Flags</div>
        <ul>
          <li><code>--full</code> &mdash; Resets all cursors &amp; watermarks, forces complete re-fetch</li>
          <li><code>--no-docs</code> &mdash; Skips Stage 3 (document generation)</li>
          <li><code>--no-embed</code> &mdash; Skips Stage 4 (embedding generation)</li>
          <li><code>--force</code> &mdash; Overrides stale single-flight lock</li>
          <li><code>--project &lt;path&gt;</code> &mdash; Sync only one project (fuzzy matching)</li>
        </ul>
      </div>
      <div class="info-box">
        <div class="info-box-title">Single-Flight Lock</div>
        <ul>
          <li>Table-based lock (<code>AppLock</code>) prevents concurrent syncs</li>
          <li>Heartbeat keeps the lock alive; stale locks auto-detected</li>
          <li>Use <code>--force</code> to override a stale lock</li>
        </ul>
      </div>
    </div>
    <!-- ISSUES -->
    <div class="flow-container" id="view-issues">
      <div class="legend">
        <div class="legend-item"><div class="legend-color" style="background:var(--cyan)"></div>API Call</div>
        <div class="legend-item"><div class="legend-color" style="background:var(--purple)"></div>Transform</div>
        <div class="legend-item"><div class="legend-color" style="background:var(--green)"></div>Database</div>
        <div class="legend-item"><div class="legend-color" style="background:var(--amber)"></div>Decision</div>
        <div class="legend-item"><div class="legend-color" style="background:var(--red)"></div>Error Path</div>
        <div class="legend-item"><div class="legend-color" style="background:var(--pink)"></div>Queue</div>
      </div>
      <div class="phase">
        <div class="phase-header">
          <div class="phase-number" style="background:var(--cyan-dim);color:var(--cyan)">1</div>
          <div class="phase-title">Fetch Issues <span class="phase-subtitle">Cursor-Based Incremental Sync</span></div>
        </div>
        <div class="flow-row">
          <div class="node api" data-detail="issue-api-call"><div class="node-title">GitLab API Call</div><div class="node-desc">paginate_issues() with<br>updated_after = cursor - rewind</div></div>
          <div class="arrow">&rarr;</div>
          <div class="node decision" data-detail="issue-cursor-filter"><div class="node-title">Cursor Filter</div><div class="node-desc">updated_at &gt; cursor_ts<br>OR tie_breaker check</div></div>
          <div class="arrow">&rarr;</div>
          <div class="node transform" data-detail="issue-transform"><div class="node-title">transform_issue()</div><div class="node-desc">GitLab API shape &rarr;<br>local DB row shape</div></div>
          <div class="arrow">&rarr;</div>
          <div class="node db" data-detail="issue-transaction"><div class="node-title">Transaction</div><div class="node-desc">store_payload &rarr; upsert &rarr;<br>mark_dirty &rarr; relink</div></div>
        </div>
        <div class="arrow-down">&darr;</div>
        <div class="flow-row">
          <div class="node db" data-detail="issue-cursor-update"><div class="node-title">Update Cursor</div><div class="node-desc">Every 100 issues + final<br>sync_cursors table</div></div>
        </div>
      </div>
      <div class="phase">
        <div class="phase-header">
          <div class="phase-number" style="background:var(--green-dim);color:var(--green)">2</div>
          <div class="phase-title">Discussion Sync <span class="phase-subtitle">Sequential, Watermark-Based</span></div>
        </div>
        <div class="flow-row">
          <div class="node db" data-detail="issue-disc-query"><div class="node-title">Query Stale Issues</div><div class="node-desc">updated_at &gt; COALESCE(<br>discussions_synced_for_<br>updated_at, 0)</div></div>
          <div class="arrow">&rarr;</div>
          <div class="node api" data-detail="issue-disc-fetch"><div class="node-title">Paginate Discussions</div><div class="node-desc">Sequential per issue<br>paginate_issue_discussions()</div></div>
          <div class="arrow">&rarr;</div>
          <div class="node transform" data-detail="issue-disc-transform"><div class="node-title">Transform</div><div class="node-desc">transform_discussion()<br>transform_notes()</div></div>
          <div class="arrow">&rarr;</div>
          <div class="node db" data-detail="issue-disc-write"><div class="node-title">Write Discussion</div><div class="node-desc">store_payload &rarr; upsert<br>DELETE notes &rarr; INSERT notes</div></div>
        </div>
        <div class="branch-container">
          <div class="branch-label success">&#10003; On Success (all pages fetched)</div>
          <div class="branch-row">
            <div class="node db" data-detail="issue-disc-stale"><div class="node-title">Remove Stale</div><div class="node-desc">DELETE discussions not<br>seen in this fetch</div></div>
            <div class="arrow">&rarr;</div>
            <div class="node db" data-detail="issue-disc-watermark"><div class="node-title">Advance Watermark</div><div class="node-desc">discussions_synced_for_<br>updated_at = updated_at</div></div>
          </div>
          <div class="branch-label error">&#10007; On Pagination Error</div>
          <div class="branch-row">
            <div class="node error" data-detail="issue-disc-fail"><div class="node-title">Skip Stale Removal</div><div class="node-desc">Watermark NOT advanced<br>Will retry next sync</div></div>
          </div>
        </div>
      </div>
      <div class="phase">
        <div class="phase-header">
          <div class="phase-number" style="background:rgba(247,120,186,0.15);color:var(--pink)">3</div>
          <div class="phase-title">Resource Events <span class="phase-subtitle">Queue-Based, Concurrent Fetch</span></div>
        </div>
        <div class="flow-row">
          <div class="node queue" data-detail="re-cleanup"><div class="node-title">Cleanup Obsolete</div><div class="node-desc">DELETE jobs where entity<br>watermark is current</div></div>
          <div class="arrow">&rarr;</div>
          <div class="node queue" data-detail="re-enqueue"><div class="node-title">Enqueue Jobs</div><div class="node-desc">INSERT for entities where<br>updated_at &gt; watermark</div></div>
          <div class="arrow">&rarr;</div>
          <div class="node queue" data-detail="re-claim"><div class="node-title">Claim Jobs</div><div class="node-desc">Atomic UPDATE...RETURNING<br>with lock acquisition</div></div>
          <div class="arrow">&rarr;</div>
          <div class="node api" data-detail="re-fetch"><div class="node-title">Fetch Events</div><div class="node-desc">3 concurrent: state +<br>label + milestone</div></div>
        </div>
        <div class="branch-container">
          <div class="branch-label success">&#10003; On Success</div>
          <div class="branch-row">
            <div class="node db" data-detail="re-store"><div class="node-title">Store Events</div><div class="node-desc">Transaction: upsert all<br>3 event types</div></div>
            <div class="arrow">&rarr;</div>
            <div class="node db" data-detail="re-complete"><div class="node-title">Complete + Watermark</div><div class="node-desc">DELETE job row<br>Advance watermark</div></div>
          </div>
          <div class="branch-label error">&#10007; Permanent Error (404 / 403)</div>
          <div class="branch-row">
            <div class="node error" data-detail="re-permanent"><div class="node-title">Skip Permanently</div><div class="node-desc">complete_job + advance<br>watermark (coalesced)</div></div>
          </div>
          <div class="branch-label retry">&#8635; Transient Error</div>
          <div class="branch-row">
            <div class="node error" data-detail="re-transient"><div class="node-title">Backoff Retry</div><div class="node-desc">fail_job: 30s x 2^(n-1)<br>capped at 480s</div></div>
          </div>
        </div>
      </div>
    </div>
    <!-- MERGE REQUESTS -->
    <div class="flow-container" id="view-mrs">
      <div class="legend">
        <div class="legend-item"><div class="legend-color" style="background:var(--cyan)"></div>API Call</div>
        <div class="legend-item"><div class="legend-color" style="background:var(--purple)"></div>Transform</div>
        <div class="legend-item"><div class="legend-color" style="background:var(--green)"></div>Database</div>
        <div class="legend-item"><div class="legend-color" style="background:var(--amber)"></div>Diff from Issues</div>
        <div class="legend-item"><div class="legend-color" style="background:var(--red)"></div>Error Path</div>
        <div class="legend-item"><div class="legend-color" style="background:var(--pink)"></div>Queue</div>
      </div>
      <div class="phase">
        <div class="phase-header">
          <div class="phase-number" style="background:var(--cyan-dim);color:var(--cyan)">1</div>
          <div class="phase-title">Fetch MRs <span class="phase-subtitle">Page-Based Incremental Sync</span></div>
        </div>
        <div class="flow-row">
          <div class="node api" data-detail="mr-api-call"><div class="node-title">GitLab API Call</div><div class="node-desc">fetch_merge_requests_page()<br>with cursor rewind</div><div class="diff-badge changed">Page-based, not streaming</div></div>
          <div class="arrow">&rarr;</div>
          <div class="node decision" data-detail="mr-cursor-filter"><div class="node-title">Cursor Filter</div><div class="node-desc">Same logic as issues:<br>timestamp + tie-breaker</div><div class="diff-badge same">Same as issues</div></div>
          <div class="arrow">&rarr;</div>
          <div class="node transform" data-detail="mr-transform"><div class="node-title">transform_merge_request()</div><div class="node-desc">Maps API shape &rarr;<br>local DB row</div></div>
          <div class="arrow">&rarr;</div>
          <div class="node db" data-detail="mr-transaction"><div class="node-title">Transaction</div><div class="node-desc">store &rarr; upsert &rarr; dirty &rarr;<br>labels + assignees + reviewers</div><div class="diff-badge changed">3 junction tables (not 2)</div></div>
        </div>
        <div class="arrow-down">&darr;</div>
        <div class="flow-row">
          <div class="node db" data-detail="mr-cursor-update"><div class="node-title">Update Cursor</div><div class="node-desc">Per page (not every 100)</div><div class="diff-badge changed">Per page boundary</div></div>
        </div>
      </div>
      <div class="phase">
        <div class="phase-header">
          <div class="phase-number" style="background:var(--green-dim);color:var(--green)">2</div>
          <div class="phase-title">MR Discussion Sync <span class="phase-subtitle">Parallel Prefetch + Serial Write</span></div>
        </div>
        <div class="info-box" style="margin-left:40px;margin-bottom:16px;">
          <div class="info-box-title">Key Differences from Issue Discussions</div>
          <ul>
            <li><b>Parallel prefetch</b> &mdash; fetches all discussions for a batch concurrently via <code>join_all()</code></li>
            <li><b>Upsert pattern</b> &mdash; notes use INSERT...ON CONFLICT (not delete-all + re-insert)</li>
            <li><b>Sweep stale</b> &mdash; uses <code>last_seen_at</code> timestamp comparison (not set difference)</li>
            <li><b>Sync health tracking</b> &mdash; records <code>discussions_sync_attempts</code> and <code>last_error</code></li>
          </ul>
        </div>
        <div class="flow-row">
          <div class="node db" data-detail="mr-disc-query"><div class="node-title">Query Stale MRs</div><div class="node-desc">updated_at &gt; COALESCE(<br>discussions_synced_for_<br>updated_at, 0)</div><div class="diff-badge same">Same watermark logic</div></div>
          <div class="arrow">&rarr;</div>
          <div class="node decision" data-detail="mr-disc-batch"><div class="node-title">Batch by Concurrency</div><div class="node-desc">dependent_concurrency<br>MRs per batch</div><div class="diff-badge changed">Batched processing</div></div>
        </div>
        <div class="arrow-down">&darr;</div>
        <div class="flow-row">
          <div class="node api" data-detail="mr-disc-prefetch"><div class="node-title">Parallel Prefetch</div><div class="node-desc">join_all() fetches all<br>discussions for batch</div><div class="diff-badge changed">Parallel (not sequential)</div></div>
          <div class="arrow">&rarr;</div>
          <div class="node transform" data-detail="mr-disc-transform"><div class="node-title">Transform In-Memory</div><div class="node-desc">transform_mr_discussion()<br>+ diff position notes</div></div>
          <div class="arrow">&rarr;</div>
          <div class="node db" data-detail="mr-disc-write"><div class="node-title">Serial Write</div><div class="node-desc">upsert discussion<br>upsert notes (ON CONFLICT)</div><div class="diff-badge changed">Upsert, not delete+insert</div></div>
        </div>
        <div class="branch-container">
          <div class="branch-label success">&#10003; On Full Success</div>
          <div class="branch-row">
            <div class="node db" data-detail="mr-disc-sweep"><div class="node-title">Sweep Stale</div><div class="node-desc">DELETE WHERE last_seen_at<br>&lt; run_seen_at (disc + notes)</div><div class="diff-badge changed">last_seen_at sweep</div></div>
            <div class="arrow">&rarr;</div>
            <div class="node db" data-detail="mr-disc-watermark"><div class="node-title">Advance Watermark</div><div class="node-desc">discussions_synced_for_<br>updated_at = updated_at</div></div>
          </div>
          <div class="branch-label error">&#10007; On Failure</div>
          <div class="branch-row">
            <div class="node error" data-detail="mr-disc-fail"><div class="node-title">Record Sync Health</div><div class="node-desc">Watermark NOT advanced<br>Tracks attempts + last_error</div><div class="diff-badge changed">Health tracking</div></div>
          </div>
        </div>
      </div>
      <div class="phase">
        <div class="phase-header">
          <div class="phase-number" style="background:rgba(247,120,186,0.15);color:var(--pink)">3</div>
          <div class="phase-title">Resource Events <span class="phase-subtitle">Same as Issues</span></div>
        </div>
        <div class="info-box" style="margin-left:40px">
          <div class="info-box-title">Identical to Issue Resource Events</div>
          <ul>
            <li>Same queue-based approach: cleanup &rarr; enqueue &rarr; claim &rarr; fetch &rarr; store/fail</li>
            <li>Same watermark column: <code>resource_events_synced_for_updated_at</code></li>
            <li>Same error handling: 404/403 coalesced to empty, transient errors get backoff</li>
            <li>entity_type = <code>"merge_request"</code> instead of <code>"issue"</code></li>
          </ul>
        </div>
      </div>
    </div>
    <!-- DOCUMENTS -->
    <div class="flow-container" id="view-docs">
      <div class="legend">
        <div class="legend-item"><div class="legend-color" style="background:var(--cyan)"></div>Trigger</div>
        <div class="legend-item"><div class="legend-color" style="background:var(--purple)"></div>Extract</div>
        <div class="legend-item"><div class="legend-color" style="background:var(--green)"></div>Database</div>
        <div class="legend-item"><div class="legend-color" style="background:var(--amber)"></div>Decision</div>
        <div class="legend-item"><div class="legend-color" style="background:var(--red)"></div>Error</div>
      </div>
      <div class="phase">
        <div class="phase-header">
          <div class="phase-number" style="background:var(--cyan-dim);color:var(--cyan)">1</div>
          <div class="phase-title">Dirty Source Queue <span class="phase-subtitle">Populated During Ingestion</span></div>
        </div>
        <div class="flow-row">
          <div class="node api" data-detail="doc-trigger"><div class="node-title">mark_dirty_tx()</div><div class="node-desc">Called during every issue/<br>MR/discussion upsert</div></div>
          <div class="arrow">&rarr;</div>
          <div class="node db" data-detail="doc-dirty-table"><div class="node-title">dirty_sources Table</div><div class="node-desc">INSERT (source_type, source_id)<br>ON CONFLICT reset backoff</div></div>
        </div>
      </div>
      <div class="phase">
        <div class="phase-header">
          <div class="phase-number" style="background:var(--amber-dim);color:var(--amber)">2</div>
          <div class="phase-title">Drain Loop <span class="phase-subtitle">Batch 500, Respects Backoff</span></div>
        </div>
        <div class="flow-row">
          <div class="node db" data-detail="doc-drain"><div class="node-title">Get Dirty Sources</div><div class="node-desc">Batch 500, ORDER BY<br>attempt_count, queued_at</div></div>
          <div class="arrow">&rarr;</div>
          <div class="node decision" data-detail="doc-dispatch"><div class="node-title">Dispatch by Type</div><div class="node-desc">issue / mr / discussion<br>&rarr; extract function</div></div>
          <div class="arrow">&rarr;</div>
          <div class="node decision" data-detail="doc-deleted-check"><div class="node-title">Source Exists?</div><div class="node-desc">If deleted: remove doc row<br>(cascade cleans FTS + embeds)</div></div>
        </div>
        <div class="arrow-down">&darr;</div>
        <div class="flow-row">
          <div class="node transform" data-detail="doc-extract"><div class="node-title">Extract Content</div><div class="node-desc">Structured text:<br>header + metadata + body</div></div>
          <div class="arrow">&rarr;</div>
          <div class="node decision" data-detail="doc-triple-hash"><div class="node-title">Triple-Hash Check</div><div class="node-desc">content_hash + labels_hash<br>+ paths_hash all match?</div></div>
          <div class="arrow">&rarr;</div>
          <div class="node db" data-detail="doc-write"><div class="node-title">SAVEPOINT Write</div><div class="node-desc">Atomic: document row +<br>labels + paths</div></div>
        </div>
        <div class="branch-container">
          <div class="branch-label success">&#10003; On Success</div>
          <div class="branch-row">
            <div class="node db" data-detail="doc-clear"><div class="node-title">clear_dirty()</div><div class="node-desc">Remove from dirty_sources</div></div>
          </div>
          <div class="branch-label error">&#10007; On Error</div>
          <div class="branch-row">
            <div class="node error" data-detail="doc-error"><div class="node-title">record_dirty_error()</div><div class="node-desc">Increment attempt_count<br>Exponential backoff</div></div>
          </div>
          <div class="branch-label" style="color:var(--purple)">&#8801; Triple-Hash Match (skip)</div>
          <div class="branch-row">
            <div class="node db" data-detail="doc-skip"><div class="node-title">Skip Write</div><div class="node-desc">All 3 hashes match &rarr;<br>no WAL churn, clear dirty</div></div>
          </div>
        </div>
      </div>
      <div class="info-box">
        <div class="info-box-title">Full Mode (<code>--full</code>)</div>
        <ul>
          <li>Seeds <b>ALL</b> entities into <code>dirty_sources</code> via keyset pagination</li>
          <li>Triple-hash optimization prevents redundant writes even in full mode</li>
          <li>Runs FTS <code>OPTIMIZE</code> after drain completes</li>
        </ul>
      </div>
    </div>
    <!-- EMBEDDINGS -->
    <div class="flow-container" id="view-embed">
      <div class="legend">
        <div class="legend-item"><div class="legend-color" style="background:var(--cyan)"></div>API (Ollama)</div>
        <div class="legend-item"><div class="legend-color" style="background:var(--purple)"></div>Processing</div>
        <div class="legend-item"><div class="legend-color" style="background:var(--green)"></div>Database</div>
        <div class="legend-item"><div class="legend-color" style="background:var(--amber)"></div>Decision</div>
        <div class="legend-item"><div class="legend-color" style="background:var(--red)"></div>Error</div>
      </div>
      <div class="phase">
        <div class="phase-header">
          <div class="phase-number" style="background:var(--amber-dim);color:var(--amber)">1</div>
          <div class="phase-title">Change Detection <span class="phase-subtitle">Hash + Config Drift</span></div>
        </div>
        <div class="flow-row">
          <div class="node decision" data-detail="embed-detect"><div class="node-title">find_pending_documents()</div><div class="node-desc">No metadata row? OR<br>document_hash mismatch? OR<br>config drift?</div></div>
          <div class="arrow">&rarr;</div>
          <div class="node db" data-detail="embed-paginate"><div class="node-title">Keyset Pagination</div><div class="node-desc">500 documents per page<br>ordered by doc ID</div></div>
        </div>
      </div>
      <div class="phase">
        <div class="phase-header">
          <div class="phase-number" style="background:var(--purple-dim);color:var(--purple)">2</div>
          <div class="phase-title">Chunking <span class="phase-subtitle">Split + Overflow Guard</span></div>
        </div>
        <div class="flow-row">
          <div class="node transform" data-detail="embed-chunk"><div class="node-title">split_into_chunks()</div><div class="node-desc">Split by paragraph boundaries<br>with configurable overlap</div></div>
          <div class="arrow">&rarr;</div>
          <div class="node decision" data-detail="embed-overflow"><div class="node-title">Overflow Guard</div><div class="node-desc">Too many chunks?<br>Skip to prevent rowid collision</div></div>
          <div class="arrow">&rarr;</div>
          <div class="node transform" data-detail="embed-work"><div class="node-title">Build ChunkWork</div><div class="node-desc">Assign encoded chunk IDs<br>per document</div></div>
        </div>
      </div>
      <div class="phase">
        <div class="phase-header">
          <div class="phase-number" style="background:var(--cyan-dim);color:var(--cyan)">3</div>
          <div class="phase-title">Ollama Embedding <span class="phase-subtitle">Batched API Calls</span></div>
        </div>
        <div class="flow-row">
          <div class="node api" data-detail="embed-batch"><div class="node-title">Batch Embed</div><div class="node-desc">32 chunks per Ollama<br>API call</div></div>
          <div class="arrow">&rarr;</div>
          <div class="node db" data-detail="embed-store"><div class="node-title">Store Vectors</div><div class="node-desc">sqlite-vec embeddings table<br>+ embedding_metadata</div></div>
        </div>
        <div class="branch-container">
          <div class="branch-label success">&#10003; On Success</div>
          <div class="branch-row">
            <div class="node db" data-detail="embed-success"><div class="node-title">SAVEPOINT Commit</div><div class="node-desc">Atomic per page:<br>clear old + write new</div></div>
          </div>
          <div class="branch-label retry">&#8635; Context-Length Error</div>
          <div class="branch-row">
            <div class="node error" data-detail="embed-ctx-error"><div class="node-title">Retry Individually</div><div class="node-desc">Re-embed each chunk solo<br>to isolate oversized one</div></div>
          </div>
          <div class="branch-label error">&#10007; Other Error</div>
          <div class="branch-row">
            <div class="node error" data-detail="embed-other-error"><div class="node-title">Record Error</div><div class="node-desc">Store in embedding_metadata<br>for retry next run</div></div>
          </div>
        </div>
      </div>
      <div class="info-box">
        <div class="info-box-title">Full Mode (<code>--full</code>)</div>
        <ul>
          <li>DELETEs all <code>embedding_metadata</code> and <code>embeddings</code> rows first</li>
          <li>Every document re-processed from scratch</li>
        </ul>
      </div>
      <div class="info-box">
        <div class="info-box-title">Non-Fatal in Sync</div>
        <ul>
          <li>Stage 4 failures (Ollama down, model missing) are <b>graceful</b></li>
          <li>Sync completes successfully; embeddings just won't be updated</li>
          <li>Semantic search degrades to FTS-only mode</li>
        </ul>
      </div>
    </div>
  </div></div>
  <!-- Watermark Panel -->
  <div class="watermark-panel">
    <div class="watermark-toggle" onclick="toggleWatermarks()">
      <span class="chevron" id="wm-chevron">&#9650;</span>
      Watermark &amp; Cursor Reference
    </div>
    <div class="watermark-content" id="wm-content">
      <table class="wm-table">
        <thead><tr><th>Table</th><th>Column(s)</th><th>Purpose</th></tr></thead>
        <tbody>
          <tr><td>sync_cursors</td><td>updated_at_cursor + tie_breaker_id</td><td>Incremental fetch: "last entity we saw" per project+type</td></tr>
          <tr><td>issues</td><td>discussions_synced_for_updated_at</td><td>Per-issue discussion watermark</td></tr>
          <tr><td>issues</td><td>resource_events_synced_for_updated_at</td><td>Per-issue resource event watermark</td></tr>
          <tr><td>merge_requests</td><td>discussions_synced_for_updated_at</td><td>Per-MR discussion watermark</td></tr>
          <tr><td>merge_requests</td><td>resource_events_synced_for_updated_at</td><td>Per-MR resource event watermark</td></tr>
          <tr><td>dirty_sources</td><td>queued_at + next_attempt_at</td><td>Document regeneration queue with backoff</td></tr>
          <tr><td>embedding_metadata</td><td>document_hash + chunk_max_bytes + model + dims</td><td>Embedding staleness detection</td></tr>
          <tr><td>pending_dependent_fetches</td><td>locked_at + next_retry_at + attempts</td><td>Resource event job queue with backoff</td></tr>
        </tbody>
      </table>
    </div>
  </div>
 </div>
 <!-- Detail Panel -->
 <div class="detail-panel" id="detail-panel">
  <div class="detail-header">
    <h2 id="detail-title">Node Details</h2>
    <button class="detail-close" onclick="closeDetail()">&times;</button>
  </div>
  <div class="detail-body" id="detail-body"></div>
 </div>
 <script>
 const viewTitles = {
  overview: 'Full Sync Overview', issues: 'Issue Ingestion Flow',
  mrs: 'Merge Request Ingestion Flow', docs: 'Document Generation Flow',
  embed: 'Embedding Generation Flow',
 };
 const viewBadges = {
  overview: '4 stages', issues: '3 phases', mrs: '3 phases',
  docs: '2 phases', embed: '3 phases',
 };
 function switchView(view) {
  document.querySelectorAll('.flow-container').forEach(function(el) { el.classList.remove('active'); });
  document.getElementById('view-' + view).classList.add('active');
  document.querySelectorAll('.nav-item').forEach(function(el) {
    el.classList.toggle('active', el.dataset.view === view);
  });
  document.getElementById('view-title').textContent = viewTitles[view];
  document.getElementById('view-badge').textContent = viewBadges[view];
  closeDetail();
 }
 function toggleWatermarks() {
  document.getElementById('wm-content').classList.toggle('open');
  document.getElementById('wm-chevron').classList.toggle('open');
 }
 var details = {
  'issue-api-call': { title: 'GitLab API: Paginate Issues', type: 'api', file: 'src/ingestion/issues.rs:51-140', desc: 'Streams issues from the GitLab API using cursor-based incremental sync. The API is called with updated_after set to the last known cursor minus a configurable rewind window (to handle clock skew between GitLab and the local database).', sql: 'GET /api/v4/projects/{id}/issues\n  ?updated_after={cursor - rewind_seconds}\n  &order_by=updated_at&sort=asc\n  &per_page=100' },
  'issue-cursor-filter': { title: 'Cursor Filter (Dedup)', type: 'decision', file: 'src/ingestion/issues.rs:95-110', desc: 'Because of the cursor rewind, some issues will be re-fetched that we already have. The cursor filter skips these using a two-part comparison: primary on updated_at timestamp, with gitlab_id as a tie-breaker when timestamps are equal.', sql: '// Pseudocode:\nif issue.updated_at > cursor_ts:\n    ACCEPT  // newer than cursor\nelif issue.updated_at == cursor_ts\n     AND issue.gitlab_id > tie_breaker_id:\n    ACCEPT  // same timestamp, higher ID\nelse:\n    SKIP    // already processed' },
  'issue-transform': { title: 'Transform Issue', type: 'transform', file: 'src/gitlab/transformers/issue.rs', desc: 'Maps the GitLab API response shape to the local database row shape. Parses ISO 8601 timestamps to milliseconds-since-epoch, extracts label names, assignee usernames, milestone info, and due dates.' },
  'issue-transaction': { title: 'Issue Write Transaction', type: 'db', file: 'src/ingestion/issues.rs:190-220', desc: 'All operations for a single issue are wrapped in one SQLite transaction for atomicity. If any step fails, the entire issue write is rolled back.', sql: 'BEGIN;\n-- 1. Store raw JSON payload (compressed, deduped)\nINSERT INTO payloads ...;\n-- 2. Upsert issue row\nINSERT INTO issues ... ON CONFLICT(gitlab_id)\n  DO UPDATE SET ...;\n-- 3. Mark dirty for document regen\nINSERT INTO dirty_sources ...;\n-- 4. Relink labels\nDELETE FROM issue_labels WHERE issue_id = ?;\nINSERT INTO labels ... ON CONFLICT DO UPDATE;\nINSERT INTO issue_labels ...;\n-- 5. Relink assignees\nDELETE FROM issue_assignees WHERE issue_id = ?;\nINSERT INTO issue_assignees ...;\nCOMMIT;' },
  'issue-cursor-update': { title: 'Update Sync Cursor', type: 'db', file: 'src/ingestion/issues.rs:130-140', desc: 'The sync cursor is updated every 100 issues (for crash recovery) and once at the end of the stream. If the process crashes mid-sync, it resumes from at most 100 issues back.', sql: 'INSERT INTO sync_cursors\n  (project_id, resource_type,\n   updated_at_cursor, tie_breaker_id)\nVALUES (?1, \'issues\', ?2, ?3)\nON CONFLICT(project_id, resource_type)\n  DO UPDATE SET\n    updated_at_cursor = ?2,\n    tie_breaker_id = ?3;' },
  'issue-disc-query': { title: 'Query Issues Needing Discussion Sync', type: 'db', file: 'src/ingestion/issues.rs:450-471', desc: 'Finds all issues in this project whose updated_at timestamp exceeds their per-row discussion watermark. Issues that have not changed since their last discussion sync are skipped entirely.', sql: 'SELECT id, iid, updated_at\nFROM issues\nWHERE project_id = ?1\n  AND updated_at > COALESCE(\n    discussions_synced_for_updated_at, 0\n  );' },
  'issue-disc-fetch': { title: 'Paginate Issue Discussions', type: 'api', file: 'src/ingestion/discussions.rs:73-205', desc: 'Discussions are fetched sequentially per issue (rusqlite Connection is not Send, so async parallelism is not possible here). Each issue\'s discussions are streamed page by page from the GitLab API.', sql: 'GET /api/v4/projects/{id}/issues/{iid}\n    /discussions?per_page=100' },
  'issue-disc-transform': { title: 'Transform Discussion + Notes', type: 'transform', file: 'src/gitlab/transformers/discussion.rs', desc: 'Transforms the raw GitLab discussion payload into normalized rows. Sets NoteableRef::Issue. Computes resolvable/resolved status, first_note_at/last_note_at timestamps, and per-note position indices.' },
  'issue-disc-write': { title: 'Write Discussion (Full Refresh)', type: 'db', file: 'src/ingestion/discussions.rs:140-180', desc: 'Issue discussions use a full-refresh pattern: all existing notes for a discussion are deleted and re-inserted. This is simpler than upsert but means partial failures lose the previous state.', sql: 'BEGIN;\nINSERT INTO payloads ...;\nINSERT INTO discussions ... ON CONFLICT DO UPDATE;\nINSERT INTO dirty_sources ...;\n-- Full refresh: delete all then re-insert\nDELETE FROM notes WHERE discussion_id = ?;\nINSERT INTO notes VALUES (...);\nCOMMIT;' },
  'issue-disc-stale': { title: 'Remove Stale Discussions', type: 'db', file: 'src/ingestion/discussions.rs:185-195', desc: 'After successfully fetching ALL discussion pages for an issue, any discussions in the DB that were not seen in this fetch are deleted. Uses a temp table for >500 IDs to avoid SQLite\'s 999-variable limit.', sql: '-- For small sets (<= 500):\nDELETE FROM discussions\nWHERE issue_id = ?\n  AND gitlab_id NOT IN (...);\n\n-- For large sets (> 500):\nCREATE TEMP TABLE seen_ids(id TEXT);\nINSERT INTO seen_ids ...;\nDELETE FROM discussions\nWHERE issue_id = ?\n  AND gitlab_id NOT IN\n    (SELECT id FROM seen_ids);\nDROP TABLE seen_ids;' },
  'issue-disc-watermark': { title: 'Advance Discussion Watermark', type: 'db', file: 'src/ingestion/discussions.rs:198', desc: 'Sets the per-issue watermark to the issue\'s current updated_at, signaling that discussions are now synced for this version of the issue.', sql: 'UPDATE issues\nSET discussions_synced_for_updated_at\n    = updated_at\nWHERE id = ?;' },
  'issue-disc-fail': { title: 'Pagination Error Handling', type: 'error', file: 'src/ingestion/discussions.rs:182', desc: 'If pagination fails mid-stream, stale discussion removal is skipped (we don\'t know the full set) and the watermark is NOT advanced. The issue will be retried on the next sync run.' },
  're-cleanup': { title: 'Cleanup Obsolete Jobs', type: 'queue', file: 'src/ingestion/orchestrator.rs:490-520', desc: 'Before enqueuing new jobs, delete any existing jobs for entities whose watermark is already current. These are leftover from a previous run.', sql: 'DELETE FROM pending_dependent_fetches\nWHERE project_id = ?\n  AND job_type = \'resource_events\'\n  AND entity_local_id IN (\n    SELECT id FROM issues\n    WHERE project_id = ?\n      AND updated_at <= COALESCE(\n        resource_events_synced_for_updated_at, 0\n      )\n  );' },
  're-enqueue': { title: 'Enqueue Resource Event Jobs', type: 'queue', file: 'src/ingestion/orchestrator.rs:525-555', desc: 'For each entity whose updated_at exceeds its resource event watermark, insert a job into the queue. Uses INSERT OR IGNORE for idempotency.', sql: 'INSERT OR IGNORE INTO pending_dependent_fetches\n  (project_id, entity_type, entity_iid,\n   entity_local_id, job_type, enqueued_at)\nSELECT project_id, \'issue\', iid, id,\n       \'resource_events\', ?now\nFROM issues\nWHERE project_id = ?\n  AND updated_at > COALESCE(\n    resource_events_synced_for_updated_at, 0\n  );' },
  're-claim': { title: 'Claim Jobs (Atomic Lock)', type: 'queue', file: 'src/core/dependent_queue.rs', desc: 'Atomically claims a batch of unlocked jobs whose backoff period has elapsed. Uses UPDATE...RETURNING for lock acquisition in a single statement.', sql: 'UPDATE pending_dependent_fetches\nSET locked_at = ?now\nWHERE rowid IN (\n  SELECT rowid\n  FROM pending_dependent_fetches\n  WHERE project_id = ?\n    AND job_type = \'resource_events\'\n    AND locked_at IS NULL\n    AND (next_retry_at IS NULL\n         OR next_retry_at <= ?now)\n  ORDER BY enqueued_at ASC\n  LIMIT ?batch_size\n)\nRETURNING *;' },
  're-fetch': { title: 'Fetch 3 Event Types Concurrently', type: 'api', file: 'src/gitlab/client.rs:732-771', desc: 'Uses tokio::join! (not try_join!) to fetch state, label, and milestone events concurrently. Permanent errors (404, 403) are coalesced to empty vecs via coalesce_inaccessible().', sql: 'tokio::join!(\n  fetch_issue_state_events(proj, iid),\n  fetch_issue_label_events(proj, iid),\n  fetch_issue_milestone_events(proj, iid),\n)\n// Each: coalesce_inaccessible()\n// 404/403 -> Ok(vec![])\n// Other errors -> propagated' },
  're-store': { title: 'Store Resource Events', type: 'db', file: 'src/ingestion/orchestrator.rs:620-640', desc: 'All three event types are upserted in a single transaction.', sql: 'BEGIN;\nINSERT INTO resource_state_events ...\n  ON CONFLICT DO UPDATE;\nINSERT INTO resource_label_events ...\n  ON CONFLICT DO UPDATE;\nINSERT INTO resource_milestone_events ...\n  ON CONFLICT DO UPDATE;\nCOMMIT;' },
  're-complete': { title: 'Complete Job + Advance Watermark', type: 'db', file: 'src/ingestion/orchestrator.rs:645-660', desc: 'After successful storage, the job row is deleted and the entity\'s watermark is advanced.', sql: 'DELETE FROM pending_dependent_fetches\n  WHERE rowid = ?;\n\nUPDATE issues\nSET resource_events_synced_for_updated_at\n    = updated_at\nWHERE id = ?;' },
  're-permanent': { title: 'Permanent Error: Skip Entity', type: 'error', file: 'src/ingestion/orchestrator.rs:665-680', desc: '404 (endpoint doesn\'t exist) and 403 (insufficient permissions) are permanent. The job is completed and watermark advanced, so this entity is permanently skipped until next updated on GitLab.' },
  're-transient': { title: 'Transient Error: Exponential Backoff', type: 'error', file: 'src/core/dependent_queue.rs', desc: 'Network errors, 500s, rate limits get exponential backoff. Formula: 30s * 2^(attempts-1), capped at 480s (8 minutes).', sql: 'UPDATE pending_dependent_fetches\nSET locked_at = NULL,\n    attempts = attempts + 1,\n    next_retry_at = ?now\n      + 30000 * pow(2, attempts),\n    -- capped at 480000ms (8 min)\n    last_error = ?error_msg\nWHERE rowid = ?;' },
  'mr-api-call': { title: 'GitLab API: Fetch MR Pages', type: 'api', file: 'src/ingestion/merge_requests.rs:51-151', desc: 'Unlike issues which stream, MRs use explicit page-based pagination via fetch_merge_requests_page(). Each page returns items plus a next_page indicator.', sql: 'GET /api/v4/projects/{id}/merge_requests\n  ?updated_after={cursor - rewind}\n  &order_by=updated_at&sort=asc\n  &per_page=100&page={n}' },
  'mr-cursor-filter': { title: 'Cursor Filter', type: 'decision', file: 'src/ingestion/merge_requests.rs:90-105', desc: 'Identical logic to issues: timestamp comparison with gitlab_id tie-breaker.' },
  'mr-transform': { title: 'Transform Merge Request', type: 'transform', file: 'src/gitlab/transformers/mr.rs', desc: 'Maps GitLab MR response to local row. Handles draft detection (prefers draft field, falls back to work_in_progress), detailed_merge_status, merge_user resolution, and reviewer extraction.' },
  'mr-transaction': { title: 'MR Write Transaction', type: 'db', file: 'src/ingestion/merge_requests.rs:170-210', desc: 'Same pattern as issues but with THREE junction tables: labels, assignees, AND reviewers.', sql: 'BEGIN;\nINSERT INTO payloads ...;\nINSERT INTO merge_requests ...\n  ON CONFLICT DO UPDATE;\nINSERT INTO dirty_sources ...;\n-- 3 junction tables:\nDELETE FROM mr_labels WHERE mr_id = ?;\nINSERT INTO mr_labels ...;\nDELETE FROM mr_assignees WHERE mr_id = ?;\nINSERT INTO mr_assignees ...;\nDELETE FROM mr_reviewers WHERE mr_id = ?;\nINSERT INTO mr_reviewers ...;\nCOMMIT;' },
  'mr-cursor-update': { title: 'Update Cursor Per Page', type: 'db', file: 'src/ingestion/merge_requests.rs:140-150', desc: 'Unlike issues (every 100 items), MR cursor is updated at each page boundary for better crash recovery.' },
  'mr-disc-query': { title: 'Query MRs Needing Discussion Sync', type: 'db', file: 'src/ingestion/merge_requests.rs:430-451', desc: 'Same watermark pattern as issues. Runs AFTER MR ingestion to avoid memory growth.', sql: 'SELECT id, iid, updated_at\nFROM merge_requests\nWHERE project_id = ?1\n  AND updated_at > COALESCE(\n    discussions_synced_for_updated_at, 0\n  );' },
  'mr-disc-batch': { title: 'Batch by Concurrency', type: 'decision', file: 'src/ingestion/orchestrator.rs:420-465', desc: 'MRs are processed in batches sized by dependent_concurrency. Each batch first prefetches all discussions in parallel, then writes serially.' },
  'mr-disc-prefetch': { title: 'Parallel Prefetch', type: 'api', file: 'src/ingestion/mr_discussions.rs:66-120', desc: 'All MRs in the batch have their discussions fetched concurrently via join_all(). Each MR\'s discussions are fetched in one call, transformed in memory, and returned as PrefetchedMrDiscussions.', sql: '// For each MR in batch, concurrently:\nGET /api/v4/projects/{id}/merge_requests\n    /{iid}/discussions?per_page=100\n\n// All fetched + transformed in memory\n// before any DB writes happen' },
  'mr-disc-transform': { title: 'Transform MR Discussions', type: 'transform', file: 'src/ingestion/mr_discussions.rs:125-160', desc: 'Uses transform_mr_discussion() which additionally handles DiffNote positions (file paths, line ranges, SHA triplets).' },
  'mr-disc-write': { title: 'Serial Write (Upsert Pattern)', type: 'db', file: 'src/ingestion/mr_discussions.rs:165-220', desc: 'Unlike issue discussions (delete-all + re-insert), MR discussions use INSERT...ON CONFLICT DO UPDATE for both discussions and notes. Safer for partial failures.', sql: 'BEGIN;\nINSERT INTO payloads ...;\nINSERT INTO discussions ...\n  ON CONFLICT DO UPDATE\n  SET ..., last_seen_at = ?run_ts;\nINSERT INTO dirty_sources ...;\n-- Upsert notes (not delete+insert):\nINSERT INTO notes ...\n  ON CONFLICT DO UPDATE\n  SET ..., last_seen_at = ?run_ts;\nCOMMIT;' },
  'mr-disc-sweep': { title: 'Sweep Stale (last_seen_at)', type: 'db', file: 'src/ingestion/mr_discussions.rs:225-245', desc: 'Staleness detected via last_seen_at timestamps. Both discussions AND notes are swept independently.', sql: '-- Sweep stale discussions:\nDELETE FROM discussions\nWHERE merge_request_id = ?\n  AND last_seen_at < ?run_seen_at;\n\n-- Sweep stale notes:\nDELETE FROM notes\nWHERE discussion_id IN (\n  SELECT id FROM discussions\n  WHERE merge_request_id = ?\n) AND last_seen_at < ?run_seen_at;' },
  'mr-disc-watermark': { title: 'Advance MR Discussion Watermark', type: 'db', file: 'src/ingestion/mr_discussions.rs:248', desc: 'Same as issues: stamps the per-MR watermark.', sql: 'UPDATE merge_requests\nSET discussions_synced_for_updated_at\n    = updated_at\nWHERE id = ?;' },
  'mr-disc-fail': { title: 'Failure: Sync Health Tracking', type: 'error', file: 'src/ingestion/mr_discussions.rs:252-260', desc: 'Unlike issues, MR discussion failures are tracked: discussions_sync_attempts is incremented and discussions_sync_last_error is recorded. Watermark is NOT advanced.' },
  'doc-trigger': { title: 'mark_dirty_tx()', type: 'api', file: 'src/ingestion/dirty_tracker.rs', desc: 'Called during every upsert in ingestion. Inserts into dirty_sources, or on conflict resets backoff. This bridges ingestion (stages 1-2) and document generation (stage 3).', sql: 'INSERT INTO dirty_sources\n  (source_type, source_id, queued_at)\nVALUES (?1, ?2, ?now)\nON CONFLICT(source_type, source_id)\n  DO UPDATE SET\n    queued_at = ?now,\n    attempt_count = 0,\n    next_attempt_at = NULL,\n    last_error = NULL;' },
  'doc-dirty-table': { title: 'dirty_sources Table', type: 'db', file: 'src/ingestion/dirty_tracker.rs', desc: 'Persistent queue of entities needing document regeneration. Supports exponential backoff for failed extractions.' },
  'doc-drain': { title: 'Get Dirty Sources (Batched)', type: 'db', file: 'src/documents/regenerator.rs:35-45', desc: 'Fetches up to 500 dirty entries per batch, prioritizing fewer attempts. Respects exponential backoff.', sql: 'SELECT source_type, source_id\nFROM dirty_sources\nWHERE next_attempt_at IS NULL\n   OR next_attempt_at <= ?now\nORDER BY attempt_count ASC,\n         queued_at ASC\nLIMIT 500;' },
  'doc-dispatch': { title: 'Dispatch by Source Type', type: 'decision', file: 'src/documents/extractor.rs', desc: 'Routes to the appropriate extraction function: "issue" -> extract_issue_document(), "merge_request" -> extract_mr_document(), "discussion" -> extract_discussion_document().' },
  'doc-deleted-check': { title: 'Source Exists Check', type: 'decision', file: 'src/documents/regenerator.rs:48-55', desc: 'If the source entity was deleted, the extractor returns None. The regenerator deletes the document row. FK cascades clean up FTS and embeddings.' },
  'doc-extract': { title: 'Extract Structured Content', type: 'transform', file: 'src/documents/extractor.rs', desc: 'Builds searchable text:\n[[Issue]] #42: Title\nProject: group/repo\nURL: ...\nLabels: [bug, urgent]\nState: opened\n\n--- Description ---\n...\n\nDiscussions inherit parent labels and extract DiffNote file paths.' },
  'doc-triple-hash': { title: 'Triple-Hash Write Optimization', type: 'decision', file: 'src/documents/regenerator.rs:55-62', desc: 'Checks content_hash + labels_hash + paths_hash against existing document. If ALL three match, write is completely skipped. Critical for --full mode performance.' },
  'doc-write': { title: 'SAVEPOINT Atomic Write', type: 'db', file: 'src/documents/regenerator.rs:58-65', desc: 'Document, labels, and paths written inside a SAVEPOINT for atomicity.', sql: 'SAVEPOINT doc_write;\nINSERT INTO documents ...\n  ON CONFLICT DO UPDATE SET\n    content = ?, content_hash = ?,\n    labels_hash = ?, paths_hash = ?;\nDELETE FROM document_labels\n  WHERE doc_id = ?;\nINSERT INTO document_labels ...;\nDELETE FROM document_paths\n  WHERE doc_id = ?;\nINSERT INTO document_paths ...;\nRELEASE doc_write;' },
  'doc-clear': { title: 'Clear Dirty Entry', type: 'db', file: 'src/ingestion/dirty_tracker.rs', desc: 'On success, the dirty_sources row is deleted.', sql: 'DELETE FROM dirty_sources\nWHERE source_type = ?\n  AND source_id = ?;' },
  'doc-error': { title: 'Record Error + Backoff', type: 'error', file: 'src/ingestion/dirty_tracker.rs', desc: 'Increments attempt_count, sets next_attempt_at with exponential backoff. Entry stays for retry.', sql: 'UPDATE dirty_sources\nSET attempt_count = attempt_count + 1,\n    next_attempt_at = ?now\n      + compute_backoff(attempt_count),\n    last_error = ?error_msg\nWHERE source_type = ?\n  AND source_id = ?;' },
  'doc-skip': { title: 'Skip Write (Hash Match)', type: 'db', file: 'src/documents/regenerator.rs:57', desc: 'When all three hashes match, the document has not actually changed. Common when updated_at changes but content/labels/paths remain the same. Dirty entry is cleared without writes.' },
  'embed-detect': { title: 'Change Detection', type: 'decision', file: 'src/embedding/change_detector.rs', desc: 'Document needs re-embedding if: (1) No embedding_metadata row, (2) document_hash mismatch, (3) Config drift in chunk_max_bytes, model, or dims.', sql: 'SELECT d.id, d.content, d.content_hash\nFROM documents d\nLEFT JOIN embedding_metadata em\n  ON em.document_id = d.id\nWHERE em.document_id IS NULL\n   OR em.document_hash != d.content_hash\n   OR em.chunk_max_bytes != ?config\n   OR em.model != ?model\n   OR em.dims != ?dims;' },
  'embed-paginate': { title: 'Keyset Pagination', type: 'db', file: 'src/embedding/pipeline.rs:80-100', desc: '500 documents per page using keyset pagination. Each page wrapped in a SAVEPOINT.' },
  'embed-chunk': { title: 'Split Into Chunks', type: 'transform', file: 'src/embedding/chunking.rs', desc: 'Splits content at paragraph boundaries with configurable max size and overlap.' },
  'embed-overflow': { title: 'Overflow Guard', type: 'decision', file: 'src/embedding/pipeline.rs:110-120', desc: 'If a document produces too many chunks, it is skipped to prevent rowid collisions in the encoded chunk ID scheme.' },
  'embed-work': { title: 'Build ChunkWork Items', type: 'transform', file: 'src/embedding/pipeline.rs:125-140', desc: 'Each chunk gets an encoded ID (document_id * 1000000 + chunk_index) for the sqlite-vec primary key.' },
  'embed-batch': { title: 'Batch Embed via Ollama', type: 'api', file: 'src/embedding/pipeline.rs:150-200', desc: 'Sends 32 chunks per Ollama API call. Model default: nomic-embed-text.', sql: 'POST http://localhost:11434/api/embed\n{\n  "model": "nomic-embed-text",\n  "input": ["chunk1...", "chunk2...", ...]\n}' },
  'embed-store': { title: 'Store Vectors', type: 'db', file: 'src/embedding/pipeline.rs:205-230', desc: 'Vectors stored in sqlite-vec virtual table. Metadata in embedding_metadata. Old embeddings cleared on first successful chunk.', sql: '-- Clear old embeddings:\nDELETE FROM embeddings\n  WHERE rowid / 1000000 = ?doc_id;\n\n-- Insert new vector:\nINSERT INTO embeddings(rowid, embedding)\nVALUES (?chunk_id, ?vector_blob);\n\n-- Update metadata:\nINSERT INTO embedding_metadata ...\n  ON CONFLICT DO UPDATE SET\n    document_hash = ?,\n    chunk_max_bytes = ?,\n    model = ?, dims = ?;' },
  'embed-success': { title: 'SAVEPOINT Commit', type: 'db', file: 'src/embedding/pipeline.rs:240-250', desc: 'Each page of 500 documents wrapped in a SAVEPOINT. Completed pages survive crashes.' },
  'embed-ctx-error': { title: 'Context-Length Retry', type: 'error', file: 'src/embedding/pipeline.rs:260-280', desc: 'If Ollama returns context-length error for a batch, each chunk is retried individually to isolate the oversized one.' },
  'embed-other-error': { title: 'Record Error for Retry', type: 'error', file: 'src/embedding/pipeline.rs:285-295', desc: 'Network/model errors recorded in embedding_metadata. Document detected as pending again on next run.' },
 };
 function escapeHtml(str) {
  var div = document.createElement('div');
  div.appendChild(document.createTextNode(str));
  return div.textContent;
 }
 function buildDetailContent(d) {
  var container = document.createDocumentFragment();
  // Tags section
  var tagSection = document.createElement('div');
  tagSection.className = 'detail-section';
  var typeTag = document.createElement('span');
  typeTag.className = 'detail-tag type-' + d.type;
  typeTag.textContent = d.type.toUpperCase();
  tagSection.appendChild(typeTag);
  if (d.file) {
    var fileTag = document.createElement('span');
    fileTag.className = 'detail-tag file';
    fileTag.textContent = d.file;
    tagSection.appendChild(fileTag);
  }
  container.appendChild(tagSection);
  // Description
  var descSection = document.createElement('div');
  descSection.className = 'detail-section';
  var descH3 = document.createElement('h3');
  descH3.textContent = 'Description';
  descSection.appendChild(descH3);
  var descP = document.createElement('p');
  descP.textContent = d.desc;
  descSection.appendChild(descP);
  container.appendChild(descSection);
  // SQL
  if (d.sql) {
    var sqlSection = document.createElement('div');
    sqlSection.className = 'detail-section';
    var sqlH3 = document.createElement('h3');
    sqlH3.textContent = 'Key Query / Code';
    sqlSection.appendChild(sqlH3);
    var sqlBlock = document.createElement('div');
    sqlBlock.className = 'sql-block';
    sqlBlock.textContent = d.sql;
    sqlSection.appendChild(sqlBlock);
    container.appendChild(sqlSection);
  }
  return container;
 }
 function showDetail(key) {
  var d = details[key];
  if (!d) return;
  var panel = document.getElementById('detail-panel');
  document.getElementById('detail-title').textContent = d.title;
  var body = document.getElementById('detail-body');
  while (body.firstChild) body.removeChild(body.firstChild);
  body.appendChild(buildDetailContent(d));
  document.querySelectorAll('.node.selected').forEach(function(n) { n.classList.remove('selected'); });
  var clicked = document.querySelector('[data-detail="' + key + '"]');
  if (clicked) clicked.classList.add('selected');
  panel.classList.add('open');
 }
 function closeDetail() {
  document.getElementById('detail-panel').classList.remove('open');
  document.querySelectorAll('.node.selected').forEach(function(n) { n.classList.remove('selected'); });
 }
 document.addEventListener('click', function(e) {
  var node = e.target.closest('.node[data-detail]');
  if (node) { showDetail(node.dataset.detail); return; }
  if (!e.target.closest('.detail-panel') && !e.target.closest('.node')) closeDetail();
 });
 document.addEventListener('keydown', function(e) { if (e.key === 'Escape') closeDetail(); });
 </script>
 </body>
 </html>
--- a/migrations/022_notes_query_index.sql
+++ b/migrations/022_notes_query_index.sql
@@ -0,0 +1,24 @@
 -- Migration 022: Composite query indexes for notes + author_id column
 -- Optimizes author-scoped and project-scoped date-range queries on notes.
 -- Adds discussion JOIN indexes and immutable author identity column.
 -- Composite index for author-scoped queries (who command, notes --author)
 CREATE INDEX IF NOT EXISTS idx_notes_user_created
 ON notes(project_id, author_username COLLATE NOCASE, created_at DESC, id DESC)
 WHERE is_system = 0;
 -- Composite index for project-scoped date-range queries
 CREATE INDEX IF NOT EXISTS idx_notes_project_created
 ON notes(project_id, created_at DESC, id DESC)
 WHERE is_system = 0;
 -- Discussion JOIN indexes
 CREATE INDEX IF NOT EXISTS idx_discussions_issue_id ON discussions(issue_id);
 CREATE INDEX IF NOT EXISTS idx_discussions_mr_id ON discussions(merge_request_id);
 -- Immutable author identity column (GitLab numeric user ID)
 ALTER TABLE notes ADD COLUMN author_id INTEGER;
 CREATE INDEX IF NOT EXISTS idx_notes_author_id ON notes(author_id) WHERE author_id IS NOT NULL;
 INSERT INTO schema_version (version, applied_at, description)
 VALUES (22, strftime('%s', 'now') * 1000, '022_notes_query_index');
--- a/migrations/023_issue_detail_fields.sql
+++ b/migrations/023_issue_detail_fields.sql
@@ -0,0 +1,5 @@
 ALTER TABLE issues ADD COLUMN closed_at TEXT;
 ALTER TABLE issues ADD COLUMN confidential INTEGER NOT NULL DEFAULT 0;
 INSERT INTO schema_version (version, applied_at, description)
 VALUES (23, strftime('%s', 'now') * 1000, 'Add closed_at and confidential to issues');
--- a/migrations/024_note_documents.sql
+++ b/migrations/024_note_documents.sql
@@ -0,0 +1,156 @@
 -- Migration 024: Add 'note' source_type to documents and dirty_sources
 -- SQLite does not support ALTER CONSTRAINT, so we use the table-rebuild pattern.
 -- ============================================================
 -- 1. Rebuild dirty_sources with updated CHECK constraint
 -- ============================================================
 CREATE TABLE dirty_sources_new (
  source_type TEXT NOT NULL CHECK (source_type IN ('issue','merge_request','discussion','note')),
  source_id INTEGER NOT NULL,
  queued_at INTEGER NOT NULL,
  attempt_count INTEGER NOT NULL DEFAULT 0,
  last_attempt_at INTEGER,
  last_error TEXT,
  next_attempt_at INTEGER,
  PRIMARY KEY(source_type, source_id)
 );
 INSERT INTO dirty_sources_new SELECT * FROM dirty_sources;
 DROP TABLE dirty_sources;
 ALTER TABLE dirty_sources_new RENAME TO dirty_sources;
 CREATE INDEX idx_dirty_sources_next_attempt ON dirty_sources(next_attempt_at);
 -- ============================================================
 -- 2. Rebuild documents with updated CHECK constraint
 -- ============================================================
 -- 2a. Backup junction table data
 CREATE TEMP TABLE _doc_labels_backup AS SELECT * FROM document_labels;
 CREATE TEMP TABLE _doc_paths_backup AS SELECT * FROM document_paths;
 -- 2b. Drop all triggers that reference documents
 DROP TRIGGER IF EXISTS documents_ai;
 DROP TRIGGER IF EXISTS documents_ad;
 DROP TRIGGER IF EXISTS documents_au;
 DROP TRIGGER IF EXISTS documents_embeddings_ad;
 -- 2c. Drop junction tables (they have FK references to documents)
 DROP TABLE IF EXISTS document_labels;
 DROP TABLE IF EXISTS document_paths;
 -- 2d. Create new documents table with 'note' in CHECK constraint
 CREATE TABLE documents_new (
  id INTEGER PRIMARY KEY,
  source_type TEXT NOT NULL CHECK (source_type IN ('issue','merge_request','discussion','note')),
  source_id INTEGER NOT NULL,
  project_id INTEGER NOT NULL REFERENCES projects(id),
  author_username TEXT,
  label_names TEXT,
  created_at INTEGER,
  updated_at INTEGER,
  url TEXT,
  title TEXT,
  content_text TEXT NOT NULL,
  content_hash TEXT NOT NULL,
  labels_hash TEXT NOT NULL DEFAULT '',
  paths_hash TEXT NOT NULL DEFAULT '',
  is_truncated INTEGER NOT NULL DEFAULT 0,
  truncated_reason TEXT CHECK (
    truncated_reason IN (
      'token_limit_middle_drop','single_note_oversized','first_last_oversized',
      'hard_cap_oversized'
    )
    OR truncated_reason IS NULL
  ),
  UNIQUE(source_type, source_id)
 );
 -- 2e. Copy all existing data
 INSERT INTO documents_new SELECT * FROM documents;
 -- 2f. Swap tables
 DROP TABLE documents;
 ALTER TABLE documents_new RENAME TO documents;
 -- 2g. Recreate all indexes on documents
 CREATE INDEX idx_documents_project_updated ON documents(project_id, updated_at);
 CREATE INDEX idx_documents_author ON documents(author_username);
 CREATE INDEX idx_documents_source ON documents(source_type, source_id);
 CREATE INDEX idx_documents_hash ON documents(content_hash);
 -- 2h. Recreate junction tables
 CREATE TABLE document_labels (
  document_id INTEGER NOT NULL REFERENCES documents(id) ON DELETE CASCADE,
  label_name TEXT NOT NULL,
  PRIMARY KEY(document_id, label_name)
 ) WITHOUT ROWID;
 CREATE INDEX idx_document_labels_label ON document_labels(label_name);
 CREATE TABLE document_paths (
  document_id INTEGER NOT NULL REFERENCES documents(id) ON DELETE CASCADE,
  path TEXT NOT NULL,
  PRIMARY KEY(document_id, path)
 ) WITHOUT ROWID;
 CREATE INDEX idx_document_paths_path ON document_paths(path);
 -- 2i. Restore junction table data from backups
 INSERT INTO document_labels SELECT * FROM _doc_labels_backup;
 INSERT INTO document_paths SELECT * FROM _doc_paths_backup;
 -- 2j. Recreate FTS triggers (from migration 008)
 CREATE TRIGGER documents_ai AFTER INSERT ON documents BEGIN
  INSERT INTO documents_fts(rowid, title, content_text)
  VALUES (new.id, COALESCE(new.title, ''), new.content_text);
 END;
 CREATE TRIGGER documents_ad AFTER DELETE ON documents BEGIN
  INSERT INTO documents_fts(documents_fts, rowid, title, content_text)
  VALUES('delete', old.id, COALESCE(old.title, ''), old.content_text);
 END;
 CREATE TRIGGER documents_au AFTER UPDATE ON documents
 WHEN old.title IS NOT new.title OR old.content_text != new.content_text
 BEGIN
  INSERT INTO documents_fts(documents_fts, rowid, title, content_text)
  VALUES('delete', old.id, COALESCE(old.title, ''), old.content_text);
  INSERT INTO documents_fts(rowid, title, content_text)
  VALUES (new.id, COALESCE(new.title, ''), new.content_text);
 END;
 -- 2k. Recreate embeddings cleanup trigger (from migration 009)
 CREATE TRIGGER documents_embeddings_ad AFTER DELETE ON documents BEGIN
  DELETE FROM embeddings
    WHERE rowid >= old.id * 1000
      AND rowid < (old.id + 1) * 1000;
 END;
 -- 2l. Rebuild FTS index to ensure consistency after table swap
 INSERT INTO documents_fts(documents_fts) VALUES('rebuild');
 -- ============================================================
 -- 3. Defense triggers: clean up documents when notes are
 --    deleted or flipped to system notes
 -- ============================================================
 CREATE TRIGGER notes_ad_cleanup AFTER DELETE ON notes
 WHEN old.is_system = 0
 BEGIN
  DELETE FROM documents WHERE source_type = 'note' AND source_id = old.id;
 END;
 CREATE TRIGGER notes_au_system_cleanup AFTER UPDATE OF is_system ON notes
 WHEN NEW.is_system = 1 AND OLD.is_system = 0
 BEGIN
  DELETE FROM documents WHERE source_type = 'note' AND source_id = OLD.id;
 END;
 -- ============================================================
 -- 4. Drop temp backup tables
 -- ============================================================
 DROP TABLE IF EXISTS _doc_labels_backup;
 DROP TABLE IF EXISTS _doc_paths_backup;
 INSERT INTO schema_version (version, applied_at, description)
 VALUES (24, strftime('%s', 'now') * 1000, '024_note_documents');
--- a/migrations/025_note_dirty_backfill.sql
+++ b/migrations/025_note_dirty_backfill.sql
@@ -0,0 +1,11 @@
 -- Backfill existing non-system notes into dirty queue for document generation.
 -- Only seeds notes that don't already have documents and aren't already queued.
 INSERT INTO dirty_sources (source_type, source_id, queued_at)
 SELECT 'note', n.id, CAST(strftime('%s', 'now') AS INTEGER) * 1000
 FROM notes n
 LEFT JOIN documents d ON d.source_type = 'note' AND d.source_id = n.id
 WHERE n.is_system = 0 AND d.id IS NULL
 ON CONFLICT(source_type, source_id) DO NOTHING;
 INSERT INTO schema_version (version, applied_at, description)
 VALUES (25, strftime('%s', 'now') * 1000, '025_note_dirty_backfill');
--- a/migrations/026_scoring_indexes.sql
+++ b/migrations/026_scoring_indexes.sql
@@ -0,0 +1,23 @@
 -- Indexes for time-decay expert scoring: dual-path matching and reviewer participation.
 CREATE INDEX IF NOT EXISTS idx_notes_old_path_author
  ON notes(position_old_path, author_username, created_at)
  WHERE note_type = 'DiffNote' AND is_system = 0 AND position_old_path IS NOT NULL;
 CREATE INDEX IF NOT EXISTS idx_mfc_old_path_project_mr
  ON mr_file_changes(old_path, project_id, merge_request_id)
  WHERE old_path IS NOT NULL;
 CREATE INDEX IF NOT EXISTS idx_mfc_new_path_project_mr
  ON mr_file_changes(new_path, project_id, merge_request_id);
 CREATE INDEX IF NOT EXISTS idx_notes_diffnote_discussion_author
  ON notes(discussion_id, author_username, created_at)
  WHERE note_type = 'DiffNote' AND is_system = 0;
 CREATE INDEX IF NOT EXISTS idx_notes_old_path_project_created
  ON notes(position_old_path, project_id, created_at)
  WHERE note_type = 'DiffNote' AND is_system = 0 AND position_old_path IS NOT NULL;
 INSERT INTO schema_version (version, applied_at, description)
 VALUES (26, strftime('%s', 'now') * 1000, '026_scoring_indexes');
--- a/migrations/027_surgical_sync_runs.sql
+++ b/migrations/027_surgical_sync_runs.sql
@@ -0,0 +1,23 @@
 -- Migration 027: Extend sync_runs for surgical sync observability
 -- Adds mode/phase tracking and surgical-specific counters.
 ALTER TABLE sync_runs ADD COLUMN mode TEXT;
 ALTER TABLE sync_runs ADD COLUMN phase TEXT;
 ALTER TABLE sync_runs ADD COLUMN surgical_iids_json TEXT;
 ALTER TABLE sync_runs ADD COLUMN issues_fetched INTEGER NOT NULL DEFAULT 0;
 ALTER TABLE sync_runs ADD COLUMN mrs_fetched INTEGER NOT NULL DEFAULT 0;
 ALTER TABLE sync_runs ADD COLUMN issues_ingested INTEGER NOT NULL DEFAULT 0;
 ALTER TABLE sync_runs ADD COLUMN mrs_ingested INTEGER NOT NULL DEFAULT 0;
 ALTER TABLE sync_runs ADD COLUMN skipped_stale INTEGER NOT NULL DEFAULT 0;
 ALTER TABLE sync_runs ADD COLUMN docs_regenerated INTEGER NOT NULL DEFAULT 0;
 ALTER TABLE sync_runs ADD COLUMN docs_embedded INTEGER NOT NULL DEFAULT 0;
 ALTER TABLE sync_runs ADD COLUMN warnings_count INTEGER NOT NULL DEFAULT 0;
 ALTER TABLE sync_runs ADD COLUMN cancelled_at INTEGER;
 CREATE INDEX IF NOT EXISTS idx_sync_runs_mode_started
    ON sync_runs(mode, started_at DESC);
 CREATE INDEX IF NOT EXISTS idx_sync_runs_status_phase_started
    ON sync_runs(status, phase, started_at DESC);
 INSERT INTO schema_version (version, applied_at, description)
 VALUES (27, strftime('%s', 'now') * 1000, '027_surgical_sync_runs');
--- a/migrations/028_discussions_mr_fk.sql
+++ b/migrations/028_discussions_mr_fk.sql
@@ -0,0 +1,58 @@
 -- Migration 028: Add FK constraint on discussions.merge_request_id
 -- Schema version: 28
 -- Fixes missing foreign key that causes orphaned discussions when MRs are deleted
 -- SQLite doesn't support ALTER TABLE ADD CONSTRAINT, so we must recreate the table.
 -- Step 1: Create new table with the FK constraint
 CREATE TABLE discussions_new (
    id INTEGER PRIMARY KEY,
    gitlab_discussion_id TEXT NOT NULL,
    project_id INTEGER NOT NULL REFERENCES projects(id) ON DELETE CASCADE,
    issue_id INTEGER REFERENCES issues(id) ON DELETE CASCADE,
    merge_request_id INTEGER REFERENCES merge_requests(id) ON DELETE CASCADE,  -- FK was missing!
    noteable_type TEXT NOT NULL CHECK (noteable_type IN ('Issue', 'MergeRequest')),
    individual_note INTEGER NOT NULL DEFAULT 0,
    first_note_at INTEGER,
    last_note_at INTEGER,
    last_seen_at INTEGER NOT NULL,
    resolvable INTEGER NOT NULL DEFAULT 0,
    resolved INTEGER NOT NULL DEFAULT 0,
    raw_payload_id INTEGER REFERENCES raw_payloads(id),  -- Added in migration 004
    CHECK (
        (noteable_type = 'Issue' AND issue_id IS NOT NULL AND merge_request_id IS NULL) OR
        (noteable_type = 'MergeRequest' AND merge_request_id IS NOT NULL AND issue_id IS NULL)
    )
 );
 -- Step 2: Copy data (only rows with valid FK references to avoid constraint violations)
 INSERT INTO discussions_new
 SELECT d.* FROM discussions d
 WHERE (d.merge_request_id IS NULL OR EXISTS (SELECT 1 FROM merge_requests m WHERE m.id = d.merge_request_id));
 -- Step 3: Drop old table and rename
 DROP TABLE discussions;
 ALTER TABLE discussions_new RENAME TO discussions;
 -- Step 4: Recreate ALL indexes that were on the discussions table
 -- From migration 002 (original table)
 CREATE UNIQUE INDEX uq_discussions_project_discussion_id ON discussions(project_id, gitlab_discussion_id);
 CREATE INDEX idx_discussions_issue ON discussions(issue_id);
 CREATE INDEX idx_discussions_mr ON discussions(merge_request_id);
 CREATE INDEX idx_discussions_last_note ON discussions(last_note_at);
 -- From migration 003 (orphan detection)
 CREATE INDEX idx_discussions_last_seen ON discussions(last_seen_at);
 -- From migration 006 (MR indexes)
 CREATE INDEX idx_discussions_mr_id ON discussions(merge_request_id);
 CREATE INDEX idx_discussions_mr_resolved ON discussions(merge_request_id, resolved, resolvable);
 -- From migration 017 (who command indexes)
 CREATE INDEX idx_discussions_unresolved_recent ON discussions(project_id, last_note_at) WHERE resolvable = 1 AND resolved = 0;
 CREATE INDEX idx_discussions_unresolved_recent_global ON discussions(last_note_at) WHERE resolvable = 1 AND resolved = 0;
 -- From migration 019 (list performance)
 CREATE INDEX idx_discussions_issue_resolved ON discussions(issue_id, resolvable, resolved);
 -- From migration 022 (notes query optimization)
 CREATE INDEX idx_discussions_issue_id ON discussions(issue_id);
 -- Record migration
 INSERT INTO schema_version (version, applied_at, description)
 VALUES (28, strftime('%s', 'now') * 1000, 'Add FK constraint on discussions.merge_request_id');
--- a/phase-a-review.html
+++ b/phase-a-review.html
--- a/plans/asupersync-migration.md
+++ b/plans/asupersync-migration.md
@@ -0,0 +1,867 @@
 # Plan: Replace Tokio + Reqwest with Asupersync
 **Date:** 2026-03-06
 **Status:** Draft
 **Decisions:** Adapter layer (yes), timeouts in adapter, deep Cx threading, reference doc only
 ---
 ## Context
 Gitlore uses tokio as its async runtime and reqwest as its HTTP client. Both work, but:
 - Ctrl+C during `join_all` silently drops in-flight HTTP requests with no cleanup
 - `ShutdownSignal` is a hand-rolled `AtomicBool` with no structured cancellation
 - No deterministic testing for concurrent ingestion patterns
 - tokio provides no structured concurrency guarantees
 Asupersync is a cancel-correct async runtime with region-owned tasks, obligation tracking, and deterministic lab testing. Replacing tokio+reqwest gives us structured shutdown, cancel-correct ingestion, and testable concurrency.
 **Trade-offs accepted:**
 - Nightly Rust required (asupersync dependency)
 - Pre-1.0 runtime dependency (mitigated by adapter layer + version pinning)
 - Deeper function signature changes for Cx threading
 ### Why not tokio CancellationToken + JoinSet?
 The core problems (Ctrl+C drops requests, no structured cancellation) *can* be fixed without replacing the runtime. Tokio's `CancellationToken` + `JoinSet` + explicit task tracking gives structured cancellation for fan-out patterns. This was considered and rejected for two reasons:
 1. **Obligation tracking is the real win.** CancellationToken/JoinSet fix the "cancel cleanly" problem but don't give us obligation tracking (compile-time proof that all spawned work is awaited) or deterministic lab testing. These are the features that prevent *future* concurrency bugs, not just the current Ctrl+C issue.
 2. **Separation of concerns.** Fixing Ctrl+C with tokio primitives first, then migrating the runtime second, doubles the migration effort (rewrite fan-out twice). Since we have no users and no backwards compatibility concerns, a single clean migration is lower total cost.
 If asupersync proves unviable (nightly breakage, API instability), the fallback is exactly this: tokio + CancellationToken + JoinSet.
 ---
 ## Current Tokio Usage Inventory
 ### Production code (must migrate)
 | Location | API | Purpose |
 |----------|-----|---------|
 | `main.rs:53` | `#[tokio::main]` | Runtime entrypoint |
 | `main.rs` (4 sites) | `tokio::spawn` + `tokio::signal::ctrl_c` | Ctrl+C signal handlers |
 | `gitlab/client.rs:9` | `tokio::sync::Mutex` | Rate limiter lock |
 | `gitlab/client.rs:10` | `tokio::time::sleep` | Rate limiter backoff |
 | `gitlab/client.rs:729,736` | `tokio::join!` | Parallel pagination |
 ### Production code (reqwest -- must replace)
 | Location | Usage |
 |----------|-------|
 | `gitlab/client.rs` | REST API: GET with headers/query, response status/headers/JSON, pagination via x-next-page and Link headers, retry on 429 |
 | `gitlab/graphql.rs` | GraphQL: POST with Bearer auth + JSON body, response JSON parsing |
 | `embedding/ollama.rs` | Ollama: GET health check, POST JSON embedding requests |
 ### Test code (keep on tokio via dev-dep)
 | File | Tests | Uses wiremock? |
 |------|-------|----------------|
 | `gitlab/graphql_tests.rs` | 30 | Yes |
 | `gitlab/client_tests.rs` | 4 | Yes |
 | `embedding/pipeline_tests.rs` | 4 | Yes |
 | `ingestion/surgical_tests.rs` | 4 async | Yes |
 ### Test code (switch to asupersync)
 | File | Tests | Why safe |
 |------|-------|----------|
 | `core/timeline_seed_tests.rs` | 13 | Pure CPU/SQLite, no HTTP, no tokio APIs |
 ### Test code (already sync `#[test]` -- no changes)
 ~35 test files across documents/, core/, embedding/, gitlab/transformers/, ingestion/, cli/commands/, tests/
 ---
 ## Phase 0: Preparation (no runtime change)
 Goal: Reduce tokio surface area before the swap. Each step is independently valuable.
 ### 0a. Extract signal handler
 The 4 identical Ctrl+C handlers in `main.rs` (lines 1020, 2341, 2493, 2524) become one function in `core/shutdown.rs`:
 ```rust
 pub fn install_ctrl_c_handler(signal: ShutdownSignal) {
    tokio::spawn(async move {
        let _ = tokio::signal::ctrl_c().await;
        eprintln!("\nInterrupted, finishing current batch... (Ctrl+C again to force quit)");
        signal.cancel();
        let _ = tokio::signal::ctrl_c().await;
        std::process::exit(130);
    });
 }
 ```
 4 spawn sites -> 1 function. The function body changes in Phase 3.
 ### 0b. Replace tokio::sync::Mutex with std::sync::Mutex
 In `gitlab/client.rs`, the rate limiter lock guards a tiny sync critical section (check `Instant::now()`, compute delay). No async work inside the lock. `std::sync::Mutex` is correct and removes a tokio dependency:
 ```rust
 // Before
 use tokio::sync::Mutex;
 let delay = self.rate_limiter.lock().await.check_delay();
 // After
 use std::sync::Mutex;
 let delay = self.rate_limiter.lock().expect("rate limiter poisoned").check_delay();
 ```
 Note: `.expect()` over `.unwrap()` for clarity. Poisoning is near-impossible here (the critical section is a trivial `Instant::now()` check), but the explicit message aids debugging if it ever fires.
 **Contention constraint:** `std::sync::Mutex` blocks the executor thread while held. This is safe *only* because the critical section is a single `Instant::now()` comparison with no I/O. If the rate limiter ever grows to include async work (HTTP calls, DB queries), it must move back to an async-aware lock. Document this constraint with a comment at the lock site.
 ### 0c. Replace tokio::join! with futures::join!
 In `gitlab/client.rs:729,736`. `futures::join!` is runtime-agnostic and already in deps.
 **After Phase 0, remaining tokio in production code:**
 - `#[tokio::main]` (1 site)
 - `tokio::spawn` + `tokio::signal::ctrl_c` (1 function)
 - `tokio::time::sleep` (1 import)
 ---
 ## Phase 0d: Error Type Migration (must precede adapter layer)
 The adapter layer (Phase 1) uses `GitLabNetworkError { detail: Option<String> }`, which requires this error type change before the adapter compiles. Placed here so Phases 1-3 compile as a unit.
 ### `src/core/error.rs`
 ```rust
 // Remove:
 #[error("HTTP error: {0}")]
 Http(#[from] reqwest::Error),
 // Change:
 #[error("Cannot connect to GitLab at {base_url}")]
 GitLabNetworkError {
    base_url: String,
    // Before: source: Option<reqwest::Error>
    // After:
    detail: Option<String>,
 },
 ```
 The adapter layer stringifies HTTP client errors at the boundary so `LoreError` doesn't depend on any HTTP client's error types. This also means the existing reqwest call sites that construct `GitLabNetworkError` must be updated to pass `detail: Some(format!("{e:?}"))` instead of `source: Some(e)` -- but those sites are rewritten in Phase 2 anyway, so no extra work.
 **Note on error granularity:** Flattening all HTTP errors to `detail: Option<String>` loses the distinction between timeouts, TLS failures, DNS resolution failures, and connection resets. To preserve actionable error categories without coupling `LoreError` to any HTTP client, add a lightweight `NetworkErrorKind` enum:
 ```rust
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum NetworkErrorKind {
    Timeout,
    ConnectionRefused,
    DnsResolution,
    Tls,
    Other,
 }
 #[error("Cannot connect to GitLab at {base_url}")]
 GitLabNetworkError {
    base_url: String,
    kind: NetworkErrorKind,
    detail: Option<String>,
 },
 ```
 The adapter's `execute()` method classifies errors at the boundary:
 - Timeout from `asupersync::time::timeout` → `NetworkErrorKind::Timeout`
 - Transport errors from the HTTP client → classified by error type into the appropriate kind
 - Unknown errors → `NetworkErrorKind::Other`
 This keeps `LoreError` client-agnostic while preserving the ability to make retry decisions based on error *type* (e.g., retry on timeout but not on TLS). The adapter's `execute()` method is the single place where this mapping happens, so adding new kinds is localized.
 ---
 ## Phase 1: Build the HTTP Adapter Layer
 ### Why
 Asupersync's `HttpClient` is lower-level than reqwest:
 - Headers: `Vec<(String, String)>` not typed `HeaderMap`/`HeaderValue`
 - Body: `Vec<u8>` not a builder with `.json()`
 - Status: raw `u16` not `StatusCode` enum
 - Response: body already buffered, no async `.json().await`
 - No per-request timeout
 Without an adapter, every call site becomes 5-6 lines of boilerplate. The adapter also isolates gitlore from asupersync's pre-1.0 HTTP API.
 ### New file: `src/http.rs` (~100 LOC)
 ```rust
 use asupersync::http::h1::{HttpClient, HttpClientConfig, PoolConfig};
 use asupersync::http::h1::types::Method;
 use asupersync::time::timeout;
 use serde::de::DeserializeOwned;
 use serde::Serialize;
 use std::time::Duration;
 use crate::core::error::{LoreError, Result};
 pub struct Client {
    inner: HttpClient,
    timeout: Duration,
 }
 pub struct Response {
    pub status: u16,
    pub reason: String,
    pub headers: Vec<(String, String)>,
    body: Vec<u8>,
 }
 impl Client {
    pub fn with_timeout(timeout: Duration) -> Self {
        Self {
            inner: HttpClient::with_config(HttpClientConfig {
                pool_config: PoolConfig::builder()
                    .max_connections_per_host(6)
                    .max_total_connections(100)
                    .idle_timeout(Duration::from_secs(90))
                    .build(),
                ..Default::default()
            }),
            timeout,
        }
    }
    pub async fn get(&self, url: &str, headers: &[(&str, &str)]) -> Result<Response> {
        self.execute(Method::Get, url, headers, Vec::new()).await
    }
    pub async fn get_with_query(
        &self,
        url: &str,
        params: &[(&str, String)],
        headers: &[(&str, &str)],
    ) -> Result<Response> {
        let full_url = append_query_params(url, params);
        self.execute(Method::Get, &full_url, headers, Vec::new()).await
    }
    pub async fn post_json<T: Serialize>(
        &self,
        url: &str,
        headers: &[(&str, &str)],
        body: &T,
    ) -> Result<Response> {
        let body_bytes = serde_json::to_vec(body)
            .map_err(|e| LoreError::Other(format!("JSON serialization failed: {e}")))?;
        let mut all_headers = headers.to_vec();
        all_headers.push(("Content-Type", "application/json"));
        self.execute(Method::Post, url, &all_headers, body_bytes).await
    }
    async fn execute(
        &self,
        method: Method,
        url: &str,
        headers: &[(&str, &str)],
        body: Vec<u8>,
    ) -> Result<Response> {
        let header_tuples: Vec<(String, String)> = headers
            .iter()
            .map(|(k, v)| ((*k).to_owned(), (*v).to_owned()))
            .collect();
        let raw = timeout(self.timeout, self.inner.request(method, url, header_tuples, body))
            .await
            .map_err(|_| LoreError::GitLabNetworkError {
                base_url: url.to_string(),
                kind: NetworkErrorKind::Timeout,
                detail: Some(format!("Request timed out after {:?}", self.timeout)),
            })?
            .map_err(|e| LoreError::GitLabNetworkError {
                base_url: url.to_string(),
                kind: classify_transport_error(&e),
                detail: Some(format!("{e:?}")),
            })?;
        Ok(Response {
            status: raw.status,
            reason: raw.reason,
            headers: raw.headers,
            body: raw.body,
        })
    }
 }
 impl Response {
    pub fn is_success(&self) -> bool {
        (200..300).contains(&self.status)
    }
    pub fn json<T: DeserializeOwned>(&self) -> Result<T> {
        serde_json::from_slice(&self.body)
            .map_err(|e| LoreError::Other(format!("JSON parse error: {e}")))
    }
    pub fn text(self) -> Result<String> {
        String::from_utf8(self.body)
            .map_err(|e| LoreError::Other(format!("UTF-8 decode error: {e}")))
    }
    pub fn header(&self, name: &str) -> Option<&str> {
        self.headers
            .iter()
            .find(|(k, _)| k.eq_ignore_ascii_case(name))
            .map(|(_, v)| v.as_str())
    }
    /// Returns all values for a header name (case-insensitive).
    /// Needed for multi-value headers like `Link` used in pagination.
    pub fn headers_all(&self, name: &str) -> Vec<&str> {
        self.headers
            .iter()
            .filter(|(k, _)| k.eq_ignore_ascii_case(name))
            .map(|(_, v)| v.as_str())
            .collect()
    }
 }
 /// Appends query parameters to a URL.
 ///
 /// Edge cases handled:
 /// - URLs with existing `?query` → appends with `&`
 /// - URLs with `#fragment` → inserts query before fragment
 /// - Empty params → returns URL unchanged
 /// - Repeated keys → preserved as-is (GitLab API uses repeated `labels[]`)
 fn append_query_params(url: &str, params: &[(&str, String)]) -> String {
    if params.is_empty() {
        return url.to_string();
    }
    let query: String = params
        .iter()
        .map(|(k, v)| format!("{}={}", urlencoding::encode(k), urlencoding::encode(v)))
        .collect::<Vec<_>>()
        .join("&");
    // Preserve URL fragments: split on '#', insert query, rejoin
    let (base, fragment) = match url.split_once('#') {
        Some((b, f)) => (b, Some(f)),
        None => (url, None),
    };
    let with_query = if base.contains('?') {
        format!("{base}&{query}")
    } else {
        format!("{base}?{query}")
    };
    match fragment {
        Some(f) => format!("{with_query}#{f}"),
        None => with_query,
    }
 }
 ```
 ### Response body size guard
 The adapter buffers entire response bodies in memory (`Vec<u8>`). A misconfigured endpoint or unexpected redirect to a large file could cause unbounded memory growth. Add a max response body size check in `execute()`:
 ```rust
 const MAX_RESPONSE_BODY_BYTES: usize = 64 * 1024 * 1024; // 64 MiB — generous for JSON, catches runaways
 // In execute(), after receiving raw response:
 if raw.body.len() > MAX_RESPONSE_BODY_BYTES {
    return Err(LoreError::Other(format!(
        "Response body too large: {} bytes (max {})",
        raw.body.len(),
        MAX_RESPONSE_BODY_BYTES,
    )));
 }
 ```
 This is a safety net, not a tight constraint. GitLab JSON responses are typically < 1 MiB. Ollama embedding responses are < 100 KiB per batch. The 64 MiB limit catches runaways without interfering with normal operation.
 ### Timeout behavior
 Every request is wrapped with `asupersync::time::timeout(self.timeout, ...)`. Default timeouts:
 - GitLab REST/GraphQL: 30s
 - Ollama: configurable (default 60s)
 - Ollama health check: 5s
 ---
 ## Phase 2: Migrate the 3 HTTP Modules
 ### 2a. `gitlab/client.rs` (REST API)
 **Imports:**
 ```rust
 // Remove
 use reqwest::header::{ACCEPT, HeaderMap, HeaderValue};
 use reqwest::{Client, Response, StatusCode};
 // Add
 use crate::http::{Client, Response};
 ```
 **Client construction** (lines 68-96):
 ```rust
 // Before: reqwest::Client::builder().default_headers(h).timeout(d).build()
 // After:
 let client = Client::with_timeout(Duration::from_secs(30));
 ```
 **request() method** (lines 129-170):
 ```rust
 // Before
 let response = self.client.get(&url)
    .header("PRIVATE-TOKEN", &self.token)
    .send().await
    .map_err(|e| LoreError::GitLabNetworkError { ... })?;
 // After
 let response = self.client.get(&url, &[
    ("PRIVATE-TOKEN", &self.token),
    ("Accept", "application/json"),
 ]).await?;
 ```
 **request_with_headers() method** (lines 510-559):
 ```rust
 // Before
 let response = self.client.get(&url)
    .query(params)
    .header("PRIVATE-TOKEN", &self.token)
    .send().await?;
 let headers = response.headers().clone();
 // After
 let response = self.client.get_with_query(&url, params, &[
    ("PRIVATE-TOKEN", &self.token),
    ("Accept", "application/json"),
 ]).await?;
 // headers already owned in response.headers
 ```
 **handle_response()** (lines 182-219):
 ```rust
 // Before: async fn (consumed body with .text().await)
 // After: sync fn (body already buffered in Response)
 fn handle_response<T: DeserializeOwned>(&self, response: Response, path: &str) -> Result<T> {
    match response.status {
        401 => Err(LoreError::GitLabAuthFailed),
        404 => Err(LoreError::GitLabNotFound { resource: path.into() }),
        429 => {
            let retry_after = response.header("retry-after")
                .and_then(|v| v.parse().ok())
                .unwrap_or(60);
            Err(LoreError::GitLabRateLimited { retry_after })
        }
        s if (200..300).contains(&s) => response.json::<T>(),
        s => Err(LoreError::Other(format!("GitLab API error: {} {}", s, response.reason))),
    }
 }
 ```
 **Pagination** -- No structural changes. `async_stream::stream!` and header parsing stay the same. Only the response type changes:
 ```rust
 // Before: headers.get("x-next-page").and_then(|v| v.to_str().ok())
 // After:  response.header("x-next-page")
 ```
 **parse_link_header_next** -- Change signature from `(headers: &HeaderMap)` to `(headers: &[(String, String)])` and find by case-insensitive name.
 ### 2b. `gitlab/graphql.rs`
 ```rust
 // Before
 let response = self.http.post(&url)
    .header("Authorization", format!("Bearer {}", self.token))
    .header("Content-Type", "application/json")
    .json(&body).send().await?;
 let json: Value = response.json().await?;
 // After
 let bearer = format!("Bearer {}", self.token);
 let response = self.http.post_json(&url, &[
    ("Authorization", &bearer),
 ], &body).await?;
 let json: Value = response.json()?;
 ```
 Status matching changes from `response.status().as_u16()` to `response.status` (already u16).
 ### 2c. `embedding/ollama.rs`
 ```rust
 // Health check
 let response = self.client.get(&url, &[]).await?;
 let tags: TagsResponse = response.json()?;
 // Embed batch
 let response = self.client.post_json(&url, &[], &request).await?;
 if !response.is_success() {
    let status = response.status; // capture before .text() consumes response
    let body = response.text()?;
    return Err(LoreError::EmbeddingFailed { document_id: 0, reason: format!("HTTP {status}: {body}") });
 }
 let embed_response: EmbedResponse = response.json()?;
 ```
 **Standalone health check** (`check_ollama_health`): Currently creates a temporary `reqwest::Client`. Replace with temporary `crate::http::Client`:
 ```rust
 pub async fn check_ollama_health(base_url: &str) -> bool {
    let client = Client::with_timeout(Duration::from_secs(5));
    let url = format!("{base_url}/api/tags");
    client.get(&url, &[]).await.map_or(false, |r| r.is_success())
 }
 ```
 ---
 ## Phase 3: Swap the Runtime + Deep Cx Threading
 ### 3a. Cargo.toml
 ```toml
 [dependencies]
 # Remove:
 # reqwest = { version = "0.12", features = ["json"] }
 # tokio = { version = "1", features = ["rt-multi-thread", "macros", "time", "signal"] }
 # Add:
 asupersync = { version = "0.2", features = ["tls", "tls-native-roots"] }
 # Keep unchanged:
 async-stream = "0.3"
 futures = { version = "0.3", default-features = false, features = ["alloc"] }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 urlencoding = "2"
 [dev-dependencies]
 tempfile = "3"
 wiremock = "0.6"
 tokio = { version = "1", features = ["rt", "macros"] }
 ```
 ### 3b. rust-toolchain.toml
 ```toml
 [toolchain]
 channel = "nightly-2026-03-01"  # Pin specific date to avoid surprise breakage
 ```
 Update the date as needed when newer nightlies are verified. Never use bare `"nightly"` in production.
 ### 3c. Entrypoint (`main.rs:53`)
 ```rust
 // Before
 #[tokio::main]
 async fn main() -> Result<()> { ... }
 // After
 #[asupersync::main]
 async fn main(cx: &Cx) -> Outcome<()> { ... }
 ```
 ### 3d. Signal handler (`core/shutdown.rs`)
 ```rust
 // After (Phase 0 extracted it; now rewrite for asupersync)
 pub async fn install_ctrl_c_handler(cx: &Cx, signal: ShutdownSignal) {
    cx.spawn("ctrl-c-handler", async move |cx| {
        cx.shutdown_signal().await;
        eprintln!("\nInterrupted, finishing current batch... (Ctrl+C again to force quit)");
        signal.cancel();
        // Preserve hard-exit on second Ctrl+C (same behavior as Phase 0a)
        cx.shutdown_signal().await;
        std::process::exit(130);
    });
 }
 ```
 **Cleanup concern:** `std::process::exit(130)` on second Ctrl+C bypasses all drop guards, flush operations, and asupersync region cleanup. This is intentional (user demanded hard exit) but means any in-progress DB transaction will be abandoned mid-write. SQLite's journaling makes this safe (uncommitted transactions are rolled back on next open), but verify this holds for WAL mode if enabled. Consider logging a warning before exit so users understand incomplete operations may need re-sync.
 ### 3e. Rate limiter sleep
 ```rust
 // Before
 use tokio::time::sleep;
 // After
 use asupersync::time::sleep;
 ```
 ### 3f. Deep Cx threading
 Thread `Cx` from `main()` through command dispatch into the orchestrator and ingestion modules. This enables region-scoped cancellation for `join_all` batches.
 **Function signatures that need `cx: &Cx` added:**
 | Module | Functions |
 |--------|-----------|
 | `main.rs` | Command dispatch match arms for `sync`, `ingest`, `embed` |
 | `cli/commands/sync.rs` | `run_sync()` |
 | `cli/commands/ingest.rs` | `run_ingest_command()`, `run_ingest()` |
 | `cli/commands/embed.rs` | `run_embed()` |
 | `cli/commands/sync_surgical.rs` | `run_sync_surgical()` |
 | `ingestion/orchestrator.rs` | `ingest_issues()`, `ingest_merge_requests()`, `ingest_discussions()`, etc. |
 | `ingestion/surgical.rs` | `surgical_sync()` |
 | `embedding/pipeline.rs` | `embed_documents()`, `embed_batch_group()` |
 **Region wrapping for join_all batches** (orchestrator.rs):
 ```rust
 // Before
 let prefetched_batch = join_all(prefetch_futures).await;
 // After -- cancel-correct region with result collection
 let (tx, rx) = std::sync::mpsc::channel();
 cx.region(|scope| async {
    for future in prefetch_futures {
        let tx = tx.clone();
        scope.spawn(async move |_cx| {
            let result = future.await;
            let _ = tx.send(result);
        });
    }
    drop(tx);
 }).await;
 let prefetched_batch: Vec<_> = rx.into_iter().collect();
 ```
 **IMPORTANT: Semantic differences beyond ordering.** Replacing `join_all` with region-spawned tasks changes three behaviors:
 1. **Ordering:** `join_all` preserves input order — results\[i\] corresponds to futures\[i\]. The `std::sync::mpsc` channel pattern does NOT (results arrive in completion order). If downstream logic assumes positional alignment (e.g., zipping results with input items by index), this is a silent correctness bug. Options:
   - Send `(index, result)` tuples through the channel and sort by index after collection.
   - If `scope.spawn()` returns a `JoinHandle<T>`, collect handles in order and await them sequentially.
 2. **Error aggregation:** `join_all` runs all futures to completion even if some fail, collecting all results. Region-spawned tasks with a channel will also run all tasks, but if the region is cancelled mid-flight (e.g., Ctrl+C), some results are lost. Decide per call site: should partial results be processed, or should the entire batch be retried?
 3. **Backpressure:** `join_all` with N futures creates N concurrent tasks. Region-spawned tasks behave similarly, but if the region has concurrency limits, backpressure semantics change. Verify asupersync's region API does not impose implicit concurrency caps.
 4. **Late result loss on cancellation:** When a region is cancelled, tasks that have completed but whose results haven't been received yet may have already sent to the channel. However, tasks that are mid-flight will be dropped, and their results never sent. The channel receiver must drain whatever was sent, but the caller must treat a cancelled region's results as incomplete — never assume all N results arrived. Document per call site whether partial results are safe to process or whether the entire batch should be discarded on cancellation.
 Audit every `join_all` call site for all four assumptions before choosing the pattern.
 Note: The exact result-collection pattern depends on asupersync's region API. If `scope.spawn()` returns a `JoinHandle<T>`, prefer collecting handles and awaiting them (preserves ordering and simplifies error handling).
 This is the biggest payoff: if Ctrl+C fires during a prefetch batch, the region cancels all in-flight HTTP requests with bounded cleanup instead of silently dropping them.
 **Estimated signature changes:** ~15 functions gain a `cx: &Cx` parameter.
 **Phasing the Cx threading (risk reduction):** Rather than threading `cx` through all ~15 functions at once, split into two steps:
 - **Step 1:** Thread `cx` through the orchestration path only (`main.rs` dispatch → `run_sync`/`run_ingest` → orchestrator functions). This is where region-wrapping `join_all` batches happens — the actual cancellation payoff. Verify invariants pass.
 - **Step 2:** Widen to the command layer and embedding pipeline (`run_embed`, `embed_documents`, `embed_batch_group`, `sync_surgical`). These are lower-risk since they don't have the same fan-out patterns.
 This reduces the blast radius of Step 1 and provides an earlier validation checkpoint. If Step 1 surfaces problems, Step 2 hasn't been started yet.
 ---
 ## Phase 4: Test Migration
 ### Keep on `#[tokio::test]` (wiremock tests -- 42 tests)
 No changes. `tokio` is in `[dev-dependencies]` with `features = ["rt", "macros"]`.
 **Coverage gap:** These tests validate protocol correctness (request format, response parsing, status code handling, pagination) through the adapter layer, but they do NOT exercise asupersync's runtime behavior (timeouts, connection pooling, cancellation). This is acceptable because:
 1. Protocol correctness is the higher-value test target — it catches most regressions
 2. Runtime-specific behavior is covered by the new cancellation integration tests (below)
 3. The adapter layer is thin enough that runtime differences are unlikely to affect request/response semantics
 **Adapter-layer test gap:** The 42 wiremock tests validate protocol correctness (request format, response parsing) but run on tokio, not asupersync. This means the adapter's actual behavior under the production runtime is untested by mocked-response tests. To close this gap, add 3-5 asupersync-native integration tests that exercise the adapter against a simple HTTP server (e.g., `hyper` or a raw TCP listener) rather than wiremock:
 1. **GET with headers + JSON response** — verify header passing and JSON deserialization through the adapter.
 2. **POST with JSON body** — verify Content-Type injection and body serialization.
 3. **429 + Retry-After** — verify the adapter surfaces rate-limit responses correctly.
 4. **Timeout** — verify the adapter's `asupersync::time::timeout` wrapper fires.
 5. **Large response rejection** — verify the body size guard triggers.
 These tests are cheap to write (~50 LOC each) and close the "works on tokio but does it work on asupersync?" gap that GPT 5.3 flagged.
 | File | Tests |
 |------|-------|
 | `gitlab/graphql_tests.rs` | 30 |
 | `gitlab/client_tests.rs` | 4 |
 | `embedding/pipeline_tests.rs` | 4 |
 | `ingestion/surgical_tests.rs` | 4 |
 ### Switch to `#[asupersync::test]` (no wiremock -- 13 tests)
 | File | Tests |
 |------|-------|
 | `core/timeline_seed_tests.rs` | 13 |
 ### Already `#[test]` (sync -- ~35 files)
 No changes needed.
 ### New: Cancellation integration tests (asupersync-native)
 Wiremock tests on tokio validate protocol/serialization correctness but cannot test asupersync's cancellation and region semantics. Add asupersync-native integration tests for:
 1. **Ctrl+C during fan-out:** Simulate cancellation mid-batch in orchestrator. Verify all in-flight tasks are drained, no task leaks, no obligation leaks.
 2. **Region quiescence:** Verify that after a region completes (normal or cancelled), no background tasks remain running.
 3. **Transaction integrity under cancellation:** Cancel during an ingestion batch that has fetched data but not yet written to DB. Verify no partial data is committed.
 These tests use asupersync's deterministic lab runtime, which is one of the primary motivations for this migration.
 ---
 ## Phase 5: Verify and Harden
 ### Verification checklist
 ```bash
 cargo check --all-targets
 cargo clippy --all-targets -- -D warnings
 cargo fmt --check
 cargo test
 ```
 ### Specific things to verify
 1. **async-stream on nightly** -- Does `async_stream 0.3` compile on current nightly?
 2. **TLS root certs on macOS** -- Does `tls-native-roots` pick up system CA certs?
 3. **Connection pool under concurrency** -- Do `join_all` batches (4-8 concurrent requests to same host) work without pool deadlock?
 4. **Pagination streams** -- Do `async_stream::stream!` pagination generators work unchanged?
 5. **Wiremock test isolation** -- Do wiremock tests pass with tokio only in dev-deps?
 ### HTTP behavior parity acceptance criteria
 reqwest provides several implicit behaviors that asupersync's h1 client may not. Each must pass a concrete acceptance test before the migration is considered complete:
 | reqwest default | Acceptance criterion | Pass/Fail test |
 |-----------------|---------------------|----------------|
 | Automatic redirect following (up to 10) | If GitLab returns 3xx, gitlore must not silently lose the response. Either follow the redirect or surface a clear error. | Send a request to wiremock returning 301 → verify adapter returns the redirect status (not an opaque failure) |
 | Automatic gzip/deflate decompression | Not required — JSON responses are small. | N/A (no test needed) |
 | Proxy from `HTTP_PROXY`/`HTTPS_PROXY` env | If `HTTP_PROXY` is set, requests must route through it. If asupersync lacks proxy support, document this as a known limitation. | Set `HTTP_PROXY=http://127.0.0.1:9999` → verify connection attempt targets the proxy, or document that proxy is unsupported |
 | Connection keep-alive | Pagination batches (4-8 sequential requests to same host) must reuse connections. | Measure with `ss`/`netstat`: 8 paginated requests should use ≤2 TCP connections |
 | System DNS resolution | Hostnames must resolve via OS resolver. | Verify `lore sync` works against a hostname (not just IP) |
 | Request body Content-Length | POST requests must include Content-Length header (some proxies/WAFs require it). | Inspect outgoing request headers in wiremock test |
 | TLS certificate validation | HTTPS requests must validate server certificates using system CA store. | Verify `lore sync` succeeds against production GitLab (valid cert) and fails against self-signed cert |
 ### Cancellation + DB transaction invariants
 Region-based cancellation stops HTTP tasks cleanly, but partial ingestion can leave the database in an inconsistent state if cancellation fires between "fetched data" and "wrote to DB". The following invariants must hold and be tested:
 **INV-1: Atomic batch writes.** Each ingestion batch (issues, MRs, discussions) writes to the DB inside a single `unchecked_transaction()`. If the transaction is not committed, no partial data from that batch is visible. This is already the case for most ingestion paths — audit all paths and fix any that write outside a transaction.
 **INV-2: Region cancellation cannot corrupt committed data.** A cancelled region may abandon in-flight HTTP requests, but it must not interrupt a DB transaction mid-write. This holds naturally because SQLite transactions are synchronous (not async) — once `tx.execute()` starts, it runs to completion on the current thread regardless of task cancellation. Verify this assumption holds for WAL mode.
 **Hard rule: no `.await` between transaction open and commit/rollback.** Cancellation can fire at any `.await` point. If an `.await` exists between `unchecked_transaction()` and `tx.commit()`, a cancelled region could drop the transaction guard mid-batch, rolling back partial writes silently. Audit all ingestion paths to confirm this invariant holds. If any path must do async work mid-transaction (e.g., fetching related data), restructure to fetch-then-write: complete all async work first, then open the transaction, write synchronously, and commit.
 **INV-3: No partial batch visibility.** If cancellation fires after fetching N items but before the batch transaction commits, zero items from that batch are persisted. The next sync picks up where it left off using cursor-based pagination.
 **INV-4: ShutdownSignal + region cancellation are complementary.** The existing `ShutdownSignal` check-before-write pattern in orchestrator loops (`if signal.is_cancelled() { break; }`) remains the first line of defense. Region cancellation is the second — it ensures in-flight HTTP tasks are drained even if the orchestrator loop has already moved past the signal check. Both mechanisms must remain active.
 **Test plan for invariants:**
 - INV-1: Cancellation integration test — cancel mid-batch, verify DB has zero partial rows from that batch
 - INV-2: Verify `unchecked_transaction()` commit is not interruptible by task cancellation (lab runtime test)
 - INV-3: Cancel after fetch, re-run sync, verify no duplicates and no gaps
 - INV-4: Verify both ShutdownSignal and region cancellation are triggered on Ctrl+C
 ---
 ## File Change Summary
 | File | Change | LOC |
 |------|--------|-----|
 | `Cargo.toml` | Swap deps | ~10 |
 | `rust-toolchain.toml` | NEW -- set nightly | 3 |
 | `src/http.rs` | NEW -- adapter layer | ~100 |
 | `src/main.rs` | Entrypoint macro, Cx threading, remove 4 signal handlers | ~40 |
 | `src/core/shutdown.rs` | Extract + rewrite signal handler | ~20 |
 | `src/core/error.rs` | Remove reqwest::Error, change GitLabNetworkError (Phase 0d) | ~10 |
 | `src/gitlab/client.rs` | Replace reqwest, remove tokio imports, adapt all methods | ~80 |
 | `src/gitlab/graphql.rs` | Replace reqwest | ~20 |
 | `src/embedding/ollama.rs` | Replace reqwest | ~20 |
 | `src/cli/commands/sync.rs` | Add Cx param | ~5 |
 | `src/cli/commands/ingest.rs` | Add Cx param | ~5 |
 | `src/cli/commands/embed.rs` | Add Cx param | ~5 |
 | `src/cli/commands/sync_surgical.rs` | Add Cx param | ~5 |
 | `src/ingestion/orchestrator.rs` | Add Cx param, region-wrap join_all | ~30 |
 | `src/ingestion/surgical.rs` | Add Cx param | ~10 |
 | `src/embedding/pipeline.rs` | Add Cx param | ~10 |
 | `src/core/timeline_seed_tests.rs` | Swap test macro | ~13 |
 **Total: ~16 files modified, 1 new file, ~400-500 LOC changed.**
 ---
 ## Execution Order
 ```
 Phase 0a-0c (prep, safe, independent)
  |
  v
 Phase 0d (error type migration -- required before adapter compiles)
  |
  v
 DECISION GATE: verify nightly + asupersync + tls-native-roots compile AND behavioral smoke tests pass
  |
  v
 Phase 1 (adapter layer, compiles but unused) ----+
  |                                               |
  v                                               |  These 3 are one
 Phase 2 (migrate 3 HTTP modules to adapter) ------+  atomic commit
  |                                               |
  v                                               |
 Phase 3 (swap runtime, Cx threading) ------------+
  |
  v
 Phase 4 (test migration)
  |
  v
 Phase 5 (verify + harden)
 ```
 Phase 0a-0c can be committed independently (good cleanup regardless).
 Phase 0d (error types) can also land independently, but MUST precede the adapter layer.
 **Decision gate:** After Phase 0d, create `rust-toolchain.toml` with nightly pin and verify `asupersync = "0.2"` compiles with `tls-native-roots` on macOS. Then run behavioral smoke tests in a throwaway binary or integration test:
 1. **TLS validation:** HTTPS GET to a public endpoint (e.g., `https://gitlab.com/api/v4/version`) succeeds with valid cert.
 2. **DNS resolution:** Request using hostname (not IP) resolves correctly.
 3. **Redirect handling:** GET to a 301/302 endpoint — verify the adapter returns the redirect status (not an opaque error) so call sites can decide whether to follow.
 4. **Timeout behavior:** Request to a slow/non-responsive endpoint times out within the configured duration.
 5. **Connection pooling:** 4 sequential requests to the same host reuse connections (verify via debug logging or `ss`/`netstat`).
 If compilation fails or any behavioral test reveals a showstopper (e.g., TLS doesn't work on macOS, timeouts don't fire), stop and evaluate the tokio CancellationToken fallback before investing in Phases 1-3.
 Compile-only gating is insufficient — this migration's failure modes are semantic (HTTP behavior parity), not just syntactic.
 Phases 1-3 must land together (removing reqwest requires both the adapter AND the new runtime).
 Phases 4-5 are cleanup that can be incremental.
 ---
 ## Rollback Strategy
 If the migration stalls or asupersync proves unviable after partial completion:
 - **Phase 0a-0c completed:** No rollback needed. These are independently valuable cleanup regardless of runtime choice.
 - **Phase 0d completed:** `GitLabNetworkError { detail }` is runtime-agnostic. Keep it.
 - **Phases 1-3 partially completed:** These must land atomically. If any phase in 1-3 fails, revert the entire atomic commit. The adapter layer (Phase 1) imports asupersync types, so it cannot exist without the runtime.
 - **Full rollback to tokio:** If asupersync is abandoned entirely, the fallback path is tokio + `CancellationToken` + `JoinSet` (see "Why not tokio CancellationToken + JoinSet?" above). The adapter layer design is still valid — swap `asupersync::http` for `reqwest` behind the same `crate::http::Client` API.
 **Decision point:** After Phase 0 is complete, verify asupersync compiles on the pinned nightly with `tls-native-roots` before committing to Phases 1-3. If TLS or nightly issues surface, stop and evaluate the tokio fallback.
 **Concrete escape hatch triggers (abandon asupersync, fall back to tokio + CancellationToken + JoinSet):**
 1. **Nightly breakage > 7 days:** If the pinned nightly breaks and no newer nightly restores compilation within 7 days, abort.
 2. **TLS incompatibility:** If `tls-native-roots` cannot validate certificates on macOS (system CA store) and `tls-webpki-roots` also fails, abort.
 3. **API instability:** If asupersync releases a breaking change to `HttpClient`, `region()`, or `Cx` APIs before our migration is complete, evaluate migration cost. If > 2 days of rework, abort.
 4. **Wiremock incompatibility:** If keeping wiremock tests on tokio while production runs asupersync causes test failures or flaky behavior that cannot be resolved in 1 day, abort.
 ---
 ## Risks
 | Risk | Severity | Mitigation |
 |------|----------|------------|
 | asupersync pre-1.0 API changes | High | Adapter layer isolates call sites. Pin exact version. |
 | Nightly Rust breakage | Medium-High | Pin nightly date in rust-toolchain.toml. CI tests on nightly. Coupling runtime + toolchain migration amplifies risk — escape hatch triggers defined in Rollback Strategy. |
 | TLS cert issues on macOS | Medium | Test early in Phase 5. Fallback: `tls-webpki-roots` (Mozilla bundle). |
 | Connection pool behavior under load | Medium | Stress test with `join_all` of 8+ concurrent requests in Phase 5. |
 | async-stream nightly compat | Low | Widely used crate, likely fine. Fallback: manual Stream impl. |
 | Build time increase | Low | Measure before/after. asupersync may be heavier than tokio. |
 | Reqwest behavioral drift | Medium | reqwest has implicit redirect/proxy/compression handling. Audit each (see Phase 5 table). GitLab API doesn't redirect, so low actual risk. |
 | Partial ingestion on cancel | Medium | Region cancellation can fire between HTTP fetch and DB write. Verify transaction boundaries align with region scope (see Phase 5). |
 | Unbounded response body buffering | Low | Adapter buffers full response bodies. Mitigated by 64 MiB size guard in adapter `execute()`. |
 | Manual URL/header handling correctness | Low-Medium | `append_query_params` and case-insensitive header scans replicate reqwest behavior manually. Mitigated by unit tests for edge cases (existing query params, fragments, repeated keys, case folding). |
--- a/plans/gitlab-todos-notifications-integration.md
+++ b/plans/gitlab-todos-notifications-integration.md
@@ -0,0 +1,652 @@
 ---
 plan: true
 title: "GitLab TODOs Integration"
 status: proposed
 iteration: 4
 target_iterations: 4
 beads_revision: 1
 related_plans: []
 created: 2026-02-23
 updated: 2026-02-26
 audit_revision: 4
 ---
 # GitLab TODOs Integration
 ## Summary
 Add GitLab TODO support to lore. Todos are fetched during sync, stored locally, and surfaced through a standalone `lore todos` command and integration into the `lore me` dashboard.
 **Scope:** Read-only. No mark-as-done operations.
 ---
 ## Workflows
 ### Workflow 1: Morning Triage (Human)
 1. User runs `lore me` to see personal dashboard
 2. Summary header shows "5 pending todos" alongside issue/MR counts
 3. Todos section groups items: 2 Assignments, 2 Mentions, 1 Approval Required
 4. User scans Assignments — sees issue #42 assigned by @manager
 5. User runs `lore todos` for full detail with body snippets
 6. User clicks target URL to address highest-priority item
 7. After marking done in GitLab, next `lore sync` removes it locally
 ### Workflow 2: Agent Polling (Robot Mode)
 1. Agent runs `lore --robot health` as pre-flight check
 2. Agent runs `lore --robot me --fields minimal` for dashboard
 3. Agent extracts `pending_todo_count` from summary — if 0, skip todos
 4. If count > 0, agent runs `lore --robot todos`
 5. Agent iterates `data.todos[]`, filtering by `action` type
 6. Agent prioritizes `approval_required` and `build_failed` for immediate attention
 7. Agent logs external todos (`is_external: true`) for manual review
 ### Workflow 3: Cross-Project Visibility
 1. User is mentioned in a project they don't sync (e.g., company-wide repo)
 2. `lore sync` fetches the todo anyway (account-wide fetch)
 3. `lore todos` shows item with `[external]` indicator and project path
 4. User can still click target URL to view in GitLab
 5. Target title may be unavailable — graceful fallback to "Untitled"
 ---
 ## Acceptance Criteria
 Behavioral contract. Each AC is a single testable statement.
 ### Storage
 | ID | Behavior |
 |----|----------|
 | AC-1 | Todos are persisted locally in SQLite |
 | AC-2 | Each todo is uniquely identified by its GitLab todo ID |
 | AC-3 | Todos from non-synced projects are stored with their project path |
 ### Sync
 | ID | Behavior |
 |----|----------|
 | AC-4 | `lore sync` fetches all pending todos from GitLab |
 | AC-5 | Sync fetches todos account-wide, not per-project |
 | AC-6 | Todos marked done in GitLab are removed locally on next sync |
 | AC-7 | Transient sync errors do not delete valid local todos |
 | AC-8 | `lore sync --no-todos` skips todo fetching |
 | AC-9 | Sync logs todo statistics (fetched, inserted, updated, deleted) |
 ### `lore todos` Command
 | ID | Behavior |
 |----|----------|
 | AC-10 | `lore todos` displays all pending todos |
 | AC-11 | Todos are grouped by action type: Assignments, Mentions, Approvals, Build Issues |
 | AC-12 | Each todo shows: target title, project path, author, age |
 | AC-13 | Non-synced project todos display `[external]` indicator |
 | AC-14 | `lore todos --limit N` limits output to N todos |
 | AC-15 | `lore --robot todos` returns JSON with standard `{ok, data, meta}` envelope |
 | AC-16 | `lore --robot todos --fields minimal` returns reduced field set |
 | AC-17 | `todo` and `td` are recognized as aliases for `todos` |
 ### `lore me` Integration
 | ID | Behavior |
 |----|----------|
 | AC-18 | `lore me` summary includes pending todo count |
 | AC-19 | `lore me` includes a todos section in the full dashboard |
 | AC-20 | `lore me --todos` shows only the todos section |
 | AC-21 | Todos are NOT filtered by `--project` flag (always account-wide) |
 | AC-22 | Warning is displayed if `--project` is passed with `--todos` |
 | AC-23 | Todo events appear in the activity feed for local entities |
 ### Action Types
 | ID | Behavior |
 |----|----------|
 | AC-24 | Core actions are displayed: assigned, mentioned, directly_addressed, approval_required, build_failed, unmergeable |
 | AC-25 | Niche actions are stored but not displayed: merge_train_removed, member_access_requested, marked |
 ### Attention State
 | ID | Behavior |
 |----|----------|
 | AC-26 | Todos do not affect attention state calculation |
 | AC-27 | Todos do not appear in "since last check" cursor-based inbox |
 ### Error Handling
 | ID | Behavior |
 |----|----------|
 | AC-28 | 403 Forbidden on todos API logs warning and continues sync |
 | AC-29 | 429 Rate Limited respects Retry-After header |
 | AC-30 | Malformed todo JSON logs warning, skips that item, and disables purge for that sync |
 ### Documentation
 | ID | Behavior |
 |----|----------|
 | AC-31 | `lore todos` appears in CLI help |
 | AC-32 | `lore robot-docs` includes todos schema |
 | AC-33 | CLAUDE.md documents the todos command |
 ### Quality
 | ID | Behavior |
 |----|----------|
 | AC-34 | All quality gates pass: check, clippy, fmt, test |
 ---
 ## Architecture
 Designed to fulfill the acceptance criteria above.
 ### Module Structure
 ```
 src/
 ├── gitlab/
 │   ├── client.rs      # fetch_todos() method (AC-4, AC-5)
 │   └── types.rs       # GitLabTodo struct
 ├── ingestion/
 │   └── todos.rs       # sync_todos(), purge-safe deletion (AC-6, AC-7)
 ├── cli/commands/
 │   ├── todos.rs       # lore todos command (AC-10-17)
 │   └── me/
 │       ├── types.rs   # MeTodo, extend MeSummary (AC-18)
 │       └── queries.rs # query_todos() (AC-19, AC-23)
 └── core/
    └── db.rs          # Migration 028 (AC-1, AC-2, AC-3)
 ```
 ### Data Flow
 ```
 GitLab API                Local SQLite              CLI Output
 ───────────               ────────────              ──────────
 GET /api/v4/todos    →    todos table          →   lore todos
 (account-wide)            (purge-safe sync)        lore me --todos
 ```
 ### Key Design Decisions
 | Decision | Rationale | ACs |
 |----------|-----------|-----|
 | Account-wide fetch | GitLab todos API is user-scoped, not project-scoped | AC-5, AC-21 |
 | Purge-safe deletion | Transient errors should not delete valid data | AC-7 |
 | Separate from attention | Todos are notifications, not engagement signals | AC-26, AC-27 |
 | Store all actions, display core | Future-proofs for new action types | AC-24, AC-25 |
 ### Existing Code to Extend
 | Type | Location | Extension |
 |------|----------|-----------|
 | `MeSummary` | `src/cli/commands/me/types.rs` | Add `pending_todo_count` field |
 | `ActivityEventType` | `src/cli/commands/me/types.rs` | Add `Todo` variant |
 | `MeDashboard` | `src/cli/commands/me/types.rs` | Add `todos: Vec<MeTodo>` field |
 | `SyncArgs` | `src/cli/mod.rs` | Add `--no-todos` flag |
 | `MeArgs` | `src/cli/mod.rs` | Add `--todos` flag |
 ---
 ## Implementation Specifications
 Each IMP section details HOW to fulfill specific ACs.
 ### IMP-1: Database Schema
 **Fulfills:** AC-1, AC-2, AC-3
 **Migration 028:**
 ```sql
 CREATE TABLE todos (
    id INTEGER PRIMARY KEY,
    gitlab_todo_id INTEGER NOT NULL UNIQUE,
    project_id INTEGER REFERENCES projects(id) ON DELETE SET NULL,
    gitlab_project_id INTEGER,
    target_type TEXT NOT NULL,
    target_id TEXT,
    target_iid INTEGER,
    target_url TEXT NOT NULL,
    target_title TEXT,
    action_name TEXT NOT NULL,
    author_id INTEGER,
    author_username TEXT,
    body TEXT,
    created_at INTEGER NOT NULL,
    updated_at INTEGER NOT NULL,
    synced_at INTEGER NOT NULL,
    sync_generation INTEGER NOT NULL DEFAULT 0,
    project_path TEXT
 );
 CREATE INDEX idx_todos_action_created ON todos(action_name, created_at DESC);
 CREATE INDEX idx_todos_target ON todos(target_type, target_id);
 CREATE INDEX idx_todos_created ON todos(created_at DESC);
 CREATE INDEX idx_todos_sync_gen ON todos(sync_generation);
 CREATE INDEX idx_todos_gitlab_project ON todos(gitlab_project_id);
 CREATE INDEX idx_todos_target_lookup ON todos(target_type, project_id, target_iid);
 ```
 **Notes:**
 - `project_id` nullable for non-synced projects (AC-3)
 - `gitlab_project_id` nullable — TODO targets include non-project entities (Namespace, etc.)
 - No `state` column — we only store pending todos
 - `sync_generation` enables two-generation grace purge (AC-7)
 ---
 ### IMP-2: GitLab API Client
 **Fulfills:** AC-4, AC-5
 **Endpoint:** `GET /api/v4/todos?state=pending`
 **Types to add in `src/gitlab/types.rs`:**
 ```rust
 #[derive(Debug, Deserialize)]
 pub struct GitLabTodo {
    pub id: i64,
    pub project: Option<GitLabTodoProject>,
    pub author: Option<GitLabTodoAuthor>,
    pub action_name: String,
    pub target_type: String,
    pub target: Option<GitLabTodoTarget>,
    pub target_url: String,
    pub body: Option<String>,
    pub state: String,
    pub created_at: String,
    pub updated_at: String,
 }
 #[derive(Debug, Deserialize)]
 pub struct GitLabTodoProject {
    pub id: i64,
    pub path_with_namespace: String,
 }
 #[derive(Debug, Deserialize)]
 pub struct GitLabTodoTarget {
    pub id: serde_json::Value,  // i64 or String (commit SHA)
    pub iid: Option<i64>,
    pub title: Option<String>,
 }
 #[derive(Debug, Deserialize)]
 pub struct GitLabTodoAuthor {
    pub id: i64,
    pub username: String,
 }
 ```
 **Client method in `src/gitlab/client.rs`:**
 ```rust
 pub fn fetch_todos(&self) -> impl Stream<Item = Result<GitLabTodo>> {
    self.paginate("/api/v4/todos?state=pending")
 }
 ```
 ---
 ### IMP-3: Sync Pipeline Integration
 **Fulfills:** AC-4, AC-5, AC-6, AC-7, AC-8, AC-9
 **New file: `src/ingestion/todos.rs`**
 **Sync position:** Account-wide step after per-project sync and status enrichment.
 ```
 Sync order:
 1. Issues (per project)
 2. MRs (per project)
 3. Status enrichment (account-wide GraphQL)
 4. Todos (account-wide REST) ← NEW
 ```
 **Purge-safe deletion pattern:**
 ```rust
 pub struct TodoSyncResult {
    pub fetched: usize,
    pub upserted: usize,
    pub deleted: usize,
    pub generation: i64,
    pub purge_allowed: bool,
 }
 pub fn sync_todos(conn: &Connection, client: &GitLabClient) -> Result<TodoSyncResult> {
    // 1. Get next generation
    let generation: i64 = conn.query_row(
        "SELECT COALESCE(MAX(sync_generation), 0) + 1 FROM todos",
        [], |r| r.get(0)
    )?;
    let mut fetched = 0;
    let mut purge_allowed = true;
    // 2. Fetch and upsert all todos
    for result in client.fetch_todos()? {
        match result {
            Ok(todo) => {
                upsert_todo_guarded(conn, &todo, generation)?;
                fetched += 1;
            }
            Err(e) => {
                // Malformed JSON: log warning, skip item, disable purge
                warn!("Skipping malformed todo: {e}");
                purge_allowed = false;
            }
        }
    }
    // 3. Two-generation grace purge: delete only if missing for 2+ consecutive syncs
    // This protects against pagination drift (new todos inserted during traversal)
    let deleted = if purge_allowed {
        conn.execute("DELETE FROM todos WHERE sync_generation < ? - 1", [generation])?
    } else {
        0
    };
    Ok(TodoSyncResult { fetched, upserted: fetched, deleted, generation, purge_allowed })
 }
 ```
 **Concurrent-safe upsert:**
 ```sql
 INSERT INTO todos (..., sync_generation) VALUES (?, ..., ?)
 ON CONFLICT(gitlab_todo_id) DO UPDATE SET
    ...,
    sync_generation = excluded.sync_generation,
    synced_at = excluded.synced_at
 WHERE excluded.sync_generation >= todos.sync_generation;
 ```
 **"Success" for purge (all must be true):**
 - Every page fetch completed without error
 - Every todo JSON decoded successfully (any decode failure sets `purge_allowed=false`)
 - Pagination traversal completed (not interrupted)
 - Response was not 401/403
 - Zero todos IS valid for purge when above conditions met
 **Two-generation grace purge:**
 Todos are deleted only if missing for 2 consecutive successful syncs (`sync_generation < current - 1`).
 This protects against false deletions from pagination drift (new todos inserted during traversal).
 ---
 ### IMP-4: Project Path Extraction
 **Fulfills:** AC-3, AC-13
 ```rust
 use once_cell::sync::Lazy;
 use regex::Regex;
 pub fn extract_project_path(url: &str) -> Option<&str> {
    static RE: Lazy<Regex> = Lazy::new(|| {
        Regex::new(r"https?://[^/]+/(.+?)/-/(?:issues|merge_requests|epics|commits)/")
            .expect("valid regex")
    });
    RE.captures(url)
        .and_then(|c| c.get(1))
        .map(|m| m.as_str())
 }
 ```
 **Usage:** Prefer `project.path_with_namespace` from API when available. Fall back to URL extraction for external projects.
 ---
 ### IMP-5: `lore todos` Command
 **Fulfills:** AC-10, AC-11, AC-12, AC-13, AC-14, AC-15, AC-16, AC-17
 **New file: `src/cli/commands/todos.rs`**
 **Args:**
 ```rust
 #[derive(Parser)]
 #[command(alias = "todo")]
 pub struct TodosArgs {
    #[arg(short = 'n', long)]
    pub limit: Option<usize>,
 }
 ```
 **Autocorrect aliases in `src/cli/mod.rs`:**
 ```rust
 ("td", "todos"),
 ("todo", "todos"),
 ```
 **Action type grouping:**
 | Group | Actions |
 |-------|---------|
 | Assignments | `assigned` |
 | Mentions | `mentioned`, `directly_addressed` |
 | Approvals | `approval_required` |
 | Build Issues | `build_failed`, `unmergeable` |
 **Robot mode schema:**
 ```json
 {
  "ok": true,
  "data": {
    "todos": [{
      "id": 123,
      "gitlab_todo_id": 456,
      "action": "mentioned",
      "target_type": "Issue",
      "target_iid": 42,
      "target_title": "Fix login bug",
      "target_url": "https://...",
      "project_path": "group/repo",
      "author_username": "jdoe",
      "body": "Hey @you, can you look at this?",
      "created_at_iso": "2026-02-20T10:00:00Z",
      "is_external": false
    }],
    "counts": {
      "total": 8,
      "assigned": 2,
      "mentioned": 5,
      "approval_required": 1,
      "build_failed": 0,
      "unmergeable": 0,
      "other": 0
    }
  },
  "meta": {"elapsed_ms": 42}
 }
 ```
 **Minimal fields:** `gitlab_todo_id`, `action`, `target_type`, `target_iid`, `project_path`, `is_external`
 ---
 ### IMP-6: `lore me` Integration
 **Fulfills:** AC-18, AC-19, AC-20, AC-21, AC-22, AC-23
 **Types to add/extend in `src/cli/commands/me/types.rs`:**
 ```rust
 // EXTEND
 pub struct MeSummary {
    // ... existing fields ...
    pub pending_todo_count: usize,  // ADD
 }
 // EXTEND
 pub enum ActivityEventType {
    // ... existing variants ...
    Todo,  // ADD
 }
 // EXTEND
 pub struct MeDashboard {
    // ... existing fields ...
    pub todos: Vec<MeTodo>,  // ADD
 }
 // NEW
 pub struct MeTodo {
    pub id: i64,
    pub gitlab_todo_id: i64,
    pub action: String,
    pub target_type: String,
    pub target_iid: Option<i64>,
    pub target_title: Option<String>,
    pub target_url: String,
    pub project_path: String,
    pub author_username: Option<String>,
    pub body: Option<String>,
    pub created_at: i64,
    pub is_external: bool,
 }
 ```
 **Warning for `--project` with `--todos` (AC-22):**
 ```rust
 if args.todos && args.project.is_some() {
    eprintln!("Warning: Todos are account-wide; project filter not applied");
 }
 ```
 ---
 ### IMP-7: Error Handling
 **Fulfills:** AC-28, AC-29, AC-30
 | Error | Behavior |
 |-------|----------|
 | 403 Forbidden | Log warning, skip todo sync, continue with other entities |
 | 429 Rate Limited | Respect `Retry-After` header using existing retry policy |
 | Malformed JSON | Log warning with todo ID, skip item, set `purge_allowed=false`, continue batch |
 **Rationale for purge disable on malformed JSON:** If we can't decode a todo, we don't know its `gitlab_todo_id`. Without that, we might accidentally purge a valid todo that was simply malformed in transit. Disabling purge for that sync is the safe choice.
 ---
 ### IMP-8: Test Fixtures
 **Fulfills:** AC-34
 **Location:** `tests/fixtures/todos/`
 **`todos_pending.json`:**
 ```json
 [
  {
    "id": 102,
    "project": {"id": 2, "path_with_namespace": "diaspora/client"},
    "author": {"id": 1, "username": "admin"},
    "action_name": "mentioned",
    "target_type": "Issue",
    "target": {"id": 11, "iid": 4, "title": "Inventory system"},
    "target_url": "https://gitlab.example.com/diaspora/client/-/issues/4",
    "body": "@user please review",
    "state": "pending",
    "created_at": "2026-02-20T10:00:00.000Z",
    "updated_at": "2026-02-20T10:00:00.000Z"
  }
 ]
 ```
 **`todos_empty.json`:** `[]`
 **`todos_commit_target.json`:** (target.id is string SHA)
 **`todos_niche_actions.json`:** (merge_train_removed, etc.)
 ---
 ## Rollout Slices
 ### Dependency Graph
 ```
 Slice A ──────► Slice B ──────┬──────► Slice C
 (Schema)        (Sync)        │        (`lore todos`)
                              │
                              └──────► Slice D
                                       (`lore me`)
                 Slice C ───┬───► Slice E
                 Slice D ───┘    (Polish)
 ```
 ### Slice A: Schema + Client
 **ACs:** AC-1, AC-2, AC-3, AC-4, AC-5
 **IMPs:** IMP-1, IMP-2, IMP-4
 **Deliverable:** Migration + client method + deserialization tests pass
 ### Slice B: Sync Integration
 **ACs:** AC-6, AC-7, AC-8, AC-9, AC-28, AC-29, AC-30
 **IMPs:** IMP-3, IMP-7
 **Deliverable:** `lore sync` fetches todos; `--no-todos` works
 ### Slice C: `lore todos` Command
 **ACs:** AC-10, AC-11, AC-12, AC-13, AC-14, AC-15, AC-16, AC-17, AC-24, AC-25
 **IMPs:** IMP-5
 **Deliverable:** `lore todos` and `lore --robot todos` work
 ### Slice D: `lore me` Integration
 **ACs:** AC-18, AC-19, AC-20, AC-21, AC-22, AC-23, AC-26, AC-27
 **IMPs:** IMP-6
 **Deliverable:** `lore me --todos` works; summary shows count
 ### Slice E: Polish
 **ACs:** AC-31, AC-32, AC-33, AC-34
 **IMPs:** IMP-8
 **Deliverable:** Docs updated; all quality gates pass
 ---
 ## Design Decisions
 | Decision | Choice | Rationale |
 |----------|--------|-----------|
 | Write operations | Read-only | Complexity; glab handles writes |
 | Storage | SQLite | Consistent with existing architecture |
 | Project filter | Account-wide only | GitLab API is user-scoped |
 | Action type display | Core only | Reduce noise; store all for future |
 | Attention state | Separate signal | Todos are notifications, not engagement |
 | History | Pending only | Simplicity; done todos have no value locally |
 | Grouping | By action type | Matches GitLab UI; aids triage |
 | Purge strategy | Two-generation grace | Protects against pagination drift during sync |
 ---
 ## Out of Scope
 - Write operations (mark as done)
 - Done todo history tracking
 - Filters beyond `--limit`
 - Todo-based attention state boosting
 - Notification settings API
 ---
 ## References
 - [GitLab To-Do List API](https://docs.gitlab.com/api/todos/)
 - [GitLab User Todos](https://docs.gitlab.com/user/todos/)
--- a/plans/init-refresh-flag.md
+++ b/plans/init-refresh-flag.md
@@ -0,0 +1,137 @@
 # Plan: `lore init --refresh`
 **Created:** 2026-03-02
 **Status:** Complete
 ## Problem
 When new repos are added to the config file, `lore sync` doesn't pick them up because project discovery only happens during `lore init`. Currently, users must use `--force` to overwrite their config, which is awkward.
 ## Solution
 Add `--refresh` flag to `lore init` that reads the existing config and updates the database to match, without overwriting the config file.
 ---
 ## Implementation Plan
 ### 1. CLI Changes (`src/cli/mod.rs`)
 Add to init subcommand:
 - `--refresh` flag (conflicts with `--force`)
 - Ensure `--robot` / `-J` propagates to init
 ### 2. Update `InitOptions` struct
 ```rust
 pub struct InitOptions {
    pub config_path: Option<String>,
    pub force: bool,
    pub non_interactive: bool,
    pub refresh: bool,       // NEW
    pub robot_mode: bool,    // NEW
 }
 ```
 ### 3. New `RefreshResult` struct
 ```rust
 pub struct RefreshResult {
    pub user: UserInfo,
    pub projects_registered: Vec<ProjectInfo>,
    pub projects_failed: Vec<ProjectFailure>,  // path + error message
    pub orphans_found: Vec<String>,            // paths in DB but not config
    pub orphans_deleted: Vec<String>,          // if user said yes
 }
 pub struct ProjectFailure {
    pub path: String,
    pub error: String,
 }
 ```
 ### 4. Main logic: `run_init_refresh()` (new function)
 ```
 1. Load config via Config::load()
 2. Resolve token, call get_current_user() → validate auth
 3. For each project in config.projects:
   - Call client.get_project(path)
   - On success: collect for DB upsert
   - On failure: collect in projects_failed
 4. Query DB for all existing projects
 5. Compute orphans = DB projects - config projects
 6. If orphans exist:
   - Robot mode: include in output, no prompt, no delete
   - Interactive: prompt "Delete N orphan projects? [y/N]"
     - Default N → skip deletion
     - Y → delete from DB
 7. Upsert validated projects into DB
 8. Return RefreshResult
 ```
 ### 5. Improve existing init error message
 In `run_init()`, when config exists and neither `--refresh` nor `--force`:
 **Current:**
 > Config file exists at ~/.config/lore/config.json. Use --force to overwrite.
 **New:**
 > Config already exists at ~/.config/lore/config.json.
 > - Use `--refresh` to register new projects from config
 > - Use `--force` to overwrite the config file
 ### 6. Robot mode output
 ```json
 {
  "ok": true,
  "data": {
    "mode": "refresh",
    "user": { "username": "...", "name": "..." },
    "projects_registered": [...],
    "projects_failed": [...],
    "orphans_found": ["old/project"],
    "orphans_deleted": []
  },
  "meta": { "elapsed_ms": 123 }
 }
 ```
 ### 7. Human output
 ```
  ✓ Authenticated as @username (Full Name)
  Projects
    ✓ group/project-a          registered
    ✓ group/project-b          registered
    ✗ group/nonexistent        not found
  Orphans
    • old/removed-project
  Delete 1 orphan project from database? [y/N]: n
  Registered 2 projects (1 failed, 1 orphan kept)
 ```
 ---
 ## Files to Touch
 1. **`src/cli/mod.rs`** — add `--refresh` and `--robot` to init subcommand args
 2. **`src/cli/commands/init.rs`** — add `RefreshResult`, `run_init_refresh()`, update error message
 3. **`src/main.rs`** (or CLI dispatch) — route `--refresh` to new function
 ---
 ## Acceptance Criteria
 - [x] `lore init --refresh` reads existing config and registers projects
 - [x] Validates GitLab auth before processing
 - [x] Orphan projects prompt with default N (interactive mode)
 - [x] Robot mode outputs JSON, no prompts, includes orphans in output
 - [x] Existing `lore init` (no flags) suggests `--refresh` when config exists
 - [x] `--refresh` and `--force` are mutually exclusive
--- a/plans/lore-service.feedback-1.md
+++ b/plans/lore-service.feedback-1.md
@@ -1,186 +0,0 @@
 1. **Isolate scheduled behavior from manual `sync`**
 Reasoning: Your current plan injects backoff into `handle_sync_cmd`, which affects all `lore sync` calls (including manual recovery runs). Scheduled behavior should be isolated so humans aren’t unexpectedly blocked by service backoff.
 ```diff
@@ Context
 -`lore sync` runs a 4-stage pipeline (issues, MRs, docs, embeddings) that takes 2-4 minutes.
 +`lore sync` remains the manual/operator command.
 +`lore service run` (hidden/internal) is the scheduled execution entrypoint.
@@ Commands & User Journeys
 +### `lore service run` (hidden/internal)
 +**What it does:** Executes one scheduled sync attempt with service-only policy:
 +- applies service backoff policy
 +- records service run state
 +- invokes sync pipeline with configured profile
 +- updates retry state on success/failure
 +
 +**Invocation:** scheduler always runs:
 +`lore --robot service run --reason timer`
@@ Backoff Integration into `handle_sync_cmd`
 -Insert **after** config load but **before** the dry_run check:
 +Do not add backoff checks to `handle_sync_cmd`.
 +Backoff logic lives only in `handle_service_run`.
 ```
 2. **Use DB as source-of-truth for service state (not a standalone JSON status file)**
 Reasoning: You already have `sync_runs` in SQLite. A separate JSON status file creates split-brain and race/corruption risk. Keep JSON as optional cache/export only.
 ```diff
@@ Status File
 -Location: `{get_data_dir()}/sync-status.json`
 +Primary state location: SQLite (`service_state` table) + existing `sync_runs`.
 +Optional mirror file: `{get_data_dir()}/sync-status.json` (best-effort export only).
@@ File-by-File Implementation Details
 -### `src/core/sync_status.rs` (NEW)
 +### `migrations/015_service_state.sql` (NEW)
 +CREATE TABLE service_state (
 +  id INTEGER PRIMARY KEY CHECK (id = 1),
 +  installed INTEGER NOT NULL DEFAULT 0,
 +  platform TEXT,
 +  interval_seconds INTEGER,
 +  profile TEXT NOT NULL DEFAULT 'balanced',
 +  consecutive_failures INTEGER NOT NULL DEFAULT 0,
 +  next_retry_at_ms INTEGER,
 +  last_error_code TEXT,
 +  last_error_message TEXT,
 +  updated_at_ms INTEGER NOT NULL
 +);
 +
 +### `src/core/service_state.rs` (NEW)
 +- read/write state row
 +- derive backoff/next_retry
 +- join with latest `sync_runs` for status output
 ```
 3. **Backoff policy should be configurable, jittered, and error-aware**
 Reasoning: Fixed hardcoded backoff (`base=1800`) is wrong when user sets another interval. Also permanent failures (bad token/config) should not burn retries forever; they should enter paused/error state.
 ```diff
@@ Backoff Logic
 -// Exponential: base * 2^failures, capped at 4 hours
 +// Exponential with jitter: base * 2^(failures-1), capped, ±20% jitter
 +// Applies only to transient errors.
 +// Permanent errors set `paused_reason` and stop retries until user action.
@@ CLI Definition Changes
 +ServiceCommand::Resume,   // clear paused state / failures
 +ServiceCommand::Run,      // hidden
@@ Error Types
 +ServicePaused,            // scheduler paused due to permanent error
 +ServiceCommandFailed,     // OS command failure with stderr context
 ```
 4. **Add a pipeline-level single-flight lock**
 Reasoning: Current locking is in ingest stages; there’s still overlap risk across full sync pipelines (docs/embed can overlap with another run). Add a top-level lock for scheduled/manual sync pipeline execution.
 ```diff
@@ Architecture
 +Add `sync_pipeline` lock at top-level sync execution.
 +Keep existing ingest lock (`sync`) for ingest internals.
@@ Backoff Integration into `handle_sync_cmd`
 +Before starting sync pipeline, acquire `AppLock` with:
 +name = "sync_pipeline"
 +stale_lock_minutes = config.sync.stale_lock_minutes
 +heartbeat_interval_seconds = config.sync.heartbeat_interval_seconds
 ```
 5. **Don’t embed token in service files by default**
 Reasoning: Embedding PAT into unit/plist is a high-risk secret leak path. Make secure storage explicit and default-safe.
 ```diff
@@ `lore service install [--interval 30m]`
 +`lore service install [--interval 30m] [--token-source env-file|embedded]`
 +Default: `env-file` (0600 perms, user-owned)
 +`embedded` allowed only with explicit opt-in and warning
@@ Robot output
 -    "token_embedded": true
 +    "token_source": "env_file"
@@ Human output
 -  Note: Your GITLAB_TOKEN is embedded in the service file.
 +  Note: Token is stored in a user-private env file (0600).
 ```
 6. **Introduce a command-runner abstraction with timeout + stderr capture**
 Reasoning: `launchctl/systemctl/schtasks` calls are failure-prone; you need consistent error mapping and deterministic tests.
 ```diff
@@ Platform Backends
 -exports free functions that dispatch via `#[cfg(target_os)]`
 +exports backend + shared `CommandRunner`:
 +- run(cmd, args, timeout)
 +- capture stdout/stderr/exit code
 +- map failure to `ServiceCommandFailed { cmd, exit_code, stderr }`
 ```
 7. **Persist install manifest to avoid brittle file parsing**
 Reasoning: Parsing timer/plist for interval/state is fragile and platform-format dependent. Persist a manifest with checksums and expected artifacts.
 ```diff
@@ Platform Backends
 -Same pattern for ... `get_interval_seconds()`
 +Add manifest: `{data_dir}/service-manifest.json`
 +Stores platform, interval, profile, generated files, and command.
 +`service status` reads manifest first, then verifies platform state.
@@ Acceptance criteria
 +Install is idempotent:
 +- if manifest+files already match, report `no_change: true`
 +- if drift detected, reconcile and rewrite
 ```
 8. **Make schedule profile explicit (`fast|balanced|full`)**
 Reasoning: This makes the feature more useful and performance-tunable without requiring users to understand internal flags.
 ```diff
@@ `lore service install [--interval 30m]`
 +`lore service install [--interval 30m] [--profile fast|balanced|full]`
 +
 +Profiles:
 +- fast: `sync --no-docs --no-embed`
 +- balanced (default): `sync --no-embed`
 +- full: `sync`
 ```
 9. **Upgrade `service status` to include scheduler health + recent run summary**
 Reasoning: Single last-sync snapshot is too shallow. Include recent attempts and whether scheduler is paused/backing off/running.
 ```diff
@@ `lore service status`
 -What it does: Shows whether the service is installed, its configuration, last sync result, and next scheduled run.
 +What it does: Shows install state, scheduler state (running/backoff/paused), recent runs, and next run estimate.
@@ Robot output
 -    "last_sync": { ... },
 -    "backoff": null
 +    "scheduler_state": "running|backoff|paused|idle",
 +    "last_sync": { ... },
 +    "recent_runs": [{"run_id":"...","status":"...","started_at_iso":"..."}],
 +    "backoff": null,
 +    "paused_reason": null
 ```
 10. **Strengthen tests around determinism and cross-platform generation**
 Reasoning: Time-based backoff and shell quoting are classic flaky points. Add fake clock + fake command runner for deterministic tests.
 ```diff
@@ Testing Strategy
 +Add deterministic test seams:
 +- `Clock` trait for backoff/now calculations
 +- `CommandRunner` trait for backend command execution
 +
 +Add tests:
 +- transient vs permanent error classification
 +- backoff schedule with jitter bounds
 +- manifest drift reconciliation
 +- quoting/escaping for paths with spaces and special chars
 +- `service run` does not modify manual `sync` behavior
 ```
 If you want, I can rewrite your full plan as a single clean revised document with these changes already integrated (instead of patch fragments).
--- a/plans/lore-service.feedback-2.md
+++ b/plans/lore-service.feedback-2.md
@@ -1,182 +0,0 @@
 **High-Impact Revisions (ordered by priority)**
 1. **Make service identity project-scoped (avoid collisions across repos/users)**
 Analysis: Current fixed names (`com.gitlore.sync`, `LoreSync`, `lore-sync.timer`) will collide when users run multiple gitlore workspaces. This causes silent overwrites and broken uninstall/status behavior.  
 Diff:
 ```diff
 --- a/plan.md
 +++ b/plan.md
@@ Commands & User Journeys / install
 - lore service install [--interval 30m] [--profile balanced] [--token-source env-file]
 + lore service install [--interval 30m] [--profile balanced] [--token-source auto] [--name <optional>]
@@ Install Manifest Schema
 +    /// Stable per-install identity (default derived from project root hash)
 +    pub service_id: String,
@@ Platform Backends
 - Label: com.gitlore.sync
 + Label: com.gitlore.sync.{service_id}
 - Task name: LoreSync
 + Task name: LoreSync-{service_id}
 - ~/.config/systemd/user/lore-sync.service
 + ~/.config/systemd/user/lore-sync-{service_id}.service
 ```
 2. **Replace token model with secure per-OS defaults**
 Analysis: The current “env-file default” is not actually secure on macOS launchd (token still ends up in plist). On Windows, assumptions about inherited environment are fragile. Use OS-native secure stores by default and keep `embedded` as explicit opt-in only.  
 Diff:
 ```diff
 --- a/plan.md
 +++ b/plan.md
@@ Token storage strategies
 -| env-file (default) | ...
 +| auto (default) | macOS: Keychain, Linux: env-file (0600), Windows: Credential Manager |
 +| env-file | Linux/systemd only |
 | embedded | ... explicit warning ...
@@ macOS launchd section
 - env-file strategy stores canonical token in service-env but embeds token in plist
 + default strategy is Keychain lookup at runtime; no token persisted in plist
 + env-file is not offered on macOS
@@ Windows schtasks section
 - token must be in user's system environment
 + default strategy stores token in Windows Credential Manager and injects at runtime
 ```
 3. **Version and atomically persist manifest/status**
 Analysis: `Option<Self>` on read hides corruption, and non-atomic writes risk truncated JSON on crashes. This will create false “not installed” and scheduler confusion.  
 Diff:
 ```diff
 --- a/plan.md
 +++ b/plan.md
@@ Install Manifest Schema
 +    pub schema_version: u32, // start at 1
 +    pub updated_at_iso: String,
@@ Status File Schema
 +    pub schema_version: u32, // start at 1
 +    pub updated_at_iso: String,
@@ Read/Write
 - read(path) -> Option<Self>
 + read(path) -> Result<Option<Self>, LoreError>
 - write(...) -> std::io::Result<()>
 + write_atomic(...) -> std::io::Result<()> // tmp file + fsync + rename
 ```
 4. **Persist `next_retry_at_ms` instead of recomputing jitter**
 Analysis: Deterministic jitter from timestamp modulo is predictable and can herd retries. Persisting `next_retry_at_ms` at failure time makes status accurate, stable, and cheap to compute.  
 Diff:
 ```diff
 --- a/plan.md
 +++ b/plan.md
@@ SyncStatusFile
     pub consecutive_failures: u32,
 +    pub next_retry_at_ms: Option<i64>,
@@ Backoff Logic
 - compute backoff from last_run.timestamp_ms and deterministic jitter each read
 + compute backoff once on failure, store next_retry_at_ms, read-only comparison afterward
 + jitter algorithm: full jitter in [0, cap], injectable RNG for tests
 ```
 5. **Add circuit breaker for repeated transient failures**
 Analysis: Infinite transient retries can run forever on systemic failures (DB corruption, bad network policy). After N transient failures, pause with actionable reason.  
 Diff:
 ```diff
 --- a/plan.md
 +++ b/plan.md
@@ Scheduler states
 - backoff — transient failures, waiting to retry
 + backoff — transient failures, waiting to retry
 + paused — permanent error OR circuit breaker tripped after N transient failures
@@ Service run flow
 - On transient failure: increment failures, compute backoff
 + On transient failure: increment failures, compute backoff, if failures >= max_transient_failures -> pause
 ```
 6. **Stage-aware outcome policy (core freshness over all-or-nothing)**
 Analysis: Failing embeddings/docs should not block issues/MRs freshness. Split stage outcomes and only treat core stages as hard-fail by default. This improves reliability and practical usefulness.  
 Diff:
 ```diff
 --- a/plan.md
 +++ b/plan.md
@@ Context
 - lore sync runs a 4-stage pipeline ... treated as one run result
 + lore service run records per-stage outcomes (issues, mrs, docs, embeddings)
@@ Status File Schema
 +    pub stage_results: Vec<StageResult>,
@@ service run flow
 - Execute sync pipeline with flags derived from profile
 + Execute stage-by-stage and classify severity:
 +   - critical: issues, mrs
 +   - optional: docs, embeddings
 + optional stage failures mark run as degraded, not failed
 ```
 7. **Replace cfg free-function backend with trait-based backend**
 Analysis: Current backend API is hard to test end-to-end without real OS commands. A `SchedulerBackend` trait enables deterministic integration tests and cleaner architecture.  
 Diff:
 ```diff
 --- a/plan.md
 +++ b/plan.md
@@ Platform Backends / Architecture
 - exports free functions dispatched via #[cfg]
 + define trait SchedulerBackend { install, uninstall, state, file_paths, next_run }
 + provide LaunchdBackend, SystemdBackend, SchtasksBackend implementations
 + include FakeBackend for integration tests
 ```
 8. **Harden platform units and detect scheduler prerequisites**
 Analysis: systemd user timers often fail silently without user manager/linger; launchd context can be wrong in headless sessions. Add explicit diagnostics and unit hardening.  
 Diff:
 ```diff
 --- a/plan.md
 +++ b/plan.md
@@ Linux systemd unit
 [Service]
 Type=oneshot
 ExecStart=...
 +TimeoutStartSec=900
 +NoNewPrivileges=true
 +PrivateTmp=true
 +ProtectSystem=strict
 +ProtectHome=read-only
@@ Linux install/status
 + detect user manager availability and linger state; surface warning/action
@@ macOS install/status
 + detect non-GUI bootstrap context and return actionable error
 ```
 9. **Add operational commands: `trigger`, `doctor`, and non-interactive log tail**
 Analysis: `logs` opening an editor is weak for automation and incident response. Operators need a preflight and immediate controlled run.  
 Diff:
 ```diff
 --- a/plan.md
 +++ b/plan.md
@@ ServiceCommand
 + Trigger, // run one attempt through service policy now
 + Doctor,  // validate scheduler, token, paths, permissions
@@ logs
 - opens editor
 + supports --tail <n> and --follow in human mode
 + robot mode can return last_n lines optionally
 ```
 10. **Fix plan inconsistencies and edge-case correctness**
 Analysis: There are internal mismatches that will cause implementation drift.  
 Diff:
 ```diff
 --- a/plan.md
 +++ b/plan.md
@@ Interval Parsing
 - supports 's' suffix
 + remove 's' suffix (acceptance only allows 5m..24h)
@@ uninstall acceptance
 - removes ALL service files only
 + explicitly also remove service-manifest and service-env (status/logs retained)
@@ SyncStatusFile schema
 - pub last_run: SyncRunRecord
 + pub last_run: Option<SyncRunRecord> // matches idle/no runs state
 ```
 ---
 **Recommended Architecture Upgrade Summary**
 The strongest improvement set is: **(1) project-scoped IDs, (2) secure token defaults, (3) atomic/versioned state, (4) persisted retry schedule + circuit breaker, (5) stage-aware outcomes**. That combination materially improves correctness, multi-repo safety, security, operability, and real-world reliability without changing your core manual-vs-scheduled separation principle.
--- a/plans/lore-service.feedback-3.md
+++ b/plans/lore-service.feedback-3.md
@@ -1,174 +0,0 @@
 Below are the highest-impact revisions I’d make, ordered by severity/ROI. These focus on correctness first, then security, then operability and UX.
 1. **Fix multi-install ambiguity (`service_id` exists, but commands can’t target one explicitly)**
 Analysis: The plan introduces `service-manifest-{service_id}.json`, but `status/uninstall/resume/logs` have no selector. In a multi-workspace or multi-name install scenario, behavior becomes ambiguous and error-prone. Add explicit targeting plus discovery.
 ```diff
@@ ## Commands & User Journeys
 +### `lore service list`
 +Lists installed services discovered from `{data_dir}/service-manifest-*.json`.
 +Robot output includes `service_id`, `platform`, `interval_seconds`, `profile`, `installed_at_iso`.
@@ ### `lore service uninstall`
 -### `lore service uninstall`
 +### `lore service uninstall [--service <service_id|name>] [--all]`
@@
 -2. CLI reads install manifest to find `service_id`
 +2. CLI resolves target service via `--service` or current-project-derived default.
 +3. If multiple candidates and no selector, return actionable error.
@@ ### `lore service status`
 -### `lore service status`
 +### `lore service status [--service <service_id|name>]`
 ```
 2. **Make status state service-scoped (not global)**
 Analysis: A single `sync-status.json` for all services causes cross-service contamination (pause/backoff/outcome from one profile affecting another). Keep lock global, but state per service.
 ```diff
@@ ## Status File
 -### Location
 -`{get_data_dir()}/sync-status.json`
 +### Location
 +`{get_data_dir()}/sync-status-{service_id}.json`
@@ ## Paths Module Additions
 -pub fn get_service_status_path() -> PathBuf {
 -    get_data_dir().join("sync-status.json")
 +pub fn get_service_status_path(service_id: &str) -> PathBuf {
 +    get_data_dir().join(format!("sync-status-{service_id}.json"))
 }
@@
 -Note: `sync-status.json` is NOT scoped by `service_id`
 +Note: status is scoped by `service_id`; lock remains global (`sync_pipeline`) to prevent overlapping writes.
 ```
 3. **Stop classifying permanence via string matching**
 Analysis: Matching `"401 Unauthorized"` in strings is brittle and will misclassify edge cases. Carry machine codes through stage results and classify by `ErrorCode` only.
 ```diff
@@ pub struct StageResult {
 -    pub error: Option<String>,
 +    pub error: Option<String>,
 +    pub error_code: Option<String>, // e.g., AUTH_FAILED, NETWORK_ERROR
 }
@@ Error classification helpers
 -fn is_permanent_error_message(msg: Option<&str>) -> bool { ...string contains... }
 +fn is_permanent_error_code(code: Option<&str>) -> bool {
 +    matches!(code, Some("TOKEN_NOT_SET" | "AUTH_FAILED" | "CONFIG_NOT_FOUND" | "CONFIG_INVALID" | "MIGRATION_FAILED"))
 +}
 ```
 4. **Install should be transactional (manifest written last)**
 Analysis: Current order writes manifest before scheduler enable. If enable fails, you persist a false “installed” state. Use two-phase install with rollback.
 ```diff
@@ ### `lore service install` User journey
 -9. CLI writes install manifest ...
 -10. CLI runs the platform-specific enable command
 +9. CLI runs the platform-specific enable command
 +10. On success, CLI writes install manifest atomically
 +11. On failure, CLI removes generated files and returns `ServiceCommandFailed`
 ```
 5. **Fix launchd token security gap (env-file currently still embeds token)**
 Analysis: Current “env-file” on macOS still writes token into plist, defeating the main security goal. Generate a private wrapper script that reads env file at runtime and execs `lore`.
 ```diff
@@ ### macOS: launchd
 -<key>ProgramArguments</key>
 -<array>
 -    <string>{binary_path}</string>
 -    <string>--robot</string>
 -    <string>service</string>
 -    <string>run</string>
 -</array>
 +<key>ProgramArguments</key>
 +<array>
 +    <string>{data_dir}/service-run-{service_id}.sh</string>
 +</array>
@@
 -`env-file`: ... token value must still appear in plist ...
 +`env-file`: token never appears in plist; wrapper loads `{data_dir}/service-env-{service_id}` at runtime.
 ```
 6. **Improve backoff math and add half-open circuit recovery**
 Analysis: Current jitter + min clamp makes first retry deterministic and can over-pause. Also circuit-breaker requires manual resume forever. Add cooldown + half-open probe to self-heal.
 ```diff
@@ Backoff Logic
 -let backoff_secs = ((base_backoff as f64) * jitter_factor) as u64;
 -let backoff_secs = backoff_secs.max(base_interval_seconds);
 +let max_backoff = base_backoff;
 +let min_backoff = base_interval_seconds;
 +let span = max_backoff.saturating_sub(min_backoff);
 +let backoff_secs = min_backoff + ((span as f64) * jitter_factor) as u64;
@@ Scheduler states
 -- `paused` — permanent error ... OR circuit breaker tripped ...
 +- `paused` — permanent error requiring intervention
 +- `half_open` — probe state after circuit cooldown; one trial run allowed
@@ Circuit breaker
 -... transitions to `paused` ... Run: lore service resume
 +... transitions to `half_open` after cooldown (default 30m). Successful probe closes breaker automatically; failed probe returns to backoff/paused.
 ```
 7. **Promote backend trait to v1 (not v2) for deterministic integration tests**
 Analysis: This is a reliability-critical feature spanning OS schedulers. A trait abstraction now gives true behavior tests and safer refactors.
 ```diff
@@ ### Platform Backends
 -> Future architecture note: A `SchedulerBackend` trait ... for v2.
 +Adopt `SchedulerBackend` trait in v1 with real backends (`launchd/systemd/schtasks`) and `FakeBackend` for tests.
 +This enables deterministic install/uninstall/status/run-path integration tests without touching host scheduler.
 ```
 8. **Harden `run_cmd` timeout behavior**
 Analysis: If timeout occurs, child process must be killed and reaped. Otherwise you leak processes and can wedge repeated runs.
 ```diff
@@ fn run_cmd(...)
 -// Wait with timeout
 -let output = wait_with_timeout(output, timeout_secs)?;
 +// Wait with timeout; on timeout kill child and wait to reap
 +let output = wait_with_timeout_kill_and_reap(child, timeout_secs)?;
 ```
 9. **Add manual control commands (`pause`, `trigger`, `repair`)**
 Analysis: These are high-utility operational controls. `trigger` helps immediate sync without waiting interval. `pause` supports maintenance windows. `repair` avoids manual file deletion for corrupt state.
 ```diff
@@ pub enum ServiceCommand {
 +    /// Pause scheduled execution without uninstalling
 +    Pause { #[arg(long)] reason: Option<String> },
 +    /// Trigger an immediate one-off run using installed profile
 +    Trigger { #[arg(long)] ignore_backoff: bool },
 +    /// Repair corrupt manifest/status by backing up and reinitializing
 +    Repair { #[arg(long)] service: Option<String> },
 }
 ```
 10. **Make `logs` default non-interactive and add rotation policy**
 Analysis: Opening editor by default is awkward for automation/SSH and slower for normal diagnosis. Defaulting to `tail` is more practical; `--open` can preserve editor behavior.
 ```diff
@@ ### `lore service logs`
 -By default, opens in the user's preferred editor.
 +By default, prints last 100 lines to stdout.
 +Use `--open` to open editor.
@@
 +Log rotation: rotate `service-stdout.log` / `service-stderr.log` at 10 MB, keep 5 files.
 ```
 11. **Remove destructive/shell-unsafe suggested action**
 Analysis: `actions(): ["rm {path}", ...]` is unsafe (shell injection + destructive guidance). Replace with safe command path.
 ```diff
@@ LoreError::actions()
 -Self::ServiceCorruptState { path, .. } => vec![&format!("rm {path}"), "lore service install"],
 +Self::ServiceCorruptState { .. } => vec!["lore service repair", "lore service install"],
 ```
 12. **Tighten scheduler units for real-world reliability**
 Analysis: Add explicit working directory and success-exit handling to reduce environment drift and edge failures.
 ```diff
@@ systemd service unit
 [Service]
 Type=oneshot
 ExecStart={binary_path} --robot service run
 +WorkingDirectory={data_dir}
 +SuccessExitStatus=0
 TimeoutStartSec=900
 ```
 If you want, I can produce a single consolidated “v3 plan” markdown with these revisions already merged into your original structure.
--- a/plans/lore-service.feedback-4.md
+++ b/plans/lore-service.feedback-4.md
@@ -1,190 +0,0 @@
 No `## Rejected Recommendations` section was present in the plan you shared, so the proposals below are all net-new.
 1. **Make scheduled runs explicitly target a single service instance**
 Analysis: right now `service run` has no selector, but the plan supports multiple installed services. That creates ambiguity and incorrect manifest/status selection. This is the most important architectural fix.
 ```diff
@@ `lore service install` What it does
 - runs `lore --robot service run` at the specified interval
 + runs `lore --robot service run --service-id <service_id>` at the specified interval
@@ Robot output (`install`)
 - "sync_command": "/usr/local/bin/lore --robot service run",
 + "sync_command": "/usr/local/bin/lore --robot service run --service-id a1b2c3d4",
@@ `ServiceCommand` enum
 - #[command(hide = true)]
 - Run,
 + #[command(hide = true)]
 + Run {
 +     /// Internal selector injected by scheduler backend
 +     #[arg(long, hide = true)]
 +     service_id: String,
 + },
@@ `handle_service_run` signature
 -pub fn handle_service_run(start: std::time::Instant) -> Result<(), Box<dyn std::error::Error>>
 +pub fn handle_service_run(service_id: &str, start: std::time::Instant) -> Result<(), Box<dyn std::error::Error>>
@@ run flow step 1
 - Read install manifest
 + Read install manifest for `service_id`
 ```
 2. **Strengthen `service_id` derivation to avoid cross-workspace collisions**
 Analysis: hashing config path alone can collide when many workspaces share one global config. Identity should represent what is being synced, not only where config lives.
 ```diff
@@ Key Design Principles / Project-Scoped Service Identity
 - derive from a stable hash of the config file path
 + derive from a stable fingerprint of:
 + - canonical workspace root
 + - normalized configured GitLab project URLs
 + - canonical config path
 + then take first 12 hex chars of SHA-256
@@ `compute_service_id`
 - Returns first 8 hex chars of SHA-256 of the canonical config path.
 + Returns first 12 hex chars of SHA-256 of a canonical identity tuple
 + (workspace_root + sorted project URLs + config_path).
 ```
 3. **Introduce a service-state machine with a dedicated admin lock**
 Analysis: install/uninstall/pause/resume/repair/status can race each other. A lock and explicit transition table prevents invalid states and file races.
 ```diff
@@ New section: Service State Model
 + All state mutations are serialized by `AppLock("service-admin-{service_id}")`.
 + Legal transitions:
 + - idle -> running -> success|degraded|backoff|paused
 + - backoff -> running|paused
 + - paused -> half_open|running (resume)
 + - half_open -> running|paused
 + Any invalid transition is rejected with `ServiceCorruptState`.
@@ `handle_install`, `handle_uninstall`, `handle_pause`, `handle_resume`, `handle_repair`
 + Acquire `service-admin-{service_id}` before mutating manifest/status/service files.
 ```
 4. **Unify manual and scheduled sync execution behind one orchestrator**
 Analysis: the plan currently duplicates stage logic and error classification in `service run`, increasing drift risk. A shared orchestrator gives one authoritative pipeline behavior.
 ```diff
@@ Key Design Principles
 + #### 6. Single Sync Orchestrator
 + Both `lore sync` and `lore service run` call `SyncOrchestrator`.
 + Service mode adds policy (backoff/circuit-breaker); manual mode bypasses policy.
@@ Service Run Implementation
 - execute_sync_stages(&sync_args)
 + SyncOrchestrator::run(SyncMode::Service { profile, policy })
@@ manual sync
 - separate pipeline path
 + SyncOrchestrator::run(SyncMode::Manual { flags })
 ```
 5. **Add bounded in-run retries for transient core-stage failures**
 Analysis: single-shot failure handling will over-trigger backoff on temporary network blips. One short retry per core stage significantly improves freshness without much extra runtime.
 ```diff
@@ Stage-aware execution
 + Core stages (`issues`, `mrs`) get up to 1 immediate retry on transient errors
 + (jittered 1-5s). Permanent errors are never retried.
 + Optional stages keep best-effort semantics.
@@ Acceptance criteria (`service run`)
 + Retries transient core stage failures once before counting run as failed.
 ```
 6. **Harden persistence with full crash-safety semantics**
 Analysis: current atomic write description is good but incomplete for power-loss durability. You should fsync parent directory after rename and include lightweight integrity metadata.
 ```diff
@@ `write_atomic`
 - tmp file + fsync + rename
 + tmp file + fsync(file) + rename + fsync(parent_dir)
@@ `ServiceManifest` and `SyncStatusFile`
 + pub write_seq: u64,
 + pub content_sha256: String, // optional integrity guard for repair/doctor
 ```
 7. **Fix token handling to avoid shell/env injection and add secure-store mode**
 Analysis: sourcing env files in shell is brittle if token contains special chars/newlines. Also, secure OS credential stores should be first-class for production reliability/security.
 ```diff
@@ Token storage strategies
 -| `env-file` (default) ...
 +| `auto` (default) | use secure-store when available, else env-file |
 +| `secure-store` | macOS Keychain / libsecret / Windows Credential Manager |
 +| `env-file` | explicit fallback |
@@ macOS wrapper script
 -. "{data_dir}/service-env-{service_id}"
 -export {token_env_var}
 +TOKEN_VALUE="$(cat "{data_dir}/service-token-{service_id}" )"
 +export {token_env_var}="$TOKEN_VALUE"
@@ Acceptance criteria
 + Reject token values containing `\0` or newline for env-file mode.
 + Never eval/source untrusted token content.
 ```
 8. **Correct platform/runtime implementation hazards**
 Analysis: there are a few correctness risks that should be fixed in-plan now.
 ```diff
@@ macOS install steps
 - Get UID via `unsafe { libc::getuid() }`
 + Get UID via safe API (`nix::unistd::Uid::current()` or equivalent safe helper)
@@ Command Runner Helper
 - poll try_wait and read stdout/stderr after exit
 + avoid potential pipe backpressure deadlock:
 + use wait-with-timeout + concurrent stdout/stderr draining
@@ Linux timer
 - OnUnitActiveSec={interval_seconds}s
 + OnUnitInactiveSec={interval_seconds}s
 + AccuracySec=1min
 ```
 9. **Make logs fully service-scoped**
 Analysis: you already scoped manifest/status by `service_id`; logs are still global in several places. Multi-service installs will overwrite each other’s logs.
 ```diff
@@ Paths Module Additions
 -pub fn get_service_log_path() -> PathBuf
 +pub fn get_service_log_path(service_id: &str, stream: LogStream) -> PathBuf
@@ log filenames
 - logs/service-stderr.log
 - logs/service-stdout.log
 + logs/service-{service_id}-stderr.log
 + logs/service-{service_id}-stdout.log
@@ `service logs`
 - default path: `{data_dir}/logs/service-stderr.log`
 + default path: `{data_dir}/logs/service-{service_id}-stderr.log`
 ```
 10. **Resolve internal spec contradictions and rollback gaps**
 Analysis: there are a few contradictory statements and incomplete rollback behavior that will cause implementation churn.
 ```diff
@@ `service logs` behavior
 - default (no flags): open in editor (human)
 + default (no flags): print last 100 lines (human and robot metadata mode)
 + `--open` is explicit opt-in
@@ install rollback
 - On failure: removes generated service files
 + On failure: removes generated service files, env file, wrapper script, and temp manifest
@@ `handle_service_run` sample code
 - let manifest_path = get_service_manifest_path();
 + let manifest_path = get_service_manifest_path(service_id);
 ```
 If you want, I can take these revisions and produce a single consolidated “Iteration 4” replacement plan block with all sections rewritten coherently so it’s ready to hand to an implementer.
--- a/plans/time-decay-expert-scoring.feedback-1.md
+++ b/plans/time-decay-expert-scoring.feedback-1.md
@@ -1,114 +0,0 @@
 Your plan is strong directionally, but I’d revise it in 8 key places to avoid regressions and make it significantly more useful in production.
 1. **Split reviewer signals into “participated” vs “assigned-only”**
 Reason: today’s inflation problem is often assignment noise. Treating `mr_reviewers` equal to real review activity still over-ranks passive reviewers.
 ```diff
@@ Per-signal contributions
 -| Reviewer (reviewed MR touching path) | 10 | 90 days |
 +| ReviewerParticipated (left DiffNote on MR/path) | 10 | 90 days |
 +| ReviewerAssignedOnly (in mr_reviewers, no DiffNote by that user on MR/path) | 3 | 45 days |
 ```
 ```diff
@@ Scoring Formula
 -score = reviewer_mr * reviewer_weight + ...
 +score = reviewer_participated * reviewer_weight
 +      + reviewer_assigned_only * reviewer_assignment_weight
 +      + ...
 ```
 2. **Cap/saturate note intensity per MR**
 Reason: raw per-note addition can still reward “comment storms.” Use diminishing returns.
 ```diff
@@ Rust-Side Aggregation
 -- Notes: Vec<i64> (timestamps) from diffnote_reviewer
 +-- Notes grouped per (username, mr_id): note_count + max_ts
 +-- Note contribution per MR uses diminishing returns:
 +-- note_score_mr = note_bonus * ln(1 + note_count) * decay(now - ts, note_hl)
 ```
 3. **Use better event timestamps than `m.updated_at` for file-change signals**
 Reason: `updated_at` is noisy (title edits, metadata touches) and creates false recency.
 ```diff
@@ SQL Restructure
 - signal 3/4 seen_at = m.updated_at
 + signal 3/4 activity_ts = COALESCE(m.merged_at, m.closed_at, m.created_at, m.updated_at)
 ```
 4. **Don’t stream raw note rows to Rust; pre-aggregate in SQL**
 Reason: current plan removes SQL grouping and can blow up memory/latency on large repos.
 ```diff
@@ SQL Restructure
 -SELECT username, signal, mr_id, note_id, ts FROM signals
 +WITH raw_signals AS (...),
 +aggregated AS (
 +  -- 1 row per (username, signal_class, mr_id) for MR-level signals
 +  -- 1 row per (username, mr_id) for note_count + max_ts
 +)
 +SELECT username, signal_class, mr_id, qty, ts FROM aggregated
 ```
 5. **Replace fixed `"24m"` with model-driven cutoff**
 Reason: hardcoded 24m is arbitrary and tied to current weights/half-lives only.
 ```diff
@@ Default --since Change
 -Expert mode: "6m" -> "24m"
 +Expert mode default window derived from scoring.max_age_days (default 1095 days / 36m).
 +Formula guidance: choose max_age where max possible single-event contribution < epsilon (e.g. 0.25 points).
 +Add `--all-history` to disable cutoff for diagnostics.
 ```
 6. **Validate scoring config explicitly**
 Reason: silent bad configs (`half_life_days = 0`, negative weights) create undefined behavior.
 ```diff
@@ ScoringConfig (config.rs)
 pub struct ScoringConfig {
   pub author_weight: i64,
   pub reviewer_weight: i64,
   pub note_bonus: i64,
 +  pub reviewer_assignment_weight: i64,   // default: 3
   pub author_half_life_days: u32,
   pub reviewer_half_life_days: u32,
   pub note_half_life_days: u32,
 +  pub reviewer_assignment_half_life_days: u32, // default: 45
 +  pub max_age_days: u32, // default: 1095
 }
@@ Config::load_from_path
 +validate_scoring(&config.scoring)?; // weights >= 0, half_life_days > 0, max_age_days >= 30
 ```
 7. **Keep raw float score internally; round only for display**
 Reason: rounding before sort causes avoidable ties/rank instability.
 ```diff
@@ Rust-Side Aggregation
 -Round to i64 for Expert.score field
 +Compute `raw_score: f64`, sort by raw_score DESC.
 +Expose integer `score` for existing UX.
 +Optionally expose `score_raw` and `score_components` in robot JSON when `--explain-score`.
 ```
 8. **Add confidence + data-completeness metadata**
 Reason: rankings are misleading if `mr_file_changes` coverage is poor.
 ```diff
@@ ExpertResult / Output
 +confidence: "high" | "medium" | "low"
 +coverage: { mrs_with_file_changes, total_mrs_in_window, percent }
 +warning when coverage < threshold (e.g. 70%)
 ```
 ```diff
@@ Verification
 4. cargo test
 +5. ubs src/cli/commands/who.rs src/core/config.rs
 +6. Benchmark query_expert on representative DB (latency + rows scanned before/after)
 ```
 If you want, I can rewrite your full plan document into a clean “v2” version that already incorporates these diffs end-to-end.
--- a/plans/time-decay-expert-scoring.feedback-2.md
+++ b/plans/time-decay-expert-scoring.feedback-2.md
@@ -1,132 +0,0 @@
 The plan is strong, but I’d revise it in 10 places to improve correctness, scalability, and operator trust.
 1. **Add rename/old-path awareness (correctness gap)**
 Analysis: right now both existing code and your plan still center on `position_new_path` / `new_path` matches (`src/cli/commands/who.rs:643`, `src/cli/commands/who.rs:681`). That misses expertise on renamed/deleted paths and under-ranks long-time owners after refactors.
 ```diff
@@ ## Context
 -This produces two compounding problems:
 +This produces three compounding problems:
@@
 2. **Reviewer inflation**: ...
 +3. **Path-history blindness**: Renamed/moved files lose historical expertise because matching relies on current-path fields only.
@@ ### 3. SQL Restructure (who.rs)
 -AND n.position_new_path {path_op}
 +AND (n.position_new_path {path_op} OR n.position_old_path {path_op})
 -AND fc.new_path {path_op}
 +AND (fc.new_path {path_op} OR fc.old_path {path_op})
 ```
 2. **Follow rename chains for queried paths**
 Analysis: matching `old_path` helps, but true continuity needs alias expansion (A→B→C). Without this, expertise before multi-hop renames is fragmented.
 ```diff
@@ ### 3. SQL Restructure (who.rs)
 +**Path alias expansion**: Before scoring, resolve a bounded rename alias set (default max depth: 20)
 +from `mr_file_changes(change_type='renamed')`. Query signals against all aliases.
 +Output includes `path_aliases_used` for transparency.
 ```
 3. **Use hybrid SQL pre-aggregation instead of fully raw rows**
 Analysis: the “raw row” design is simpler but will degrade on large repos with heavy DiffNote volume. Pre-aggregating to `(user, mr)` for MR signals and `(user, mr, note_count)` for note signals keeps memory/latency predictable.
 ```diff
@@ ### 3. SQL Restructure (who.rs)
 -The SQL CTE ... removes the outer GROUP BY aggregation. Instead, it returns raw signal rows:
 -SELECT username, signal, mr_id, note_id, ts FROM signals
 +Use hybrid aggregation:
 +- SQL returns MR-level rows for author/reviewer signals (1 row per user+MR+signal_class)
 +- SQL returns note groups (1 row per user+MR with note_count, max_ts)
 +- Rust applies decay + ln(1+count) + final ranking.
 ```
 4. **Make timestamp policy state-aware (merged vs opened)**
 Analysis: replacing `updated_at` with only `COALESCE(merged_at, created_at)` over-decays long-running open MRs. Open MRs need recency from active lifecycle; merged MRs should anchor to merge time.
 ```diff
@@ ### 3. SQL Restructure (who.rs)
 -Replace m.updated_at with COALESCE(m.merged_at, m.created_at)
 +Use state-aware timestamp:
 +activity_ts =
 +  CASE
 +    WHEN m.state = 'merged' THEN COALESCE(m.merged_at, m.updated_at, m.created_at, m.last_seen_at)
 +    WHEN m.state = 'opened' THEN COALESCE(m.updated_at, m.created_at, m.last_seen_at)
 +  END
 ```
 5. **Replace fixed `24m` with config-driven max age**
 Analysis: `24m` is reasonable now, but brittle after tuning weights/half-lives. Tie cutoff to config so model behavior remains coherent as parameters evolve.
 ```diff
@@ ### 1. ScoringConfig (config.rs)
 +pub max_age_days: u32,                  // default: 730 (or 1095)
@@ ### 5. Default --since Change
 -Expert mode: "6m" -> "24m"
 +Expert mode default window derives from `scoring.max_age_days`
 +unless user passes `--since` or `--all-history`.
 ```
 6. **Add reproducible scoring time via `--as-of`**
 Analysis: decayed ranking is time-sensitive; debugging and tests become flaky without a fixed reference clock. This improves reliability and incident triage.
 ```diff
@@ ## Files to Modify
 -2. src/cli/commands/who.rs
 +2. src/cli/commands/who.rs
 +3. src/cli/mod.rs
 +4. src/main.rs
@@ ### 5. Default --since Change
 +Add `--as-of <RFC3339|YYYY-MM-DD>` to score at a fixed timestamp.
 +`resolved_input` includes `as_of_ms` and `as_of_iso`.
 ```
 7. **Add explainability output (`--explain-score`)**
 Analysis: decayed multi-signal ranking will be disputed without decomposition. Show components and top evidence MRs to make results actionable and debuggable.
 ```diff
@@ ## Rejected Ideas (with rationale)
 -- **`--explain-score` flag with component breakdown**: ... deferred
 +**Included in this iteration**: `--explain-score` adds per-user score components
 +(`author`, `review_participated`, `review_assigned`, `notes`) plus top evidence MRs.
 ```
 8. **Add confidence/coverage metadata**
 Analysis: rankings can look precise while data is incomplete (`mr_file_changes` gaps, sparse DiffNotes). Confidence fields prevent false certainty.
 ```diff
@@ ### 4. Rust-Side Aggregation (who.rs)
 +Compute and emit:
 +- `coverage`: {mrs_considered, mrs_with_file_changes, mrs_with_diffnotes, percent}
 +- `confidence`: high|medium|low (threshold-based)
 ```
 9. **Add index migration for new query shapes**
 Analysis: your new `EXISTS/NOT EXISTS` reviewer split and path dual-matching will need better indexes; current `who` indexes are not enough for author+path+time combinations.
 ```diff
@@ ## Files to Modify
 +3. **`migrations/021_who_decay_indexes.sql`** — indexes for decay query patterns:
 +   - notes(diffnote path + author + created_at + discussion_id) partial
 +   - notes(old_path variant) partial
 +   - mr_file_changes(project_id, new_path, merge_request_id)
 +   - mr_file_changes(project_id, old_path, merge_request_id) partial
 +   - merge_requests(state, merged_at, updated_at, created_at)
 ```
 10. **Expand tests to invariants and determinism**
 Analysis: example-based tests are good, but ranking systems need invariant tests to avoid subtle regressions.
 ```diff
@@ ### 7. New Tests (TDD)
 +**`test_score_monotonicity_by_age`**: same signal, older timestamp never scores higher
 +**`test_row_order_independence`**: shuffled SQL row order yields identical ranking
 +**`test_as_of_reproducibility`**: same data + same `--as-of` => identical output
 +**`test_rename_alias_chain_scoring`**: expertise carries across A->B->C rename chain
 +**`test_overlap_participated_vs_assigned_counts`**: overlap reflects split reviewer semantics
 ```
 If you want, I can produce a full consolidated `v2` plan doc patch (single unified diff against `plans/time-decay-expert-scoring.md`) rather than per-change snippets.
--- a/plans/time-decay-expert-scoring.feedback-3.md
+++ b/plans/time-decay-expert-scoring.feedback-3.md
@@ -1,167 +0,0 @@
 **Critical Plan Findings First**
 1. The proposed index `idx_notes_mr_path_author ON notes(noteable_id, ...)` will fail: `notes.noteable_id` does not exist in schema (`migrations/002_issues.sql:74`).
 2. Rename awareness is only applied in scoring queries, not in path resolution probes; today `build_path_query()` and `suffix_probe()` only inspect `position_new_path`/`new_path` (`src/cli/commands/who.rs:465`, `src/cli/commands/who.rs:591`), so old-path queries can still miss.
 3. A fixed `"24m"` default window is brittle once half-lives become configurable; it can silently truncate meaningful history for larger half-lives.
 Below are the revisions I’d make to your plan.
 1. **Fix migration/index architecture (blocking correctness + perf)**
 Rationale: prevents migration failure and aligns indexes to actual query shapes.
 ```diff
 diff --git a/plan.md b/plan.md
@@ ### 6. Index Migration (db.rs)
 - -- Support EXISTS subquery for reviewer participation check
 - CREATE INDEX IF NOT EXISTS idx_notes_mr_path_author
 -   ON notes(noteable_id, position_new_path, author_username)
 -   WHERE note_type = 'DiffNote' AND is_system = 0;
 + -- Support reviewer participation joins (notes -> discussions -> MR)
 + CREATE INDEX IF NOT EXISTS idx_notes_diffnote_discussion_author_created
 +   ON notes(discussion_id, author_username, created_at)
 +   WHERE note_type = 'DiffNote' AND is_system = 0;
 +
 + -- Path-first indexes for global and project-scoped path lookups
 + CREATE INDEX IF NOT EXISTS idx_mfc_new_path_project_mr
 +   ON mr_file_changes(new_path, project_id, merge_request_id);
 + CREATE INDEX IF NOT EXISTS idx_mfc_old_path_project_mr
 +   ON mr_file_changes(old_path, project_id, merge_request_id)
 +   WHERE old_path IS NOT NULL;
@@
 - -- Support state-aware timestamp selection
 - CREATE INDEX IF NOT EXISTS idx_mr_state_timestamps
 -   ON merge_requests(state, merged_at, closed_at, updated_at, created_at);
 + -- Removed: low-selectivity timestamp composite index; joins are MR-id driven.
 ```
 2. **Restructure SQL around `matched_mrs` CTE instead of repeating OR path clauses**
 Rationale: better index use, less duplicated logic, cleaner maintenance.
 ```diff
 diff --git a/plan.md b/plan.md
@@ ### 3. SQL Restructure (who.rs)
 - WITH raw AS (
 -   -- 5 UNION ALL subqueries (signals 1, 2, 3, 4a, 4b)
 - ),
 + WITH matched_notes AS (
 +   -- DiffNotes matching new_path
 +   ...
 +   UNION ALL
 +   -- DiffNotes matching old_path
 +   ...
 + ),
 + matched_file_changes AS (
 +   -- file changes matching new_path
 +   ...
 +   UNION ALL
 +   -- file changes matching old_path
 +   ...
 + ),
 + matched_mrs AS (
 +   SELECT DISTINCT mr_id, project_id FROM matched_notes
 +   UNION
 +   SELECT DISTINCT mr_id, project_id FROM matched_file_changes
 + ),
 + raw AS (
 +   -- signals sourced from matched_mrs + matched_notes
 + ),
 ```
 3. **Replace correlated `EXISTS/NOT EXISTS` reviewer split with one precomputed participation set**
 Rationale: same semantics, lower query cost, easier reasoning.
 ```diff
 diff --git a/plan.md b/plan.md
@@ Signal 4 splits into two
 - Signal 4a uses an EXISTS subquery ...
 - Signal 4b uses NOT EXISTS ...
 + Build `reviewer_participation(mr_id, username)` once from matched DiffNotes.
 + Then classify `mr_reviewers` rows via LEFT JOIN:
 + - participated: `rp.username IS NOT NULL`
 + - assigned-only: `rp.username IS NULL`
 + This avoids correlated EXISTS scans per reviewer row.
 ```
 4. **Make default `--since` derived from half-life + decay floor, not hardcoded 24m**
 Rationale: remains mathematically consistent when config changes.
 ```diff
 diff --git a/plan.md b/plan.md
@@ ### 1. ScoringConfig (config.rs)
 + pub decay_floor: f64, // default: 0.05
@@ ### 5. Default --since Change
 - Expert mode: "6m" -> "24m"
 + Expert mode default window is computed:
 + default_since_days = ceil(max_half_life_days * log2(1.0 / decay_floor))
 + With defaults (max_half_life=180, floor=0.05), this is ~26 months.
 + CLI `--since` still overrides; `--all-history` still disables windowing.
 ```
 5. **Use `log2(1+count)` for notes instead of `ln(1+count)`**
 Rationale: keeps 1 note ~= 1 unit (with `note_bonus=1`) while preserving diminishing returns.
 ```diff
 diff --git a/plan.md b/plan.md
@@ Scoring Formula
 - note_contribution(mr) = note_bonus * ln(1 + note_count_in_mr) * 2^(-days_elapsed / note_half_life)
 + note_contribution(mr) = note_bonus * log2(1 + note_count_in_mr) * 2^(-days_elapsed / note_half_life)
 ```
 6. **Guarantee deterministic float aggregation and expose `score_raw`**
 Rationale: avoids hash-order drift and explainability mismatch vs rounded integer score.
 ```diff
 diff --git a/plan.md b/plan.md
@@ ### 4. Rust-Side Aggregation (who.rs)
 - HashMap<i64, ...>
 + BTreeMap<i64, ...> (or sort keys before accumulation) for deterministic summation order
 + Use compensated summation (Kahan/Neumaier) for stable f64 totals
@@
 - Sort on raw `f64` score ... round only for display
 + Keep `score_raw` internally and expose when `--explain-score` is active.
 + `score` remains integer for backward compatibility.
 ```
 7. **Extend rename awareness to query resolution (not only scoring)**
 Rationale: fixes user-facing misses for old path input and suffix lookup.
 ```diff
 diff --git a/plan.md b/plan.md
@@ Path rename awareness
 - All signal subqueries match both old and new path columns
 + Also update `build_path_query()` probes and suffix probe:
 + - exact_exists: new_path OR old_path (notes + mr_file_changes)
 + - prefix_exists: new_path LIKE OR old_path LIKE
 + - suffix_probe: union of notes.position_new_path, notes.position_old_path,
 +   mr_file_changes.new_path, mr_file_changes.old_path
 ```
 8. **Tighten CLI/output contracts for new flags**
 Rationale: avoids payload bloat/ambiguity and keeps robot clients stable.
 ```diff
 diff --git a/plan.md b/plan.md
@@ ### 5b. Score Explainability via `--explain-score`
 + `--explain-score` conflicts with `--detail` (mutually exclusive)
 + `resolved_input` includes `as_of_ms`, `as_of_iso`, `scoring_model_version`
 + robot output includes `score_raw` and `components` only when explain is enabled
 ```
 9. **Add confidence metadata (promote from rejected to accepted)**
 Rationale: makes ranking more actionable and trustworthy with sparse evidence.
 ```diff
 diff --git a/plan.md b/plan.md
@@ Rejected Ideas (with rationale)
 - Confidence/coverage metadata: ... Deferred to avoid scope creep
 + Confidence/coverage metadata: ACCEPTED (minimal v1)
 + Add per-user `confidence: low|medium|high` based on evidence breadth + recency.
 + Keep implementation lightweight (no extra SQL pass).
 ```
 10. **Upgrade test and verification scope to include query-plan and clock semantics**
 Rationale: catches regressions your current tests won’t.
 ```diff
 diff --git a/plan.md b/plan.md
@@ 8. New Tests (TDD)
 + test_old_path_probe_exact_and_prefix
 + test_suffix_probe_uses_old_path_sources
 + test_since_relative_to_as_of_clock
 + test_explain_and_detail_are_mutually_exclusive
 + test_null_timestamp_fallback_to_created_at
 + test_query_plan_uses_path_indexes (EXPLAIN QUERY PLAN)
@@ Verification
 + 7. EXPLAIN QUERY PLAN snapshots for expert query (exact + prefix) confirm index usage
 ```
 If you want, I can produce a single consolidated “revision 3” plan document that fully merges all of the above into your original structure.
--- a/plans/time-decay-expert-scoring.feedback-4.md
+++ b/plans/time-decay-expert-scoring.feedback-4.md
@@ -1,133 +0,0 @@
 Your plan is already strong. The biggest remaining gaps are temporal correctness, indexability at scale, and ranking reliability under sparse/noisy evidence. These are the revisions I’d make.
 1. **Fix temporal correctness for `--as-of` (critical)**
 Analysis: Right now the plan describes `--as-of`, but the SQL only enforces lower bounds (`>= since`). If `as_of` is in the past, “future” events can still enter and get full weight (because elapsed is clamped). This breaks reproducibility.
 ```diff
@@ 3. SQL Restructure
 - AND n.created_at >= ?2
 + AND n.created_at BETWEEN ?2 AND ?4
@@ Signal 3/4a/4b
 - AND {state_aware_ts} >= ?2
 + AND {state_aware_ts} BETWEEN ?2 AND ?4
@@ 5a. Reproducible Scoring via --as-of
 - All decay computations use as_of_ms instead of SystemTime::now()
 + All event selection and decay computations are bounded by as_of_ms.
 + Query window is [since_ms, as_of_ms], never [since_ms, now_ms].
 + Add test: test_as_of_excludes_future_events.
 ```
 2. **Resolve `closed`-state inconsistency**
 Analysis: The CASE handles `closed`, but all signal queries filter to `('opened','merged')`, making the `closed_at` branch dead code. Either include closed MRs intentionally or remove that logic. I’d include closed with a reduced multiplier.
 ```diff
@@ ScoringConfig (config.rs)
 + pub closed_mr_multiplier: f64, // default: 0.5
@@ 3. SQL Restructure
 - AND m.state IN ('opened','merged')
 + AND m.state IN ('opened','merged','closed')
@@ 4. Rust-Side Aggregation
 + if state == "closed" { contribution *= closed_mr_multiplier; }
 ```
 3. **Replace `OR` path predicates with index-friendly `UNION ALL` branches**
 Analysis: `(new_path ... OR old_path ...)` often degrades index usage in SQLite. Split into two indexed branches and dedupe once. This improves planner stability and latency on large datasets.
 ```diff
@@ 3. SQL Restructure
 -WITH matched_notes AS (
 -  ... AND (n.position_new_path {path_op} OR n.position_old_path {path_op})
 -),
 +WITH matched_notes AS (
 +  SELECT ... FROM notes n WHERE ... AND n.position_new_path {path_op}
 +  UNION ALL
 +  SELECT ... FROM notes n WHERE ... AND n.position_old_path {path_op}
 +),
 +matched_notes_dedup AS (
 +  SELECT DISTINCT id, discussion_id, author_username, created_at, project_id
 +  FROM matched_notes
 +),
@@
 - JOIN matched_notes mn ...
 + JOIN matched_notes_dedup mn ...
 ```
 4. **Add canonical path identity (rename-chain support)**
 Analysis: Direct `old_path/new_path` matching only handles one-hop rename scenarios. A small alias graph/table built at ingest time gives robust expertise continuity across A→B→C chains and avoids repeated SQL complexity.
 ```diff
@@ Files to Modify
 - 3. src/core/db.rs — Add migration for indexes...
 + 3. src/core/db.rs — Add migration for indexes + path_identity table
 + 4. src/core/ingest/*.rs — populate path_identity on rename events
 + 5. src/cli/commands/who.rs — resolve query path to canonical path_id first
@@ Context
 - The fix has three parts:
 + The fix has four parts:
 + - Introduce canonical path identity so multi-hop renames preserve expertise
 ```
 5. **Split scoring engine into a versioned core module**
 Analysis: `who.rs` is becoming a mixed CLI/query/math/output surface. Move scoring math and event normalization into `src/core/scoring/` with explicit model versions. This reduces regression risk and enables future model experiments.
 ```diff
@@ Files to Modify
 + 4. src/core/scoring/mod.rs — model interface + shared types
 + 5. src/core/scoring/model_v2_decay.rs — current implementation
 + 6. src/cli/commands/who.rs — orchestration only
@@ 5b. Score Explainability
 + resolved_input includes scoring_model_version and scoring_model_name
 ```
 6. **Add evidence confidence to reduce sparse-data rank spikes**
 Analysis: One recent MR can outrank broader, steadier expertise. Add a confidence factor derived from number of distinct evidence MRs and expose both `score_raw` and `score_adjusted`.
 ```diff
@@ Scoring Formula
 + confidence(user) = 1 - exp(-evidence_mr_count / 6.0)
 + score_adjusted = score_raw * confidence
@@ 4. Rust-Side Aggregation
 + compute evidence_mr_count from unique MR ids across all signals
 + sort by score_adjusted DESC, then score_raw DESC, then last_seen DESC
@@ 5b. --explain-score
 + include confidence and evidence_mr_count
 ```
 7. **Add first-class bot/service-account filtering**
 Analysis: Reviewer inflation is not just assignment; bots and automation users can still pollute rankings. Make exclusion explicit and configurable.
 ```diff
@@ ScoringConfig (config.rs)
 + pub excluded_username_patterns: Vec<String>, // defaults include "*bot*", "renovate", "dependabot"
@@ 3. SQL Restructure
 + AND username NOT MATCHES excluded patterns (applied in Rust post-query or SQL where feasible)
@@ CLI
 + --include-bots (override exclusions)
 ```
 8. **Tighten reviewer “participated” with substantive-note threshold**
 Analysis: A single “LGTM” note shouldn’t classify someone as engaged reviewer equivalent to real inline review. Use a minimum substantive threshold.
 ```diff
@@ ScoringConfig (config.rs)
 + pub reviewer_min_note_chars: u32, // default: 20
@@ reviewer_participation CTE
 - SELECT DISTINCT ... FROM matched_notes
 + SELECT DISTINCT ... FROM matched_notes
 + WHERE LENGTH(TRIM(body)) >= ?reviewer_min_note_chars
 ```
 9. **Add rollout safety: model compare mode + rank-delta diagnostics**
 Analysis: This is a scoring-model migration. You need safe rollout mechanics, not just tests. Add a compare mode so you can inspect rank deltas before forcing v2.
 ```diff
@@ CLI (who)
 + --scoring-model v1|v2|compare   (default: v2)
 + --max-rank-delta-report N       (compare mode diagnostics)
@@ Robot output
 + include v1_score, v2_score, rank_delta when --scoring-model compare
 ```
 If you want, I can produce a single consolidated “plan v4” document that applies all nine diffs cleanly into your original markdown.
--- a/plans/time-decay-expert-scoring.md
+++ b/plans/time-decay-expert-scoring.md
@@ -4,7 +4,7 @@ title: ""
 status: iterating
 iteration: 6
 target_iterations: 8
-beads_revision: 1
+beads_revision: 2
 related_plans: []
 created: 2026-02-08
 updated: 2026-02-12
--- a/plans/tui-prd-v2-frankentui.feedback-1.md
+++ b/plans/tui-prd-v2-frankentui.feedback-1.md
@@ -1,209 +0,0 @@
 No `## Rejected Recommendations` section was present, so these are all net-new improvements.
 1. Keep core `lore` stable; isolate nightly to a TUI crate  
 Rationale: the current plan says “whole project nightly” but later assumes TUI is feature-gated. Isolating nightly removes unnecessary risk from non-TUI users, CI, and release cadence.
 ```diff
@@ 3.2 Nightly Rust Strategy
 -- The entire gitlore project moves to pinned nightly, not just the TUI feature.
 +- Keep core `lore` on stable Rust.
 +- Add workspace member `lore-tui` pinned to nightly for FrankenTUI.
 +- Ship `lore tui` only when `--features tui` (or separate `lore-tui` binary) is enabled.
@@ 10.1 New Files
 +- crates/lore-tui/Cargo.toml
 +- crates/lore-tui/src/main.rs
@@ 11. Assumptions
 -17. TUI module is feature-gated.
 +17. TUI is isolated in a workspace crate and feature-gated in root CLI integration.
 ```
 2. Add a framework adapter boundary from day 1  
 Rationale: the “3-day ratatui escape hatch” is optimistic without a strict interface. A tiny `UiRuntime` + screen renderer trait makes fallback real, not aspirational.
 ```diff
@@ 4. Architecture
 +### 4.9 UI Runtime Abstraction
 +Introduce `UiRuntime` trait (`run`, `send`, `subscribe`) and `ScreenRenderer` trait.
 +FrankenTUI implementation is default; ratatui adapter can be dropped in with no state/action rewrite.
@@ 3.5 Escape Hatch
 -- The migration cost to ratatui is ~3 days
 +- Migration cost target is ~3-5 days, validated by one ratatui spike screen in Phase 1.
 ```
 3. Stop using CLI command modules as the TUI query API  
 Rationale: coupling TUI to CLI output-era structs creates long-term friction and accidental regressions. Create a shared domain query layer used by both CLI and TUI.
 ```diff
@@ 10.20 Refactor: Extract Query Functions
 -- extract query_* from cli/commands/*
 +- introduce `src/domain/query/*` as the canonical read model API.
 +- CLI and TUI both depend on domain query layer.
 +- CLI modules retain formatting/output only.
@@ 10.2 Modified Files
 +- src/domain/query/mod.rs
 +- src/domain/query/issues.rs
 +- src/domain/query/mrs.rs
 +- src/domain/query/search.rs
 +- src/domain/query/who.rs
 ```
 4. Replace single `Arc<Mutex<Connection>>` with connection manager  
 Rationale: one locked connection serializes everything and hurts responsiveness, especially during sync. Use separate read pool + writer connection with WAL and busy timeout.
 ```diff
@@ 4.4 App — Implementing the Model Trait
 - pub db: Arc<Mutex<Connection>>,
 + pub db: Arc<DbManager>, // read pool + single writer coordination
@@ 4.5 Async Action System
 - Each Cmd::task closure locks the mutex, runs the query, and returns a Msg
 + Reads use pooled read-only connections.
 + Sync/write path uses dedicated writer connection.
 + Enforce WAL, busy_timeout, and retry policy for SQLITE_BUSY.
 ```
 5. Make debouncing/cancellation explicit and correct  
 Rationale: “runtime coalesces rapid keypresses” is not a safe correctness guarantee. Add request IDs and stale-response dropping to prevent flicker and wrong data.
 ```diff
@@ 4.3 Core Types (Msg)
 + SearchRequestStarted { request_id: u64, query: String }
 - SearchExecuted(SearchResults),
 + SearchExecuted { request_id: u64, results: SearchResults },
@@ 4.4 maybe_debounced_query()
 - runtime coalesces rapid keypresses
 + use explicit 200ms debounce timer + monotonic request_id
 + ignore results whose request_id != current_search_request_id
 ```
 6. Implement true streaming sync, not batch-at-end pseudo-streaming  
 Rationale: the plan promises real-time logs/progress but code currently returns one completion message. This gap will disappoint users and complicate cancellation.
 ```diff
@@ 4.4 start_sync_task()
 - Pragmatic approach: run sync synchronously, collect all progress events, return summary.
 + Use event channel subscription for `SyncProgress`/`SyncLogLine` streaming.
 + Keep `SyncCompleted` only as terminal event.
 + Add cooperative cancel token mapped to `Esc` while running.
@@ 5.9 Sync
 + Add "Resume from checkpoint" option for interrupted syncs.
 ```
 7. Fix entity identity ambiguity across projects  
 Rationale: using `iid` alone is unsafe in multi-project datasets. Navigation and cross-refs should key by `(project_id, iid)` or global ID.
 ```diff
@@ 4.3 Core Types
 - IssueDetail(i64)
 - MrDetail(i64)
 + IssueDetail(EntityKey)
 + MrDetail(EntityKey)
 + pub struct EntityKey { pub project_id: i64, pub iid: i64, pub kind: EntityKind }
@@ 10.12.4 Cross-Reference Widget
 - parse "group/project#123" -> iid only
 + parse into `{project_path, iid, kind}` then resolve to `project_id` before navigation
 ```
 8. Resolve keybinding conflicts and formalize keymap precedence  
 Rationale: current spec conflicts (`Tab` sort vs focus filter; `gg` vs go-prefix). A deterministic keymap contract prevents UX bugs.
 ```diff
@@ 8.2 List Screens
 - Tab | Cycle sort column
 - f   | Focus filter bar
 + Tab | Focus filter bar
 + S   | Cycle sort column
 + /   | Focus filter bar (alias)
@@ 4.4 interpret_key()
 + Add explicit precedence table:
 + 1) modal/palette
 + 2) focused input
 + 3) global
 + 4) screen-local
 + Add configurable go-prefix timeout (default 500ms) with cancel feedback.
 ```
 9. Add performance SLOs and DB/index plan  
 Rationale: “fast enough” is vague. Add measurable budgets, required indexes, and query-plan gates in CI for predictable performance.
 ```diff
@@ 3.1 Risk Matrix
 + Add risk: "Query latency regressions on large datasets"
@@ 9.3 Phase 0 — Toolchain Gate
 +7. p95 list query latency < 75ms on 100k issues synthetic fixture
 +8. p95 search latency < 200ms on 1M docs (lexical mode)
@@ 11. Assumptions
 -5. SQLite queries are fast enough for interactive use (<50ms for filtered results).
 +5. Performance budgets are enforced by benchmark fixtures and query-plan checks.
 +6. Required indexes documented and migration-backed before TUI GA.
 ```
 10. Add reliability/observability model (error classes, retries, tracing)  
 Rationale: one string toast is not enough for production debugging. Add typed errors, retry policy, and an in-TUI diagnostics pane.
 ```diff
@@ 4.3 Core Types (Msg)
 - Error(String),
 + Error(AppError),
 + pub enum AppError {
 +   DbBusy, DbCorruption, NetworkRateLimited, NetworkUnavailable,
 +   AuthFailed, ParseError, Internal(String)
 + }
@@ 5.11 Doctor / Stats
 + Add "Diagnostics" tab:
 + - last 100 errors
 + - retry counts
 + - current sync/backoff state
 + - DB contention metrics
 ```
 11. Add “Saved Views + Watchlist” as high-value product features  
 Rationale: this makes the TUI compelling daily, not just navigable. Users can persist filters and monitor critical slices (e.g., “P1 auth issues updated in last 24h”).
 ```diff
@@ 1. Executive Summary
 + - Saved Views (named filters and layouts)
 + - Watchlist panel (tracked queries with delta badges)
@@ 5. Screen Taxonomy
 +### 5.12 Saved Views / Watchlist
 +Persistent named filters for Issues/MRs/Search.
 +Dashboard shows per-watchlist deltas since last session.
@@ 6. User Flows
 +### 6.9 Flow: "Run morning watchlist triage"
 +Dashboard -> Watchlist -> filtered IssueList/MRList -> detail drilldown
 ```
 12. Strengthen testing plan with deterministic behavior and chaos cases  
 Rationale: snapshot tests alone won’t catch race/staleness/cancellation issues. Add concurrency, cancellation, and flaky terminal behavior tests.
 ```diff
@@ 9.2 Phases
 +Phase 5.5 Reliability Test Pack (2d)
 + - stale response drop tests
 + - sync cancel/resume tests
 + - SQLITE_BUSY retry tests
 + - resize storm and rapid key-chord tests
@@ 10.9 Snapshot Test Example
 + Add non-snapshot tests:
 + - property tests for navigation invariants
 + - integration tests for request ordering correctness
 + - benchmark tests for query budgets
 ```
 If you want, I can produce a consolidated “PRD v2.1 patch” with all of the above merged into one coherent updated document structure.
--- a/plans/tui-prd-v2-frankentui.feedback-2.md
+++ b/plans/tui-prd-v2-frankentui.feedback-2.md
@@ -1,203 +0,0 @@
 I excluded the two items in your `## Rejected Recommendations` and focused on net-new improvements.  
 These are the highest-impact revisions I’d make.
 ### 1. Fix the package graph now (avoid a hard Cargo cycle)
 Your current plan has `root -> optional lore-tui` and `lore-tui -> lore (root)`, which creates a cyclic dependency risk. Split shared logic into a dedicated core crate so CLI and TUI both depend downward.
 ```diff
 diff --git a/PRD.md b/PRD.md
@@ ## 9.1 Dependency Changes
 -[workspace]
 -members = [".", "crates/lore-tui"]
 +[workspace]
 +members = [".", "crates/lore-core", "crates/lore-tui"]
@@
 -[dependencies]
 -lore-tui = { path = "crates/lore-tui", optional = true }
 +[dependencies]
 +lore-core = { path = "crates/lore-core" }
 +lore-tui = { path = "crates/lore-tui", optional = true }
@@ # crates/lore-tui/Cargo.toml
 -lore = { path = "../.." }  # Core lore library
 +lore-core = { path = "../lore-core" }  # Shared domain/query crate (acyclic graph)
 ```
 ### 2. Stop coupling TUI to `cli/commands/*` internals
 Calling CLI command modules from TUI is brittle and will drift. Introduce a shared query/service layer with DTOs owned by core.
 ```diff
 diff --git a/PRD.md b/PRD.md
@@ ## 4.1 Module Structure
 -    action.rs                     # Async action runners (DB queries, GitLab calls)
 +    action.rs                     # Task dispatch only
 +    service/
 +      mod.rs
 +      query.rs                    # Shared read services (CLI + TUI)
 +      sync.rs                     # Shared sync orchestration facade
 +      dto.rs                      # UI-agnostic data contracts
@@ ## 10.2 Modified Files
 -src/cli/commands/list.rs               # Extract query_issues(), query_mrs() as pub fns
 -src/cli/commands/show.rs               # Extract query_issue_detail(), query_mr_detail() as pub fns
 -src/cli/commands/who.rs                # Extract query_experts(), etc. as pub fns
 -src/cli/commands/search.rs             # Extract run_search_query() as pub fn
 +crates/lore-core/src/query/issues.rs   # Canonical issue queries
 +crates/lore-core/src/query/mrs.rs      # Canonical MR queries
 +crates/lore-core/src/query/show.rs     # Canonical detail queries
 +crates/lore-core/src/query/who.rs      # Canonical people queries
 +crates/lore-core/src/query/search.rs   # Canonical search queries
 +src/cli/commands/*.rs                  # Consume lore-core query services
 +crates/lore-tui/src/action.rs          # Consume lore-core query services
 ```
 ### 3. Add a real task supervisor (dedupe + cancellation + priority)
 Right now tasks are ad hoc and can overrun each other. Add a scheduler keyed by screen+intent.
 ```diff
 diff --git a/PRD.md b/PRD.md
@@ ## 4.5 Async Action System
 -The `Cmd::task(|| { ... })` pattern runs a blocking closure on a background thread pool.
 +The TUI uses a `TaskSupervisor`:
 +- Keyed tasks (`TaskKey`) to dedupe redundant requests
 +- Priority lanes (`Input`, `Navigation`, `Background`)
 +- Cooperative cancellation tokens per task
 +- Late-result drop via generation IDs (not just search)
@@ ## 4.3 Core Types
 +pub enum TaskKey {
 +    LoadScreen(Screen),
 +    Search { generation: u64 },
 +    SyncStream,
 +}
 ```
 ### 4. Correct sync streaming architecture (current sketch loses streamed events)
 The sample creates `tx/rx` then drops `rx`; events never reach update loop. Define an explicit stream subscription with bounded queue and backpressure policy.
 ```diff
 diff --git a/PRD.md b/PRD.md
@@ ## 4.4 App — Implementing the Model Trait
 -        let (tx, _rx) = std::sync::mpsc::channel::<Msg>();
 +        let (tx, rx) = std::sync::mpsc::sync_channel::<Msg>(1024);
 +        // rx is registered via Subscription::from_receiver("sync-stream", rx)
@@
 -            let result = crate::ingestion::orchestrator::run_sync(
 +            let result = crate::ingestion::orchestrator::run_sync(
                 &config,
                 &conn,
                 |event| {
@@
 -                    let _ = tx.send(Msg::SyncProgress(event.clone()));
 -                    let _ = tx.send(Msg::SyncLogLine(format!("{event:?}")));
 +                    if tx.try_send(Msg::SyncProgress(event.clone())).is_err() {
 +                        let _ = tx.try_send(Msg::SyncBackpressureDrop);
 +                    }
 +                    let _ = tx.try_send(Msg::SyncLogLine(format!("{event:?}")));
                 },
             );
 ```
 ### 5. Upgrade data-plane performance plan (keyset pagination + index contracts)
 Virtualized list without keyset paging still forces expensive scans. Add explicit keyset pagination and query-plan CI checks.
 ```diff
 diff --git a/PRD.md b/PRD.md
@@ ## 9.3 Phase 0 — Toolchain Gate
 -7. p95 list query latency < 75ms on synthetic fixture (10k issues, 5k MRs)
 +7. p95 list page fetch latency < 75ms using keyset pagination (10k issues, 5k MRs)
 +8. EXPLAIN QUERY PLAN must show index usage for top 10 TUI queries
 +9. No full table scan on issues/MRs/discussions under default filters
@@
 -8. p95 search latency < 200ms on synthetic fixture (50k documents, lexical mode)
 +10. p95 search latency < 200ms on synthetic fixture (50k documents, lexical mode)
 +## 9.4 Required Indexes (GA blocker)
 +- `issues(project_id, state, updated_at DESC, iid DESC)`
 +- `merge_requests(project_id, state, updated_at DESC, iid DESC)`
 +- `discussions(project_id, entity_type, entity_iid, created_at DESC)`
 +- `notes(discussion_id, created_at ASC)`
 ```
 ### 6. Enforce `EntityKey` everywhere (remove bare IID paths)
 You correctly identified multi-project IID collisions, but many message/state signatures still use `i64`. Make `EntityKey` mandatory in all navigation and detail loaders.
 ```diff
 diff --git a/PRD.md b/PRD.md
@@ ## 4.3 Core Types
 -    IssueSelected(i64),
 +    IssueSelected(EntityKey),
@@
 -    MrSelected(i64),
 +    MrSelected(EntityKey),
@@
 -    IssueDetailLoaded(IssueDetail),
 +    IssueDetailLoaded { key: EntityKey, detail: IssueDetail },
@@
 -    MrDetailLoaded(MrDetail),
 +    MrDetailLoaded { key: EntityKey, detail: MrDetail },
@@ ## 10.10 State Module — Complete
 -                Cmd::msg(Msg::NavigateTo(Screen::IssueDetail(iid)))
 +                Cmd::msg(Msg::NavigateTo(Screen::IssueDetail(entity_key)))
 ```
 ### 7. Harden filter/search semantics (strict parser + inline diagnostics + explain scores)
 Current filter parser silently ignores unknown fields; that causes hidden mistakes. Add strict parse diagnostics and search score explainability.
 ```diff
 diff --git a/PRD.md b/PRD.md
@@ ## 10.12.1 Filter Bar Widget
 -                _ => {} // Unknown fields silently ignored
 +                _ => self.errors.push(format!("Unknown filter field: {}", token.field))
 +    pub errors: Vec<String>,   // inline parse/validation errors
 +    pub warnings: Vec<String>, // non-fatal coercions
@@ ## 5.6 Search
 -- **Live preview:** Selected result shows snippet + metadata in right pane
 +- **Live preview:** Selected result shows snippet + metadata in right pane
 +- **Explain score:** Optional breakdown (lexical, semantic, recency, boosts) for trust/debug
 ```
 ### 8. Add operational resilience: safe mode + panic report + startup fallback
 TUI failures should degrade gracefully, not block usage.
 ```diff
 diff --git a/PRD.md b/PRD.md
@@ ## 3.1 Risk Matrix
 +| Runtime panic leaves user blocked | High | Medium | Panic hook writes crash report, restores terminal, offers fallback CLI command |
@@ ## 10.3 Entry Point
 +pub fn launch_tui(config: Config, db_path: &Path) -> Result<(), LoreError> {
 +    install_panic_hook_for_tui(); // terminal restore + crash dump path
 +    ...
 +}
@@ ## 8.1 Global (Available Everywhere)
 +| `:` | Show fallback equivalent CLI command for current screen/action |
 ```
 ### 9. Add a “jump list” (forward/back navigation, not only stack pop)
 Current model has only push/pop and reset. Add browser-like history for investigation workflows.
 ```diff
 diff --git a/PRD.md b/PRD.md
@@ ## 4.7 Navigation Stack Implementation
 pub struct NavigationStack {
 -    stack: Vec<Screen>,
 +    back_stack: Vec<Screen>,
 +    current: Screen,
 +    forward_stack: Vec<Screen>,
 +    jump_list: Vec<Screen>, // recent entity/detail hops
 }
@@ ## 8.1 Global (Available Everywhere)
 +| `Ctrl+o` | Jump backward in jump list |
 +| `Ctrl+i` | Jump forward in jump list |
 ```
 If you want, I can produce a single consolidated “PRD v2.1” patch that applies all nine revisions coherently section-by-section.
--- a/plans/tui-prd-v2-frankentui.feedback-3.md
+++ b/plans/tui-prd-v2-frankentui.feedback-3.md
@@ -1,163 +0,0 @@
 I excluded everything already listed in `## Rejected Recommendations`.  
 These are the highest-impact net-new revisions I’d make.
 1. **Enforce Entity Identity Consistency End-to-End (P0)**
 Analysis: The PRD defines `EntityKey`, but many code paths still pass bare `iid` (`IssueSelected(item.iid)`, timeline refs, search refs). In multi-project datasets this will cause wrong-entity navigation and subtle data corruption in cached state. Make `EntityKey` mandatory in every navigation message and add compile-time constructors.
 ```diff
@@ 4.3 Core Types
 pub struct EntityKey {
     pub project_id: i64,
     pub iid: i64,
     pub kind: EntityKind,
 }
 +impl EntityKey {
 +    pub fn issue(project_id: i64, iid: i64) -> Self { Self { project_id, iid, kind: EntityKind::Issue } }
 +    pub fn mr(project_id: i64, iid: i64) -> Self { Self { project_id, iid, kind: EntityKind::MergeRequest } }
 +}
@@ 10.10 state/issue_list.rs
 - .map(|item| Msg::IssueSelected(item.iid))
 + .map(|item| Msg::IssueSelected(EntityKey::issue(item.project_id, item.iid)))
@@ 10.10 state/mr_list.rs
 - .map(|item| Msg::MrSelected(item.iid))
 + .map(|item| Msg::MrSelected(EntityKey::mr(item.project_id, item.iid)))
 ```
 2. **Make TaskSupervisor Mandatory for All Background Work (P0)**
 Analysis: The plan introduces `TaskSupervisor` but still dispatches many direct `Cmd::task` calls. That will reintroduce stale updates, duplicate queries, and priority inversion under rapid input. Centralize all background task creation through one spawn path that enforces dedupe, cancellation tokening, and generation checks.
 ```diff
@@ 4.5.1 Task Supervisor (Dedup + Cancellation + Priority)
 -The supervisor is owned by `LoreApp` and consulted before dispatching any `Cmd::task`.
 +The supervisor is owned by `LoreApp` and is the ONLY allowed path for background work.
 +All task launches use `LoreApp::spawn_task(TaskKey, TaskPriority, closure)`.
@@ 4.4 App — Implementing the Model Trait
 - Cmd::task(move || { ... })
 + self.spawn_task(TaskKey::LoadScreen(screen.clone()), TaskPriority::Navigation, move |token| { ... })
 ```
 3. **Remove the Sync Streaming TODO and Make Real-Time Streaming a GA Gate (P0)**
 Analysis: Current text admits sync progress is buffered with a TODO. That undercuts one of the main value props. Make streaming progress/log delivery non-optional, with bounded buffers and dropped-line accounting.
 ```diff
@@ 4.4 start_sync_task()
 - // TODO: Register rx as subscription when FrankenTUI supports it.
 - // For now, the task returns the final Msg and progress is buffered.
 + // Register rx as a live subscription (`Subscription::from_receiver` adapter).
 + // Progress and logs must render in real time (no batch-at-end fallback).
 + // Keep a bounded ring buffer (N=5000) and surface `dropped_log_lines` in UI.
@@ 9.3 Phase 0 — Toolchain Gate
 +11. Real-time sync stream verified: progress updates visible during run, not only at completion.
 ```
 4. **Upgrade List/Search Data Strategy to Windowed Keyset + Prefetch (P0)**
 Analysis: “Virtualized list” alone does not solve query/transfer cost if full result sets are loaded. Move to fixed-size keyset windows with next-window prefetch and fast first paint; this keeps latency predictable on 100k+ records.
 ```diff
@@ 5.2 Issue List
 - Pagination: Virtual scrolling for large result sets
 + Pagination: Windowed keyset pagination (window=200 rows) with background prefetch of next window.
 + First paint uses current window only; no full-result materialization.
@@ 5.4 MR List
 + Same windowed keyset pagination strategy as Issue List.
@@ 9.3 Success criteria
 - 7. p95 list page fetch latency < 75ms using keyset pagination on synthetic fixture (10k issues, 5k MRs)
 + 7. p95 first-paint latency < 50ms and p95 next-window fetch < 75ms on synthetic fixture (100k issues, 50k MRs)
 ```
 5. **Add Resumable Sync Checkpoints + Per-Project Fault Isolation (P1)**
 Analysis: If sync is interrupted or one project fails, current design mostly falls back to cancel/fail. Add checkpoints so long runs can resume, and isolate failures to project/resource scope while continuing others.
 ```diff
@@ 3.1 Risk Matrix
 +| Interrupted sync loses progress | High | Medium | Persist phase checkpoints and offer resume |
@@ 5.9 Sync
 +Running mode: failed project/resource lanes are marked degraded while other lanes continue.
 +Summary mode: offer `[R]esume interrupted sync` from last checkpoint.
@@ 11 Assumptions
 -16. No new SQLite tables needed (but required indexes must be verified — see Performance SLOs).
 +16. Add minimal internal tables for reliability: `sync_runs` and `sync_checkpoints` (append-only metadata).
 ```
 6. **Add Capability-Adaptive Rendering Modes (P1)**
 Analysis: Terminal compatibility is currently test-focused, but runtime adaptation is under-specified. Add explicit degradations for no-truecolor, no-unicode, slow SSH/tmux paths to reduce rendering artifacts and support incidents.
 ```diff
@@ 3.4 Terminal Compatibility Testing
 +Add capability matrix validation: truecolor/256/16 color, unicode/ascii glyphs, alt-screen on/off.
@@ 10.19 CLI Integration
 +Tui {
 +  #[arg(long, default_value="auto")] render_mode: String, // auto|full|minimal
 +  #[arg(long)] ascii: bool,
 +  #[arg(long)] no_alt_screen: bool,
 +}
 ```
 7. **Harden Browser/Open and Log Privacy (P1)**
 Analysis: `open_current_in_browser` currently trusts stored URLs; sync logs may expose tokens/emails from upstream messages. Add host allowlisting and redaction pipeline by default.
 ```diff
@@ 4.4 open_current_in_browser()
 - if let Some(url) = url { ... open ... }
 + if let Some(url) = url {
 +   if !self.state.security.is_allowed_gitlab_url(&url) {
 +     self.state.set_error("Blocked non-GitLab URL".into());
 +     return;
 +   }
 +   ... open ...
 + }
@@ 5.9 Sync
 +Log stream passes through redaction (tokens, auth headers, email local-parts) before render/storage.
 ```
 8. **Add “My Workbench” Screen for Daily Pull (P1, new feature)**
 Analysis: The PRD is strong on exploration, weaker on “what should I do now?”. Add a focused operator screen aggregating assigned issues, requested reviews, unresolved threads mentioning me, and stale approvals. This makes the TUI habit-forming.
 ```diff
@@ 5. Screen Taxonomy
 +### 5.12 My Workbench
 +Single-screen triage cockpit:
 +- Assigned-to-me open issues/MRs
 +- Review requests awaiting action
 +- Threads mentioning me and unresolved
 +- Recently stale approvals / blocked MRs
@@ 8.1 Global
 +| `gb` | Go to My Workbench |
@@ 9.2 Phases
 +section Phase 3.5 — Daily Workflow
 +My Workbench screen + queries :p35a, after p3d, 2d
 ```
 9. **Add Rollout, SLO Telemetry, and Kill-Switch Plan (P0)**
 Analysis: You have implementation phases but no production rollout control. Add explicit experiment flags, health telemetry, and rollback criteria so risk is operationally bounded.
 ```diff
@@ Table of Contents
 -11. [Assumptions](#11-assumptions)
 +11. [Assumptions](#11-assumptions)
 +12. [Rollout & Telemetry](#12-rollout--telemetry)
@@ NEW SECTION 12
 +## 12. Rollout & Telemetry
 +- Feature flags: `tui_experimental`, `tui_sync_streaming`, `tui_workbench`
 +- Metrics: startup_ms, frame_render_p95_ms, db_busy_rate, panic_free_sessions, sync_drop_events
 +- Kill-switch: disable `tui` feature path at runtime if panic rate > 0.5% sessions over 24h
 +- Canary rollout: internal only -> opt-in beta -> default-on
 ```
 10. **Strengthen Reliability Pack with Event-Fuzz + Soak Tests (P0)**
 Analysis: Current tests are good but still light on prolonged event pressure. Add deterministic fuzzed key/resize/paste streams and a long soak to catch rare deadlocks/leaks and state corruption.
 ```diff
@@ 9.2 Phase 5.5 — Reliability Test Pack
 +Event fuzz tests (key/resize/paste interleavings) :p55g, after p55e, 1d
 +30-minute soak test (no panic, bounded memory)    :p55h, after p55g, 1d
@@ 9.3 Success criteria
 +12. Event-fuzz suite passes with zero invariant violations across 10k randomized traces.
 +13. 30-minute soak: no panic, no deadlock, memory growth < 5%.
 ```
 If you want, I can produce a single consolidated unified diff of the full PRD text next (all edits merged, ready to apply as v3).
--- a/plans/tui-prd-v2-frankentui.feedback-4.md
+++ b/plans/tui-prd-v2-frankentui.feedback-4.md
@@ -1,157 +0,0 @@
 Below are my strongest revisions, focused on correctness, reliability, and long-term maintainability, while avoiding all items in your `## Rejected Recommendations`.
 1. **Fix the Cargo/toolchain architecture (current plan has a real dependency-cycle risk and shaky per-member toolchain behavior).**  
 Analysis: The current plan has `lore -> lore-tui (optional)` and `lore-tui -> lore`, which creates a package cycle when `tui` is enabled. Also, per-member `rust-toolchain.toml` in a workspace is easy to misapply in CI/dev workflows. The cleanest robust shape is: `lore-tui` is a separate binary crate (nightly), `lore` remains stable and delegates at runtime (`lore tui` shells out to `lore-tui`).  
 ```diff
 --- a/Gitlore_TUI_PRD_v2.md
 +++ b/Gitlore_TUI_PRD_v2.md
@@ 3.2 Nightly Rust Strategy
 -- The `lore` binary integrates TUI via `lore tui` subcommand. The `lore-tui` crate is a library dependency feature-gated in the root.
 +- `lore-tui` is a separate binary crate built on pinned nightly.
 +- `lore` (stable) does not compile-link `lore-tui`; `lore tui` delegates by spawning `lore-tui`.
 +- This removes Cargo dependency-cycle risk and keeps stable builds nightly-free.
@@ 9.1 Dependency Changes
 -[features]
 -tui = ["dep:lore-tui"]
 -[dependencies]
 -lore-tui = { path = "crates/lore-tui", optional = true }
 +[dependencies]
 +# no compile-time dependency on lore-tui from lore
 +# runtime delegation keeps toolchains isolated
@@ 10.19 CLI Integration
 -Add Tui match arm that directly calls crate::tui::launch_tui(...)
 +Add Tui match arm that resolves and spawns `lore-tui` with passthrough args.
 +If missing, print actionable install/build command.
 ```
 2. **Make `TaskSupervisor` the *actual* single async path (remove contradictory direct `Cmd::task` usage in state handlers).**  
 Analysis: You declare “direct `Cmd::task` is prohibited outside supervisor,” but later `handle_screen_msg` still launches tasks directly. That contradiction will reintroduce stale-result bugs and race conditions. Make state handlers pure (intent-only); all async launch/cancel/dedup goes through one supervised API.  
 ```diff
 --- a/Gitlore_TUI_PRD_v2.md
 +++ b/Gitlore_TUI_PRD_v2.md
@@ 4.5.1 Task Supervisor
 -The supervisor is the ONLY allowed path for background work.
 +The supervisor is the ONLY allowed path for background work, enforced by architecture:
 +`AppState` emits intents only; `LoreApp::update` launches tasks via `spawn_task(...)`.
@@ 10.10 State Module — Complete
 -pub fn handle_screen_msg(..., db: &Arc<Mutex<Connection>>) -> Cmd<Msg>
 +pub fn handle_screen_msg(...) -> ScreenIntent
 +// no DB access, no Cmd::task in state layer
 ```
 3. **Enforce `EntityKey` everywhere (remove raw IID navigation paths).**  
 Analysis: Multi-project identity is one of your strongest ideas, but multiple snippets still navigate by bare IID (`document_id`, `EntityRef::Issue(i64)`). That can misroute across projects and create silent correctness bugs. Make all navigation-bearing results carry `EntityKey` end-to-end.  
 ```diff
 --- a/Gitlore_TUI_PRD_v2.md
 +++ b/Gitlore_TUI_PRD_v2.md
@@ 4.3 Core Types
 -pub enum EntityRef { Issue(i64), MergeRequest(i64) }
 +pub enum EntityRef { Issue(EntityKey), MergeRequest(EntityKey) }
@@ 10.10 state/search.rs
 -Some(Msg::NavigateTo(Screen::IssueDetail(r.document_id)))
 +Some(Msg::NavigateTo(Screen::IssueDetail(r.entity_key.clone())))
@@ 10.11 action.rs
 -pub fn fetch_issue_detail(conn: &Connection, iid: i64) -> Result<IssueDetail, LoreError>
 +pub fn fetch_issue_detail(conn: &Connection, key: &EntityKey) -> Result<IssueDetail, LoreError>
 ```
 4. **Introduce a shared query boundary inside the existing crate (not a new crate) to decouple TUI from CLI presentation structs.**  
 Analysis: Reusing CLI command modules directly is fast initially, but it ties TUI to output-layer types and command concerns. A minimal internal `core::query::*` module gives a stable data contract used by both CLI and TUI without the overhead of a new crate split.  
 ```diff
 --- a/Gitlore_TUI_PRD_v2.md
 +++ b/Gitlore_TUI_PRD_v2.md
@@ 10.2 Modified Files
 -src/cli/commands/list.rs   # extract query_issues/query_mrs as pub
 -src/cli/commands/show.rs   # extract query_issue_detail/query_mr_detail as pub
 +src/core/query/mod.rs
 +src/core/query/issues.rs
 +src/core/query/mrs.rs
 +src/core/query/detail.rs
 +src/core/query/search.rs
 +src/core/query/who.rs
 +src/cli/commands/* now call core::query::* + format output
 +TUI action.rs calls core::query::* directly
 ```
 5. **Add terminal-safety sanitization for untrusted text (ANSI/OSC injection hardening).**  
 Analysis: Issue/MR bodies, notes, and logs are untrusted text in a terminal context. Without sanitization, terminal escape/control sequences can spoof UI or trigger unintended behavior. Add explicit sanitization and a strict URL policy before rendering/opening.  
 ```diff
 --- a/Gitlore_TUI_PRD_v2.md
 +++ b/Gitlore_TUI_PRD_v2.md
@@ 3.1 Risk Matrix
 +| Terminal escape/control-sequence injection via issue/note text | High | Medium | Strip ANSI/OSC/control chars before render; escape markdown output; allowlist URL scheme+host |
@@ 4.1 Module Structure
 +    safety.rs                      # sanitize_for_terminal(), safe_url_policy()
@@ 10.5/10.8/10.14/10.16
 +All user-sourced text passes through `sanitize_for_terminal()` before widget rendering.
 +Disable markdown raw HTML and clickable links unless URL policy passes.
 ```
 6. **Move resumable sync checkpoints into v1 (lightweight version).**  
 Analysis: You already identify interruption risk as real. Deferring resumability to post-v1 leaves a major reliability gap in exactly the heaviest workflow. A lightweight checkpoint table (resource cursor + updated-at watermark) gives large reliability gain with modest complexity.  
 ```diff
 --- a/Gitlore_TUI_PRD_v2.md
 +++ b/Gitlore_TUI_PRD_v2.md
@@ 3.1 Risk Matrix
 -- Resumable checkpoints planned for post-v1
 +Resumable checkpoints included in v1 (lightweight cursors per project/resource lane)
@@ 9.3 Success Criteria
 +14. Interrupt-and-resume test: sync resumes from checkpoint and reaches completion without full restart.
@@ 9.3.1 Required Indexes (GA Blocker)
 +CREATE TABLE IF NOT EXISTS sync_checkpoints (
 +  project_id INTEGER NOT NULL,
 +  lane TEXT NOT NULL,
 +  cursor TEXT,
 +  updated_at_ms INTEGER NOT NULL,
 +  PRIMARY KEY (project_id, lane)
 +);
 ```
 7. **Strengthen performance gates with tiered fixtures and memory ceilings.**  
 Analysis: Current thresholds are good, but fixture sizes are too close to mid-scale only. Add S/M/L fixtures and memory budget checks so regressions appear before real-world datasets hit them. This gives much more confidence in long-term scalability.  
 ```diff
 --- a/Gitlore_TUI_PRD_v2.md
 +++ b/Gitlore_TUI_PRD_v2.md
@@ 9.3 Phase 0 — Toolchain Gate
 -7. p95 first-paint latency < 50ms ... (100k issues, 50k MRs)
 -10. p95 search latency < 200ms ... (50k documents)
 +7. Tiered fixtures:
 +   S: 10k issues / 5k MRs / 50k notes
 +   M: 100k issues / 50k MRs / 500k notes
 +   L: 250k issues / 100k MRs / 1M notes
 +   Enforce p95 targets per tier and memory ceiling (<250MB RSS in M tier).
 +10. Search SLO validated in S and M tiers, lexical and hybrid modes.
 ```
 8. **Add session restore (last screen + filters + selection), with explicit `--fresh` opt-out.**  
 Analysis: This is high-value daily UX with low complexity, and it makes the TUI feel materially more “compelling/useful” without feature bloat. It also reduces friction when recovering from crash/restart.  
 ```diff
 --- a/Gitlore_TUI_PRD_v2.md
 +++ b/Gitlore_TUI_PRD_v2.md
@@ 1. Executive Summary
 +- **Session restore** — resume last screen, filters, and selection on startup.
@@ 4.1 Module Structure
 +    session.rs                    # persisted UI session state
@@ 8.1 Global
 +| `Ctrl+R` | Reset session state for current screen |
@@ 10.19 CLI Integration
 +`lore tui --fresh` starts without restoring prior session state.
@@ 11. Assumptions
 -12. No TUI-specific configuration initially.
 +12. Minimal TUI state file is allowed for session restore only.
 ```
 9. **Add parity tests between TUI data panels and `--robot` outputs.**  
 Analysis: You already have `ShowCliEquivalent`; parity tests make that claim trustworthy and prevent drift between interfaces. This is a strong reliability multiplier and helps future refactors.  
 ```diff
 --- a/Gitlore_TUI_PRD_v2.md
 +++ b/Gitlore_TUI_PRD_v2.md
@@ 9.2 Phases / 9.3 Success Criteria
 +Phase 5.6 — CLI/TUI Parity Pack
 +  - Dashboard count parity vs `lore --robot count/status`
 +  - List/detail parity for issues/MRs on sampled entities
 +  - Search result identity parity (top-N ids) for lexical mode
 +Success criterion: parity suite passes on CI fixtures.
 ```
 If you want, I can produce a single consolidated patch of the PRD text (one unified diff) so you can drop it directly into the next iteration.
--- a/plans/tui-prd-v2-frankentui.feedback-5.md
+++ b/plans/tui-prd-v2-frankentui.feedback-5.md
@@ -1,200 +0,0 @@
 1. **Fix the structural inconsistency between `src/tui` and `crates/lore-tui/src`**
 Analysis: The PRD currently defines two different code layouts for the same system. That will cause implementation drift, wrong imports, and duplicated modules. Locking to one canonical layout early prevents execution churn and makes every snippet/action item unambiguous.
 ```diff
@@ 4.1 Module Structure @@
 -src/
 -  tui/
 +crates/lore-tui/src/
     mod.rs
     app.rs
     message.rs
@@
 -### 10.5 Dashboard View (FrankenTUI Native)
 -// src/tui/view/dashboard.rs
 +### 10.5 Dashboard View (FrankenTUI Native)
 +// crates/lore-tui/src/view/dashboard.rs
@@
 -### 10.6 Sync View
 -// src/tui/view/sync.rs
 +### 10.6 Sync View
 +// crates/lore-tui/src/view/sync.rs
 ```
 2. **Add a small `ui_adapter` seam to contain FrankenTUI API churn**
 Analysis: You already identified high likelihood of upstream breakage. Pinning a commit helps, but if every screen imports raw `ftui_*` types directly, churn ripples through dozens of files. A thin adapter layer reduces upgrade cost without introducing the rejected “full portability abstraction”.
 ```diff
@@ 3.1 Risk Matrix @@
 | API breaking changes | High | High (v0.x) | Pin exact git commit; vendor source if needed |
 +| API breakage blast radius across app code | High | High | Constrain ftui usage behind `ui_adapter/*` wrappers |
@@ 4.1 Module Structure @@
 +    ui_adapter/
 +      mod.rs                    # Re-export stable local UI primitives
 +      runtime.rs                # App launch/options wrappers
 +      widgets.rs                # Table/List/Modal wrapper constructors
 +      input.rs                  # Text input + focus helpers
@@ 9.3 Phase 0 — Toolchain Gate @@
 +14. `ui_adapter` compile-check: no screen module imports `ftui_*` directly (lint-enforced)
 ```
 3. **Correct search mode behavior and replace sleep-based debounce with cancelable scheduling**
 Analysis: Current plan hardcodes `"hybrid"` in `execute_search`, so mode switching is UI-only and incorrect. Also, spawning sleeping tasks per keypress is wasteful under fast typing. Make mode a first-class query parameter and debounce via one cancelable scheduled event per input domain.
 ```diff
@@ 4.4 maybe_debounced_query @@
 -std::thread::sleep(std::time::Duration::from_millis(200));
 -match crate::tui::action::execute_search(&conn, &query, &filters) {
 +// no thread sleep; schedule SearchRequestStarted after 200ms via debounce scheduler
 +match crate::tui::action::execute_search(&conn, &query, &filters, mode) {
@@ 10.11 Action Module — Query Bridge @@
 -pub fn execute_search(conn: &Connection, query: &str, filters: &SearchCliFilters) -> Result<SearchResponse, LoreError> {
 -    let mode_str = "hybrid"; // default; TUI mode selector overrides
 +pub fn execute_search(
 +    conn: &Connection,
 +    query: &str,
 +    filters: &SearchCliFilters,
 +    mode: SearchMode,
 +) -> Result<SearchResponse, LoreError> {
 +    let mode_str = match mode {
 +        SearchMode::Hybrid => "hybrid",
 +        SearchMode::Lexical => "lexical",
 +        SearchMode::Semantic => "semantic",
 +    };
@@ 9.3 Phase 0 — Toolchain Gate @@
 +15. Search mode parity: lexical/hybrid/semantic each return mode-consistent top-N IDs on fixture
 ```
 4. **Guarantee consistent multi-query reads and add query interruption for responsiveness**
 Analysis: Detail screens combine multiple queries that can observe mixed states during sync writes. Wrap each detail fetch in a single read transaction for snapshot consistency. Add cancellation/interrupt checks for long-running queries so UI remains responsive under heavy datasets.
 ```diff
@@ 4.5 Async Action System @@
 +All detail fetches (`issue_detail`, `mr_detail`, timeline expansion) run inside one read transaction
 +to guarantee snapshot consistency across subqueries.
@@ 10.11 Action Module — Query Bridge @@
 +pub fn with_read_snapshot<T>(
 +    conn: &Connection,
 +    f: impl FnOnce(&rusqlite::Transaction<'_>) -> Result<T, LoreError>,
 +) -> Result<T, LoreError> { ... }
 +// Long queries register interrupt checks tied to CancelToken
 +// to avoid >1s uninterruptible stalls during rapid navigation/filtering.
 ```
 5. **Formalize sync event streaming contract to prevent “stuck” states**
 Analysis: Dropping events on backpressure is acceptable, but completion must never be dropped and event ordering must be explicit. Add a typed `SyncUiEvent` stream with guaranteed terminal sentinel and progress coalescing to reduce load while preserving correctness.
 ```diff
@@ 4.4 start_sync_task @@
 -let (tx, rx) = std::sync::mpsc::sync_channel::<Msg>(1024);
 +let (tx, rx) = std::sync::mpsc::sync_channel::<SyncUiEvent>(2048);
 -// drop this progress update rather than blocking the sync thread
 +// coalesce progress to max 30Hz per lane; never drop terminal events
 +// always emit SyncUiEvent::StreamClosed { outcome }
@@ 5.9 Sync @@
 -- Log viewer with streaming output
 +- Log viewer with streaming output and explicit stream-finalization state
 +- UI shows dropped/coalesced event counters for transparency
 ```
 6. **Version and validate session restore payloads**
 Analysis: A raw JSON session file without schema/version checks is fragile across releases and DB switches. Add schema version, DB fingerprint, and safe fallback rules so session restore never blocks startup or applies stale state incorrectly.
 ```diff
@@ 11. Assumptions @@
 -12. Minimal TUI state file allowed for session restore only ...
 +12. Versioned TUI state file allowed for session restore only:
 +    fields include `schema_version`, `app_version`, `db_fingerprint`, `saved_at`, `state`.
@@ 10.1 New Files @@
 crates/lore-tui/src/session.rs         # Lightweight session state persistence
 +                                        # + versioning, validation, corruption quarantine
@@ 4.1 Module Structure @@
     session.rs                    # Lightweight session state persistence
 +                                  # corrupted file -> `.bad-<timestamp>` and fresh start
 ```
 7. **Harden terminal safety beyond ANSI stripping**
 Analysis: ANSI stripping is necessary but not sufficient. Bidi controls and invisible Unicode controls can still spoof displayed content. URL checks should normalize host/port and disallow deceptive variants. This closes realistic terminal spoofing vectors.
 ```diff
@@ 3.1 Risk Matrix @@
 | Terminal escape/control-sequence injection via issue/note text | High | Medium | Strip ANSI/OSC/control chars via sanitize_for_terminal() ... |
 +| Bidi/invisible Unicode spoofing in rendered text | High | Medium | Strip bidi overrides + zero-width controls in untrusted text |
@@ 10.4.1 Terminal Safety — Untrusted Text Sanitization @@
 -Strip ANSI escape sequences, OSC commands, and control characters
 +Strip ANSI/OSC/control chars, bidi overrides (RLO/LRO/PDF/RLI/LRI/FSI/PDI),
 +and zero-width/invisible controls from untrusted text
 -pub fn is_safe_url(url: &str, allowed_hosts: &[String]) -> bool {
 +pub fn is_safe_url(url: &str, allowed_origins: &[Origin]) -> bool {
 +    // normalize host (IDNA), enforce scheme+host+port match
 ```
 8. **Use progressive hydration for detail screens**
 Analysis: Issue/MR detail first-paint can become slow when discussions are large. Split fetch into phases: metadata first, then discussions/file changes, then deep thread content on expand. This improves perceived performance and keeps navigation snappy on large repos.
 ```diff
@@ 5.3 Issue Detail @@
 -Data source: `lore issues <iid>` + discussions + cross-references
 +Data source (progressive):
 +1) metadata/header (first paint)
 +2) discussions summary + cross-refs
 +3) full thread bodies loaded on demand when expanded
@@ 5.5 MR Detail @@
 -Unique features: File changes list, Diff discussions ...
 +Unique features (progressive hydration):
 +- file change summary in first paint
 +- diff discussion bodies loaded lazily per expanded thread
@@ 9.3 Phase 0 — Toolchain Gate @@
 +16. Detail first-paint p95 < 75ms on M-tier fixtures (metadata-only phase)
 ```
 9. **Make reliability tests reproducible with deterministic clocks/seeds**
 Analysis: Relative-time rendering and fuzz tests are currently tied to wall clock/randomness, which makes CI flakes hard to diagnose. Introduce a `Clock` abstraction and deterministic fuzz seeds with failure replay output.
 ```diff
@@ 10.9.1 Non-Snapshot Tests @@
 +/// All time-based rendering uses injected `Clock` in tests.
 +/// Fuzz failures print deterministic seed for replay.
@@ 9.2 Phase 5.5 — Reliability Test Pack @@
 -Event fuzz tests (key/resize/paste):p55g
 +Event fuzz tests (key/resize/paste, deterministic seed replay):p55g
 +Deterministic clock/render tests:p55i
 ```
 10. **Add an “Actionable Insights” dashboard panel for stronger day-to-day utility**
 Analysis: Current dashboard is informative, but not prioritizing. Adding ranked insights (stale P1s, blocked MRs, discussion hotspots) turns it into a decision surface, not just a metrics screen. This makes the TUI materially more compelling for triage workflows.
 ```diff
@@ 1. Executive Summary @@
 - Dashboard — sync status, project health, counts at a glance
 +- Dashboard — sync status, project health, counts, and ranked actionable insights
@@ 5.1 Dashboard (Home Screen) @@
 -│  Recent Activity                  │
 +│  Recent Activity                  │
 +│  Actionable Insights              │
 +│  1) 7 opened P1 issues >14d       │
 +│  2) 3 MRs blocked by unresolved   │
 +│  3) auth/ has +42% note velocity  │
@@ 6. User Flows @@
 +### 6.9 Flow: "Risk-first morning sweep"
 +Dashboard -> select insight -> jump to pre-filtered list/detail
 ```
 These 10 changes stay clear of your `Rejected Recommendations` list and materially improve correctness, operability, and product value without adding speculative architecture.
--- a/plans/tui-prd-v2-frankentui.feedback-6.md
+++ b/plans/tui-prd-v2-frankentui.feedback-6.md
@@ -1,150 +0,0 @@
 Your plan is strong and unusually detailed. The biggest upgrades I’d make are around build isolation, async correctness, terminal correctness, and turning existing data into sharper triage workflows.
 ## 1) Fix toolchain isolation so stable builds cannot accidentally pull nightly
 Rationale: a `rust-toolchain.toml` inside `crates/lore-tui` is not a complete guard when running workspace commands from repo root. You should structurally prevent stable workflows from touching nightly-only code.
 ```diff
@@ 3.2 Nightly Rust Strategy
 -[workspace]
 -members = [".", "crates/lore-tui"]
 +[workspace]
 +members = ["."]
 +exclude = ["crates/lore-tui"]
 +`crates/lore-tui` is built as an isolated workspace/package with explicit toolchain invocation:
 +  cargo +nightly-2026-02-08 check --manifest-path crates/lore-tui/Cargo.toml
 +Core repo remains:
 +  cargo +stable check --workspace
 ```
 ## 2) Add an explicit `lore` <-> `lore-tui` compatibility contract
 Rationale: runtime delegation is correct, but version drift between binaries will become the #1 support failure mode. Add a handshake before launch.
 ```diff
@@ 10.19 CLI Integration — Adding `lore tui`
 +Before spawning `lore-tui`, `lore` runs:
 +  lore-tui --print-contract-json
 +and validates:
 +  - minimum_core_version
 +  - supported_db_schema_range
 +  - contract_version
 +On mismatch, print actionable remediation:
 +  cargo install --path crates/lore-tui
 ```
 ## 3) Make TaskSupervisor truly authoritative (remove split async paths)
 Rationale: the document says supervisor is the only path, but examples still use direct `Cmd::task` and `search_request_id`. Close that contradiction now to avoid stale-data races.
 ```diff
@@ 4.4 App — Implementing the Model Trait
 -    search_request_id: u64,
 +    task_supervisor: TaskSupervisor,
@@ 4.5.1 Task Supervisor
 -The `search_request_id` field in `LoreApp` is superseded...
 +`search_request_id` is removed. All async work uses TaskSupervisor generations.
 +No direct `Cmd::task` from screen handlers or ad-hoc helpers.
 ```
 ## 4) Resolve keybinding conflicts and implement real go-prefix timeout
 Rationale: `Ctrl+I` collides with `Tab` in terminals. Also your 500ms go-prefix timeout is described but not enforced in code.
 ```diff
@@ 8.1 Global (Available Everywhere)
 -| `Ctrl+I` | Jump forward in jump list (entity hops) |
 +| `Alt+o` | Jump forward in jump list (entity hops) |
@@ 8.2 Keybinding precedence
 +Go-prefix timeout is enforced by timestamped state + tick check.
 +Backspace global-back behavior is implemented (currently documented but not wired).
 ```
 ## 5) Add a shared display-width text utility (Unicode-safe truncation and alignment)
 Rationale: current `truncate()` implementations use byte/char length and will misalign CJK/emoji/full-width text in tables and trees.
 ```diff
@@ 10.1 New Files
 +crates/lore-tui/src/text_width.rs      # grapheme-safe truncation + display width helpers
@@ 10.5 Dashboard View / 10.13 Issue List / 10.16 Who View
 -fn truncate(s: &str, max: usize) -> String { ... }
 +use crate::text_width::truncate_display_width;
 +// all column fitting/truncation uses terminal display width, not bytes/chars
 ```
 ## 6) Upgrade sync streaming to a QoS event bus with sequence IDs
 Rationale: today progress/log events can be dropped under load with weak observability. Keep UI responsive while guaranteeing completion semantics and visible gap accounting.
 ```diff
@@ 4.4 start_sync_task()
 -let (tx, rx) = std::sync::mpsc::sync_channel::<SyncUiEvent>(2048);
 +let (ctrl_tx, ctrl_rx) = std::sync::mpsc::sync_channel::<SyncCtrlEvent>(256);   // never-drop
 +let (data_tx, data_rx) = std::sync::mpsc::sync_channel::<SyncDataEvent>(4096);   // coalescible
 +Every streamed event carries seq_no.
 +UI detects gaps and renders: "Dropped N log/progress events due to backpressure."
 +Terminal events (started/completed/failed/cancelled) remain lossless.
 ```
 ## 7) Make list pagination truly keyset-driven in state, not just in prose
 Rationale: plan text promises windowed keyset paging, but state examples still keep a single list without cursor model. Encode pagination state explicitly.
 ```diff
@@ 10.10 state/issue_list.rs
 -pub items: Vec<IssueListRow>,
 +pub window: Vec<IssueListRow>,
 +pub next_cursor: Option<IssueCursor>,
 +pub prev_cursor: Option<IssueCursor>,
 +pub prefetch: Option<Vec<IssueListRow>>,
 +pub window_size: usize, // default 200
@@ 5.2 Issue List
 -Pagination: Windowed keyset pagination...
 +Pagination: Keyset cursor model is first-class state with forward/back cursors and prefetch buffer.
 ```
 ## 8) Harden session restore with atomic persistence + integrity checksum
 Rationale: versioning/quarantine is good, but you still need crash-safe write semantics and tamper/corruption detection to avoid random boot failures.
 ```diff
@@ 10.1 New Files
 -crates/lore-tui/src/session.rs         # Versioned session state persistence + validation + corruption quarantine
 +crates/lore-tui/src/session.rs         # + atomic write (tmp->fsync->rename), checksum, max-size guard
@@ 11. Assumptions
 +Session writes are atomic and checksummed.
 +Invalid checksum or oversized file triggers quarantine and fresh boot.
 ```
 ## 9) Evolve Doctor from read-only text into actionable remediation
 Rationale: your CLI already returns machine-actionable `actions`. TUI should surface those as one-key fixes; this materially increases usefulness.
 ```diff
@@ 5.11 Doctor / Stats (Info Screens)
 -Simple read-only views rendering the output...
 +Doctor is interactive:
 +  - shows health checks + severity
 +  - exposes suggested `actions` from robot-mode errors
 +  - Enter runs selected action command (with confirmation modal)
 +Stats remains read-only.
 ```
 ## 10) Add a Dependency Lens to Issue/MR detail (high-value triage feature)
 Rationale: you already have cross-refs + discussions + timeline. A compact dependency panel (blocked-by / blocks / unresolved threads) makes this data operational for prioritization.
 ```diff
@@ 5.3 Issue Detail
 -│ ┌─ Cross-References ─────────────────────────────────────────┐ │
 +│ ┌─ Dependency Lens ──────────────────────────────────────────┐ │
 +│ │ Blocked by: #1198 (open, stale 9d)                        │ │
 +│ │ Blocks: !458 (opened, 2 unresolved threads)               │ │
 +│ │ Risk: High (P1 + stale blocker + open MR discussion)      │ │
 +│ └────────────────────────────────────────────────────────────┘ │
@@ 9.2 Phases
 +Dependency Lens (issue/mr detail, computed risk score) :p3e, after p2e, 1d
 ```
 ---
 If you want, I can next produce a consolidated **“v2.1 patch”** of the PRD with all these edits merged into one coherent updated document structure.
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,3 @@`
							`# Tools`

							`(Your tools will go here. Add notes about them as you acquire and use them.)`