fix(memory): isolate test workspace cleanup

Author: sdwolf4103

.gitignore

@@ -52,5 +52,6 @@ pnpm-lock.yaml
 # Superpowers local planning artifacts
 docs/superpowers/plans/
 
-# Local migration dry-run roots
+# Local dev/admin script inputs
+scripts/dev/run-migration-roots.local.txt
 scripts/dev/dry-run-roots.local.txt

CHANGELOG.md

@@ -14,13 +14,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Local extraction rejection log for rejected compaction memory candidates:
   `~/.local/share/opencode-working-memory/extraction-rejections.jsonl`.
 - Sanitized real-workspace regression fixtures for memory cleanup migration behavior.
+- Safe workspace residue cleanup tooling that dry-runs by default and quarantines definite temp/test workspace stores instead of deleting them.
 
 ### Changed
 
 - Unified memory quality rules in a shared quality gate for compaction memory candidates and cleanup checks.
 - Rewritten compaction memory prompt to reduce over-production of low-quality memories.
 - Changed quality cleanup migration to be conservative: it supersedes only high-confidence garbage patterns, including progress snapshots, raw errors, commit/CI snapshots, temporary status notes, active file snapshots, code/API signatures, path-heavy entries, and empty entries.
 - Soft heuristic failures (`bad_feedback`, `bad_decision`) are intentionally excluded from automatic migration cleanup to protect durable declarative memories such as branding rules, API facts, release rules, user workflow preferences, and architecture decisions.
+- Isolated test runs under a temporary `XDG_DATA_HOME` so test workspaces no longer pollute real local workspace memory data.
 
 ### Recovery note
 

README.md

@@ -176,6 +176,15 @@ The goal is to remember durable facts, not every detail.
 
 Historical cleanup is intentionally conservative: extraction-time filtering may reject more aggressively, but one-time migration cleanup only supersedes high-confidence garbage patterns. This protects existing durable memories written in declarative style, such as "API endpoint is X" or "Product branding is Y".
 
+For local development cleanup, use:
+
+```bash
+npm run cleanup:workspaces -- --dry-run
+npm run cleanup:workspaces -- --quarantine
+```
+
+The cleanup command only quarantines definite temp/test workspace residues by default. It does not delete unknown missing-root workspaces.
+
 ## Configuration
 
 OpenCode Working Memory works out of the box.
@@ -212,6 +221,7 @@ cd opencode-working-memory
 npm install
 npm test
 npm run typecheck
+npm run cleanup:workspaces -- --dry-run
 ```
 
 ## Requirements

RELEASE_NOTES.md

@@ -16,6 +16,8 @@ The quality gate is now shared across compaction extraction and migration checks
 - **Audit logs**: automatic migration cleanup writes local JSONL audit records so superseded entries can be inspected and restored.
 - **Extraction rejection logs**: newly rejected compaction candidates are logged locally to help calibrate future quality rules.
 - **Regression coverage**: migration behavior is tested against sanitized real-workspace patterns to prevent mass false positives from coming back.
+- **Workspace cleanup tooling**: a dev/admin cleanup command can dry-run or quarantine definite temp/test workspace residues without deleting unknown missing-root workspaces.
+- **Test storage isolation**: test runs now use a temporary `XDG_DATA_HOME`, preventing fixture workspaces from polluting real local memory data.
 
 ### What Gets Cleaned Up
 
@@ -63,6 +65,22 @@ Explicit and manual memories are also protected.
 
 If a useful memory is superseded, inspect the migration audit log and restore the entry by changing its status back to `"active"` in the workspace's `workspace-memory.json`.
 
+### Workspace Residue Cleanup
+
+If old test/temp workspace stores already exist locally, inspect them first:
+
+```bash
+npm run cleanup:workspaces -- --dry-run
+```
+
+To move definite temp/test residues into a local quarantine folder instead of deleting them:
+
+```bash
+npm run cleanup:workspaces -- --quarantine
+```
+
+The cleanup command skips existing workspace roots and unknown missing-root workspaces by default.
+
 ### Upgrade Notes
 
 - No configuration changes required.

package.json

@@ -16,7 +16,8 @@
   "scripts": {
     "build": "node -e \"console.log('No build step required: OpenCode loads index.ts directly')\"",
     "typecheck": "tsc --noEmit",
-    "test": "node --test --experimental-strip-types tests/*.test.ts",
+    "test": "node --import ./tests/setup-xdg-data-home.ts --test --experimental-strip-types tests/*.test.ts",
+    "cleanup:workspaces": "node --experimental-strip-types scripts/dev/cleanup-workspaces.ts",
     "check:compat": "npm install --no-save @opencode-ai/plugin@latest && npm run typecheck && npm test"
   },
   "keywords": [

scripts/dev/cleanup-workspaces.ts

@@ -0,0 +1,100 @@
+#!/usr/bin/env node
+/**
+ * Safely inspect or quarantine stale test/temp workspace memory stores.
+ *
+ * Default mode is dry-run. Quarantine moves only definite temp/test residues.
+ * Unknown missing roots are reported but skipped unless --include-orphans is set.
+ */
+
+import { cleanupWorkspaceResidues } from "../../src/workspace-cleanup.ts";
+
+type CliOptions = {
+  mode: "dry-run" | "quarantine";
+  dataHome?: string;
+  olderThanDays?: number;
+  includeOrphans: boolean;
+};
+
+function usage(): string {
+  return `Usage:
+  npm run cleanup:workspaces -- --dry-run
+  npm run cleanup:workspaces -- --quarantine
+  npm run cleanup:workspaces -- --quarantine --older-than-days 1
+
+Options:
+  --dry-run             List candidates without moving anything (default)
+  --quarantine          Move definite temp/test residues to quarantine
+  --data-home <path>    Override XDG data home for testing/admin work
+  --older-than-days <n> Only consider workspace dirs older than n days
+  --include-orphans     Also quarantine missing non-temp roots (off by default)
+  --help                Show this help
+`;
+}
+
+function parseArgs(argv: string[]): CliOptions {
+  const options: CliOptions = { mode: "dry-run", includeOrphans: false };
+
+  for (let i = 0; i < argv.length; i++) {
+    const arg = argv[i];
+    switch (arg) {
+      case "--dry-run":
+        options.mode = "dry-run";
+        break;
+      case "--quarantine":
+        options.mode = "quarantine";
+        break;
+      case "--data-home":
+        options.dataHome = argv[++i];
+        if (!options.dataHome) throw new Error("--data-home requires a path");
+        break;
+      case "--older-than-days": {
+        const value = Number(argv[++i]);
+        if (!Number.isFinite(value) || value < 0) throw new Error("--older-than-days requires a non-negative number");
+        options.olderThanDays = value;
+        break;
+      }
+      case "--include-orphans":
+        options.includeOrphans = true;
+        break;
+      case "--help":
+      case "-h":
+        console.log(usage());
+        process.exit(0);
+      default:
+        throw new Error(`Unknown option: ${arg}\n${usage()}`);
+    }
+  }
+
+  return options;
+}
+
+const options = parseArgs(process.argv.slice(2));
+const result = await cleanupWorkspaceResidues({
+  dataHome: options.dataHome,
+  mode: options.mode,
+  includeOrphans: options.includeOrphans,
+  minAgeMs: options.olderThanDays === undefined ? undefined : options.olderThanDays * 24 * 60 * 60 * 1_000,
+});
+
+console.log(`Mode: ${result.mode}`);
+console.log(`Scanned: ${result.results.length}`);
+console.log(`Candidates: ${result.candidates.length}`);
+
+if (result.candidates.length > 0) {
+  console.log("\nCandidates:");
+  for (const candidate of result.candidates) {
+    console.log(`- ${candidate.workspaceKey} ${candidate.classification} root=${candidate.root ?? "<missing>"}`);
+    console.log(`  reasons=${candidate.reasons.join(",")}`);
+  }
+}
+
+if (result.quarantined.length > 0) {
+  console.log(`\nQuarantined: ${result.quarantined.length}`);
+  console.log(`Quarantine dir: ${result.quarantineDir}`);
+}
+
+const unknownOrphans = result.results.filter(item => item.classification === "orphan_unknown");
+if (unknownOrphans.length > 0 && !options.includeOrphans) {
+  console.log(`\nUnknown missing-root workspaces skipped: ${unknownOrphans.length}`);
+  console.log("Use --include-orphans only after manually confirming they are safe to quarantine.");
+}

scripts/dev/dry-run-migration.ts scripts/dev/run-migration.tsscripts/dev/dry-run-migration.ts renamed to scripts/dev/run-migration.ts

@@ -2,12 +2,12 @@
  * Local helper to trigger migration on workspace roots.
  *
  * Usage:
- *   MIGRATION_DRY_RUN_ROOTS=/path/a:/path/b bun run scripts/dev/dry-run-migration.ts
+ *   MIGRATION_RUN_ROOTS=/path/a:/path/b bun run scripts/dev/run-migration.ts
  *
  * Or create a local file (gitignored):
- *   echo "/path/to/workspace1" > scripts/dev/dry-run-roots.local.txt
- *   echo "/path/to/workspace2" >> scripts/dev/dry-run-roots.local.txt
- *   bun run scripts/dev/dry-run-migration.ts
+ *   echo "/path/to/workspace1" > scripts/dev/run-migration-roots.local.txt
+ *   echo "/path/to/workspace2" >> scripts/dev/run-migration-roots.local.txt
+ *   bun run scripts/dev/run-migration.ts
  */
 
 import { existsSync } from "node:fs";
@@ -17,21 +17,21 @@ import { loadWorkspaceMemory } from "../../src/workspace-memory.ts";
 
 async function getRoots(): Promise<string[]> {
   // Priority 1: environment variable
-  const envRoots = process.env.MIGRATION_DRY_RUN_ROOTS;
+  const envRoots = process.env.MIGRATION_RUN_ROOTS;
   if (envRoots) {
     return envRoots.split(":").filter(root => root.length > 0);
   }
 
   // Priority 2: local file
-  const localFile = join(import.meta.dirname, "dry-run-roots.local.txt");
+  const localFile = join(import.meta.dirname, "run-migration-roots.local.txt");
   if (existsSync(localFile)) {
     const content = await readFile(localFile, "utf8");
     return content.trim().split("\n").filter(root => root.length > 0);
   }
 
   // No roots configured
   console.log("No workspace roots configured.");
-  console.log("Set MIGRATION_DRY_RUN_ROOTS=/path/a:/path/b or create dry-run-roots.local.txt");
+  console.log("Set MIGRATION_RUN_ROOTS=/path/a:/path/b or create run-migration-roots.local.txt");
   return [];
 }
 

src/extractors.ts

@@ -5,6 +5,7 @@ import type { ActiveFile, LongTermMemoryEntry, LongTermType, OpenError } from ".
 import { LONG_TERM_LIMITS } from "./types.ts";
 import { assessMemoryQuality } from "./memory-quality.ts";
 import { extractionRejectionLogPath } from "./paths.ts";
+import { redactCredentials } from "./redaction.ts";
 
 function id(prefix: string): string {
   return `${prefix}_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`;
@@ -248,15 +249,6 @@ async function logExtractionRejection(entry: ExtractionRejectionLogEntry): Promi
   }
 }
 
-function redactSensitiveText(text: string): string {
-  return text
-    .replace(/bearer\s+[a-zA-Z0-9._-]+/gi, "bearer [REDACTED]")
-    .replace(/token[=:]\s*[a-zA-Z0-9._-]+/gi, "token=[REDACTED]")
-    .replace(/password[=:]\s*[a-zA-Z0-9._-]+/gi, "password=[REDACTED]")
-    .replace(/secret[=:]\s*[a-zA-Z0-9._-]+/gi, "secret=[REDACTED]")
-    .replace(/api[-_]?key[=:]\s*[a-zA-Z0-9._-]+/gi, "api_key=[REDACTED]");
-}
-
 function shouldAcceptWorkspaceMemoryCandidate(
   entry: {
     type: LongTermType;
@@ -287,7 +279,7 @@ function shouldAcceptWorkspaceMemoryCandidate(
     void logExtractionRejection({
       timestamp: new Date().toISOString(),
       type: entry.type,
-      text: redactSensitiveText(text),
+      text: redactCredentials(text),
       reasons: quality.reasons,
       source: "compaction",
     });

src/redaction.ts

@@ -0,0 +1,73 @@
+/**
+ * Shared redaction utilities for sensitive credential patterns.
+ * Used by both workspace memory normalization and extraction rejection logging.
+ */
+
+// Password labels in multiple languages
+const PASSWORD_LABELS = /password|passwd|pwd|密碼|密码|パスワード|비밀번호|contraseña|mot de passe|passwort/i;
+
+// Username labels in multiple languages
+const USERNAME_LABELS = /username|user name|用戶名|用户名|ユーザー名|사용자명|usuario|utilisateur|benutzer/i;
+
+// Sensitive key labels
+const SENSITIVE_LABELS = /api[_-]?key|token|bearer|secret|credential|auth|auth[_-]?key|private[_-]?key/i;
+
+// Secret value pattern (excludes common delimiters and brackets)
+const SECRET_VALUE = String.raw`[^` + "`" + String.raw`'",，,\s\[]+`;
+
+// Prefix patterns for different credential types
+const PIN_PREFIX = String.raw`(\bPIN\b(?:\s*(?:是|=|:|：)\s*|\s+(?![是=:：])))`;
+const PASSWORD_PREFIX = String.raw`((?:${PASSWORD_LABELS.source})(?:\s*(?:是|=|:|：)\s*|\s+(?![是=:：])))`;
+const USERNAME_PREFIX = String.raw`((?:${USERNAME_LABELS.source})(?:\s*(?:是|=|:|：)\s*|\s+(?![是=:：])))`;
+const SENSITIVE_PREFIX = String.raw`((?:${SENSITIVE_LABELS.source})(?:\s*(?:推|是|=|:|：)\s*|[:：]\s*))`;
+const BEARER_PREFIX = String.raw`(Bearer\s+)`;
+
+/**
+ * Redacts sensitive credentials from text.
+ * Handles:
+ * - PINs in multiple formats
+ * - Username/password pairs
+ * - Standalone passwords
+ * - Bearer tokens
+ * - API keys, secrets, credentials, auth tokens, private keys
+ * 
+ * Supports multiple languages and delimiters (ASCII and CJK).
+ */
+export function redactCredentials(text: string): string {
+  let result = text;
+
+  // 1. PIN
+  result = result.replace(
+    new RegExp(String.raw`${PIN_PREFIX}[\`'"]?(${SECRET_VALUE})`, "gi"),
+    "$1[REDACTED]",
+  );
+
+  // 2. Username+password pair
+  result = result.replace(
+    new RegExp(
+      String.raw`${USERNAME_PREFIX}[\`'"]?(${SECRET_VALUE})((?:，|,)\s*)${PASSWORD_PREFIX}[\`'"]?(${SECRET_VALUE})`,
+      "gi",
+    ),
+    "$1[REDACTED]$3$4[REDACTED]",
+  );
+
+  // 3. Standalone password
+  result = result.replace(
+    new RegExp(String.raw`${PASSWORD_PREFIX}[\`'"]?(${SECRET_VALUE})`, "gi"),
+    "$1[REDACTED]",
+  );
+
+  // 4. Bearer tokens (but not "bearer token:" labels)
+  result = result.replace(
+    new RegExp(String.raw`${BEARER_PREFIX}(?!token\s*[:=：])[\`'"]?(${SECRET_VALUE})`, "gi"),
+    "$1[REDACTED]",
+  );
+
+  // 5. Sensitive keys/tokens
+  result = result.replace(
+    new RegExp(String.raw`${SENSITIVE_PREFIX}[\`'"]?(${SECRET_VALUE})`, "gi"),
+    "$1[REDACTED]",
+  );
+
+  return result;
+}