fix(memory): address quality cleanup audit findings

Author: sdwolf4103

.gitignore

@@ -51,3 +51,6 @@ pnpm-lock.yaml
 
 # Superpowers local planning artifacts
 docs/superpowers/plans/
+
+# Local migration dry-run roots
+scripts/dev/dry-run-roots.local.txt

CHANGELOG.md

@@ -7,14 +7,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [1.4.0] - 2026-04-28
 
-### Memory Quality Cleanup
+### Added
+
+- Local migration audit log for the `2026-04-28-quality-cleanup` migration:
+  `~/.local/share/opencode-working-memory/migration-logs/2026-04-28-quality-cleanup.jsonl`.
+- Local extraction rejection log for rejected compaction memory candidates:
+  `~/.local/share/opencode-working-memory/extraction-rejections.jsonl`.
+- Sanitized real-workspace regression fixtures for memory cleanup migration behavior.
+
+### Changed
 
-- Unified quality gate for compaction memory candidates and cleanup checks.
+- Unified memory quality rules in a shared quality gate for compaction memory candidates and cleanup checks.
 - Rewritten compaction memory prompt to reduce over-production of low-quality memories.
-- Conservative one-time quality cleanup migration (`2026-04-28-quality-cleanup`) that supersedes only high-confidence garbage patterns: progress snapshots, raw errors, commit/CI snapshots, temporary status notes, active file snapshots, code/API signatures, path-heavy entries, and empty entries.
-- Soft heuristic failures (`bad_feedback`, `bad_decision`) are intentionally excluded from automatic migration cleanup to protect durable declarative memories such as branding rules, API facts, release rules, and architecture decisions.
-- Migration audit log: `~/.local/share/opencode-working-memory/migration-logs/2026-04-28-quality-cleanup.jsonl`.
-- Extraction rejection log: `~/.local/share/opencode-working-memory/extraction-rejections.jsonl`.
+- Changed quality cleanup migration to be conservative: it supersedes only high-confidence garbage patterns, including progress snapshots, raw errors, commit/CI snapshots, temporary status notes, active file snapshots, code/API signatures, path-heavy entries, and empty entries.
+- Soft heuristic failures (`bad_feedback`, `bad_decision`) are intentionally excluded from automatic migration cleanup to protect durable declarative memories such as branding rules, API facts, release rules, user workflow preferences, and architecture decisions.
 
 ### Recovery note
 

RELEASE_NOTES.md

@@ -4,37 +4,69 @@
 
 ### Memory Quality Cleanup
 
-This minor release automatically improves memory quality for all existing users on upgrade. Low-quality compaction memories are identified and superseded without requiring manual cleanup.
+This release improves automatic workspace memory quality without risking broad cleanup of useful existing memories.
+
+The quality gate is now shared across compaction extraction and migration checks, the compaction prompt is stricter about what should become durable memory, and the one-time migration is intentionally conservative.
 
 ### What Changed
 
-- **Unified quality gate**: All memory types (feedback, decision, project, reference) now share the same quality rules instead of only project entries having a quality check.
-- **Hardened compaction prompt**: The model is explicitly instructed that most compactions should produce zero memories, with clear good/bad examples.
-- **Auto-supersede migration**: On first load after upgrade, existing low-quality `compaction` memories are automatically marked as `superseded` with quality tags. Explicit and manual memories are never affected.
+- **Unified quality rules**: memory quality checks now live in one shared module and apply consistently across feedback, decisions, project facts, and references.
+- **Stricter compaction output**: the compaction prompt now tells the model to save fewer memories and prefer durable facts, user preferences, architecture decisions, and hard-to-rediscover references.
+- **Conservative migration cleanup**: the `2026-04-28-quality-cleanup` migration only supersedes high-confidence garbage patterns, not every rejected memory.
+- **Audit logs**: automatic migration cleanup writes local JSONL audit records so superseded entries can be inspected and restored.
+- **Extraction rejection logs**: newly rejected compaction candidates are logged locally to help calibrate future quality rules.
+- **Regression coverage**: migration behavior is tested against sanitized real-workspace patterns to prevent mass false positives from coming back.
 
 ### What Gets Cleaned Up
 
-Low-quality memory patterns that are now rejected/superseded:
+The migration may supersede existing `source: "compaction"` memories only when they match hard garbage patterns:
 
-- Progress snapshots: "Wave 1 completed successfully", "180 tests passed"
-- Session-internal notes: "The assistant reviewed feedback and updated the plan"
-- Implementation notes: "Implemented X in plugin.ts"
-- Commit/CI references: "Commit a762e86 contains the fix"
+- Empty entries
+- Progress snapshots, such as "Wave 1 completed successfully"
+- Test or suite count snapshots, such as "180 tests passed"
 - Raw errors and stack traces
-- Temporary status: "Currently running npm test"
+- Commit or CI snapshots
+- Temporary status notes, such as "Currently running npm test"
+- Active file snapshots
+- Code or API signatures
+- Path-heavy entries that are just rediscoverable file lists
+
+### What Is Protected
+
+The migration does not supersede entries whose only issue is a soft heuristic failure, such as:
+
+- `bad_feedback`
+- `bad_decision`
+
+This protects useful declarative memories like:
+
+- Product branding rules
+- API facts
+- Release rules
+- Architecture decisions
+- User workflow preferences
+
+Explicit and manual memories are also protected.
 
 ### Migration Behavior
 
-- Runs exactly once per workspace (idempotent, non-destructive)
-- Only affects `source: "compaction"` entries
-- Explicit/manual memories are protected
-- Superseded entries retain `status: "superseded"` and quality tags for audit
-- No user action required
+- Runs once per workspace.
+- Only affects active `source: "compaction"` entries.
+- Marks matching entries as `status: "superseded"` instead of deleting them.
+- Adds `quality_cleanup` and `quality:<reason>` tags to superseded entries.
+- Writes audit logs to:
+  `~/.local/share/opencode-working-memory/migration-logs/2026-04-28-quality-cleanup.jsonl`
+- Writes extraction rejection logs to:
+  `~/.local/share/opencode-working-memory/extraction-rejections.jsonl`
+
+### Recovery
+
+If a useful memory is superseded, inspect the migration audit log and restore the entry by changing its status back to `"active"` in the workspace's `workspace-memory.json`.
 
 ### Upgrade Notes
 
 - No configuration changes required.
-- Existing workspace memory files are automatically cleaned on first load.
+- Existing workspace memory files remain compatible.
 - The OpenCode config entry stays the same:
 
 ```json
@@ -45,7 +77,7 @@ Low-quality memory patterns that are now rejected/superseded:
 
 ### Validation
 
-- `npm test` (196 tests)
+- `npm test`
 - `npm run typecheck`
 
 ---

scripts/dev/dry-run-migration.ts

@@ -1,12 +1,45 @@
+/**
+ * Local helper to trigger migration on workspace roots.
+ *
+ * Usage:
+ *   MIGRATION_DRY_RUN_ROOTS=/path/a:/path/b bun run scripts/dev/dry-run-migration.ts
+ *
+ * Or create a local file (gitignored):
+ *   echo "/path/to/workspace1" > scripts/dev/dry-run-roots.local.txt
+ *   echo "/path/to/workspace2" >> scripts/dev/dry-run-roots.local.txt
+ *   bun run scripts/dev/dry-run-migration.ts
+ */
+
+import { existsSync } from "node:fs";
+import { readFile } from "node:fs/promises";
+import { join } from "node:path";
 import { loadWorkspaceMemory } from "../../src/workspace-memory.ts";
 
-const roots = [
-  "/Users/sd_wo/work/opencode-working-memory",
-  "/Users/sd_wo/Documents/projects/Pre-cancer-atlas",
-  "/Users/sd_wo/work/opencode-record",
-  "/Users/sd_wo/work/pathology-agent-reports",
-  "/Users/sd_wo/work/pathology-extraction",
-];
+async function getRoots(): Promise<string[]> {
+  // Priority 1: environment variable
+  const envRoots = process.env.MIGRATION_DRY_RUN_ROOTS;
+  if (envRoots) {
+    return envRoots.split(":").filter(root => root.length > 0);
+  }
+
+  // Priority 2: local file
+  const localFile = join(import.meta.dirname, "dry-run-roots.local.txt");
+  if (existsSync(localFile)) {
+    const content = await readFile(localFile, "utf8");
+    return content.trim().split("\n").filter(root => root.length > 0);
+  }
+
+  // No roots configured
+  console.log("No workspace roots configured.");
+  console.log("Set MIGRATION_DRY_RUN_ROOTS=/path/a:/path/b or create dry-run-roots.local.txt");
+  return [];
+}
+
+const roots = await getRoots();
+
+if (roots.length === 0) {
+  process.exit(0);
+}
 
 for (const root of roots) {
   console.log(`Loading workspace memory: ${root}`);

src/extractors.ts

@@ -248,6 +248,15 @@ async function logExtractionRejection(entry: ExtractionRejectionLogEntry): Promi
   }
 }
 
+function redactSensitiveText(text: string): string {
+  return text
+    .replace(/bearer\s+[a-zA-Z0-9._-]+/gi, "bearer [REDACTED]")
+    .replace(/token[=:]\s*[a-zA-Z0-9._-]+/gi, "token=[REDACTED]")
+    .replace(/password[=:]\s*[a-zA-Z0-9._-]+/gi, "password=[REDACTED]")
+    .replace(/secret[=:]\s*[a-zA-Z0-9._-]+/gi, "secret=[REDACTED]")
+    .replace(/api[-_]?key[=:]\s*[a-zA-Z0-9._-]+/gi, "api_key=[REDACTED]");
+}
+
 function shouldAcceptWorkspaceMemoryCandidate(
   entry: {
     type: LongTermType;
@@ -278,7 +287,7 @@ function shouldAcceptWorkspaceMemoryCandidate(
     void logExtractionRejection({
       timestamp: new Date().toISOString(),
       type: entry.type,
-      text,
+      text: redactSensitiveText(text),
       reasons: quality.reasons,
       source: "compaction",
     });

src/workspace-memory.ts

@@ -208,14 +208,23 @@ export async function normalizeWorkspaceMemoryWithAccounting(
   // One-time migrations for legacy/low-quality snapshot violations.
   // Run quality cleanup first so hard violations receive quality audit tags
   // before the older P0 project-only cleanup marks progress snapshots.
+  const beforeQualityCleanup = result;
   const qualityCleanup = runMigrationQualityCleanup(result, nowIso);
   result = qualityCleanup.store;
+  let skipRemainingMigrations = false;
   if (qualityCleanup.events.length > 0) {
-    await appendQualityCleanupMigrationLog(qualityCleanup.events).catch(error => {
+    try {
+      await appendQualityCleanupMigrationLog(qualityCleanup.events);
+    } catch (error) {
       console.error("[memory] failed to write quality cleanup migration log:", error);
-    });
+      console.error("[memory] aborting migration to maintain audit trail integrity");
+      result = beforeQualityCleanup;
+      skipRemainingMigrations = true;
+    }
+  }
+  if (!skipRemainingMigrations) {
+    result = runMigrationP0Cleanup(result, nowIso);
   }
-  result = runMigrationP0Cleanup(result, nowIso);
 
   // P0 accounting only considers active entries. Entries that were already
   // superseded before this normalization are preserved in storage; entries that

tests/extractors.test.ts

@@ -324,6 +324,35 @@ Memory candidates:
   }
 });
 
+test("parseWorkspaceMemoryCandidates redacts secrets in extraction rejection log", async () => {
+  const dataHome = await mkdtemp(join(tmpdir(), "wm-extraction-redact-data-"));
+  const previousXdgDataHome = process.env.XDG_DATA_HOME;
+  process.env.XDG_DATA_HOME = dataHome;
+
+  try {
+    const summary = `
+Memory candidates:
+- reference TypeError: bearer sk_test token=tok123 password=pass123 secret=sec123 api_key=key123
+`;
+
+    const items = parseWorkspaceMemoryCandidates(summary);
+
+    assert.equal(items.length, 0);
+    const logPath = join(dataHome, "opencode-working-memory", "extraction-rejections.jsonl");
+    const lines = (await waitForFile(logPath)).trim().split("\n");
+    assert.equal(lines.length, 1);
+    const event = JSON.parse(lines[0]);
+    assert.equal(
+      event.text,
+      "TypeError: bearer [REDACTED] token=[REDACTED] password=[REDACTED] secret=[REDACTED] api_key=[REDACTED]",
+    );
+  } finally {
+    if (previousXdgDataHome === undefined) delete process.env.XDG_DATA_HOME;
+    else process.env.XDG_DATA_HOME = previousXdgDataHome;
+    await rm(dataHome, { recursive: true, force: true });
+  }
+});
+
 test("parseWorkspaceMemoryCandidates rejects exact file count snapshots", () => {
   const summary = `
 Memory candidates: