fix: CLI/API parity, path validation, scrub residues

- Sync CLI client (_api.py) with live API shapes: search uses
  limit/category, diff uses days/paths, triggers hit /triggers
- Route blame/timeline/rollback/push through HTTP instead of
  bypassing to git_tools directly
- Add _resolve_memory_path() guard to git_tools.py — rejects
  null bytes and path traversal on blame, timeline, rollback
- Validate absolute paths in migrate/openclaw endpoint
- Scrub 5060 VRAM from session_end.py example
- Scrub governor/gradient agent names from PRD.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Paul Kyle

PRD.md

@@ -54,7 +54,7 @@ All of these store things. None of them *remember*.
 
 **Secondary:** The human (Paul) who browses, edits, and reviews memory files directly; receives daily digests and weekly reviews.
 
-**Tertiary:** Other agents (governor, gradient, emission) that read from shared memory.
+**Tertiary:** Other AI agents that read from shared memory (multi-agent setups).
 
 ---
 
@@ -694,7 +694,7 @@ Prompts are not disposable. They're the most durable artifact in the system —
 | **1: Core Memory** | Two-phase injection + core memory files + retire MEMORY.md | Week 2 |
 | **2: Consolidation** | Weekly cron + entity linking + insights extraction | Weeks 3-4 |
 | **3: Migration** | Backfill from Mem0 (2,632) + QC MCP (14K) selectively | Week 4+ |
-| **4: Multi-Agent + MCP** | Orchestrator/gradient/emission read access + MCP server for external tools | Future |
+| **4: Multi-Agent + MCP** | Multi-agent read access + MCP server for external tools | Future |
 
 ---
 
@@ -715,6 +715,6 @@ Prompts are not disposable. They're the most durable artifact in the system —
 
 **After 3 months:**
 
-- [ ] Multiple agents share Palinode (read access for governor/gradient)
+- [ ] Multiple agents share Palinode (read access for all agent profiles)
 - [ ] Palinode has survived at least one infrastructure failure without data loss
 - [ ] Paul trusts the system enough to stop manually curating MEMORY.md

palinode/api/server.py

@@ -1010,18 +1010,19 @@ def migrate_openclaw_api(req: MigrateOpenClawRequest) -> dict:
     if "\x00" in path:
         raise HTTPException(status_code=400, detail="Null bytes are not allowed in path")
 
-    # Resolve relative paths against memory_dir; reject absolute paths that
-    # point outside it (absolute paths that are already safe are accepted).
-    if not os.path.isabs(path):
-        base = _memory_base_dir()
+    # Resolve against memory_dir; reject paths that escape it.
+    base = _memory_base_dir()
+    if os.path.isabs(path):
+        resolved_path = os.path.realpath(path)
+    else:
         resolved_path = os.path.realpath(os.path.join(base, path))
-        try:
-            within = os.path.commonpath([base, resolved_path]) == base
-        except ValueError:
-            within = False
-        if not within:
-            raise HTTPException(status_code=403, detail="Path traversal rejected")
-        path = resolved_path
+    try:
+        within = os.path.commonpath([base, resolved_path]) == base
+    except ValueError:
+        within = False
+    if not within:
+        raise HTTPException(status_code=403, detail="Path traversal rejected")
+    path = resolved_path
 
     if not os.path.isfile(path):
         raise HTTPException(status_code=404, detail=f"File not found: {path}")

palinode/cli/_api.py

@@ -10,11 +10,11 @@ def __init__(self):
         )
         self.client = httpx.Client(base_url=self.base_url, timeout=30.0)
 
-    def search(self, query: str, top_k: int = 3, type_filter: str = None):
-        payload = {"query": query, "top_k": top_k}
-        if type_filter:
-            payload["type"] = type_filter
-        
+    def search(self, query: str, limit: int = 3, category: str = None):
+        payload: dict = {"query": query, "limit": limit}
+        if category:
+            payload["category"] = category
+
         response = self.client.post("/search", json=payload)
         response.raise_for_status()
         return response.json()
@@ -37,13 +37,11 @@ def get_status(self):
         response.raise_for_status()
         return response.json()
 
-    def get_diff(self, file_path: str = None, commits: int = None):
-        params = {}
-        if file_path:
-            params["file"] = file_path
-        if commits:
-            params["commits"] = commits
-            
+    def get_diff(self, days: int = 7, paths: str = None):
+        params: dict = {"days": days}
+        if paths:
+            params["paths"] = paths
+
         response = self.client.get("/diff", params=params)
         response.raise_for_status()
         return response.json()
@@ -53,23 +51,23 @@ def consolidate(self, dry_run: bool = False, nightly: bool = False):
         response.raise_for_status()
         return response.json()
 
-    def trigger_add(self, description: str, file_path: str, threshold: float = 0.4):
-        payload = {
+    def trigger_add(self, description: str, memory_file: str, threshold: float = 0.75):
+        payload: dict = {
             "description": description,
-            "file": file_path,
-            "threshold": threshold
+            "memory_file": memory_file,
+            "threshold": threshold,
         }
-        response = self.client.post("/trigger/add", json=payload)
+        response = self.client.post("/triggers", json=payload)
         response.raise_for_status()
         return response.json()
 
     def trigger_list(self):
-        response = self.client.get("/trigger/list")
+        response = self.client.get("/triggers")
         response.raise_for_status()
         return response.json()
 
     def trigger_remove(self, trigger_id: str):
-        response = self.client.delete(f"/trigger/remove/{trigger_id}")
+        response = self.client.delete(f"/triggers/{trigger_id}")
         response.raise_for_status()
         return response.json()
 
@@ -121,22 +119,30 @@ def migrate_mem0(self):
         return response.json()
 
     def blame(self, file_path: str, search: str = None):
-        # We need git_tools for these if they are not exposed by API yet
-        # But for now, let's assume they are or we handle them
-        from palinode.core import git_tools
-        return git_tools.blame(file_path, search)
+        params: dict = {}
+        if search:
+            params["search"] = search
+        response = self.client.get(f"/blame/{file_path}", params=params, timeout=10.0)
+        response.raise_for_status()
+        return response.json()
 
     def timeline(self, file_path: str, limit: int = 20):
-        from palinode.core import git_tools
-        return git_tools.timeline(file_path, limit)
+        response = self.client.get(f"/timeline/{file_path}", params={"limit": limit}, timeout=10.0)
+        response.raise_for_status()
+        return response.json()
 
-    def rollback(self, file_path: str, commit: str, dry_run: bool = True):
-        from palinode.core import git_tools
-        return git_tools.rollback(file_path, commit, dry_run=dry_run)
+    def rollback(self, file_path: str, commit: str = None, dry_run: bool = True):
+        params: dict = {"file_path": file_path, "dry_run": dry_run}
+        if commit:
+            params["commit"] = commit
+        response = self.client.post("/rollback", params=params, timeout=30.0)
+        response.raise_for_status()
+        return response.json()
 
     def push(self):
-        from palinode.core import git_tools
-        return git_tools.push()
+        response = self.client.post("/push", timeout=60.0)
+        response.raise_for_status()
+        return response.json()
 
     def health_check(self):
         try:

palinode/cli/diff.py

@@ -3,13 +3,13 @@
 from palinode.cli._format import console, print_result, get_default_format, OutputFormat
 
 @click.command()
-@click.argument("file", required=False)
-@click.option("--commits", type=int, help="Number of recent commits to show")
+@click.option("--days", type=int, default=7, help="Look back N days (default: 7)")
+@click.option("--paths", type=str, default=None, help="Comma-separated path filters (e.g. projects/,decisions/)")
 @click.option("--format", "fmt", type=click.Choice(["json", "text"]), help="Output format")
-def diff(file, commits, fmt):
+def diff(days, paths, fmt):
     """Show recent changes to memory files."""
     try:
-        data = api_client.get_diff(file_path=file, commits=commits)
+        data = api_client.get_diff(days=days, paths=paths)
 
         output_fmt = OutputFormat(fmt) if fmt else get_default_format()
 

palinode/cli/search.py

@@ -5,14 +5,14 @@
 
 @click.command()
 @click.argument("query")
-@click.option("--top-k", default=3, help="Number of results (default: 3)")
-@click.option("--type", "type_filter", help="Filter by memory type")
+@click.option("--limit", default=3, help="Number of results (default: 3)")
+@click.option("--category", help="Filter by memory type/category")
 @click.option("--format", "fmt", type=click.Choice(["json", "text"]), help="Output format")
 @click.option("--score/--no-score", default=False, help="Show relevance scores")
-def search(query, top_k, type_filter, fmt, score):
+def search(query, limit, category, fmt, score):
     """Search memory by meaning or keyword."""
     try:
-        results = api_client.search(query, top_k=top_k, type_filter=type_filter)
+        results = api_client.search(query, limit=limit, category=category)
 
         output_fmt = OutputFormat(fmt) if fmt else get_default_format()
 

palinode/cli/session_end.py

@@ -22,7 +22,7 @@ def session_end(summary, decision, blocker, project, source, fmt):
 
         palinode session-end "Implemented CLI wrapper with 22 commands"
 
-        palinode session-end "Fixed 5060 VRAM budget" -d "Use qwen2.5:14b" -b "Test under load" -p palinode
+        palinode session-end "Fixed embedding timeout" -d "Increase batch size" -b "Test under load" -p palinode
     """
     now = datetime.now(timezone.utc)
     today = now.strftime("%Y-%m-%d")

palinode/cli/trigger.py

@@ -10,13 +10,13 @@ def trigger():
 
 @trigger.command(name="add")
 @click.argument("description")
-@click.option("--file", "file_path", required=True, help="Memory file to trigger")
-@click.option("--threshold", type=float, default=0.4, help="Similarity threshold (0.0 to 1.0)")
+@click.option("--file", "memory_file", required=True, help="Memory file to trigger")
+@click.option("--threshold", type=float, default=0.75, help="Similarity threshold (0.0 to 1.0)")
 @click.option("--format", "fmt", type=click.Choice(["json", "text"]), help="Output format")
-def trigger_add(description, file_path, threshold, fmt):
+def trigger_add(description, memory_file, threshold, fmt):
     """Register a new auto-surface trigger."""
     try:
-        result = api_client.trigger_add(description, file_path, threshold)
+        result = api_client.trigger_add(description, memory_file, threshold)
 
         output_fmt = OutputFormat(fmt) if fmt else get_default_format()
         if output_fmt == OutputFormat.JSON:

palinode/core/git_tools.py

@@ -20,6 +20,21 @@
 logger = logging.getLogger("palinode.git_tools")
 
 
+def _resolve_memory_path(file_path: str) -> str:
+    """Resolve a relative file_path against memory_dir and reject traversal.
+
+    Returns the validated relative path. Raises ValueError if the resolved
+    path escapes memory_dir.
+    """
+    if "\x00" in file_path:
+        raise ValueError("Null bytes are not allowed in file paths")
+    base = os.path.realpath(config.memory_dir)
+    resolved = os.path.realpath(os.path.join(base, file_path))
+    if not resolved.startswith(base + os.sep) and resolved != base:
+        raise ValueError(f"Path traversal rejected: {file_path}")
+    return file_path
+
+
 def _utc_now() -> datetime:
     """Return a timezone-aware UTC timestamp."""
     return datetime.now(UTC)
@@ -116,6 +131,7 @@ def blame(file_path: str, search: str | None = None) -> str:
     Returns:
         Formatted blame output with both git dates and origin provenance.
     """
+    file_path = _resolve_memory_path(file_path)
     full_path = os.path.join(config.memory_dir, file_path)
     if not os.path.exists(full_path):
         return f"File not found: {file_path}"
@@ -189,6 +205,7 @@ def timeline(file_path: str, limit: int = 20) -> str:
     Returns:
         Formatted timeline with dates, messages, and change summaries.
     """
+    file_path = _resolve_memory_path(file_path)
     if not os.path.exists(os.path.join(config.memory_dir, file_path)):
         return f"File not found: {file_path}"
 
@@ -231,6 +248,7 @@ def rollback(file_path: str, commit: str | None = None, dry_run: bool = False) -
     Returns:
         Description of what was (or would be) rolled back.
     """
+    file_path = _resolve_memory_path(file_path)
     if not os.path.exists(os.path.join(config.memory_dir, file_path)):
         return f"File not found: {file_path}"