release: v0.8.12

Targeted hot-path patch tail to 0.8.10. Bundles 0.8.11 + 0.8.12 since
0.8.11 was internally tagged but never publicly released.

Headline fix: auto_summary moved off the /save synchronous path
(#403). Inline LLM generation in the save handler was blocking the
response for the model's full first-token cost — surfaced to REST
consumers as "write timeouts" while writes were silently succeeding
server-side. The watcher already debounces /generate-summaries for
files matching the auto-summary criteria; the fix is small (drop the
inline call, surface summary_pending=true in the /save response so
callers can distinguish "not yet generated" from "not eligible"). The
description_pending pattern from #336 is the precedent.

Observability for monitor agents: new /health/auto-summary endpoint
(auth-exempt, ok/degraded/down with reason) and an auto_summary block
in /status surfacing last_run_at, count, errors, duration, and
totals.

Also in this release:

- /search-associative now per-result snippet-enriches its response
  (#392). The associative endpoint was overlooked when snippet
  enrichment landed for /search; a single hit on a multi-fact
  aggregated file could return tens of KB un-truncated, defeating
  the budget guarantee the rest of the search surface honors.

- openclaw-palinode plugin: recallProfile config field with five
  named presets (#394). autoRecall was previously a binary switch
  with hardcoded source injection; the new presets compose source
  enablement, per-source caps, type allow/deny, and a total-budget
  hard cap. coding (default) preserves existing behavior. monitoring,
  investigation, writing, conversation, minimal, and off cover the
  practical range. recallProfileConfig shallow-overrides individual
  fields without forking a preset.

- 0.8.11 hardening (now reaching public): cross-surface session-end
  timeout normalized to 90s (#377), /wrap pushes before archiving
  (#353), embedder logging surfaces all Ollama failure paths (#383),
  silent-failure-returns-success criticals cluster fixed (#384-#387),
  Ollama context-window hardening (#335), graceful-degrade auto-
  description (#336), FTS5 sync diagnostic check (#316), server.json
  version-alignment regression guard (#313), scrub-layer unification
  (#341).

Full changelog: docs/CHANGELOG.md

Author: Paul Kyle

.github/workflows/ci.yml

@@ -1,27 +1,31 @@
+# CI pipeline for Palinode — runs on every push and pull_request to any branch.
+#
+# Jobs:
+#   1. unit-tests          — fast feedback on core logic (no external services)
+#   2. integration         — tests/integration/ (may need Ollama; continue-on-error)
+#   3. mcp-tool-coverage   — release-blocking MCP tool gate (#346)
+#   4. security-scan       — bandit (code) + pip-audit (dependencies)
+
 name: CI
 
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
 
-permissions:
-  contents: read
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.ref || github.run_id }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-
 on:
   push:
   pull_request:
 
 jobs:
+  # ---------------------------------------------------------------------------
+  # Unit tests — should never need network access or Ollama.
+  # All embeddings / LLM calls are mocked in the test suite.
+  # ---------------------------------------------------------------------------
   unit-tests:
     runs-on: ubuntu-latest
-    timeout-minutes: 15
 
     strategy:
       matrix:
-        python-version: ["3.11", "3.12", "3.13"]
+        python-version: ["3.11", "3.12"]
 
     steps:
       - uses: actions/checkout@v4
@@ -37,7 +41,9 @@ jobs:
           python -m pip install --upgrade pip
           pip install -e ".[dev]"
 
-      - name: Assert package resolves to the checked-out tree
+      - name: Assert palinode resolves to the checked-out tree
+        # Regression guard for editable installs: palinode.__file__ must
+        # resolve under GITHUB_WORKSPACE, not some other site-packages path.
         run: |
           RESOLVED=$(python -c "import palinode; print(palinode.__file__)")
           echo "palinode.__file__ = $RESOLVED"
@@ -47,15 +53,22 @@ jobs:
             exit 1
           fi
 
-      - name: Smoke console entry points
-        run: python -m pytest tests/test_console_entry_points.py -q
-
-      - name: Run unit tests
+      - name: Run unit tests (excluding integration)
         run: python -m pytest tests/ -x -q --ignore=tests/integration --ignore=tests/live
 
+  # ---------------------------------------------------------------------------
+  # Integration tests — run against tests/integration/.
+  #
+  # These tests do not require Ollama directly (embeddings are stubbed), but
+  # they do spin up FastAPI in-process and exercise the full save/search loop
+  # against a real SQLite database in a temp directory.
+  #
+  # continue-on-error: true — any test tagged @pytest.mark.slow that needs
+  # a live Ollama instance will fail here; that is expected in CI.
+  # Run the full suite locally against a host with Ollama for full coverage.
+  # ---------------------------------------------------------------------------
   integration-tests:
     runs-on: ubuntu-latest
-    timeout-minutes: 20
 
     env:
       PALINODE_DIR: /tmp/palinode-ci-test
@@ -75,12 +88,50 @@ jobs:
           pip install -e ".[dev]"
 
       - name: Run integration tests
+        # Integration tests that need Ollama will be skipped in CI;
+        # run locally against a host with Ollama for full Ollama-backed coverage.
         run: python -m pytest tests/integration/ -x -q
         continue-on-error: true
 
+  # ---------------------------------------------------------------------------
+  # MCP tool coverage — release-blocking gate (#346, parent #342).
+  #
+  # Runs the in-process (Phase 1) and stdio (Phase 2) MCP tool-coverage
+  # tests WITHOUT continue-on-error.  A failure here blocks the PR.
+  # The drift guard in test_mcp_e2e.py ensures new tools cannot ship
+  # without smoke-args coverage.
+  # ---------------------------------------------------------------------------
+  mcp-tool-coverage:
+    runs-on: ubuntu-latest
+
+    env:
+      PALINODE_DIR: /tmp/palinode-ci-mcp
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: "pip"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+
+      - name: Run MCP tool-coverage tests
+        run: python -m pytest tests/integration/test_mcp_e2e.py tests/integration/test_mcp_stdio.py -v
+
+  # ---------------------------------------------------------------------------
+  # Security scans — informational (continue-on-error: true on pip-audit).
+  #
+  # bandit:    static analysis for common Python security issues
+  # pip-audit: checks installed packages against known vulnerability databases
+  # ---------------------------------------------------------------------------
   security-scan:
     runs-on: ubuntu-latest
-    timeout-minutes: 20
 
     steps:
       - uses: actions/checkout@v4
@@ -97,9 +148,11 @@ jobs:
           pip install -e ".[dev]"
           pip install bandit pip-audit
 
-      - name: Run bandit
+      - name: Run bandit (static security analysis)
+        # -r: recursive, -ll: medium+ severity, -q: quiet output
         run: bandit -r palinode/ -ll -q
 
-      - name: Run pip-audit
+      - name: Run pip-audit (dependency vulnerability check)
+        # continue-on-error: known-vulnerability lists drift; treat as informational
         run: pip-audit
         continue-on-error: true

.github/workflows/main-ci.yml

@@ -0,0 +1,157 @@
+# Rationale: post-merge sweep for main.
+# Option A (require branch-up-to-date before merge) is enforced
+# in GitHub repo settings → Branches → main branch protection.
+# This file is the backstop if that check is bypassed (admin merge, etc.).
+#
+# Triggered only on push to main (not on PRs — those are covered by ci.yml).
+# On any failure, opens a GitHub issue to flag the regression.
+
+name: Main CI (post-merge sweep)
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  # ---------------------------------------------------------------------------
+  # Unit tests — mirrors ci.yml; catches interaction bugs that slip through
+  # independent-PR CI (the failure mode documented in #198).
+  # ---------------------------------------------------------------------------
+  unit-tests:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        python-version: ["3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: "pip"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+
+      - name: Assert palinode resolves to the checked-out tree
+        run: |
+          RESOLVED=$(python -c "import palinode; print(palinode.__file__)")
+          echo "palinode.__file__ = $RESOLVED"
+          if [[ "$RESOLVED" != "$GITHUB_WORKSPACE"/* ]]; then
+            echo "ERROR: palinode resolves outside the workspace ($GITHUB_WORKSPACE)"
+            echo "       Got: $RESOLVED"
+            exit 1
+          fi
+
+      - name: Run unit tests (excluding integration)
+        run: python -m pytest tests/ -x -q --ignore=tests/integration --ignore=tests/live
+
+  # ---------------------------------------------------------------------------
+  # Integration tests — informational backstop on main.
+  # continue-on-error: true because Ollama is not available in CI runners.
+  # ---------------------------------------------------------------------------
+  integration-tests:
+    runs-on: ubuntu-latest
+
+    env:
+      PALINODE_DIR: /tmp/palinode-ci-test
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: "pip"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+
+      - name: Run integration tests
+        run: python -m pytest tests/integration/ -x -q
+        continue-on-error: true
+
+  # ---------------------------------------------------------------------------
+  # MCP tool coverage — mirrors ci.yml; release-blocking on main (#346).
+  # ---------------------------------------------------------------------------
+  mcp-tool-coverage:
+    runs-on: ubuntu-latest
+
+    env:
+      PALINODE_DIR: /tmp/palinode-ci-mcp
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: "pip"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+
+      - name: Run MCP tool-coverage tests
+        run: python -m pytest tests/integration/test_mcp_e2e.py tests/integration/test_mcp_stdio.py -v
+
+  # ---------------------------------------------------------------------------
+  # Security scan — same as ci.yml.
+  # ---------------------------------------------------------------------------
+  security-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: "pip"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+          pip install bandit pip-audit
+
+      - name: Run bandit (static security analysis)
+        run: bandit -r palinode/ -ll -q
+
+      - name: Run pip-audit (dependency vulnerability check)
+        run: pip-audit
+        continue-on-error: true
+
+  # ---------------------------------------------------------------------------
+  # Regression reporter — fires only when a job above fails.
+  # Opens a GitHub issue so the regression is visible outside the Actions UI.
+  # ---------------------------------------------------------------------------
+  report-regression:
+    runs-on: ubuntu-latest
+    needs: [unit-tests, integration-tests, mcp-tool-coverage, security-scan]
+    if: failure()
+
+    steps:
+      - name: Report regression
+        if: failure()
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh issue create \
+            --title "CI regression on main: ${{ github.sha }}" \
+            --body "Commit ${{ github.sha }} broke CI on main. Run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
+            --label "bug"