trusty-memory 0.15.5

MCP server (stdio + HTTP/SSE) for trusty-memory
Documentation
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
//! CLI entry point for the `trusty-memory` binary.
//!
//! Why: ship a thin clap-to-handler shim so users can `cargo install
//! trusty-memory` and invoke `trusty-memory serve --stdio` (the direct
//! MCP stdio server, PR1 #919 of the #914 stdio-cutover epic), `trusty-memory
//! serve` (the HTTP/SSE daemon), or `trusty-memory migrate kuzu-memory`
//! (which rewrites Claude settings files that still reference the legacy
//! kuzu-memory MCP server). All real logic lives in the library and the
//! `commands::` modules — this file does CLI parsing and dispatch only.
//! The former `trusty-memory-mcp-bridge` binary and UDS transport were
//! removed in PR3 of the #914 epic; `serve --stdio` is the canonical
//! stdio integration.
//! What: defines a `clap::Parser` with `serve`, `migrate`, and other
//! subcommands. `serve --stdio` defers to `commands::serve_stdio_bridge`;
//! `serve` (HTTP) defers to `trusty_memory::run_http` / `run_http_dynamic`.
//! Test: `cargo run -p trusty-memory -- --help` lists all subcommands.
//! `cargo run -p trusty-memory -- migrate kuzu-memory --dry-run` exercises
//! the migrate path end-to-end without modifying any files.

use anyhow::Result;
use clap::{Parser, Subcommand};
use std::net::SocketAddr;
use trusty_memory::commands::inbox_check::handle_inbox_check;
use trusty_memory::commands::link::handle_link;
use trusty_memory::commands::migrate::{handle_migrate, MigrateTarget};
use trusty_memory::commands::note::handle_note;
use trusty_memory::commands::prompt_context::handle_prompt_context;
use trusty_memory::commands::send_message::handle_send_message;
use trusty_memory::commands::service::{handle_service, ServiceAction};
use trusty_memory::commands::setup::handle_setup;
use trusty_memory::commands::start::handle_start;
use trusty_memory::commands::stop::handle_stop;
use trusty_memory::commands::upgrade::handle_upgrade;
use trusty_memory::{
    foreground::run_http_foreground, resolve_palace_registry_dir, run_http, run_http_dynamic,
    AppState,
};

/// Top-level CLI for `trusty-memory`.
#[derive(Debug, Parser)]
#[command(
    name = "trusty-memory",
    version,
    about = "Memory palace MCP server + migration utility",
    long_about = "MCP server (stdio + HTTP/SSE) for trusty-memory, plus a \
                  `migrate kuzu-memory` subcommand that rewrites Claude \
                  settings files referencing the legacy kuzu-memory server."
)]
struct Cli {
    /// Increase tracing verbosity (`-v` = debug, `-vv` = trace).
    #[arg(short, long, action = clap::ArgAction::Count, global = true)]
    verbose: u8,

    #[command(subcommand)]
    command: Command,
}

/// Top-level subcommands.
///
/// Why: keep the surface small and mirror the `trusty-search` pattern so
/// users moving between the two tools have a consistent experience.
/// What: `serve` runs the MCP server; `migrate` rewrites Claude settings.
/// Test: clap's `--help` output enumerates both.
#[derive(Debug, Subcommand)]
enum Command {
    /// Start the HTTP daemon in the background and return control to the shell.
    ///
    /// Why: matches `trusty-search start` so the trusty-* daemons share a
    /// `start` / `serve` / `stop` surface. The detached child runs
    /// `serve --foreground` so it does not respawn recursively.
    Start,

    /// Stop every running trusty-memory daemon process.
    ///
    /// Why: with `start` now self-spawning a detached daemon, operators need a
    /// way to take it down that does not depend on launchd / systemd.
    Stop,

    /// Run the daemon.  Mode matrix (#914 PR4):
    ///   serve                  → HTTP daemon (default, dynamic port, background)
    ///   serve --http[=ADDR]    → explicit HTTP; optional bind address
    ///   serve --foreground     → HTTP in foreground (launchd / systemd)
    ///   serve --stdio          → direct stdio JSON-RPC MCP server (Claude Code)
    ///
    /// Default mode is HTTP/SSE with dynamic port selection (7070..=7079, OS
    /// fallback). Without `--foreground`, `serve` self-spawns a detached
    /// background daemon (alias for `start`) and returns immediately so the
    /// parent shell gets its prompt back. Pass `--foreground` to keep the
    /// daemon in the foreground (used internally by `start` to host the
    /// actual HTTP server, and by launchd / systemd). Pass `--http <ADDR>`
    /// to bind a specific address.
    ///
    /// Claude Code integration (recommended): use `serve --stdio` for a
    /// direct stdio JSON-RPC MCP server (PR1 #919, #914).  This mode binds
    /// no HTTP port; stdout is the JSON-RPC channel.  Palaces are opened
    /// read-only via the snapshot fallback when a write lock is held by
    /// another process.  Every request resolves within a deadline — success
    /// or an explicit JSON-RPC error — so the MCP client never hangs.
    Serve {
        /// Select HTTP mode explicitly with an optional bind address.
        ///
        /// `--http` (bare): dynamic port (same as bare `serve`).
        /// `--http 127.0.0.1:7070`: bind that exact address.
        /// Absent: default HTTP mode — bare `serve` behaviour unchanged.
        #[arg(
            long,
            value_name = "ADDR",
            num_args = 0..=1,
            require_equals = false,
            conflicts_with = "stdio"
        )]
        http: Option<Option<SocketAddr>>,

        /// Run the HTTP daemon in the foreground (do not self-spawn).
        ///
        /// Why: `serve` defaults to background mode so the trusty-* daemons
        /// share a `start` / `serve` UX. Long-running supervisors (launchd,
        /// systemd, Docker) need a foreground process to manage, so they
        /// pass `--foreground` to opt out of the spawn.
        #[arg(long, conflicts_with = "stdio")]
        foreground: bool,

        /// Run a direct stdio JSON-RPC MCP server (issue #914).
        ///
        /// Why: reinstates `serve --stdio` as a safe, deadlock-free code
        /// path.  When set, no axum HTTP server and no UDS listener are
        /// bound — stdout is the exclusive JSON-RPC channel.  All
        /// non-protocol output (update checks, banners) is suppressed.
        /// Every request resolves within a deadline so the MCP client
        /// never hangs.
        #[arg(long)]
        stdio: bool,

        /// Bind every MCP tool call to this palace when the caller omits the
        /// `palace` argument.
        #[arg(long, value_name = "NAME")]
        palace: Option<String>,
    },

    /// Migrate from another memory MCP server to trusty-memory.
    ///
    /// For `kuzu-memory`: rewrites Claude `mcpServers` config entries.
    /// For `kuzu-data`: imports entity/relation data from a kuzu-memory
    /// `store.redb` file into a trusty-memory palace (requires `--from`
    /// and `--palace`).
    Migrate {
        /// What to migrate from.
        #[arg(value_enum)]
        target: MigrateTarget,

        /// Print what would change without writing any files.
        #[arg(long)]
        dry_run: bool,

        /// Accepted for parity with `trusty-search migrate`. Today the
        /// migration only has a config phase, so this flag is a no-op.
        #[arg(long)]
        config_only: bool,

        /// Path to the kuzu-memory `store.redb` file (required for
        /// `kuzu-data`).
        #[arg(long, value_name = "PATH")]
        from: Option<std::path::PathBuf>,

        /// Target palace name to import into (required for `kuzu-data`).
        /// The palace is created if it does not already exist.
        #[arg(long, value_name = "NAME")]
        palace: Option<String>,

        /// Maximum number of entities to import (default: import all).
        #[arg(long, value_name = "N")]
        limit: Option<usize>,
    },

    /// First-time setup: data dir + launchd (macOS) + Claude settings patch.
    Setup,

    /// Print the daemon's prompt-context block to stdout (Claude Code hook).
    ///
    /// Why: installed as a Claude Code `UserPromptSubmit` hook by
    /// `trusty-memory setup`. Claude Code injects whatever the hook writes to
    /// stdout as additional context for the next prompt, so this command
    /// fetches the daemon's pre-formatted prompt-context block and prints it
    /// verbatim. Every failure path exits 0 silently so the hook can never
    /// block a Claude Code prompt; the `CLAUDE_MPM_SUB_AGENT` env var also
    /// short-circuits this command to keep nested MPM agents from piling on
    /// duplicate prompt-context blocks.
    /// What: see `commands::prompt_context::handle_prompt_context`.
    /// Test: covered by the unit test in that module plus the integration
    /// path `cargo run -p trusty-memory -- prompt-context` against a live
    /// daemon.
    #[command(name = "prompt-context")]
    PromptContext,

    /// Diagnose daemon health: fastembed cache, launchd plist, HTTP /health,
    /// and stale palace locks. With `--fix-palaces`, audit existing palaces
    /// for project-mapping compliance (issue #88).
    ///
    /// Why: GH #62 / #88 — silent failures (missing `FASTEMBED_CACHE_PATH` in
    /// the plist, missing model cache, daemon not bound) currently force users
    /// to grep through several directories by hand. `doctor` runs the
    /// equivalent checks in one shot. `--fix-palaces` layers in the palace =
    /// project audit so users can see which palaces are orphaned (no matching
    /// project directory on disk).
    /// What: a one-shot CLI command that prints a ✅/❌ line per check and
    /// exits non-zero on any failure. See `commands::doctor`.
    /// Test: `cargo run -p trusty-memory -- doctor` after `setup`.
    ///       `cargo run -p trusty-memory -- doctor --fix-palaces` for the
    ///       palace audit (read-only by default; add `--fix` to suggest renames).
    Doctor {
        /// Audit existing palaces and report orphaned ones (palaces whose name
        /// does not match any detectable project directory on disk).
        ///
        /// Why: issue #88 — users accumulate palaces across many projects;
        /// `--fix-palaces` surfaces which names are orphaned so they can be
        /// cleaned up manually or via `--fix`.
        #[arg(long)]
        fix_palaces: bool,

        /// Print rename suggestions for orphaned palaces (dry-run by default).
        ///
        /// Why: issue #88 conservative default — users may have data in
        /// orphaned palaces; we never auto-rename without confirmation. `--fix`
        /// prints the "would rename X → Y" suggestions that can then be
        /// executed manually.
        #[arg(long, requires = "fix_palaces")]
        fix: bool,
    },

    /// Manage the macOS launchd LaunchAgent for the daemon.
    Service {
        #[command(subcommand)]
        action: ServiceAction,
    },

    /// Monitor the trusty-memory daemon via web UI or terminal dashboard.
    ///
    /// `monitor web` prints the daemon's admin-panel URL; `monitor tui`
    /// launches the trusty-memory-specific ratatui dashboard: a palace list,
    /// a live dream/recall activity log, and a recall query bar.
    #[command(subcommand_required = true)]
    Monitor {
        #[command(subcommand)]
        target: MonitorTarget,
    },

    /// Send an inter-project message to another palace (issue #99).
    ///
    /// Why: replaces the Python `/mpm-message` skill with a trusty-memory
    /// native primitive. Writes a tagged drawer into the recipient palace;
    /// the recipient's SessionStart hook picks it up via `inbox-check`.
    ///
    /// Example: `trusty-memory send-message --to claude-mpm --purpose task \
    ///           --content "Please refresh the messaging.db schema"`.
    #[command(name = "send-message")]
    SendMessage {
        /// Recipient palace id (repo slug). Required.
        #[arg(long, value_name = "PALACE")]
        to: String,

        /// Free-text purpose / category (e.g. `task`, `notify`, `reply`).
        #[arg(long, value_name = "PURPOSE")]
        purpose: String,

        /// Message body. Plain text; rendered into the recipient session as
        /// a Markdown block.
        #[arg(long, value_name = "TEXT")]
        content: String,

        /// Sender palace id (defaults to the cwd-derived slug).
        #[arg(long, value_name = "PALACE")]
        from: Option<String>,
    },

    /// Pick up unread inter-project messages for the calling project
    /// (issue #99).
    ///
    /// Why: installed as a Claude Code `SessionStart` hook by
    /// `trusty-memory setup`. Reads the receiver palace's unread messages,
    /// prints them as Markdown to stdout (Claude Code injects stdout as
    /// session context), and marks them read via the daemon's HTTP API.
    /// Every failure path degrades to silence so a slow daemon never blocks
    /// session start.
    ///
    /// `--palace` overrides the cwd-derived slug; useful for test rigs and
    /// for projects whose repo basename does not match their preferred
    /// palace name.
    #[command(name = "inbox-check")]
    InboxCheck {
        /// Receiver palace id (defaults to cwd-derived repo slug).
        #[arg(long, value_name = "PALACE")]
        palace: Option<String>,
    },

    /// Fire-and-forget save of a memory note to the running daemon.
    ///
    /// Why: sub-agents spawned via Claude Code's Agent tool do not inherit
    /// any MCP connections, so the `mcp__trusty-memory__memory_remember`
    /// tool is unreachable to them. They can still execute shell commands,
    /// so this subcommand POSTs to `POST /api/v1/remember` and returns
    /// immediately — the daemon dispatches `memory_remember` on a detached
    /// task. Errors degrade to stderr warnings + zero exit because the
    /// agent has already left the room by the time the write completes.
    ///
    /// Example: `trusty-memory note "User prefers tabs" --palace my-project \
    ///           --tag style --tag preferences`.
    Note {
        /// Drawer body. Required.
        #[arg(value_name = "CONTENT")]
        content: String,

        /// Target palace (defaults to the daemon's `--palace` default when
        /// omitted; required when the daemon was started without one).
        #[arg(long, value_name = "NAME")]
        palace: Option<String>,

        /// Tag to attach to the drawer. Repeatable.
        #[arg(long = "tag", value_name = "TAG")]
        tags: Vec<String>,
    },

    /// Re-run auto-KG extraction across every drawer in a palace.
    ///
    /// Why: Issue #97 — `memory_remember` now extracts triples on write,
    /// but existing palaces sit at zero auto-extracted triples until
    /// back-filled. `kg-rebuild` walks every drawer and re-asserts the
    /// heuristic triples so the visual graph view is immediately useful.
    /// What: Loads palaces from disk, processes each palace (or just one
    /// when `--palace` is supplied), and prints a per-palace summary plus
    /// an aggregate total. Failures on individual asserts are logged but
    /// never abort the run.
    /// Test: `commands::kg_rebuild::tests::kg_rebuild_processes_all_drawers`.
    #[command(name = "kg-rebuild")]
    KgRebuild {
        /// Restrict the rebuild to a single palace id. When omitted, every
        /// palace under the data root is processed.
        #[arg(long, value_name = "ID")]
        palace: Option<String>,
    },

    /// Pin this project's palace slug in `.trusty-tools/trusty-memory.yaml`.
    ///
    /// Why: the lazy write in normal memory operations locks in the slug the
    /// first time a memory is saved. `link` lets you do this explicitly
    /// *before* a directory rename or drive reorg, so the slug is already
    /// committed and the palace linkage never breaks.
    ///
    /// The generated file should be committed to version control; it travels
    /// with the repository regardless of where the directory lives on disk.
    ///
    /// Examples:
    ///   trusty-memory link                        # pin CWD's project
    ///   trusty-memory link --path ~/projects/foo  # pin a specific project
    ///   trusty-memory link --slug custom-slug     # override the derived slug
    ///   trusty-memory link --force                # overwrite existing pin
    Link {
        /// Project directory to pin (default: current directory). The
        /// command walks upward from here to find the project root.
        #[arg(long, value_name = "DIR")]
        path: Option<std::path::PathBuf>,

        /// Override the derived palace slug. When omitted the slug is
        /// derived from the project root's directory basename.
        #[arg(long, value_name = "SLUG")]
        slug: Option<String>,

        /// Optional human note to embed in the pin file
        /// (e.g. "pinned before GDrive reorganisation 2026-06").
        #[arg(long, value_name = "TEXT")]
        note: Option<String>,

        /// Overwrite an existing pin file even when the slug differs.
        /// Without this flag, `link` refuses to overwrite an existing pin
        /// with a different slug to prevent accidental data loss.
        #[arg(long)]
        force: bool,
    },

    /// Print the daemon's listening port (or address) to stdout.
    ///
    /// Reads the address the running daemon persisted to its `http_addr`
    /// discovery file. Useful for shell substitution:
    ///   curl http://127.0.0.1:$(trusty-memory port)/api/v1/health
    ///
    /// Exits non-zero (with a message on stderr) when no daemon is running
    /// or the address file is missing, so substitution fails cleanly.
    ///
    /// Examples:
    ///   trusty-memory port               # bare port: 7070
    ///   trusty-memory port --addr        # host:port: 127.0.0.1:7070
    ///   trusty-memory port --json        # {"addr":"127.0.0.1","port":7070}
    Port {
        /// Emit full `host:port` instead of the bare port number.
        #[arg(long, conflicts_with = "json")]
        addr: bool,

        /// Emit a JSON object: `{"addr":"…","port":…}`.
        #[arg(long, conflicts_with = "addr")]
        json: bool,
    },

    /// Check for or install a new version of trusty-memory.
    ///
    /// Why: Gives operators a single command to go from "I wonder if I'm up
    /// to date" through `cargo install` and daemon restart — without having
    /// to remember the exact `cargo install` invocation.
    ///
    /// Without flags: checks crates.io, shows current → available, prompts
    /// for confirmation, then installs + restarts (if newer exists).
    /// With `--check`: report versions only, no install.
    /// With `--yes`: skip the confirmation prompt.
    ///
    /// After a successful install the daemon restarts automatically when
    /// running under launchd (`KeepAlive::OnSuccess`). When not supervised,
    /// a restart hint is printed instead.
    ///
    /// Examples:
    ///   trusty-memory upgrade               # interactive
    ///   trusty-memory upgrade --check       # report only
    ///   trusty-memory upgrade --yes         # non-interactive
    Upgrade {
        /// Report current and available versions without installing anything.
        #[arg(long)]
        check: bool,

        /// Skip the confirmation prompt and install immediately.
        #[arg(short = 'y', long)]
        yes: bool,
    },
}

/// Target surface for the `monitor` subcommand.
///
/// Why: operators want a quick link to the daemon's web UI, the
/// memory-specific terminal UI, OR the same dashboard data as plain text /
/// JSON so scripts and CI can read it without a TUI (issues #33, #34).
/// What: `Web` prints the daemon's `/ui` URL; `Tui` launches the
/// trusty-memory-specific `trusty_common::monitor::memory_tui` dashboard;
/// `Status` and `Palaces` print scriptable health and per-palace stats.
/// Test: `cargo run -p trusty-memory -- monitor --help` lists every variant.
#[derive(Debug, Subcommand)]
enum MonitorTarget {
    /// Open the web dashboard URL in the terminal (or browser).
    Web,
    /// Launch the trusty-memory terminal UI: palaces, recall, and dream monitor.
    Tui,
    /// Print daemon status: version and aggregate palace/drawer/vector counts.
    ///
    /// Examples:
    ///   trusty-memory monitor status
    ///   trusty-memory monitor status --json
    Status {
        /// Emit the status as a JSON object instead of plain text.
        #[arg(long)]
        json: bool,
    },
    /// List every palace, or show one palace's detail when an ID is given.
    ///
    /// Examples:
    ///   trusty-memory monitor palaces
    ///   trusty-memory monitor palaces default
    ///   trusty-memory monitor palaces --json
    Palaces {
        /// Optional palace ID to show detail for (omit to list all).
        id: Option<String>,
        /// Emit the result as JSON instead of a plain-text table.
        #[arg(long)]
        json: bool,
    },
}

/// Bundled declarative help config (issue #216). Loaded once per process.
///
/// Why: every binary in the workspace embeds its `help.yaml` via
/// `include_str!` so the workspace-shared `trusty_common::help::suggest`
/// helper has a config to consult when the user types an unknown subcommand.
/// What: `LazyLock<HelpConfig>` parsed from `help.yaml` at first access.
/// Test: parse coverage lives in `trusty-common`; this site is exercised
/// manually via `trusty-memory dotor`.
static HELP: std::sync::LazyLock<trusty_common::help::HelpConfig> =
    std::sync::LazyLock::new(|| {
        trusty_common::help::load_help(include_str!("../help.yaml"))
            .expect("trusty-memory help.yaml is bundled and valid") // Why: include_str! guarantees presence at compile time; parse is validated in tests
    });

#[tokio::main]
async fn main() -> Result<()> {
    // Why: parse via `try_parse` so we can attach the workspace-shared
    // "did you mean?" suggestion to clap's standard error rendering before
    // exiting (issue #216).
    let argv: Vec<String> = std::env::args().collect();
    let cli = match Cli::try_parse() {
        Ok(cli) => cli,
        Err(e) => {
            e.print().ok();
            if matches!(
                e.kind(),
                clap::error::ErrorKind::InvalidSubcommand | clap::error::ErrorKind::UnknownArgument
            ) {
                trusty_common::help::print_suggestion_hint(&argv, &HELP);
            }
            std::process::exit(e.exit_code());
        }
    };
    // Issue #35: initialise tracing with an in-memory `LogBuffer` so the HTTP
    // daemon's `GET /api/v1/logs/tail` endpoint can serve recent logs. The
    // buffer-backed subscriber still writes the standard `fmt` layer to
    // stderr, so non-HTTP subcommands (and the MCP stdio path, which must
    // keep stdout clean) are unaffected. The buffer is only wired into the
    // `AppState` on the HTTP serve path.
    //
    // Bug-reporting #478 (Phase 1 wire-up): compose the bug-capture layer in
    // the same registry so all three layers are installed in one `try_init`.
    // The `ErrorStore` is forwarded to `run_serve` which stashes it in
    // `AppState` so Phase 2 can expose it via HTTP / MCP tools.
    let (log_buffer, error_store) = trusty_common::init_tracing_with_buffer_and_capture(
        cli.verbose,
        trusty_common::log_buffer::DEFAULT_LOG_CAPACITY,
        "trusty-memory",
        env!("CARGO_PKG_VERSION"),
    );

    // Update check: emitted only for human-facing subcommands. `serve`
    // (foreground or stdio) is the long-running HTTP/MCP daemon — stdout/stderr
    // are owned by the supervisor or the JSON-RPC framing, so we must not print
    // anything there. `start` self-spawns a detached `serve --foreground` child
    // and exits immediately; the very brief window makes the notice useless.
    // `upgrade` does its own fresh check, so we skip the throttled notice to
    // avoid a redundant second check on the same run.
    // The check is throttled to once per 24 h (on-disk cache), so on a
    // typical run this is a sub-millisecond cache-hit with no network I/O.
    let is_daemon_path = matches!(cli.command, Command::Serve { .. } | Command::Start);
    let is_upgrade = matches!(cli.command, Command::Upgrade { .. });
    if !is_daemon_path && !is_upgrade {
        if let Some(info) = trusty_common::update::check_throttled(
            env!("CARGO_PKG_NAME"),
            env!("CARGO_PKG_VERSION"),
        )
        .await
        {
            eprintln!("{}", trusty_common::update::notice(&info));
        }
    }

    match cli.command {
        Command::Start => handle_start().await,
        Command::Stop => handle_stop().await,
        Command::Serve {
            http,
            foreground,
            stdio,
            palace,
        } => {
            if stdio {
                run_serve_stdio(palace).await
            } else {
                // Flatten Option<Option<SocketAddr>> → Option<SocketAddr>.
                // --http (bare) → Some(None) → flatten → None → dynamic port.
                // --http ADDR   → Some(Some(addr)) → flatten → Some(addr).
                // absent        → None → flatten → None → dynamic port.
                run_serve(http.flatten(), foreground, palace, log_buffer, error_store).await
            }
        }
        Command::Migrate {
            target,
            dry_run,
            config_only,
            from,
            palace,
            limit,
        } => handle_migrate(target, dry_run, config_only, from, palace, limit),
        Command::Setup => handle_setup(),
        Command::PromptContext => handle_prompt_context().await,
        Command::Service { action } => handle_service(&action),
        Command::Doctor { fix_palaces, fix } => {
            if fix_palaces {
                trusty_memory::commands::doctor::handle_doctor_fix_palaces(fix).await?;
            }
            trusty_memory::commands::doctor::handle_doctor().await
        }
        Command::Monitor { target } => run_monitor(target).await,
        Command::SendMessage {
            to,
            purpose,
            content,
            from,
        } => handle_send_message(to, purpose, content, from).await,
        Command::InboxCheck { palace } => handle_inbox_check(palace).await,
        Command::Note {
            content,
            palace,
            tags,
        } => handle_note(content, palace, tags).await,
        Command::KgRebuild { palace } => {
            trusty_memory::commands::kg_rebuild::handle_kg_rebuild(palace).await
        }
        Command::Link {
            path,
            slug,
            note,
            force,
        } => handle_link(path, slug, note, force),
        Command::Port { addr, json } => {
            let format = if json {
                trusty_memory::commands::port::PortFormat::Json
            } else if addr {
                trusty_memory::commands::port::PortFormat::Addr
            } else {
                trusty_memory::commands::port::PortFormat::Port
            };
            trusty_memory::commands::port::handle_port(format)
        }
        Command::Upgrade { check, yes } => handle_upgrade(check, yes).await,
    }
}

/// Dispatch the `monitor` subcommand.
///
/// Why: keeps `main` focused on parsing while putting the daemon-address
/// discovery and dashboard launch in one place.
/// What: `Web` delegates to `daemon_guard::open_web_dashboard` which
/// auto-starts the daemon when not running, then opens the browser.
/// `Tui` launches the trusty-memory-specific
/// `trusty_common::monitor::memory_tui` ratatui dashboard; `Status` and
/// `Palaces` print scriptable health and per-palace stats via the
/// `commands::monitor` handlers.
/// Test: not unit-tested (process-level entry point); `cargo run -p
/// trusty-memory -- monitor web` with no daemon auto-starts it then opens
/// the browser.
async fn run_monitor(target: MonitorTarget) -> Result<()> {
    use trusty_memory::commands::monitor;
    match target {
        MonitorTarget::Web => trusty_memory::commands::daemon_guard::open_web_dashboard().await,
        MonitorTarget::Tui => trusty_common::monitor::memory_tui::run().await,
        MonitorTarget::Status { json } => monitor::handle_status(json).await,
        MonitorTarget::Palaces { id, json } => monitor::handle_palaces(id, json).await,
    }
}

/// Dispatch `serve --stdio` to the pure daemon-bridge MCP server (issue #1078).
///
/// Why: the prior direct-store path opened redb in the stdio process, which
/// collided with the HTTP daemon's exclusive write lock.  Reads fell back to
/// a stale snapshot; writes failed with "palace is read-only".  The fix is to
/// make the stdio process a pure proxy: it never touches redb.  Every JSON-RPC
/// request is forwarded to `POST /rpc` on the running HTTP daemon; if the
/// daemon is not running it is auto-started (detached, survives CLI exit).
/// Stdout hygiene: no update-check banner, no HTTP bind announcement, no
/// eprintln! — stdout is the JSON-RPC channel and must carry only protocol
/// bytes.
/// What: delegates to `commands::serve_stdio_bridge::run_stdio_bridge` which
/// (1) ensures the daemon is running (auto-start + 30 s health-poll), (2)
/// builds a shared reqwest client, and (3) enters `run_stdio_loop` forwarding
/// each request to `POST /rpc`.
/// Test: `tests/serve_stdio_e2e.rs` spawns a real child, asserts bounded
/// responses.  The bridge-specific unit tests live in
/// `commands/serve_stdio_bridge.rs`.
async fn run_serve_stdio(palace: Option<String>) -> Result<()> {
    trusty_memory::commands::serve_stdio_bridge::run_stdio_bridge(palace).await
}

/// Dispatch `serve` (HTTP path) to the HTTP server.
///
/// Why: keeps `main` focused on parsing while `AppState` construction lives
/// in one place. The direct `--stdio` path (`serve --stdio`, PR1 #919) is
/// handled by `run_serve_stdio` above; the HTTP path runs the full axum daemon.
/// What: resolves the palace registry directory (descending into the legacy
/// `palaces/` subdirectory when present — see `resolve_palace_registry_dir`),
/// builds an `AppState` rooted there, applies the `--palace` default if any,
/// re-hydrates every persisted palace, wires the issue-#35 `LogBuffer` so
/// `GET /api/v1/logs/tail` serves captured logs, and installs the Phase 1
/// bug-capture `ErrorStore` (bug-reporting #478) so Phase 2 can query errors.
/// Test: not unit-tested (process-level entry point); exercised manually via
/// `cargo run -p trusty-memory -- serve` and the parent integration tests.
async fn run_serve(
    http: Option<SocketAddr>,
    foreground: bool,
    palace: Option<String>,
    log_buffer: trusty_common::log_buffer::LogBuffer,
    error_store: trusty_common::error_capture::ErrorStore,
) -> Result<()> {
    // Background self-spawn path: when invoked without `--http` or
    // `--foreground`, fork a detached copy of ourselves with `serve
    // --foreground` and return immediately. Mirrors `trusty-search start` so
    // the parent shell keeps its prompt and tmux pane closures do not
    // SIGHUP the daemon.
    //
    // Supervisors (launchd, systemd, Docker) always pass `--foreground` and
    // stay on the inline path so they can manage the process lifecycle.
    if !foreground && http.is_none() {
        return trusty_memory::commands::start::handle_start().await;
    }

    // Single-instance guard (Fix B): if another healthy daemon is already
    // running (detected via the http_addr discovery file + /health probe),
    // exit 0. launchd's `KeepAlive { SuccessfulExit: false }` only respawns
    // on *non-zero* exits, so exit 0 stops the respawn storm cleanly.
    // This check runs on every `serve --foreground` invocation — both those
    // spawned by launchd and those spawned manually — so the guard is always
    // active regardless of how the daemon was launched.
    {
        use trusty_memory::commands::single_instance as si;
        let addr_file = trusty_memory::http_addr_path();
        // Issue #1152, Tier 3: 3 probes × 200 ms catches a mid-boot daemon.
        let action = si::single_instance_check_retried(addr_file.as_deref(), 2, 200).await;
        match action {
            si::StartupAction::Proceed => {}
            si::StartupAction::ExitAlreadyRunning => {
                tracing::info!(
                    "single-instance guard: another trusty-memory instance is \
                     already running; exiting 0 to stop launchd respawn storm"
                );
                eprintln!(
                    "trusty-memory: another instance is already running; \
                     exiting cleanly (exit 0 stops launchd KeepAlive respawn)"
                );
                std::process::exit(0);
            }
            si::StartupAction::Fail(msg) => {
                anyhow::bail!("single-instance check failed unexpectedly: {msg}");
            }
        }
    }

    // Resolve the standard data dir, then descend into `palaces/` if that
    // legacy-layout subdirectory exists. Using the resolved directory as
    // `data_root` keeps every call site (status, palace_list, open_palace,
    // palace_create, load_palaces_from_disk) pointed at the same place.
    let data_dir = trusty_common::resolve_data_dir("trusty-memory")?;
    // Defense-in-depth (belt-and-suspenders, #503): assert the resolved data
    // root is absolute and not the filesystem root before binding. This guards
    // against any future resolver path that could produce a bad dir — even if
    // trusty_common::resolve_data_dir's own guards fire first, a second check
    // here means a misconfigured deployment fails loudly at startup rather than
    // silently scattering palaces across `/`.
    if !data_dir.is_absolute() {
        anyhow::bail!(
            "resolved trusty-memory data directory {:?} is not absolute; \
             refusing to start to prevent palace directories from being created \
             under the daemon working directory",
            data_dir
        );
    }
    if data_dir == std::path::Path::new("/") {
        anyhow::bail!(
            "resolved trusty-memory data directory is the filesystem root (/); \
             refusing to start to prevent palace directories from being created \
             directly under /",
        );
    }
    let data_root = resolve_palace_registry_dir(data_dir);

    // Apply one-shot, idempotent on-disk migrations before any in-memory
    // registry hydration so subsequent `load_palaces_from_disk` calls see the
    // updated metadata. Currently this rewrites the default `localLLM`
    // palace's display name to "User Memories" when the legacy literal is
    // still present (issue #98). Failures here are logged but do not abort
    // startup — a single bad migration must not take the daemon down.
    if let Err(e) = trusty_memory::commands::migrations::migrate_default_palace_name(&data_root) {
        tracing::warn!("default-palace name migration skipped: {e:#}");
    }

    if let Some(addr) = http {
        let state = AppState::new(data_root)
            .with_default_palace(palace)
            .with_log_buffer(log_buffer)
            // Bug-reporting #478: wire the bug-capture ErrorStore into AppState
            // so Phase 2 HTTP / MCP endpoints can query it. The store is an
            // Arc-backed clone of the same ring the BugCaptureLayer writes to.
            .with_error_store(error_store)
            // Issue #156 + #193: opt in to the BM25 lexical lane (and its
            // spawn supervisor) when TRUSTY_BM25_DAEMON=1. The builder is
            // a no-op when the env var is unset so existing deployments
            // see no behavioural change.
            .with_bm25_client_from_env();
        spawn_startup_tasks(&state);
        run_http(state, addr).await
    } else {
        let state = AppState::new(data_root)
            .with_default_palace(palace)
            .with_log_buffer(log_buffer)
            // Bug-reporting #478: wire the bug-capture ErrorStore into AppState
            // so Phase 2 HTTP / MCP endpoints can query it.
            .with_error_store(error_store)
            // Issue #156 + #193: opt in to the BM25 lexical lane (and its
            // spawn supervisor) when TRUSTY_BM25_DAEMON=1. The builder is
            // a no-op when the env var is unset so existing deployments
            // see no behavioural change.
            .with_bm25_client_from_env();
        spawn_startup_tasks(&state);
        if foreground {
            run_http_foreground(state).await
        } else {
            run_http_dynamic(state).await
        }
    }
}

/// Why: startup tasks (palace hydration, alias discovery, pin scan) are the
///      same regardless of whether HTTP binds to a fixed or dynamic port;
///      keeping the logic in a single helper means a new startup task only has
///      to be added in one place. Previously, `load_palaces_from_disk` was
///      awaited synchronously before binding the HTTP listener — a single
///      broken `kg.db` (stale WAL sidecar, corrupt file, permissions) could
///      stall hydration for seconds per palace, deferring `/health` becoming
///      reachable until every palace had been visited. The dashboard, MCP
///      clients, and `launchctl` health-probes all interpret that as "the
///      daemon is dead", so the launchd job thrashes and operators see no
///      useful output. Spawning hydration as a background task lets the HTTP
///      server bind immediately; palaces appear in `palace_list` and the
///      dashboard as each one finishes opening. Per-palace failures are
///      already logged and skipped inside `load_palaces_from_disk` so a
///      single bad `kg.db` can never abort the daemon.
/// What: clones `state` (cheap — `AppState` derives `Clone` with `Arc`-wrapped
///       internals) and spawns a background task that (1) hydrates persisted
///       palaces from disk with timing logs, (2) once palaces are live,
///       kicks off issue-#42 alias auto-discovery against the cwd targeting
///       the default palace (if configured), and (3) runs the issue-#470
///       single-pass pin scan and populates `AppState::pin_project_map`
///       (scan-only — NO palace opens). Returns immediately — the spawned
///       task runs concurrently with the HTTP listener bind.
/// Test: `spawn_startup_tasks_populates_pin_map` verifies the scan path runs
///       and populates the map; the log emission is confirmed by the throwaway
///       daemon run documented in the session notes.
fn spawn_startup_tasks(state: &AppState) {
    // Issue #906 / #910 / #911: eager embedder warm-up.
    // Spawn BEFORE the palace hydration task so the CoreML / CUDA cold compile
    // (30-120 s on first run) races ahead concurrently and the warm embedder
    // is likely ready by the time the first `memory_remember` / `memory_recall`
    // arrives.
    //
    // On SUCCESS flip `daemon_readiness` to `Ready` so the preflight guards in
    // `tools.rs` (issue #911) allow requests through.  Until then they return
    // a fast "warming up" error instead of blocking behind the OnceCell init.
    //
    // On FAILURE: log at ERROR, leave state as `Warming`.  The lazy-init path
    // in `shared_embedder()` will retry on the first real request (and the
    // bounded timeout there means it will fail fast, not hang).
    let warmup_state = state.clone();
    tokio::spawn(async move {
        let ws = std::time::Instant::now();
        tracing::info!("starting background embedder warm-up (issues #906/#910)");
        match trusty_common::memory_core::retrieval::shared_embedder().await {
            Ok(_) => {
                let elapsed_ms = ws.elapsed().as_millis() as u64;
                tracing::info!(
                    elapsed_ms,
                    "background embedder warm-up complete; daemon is now Ready (issues #910/#911)"
                );
                warmup_state.set_ready();
            }
            Err(e) => tracing::error!(
                elapsed_ms = ws.elapsed().as_millis() as u64,
                "background embedder warm-up failed (daemon stays Warming; \
                 memory ops will return a bounded error on first request): {e:#}"
            ),
        }
    });

    let bg_state = state.clone();
    tokio::spawn(async move {
        let started = std::time::Instant::now();
        tracing::info!("starting background palace hydration");
        match bg_state.load_palaces_from_disk().await {
            Ok(count) => tracing::info!(
                elapsed_ms = started.elapsed().as_millis() as u64,
                "background palace hydration complete: {count} palaces loaded"
            ),
            Err(e) => tracing::error!(
                elapsed_ms = started.elapsed().as_millis() as u64,
                "background palace hydration failed: {e:#}"
            ),
        }
        // Issue #42: once palaces are live, kick off auto-discovery against
        // cwd targeting the default palace (if configured). Without a default
        // palace there's no obvious destination, so skip — explicit MCP
        // `discover_aliases` calls still work.
        if let Some(palace) = bg_state.default_palace.clone() {
            if let Ok(cwd) = std::env::current_dir() {
                bg_state.spawn_alias_discovery(palace, cwd);
            }
        }
        // Issue #537: throttled startup update check. Runs once per 24h (on-disk
        // cache). Result stored in AppState::update_available for /health.
        // Non-blocking: failure degrades to "no update info" — never aborts startup.
        {
            let update_available = bg_state.update_available.clone();
            tokio::spawn(async move {
                let crate_name = env!("CARGO_PKG_NAME");
                let current = env!("CARGO_PKG_VERSION");
                if let Some(info) =
                    trusty_common::update::check_throttled(crate_name, current).await
                {
                    tracing::info!(
                        latest = %info.latest,
                        "update available: {}",
                        trusty_common::update::notice(&info)
                    );
                    eprintln!("{}", trusty_common::update::notice(&info));
                    if let Ok(mut guard) = update_available.lock() {
                        *guard = Some(info.latest);
                    }
                }
            });
        }

        // Issue #470 / #474: single-pass scan-only pin discovery — NO palace
        // opens. Run on the blocking pool because readdir is blocking I/O;
        // the scan is bounded (one level under each search root) so it
        // completes quickly. We populate `pin_project_map` on the shared
        // `AppState` arc so handlers can look up palace_id → project_path
        // cheaply.
        //
        // Fix #474: the completion log is emitted at `info!` level AND via
        // `eprintln!` to stderr directly. The `info!` is visible under
        // `RUST_LOG=info`; the `eprintln!` is visible regardless of the
        // tracing filter and matches the pattern used by `run_http_on` for
        // the bind-address announcement. This dual-emit guarantees the
        // operator can always confirm the scan ran, even when the daemon is
        // started via launchd (stderr → log file) or with the default
        // `RUST_LOG=warn` level.
        let pin_scan_started = std::time::Instant::now();
        let pin_map_ref = bg_state.pin_project_map.clone();
        // Fix #880: when a data-dir override is active the daemon is running
        // in an isolated environment (test rig, CI, parallel run). The
        // default_search_dirs() scan walks the REAL user environment
        // (~/Projects, ~/Developer, …) and would import palaces from the
        // live system into the isolated data root, defeating isolation.
        // Use an empty search list so the scan is a no-op; the pin map stays
        // empty for the lifetime of this isolated instance.
        let override_active = trusty_memory::is_data_dir_override_active();
        let scan_result = tokio::task::spawn_blocking(move || {
            let search_dirs = if override_active {
                Vec::new()
            } else {
                trusty_memory::startup_scan::default_search_dirs()
            };
            trusty_memory::startup_scan::scan_pin_map(&search_dirs)
        })
        .await;
        match scan_result {
            Ok(map) => {
                let count = map.len();
                let elapsed_ms = pin_scan_started.elapsed().as_millis() as u64;
                for (palace_id, project_path) in map {
                    pin_map_ref.insert(palace_id, project_path);
                }
                // Dual-emit: tracing INFO (visible under RUST_LOG=info) +
                // eprintln! to stderr (visible at any filter level, matching
                // the `run_http_on` bind-address announcement pattern).
                // Root cause of #474: when the daemon is started via
                // `trusty-memory start`, the child's stderr is redirected to
                // /dev/null and tracing output is silently lost; when started
                // via launchd the default RUST_LOG=warn suppresses info!.
                // eprintln! bypasses the tracing filter so the completion is
                // always visible in launchd logs and on the operator's
                // terminal when run in the foreground.
                tracing::info!(
                    pins_found = count,
                    elapsed_ms,
                    "startup pin scan complete: {count} pin(s) discovered in {elapsed_ms}ms"
                );
                eprintln!("startup pin scan complete: {count} pin(s) discovered in {elapsed_ms}ms");
            }
            Err(e) => {
                // spawn_blocking join error — should not happen in practice.
                tracing::warn!("startup pin scan task panicked or was cancelled: {e}");
                eprintln!("startup pin scan task panicked or was cancelled: {e}");
            }
        }
    });
}

// CLI parse tests: `serve --http` / `--stdio` semantics (#914 PR4)
#[cfg(test)]
#[path = "cli_tests.rs"]
mod cli_tests;
// ---------------------------------------------------------------------------
// Tests for spawn_startup_tasks (#474)
// ---------------------------------------------------------------------------

#[cfg(test)]
mod startup_task_tests {
    use super::*;
    use std::fs;
    use trusty_memory::project_root::{write_project_pin, ProjectPin, PIN_SCHEMA_VERSION};

    /// Why: the pin scan inside `spawn_startup_tasks` must populate
    /// `AppState::pin_project_map` so handlers can resolve a palace id to a
    /// project path without a filesystem walk at request time (issue #470).
    /// This test verifies the full wiring: a real `AppState` with a real temp
    /// search root, a pinned project, and the async background task.
    /// What: creates a project with a pin file under a temp search root; then
    /// calls `spawn_startup_tasks` and yields to the tokio runtime until the
    /// task completes; asserts the pin map contains the expected entry.
    /// Test: itself (issue #474 regression guard).
    #[tokio::test]
    async fn spawn_startup_tasks_populates_pin_map() {
        // Build a temp search root with one pinned project.
        let tmp = tempfile::tempdir().expect("tempdir");
        let search_root = tmp.path().join("Projects");
        let project_dir = search_root.join("my-project");
        fs::create_dir_all(&project_dir).expect("create project dir");
        write_project_pin(
            &project_dir,
            &ProjectPin {
                schema_version: PIN_SCHEMA_VERSION,
                palace: "my-palace".to_string(),
                note: None,
            },
        )
        .expect("write pin");

        // Override HOME so `default_search_dirs()` points at our temp root.
        // SAFETY: single-threaded test; env var only affects this process.
        let prev_home = std::env::var_os("HOME");
        unsafe {
            std::env::set_var("HOME", tmp.path());
        }
        // Also bypass palace-slug enforcement so AppState::new doesn't
        // need a real project root.
        unsafe {
            std::env::set_var("TRUSTY_SKIP_PALACE_ENFORCEMENT", "1");
        }

        let state_root = tmp.path().join("data");
        fs::create_dir_all(&state_root).expect("create data dir");
        let state = AppState::new(state_root);

        // Fire the background task.
        spawn_startup_tasks(&state);

        // Yield to the tokio runtime repeatedly until the task populates the
        // pin map or a timeout is reached (50 × 10 ms = 500 ms ceiling).
        let deadline = std::time::Instant::now() + std::time::Duration::from_millis(500);
        loop {
            if state.pin_project_map.contains_key("my-palace") {
                break;
            }
            if std::time::Instant::now() >= deadline {
                panic!(
                    "pin_project_map was not populated within 500 ms; \
                     spawn_startup_tasks may not be running the pin scan"
                );
            }
            tokio::time::sleep(std::time::Duration::from_millis(10)).await;
        }

        // Restore HOME.
        match prev_home {
            Some(v) => unsafe { std::env::set_var("HOME", v) },
            None => unsafe { std::env::remove_var("HOME") },
        }

        let found = state.pin_project_map.get("my-palace").map(|e| e.clone());
        assert!(
            found.is_some(),
            "pin_project_map must contain 'my-palace' after spawn_startup_tasks"
        );
        // Canonicalize to handle macOS /private symlinks.
        let actual = fs::canonicalize(found.unwrap()).expect("canonicalize actual");
        let expected = fs::canonicalize(&project_dir).expect("canonicalize expected");
        assert_eq!(
            actual, expected,
            "pin_project_map entry must point to the project directory"
        );
    }
}