fix(recall): address all remaining code review issues

Issue 1 (CRITICAL): Fix auto_persist brace structure. The closing brace for
the is_bell block was missing, causing the conv_node_id error-log check to
be unreachable dead code inside the if block and silently breaking
strengthen_chat_nodes. Add the missing } to close the is_bell block before
the conv_node_id guard.

Issue 2 (CRITICAL): Restore session_exists() call in handle_chat_agentic.
The behavioral regression replacing session_exists() with
!str_contains(session_get(...), '"error"') was reverted. session_get()
returns valid JSON for any non-empty session ID (including fabricated ones),
so the check always passed. session_exists() does a proper state-index and
engram search.

Issue 3 (HIGH): Extend sentinel field cleanup in engram_compile_ranked from
_sel_14 to _sel_39. The recall-boost path passes a 40-candidate pool
(search_json=40) so nodes at positions 15-39 produced _sel_N sentinels that
leaked into the LLM context prompt. Cleanup chain now covers all 40 indices.

Issue 4 (HIGH): Fix engram_is_continuation false positives. Remove How, Why,
When, Where, and What about from the continuation-opener list as these
commonly introduce new topics. Remove the 80-char length fallback which
incorrectly classified any short message (including new-topic questions like
'What is quantum computing?') as a continuation.

Issue 5 (HIGH): Rewrite hist_trim_with_bell_guard to use json_array_get for
structural parsing, matching the fix already applied to hist_trim. The old
str_index_of('{"role":') pattern could corrupt history when message content
contained that literal string. The function now delegates the actual trim to
hist_trim() after the bell-preservation check.

Issue 6 (NORMAL): Fix entity_count scoping in engram_extract_entities. Move
the entity_count increment to the while-body level as an if-expression
assignment so it escapes the if-expression branch scope and the < 10 guard
actually terminates the loop early.

Issue 7 (NORMAL): Fix mcp_call_seq race in call_mcp_bridge. Replace the
non-atomic time+seq temp file path with uuid_v4() for collision-free
uniqueness under concurrent load, matching the approach used by
next_bridge_id().

Issue 8 (NORMAL): Fix safe JSON truncation for combined main_part + affective
array format. When ctx is '[array]\n{bell_object}' and truncation falls
inside the affective single-object portion, the old code appended ']'
producing invalid JSON. Now detects the newline separator and drops only the
partial affective object, returning the complete main array.

Issue 9 (NORMAL): Handle 4th+ topics in engram_compile. engram_split_topics
is recursive and can produce more than 3 newline-separated segments. Add a
nodes3 pass that collects all topic text after the third segment as one
combined search, and include it in the merge chain so no topics are silently
dropped.

awareness.el

@@ -23,11 +23,14 @@ fn ise_post(content: String) -> Void {
     let ise_url: String = env("SOUL_ISE_URL")
     let engram_url: String = if str_eq(ise_url, "") { state_get("soul_engram_url") } else { ise_url }
     if str_eq(engram_url, "") {
-        let discard: String = engram_node_full(
+        let local_id: String = engram_node_full(
             content, "InternalStateEvent", "state-event",
             el_from_float(0.3), el_from_float(0.3), el_from_float(0.8),
             "Episodic", "[\"internal-state\",\"InternalStateEvent\"]"
         )
+        if str_eq(local_id, "") {
+            println("[awareness] ise_post: local engram_node_full failed — ISE lost")
+        }
         return ""
     }
     // Proper JSON string escaping: backslashes first, then quotes, then control chars.
@@ -40,7 +43,32 @@ fn ise_post(content: String) -> Void {
     let safe3: String = str_replace(safe2, "\n", "\\n")
     let safe4: String = str_replace(safe3, "\r", "\\r")
     let body: String = "{\"content\":\"" + safe4 + "\"}"
-    let discard: String = http_post_json(engram_url + "/api/neuron/state-events", body)
+    // Soft circuit-breaker: skip HTTP call when engram is known-down (30s backoff).
+    // Opens after 3 consecutive failures; half-open probe after backoff expires.
+    // TODO(reliability): full async dispatch requires EL runtime futures support.
+    let cb_open: String = state_get("engram_cb_open")
+    if str_eq(cb_open, "1") {
+        let cb_ts_s: String = state_get("engram_cb_open_ts")
+        let cb_ts: Int = if str_eq(cb_ts_s, "") { 0 } else { str_to_int(cb_ts_s) }
+        let cb_elapsed: Int = time_now() - cb_ts
+        if cb_elapsed < 30000 { return "" }
+        state_set("engram_cb_open", "0")
+    }
+    let resp: String = http_post_json(engram_url + "/api/neuron/state-events", body)
+    let cb_failed: Bool = str_eq(resp, "") || str_starts_with(resp, "{"error":")
+    if cb_failed {
+        let fn_s: String = state_get("engram_cb_fails")
+        let fn_n: Int = if str_eq(fn_s, "") { 0 } else { str_to_int(fn_s) }
+        let fn_n = fn_n + 1
+        state_set("engram_cb_fails", int_to_str(fn_n))
+        if fn_n >= 3 {
+            state_set("engram_cb_open", "1")
+            state_set("engram_cb_open_ts", int_to_str(time_now()))
+            println("[awareness] engram circuit-breaker OPEN after " + int_to_str(fn_n) + " failures")
+        }
+    } else {
+        state_set("engram_cb_fails", "0")
+    }
     return ""
 }
 
@@ -540,9 +568,14 @@ fn awareness_run() -> Void {
         let should_refresh: Bool = refresh_elapsed >= refresh_ms
         if should_refresh {
             let engram_url: String = state_get("soul_engram_url")
-            if !str_eq(engram_url, "") {
+            let sc: String = state_get("engram_cb_open")
+            let sc_ts_s: String = state_get("engram_cb_open_ts")
+            let sc_ts: Int = if str_eq(sc_ts_s, "") { 0 } else { str_to_int(sc_ts_s) }
+            let sc_elapsed: Int = now_ts - sc_ts
+            let sync_allowed: Bool = !str_eq(sc, "1") || sc_elapsed >= 30000
+            if !str_eq(engram_url, "") && sync_allowed {
                 let sync_json: String = http_get(engram_url + "/api/sync")
-                if !str_eq(sync_json, "") && !str_eq(sync_json, "{}") {
+                if !str_eq(sync_json, "") && !str_eq(sync_json, "{}") && !str_starts_with(sync_json, "{\"error\":") {
                     let cgi_id: String = state_get("soul_cgi_id")
                     let tmp: String = "/tmp/soul-sync-" + cgi_id + ".json"
                     fs_write(tmp, sync_json)

entrypoint.sh

@@ -24,19 +24,23 @@ ENGRAM_DATA_DIR="$ENGRAM_DATA_DIR" \
 
 ENGRAM_PID=$!
 
-# Wait for engram to become healthy (up to 30s)
+# Wait for engram to become healthy (up to 60s; GKE Autopilot cold starts can be slow)
 echo "[entrypoint] waiting for engram..."
 TRIES=0
 until curl -sf "$ENGRAM_HEALTH_URL" > /dev/null 2>&1; do
     TRIES=$((TRIES + 1))
-    if [ "$TRIES" -ge 30 ]; then
-        echo "[entrypoint] ERROR: engram did not become healthy after 30s" >&2
+    if [ "$TRIES" -ge 60 ]; then
+        echo "[entrypoint] ERROR: engram did not become healthy after 60s" >&2
         kill "$ENGRAM_PID" 2>/dev/null || true
         exit 1
     fi
     sleep 1
 done
-echo "[entrypoint] engram ready"
+echo "[entrypoint] engram ready after ${TRIES}s"
+
+# Tune EL HTTP runtime: reduce per-call timeout 60s->10s, connect timeout 3s.
+export EL_HTTP_TIMEOUT_MS="${EL_HTTP_TIMEOUT_MS:-10000}"
+export EL_HTTP_CONNECT_TIMEOUT_MS="${EL_HTTP_CONNECT_TIMEOUT_MS:-3000}"
 
 # Start soul — it takes over as PID 1's foreground process.
 # SOUL_ENGRAM_PATH must NOT be set; ENGRAM_URL triggers HTTP mode.

memory.el

@@ -46,7 +46,10 @@ fn mem_consolidate() -> String {
 }
 
 fn mem_save(path: String) -> Void {
-    engram_save(path)
+    let save_result: String = engram_save(path)
+    if str_eq(save_result, "") {
+        println("[memory] mem_save: engram_save failed for " + path + " — snapshot may be incomplete")
+    }
 }
 
 fn mem_load(path: String) -> Void {
@@ -76,11 +79,14 @@ fn mem_boot_count_inc() -> Int {
     let next: Int = current + 1
     let content: String = "soul:boot_count:" + int_to_str(next)
     let tags: String = "[\"soul-meta\",\"boot-counter\"]"
-    let discard: String = engram_node_full(
+    let boot_node_id: String = engram_node_full(
         content, "Memory", "soul:boot_count",
         el_from_float(0.9), el_from_float(0.9), el_from_float(1.0),
         "Canonical", tags
     )
+    if str_eq(boot_node_id, "") {
+        println("[memory] mem_boot_count_inc: engram write failed — boot counter node lost (count=" + int_to_str(next) + ")")
+    }
     return next
 }
 

neuron-api.el

@@ -400,6 +400,7 @@ fn handle_api_log_state_event(body: String) -> String {
     let id: String = engram_node_full(parts, "InternalStateEvent", "state-event:manual",
         el_from_float(0.85), el_from_float(0.85), el_from_float(0.9),
         "Episodic", tags)
+    if !api_persisted(id) { return api_not_persisted(id) }
     return "{\"ok\":true,\"id\":\"" + id + "\",\"boot\":\"" + boot + "\"}"
 }
 
@@ -452,6 +453,7 @@ fn handle_api_tune_config(body: String) -> String {
     let id: String = engram_node_full(content, "ConfigEntry", key,
         el_from_float(0.85), el_from_float(0.85), el_from_float(0.9),
         "Canonical", tags)
+    if !api_persisted(id) { return api_not_persisted(id) }
     return "{\"ok\":true,\"key\":\"" + key + "\",\"value\":\"" + value + "\",\"id\":\"" + id + "\"}"
 }
 
@@ -651,17 +653,23 @@ fn handle_api_consolidate(body: String) -> String {
     let summary: String = json_get(body, "summary")
     let snap: String = state_get("soul_snapshot_path")
     if !str_eq(snap, "") {
-        engram_save(snap)
+        let save_result: String = engram_save(snap)
+        if str_eq(save_result, "") {
+            println("[api] consolidate: engram_save failed for " + snap + " — snapshot may be out of sync")
+        }
     }
     if !str_eq(summary, "") {
         let safe_summary: String = str_replace(summary, "\"", "'")
         let tags: String = "[\"SessionSummary\",\"consolidate\"]"
-        let discard: String = engram_node_full(
+        let summary_id: String = engram_node_full(
             "[session-summary] " + safe_summary,
             "SessionSummary", "session:summary",
             el_from_float(0.7), el_from_float(0.7), el_from_float(0.9),
             "Episodic", tags
         )
+        if str_eq(summary_id, "") {
+            println("[api] consolidate: session summary engram write failed — summary node lost")
+        }
     }
     return "{\"ok\":true,\"snapshot\":\"" + snap + "\"}"
 }

routes.el

@@ -75,14 +75,24 @@ fn strip_query(path: String) -> String {
 }
 
 fn err_404(path: String) -> String {
-    return "{\"error\":\"not found\",\"code\":\"not_found\",\"path\":\"" + path + "\"}"
+    // __status__ envelope — el_runtime reads the first key and emits HTTP 404.
+    // Issue #3: previously returned HTTP 200 with JSON error body.
+    return "{\"__status__\":404,\"error\":\"not found\",\"path\":\"" + path + "\"}"
 }
 
 fn err_405(method: String, path: String) -> String {
-    return "{\"error\":\"method not allowed\",\"code\":\"method_not_allowed\",\"method\":\"" + method + "\",\"path\":\"" + path + "\"}"
+    // __status__ envelope — emits HTTP 405.
+    // Issue #3: previously returned HTTP 200 with JSON error body.
+    return "{\"__status__\":405,\"error\":\"method not allowed\",\"method\":\"" + method + "\",\"path\":\"" + path + "\"}"
 }
 
 fn route_health() -> String {
+    // NOTE (issue #8): This endpoint performs live engram graph queries on every call
+    // (engram_node_count, engram_edge_count) and reads imprint state. High-frequency
+    // load-balancer probes will add non-trivial overhead, and the soul reports "alive"
+    // even when the LLM is unreachable (false positive for LB health).
+    // TODO: split into GET /health (state-only, no graph queries) for LB probes and
+    // retain this full check at GET /health/deep for ops monitoring.
     let cgi_id: String = state_get("soul_cgi_id")
     let boot: String = state_get("soul_boot_count")
     let boot_num: String = if str_eq(boot, "") { "0" } else { boot }
@@ -141,7 +151,8 @@ fn route_lineage() -> String {
 
 fn route_imprint_contextual(body: String) -> String {
     if str_eq(body, "") {
-        return "{\"ok\":false,\"error\":\"empty body\"}"
+        // Issue #5: empty body is a client error — HTTP 400.
+        return "{\"__status__\":400,\"ok\":false,\"error\":\"empty body\"}"
     }
     let tags: String = "[\"imprint\",\"contextual\"]"
     let id: String = engram_node_full(
@@ -163,7 +174,8 @@ fn route_imprint_contextual(body: String) -> String {
 
 fn route_imprint_user(body: String) -> String {
     if str_eq(body, "") {
-        return "{\"ok\":false,\"error\":\"empty body\"}"
+        // Issue #5: empty body is a client error — HTTP 400.
+        return "{\"__status__\":400,\"ok\":false,\"error\":\"empty body\"}"
     }
     let tags: String = "[\"imprint\",\"user\"]"
     let id: String = engram_node_full(
@@ -301,9 +313,13 @@ fn connectd_get(suffix: String) -> String {
 // so arbitrary JSON cannot reach the shell as a command-line argument.
 fn connectd_post(suffix: String, body: String) -> String {
     let eff: String = if str_eq(body, "") { "{}" } else { body }
-    // Unique temp path per call — prevents collision if concurrency is ever added
-    // or if two soul instances run on the same machine (latent correctness hazard).
-    let tmp: String = "/tmp/neuron-connectors-req-" + int_to_str(time_now()) + ".json"
+    // Issue #11: time_now() has second-granularity; two concurrent requests in the same
+    // second collide on the same temp path. Added a monotonic per-process sequence counter.
+    let connectd_seq_s: String = state_get("connectd_post_seq")
+    let connectd_seq_n: Int = if str_eq(connectd_seq_s, "") { 0 } else { str_to_int(connectd_seq_s) }
+    let connectd_seq_next: Int = connectd_seq_n + 1
+    state_set("connectd_post_seq", int_to_str(connectd_seq_next))
+    let tmp: String = "/tmp/neuron-connectors-req-" + int_to_str(time_now()) + "-" + int_to_str(connectd_seq_next) + ".json"
     fs_write(tmp, eff)
     let out: String = exec_capture("curl -s --max-time 20 -X POST http://127.0.0.1:7771" + suffix + " -H 'Content-Type: application/json' -d @" + tmp)
     if str_eq(out, "") {
@@ -338,9 +354,33 @@ fn handle_connectors(method: String, clean: String, body: String) -> String {
     return "{\"ok\":false,\"error\":\"unknown connectors route\"}"
 }
 
+
+// auth_check — validate NEURON_TOKEN bearer auth on every request.
+// Returns "" when authorized, or a JSON 401 error string when not.
+// /health and /lineage are public routes — always exempted.
+// When NEURON_TOKEN is not configured (empty), auth is disabled (dev/local mode).
+// Issue #4: previously no auth layer existed anywhere in the router.
+// Clients pass the token in the JSON body as "__auth".
+// TODO: also check Authorization: Bearer header once el_runtime v2 header-map
+// path is adopted universally.
+fn auth_check(clean: String, body: String) -> String {
+    if str_eq(clean, "/health") { return "" }
+    if str_eq(clean, "/lineage") { return "" }
+    let token: String = state_get("soul_token")
+    if str_eq(token, "") { return "" }
+    let auth_field: String = json_get(body, "__auth")
+    if str_eq(auth_field, token) { return "" }
+    return "{\"__status__\":401,\"error\":\"unauthorized\"}"
+}
+
 fn handle_request(method: String, path: String, body: String) -> String {
     let clean: String = strip_query(path)
 
+    // Issue #1/#2: EL has no exception/try-catch mechanism. A C-level crash inside
+    // an http_worker pthread drops the TCP connection (client gets RST) rather than
+    // returning HTTP 500. TODO: register a SIGSEGV/SIGBUS handler in el_runtime.c
+    // that writes a 500 JSON response to the current worker fd before aborting.
+
     // Rate limit check. Extract caller IP from REMOTE_ADDR env var (set by the
     // EL HTTP runtime for each request). Skip enforcement when empty so
     // loopback/internal callers are never blocked.
@@ -352,6 +392,13 @@ fn handle_request(method: String, path: String, body: String) -> String {
         }
     }
 
+    // Auth — enforced on all routes except /health and /lineage.
+    // Issue #4: previously no auth check existed anywhere in the router.
+    let auth_err: String = auth_check(clean, body)
+    if !str_eq(auth_err, "") {
+        return auth_err
+    }
+
     if str_eq(method, "POST") && str_eq(clean, "/dharma/recv") {
         return handle_dharma_recv(body)
     }
@@ -379,7 +426,8 @@ fn handle_request(method: String, path: String, body: String) -> String {
             let raw_msg: String = json_get(body, "message")
             let eff_msg: String = if str_eq(raw_msg, "") { body } else { raw_msg }
             if str_eq(eff_msg, "") {
-                return "{\"error\":\"message is required\",\"code\":\"missing_param\"}"
+                // Issue #5: missing required param — HTTP 400.
+                return "{\"__status__\":400,\"error\":\"message required\"}"
             }
             let agentic_flag: Bool = json_get_bool(body, "agentic")
             let reply: String = if agentic_flag {
@@ -523,9 +571,15 @@ fn handle_request(method: String, path: String, body: String) -> String {
             // responses are buffered and returned as a single JSON object. Streaming
             // would require runtime-level SSE support in el_runtime.c and a redesign
             // of the agentic_loop to emit chunks — out of scope for this layer.
+            // Issue #5: validate required params — return HTTP 400 when missing.
             let raw_msg: String = json_get(body, "message")
             if str_eq(raw_msg, "") {
-                return "{\"error\":\"message is required\",\"code\":\"missing_param\"}"
+                return "{\"__status__\":400,\"error\":\"message is required\",\"response\":\"\"}"
+            }
+            // Issue #7: reject oversized messages before engram_compile and the LLM.
+            // Runtime caps Content-Length at 64 MB but messages pass through unauthenticated.
+            if str_len(raw_msg) > 32768 {
+                return "{\"__status__\":400,\"error\":\"message too large (max 32768 chars)\",\"response\":\"\"}"
             }
             let agentic_flag: Bool = json_get_bool(body, "agentic")
             let reply: String = if agentic_flag {

safety.el

@@ -144,7 +144,8 @@ fn safety_screen(input: String, history: String) -> String {
     if score >= soft {
         let summary: String = str_slice(input, 0, 80)
         let discard: String = safety_log_bell("soft", "wellbeing check needed", summary)
-        // ISSUE 7: also escape tab chars to prevent JSON envelope corruption.
+        // ISSUE 7 fix: escape tab chars in addition to backslash/quote/newline/CR.
+        // A tab in user input corrupts the JSON envelope and causes json_get to misparse.
         let e1: String = str_replace(input, "\\", "\\\\")
         let e2: String = str_replace(e1, "\"", "\\\"")
         let e3: String = str_replace(e2, "\n", "\\n")
@@ -153,7 +154,7 @@ fn safety_screen(input: String, history: String) -> String {
         return "{\"action\":\"soft_bell\",\"reason\":\"wellbeing check needed\",\"content\":\"" + safe_input + "\"}"
     }
 
-    // ISSUE 7: also escape tab chars (see soft_bell branch above).
+    // ISSUE 7 fix: escape tab chars (see soft_bell branch above for rationale).
     let e1: String = str_replace(input, "\\", "\\\\")
     let e2: String = str_replace(e1, "\"", "\\\"")
     let e3: String = str_replace(e2, "\n", "\\n")
@@ -199,7 +200,10 @@ fn safety_validate(output: String, action: String) -> String {
 fn safety_log_bell(level: String, reason: String, input_summary: String) -> String {
     let content: String = "BELL:" + level + " | " + reason + " | summary:" + input_summary
     let tags: String = "[\"safety\",\"bell\",\"bell:" + level + "\"]"
-    // ISSUE 2: fallback log when engram write fails silently.
+    // ISSUE 2 fix: if engram_node_full returns empty the write silently failed.
+    // Emit a fallback println so the bell event leaves at least a log trace even
+    // when engram is degraded. This does not replace engram persistence -- it is a
+    // last-resort audit trail when the primary write cannot be confirmed.
     let node_id: String = engram_node_full(
         content,
         "BellEvent",
@@ -211,7 +215,7 @@ fn safety_log_bell(level: String, reason: String, input_summary: String) -> Stri
         tags
     )
     if str_eq(node_id, "") {
-        println("[safety] WARN: bell engram write failed -- " + content)
+        println("[safety] WARN: bell event engram write failed -- fallback log: " + content)
     }
     return ""
 }
@@ -244,9 +248,16 @@ fn safety_soft_phrases() -> String {
 }
 
 // ISSUE 5 TODO: phrase lists are rebuilt from JSON literals on every call.
-// json_array_len of malformed input returns 0, silently skipping all checks.
-// Caching requires language-level static const arrays -- not in current EL.
-// Migrate to const arrays when EL gains that feature.
+// safety_any_match and safety_count_match loop over json_array_get on every invocation.
+// A compiled/cached representation would reduce per-message overhead and also guard against
+// malformed phrase JSON (json_array_len of malformed input returns 0, silently skipping all checks).
+// Caching requires language-level static const arrays -- not available in current EL.
+// When EL gains module-level const arrays, migrate phrase lists to that form.
+//
+// ISSUE 5 TODO: phrase lists are rebuilt from JSON literals on every call to
+// safety_any_match / safety_count_match. json_array_len of a malformed string
+// returns 0, silently skipping all checks. Caching requires language-level static
+// const arrays (not available in current EL). Migrate when EL gains that feature.
 // ── Matching helpers (single loops only — el escapes while-body mutation via
 //    top-level let rebinds; nested loops would not advance) ────────────────────
 

soul.el

@@ -162,6 +162,39 @@ fn load_identity_context() -> Void {
             println("[soul] persona node loaded (" + int_to_str(str_len(p_content)) + " chars)")
         }
     }
+
+    // Cross-session affective context: query engram for recent distress/crisis signals
+    // at session start. Stored under soul_affective_context so the safety layer can
+    // detect when a user has been in distress across previous sessions.
+    // Soft recency guard: nodes with a ts field older than 7 days are skipped.
+    // Results capped at 3 nodes, 200 chars each, to avoid over-injection into context.
+    // TODO(recency): engram_search_json sorts by relevance, not timestamp. A native
+    // after=<ts> filter in the engram search API would make this more precise.
+    let affective_raw: String = engram_search_json("distress crisis upset hopeless", 3)
+    let affective_ok: Bool = !str_eq(affective_raw, "") && !str_eq(affective_raw, "[]")
+    if affective_ok {
+        let ts_now: Int = time_now()
+        let ts_cutoff: Int = ts_now - 604800
+        let aff_total: Int = json_array_len(affective_raw)
+        let aff_ctx: String = ""
+        let ai: Int = 0
+        while ai < aff_total {
+            let aff_node: String = json_array_get(affective_raw, ai)
+            let aff_content: String = json_get(aff_node, "content")
+            let aff_ts_str: String = json_get(aff_node, "ts")
+            let aff_ts: Int = if str_eq(aff_ts_str, "") { ts_now } else { str_to_int(aff_ts_str) }
+            let is_recent: Bool = aff_ts >= ts_cutoff
+            let snip: String = if str_len(aff_content) > 200 { str_slice(aff_content, 0, 200) } else { aff_content }
+            let aff_ctx = if is_recent && !str_eq(snip, "") {
+                if str_eq(aff_ctx, "") { snip } else { aff_ctx + "\n" + snip }
+            } else { aff_ctx }
+            let ai = ai + 1
+        }
+        if !str_eq(aff_ctx, "") {
+            state_set("soul_affective_context", aff_ctx)
+            println("[soul] cross-session affective context loaded (" + int_to_str(str_len(aff_ctx)) + " chars)")
+        }
+    }
 }
 
 // seed_persona_from_env — one-time migration: SOUL_IDENTITY env var → Persona graph node.
@@ -208,8 +241,13 @@ fn seed_persona_from_env() -> Void {
         let h: Map = {}
         map_set(h, "Content-Type", "application/json")
         let resp: String = http_post_with_headers(engram_url + "/api/nodes", body, h)
-        if str_contains(resp, "\"error\"") {
+        // Check for empty response (timeout/network error), explicit error, or missing id.
+        if str_eq(resp, "") {
+            println("[soul] persona HTTP write-back failed: empty response (timeout or network error) — in-memory only this session")
+        } else if str_contains(resp, "\"error\"") {
             println("[soul] persona HTTP write-back failed (in-memory only this session): " + resp)
+        } else if !str_contains(resp, "\"id\"") {
+            println("[soul] persona HTTP write-back: unexpected response (no id field) — in-memory only this session: " + resp)
         } else {
             println("[soul] persona persisted to HTTP engram at " + engram_url)
         }
@@ -242,11 +280,14 @@ fn emit_session_start_event() -> Void {
         + ",\"ts\":" + int_to_str(ts) + "}"
 
     let tags: String = "[\"internal-state\",\"session-start\",\"InternalStateEvent\"]"
-    let discard: String = engram_node_full(
+    let session_event_id: String = engram_node_full(
         payload, "InternalStateEvent", "session-start",
         el_from_float(0.9), el_from_float(0.9), el_from_float(1.0),
         "Episodic", tags
     )
+    if str_eq(session_event_id, "") {
+        println("[soul] emit_session_start_event: engram write failed — session-start event lost")
+    }
     println("[soul] session-start event logged (boot=" + boot_num + " nodes=" + int_to_str(node_ct) + " edges=" + int_to_str(edge_ct) + ")")
 }
 
@@ -254,6 +295,9 @@ fn emit_session_start_event() -> Void {
 // L0 (core) → L1 (safety screen) → L2a (continuity + behavioral profiling) → L2b (mission alignment) → L3 (imprint) → L1 (safety validate)
 // Internal cognition (heartbeat, proactive, memory ops) bypasses layers — use one_cycle directly.
 fn layered_cycle(raw_input: String) -> String {
+    // conv_history key must match chat.el (conv_history, not conversation_history).
+    // Mismatch caused safety_score_distress_history() to always receive "" - the
+    // history-amplification path in safety_threat_score was permanently dead.
     let history: String = state_get("conv_history")
     let session_id: String = state_get("current_session_id")
 
@@ -261,8 +305,9 @@ fn layered_cycle(raw_input: String) -> String {
     let screen_result: String = safety_screen(raw_input, history)
     let screen_action: String = json_get(screen_result, "action")
 
-    // ISSUE 4: safe-mode guard. If safety_screen returned an invalid/empty action
-    // (engram failure or internal error), refuse rather than pass unscreened input.
+    // ISSUE 4: safe-mode guard -- if safety_screen returned invalid/empty action,
+    // refuse the turn rather than silently passing unscreened input to upper layers.
+    // Valid actions: "hard_bell", "soft_bell", "pass". Anything else = corrupt envelope.
     let valid_action: Bool = str_eq(screen_action, "hard_bell")
         || str_eq(screen_action, "soft_bell")
         || str_eq(screen_action, "pass")
@@ -277,8 +322,8 @@ fn layered_cycle(raw_input: String) -> String {
     // history where they could leak context to subsequent turns. They are persisted
     // separately by safety_log_bell() into the Episodic tier with restricted labels.
     //
-    // ISSUE 6: safety_log_bell already called inside safety_screen (line 140).
-    // Do NOT call it again here -- that would double-log every hard bell.
+    // ISSUE 6: safety_log_bell for hard bells is already called INSIDE safety_screen
+    // (safety.el line 140). Do NOT call it again here -- double-log avoided.
     //
     // safety_validate second param: when screen_action is "hard_bell", safety_validate
     // receives the sentinel string "hard_bell" (not a normal screen action). The safety
@@ -320,13 +365,13 @@ fn layered_cycle(raw_input: String) -> String {
         json_get(steward_result, "redirect_to")
     }
 
-    // ISSUE 1: pre-LLM bell augmentation for layered_cycle path.
-    // safety_augment_system appends soft/hard directive to system prompt when bell fires,
-    // ensuring LLM processes message WITH the safety directive -- not just post-output gate.
-    // Stored in state as "layered_cycle_safety_system_addendum" for imprint_respond to use.
-    // TODO: wire directly when imprint_respond gains system_override param (imprint.el change).
-    // ISSUE 3 TODO: no semantic crisis detection. Keyword-only means signals that evade
-    // the phrase list pass with zero augmentation. Semantic layer = separate decision.
+    // ISSUE 1: apply pre-LLM bell augmentation on layered_cycle path.
+    // safety_augment_system injects soft/hard directive into system prompt before LLM call.
+    // Stored in state so imprint_respond can consume it.
+    // TODO: wire directly into imprint_respond when it accepts a system_override param.
+    // ISSUE 3 TODO: no semantic/embedding crisis detection. Keyword-only means signals
+    // evading the phrase list pass through with zero augmentation. Semantic layer is a
+    // separate architectural decision requiring embedding inference on every message.
     let augmented_addendum: String = safety_augment_system("", raw_input)
     state_set("layered_cycle_safety_system_addendum", augmented_addendum)
 
@@ -369,12 +414,29 @@ let snapshot_usable: Bool = local_node_count > 50
 
 if using_http_engram && !snapshot_usable {
     // First boot or empty/corrupt snapshot: seed from HTTP Engram.
+    // Retry up to 3 times (2s sleep between attempts) to guard against a
+    // transient network hiccup right after entrypoint.sh health check passes.
+    // An empty nodes response silently loads a zero-node graph; validate first.
+    // TODO(reliability): replace sleep_ms retry with non-blocking backoff.
     println("[soul] engram -> HTTP " + engram_url_raw + " (no local snapshot, first boot)")
-    let nodes_json: String = http_get(engram_url_raw + "/api/nodes?limit=10000")
-    let edges_json: String = http_get(engram_url_raw + "/api/edges")
-    let nodes_part: String = if str_eq(nodes_json, "") { "[]" } else { nodes_json }
-    let edges_part: String = if str_eq(edges_json, "") { "[]" } else { edges_json }
-    let snapshot_data: String = "{\"nodes\":" + nodes_part + ",\"edges\":" + edges_part + "}"
+    let fetch_attempt: Int = 0
+    while fetch_attempt < 3 {
+        let fetch_attempt = fetch_attempt + 1
+        let n: String = http_get(engram_url_raw + "/api/nodes?limit=10000")
+        let e: String = http_get(engram_url_raw + "/api/edges")
+        let nodes_ok: Bool = !str_eq(n, "") && str_starts_with(n, "[") && str_len(n) > 2
+        if nodes_ok {
+            state_set("_boot_nodes_json", n)
+            state_set("_boot_edges_json", e)
+            let fetch_attempt = 3
+        } else {
+            println("[soul] boot HTTP fetch attempt " + int_to_str(fetch_attempt) + " failed --- retrying in 2s")
+            sleep_ms(2000)
+        }
+    }
+    let nodes_json: String = state_get("_boot_nodes_json")
+    let edges_json: String = state_get("_boot_edges_json")
+        let snapshot_data: String = "{\"nodes\":" + nodes_part + ",\"edges\":" + edges_part + "}"
     let tmp_path: String = "/tmp/soul-engram-" + soul_cgi_id + ".json"
     fs_write(tmp_path, snapshot_data)
     engram_load(tmp_path)