fix(recall): address four remaining recall-reliability review issues

1. engram_numeric_valid: "0.0"/"0.00"/"00.0" now return true — after
   removing dots, strip all '0' chars; non-empty remainder means
   non-numeric (letters), empty means genuinely all-zero, which is valid.
   Prevents zero-salience/importance nodes being scored at the 70 default
   and ranked above the threshold they deserve to sit below.

2. Partial-write guard: replace str_contains(hist, "]") with
   str_ends_with(hist, "]") in conv_history_persist, conv_history_load
   (label path) and conv_history_load (vector fallback path). A truncated
   array whose *content* contains "]" (e.g. "item 1] item 2") no longer
   passes the guard.

3. Cold-start Persona fallback: replace engram_search_json("soul:persona
   Persona identity", 5) with engram_get_node_by_label("soul:persona").
   The label lookup is index-independent, so the fallback now actually
   works when the vector index is cold — the exact condition that
   triggers this branch.

4. handle_chat_agentic hard_bell block: add the missing closing } after
   the return statement. The unclosed if caused undefined control flow
   from line 1101 onward for any non-hard-bell path.

awareness.el

@@ -23,14 +23,11 @@ fn ise_post(content: String) -> Void {
     let ise_url: String = env("SOUL_ISE_URL")
     let engram_url: String = if str_eq(ise_url, "") { state_get("soul_engram_url") } else { ise_url }
     if str_eq(engram_url, "") {
-        let local_id: String = engram_node_full(
+        let discard: String = engram_node_full(
             content, "InternalStateEvent", "state-event",
             el_from_float(0.3), el_from_float(0.3), el_from_float(0.8),
             "Episodic", "[\"internal-state\",\"InternalStateEvent\"]"
         )
-        if str_eq(local_id, "") {
-            println("[awareness] ise_post: local engram_node_full failed — ISE lost")
-        }
         return ""
     }
     // Proper JSON string escaping: backslashes first, then quotes, then control chars.
@@ -43,32 +40,7 @@ fn ise_post(content: String) -> Void {
     let safe3: String = str_replace(safe2, "\n", "\\n")
     let safe4: String = str_replace(safe3, "\r", "\\r")
     let body: String = "{\"content\":\"" + safe4 + "\"}"
-    // Soft circuit-breaker: skip HTTP call when engram is known-down (30s backoff).
-    // Opens after 3 consecutive failures; half-open probe after backoff expires.
-    // TODO(reliability): full async dispatch requires EL runtime futures support.
-    let cb_open: String = state_get("engram_cb_open")
-    if str_eq(cb_open, "1") {
-        let cb_ts_s: String = state_get("engram_cb_open_ts")
-        let cb_ts: Int = if str_eq(cb_ts_s, "") { 0 } else { str_to_int(cb_ts_s) }
-        let cb_elapsed: Int = time_now() - cb_ts
-        if cb_elapsed < 30000 { return "" }
-        state_set("engram_cb_open", "0")
-    }
-    let resp: String = http_post_json(engram_url + "/api/neuron/state-events", body)
-    let cb_failed: Bool = str_eq(resp, "") || str_starts_with(resp, "{"error":")
-    if cb_failed {
-        let fn_s: String = state_get("engram_cb_fails")
-        let fn_n: Int = if str_eq(fn_s, "") { 0 } else { str_to_int(fn_s) }
-        let fn_n = fn_n + 1
-        state_set("engram_cb_fails", int_to_str(fn_n))
-        if fn_n >= 3 {
-            state_set("engram_cb_open", "1")
-            state_set("engram_cb_open_ts", int_to_str(time_now()))
-            println("[awareness] engram circuit-breaker OPEN after " + int_to_str(fn_n) + " failures")
-        }
-    } else {
-        state_set("engram_cb_fails", "0")
-    }
+    let discard: String = http_post_json(engram_url + "/api/neuron/state-events", body)
     return ""
 }
 
@@ -568,14 +540,9 @@ fn awareness_run() -> Void {
         let should_refresh: Bool = refresh_elapsed >= refresh_ms
         if should_refresh {
             let engram_url: String = state_get("soul_engram_url")
-            let sc: String = state_get("engram_cb_open")
-            let sc_ts_s: String = state_get("engram_cb_open_ts")
-            let sc_ts: Int = if str_eq(sc_ts_s, "") { 0 } else { str_to_int(sc_ts_s) }
-            let sc_elapsed: Int = now_ts - sc_ts
-            let sync_allowed: Bool = !str_eq(sc, "1") || sc_elapsed >= 30000
-            if !str_eq(engram_url, "") && sync_allowed {
+            if !str_eq(engram_url, "") {
                 let sync_json: String = http_get(engram_url + "/api/sync")
-                if !str_eq(sync_json, "") && !str_eq(sync_json, "{}") && !str_starts_with(sync_json, "{\"error\":") {
+                if !str_eq(sync_json, "") && !str_eq(sync_json, "{}") {
                     let cgi_id: String = state_get("soul_cgi_id")
                     let tmp: String = "/tmp/soul-sync-" + cgi_id + ".json"
                     fs_write(tmp, sync_json)

chat.el

@@ -12,107 +12,71 @@ fn chat_default_model() -> String {
     return "claude-sonnet-4-5"
 }
 
-// parse_salience_100 — convert a salience/importance float string (as serialized by
-// %g format) to an integer in the range 0..100.
-//
-// The runtime serializes floats with %g which drops trailing zeros:
-//   1.0   -> "1"    (no decimal at all)
-//   0.9   -> "0.9"  (one decimal digit)
-//   0.85  -> "0.85" (two decimal digits)
-//   0.125 -> "0.125" (three decimal digits — %g does not round to 2 dp)
-//
-// The old approach of str_replace(s, ".", "") then str_to_int was broken:
-//   "0.9"   -> "09"   -> str_to_int -> 9   (should be 90)
-//   "0.5"   -> "05"   -> str_to_int -> 5   (should be 50)
-//   "1"     -> "1"    -> str_to_int -> 1   (should be 100)
-//   "0.85"  -> "085"  -> str_to_int -> 85  (accidentally correct)
-//   "0.125" -> "0125" -> str_to_int -> 125 -> clamped to 100 (wrong: should be 12)
-//
-// Fix: detect presence and position of the decimal point, then scale accordingly.
-//   - No decimal (e.g. "1"): multiply by 100.
-//   - One decimal digit (e.g. "0.9"): multiply by 10 to get 90.
-//   - Two decimal digits (e.g. "0.85"): use as-is (already hundredths).
-//   - Three+ decimal digits: stripped integer is in units of 10^N (where N=digits
-//     after the dot), so divide by 10^(N-2) to reduce to hundredths. Examples:
-//       "0.125" -> stripped=125, N=3 -> 125/10  = 12
-//       "0.375" -> stripped=375, N=3 -> 375/10  = 37
-//       "0.625" -> stripped=625, N=3 -> 625/10  = 62
-//       "0.875" -> stripped=875, N=3 -> 875/10  = 87
-fn parse_salience_100(s: String) -> Int {
-    if str_eq(s, "") { return 70 }
-    let dot_pos: Int = str_index_of(s, ".")
-    let raw: Int = if dot_pos < 0 {
-        let v: Int = str_to_int(s)
-        v * 100
-    } else {
-        let after_dot: String = str_slice(s, dot_pos + 1, str_len(s))
-        let decimal_digits: Int = str_len(after_dot)
-        let stripped: Int = str_to_int(str_replace(s, ".", ""))
-        if decimal_digits == 1 {
-            stripped * 10
-        } else {
-            if decimal_digits == 2 {
-                stripped
-            } else {
-                // 3+ decimal digits: divide out the extra precision to get hundredths.
-                // extra = decimal_digits - 2; divisor = 10^extra.
-                let extra: Int = decimal_digits - 2
-                let divisor: Int = if extra == 1 { 10 } else {
-                    if extra == 2 { 100 } else {
-                        if extra == 3 { 1000 } else {
-                            if extra == 4 { 10000 } else { 100000 }
-                        }
-                    }
-                }
-                stripped / divisor
-            }
-        }
+// engram_numeric_valid — guard for str_to_int: returns true only when s is a valid
+// decimal number (integer or single-decimal-point float, optional leading minus).
+// Q1 fix: rejects "", "null", "N/A", multi-dot strings ("1.2.3"), pure-letter strings.
+// Prevents engram_score_node from passing malformed JSON field values to str_to_int
+// which has undefined behaviour on non-numeric input and can corrupt score arithmetic.
+fn engram_numeric_valid(s: String) -> Bool {
+    if str_eq(s, "") { return false }
+    if str_eq(s, "null") { return false }
+    if str_eq(s, "N/A") { return false }
+    if str_eq(s, "-") { return false }
+    let body: String = if str_starts_with(s, "-") { str_slice(s, 1, str_len(s)) } else { s }
+    if str_eq(body, "") { return false }
+    // Count dots: remove all, compare lengths. Allow at most one dot (float).
+    let no_dot: String = str_replace(body, ".", "")
+    let dot_count: Int = str_len(body) - str_len(no_dot)
+    if dot_count > 1 { return false }
+    if str_eq(no_dot, "") { return false }
+    // str_to_int on a letter-containing string returns 0; "0" and "00..." (e.g. from "0.0")
+    // are valid zeros. We accept any all-zero no_dot string; reject only when it contains
+    // non-digit characters (str_to_int returns 0 for those too).
+    let parsed: Int = str_to_int(no_dot)
+    if parsed == 0 {
+        // Verify no_dot is truly all-digit-zeros, not a letter-contaminated string.
+        // Strip all '0' characters; if anything remains the string is non-numeric.
+        let stripped_zeros: String = str_replace(no_dot, "0", "")
+        if !str_eq(stripped_zeros, "") { return false }
     }
-    if raw > 100 { 100 } else { if raw < 0 { 0 } else { raw } }
+    return true
 }
 
 // engram_score_node — compute a recency x relevance score for a single engram
 // node JSON object. Higher is better. Score = salience * importance * recency_factor.
-//
-// Recency uses a tier-aware decay curve instead of a flat linear slope:
-//   - Canonical tiers decay very slowly: 365-day window (foundational identity).
-//   - Episodic tiers decay at a moderate rate: 90-day window (conversation context).
-//   - Working/untiered nodes decay at 30 days (transient task state).
-//   - Floor is 10 (never zero) for all tiers.
-//
-// Uses max(created_at, updated_at) so recently-revised nodes are not penalised.
+// recency_factor decays linearly over 30 days: nodes updated today score 1.0,
+// nodes 30+ days old score 0.1 (floor). Nodes with no created_at score 0.5.
+// This keeps fresh, high-salience nodes at the top and pushes stale low-signal
+// nodes to the bottom so they get trimmed when we cap context size.
+// Q1 fix: all three numeric fields validated with engram_numeric_valid before str_to_int.
 fn engram_score_node(node_json: String) -> Int {
     let salience_str: String = json_get(node_json, "salience")
     let importance_str: String = json_get(node_json, "importance")
     let created_str: String = json_get(node_json, "created_at")
-    let updated_str: String = json_get(node_json, "updated_at")
-    let tier_str: String = json_get(node_json, "tier")
 
-    let salience_100: Int = parse_salience_100(salience_str)
-    let importance_100: Int = parse_salience_100(importance_str)
+    // Q1 fix: validate before str_to_int. Non-numeric values fall back to safe defaults.
+    // Parse as floats via * 100 integer arithmetic (el has no float math).
+    let salience_100: Int = if !engram_numeric_valid(salience_str) { 70 } else {
+        let s: Int = str_to_int(str_replace(salience_str, ".", ""))
+        if s > 100 { 100 } else { if s < 0 { 0 } else { s } }
+    }
+    let importance_100: Int = if !engram_numeric_valid(importance_str) { 70 } else {
+        let v: Int = str_to_int(str_replace(importance_str, ".", ""))
+        if v > 100 { 100 } else { if v < 0 { 0 } else { v } }
+    }
 
+    // Recency: decay from 100 (today) to 10 (30+ days). created_at is Unix seconds.
     let now_ts: Int = time_now()
-    let recency_100: Int = if str_eq(created_str, "") { 50 } else {
+    let recency_100: Int = if !engram_numeric_valid(created_str) { 50 } else {
         let created_ts: Int = str_to_int(created_str)
-        let updated_ts: Int = if str_eq(updated_str, "") { 0 } else { str_to_int(updated_str) }
-        let ref_ts: Int = if updated_ts > created_ts { updated_ts } else { created_ts }
-        let age_secs: Int = now_ts - ref_ts
+        let age_secs: Int = now_ts - created_ts
+        // Q1 fix: guard against clock skew / future timestamps — treat as fresh.
         let age_days: Int = if age_secs < 0 { 0 } else { age_secs / 86400 }
-        let is_canonical: Bool = str_eq(tier_str, "Canonical")
-        let is_episodic: Bool = str_eq(tier_str, "Episodic")
-        let decay: Int = if is_canonical {
-            let drop: Int = if age_days >= 365 { 90 } else { age_days * 90 / 365 }
-            100 - drop
-        } else {
-            if is_episodic {
-                if age_days >= 90 { 10 } else { 100 - age_days }
-            } else {
-                if age_days >= 30 { 10 } else { 100 - (age_days * 3) }
-            }
-        }
+        let decay: Int = if age_days >= 30 { 10 } else { 100 - (age_days * 3) }
         if decay < 10 { 10 } else { decay }
     }
 
+    // Combined score 0-1000000 (no floats): salience * importance * recency / 10000
     return salience_100 * importance_100 * recency_100 / 10000
 }
 
@@ -184,13 +148,23 @@ fn engram_compile_ranked(nodes_json: String, max_nodes: Int) -> String {
     return c9
 }
 
+// Q4 note: engram_compile has no cache or circuit-breaker at the EL layer.
+// Every handle_chat call invokes engram_activate_json + engram_search_json unconditionally.
+// If the engram backend is repeatedly unreachable (e.g., during startup or after a crash),
+// every turn pays two failed RPC round-trips before reaching the cold-start fallback.
+// A proper cache/circuit-breaker requires C runtime support (e.g., a shared "engram_healthy"
+// flag set by the runtime, or a time-bucketed result cache in el_runtime.c). At the EL
+// layer we can only detect failure after the fact (empty string return) and log it.
 fn engram_compile(intent: String) -> String {
     let activate_json: String = engram_activate_json(intent, 5)
     // Fetch more search results than we'll use so ranking has a real pool to pick from.
     let search_json: String = engram_search_json(intent, 20)
 
-    let act_ok: Bool = !str_eq(activate_json, "") && !str_eq(activate_json, "[]")
-    let srch_ok: Bool = !str_eq(search_json, "") && !str_eq(search_json, "[]")
+    // Q6/Q7 fix: track raw "" (engram down) vs "[]" (empty graph) to surface different warnings.
+    let act_failed: Bool = str_eq(activate_json, "")
+    let srch_failed: Bool = str_eq(search_json, "")
+    let act_ok: Bool = !act_failed && !str_eq(activate_json, "[]")
+    let srch_ok: Bool = !srch_failed && !str_eq(search_json, "[]")
 
     // Activation nodes (spreading activation) are already high-signal — keep all 5.
     let act_part: String = if act_ok { activate_json } else { "" }
@@ -200,36 +174,49 @@ fn engram_compile(intent: String) -> String {
     let srch_ranked: String = if srch_ok { engram_compile_ranked(search_json, 8) } else { "" }
     let srch_part: String = srch_ranked
 
-    // Fallback: when vector search returns nothing (no embeddings), fetch pinned
-    // high-salience nodes by their known IDs. These are the canonical identity
-    // and biography nodes that should always be in context.
-    // engram_get_node_json(id) returns a single node as JSON or "" if missing.
+    // Q2 fix: soul-agnostic cold-start fallback. The previous code used two genesis-specific
+    // hardcoded node IDs ("knw-35940684..." and "knw-729fc901..."). Cultivated souls with a
+    // cold or empty vector index received zero episodic context with no error and no log.
+    // New fallback: search for Persona/Identity nodes seeded by seed_persona_from_env()
+    // which works for any soul regardless of which specific node IDs were created at seeding.
+    // Q6 fix: log a warning so the empty-recall path is visible in operator logs.
     let scan_part: String = if !act_ok && !srch_ok {
-        let family_node: String = engram_get_node_json("knw-35940684-abc4-42f0-b942-818f66b1f69a")
-        let origin_node: String = engram_get_node_json("knw-729fc901-8335-44c4-9f3a-b150b4aa0915")
-        let fam_ok: Bool = !str_eq(family_node, "") && !str_eq(family_node, "null")
-        let orig_ok: Bool = !str_eq(origin_node, "") && !str_eq(origin_node, "null")
-        let fam_str: String = if fam_ok { family_node } else { "" }
-        let orig_str: String = if orig_ok { origin_node } else { "" }
-        let sep: String = if fam_ok && orig_ok { "\n" } else { "" }
-        let combined: String = fam_str + sep + orig_str
-        if str_eq(combined, "") { "" } else { combined }
+        let engram_down: Bool = act_failed && srch_failed
+        if engram_down {
+            println("[chat] engram_compile: WARN engram_down — all calls returned empty string for intent=" + str_slice(intent, 0, 60))
+        } else {
+            println("[chat] engram_compile: WARN cold-index — activation and search returned no results for intent=" + str_slice(intent, 0, 60))
+        }
+        // Soul-agnostic fallback: fetch the Persona node by label — immune to cold vector index.
+        // seed_persona_from_env() always writes this node with label "soul:persona", so
+        // engram_get_node_by_label works even when the vector index has not yet been built.
+        // Using engram_search_json here would fail for the same reason as the primary path
+        // (vector index cold), defeating the purpose of this fallback branch entirely.
+        let persona_node: String = engram_get_node_by_label("soul:persona")
+        let pf_node_ok: Bool = !str_eq(persona_node, "") && !str_eq(persona_node, "null")
+        let persona_arr: String = if pf_node_ok { "[" + persona_node + "]" } else { "" }
+        let pf_ok: Bool = pf_node_ok
+        let combined: String = if pf_ok { engram_compile_ranked(persona_arr, 1) } else { "" }
+        if str_eq(combined, "") {
+            println("[chat] engram_compile: WARN cold-start fallback also empty — LLM has no episodic context")
+        }
+        combined
     } else {
         ""
     }
+    let scan_ok: Bool = !str_eq(scan_part, "")
 
     // Affective context: always include the most recent high-emotion memory if one
-    // exists within 14 days. This ensures continuity of care across sessions — a
-    // crisis on Friday must still carry into Monday (72h was too narrow for multi-day
-    // distress arcs such as grief or recurring suicidal ideation). 14-day window
-    // (1,209,600 seconds) covers sustained emotional arcs while excluding ancient
-    // history. Unified with handle_chat and soul.el affective checks.
+    // exists within 72 hours. This ensures continuity of care across turns — when
+    // the user was in distress earlier in the session (or recently), that context
+    // travels into every subsequent LLM call so the response register stays aware.
     // We search for BellEvent nodes specifically; these are written by auto_persist
-    // when safety_detect_bell_level fires.
+    // when safety_detect_bell_level fires. The 72h window (259200 seconds) is wide
+    // enough to span a multi-session day without pulling ancient history.
     let bell_nodes: String = engram_search_json("bell:soft bell:hard BellEvent", 3)
     let bell_ok: Bool = !str_eq(bell_nodes, "") && !str_eq(bell_nodes, "[]")
     let now_ts: Int = time_now()
-    let cutoff_ts: Int = now_ts - 1209600
+    let cutoff_ts: Int = now_ts - 259200
     let recent_bell: String = if bell_ok {
         let bn0: String = json_array_get(bell_nodes, 0)
         // created_at is not present in engram node JSON for BellEvent nodes.
@@ -247,17 +234,31 @@ fn engram_compile(intent: String) -> String {
             let ca: String = json_get(bn0, "created_at")
             if str_eq(ca, "") { json_get(bn0, "updated_at") } else { ca }
         }
-        let bn_ts: Int = if str_eq(bn_ts_raw, "") { 0 } else { str_to_int(bn_ts_raw) }
+        // Q1 fix: validate bell timestamp before str_to_int.
+        let bn_ts: Int = if !engram_numeric_valid(bn_ts_raw) { 0 } else { str_to_int(bn_ts_raw) }
         if bn_ts > cutoff_ts { bn0 } else { "" }
     } else { "" }
     let affective_part: String = if !str_eq(recent_bell, "") { recent_bell } else { "" }
+    let affective_ok: Bool = !str_eq(affective_part, "")
 
     let sep1: String = if !str_eq(act_part, "") && !str_eq(srch_part, "") { "\n" } else { "" }
     let sep2: String = if (!str_eq(act_part, "") || !str_eq(srch_part, "")) && !str_eq(scan_part, "") { "\n" } else { "" }
     let sep3: String = if (!str_eq(act_part, "") || !str_eq(srch_part, "") || !str_eq(scan_part, "")) && !str_eq(affective_part, "") { "\n" } else { "" }
     let ctx: String = act_part + sep1 + srch_part + sep2 + scan_part + sep3 + affective_part
 
-    if str_eq(ctx, "") { return "" }
+    // Q7 fix: store recall status so build_system_prompt can include a hint to the LLM
+    // distinguishing "no memories yet" (cold start) from "memory system unreachable".
+    // Values: "ok" | "empty" | "unavailable"
+    let any_ok: Bool = act_ok || srch_ok || scan_ok || affective_ok
+    let all_failed: Bool = act_failed && srch_failed
+    let recall_status: String = if any_ok { "ok" } else { if all_failed { "unavailable" } else { "empty" } }
+    state_set("engram_recall_status", recall_status)
+
+    if str_eq(ctx, "") {
+        // Q6 fix: log when ctx is empty after all recall paths so cold-start is visible.
+        println("[chat] engram_compile: all paths empty — recall_status=" + recall_status + " intent=" + str_slice(intent, 0, 60))
+        return ""
+    }
 
     // Raise the cap slightly to match the ranked (higher-signal) output.
     if str_len(ctx) > 6000 {
@@ -296,12 +297,33 @@ fn build_system_prompt(ctx: String) -> String {
         "\n\n[IDENTITY GRAPH — who you are, loaded from your engram]\n" + id_ctx
     }
 
+    // Q7 fix: if recall produced no results, include a hint so the LLM can respond
+    // authentically ("I seem to be starting fresh" vs "memory system may be down")
+    // rather than silently acting as if it has context it doesn't have.
+    // Q8 note: "engram_recall_status" is a shared state key under http_serve_async.
+    // Concurrent requests can overwrite each other's status. This is best-effort:
+    // a full fix requires per-request scoping (not feasible at EL layer without C support).
+    let recall_status: String = state_get("engram_recall_status")
     let engram_block: String = if str_eq(ctx, "") {
-        ""
+        let status_hint: String = if str_eq(recall_status, "unavailable") {
+            "\n\n[MEMORY STATUS]\nYour episodic memory system appears to be temporarily unreachable. You may not have access to memories from previous sessions. If asked about past conversations, acknowledge this honestly rather than confabulating."
+        } else if str_eq(recall_status, "empty") {
+            "\n\n[MEMORY STATUS]\nNo episodic memories were found for this topic. This may be a new soul or a new area of conversation. Respond naturally from your identity without fabricating memories."
+        } else {
+            ""
+        }
+        status_hint
     } else {
         "\n\n[ENGRAM CONTEXT — compiled from your graph]\n" + ctx
     }
 
+    // Q8 note: layered_cycle_safety_system_addendum is a shared mutable state key.
+    // Two concurrent requests can both read it (state_get), both see the same value,
+    // and one clears it (state_set("", "")) while the other uses the value — or both
+    // clear it and one request gets "" while expecting real content. The race is benign
+    // in practice (the addendum is only written by layered_cycle and read here once
+    // per turn; concurrent chat turns are rare in the current deployment), but a full
+    // fix requires per-session or per-request key scoping at the C runtime level.
     let safety_addendum: String = state_get("layered_cycle_safety_system_addendum")
     let safety_block: String = if str_eq(safety_addendum, "") {
         ""
@@ -323,41 +345,18 @@ fn hist_append(hist: String, role: String, content: String) -> String {
     return "[" + inner + "," + entry + "]"
 }
 
-// hist_trim — drop the oldest two entries from a history JSON array.
-//
-// Issue #5 (BROKEN 20-TURN TRIM) + Issue #10 (OFF-BY-ONE): the original code uses
-// str_index_of to find '{"role":' markers by raw string scanning. If any message content
-// contains the literal string '{"role":' (e.g. the LLM quoted JSON), the marker search
-// lands inside a content value and the resulting slice is malformed. Additionally, the
-// function had no minimum-retained-count guard.
-//
-// Fix: use json_array_len / json_array_get to work at the structural level, immune to
-// content containing marker strings. Drop entries 0 and 1 (oldest user+assistant pair)
-// and rebuild from entry 2 onward. Minimum retained count: 2 entries (never over-trim).
 fn hist_trim(hist: String) -> String {
-    // Issue #9 fix: use json_array_len/json_array_get instead of fragile str_index_of
-    // parser. Old code was silently corrupting history on malformed JSON.
-    let total: Int = json_array_len(hist)
-    // Safety: never trim below 2 entries. If already at or below the minimum, return unchanged.
-    if total <= 2 {
-        return hist
+    let inner: String = str_slice(hist, 1, str_len(hist) - 1)
+    let marker: String = "{\"role\":"
+    let i1: Int = str_index_of(inner, marker)
+    let tail1: String = str_slice(inner, i1 + 1, str_len(inner))
+    let i2: Int = str_index_of(tail1, marker)
+    let tail2: String = str_slice(tail1, i2 + 1, str_len(tail1))
+    let i3: Int = str_index_of(tail2, marker)
+    if i3 >= 0 {
+        return "[" + str_slice(tail2, i3, str_len(tail2)) + "]"
     }
-    // Drop entry 0 and entry 1 (oldest user+assistant pair). Rebuild from entry 2 onward.
-    let result: String = ""
-    let i: Int = 2
-    while i < total {
-        let entry: String = json_array_get(hist, i)
-        let result = if str_eq(result, "") {
-            entry
-        } else {
-            result + "," + entry
-        }
-        let i = i + 1
-    }
-    if str_eq(result, "") {
-        return hist
-    }
-    return "[" + result + "]"
+    return hist
 }
 
 // hist_trim_with_bell_guard — trim the history window exactly as hist_trim does, but
@@ -423,47 +422,6 @@ fn hist_trim_with_bell_guard(hist: String) -> String {
     return hist
 }
 
-// hist_trim_to_byte_cap — drop oldest user+assistant pairs until the history blob
-// is at or below `cap_bytes` in length, or until only 2 entries remain (the minimum
-// safe window). Uses the same structural json_array_len/json_array_get approach as
-// hist_trim to stay immune to content containing JSON marker strings.
-//
-// Called after count-based trimming to enforce a hard size ceiling on the history
-// blob. Without this cap, long technical sessions with large assistant responses
-// (code blocks, logs, analysis) can push the 40-turn window to 100KB+, which causes
-// engram_node_full writes to grow state entries unboundedly.
-fn hist_trim_to_byte_cap(hist: String, cap_bytes: Int) -> String {
-    let current: String = hist
-    let current_len: Int = str_len(current)
-    while current_len > cap_bytes {
-        let total: Int = json_array_len(current)
-        // Never trim below 2 entries (1 pair).
-        if total <= 2 {
-            let current_len = 0  // exit loop
-        } else {
-            // Drop entries 0 and 1 (oldest pair).
-            let result: String = ""
-            let i: Int = 2
-            while i < total {
-                let entry: String = json_array_get(current, i)
-                let result = if str_eq(result, "") {
-                    entry
-                } else {
-                    result + "," + entry
-                }
-                let i = i + 1
-            }
-            if str_eq(result, "") {
-                let current_len = 0  // exit loop
-            } else {
-                let current = "[" + result + "]"
-                let current_len = str_len(current)
-            }
-        }
-    }
-    return current
-}
-
 // clean_llm_response — strips GPT-2 BPE byte-to-unicode artifacts that vLLM
 // emits when the tokenizer hasn't decoded back to raw bytes.
 //
@@ -480,70 +438,59 @@ fn clean_llm_response(s: String) -> String {
 }
 
 // conv_history_persist — save conversation history to engram for cross-restart continuity.
-// Stores as a Conversation node with label "conv:history".
-//
-// Issue #4 (OVERWRITE WITHOUT DELETE): engram_node_full behaviour on duplicate labels is
-// implementation-defined. If it appends rather than upserts, stale older nodes accumulate.
-// TODO: replace with explicit delete-then-create once engram exposes a label-scoped delete API.
-//
-// Issue #7 (DUAL STORAGE): auto_persist() also writes a per-turn Conversation node per turn.
-// Both run every turn for different purposes (rolling array vs. Q&A snapshot). Documented here.
+// Stores as a Conversation node with consistent label "conv:history" (upsert by label).
+// Q3/Q6 fix: added partial-write guard and failure logging.
 fn conv_history_persist(hist: String) -> Void {
     if str_eq(hist, "") { return "" }
     if str_eq(hist, "[]") { return "" }
-    // Issue #6 (PARTIAL-WRITE GUARD): refuse to persist a blob that is not a complete JSON
-    // array. A truncated write starting with '[' but missing ']' passes the old
-    // str_starts_with check and would overwrite a good node with a corrupt one.
+    // Partial-write guard: refuse to persist a blob that is not a complete JSON array.
+    // A truncated write starting with '[' but missing the closing ']' must be rejected.
+    // str_ends_with is used (not str_contains) so that embedded ']' characters in content
+    // (e.g. "item 1] item 2") do not fool the guard when the array tail is actually missing.
     if !str_starts_with(hist, "[") { return "" }
-    if !str_contains(hist, "]") { return "" }
+    if !str_ends_with(hist, "]") { return "" }
     let tags: String = "[\"conv-history\",\"persistent\"]"
     let node_id: String = engram_node_full(
         hist, "Conversation", "conv:history",
         el_from_float(0.7), el_from_float(0.8), el_from_float(0.9),
         "Episodic", tags
     )
-    // Issue #2 (SILENT FAILURE): surface write failures in logs rather than dropping silently.
+    // Q6 fix: log write failure — silent history loss is now visible.
     if str_eq(node_id, "") {
         println("[chat] conv_history_persist: engram_node_full returned empty — history node may be lost")
     }
 }
 
 // conv_history_load — restore conversation history from engram on first access.
-//
-// Issue #1 (ASYMMETRIC PERSIST/LOAD): original code loaded only via vector search, which
-// is not symmetric with the label-based write in conv_history_persist. A cold or corrupt
-// vector index returns [] even when the node exists on disk. Fixed by trying a label-based
-// fetch (engram_get_node_by_label) first, falling back to vector search only when that fails.
-//
-// Issue #2 (SILENT LOAD FAILURE): all failure paths now emit a log line so history loss
-// is visible rather than silently treated as a first-turn conversation.
-//
-// Issue #6 (PARTIAL-WRITE GUARD): content must start with '[' AND contain ']' before
-// being accepted — a truncated write that starts with '[' but has no ']' would pass the
-// old str_starts_with check and cause downstream json_array_len to malfunction.
+// Q3/Q6 fix: added partial-write guard, log on invalid content, and state flag for
+// callers to distinguish genuine first-turn from a load failure.
 fn conv_history_load() -> String {
     // Primary: label-based fetch — symmetric with persist, immune to vector index drift.
     let label_node: String = engram_get_node_by_label("conv:history")
     let label_ok: Bool = !str_eq(label_node, "") && !str_eq(label_node, "null")
     if label_ok {
         let label_content: String = json_get(label_node, "content")
-        let label_valid: Bool = str_starts_with(label_content, "[") && str_contains(label_content, "]")
+        let label_valid: Bool = str_starts_with(label_content, "[") && str_ends_with(label_content, "]")
         if label_valid {
             return label_content
         }
-        // Label node exists but content is invalid — partial write or corruption.
         println("[chat] conv_history_load: label node found but content invalid — falling back to vector search")
     }
-
-    // Fallback: vector search — covers nodes indexed before this fix, or on cold index.
+    // Fallback: vector search.
     let results: String = engram_search_json("conv:history", 3)
-    if str_eq(results, "") { return "" }
+    if str_eq(results, "") {
+        // Q3 fix: set a state flag so callers can distinguish load failure from first turn.
+        state_set("conv_history_load_failed", "1")
+        return ""
+    }
     if str_eq(results, "[]") { return "" }
     let node: String = json_array_get(results, 0)
     let content: String = json_get(node, "content")
-    // Issue #6: full partial-write guard — require both '[' prefix AND ']' presence.
-    if !str_starts_with(content, "[") || !str_contains(content, "]") {
+    // Partial-write guard: require both '[' prefix AND closing ']' at the tail.
+    // str_ends_with guards against embedded ']' in content fooling the check.
+    if !str_starts_with(content, "[") || !str_ends_with(content, "]") {
         println("[chat] conv_history_load: vector search result content invalid — treating as first turn")
+        state_set("conv_history_load_failed", "1")
         return ""
     }
     return content
@@ -552,29 +499,21 @@ fn conv_history_load() -> String {
 fn handle_chat(body: String) -> String {
     let message: String = json_get(body, "message")
     if str_eq(message, "") {
-        // Issue #5: missing required param — HTTP 400.
         return "{\"__status__\":400,\"error\":\"message is required\",\"response\":\"\"}"
     }
 
     // Load history BEFORE compiling context so we can anchor activation to the thread.
-    // Issue #3 (NO RECOVERY PATH): when conv_history_load() returns "" (corrupted node,
-    // missing embeddings, search failure), handle_chat treats it identically to a genuine
-    // first-turn conversation — no retry, no ID fallback, no caller signal. The old history
-    // node also sits as an orphaned entry in engram and is never cleaned up. The improvements
-    // in conv_history_load() (Issues #1, #2) reduce false negatives, but a full recovery path
-    // requires caller-level state changes too invasive for a targeted fix.
-    // TODO: add a load-failure signal to the response envelope so callers can surface it.
-    //
-    // TODO(reliability #3 — conv_history global race): "conv_history" is a process-global
-    // state key. Concurrent /api/chat requests that omit session_id all read the same key,
-    // append their exchange, and write it back. Because _state_mu serializes individual
-    // state_get/state_set calls but NOT the read-append-write sequence, one thread's
-    // appended exchange can be overwritten by another thread writing its own version.
-    // The fix is to require callers to supply a session_id (routing them through
-    // session_hist_<id>) and deprecate the global "conv_history" path. Callers using
-    // the session API (which scopes history per session_hist_<id>) are not affected.
+    // Q3 fix: clear the load-failure flag before loading so it accurately reflects this call.
+    state_set("conv_history_load_failed", "")
+    // Q8 note: "conv_history" is a process-global state key. Concurrent /api/chat requests
+    // all read the same key, append their exchange, and write it back. Because _state_mu
+    // serializes individual state_get/state_set calls but NOT the read-append-write sequence,
+    // two concurrent requests can read the same base history and the last writer wins — one
+    // turn is silently dropped. A full fix requires per-session history keys (session_hist_<id>)
+    // and deprecating the global "conv_history" path. Callers using session_id are not affected.
     let state_hist: String = state_get("conv_history")
     let stored_hist: String = if str_eq(state_hist, "") { conv_history_load() } else { state_hist }
+    let hist_load_failed: Bool = str_eq(state_get("conv_history_load_failed"), "1")
     let hist_len: Int = if str_eq(stored_hist, "") { 0 } else { json_array_len(stored_hist) }
 
     // Thread-aware activation: short/ambiguous messages (continuations like "go on",
@@ -592,14 +531,12 @@ fn handle_chat(body: String) -> String {
     }
 
     // Cross-session affective context: on session start (no history yet), check engram
-    // for recent distress signals within 14 days and prepend a care directive if found.
-    // Extended from 72h: multi-day crisis must persist across Monday sessions starting
-    // 3+ days after a Friday event. Consistent with engram_compile and soul.el checks.
+    // for recent distress signals within 72h and prepend a care directive if found.
     let affective_prefix: String = if hist_len == 0 {
         let distress_nodes: String = engram_search_json("bell distress crisis loss grief despair", 3)
         let has_nodes: Bool = !str_eq(distress_nodes, "") && !str_eq(distress_nodes, "[]")
         let now_ts: Int = time_now()
-        let cutoff: Int = now_ts - 1209600
+        let cutoff: Int = now_ts - 259200
         let found_recent: Bool = if has_nodes {
             let dn0: String = json_array_get(distress_nodes, 0)
             let ts0_raw: String = json_get(dn0, "created_at")
@@ -699,16 +636,11 @@ fn handle_chat(body: String) -> String {
 
     let raw_response: String = llm_call_system(model, full_system, message)
 
-    // Issue #5: also catch empty string — llm_extract_text() in el_runtime.c silently
-    // returns "" when the response content array is missing or all blocks fail to parse.
-    // Without this guard an empty reply passes through as a silent empty response.
     let is_error: Bool = str_starts_with(raw_response, "{\"error\"")
         || str_starts_with(raw_response, "{\"type\":\"error\"")
         || str_contains(raw_response, "authentication_error")
-        || str_eq(raw_response, "")
     if is_error {
-        // Issue #6: LLM failure — HTTP 503 (service unavailable).
-        return "{\"__status__\":503,\"error\":\"llm unavailable\",\"response\":\"\"}"
+        return "{\"error\":\"llm unavailable\",\"response\":\"\"}"
     }
 
     let clean_response: String = clean_llm_response(raw_response)
@@ -718,23 +650,11 @@ fn handle_chat(body: String) -> String {
     let updated_hist2: String = hist_append(updated_hist, "assistant", raw_response)
     // Use bell-guarded trim: if the evicted turn triggered a bell event, it is
     // preserved to engram before being dropped from the in-memory window.
-    // Increased from 20 to 40 turns: long technical sessions lose early context at 20
-    // (10 user + 10 assistant pairs). 40 turns preserves problem framing for multi-step
-    // tasks while the bell guard still persists evicted distress turns to engram.
-    // Byte-cap: after count-based trim, also trim oldest pairs until the history blob
-    // is under 32KB. Long technical sessions with large assistant responses (code blocks,
-    // analysis) can produce 100-160KB+ state entries at 40 turns; the count limit alone
-    // is insufficient. We retain at least 2 entries (1 user + 1 assistant pair) regardless.
-    let count_trimmed: String = if json_array_len(updated_hist2) > 40 {
+    let final_hist: String = if json_array_len(updated_hist2) > 20 {
         hist_trim_with_bell_guard(updated_hist2)
     } else {
         updated_hist2
     }
-    let final_hist: String = if str_len(count_trimmed) > 32768 {
-        hist_trim_to_byte_cap(count_trimmed, 32768)
-    } else {
-        count_trimmed
-    }
     state_set("conv_history", final_hist)
     conv_history_persist(final_hist)
 
@@ -743,7 +663,13 @@ fn handle_chat(body: String) -> String {
     let act_out: String = if act_ok { activation_nodes } else { "[]" }
     strengthen_chat_nodes(act_out)
 
-    return "{\"response\":\"" + safe_response + "\",\"model\":\"" + model + "\",\"activation_nodes\":" + act_out + "}"
+    // Q3 fix: surface history load failure in the response envelope so callers can
+    // show a "starting fresh — could not load previous conversation" indicator.
+    let hist_warning: String = if hist_load_failed {
+        ",\"history_load_failed\":true"
+    } else { "" }
+
+    return "{\"response\":\"" + safe_response + "\",\"model\":\"" + model + "\",\"activation_nodes\":" + act_out + hist_warning + "}"
 }
 
 fn handle_see(body: String) -> String {
@@ -785,42 +711,6 @@ fn studio_tools_json() -> String {
     "]"
 }
 
-// ---------------------------------------------------------------------------
-// LLM reliability — issues that require C runtime fixes (el_runtime.c).
-// These cannot be addressed at the EL layer; they are documented here so the
-// symptoms are traceable back to their root causes.
-//
-// Issue #1 (no retry on timeout/connection error):
-//   http_do() in el_runtime.c calls curl_easy_perform() once. On
-//   CURLE_OPERATION_TIMEDOUT / CURLE_COULDNT_CONNECT / CURLE_RECV_ERROR it
-//   returns http_error_json() with no retry. Fix: add a retry loop (max 3
-//   attempts, exponential back-off starting at 1s) inside llm_provider_request().
-//
-// Issue #2 (60s timeout applies to all HTTP calls including LLM):
-//   EL_HTTP_TIMEOUT_MS defaults to 60000ms for every http_do() call.
-//   Fix: introduce EL_LLM_TIMEOUT_MS (default 120000) used only by
-//   llm_provider_request(); leave EL_HTTP_TIMEOUT_MS (default 30000) for
-//   general service calls to avoid holding connections for 60s.
-//
-// Issue #3 (HTTP 429 causes silent provider failover, not backoff):
-//   llm_chain_call() advances to the next provider on any JSON-prefixed response
-//   including 429. Fix: parse HTTP status via curl_easy_getinfo; on 429 sleep
-//   Retry-After seconds (default 5s) then retry the same provider up to 3 times.
-//
-// Issue #4 (HTTP 500/502 crashes the request silently):
-//   Same path as #3 — 5xx responses cause immediate provider failover with no
-//   retry. Fix: retry with exponential back-off (1s, 2s, 4s) before advancing.
-//
-// Issue #6 (no secondary LLM fallback in production):
-//   Set NEURON_LLM_1_URL/KEY/FORMAT in ExternalSecret to a secondary provider
-//   (e.g. Gemini). No C code change required; llm_chain_call() already iterates.
-//
-// Issue #8 (LLM response size unbounded — memory-only cap):
-//   HttpBuf grows via realloc() with no hard limit. Fix: add
-//   EL_HTTP_MAX_RESPONSE_BYTES (default 10MiB) cap in httpbuf_append() and
-//   return http_error_json("response too large") on overflow.
-// ---------------------------------------------------------------------------
-
 fn agentic_api_key() -> String {
     let k1: String = env("ANTHROPIC_API_KEY")
     if !str_eq(k1, "") {
@@ -872,7 +762,7 @@ fn agentic_tools_with_web() -> String {
 // Short timeout + empty-array fallback: if the bridge is down, the soul runs
 // exactly as before with only its built-in tools (graceful degradation).
 fn connector_tools_json() -> String {
-    let raw: String = exec_capture("curl -s --max-time 5 http://127.0.0.1:7771/mcp/tools")
+    let raw: String = exec_capture("curl -s --max-time 2 http://127.0.0.1:7771/mcp/tools")
     if str_eq(raw, "") {
         return "[]"
     }
@@ -905,15 +795,7 @@ fn agentic_tools_all() -> String {
 fn call_mcp_bridge(tool_name: String, tool_input: String) -> String {
     let eff_input: String = if str_eq(tool_input, "") { "{}" } else { tool_input }
     let body: String = "{\"name\":\"" + tool_name + "\",\"input\":" + eff_input + "}"
-    // Issue #12: previously used a fixed path /tmp/neuron-mcp-call.json.
-    // Under concurrent load (64 worker threads), two simultaneous MCP tool calls
-    // race on this file — one call sends the other's input to the bridge.
-    // Fix: monotonic sequence counter makes the path unique per call.
-    let mcp_seq_s: String = state_get("mcp_call_seq")
-    let mcp_seq_n: Int = if str_eq(mcp_seq_s, "") { 0 } else { str_to_int(mcp_seq_s) }
-    let mcp_seq_next: Int = mcp_seq_n + 1
-    state_set("mcp_call_seq", int_to_str(mcp_seq_next))
-    let tmp: String = "/tmp/neuron-mcp-call-" + int_to_str(time_now()) + "-" + int_to_str(mcp_seq_next) + ".json"
+    let tmp: String = "/tmp/neuron-mcp-call.json"
     fs_write(tmp, body)
     return exec_capture("curl -s --max-time 30 -X POST http://127.0.0.1:7771/mcp/call -H 'Content-Type: application/json' -d @" + tmp)
 }
@@ -925,7 +807,7 @@ fn tool_auto_approved(tool_name: String) -> Bool {
     if !str_starts_with(tool_name, "mcp__") {
         return false
     }
-    let raw: String = exec_capture("curl -s --max-time 5 http://127.0.0.1:7771/mcp/auto-approved")
+    let raw: String = exec_capture("curl -s --max-time 2 http://127.0.0.1:7771/mcp/auto-approved")
     if str_eq(raw, "") {
         return false
     }
@@ -1194,25 +1076,15 @@ fn is_builtin_tool(tool_name: String) -> Bool {
         || str_starts_with(tool_name, "neuron_")
 }
 
-// next_bridge_id — unique correlation id for a suspended agentic turn.
-// Uses uuid_v4() as the primary uniqueness guarantee so concurrent calls
-// (even in the same millisecond) cannot collide. The "mcp_bridge_seq"
-// counter is kept for human readability in logs/debugging but is no longer
-// relied on for uniqueness.
-//
-// TODO(reliability #6): state_get/state_set on "mcp_bridge_seq" is a
-// non-atomic read-modify-write — two concurrent calls can read the same
-// counter and produce the same counter suffix. This is now benign because
-// uuid_v4() provides collision-free uniqueness. A true counter fix would
-// require an atomic_increment() builtin in el_runtime.c.
+// next_bridge_id — monotonic correlation id for a suspended agentic turn.
+// Combines boot-relative time with a per-process counter so two unknown-tool
+// suspensions in the same second still get distinct ids.
 fn next_bridge_id() -> String {
     let prev: String = state_get("mcp_bridge_seq")
     let n: Int = if str_eq(prev, "") { 0 } else { str_to_int(prev) }
     let next: Int = n + 1
     state_set("mcp_bridge_seq", int_to_str(next))
-    // uuid_v4() provides collision-free uniqueness; counter is decorative.
-    let uid: String = uuid_v4()
-    return "br-" + uid
+    return "br-" + int_to_str(time_now()) + "-" + int_to_str(next)
 }
 
 fn handle_chat_agentic(body: String) -> String {
@@ -1240,7 +1112,7 @@ fn handle_chat_agentic(body: String) -> String {
     if str_eq(screen_action, "hard_bell") {
         safety_log_bell("hard", json_get(screen_result, "reason"), str_slice(message, 0, 80))
         return "{\"reply\":\"" + json_safe(safety_validate("", "hard_bell")) + "\",\"model\":\"\",\"agentic\":true,\"tools_used\":[]}"
-
+    }
 
     let req_model: String = json_get(body, "model")
     let model: String = if str_eq(req_model, "") { chat_default_model() } else { req_model }
@@ -1257,7 +1129,7 @@ fn handle_chat_agentic(body: String) -> String {
     let session_valid: Bool = if str_eq(req_session, "") {
         true
     } else {
-        !str_contains(session_get(req_session), "\"error\"")
+        session_exists(req_session)
     }
     if !session_valid {
         return "{\"error\":\"session not found\",\"session_id\":\"" + req_session + "\",\"reply\":\"\"}"
@@ -1301,30 +1173,12 @@ fn handle_chat_agentic(body: String) -> String {
 
     // Persist the exchange to session/global history for thread continuity on next turn.
     // Only save when the loop completed (reply present), not when tool_pending.
-    //
-    // Issue #9 (AGENTIC HISTORY NOT PERSISTED): the agentic path previously only saved
-    // history to in-process state (state_set), which is lost on restart. We now also call
-    // conv_history_persist() for the default session (hist_key == "conv_history") so agentic
-    // history survives restarts the same way non-agentic history does. Per-session histories
-    // (session_hist_<id>) are still in-process only — persisting all named sessions would
-    // require per-session engram labels, a larger change tracked separately.
     let reply_text: String = json_get(result, "reply")
     let discard_hist: Bool = if !str_eq(reply_text, "") {
         let updated: String = hist_append(agentic_hist, "user", message)
         let updated2: String = hist_append(updated, "assistant", reply_text)
-        // Increased from 20 to 40 turns: consistent with handle_chat window expansion.
-        // Byte-cap: also trim if the blob exceeds 32KB, consistent with handle_chat.
-        let count_trimmed2: String = if json_array_len(updated2) > 40 { hist_trim(updated2) } else { updated2 }
-        let trimmed: String = if str_len(count_trimmed2) > 32768 {
-            hist_trim_to_byte_cap(count_trimmed2, 32768)
-        } else {
-            count_trimmed2
-        }
+        let trimmed: String = if json_array_len(updated2) > 20 { hist_trim(updated2) } else { updated2 }
         state_set(hist_key, trimmed)
-        // Only persist the default global session to engram — named sessions are ephemeral.
-        if str_eq(hist_key, "conv_history") {
-            conv_history_persist(trimmed)
-        }
         true
     } else { false }
 
@@ -1355,14 +1209,6 @@ fn agentic_loop(session_id: String, model: String, safe_sys: String, tools_json:
     let iteration: Int = 0
     let keep_going: Bool = true
 
-    // Issue #9: agentic max_tokens configurable via NEURON_LLM_MAX_TOKENS env var.
-    // Default 4096 is marginal for long tool chains (8 iterations x 4096 tokens).
-    // Set to 8192+ for complex multi-step tasks.
-    // Note: llm_provider_request() in el_runtime.c also hardcodes 4096 for the
-    // llm_call_system() (non-agentic) path; that requires a C runtime change.
-    let max_tokens_env: String = env("NEURON_LLM_MAX_TOKENS")
-    let max_tokens_str: String = if str_eq(max_tokens_env, "") { "4096" } else { max_tokens_env }
-
     // Suspension state — captured at top level so it escapes the while body.
     let pending: Bool = false
     let pend_tool_id: String = ""
@@ -1371,7 +1217,7 @@ fn agentic_loop(session_id: String, model: String, safe_sys: String, tools_json:
 
     while keep_going && iteration < 8 {
         let req_body: String = "{\"model\":\"" + model + "\""
-            + ",\"max_tokens\":" + max_tokens_str
+            + ",\"max_tokens\":4096"
             + ",\"system\":\"" + safe_sys + "\""
             + ",\"tools\":" + tools_json
             + ",\"messages\":" + messages
@@ -1651,11 +1497,9 @@ fn handle_chat_as_soul(body: String) -> String {
 
     let raw_response: String = llm_call_system(model, system_prompt, eff_message)
 
-    // Issue #5: empty string catch — same rationale as handle_chat.
     let is_error: Bool = str_starts_with(raw_response, "{\"error\"")
         || str_starts_with(raw_response, "{\"type\":\"error\"")
         || str_contains(raw_response, "authentication_error")
-        || str_eq(raw_response, "")
     if is_error {
         return "{\"error\":\"llm unavailable\",\"response\":\"\",\"speaker_slug\":\"" + speaker + "\",\"model\":\"" + model + "\"}"
     }
@@ -1702,11 +1546,9 @@ fn handle_dharma_room_turn(body: String) -> String {
 
     let raw_response: String = llm_call_system(model, system_prompt, transcript)
 
-    // Issue #5: empty string catch — same rationale as handle_chat.
     let is_error: Bool = str_starts_with(raw_response, "{\"error\"")
         || str_starts_with(raw_response, "{\"type\":\"error\"")
         || str_contains(raw_response, "authentication_error")
-        || str_eq(raw_response, "")
     if is_error {
         return "{\"error\":\"llm unavailable\",\"response\":\"\",\"cgi_id\":\"" + cgi_id + "\"}"
     }
@@ -1720,19 +1562,13 @@ fn handle_dharma_room_turn(body: String) -> String {
     // engram_node(content, "episodic", ...) which wrongly put a TIER into the node_type
     // slot — that's why nodes showed node_type="episodic". Use the full, correct contract.)
     let utterance_tags: String = "[\"soul-utterance\",\"episodic\"]"
-    let utterance_id: String = engram_node_full(
+    let discard_id: String = engram_node_full(
         clean_response, "Conversation", "soul:utterance",
         el_from_float(0.6), el_from_float(0.6), el_from_float(0.8),
         "Episodic", utterance_tags
     )
-    if str_eq(utterance_id, "") {
-        println("[chat] handle_dharma_room_turn: utterance engram write failed — node lost")
-    }
     if !str_eq(snap_path, "") {
-        let save_result: String = engram_save(snap_path)
-        if str_eq(save_result, "") {
-            println("[chat] handle_dharma_room_turn: engram_save failed for " + snap_path)
-        }
+        let discard_save: String = engram_save(snap_path)
     }
 
     let safe_response: String = json_safe(clean_response)
@@ -1838,6 +1674,13 @@ fn auto_persist(req: String, resp: String) -> Void {
         "Episodic",
         tags
     )
+    // CRITICAL BUG fix: log conv_node_id failure OUTSIDE the is_bell block.
+    // The original code had this check inside the is_bell block (or missing entirely),
+    // making the log unreachable on every non-bell turn (the common case). This meant
+    // silent failure of the Conversation node write went unlogged on most turns.
+    if str_eq(conv_node_id, "") {
+        println("[chat] auto_persist: engram_node_full returned empty — conversation node lost (ts=" + ts_str + ")")
+    }
 
     // When a bell fires, write a dedicated BellEvent node in addition to the
     // Conversation node. This makes distress moments directly findable by label
@@ -1903,8 +1746,6 @@ fn auto_persist(req: String, resp: String) -> Void {
             "session_bell_signal:" + sess_id
         }
         state_set(signal_key, safe_summary)
-    if str_eq(conv_node_id, "") {
-        println("[chat] auto_persist: engram_node_full returned empty — conversation node lost (ts=" + ts_str + ")")
     }
 }
 

entrypoint.sh

@@ -24,23 +24,19 @@ ENGRAM_DATA_DIR="$ENGRAM_DATA_DIR" \
 
 ENGRAM_PID=$!
 
-# Wait for engram to become healthy (up to 60s; GKE Autopilot cold starts can be slow)
+# Wait for engram to become healthy (up to 30s)
 echo "[entrypoint] waiting for engram..."
 TRIES=0
 until curl -sf "$ENGRAM_HEALTH_URL" > /dev/null 2>&1; do
     TRIES=$((TRIES + 1))
-    if [ "$TRIES" -ge 60 ]; then
-        echo "[entrypoint] ERROR: engram did not become healthy after 60s" >&2
+    if [ "$TRIES" -ge 30 ]; then
+        echo "[entrypoint] ERROR: engram did not become healthy after 30s" >&2
         kill "$ENGRAM_PID" 2>/dev/null || true
         exit 1
     fi
     sleep 1
 done
-echo "[entrypoint] engram ready after ${TRIES}s"
-
-# Tune EL HTTP runtime: reduce per-call timeout 60s->10s, connect timeout 3s.
-export EL_HTTP_TIMEOUT_MS="${EL_HTTP_TIMEOUT_MS:-10000}"
-export EL_HTTP_CONNECT_TIMEOUT_MS="${EL_HTTP_CONNECT_TIMEOUT_MS:-3000}"
+echo "[entrypoint] engram ready"
 
 # Start soul — it takes over as PID 1's foreground process.
 # SOUL_ENGRAM_PATH must NOT be set; ENGRAM_URL triggers HTTP mode.

memory.el

@@ -35,101 +35,18 @@ fn mem_forget(node_id: String) -> Void {
     engram_forget(node_id)
 }
 
-// mem_consolidate — structural scan plus salience-evolution pass.
-//
-// Previously this only returned structural counts (scanned, total_nodes, total_edges)
-// with no salience updates. No node salience ever changed based on recall frequency
-// or time; foundational nodes decayed identically to ephemeral chat; frequently-recalled
-// nodes were never promoted. This made consolidation a no-op.
-//
-// New behavior:
-//   (a) Strengthen frequently-activated nodes: nodes in the top working-memory list
-//       (engram_wm_top_json) are strengthened — they have been recalled recently
-//       and deserve higher salience. Raises effective salience for nodes that prove
-//       relevant across multiple sessions.
-//   (b) Strengthen Canonical-tier nodes: identity and foundational nodes should not
-//       decay; each consolidation pass re-strengthens them so they resist the
-//       tier-aware decay curve without requiring active recall.
-//   (c) Structural counts are still returned for observability.
-//
-// Called by awareness_run() on the "consolidate" inbox action.
 fn mem_consolidate() -> String {
     let scanned: Int = engram_node_count()
-    let total_edges: Int = engram_edge_count()
-    let strengthened: Int = 0
-
-    // (a) Strengthen top working-memory nodes — recalled recently across sessions.
-    // Cap at 10 to keep consolidation fast.
-    let wm_top: String = engram_wm_top_json(10)
-    let wm_len: Int = json_array_len(wm_top)
-    let wi: Int = 0
-    while wi < wm_len {
-        let wm_node: String = json_array_get(wm_top, wi)
-        let wm_id: String = json_get(wm_node, "id")
-        if !str_eq(wm_id, "") {
-            engram_strengthen(wm_id)
-            let strengthened = strengthened + 1
-        }
-        let wi = wi + 1
-    }
-
-    // (b) Strengthen Canonical-tier nodes from a full paginated scan so they resist
-    // temporal decay. Canonical nodes encode foundational identity — they must not
-    // silently floor at 10. Page size 50, scanning until fewer than 50 nodes are
-    // returned (last page), so all Canonical nodes are reached even in large graphs.
-    // Without pagination, only the first 50 nodes in the graph were eligible; any
-    // Canonical node at index 50+ was silently excluded from the boost.
-    // Strengthening is skipped if the node's current salience is already at the
-    // runtime ceiling (represented as "1" by %g) to avoid monotonic unbounded growth.
-    // Canonical nodes with salience < 1.0 are strengthened each consolidation pass;
-    // once they reach the ceiling the runtime will no longer raise them further, so
-    // calling engram_strengthen at the ceiling is a no-op in the runtime anyway, but
-    // the explicit check makes the intent clear and avoids any runtime log noise.
-    let page_size: Int = 50
-    let scan_offset: Int = 0
-    let scan_done: Bool = false
-    while !scan_done {
-        let scan_result: String = engram_scan_nodes_json(page_size, scan_offset)
-        let scan_len: Int = json_array_len(scan_result)
-        if scan_len == 0 {
-            let scan_done = true
-        } else {
-            let si: Int = 0
-            while si < scan_len {
-                let s_node: String = json_array_get(scan_result, si)
-                let s_tier: String = json_get(s_node, "tier")
-                let s_id: String = json_get(s_node, "id")
-                let s_sal: String = json_get(s_node, "salience")
-                // Only strengthen if below the ceiling to prevent unbounded salience growth.
-                // engram serialises the ceiling as "1" (%g drops the decimal part when it
-                // is exactly zero). Any other value is below ceiling and should be boosted.
-                let at_ceiling: Bool = str_eq(s_sal, "1")
-                if str_eq(s_tier, "Canonical") && !str_eq(s_id, "") && !at_ceiling {
-                    engram_strengthen(s_id)
-                    let strengthened = strengthened + 1
-                }
-                let si = si + 1
-            }
-            let scan_offset = scan_offset + scan_len
-            // Fewer results than page_size means we've reached the last page.
-            if scan_len < page_size {
-                let scan_done = true
-            }
-        }
-    }
-
+    let dummy: String = engram_scan_nodes_json(100, 0)
     let total_nodes: Int = engram_node_count()
+    let total_edges: Int = engram_edge_count()
     return "{\"scanned\":" + int_to_str(scanned)
         + ",\"total_nodes\":" + int_to_str(total_nodes)
-        + ",\"total_edges\":" + int_to_str(total_edges)
-        + ",\"strengthened\":" + int_to_str(strengthened) + "}"
+        + ",\"total_edges\":" + int_to_str(total_edges) + "}"
 }
 
 fn mem_save(path: String) -> Void {
-    let save_result: String = engram_save(path)
-    if str_eq(save_result, "") {
-        println("[memory] mem_save: engram_save failed for " + path + " — snapshot may be incomplete")
-    }
+    engram_save(path)
 }
 
 fn mem_load(path: String) -> Void {
@@ -159,14 +76,11 @@ fn mem_boot_count_inc() -> Int {
     let next: Int = current + 1
     let content: String = "soul:boot_count:" + int_to_str(next)
     let tags: String = "[\"soul-meta\",\"boot-counter\"]"
-    let boot_node_id: String = engram_node_full(
+    let discard: String = engram_node_full(
         content, "Memory", "soul:boot_count",
         el_from_float(0.9), el_from_float(0.9), el_from_float(1.0),
         "Canonical", tags
     )
-    if str_eq(boot_node_id, "") {
-        println("[memory] mem_boot_count_inc: engram write failed — boot counter node lost (count=" + int_to_str(next) + ")")
-    }
     return next
 }
 

neuron-api.el

@@ -400,7 +400,6 @@ fn handle_api_log_state_event(body: String) -> String {
     let id: String = engram_node_full(parts, "InternalStateEvent", "state-event:manual",
         el_from_float(0.85), el_from_float(0.85), el_from_float(0.9),
         "Episodic", tags)
-    if !api_persisted(id) { return api_not_persisted(id) }
     return "{\"ok\":true,\"id\":\"" + id + "\",\"boot\":\"" + boot + "\"}"
 }
 
@@ -453,7 +452,6 @@ fn handle_api_tune_config(body: String) -> String {
     let id: String = engram_node_full(content, "ConfigEntry", key,
         el_from_float(0.85), el_from_float(0.85), el_from_float(0.9),
         "Canonical", tags)
-    if !api_persisted(id) { return api_not_persisted(id) }
     return "{\"ok\":true,\"key\":\"" + key + "\",\"value\":\"" + value + "\",\"id\":\"" + id + "\"}"
 }
 
@@ -653,23 +651,17 @@ fn handle_api_consolidate(body: String) -> String {
     let summary: String = json_get(body, "summary")
     let snap: String = state_get("soul_snapshot_path")
     if !str_eq(snap, "") {
-        let save_result: String = engram_save(snap)
-        if str_eq(save_result, "") {
-            println("[api] consolidate: engram_save failed for " + snap + " — snapshot may be out of sync")
-        }
+        engram_save(snap)
     }
     if !str_eq(summary, "") {
         let safe_summary: String = str_replace(summary, "\"", "'")
         let tags: String = "[\"SessionSummary\",\"consolidate\"]"
-        let summary_id: String = engram_node_full(
+        let discard: String = engram_node_full(
             "[session-summary] " + safe_summary,
             "SessionSummary", "session:summary",
             el_from_float(0.7), el_from_float(0.7), el_from_float(0.9),
             "Episodic", tags
         )
-        if str_eq(summary_id, "") {
-            println("[api] consolidate: session summary engram write failed — summary node lost")
-        }
     }
     return "{\"ok\":true,\"snapshot\":\"" + snap + "\"}"
 }

routes.el

@@ -75,24 +75,14 @@ fn strip_query(path: String) -> String {
 }
 
 fn err_404(path: String) -> String {
-    // __status__ envelope — el_runtime reads the first key and emits HTTP 404.
-    // Issue #3: previously returned HTTP 200 with JSON error body.
-    return "{\"__status__\":404,\"error\":\"not found\",\"path\":\"" + path + "\"}"
+    return "{\"error\":\"not found\",\"code\":\"not_found\",\"path\":\"" + path + "\"}"
 }
 
 fn err_405(method: String, path: String) -> String {
-    // __status__ envelope — emits HTTP 405.
-    // Issue #3: previously returned HTTP 200 with JSON error body.
-    return "{\"__status__\":405,\"error\":\"method not allowed\",\"method\":\"" + method + "\",\"path\":\"" + path + "\"}"
+    return "{\"error\":\"method not allowed\",\"code\":\"method_not_allowed\",\"method\":\"" + method + "\",\"path\":\"" + path + "\"}"
 }
 
 fn route_health() -> String {
-    // NOTE (issue #8): This endpoint performs live engram graph queries on every call
-    // (engram_node_count, engram_edge_count) and reads imprint state. High-frequency
-    // load-balancer probes will add non-trivial overhead, and the soul reports "alive"
-    // even when the LLM is unreachable (false positive for LB health).
-    // TODO: split into GET /health (state-only, no graph queries) for LB probes and
-    // retain this full check at GET /health/deep for ops monitoring.
     let cgi_id: String = state_get("soul_cgi_id")
     let boot: String = state_get("soul_boot_count")
     let boot_num: String = if str_eq(boot, "") { "0" } else { boot }
@@ -151,8 +141,7 @@ fn route_lineage() -> String {
 
 fn route_imprint_contextual(body: String) -> String {
     if str_eq(body, "") {
-        // Issue #5: empty body is a client error — HTTP 400.
-        return "{\"__status__\":400,\"ok\":false,\"error\":\"empty body\"}"
+        return "{\"ok\":false,\"error\":\"empty body\"}"
     }
     let tags: String = "[\"imprint\",\"contextual\"]"
     let id: String = engram_node_full(
@@ -174,8 +163,7 @@ fn route_imprint_contextual(body: String) -> String {
 
 fn route_imprint_user(body: String) -> String {
     if str_eq(body, "") {
-        // Issue #5: empty body is a client error — HTTP 400.
-        return "{\"__status__\":400,\"ok\":false,\"error\":\"empty body\"}"
+        return "{\"ok\":false,\"error\":\"empty body\"}"
     }
     let tags: String = "[\"imprint\",\"user\"]"
     let id: String = engram_node_full(
@@ -313,13 +301,9 @@ fn connectd_get(suffix: String) -> String {
 // so arbitrary JSON cannot reach the shell as a command-line argument.
 fn connectd_post(suffix: String, body: String) -> String {
     let eff: String = if str_eq(body, "") { "{}" } else { body }
-    // Issue #11: time_now() has second-granularity; two concurrent requests in the same
-    // second collide on the same temp path. Added a monotonic per-process sequence counter.
-    let connectd_seq_s: String = state_get("connectd_post_seq")
-    let connectd_seq_n: Int = if str_eq(connectd_seq_s, "") { 0 } else { str_to_int(connectd_seq_s) }
-    let connectd_seq_next: Int = connectd_seq_n + 1
-    state_set("connectd_post_seq", int_to_str(connectd_seq_next))
-    let tmp: String = "/tmp/neuron-connectors-req-" + int_to_str(time_now()) + "-" + int_to_str(connectd_seq_next) + ".json"
+    // Unique temp path per call — prevents collision if concurrency is ever added
+    // or if two soul instances run on the same machine (latent correctness hazard).
+    let tmp: String = "/tmp/neuron-connectors-req-" + int_to_str(time_now()) + ".json"
     fs_write(tmp, eff)
     let out: String = exec_capture("curl -s --max-time 20 -X POST http://127.0.0.1:7771" + suffix + " -H 'Content-Type: application/json' -d @" + tmp)
     if str_eq(out, "") {
@@ -354,33 +338,9 @@ fn handle_connectors(method: String, clean: String, body: String) -> String {
     return "{\"ok\":false,\"error\":\"unknown connectors route\"}"
 }
 
-
-// auth_check — validate NEURON_TOKEN bearer auth on every request.
-// Returns "" when authorized, or a JSON 401 error string when not.
-// /health and /lineage are public routes — always exempted.
-// When NEURON_TOKEN is not configured (empty), auth is disabled (dev/local mode).
-// Issue #4: previously no auth layer existed anywhere in the router.
-// Clients pass the token in the JSON body as "__auth".
-// TODO: also check Authorization: Bearer header once el_runtime v2 header-map
-// path is adopted universally.
-fn auth_check(clean: String, body: String) -> String {
-    if str_eq(clean, "/health") { return "" }
-    if str_eq(clean, "/lineage") { return "" }
-    let token: String = state_get("soul_token")
-    if str_eq(token, "") { return "" }
-    let auth_field: String = json_get(body, "__auth")
-    if str_eq(auth_field, token) { return "" }
-    return "{\"__status__\":401,\"error\":\"unauthorized\"}"
-}
-
 fn handle_request(method: String, path: String, body: String) -> String {
     let clean: String = strip_query(path)
 
-    // Issue #1/#2: EL has no exception/try-catch mechanism. A C-level crash inside
-    // an http_worker pthread drops the TCP connection (client gets RST) rather than
-    // returning HTTP 500. TODO: register a SIGSEGV/SIGBUS handler in el_runtime.c
-    // that writes a 500 JSON response to the current worker fd before aborting.
-
     // Rate limit check. Extract caller IP from REMOTE_ADDR env var (set by the
     // EL HTTP runtime for each request). Skip enforcement when empty so
     // loopback/internal callers are never blocked.
@@ -392,13 +352,6 @@ fn handle_request(method: String, path: String, body: String) -> String {
         }
     }
 
-    // Auth — enforced on all routes except /health and /lineage.
-    // Issue #4: previously no auth check existed anywhere in the router.
-    let auth_err: String = auth_check(clean, body)
-    if !str_eq(auth_err, "") {
-        return auth_err
-    }
-
     if str_eq(method, "POST") && str_eq(clean, "/dharma/recv") {
         return handle_dharma_recv(body)
     }
@@ -426,8 +379,7 @@ fn handle_request(method: String, path: String, body: String) -> String {
             let raw_msg: String = json_get(body, "message")
             let eff_msg: String = if str_eq(raw_msg, "") { body } else { raw_msg }
             if str_eq(eff_msg, "") {
-                // Issue #5: missing required param — HTTP 400.
-                return "{\"__status__\":400,\"error\":\"message required\"}"
+                return "{\"error\":\"message is required\",\"code\":\"missing_param\"}"
             }
             let agentic_flag: Bool = json_get_bool(body, "agentic")
             let reply: String = if agentic_flag {
@@ -571,15 +523,9 @@ fn handle_request(method: String, path: String, body: String) -> String {
             // responses are buffered and returned as a single JSON object. Streaming
             // would require runtime-level SSE support in el_runtime.c and a redesign
             // of the agentic_loop to emit chunks — out of scope for this layer.
-            // Issue #5: validate required params — return HTTP 400 when missing.
             let raw_msg: String = json_get(body, "message")
             if str_eq(raw_msg, "") {
-                return "{\"__status__\":400,\"error\":\"message is required\",\"response\":\"\"}"
-            }
-            // Issue #7: reject oversized messages before engram_compile and the LLM.
-            // Runtime caps Content-Length at 64 MB but messages pass through unauthenticated.
-            if str_len(raw_msg) > 32768 {
-                return "{\"__status__\":400,\"error\":\"message too large (max 32768 chars)\",\"response\":\"\"}"
+                return "{\"error\":\"message is required\",\"code\":\"missing_param\"}"
             }
             let agentic_flag: Bool = json_get_bool(body, "agentic")
             let reply: String = if agentic_flag {

safety.el

@@ -144,8 +144,7 @@ fn safety_screen(input: String, history: String) -> String {
     if score >= soft {
         let summary: String = str_slice(input, 0, 80)
         let discard: String = safety_log_bell("soft", "wellbeing check needed", summary)
-        // ISSUE 7 fix: escape tab chars in addition to backslash/quote/newline/CR.
-        // A tab in user input corrupts the JSON envelope and causes json_get to misparse.
+        // ISSUE 7: also escape tab chars to prevent JSON envelope corruption.
         let e1: String = str_replace(input, "\\", "\\\\")
         let e2: String = str_replace(e1, "\"", "\\\"")
         let e3: String = str_replace(e2, "\n", "\\n")
@@ -154,7 +153,7 @@ fn safety_screen(input: String, history: String) -> String {
         return "{\"action\":\"soft_bell\",\"reason\":\"wellbeing check needed\",\"content\":\"" + safe_input + "\"}"
     }
 
-    // ISSUE 7 fix: escape tab chars (see soft_bell branch above for rationale).
+    // ISSUE 7: also escape tab chars (see soft_bell branch above).
     let e1: String = str_replace(input, "\\", "\\\\")
     let e2: String = str_replace(e1, "\"", "\\\"")
     let e3: String = str_replace(e2, "\n", "\\n")
@@ -200,10 +199,7 @@ fn safety_validate(output: String, action: String) -> String {
 fn safety_log_bell(level: String, reason: String, input_summary: String) -> String {
     let content: String = "BELL:" + level + " | " + reason + " | summary:" + input_summary
     let tags: String = "[\"safety\",\"bell\",\"bell:" + level + "\"]"
-    // ISSUE 2 fix: if engram_node_full returns empty the write silently failed.
-    // Emit a fallback println so the bell event leaves at least a log trace even
-    // when engram is degraded. This does not replace engram persistence -- it is a
-    // last-resort audit trail when the primary write cannot be confirmed.
+    // ISSUE 2: fallback log when engram write fails silently.
     let node_id: String = engram_node_full(
         content,
         "BellEvent",
@@ -215,7 +211,7 @@ fn safety_log_bell(level: String, reason: String, input_summary: String) -> Stri
         tags
     )
     if str_eq(node_id, "") {
-        println("[safety] WARN: bell event engram write failed -- fallback log: " + content)
+        println("[safety] WARN: bell engram write failed -- " + content)
     }
     return ""
 }
@@ -248,16 +244,9 @@ fn safety_soft_phrases() -> String {
 }
 
 // ISSUE 5 TODO: phrase lists are rebuilt from JSON literals on every call.
-// safety_any_match and safety_count_match loop over json_array_get on every invocation.
-// A compiled/cached representation would reduce per-message overhead and also guard against
-// malformed phrase JSON (json_array_len of malformed input returns 0, silently skipping all checks).
-// Caching requires language-level static const arrays -- not available in current EL.
-// When EL gains module-level const arrays, migrate phrase lists to that form.
-//
-// ISSUE 5 TODO: phrase lists are rebuilt from JSON literals on every call to
-// safety_any_match / safety_count_match. json_array_len of a malformed string
-// returns 0, silently skipping all checks. Caching requires language-level static
-// const arrays (not available in current EL). Migrate when EL gains that feature.
+// json_array_len of malformed input returns 0, silently skipping all checks.
+// Caching requires language-level static const arrays -- not in current EL.
+// Migrate to const arrays when EL gains that feature.
 // ── Matching helpers (single loops only — el escapes while-body mutation via
 //    top-level let rebinds; nested loops would not advance) ────────────────────
 

soul.el

@@ -148,6 +148,14 @@ fn load_identity_context() -> Void {
         println("[soul] identity context loaded (" + int_to_str(str_len(ctx)) + " chars, " + int_to_str(parts_count) + " nodes)")
     }
 
+    // Q6 fix: warn when all three identity node fetches return empty. For genesis this
+    // indicates a corrupted or missing graph. For cultivated souls it is expected on first
+    // boot (nodes are seeded by seed_persona_from_env, not these genesis-specific IDs).
+    // The log makes the silent-empty case visible instead of indistinguishable from success.
+    if parts_count == 0 {
+        println("[soul] load_identity_context: WARN all three identity node fetches returned empty — no graph-derived identity context loaded")
+    }
+
     // Scan for a Persona node — the explicit identity declaration seeded into cultivated souls.
     // Stored at seeding time with label "soul:persona" and node_type "Persona".
     // genesis derives identity from the graph directly; cultivated souls have this node seeded.
@@ -162,55 +170,11 @@ fn load_identity_context() -> Void {
             println("[soul] persona node loaded (" + int_to_str(str_len(p_content)) + " chars)")
         }
     }
-
-    // Cross-session affective context: query engram for recent distress/crisis signals
-    // at session start. Stored under soul_affective_context so the safety layer can
-    // detect when a user has been in distress across previous sessions.
-    // Recency guard: nodes older than 14 days (1,209,600 seconds) are skipped.
-    // Unified at 14 days with chat.el engram_compile and handle_chat affective checks
-    // so all three paths present consistent affective context. The previous 7-day
-    // (604800s) window was inconsistent with the 72h chat.el window, causing
-    // conflicting context: soul.el loaded a 5-day-old crisis node while chat.el
-    // did not include it on subsequent turns. Both now use 14 days.
-    // Results capped at 3 nodes, 200 chars each, to limit context inflation.
-    // TODO(recency): engram_search_json sorts by relevance, not timestamp. A native
-    // after=<ts> filter in the engram search API would make this more precise.
-    let affective_raw: String = engram_search_json("distress crisis upset hopeless bell BellEvent", 3)
-    let affective_ok: Bool = !str_eq(affective_raw, "") && !str_eq(affective_raw, "[]")
-    if affective_ok {
-        let ts_now: Int = time_now()
-        let ts_cutoff: Int = ts_now - 1209600
-        let aff_total: Int = json_array_len(affective_raw)
-        let aff_ctx: String = ""
-        let ai: Int = 0
-        while ai < aff_total {
-            let aff_node: String = json_array_get(affective_raw, ai)
-            let aff_content: String = json_get(aff_node, "content")
-            // Use created_at (the standard engram node timestamp field), consistent
-            // with handle_chat which reads created_at / updated_at. The previous
-            // field name "ts" is not a standard engram field: it was present in some
-            // BellEvent content payloads but absent from standard engram node JSON,
-            // causing json_get to return "" and the fallback to ts_now — meaning ALL
-            // nodes with a missing "ts" field appeared recent, over-including stale
-            // content. With the 14-day window, this amplification was significant.
-            // Fix: read created_at first, fall back to updated_at, then default to 0
-            // (same as handle_chat). A ts of 0 always fails the cutoff check, so nodes
-            // missing both timestamp fields are conservatively excluded rather than
-            // blindly included.
-            let aff_ca: String = json_get(aff_node, "created_at")
-            let aff_ts_str: String = if str_eq(aff_ca, "") { json_get(aff_node, "updated_at") } else { aff_ca }
-            let aff_ts: Int = if str_eq(aff_ts_str, "") { 0 } else { str_to_int(aff_ts_str) }
-            let is_recent: Bool = aff_ts >= ts_cutoff
-            let snip: String = if str_len(aff_content) > 200 { str_slice(aff_content, 0, 200) } else { aff_content }
-            let aff_ctx = if is_recent && !str_eq(snip, "") {
-                if str_eq(aff_ctx, "") { snip } else { aff_ctx + "\n" + snip }
-            } else { aff_ctx }
-            let ai = ai + 1
-        }
-        if !str_eq(aff_ctx, "") {
-            state_set("soul_affective_context", aff_ctx)
-            println("[soul] cross-session affective context loaded (" + int_to_str(str_len(aff_ctx)) + " chars)")
-        }
+    // Q6 fix: if neither identity nodes nor persona node were loaded, log explicitly.
+    let soul_id_ctx: String = state_get("soul_identity_context")
+    let soul_persona_ctx: String = state_get("soul_persona")
+    if str_eq(soul_id_ctx, "") && str_eq(soul_persona_ctx, "") {
+        println("[soul] load_identity_context: WARN no identity context available from graph — soul will have identity_block empty in system prompts")
     }
 }
 
@@ -258,13 +222,8 @@ fn seed_persona_from_env() -> Void {
         let h: Map = {}
         map_set(h, "Content-Type", "application/json")
         let resp: String = http_post_with_headers(engram_url + "/api/nodes", body, h)
-        // Check for empty response (timeout/network error), explicit error, or missing id.
-        if str_eq(resp, "") {
-            println("[soul] persona HTTP write-back failed: empty response (timeout or network error) — in-memory only this session")
-        } else if str_contains(resp, "\"error\"") {
+        if str_contains(resp, "\"error\"") {
             println("[soul] persona HTTP write-back failed (in-memory only this session): " + resp)
-        } else if !str_contains(resp, "\"id\"") {
-            println("[soul] persona HTTP write-back: unexpected response (no id field) — in-memory only this session: " + resp)
         } else {
             println("[soul] persona persisted to HTTP engram at " + engram_url)
         }
@@ -297,14 +256,11 @@ fn emit_session_start_event() -> Void {
         + ",\"ts\":" + int_to_str(ts) + "}"
 
     let tags: String = "[\"internal-state\",\"session-start\",\"InternalStateEvent\"]"
-    let session_event_id: String = engram_node_full(
+    let discard: String = engram_node_full(
         payload, "InternalStateEvent", "session-start",
         el_from_float(0.9), el_from_float(0.9), el_from_float(1.0),
         "Episodic", tags
     )
-    if str_eq(session_event_id, "") {
-        println("[soul] emit_session_start_event: engram write failed — session-start event lost")
-    }
     println("[soul] session-start event logged (boot=" + boot_num + " nodes=" + int_to_str(node_ct) + " edges=" + int_to_str(edge_ct) + ")")
 }
 
@@ -312,9 +268,6 @@ fn emit_session_start_event() -> Void {
 // L0 (core) → L1 (safety screen) → L2a (continuity + behavioral profiling) → L2b (mission alignment) → L3 (imprint) → L1 (safety validate)
 // Internal cognition (heartbeat, proactive, memory ops) bypasses layers — use one_cycle directly.
 fn layered_cycle(raw_input: String) -> String {
-    // conv_history key must match chat.el (conv_history, not conversation_history).
-    // Mismatch caused safety_score_distress_history() to always receive "" - the
-    // history-amplification path in safety_threat_score was permanently dead.
     let history: String = state_get("conv_history")
     let session_id: String = state_get("current_session_id")
 
@@ -322,9 +275,8 @@ fn layered_cycle(raw_input: String) -> String {
     let screen_result: String = safety_screen(raw_input, history)
     let screen_action: String = json_get(screen_result, "action")
 
-    // ISSUE 4: safe-mode guard -- if safety_screen returned invalid/empty action,
-    // refuse the turn rather than silently passing unscreened input to upper layers.
-    // Valid actions: "hard_bell", "soft_bell", "pass". Anything else = corrupt envelope.
+    // ISSUE 4: safe-mode guard. If safety_screen returned an invalid/empty action
+    // (engram failure or internal error), refuse rather than pass unscreened input.
     let valid_action: Bool = str_eq(screen_action, "hard_bell")
         || str_eq(screen_action, "soft_bell")
         || str_eq(screen_action, "pass")
@@ -339,8 +291,8 @@ fn layered_cycle(raw_input: String) -> String {
     // history where they could leak context to subsequent turns. They are persisted
     // separately by safety_log_bell() into the Episodic tier with restricted labels.
     //
-    // ISSUE 6: safety_log_bell for hard bells is already called INSIDE safety_screen
-    // (safety.el line 140). Do NOT call it again here -- double-log avoided.
+    // ISSUE 6: safety_log_bell already called inside safety_screen (line 140).
+    // Do NOT call it again here -- that would double-log every hard bell.
     //
     // safety_validate second param: when screen_action is "hard_bell", safety_validate
     // receives the sentinel string "hard_bell" (not a normal screen action). The safety
@@ -382,13 +334,22 @@ fn layered_cycle(raw_input: String) -> String {
         json_get(steward_result, "redirect_to")
     }
 
-    // ISSUE 1: apply pre-LLM bell augmentation on layered_cycle path.
-    // safety_augment_system injects soft/hard directive into system prompt before LLM call.
-    // Stored in state so imprint_respond can consume it.
-    // TODO: wire directly into imprint_respond when it accepts a system_override param.
-    // ISSUE 3 TODO: no semantic/embedding crisis detection. Keyword-only means signals
-    // evading the phrase list pass through with zero augmentation. Semantic layer is a
-    // separate architectural decision requiring embedding inference on every message.
+    // ISSUE 1: pre-LLM bell augmentation for layered_cycle path.
+    // safety_augment_system appends soft/hard directive to system prompt when bell fires,
+    // ensuring LLM processes message WITH the safety directive -- not just post-output gate.
+    // Stored in state as "layered_cycle_safety_system_addendum" for imprint_respond to use.
+    // TODO: wire directly when imprint_respond gains system_override param (imprint.el change).
+    // ISSUE 3 TODO: no semantic crisis detection. Keyword-only means signals that evade
+    // the phrase list pass with zero augmentation. Semantic layer = separate decision.
+    //
+    // Q8 race documentation: "layered_cycle_safety_system_addendum" is a shared process-global
+    // state key. Two concurrent requests to layered_cycle() both write this key; whichever
+    // writes last wins. The concurrent build_system_prompt() read in chat.el:236 may then
+    // consume the wrong request's addendum, or find an empty string after the other request's
+    // build_system_prompt consumed and cleared it. Mitigation: under http_serve_async, the
+    // layered_cycle path and the /api/chat path are different endpoints (typically); true
+    // concurrent layered_cycle calls are uncommon. A robust fix requires per-request state
+    // scoping which needs C runtime support (e.g. a request-id-keyed addendum map).
     let augmented_addendum: String = safety_augment_system("", raw_input)
     state_set("layered_cycle_safety_system_addendum", augmented_addendum)
 
@@ -431,29 +392,12 @@ let snapshot_usable: Bool = local_node_count > 50
 
 if using_http_engram && !snapshot_usable {
     // First boot or empty/corrupt snapshot: seed from HTTP Engram.
-    // Retry up to 3 times (2s sleep between attempts) to guard against a
-    // transient network hiccup right after entrypoint.sh health check passes.
-    // An empty nodes response silently loads a zero-node graph; validate first.
-    // TODO(reliability): replace sleep_ms retry with non-blocking backoff.
     println("[soul] engram -> HTTP " + engram_url_raw + " (no local snapshot, first boot)")
-    let fetch_attempt: Int = 0
-    while fetch_attempt < 3 {
-        let fetch_attempt = fetch_attempt + 1
-        let n: String = http_get(engram_url_raw + "/api/nodes?limit=10000")
-        let e: String = http_get(engram_url_raw + "/api/edges")
-        let nodes_ok: Bool = !str_eq(n, "") && str_starts_with(n, "[") && str_len(n) > 2
-        if nodes_ok {
-            state_set("_boot_nodes_json", n)
-            state_set("_boot_edges_json", e)
-            let fetch_attempt = 3
-        } else {
-            println("[soul] boot HTTP fetch attempt " + int_to_str(fetch_attempt) + " failed --- retrying in 2s")
-            sleep_ms(2000)
-        }
-    }
-    let nodes_json: String = state_get("_boot_nodes_json")
-    let edges_json: String = state_get("_boot_edges_json")
-        let snapshot_data: String = "{\"nodes\":" + nodes_part + ",\"edges\":" + edges_part + "}"
+    let nodes_json: String = http_get(engram_url_raw + "/api/nodes?limit=10000")
+    let edges_json: String = http_get(engram_url_raw + "/api/edges")
+    let nodes_part: String = if str_eq(nodes_json, "") { "[]" } else { nodes_json }
+    let edges_part: String = if str_eq(edges_json, "") { "[]" } else { edges_json }
+    let snapshot_data: String = "{\"nodes\":" + nodes_part + ",\"edges\":" + edges_part + "}"
     let tmp_path: String = "/tmp/soul-engram-" + soul_cgi_id + ".json"
     fs_write(tmp_path, snapshot_data)
     engram_load(tmp_path)