fix(release): close two P1 data-integrity gaps + announcement/docs for v0.26.0

Release-audit council found two silent-data-loss blockers; both fixed:

1. Collision-merge embedding loss (relocate-memory.ts). When moving a memory
   that collides with an equivalent at the target, the source row was DELETEd —
   FK-cascading its memory_embeddings away — without transferring an embedding to
   the surviving target. A merged memory could end up with no vector. Now
   INSERT OR IGNORE the source embedding onto the target before the delete (the
   two are equivalent: same category + normalized_hash, so either vector is
   valid). +1 regression test.

2. migrate-session cross-DB split-brain (migrate-session.ts). The two databases
   are separate files, so OpenCode committed first and context.db committed
   later; a context.db failure left OpenCode moved but Magic Context not. Capture
   the session's prior column values and add a compensating rollback: if the
   context.db transaction throws, restore OpenCode to its pre-migration state so
   the two stay consistent (best-effort; the user's pre-run backup is the final
   safety net). +1 regression test.

Also (SHOULD-FIX from the audit):
- Narrow the release-notes + CONFIGURATION.md fallback claim: the session-model
  last resort is HISTORIAN-ONLY; dreamer/sidekick use only their configured
  fallback_models (verified in compartment-runner-historian.ts vs dreamer/runner).
- Bump ANNOUNCEMENT_VERSION 0.25.0 -> 0.26.0 with this release's features.

Cache-stability core verified SAFE by the council (6/6 unanimous): perf scoping is
speed-only, D2 redacted-skip + gate sound, embedding identity unaffected,
migration v38 correct. Gate: plugin 2166/0, CLI 178/0 (+2), tsc + biome clean.

Author: ualtinok

CONFIGURATION.md

@@ -250,7 +250,7 @@ Each hidden agent (historian, dreamer, sidekick) uses the `model` you configure
 If the configured primary fails (auth, transient, or returns unusable output), the fallback order is:
 
 1. Your explicit `fallback_models` for that agent, in order.
-2. Your active session model, as a last resort (a model you're already using).
+2. **Historian only:** your active session model, as a last resort (a model you're already using). The dreamer and sidekick use only their configured `fallback_models`.
 
 If you set no `fallback_models`, a failing primary simply retries — it never jumps to an unconfigured model. Set `fallback_models` to add alternates of your own (each `"provider/model-id"`).
 

packages/cli/src/commands/migrate-session.test.ts

@@ -409,4 +409,47 @@ describe("applyMigrateSession — memory actions", () => {
             ).c,
         ).toBe(1);
     });
+
+    it("move collision: source embedding is preserved on the surviving target (no silent loss)", () => {
+        const { oc, ctx } = setup();
+        // FROM row HAS an embedding; the equivalent TO row does NOT.
+        insertMemory(ctx, FROM, SID, { category: "NAMING", content: "dup", withEmbedding: true });
+        const targetId = Number(
+            (
+                ctx
+                    .prepare(
+                        `INSERT INTO memories (project_path, category, content, normalized_hash, importance, source_session_id, seen_count, status, created_at)
+                         VALUES (?, 'NAMING', 'dup', ?, 50, NULL, 1, 'active', 0) RETURNING id`,
+                    )
+                    .get(TO, `hash-${hashCounter}`) as { id: number }
+            ).id,
+        );
+        const plan = planMigrateSession(SID, "/home/u/benchmarks", makeDeps(oc, ctx));
+        const res = applyMigrateSession(plan, "move-originated", makeDeps(oc, ctx));
+        expect(res.memoriesMerged).toBe(1);
+        // The surviving target row must now carry an embedding adopted from the
+        // deleted source — without the transfer the FK-cascade would lose it.
+        expect(
+            (
+                ctx
+                    .prepare("SELECT COUNT(*) AS c FROM memory_embeddings WHERE memory_id = ?")
+                    .get(targetId) as { c: number }
+            ).c,
+        ).toBe(1);
+    });
+
+    it("compensates the OpenCode move when the context.db transaction fails (no split-brain)", () => {
+        const { oc, ctx } = setup();
+        // Force the context.db transaction to throw AFTER the OpenCode commit by
+        // dropping a table its transaction writes to.
+        ctx.exec("DROP TABLE compartment_chunk_embeddings");
+        const plan = planMigrateSession(SID, "/home/u/benchmarks", makeDeps(oc, ctx));
+        expect(() => applyMigrateSession(plan, "leave", makeDeps(oc, ctx))).toThrow();
+        // OpenCode must be restored to its pre-migration values.
+        const session = oc
+            .prepare("SELECT directory, project_id FROM session WHERE id = ?")
+            .get(SID) as { directory: string; project_id: string };
+        expect(session.directory).toBe("/old/dir");
+        expect(session.project_id).toBe("global");
+    });
 });

packages/cli/src/commands/migrate-session.ts

@@ -231,6 +231,16 @@ export function applyMigrateSession(
         sets.push("workspace_id = ?");
         params.push(null);
     }
+    // The two databases are separate files, so a single ACID transaction across
+    // them is impossible. To avoid a split-brain (OpenCode moved, context.db not),
+    // capture the session's PRIOR column values now; if the (larger, second)
+    // context.db transaction fails, we compensate by restoring OpenCode to these
+    // values so the user is never left half-migrated.
+    const restoreCols = ["directory", ...sets.map((s) => s.split(" = ")[0]).slice(1)];
+    const priorRow = deps.opencodeDb
+        .prepare(`SELECT ${restoreCols.join(", ")} FROM session WHERE id = ?`)
+        .get(plan.sessionId) as Record<string, string | null> | undefined;
+
     deps.opencodeDb.exec("BEGIN IMMEDIATE");
     try {
         deps.opencodeDb
@@ -242,6 +252,27 @@ export function applyMigrateSession(
         throw error;
     }
 
+    const compensateOpenCode = (): void => {
+        if (!priorRow) return;
+        try {
+            const restoreSets = restoreCols.map((c) => `${c} = ?`).join(", ");
+            const restoreParams = restoreCols.map((c) => priorRow[c] ?? null);
+            deps.opencodeDb.exec("BEGIN IMMEDIATE");
+            deps.opencodeDb
+                .prepare(`UPDATE session SET ${restoreSets} WHERE id = ?`)
+                .run(...restoreParams, plan.sessionId);
+            deps.opencodeDb.exec("COMMIT");
+        } catch {
+            // Best-effort: the original error is what we rethrow. If even the
+            // compensation fails the user still has their pre-run backup.
+            try {
+                deps.opencodeDb.exec("ROLLBACK");
+            } catch {
+                // ignore
+            }
+        }
+    };
+
     // 2. Magic Context side — re-stamp + memory action in one transaction.
     let memoriesRelocated = 0;
     let memoriesMerged = 0;
@@ -321,6 +352,9 @@ export function applyMigrateSession(
         deps.contextDb.exec("COMMIT");
     } catch (error) {
         deps.contextDb.exec("ROLLBACK");
+        // Context.db rolled back atomically; now undo the already-committed
+        // OpenCode move so the two databases stay consistent (no split-brain).
+        compensateOpenCode();
         throw error;
     }
 

packages/plugin/src/features/magic-context/memory/relocate-memory.ts

@@ -84,6 +84,16 @@ export function rekeyMemoryRowWithCollisionMerge(
                 collision.id,
             );
         }
+        // Preserve an embedding on the surviving target BEFORE the source row's
+        // embedding FK-cascades away on DELETE (memory_embeddings.memory_id
+        // REFERENCES memories(id) ON DELETE CASCADE). INSERT OR IGNORE keeps the
+        // target's existing embedding when it has one; otherwise it adopts the
+        // source's — so a merged memory never ends up with NO vector (the two are
+        // equivalent: same category + normalized_hash, so either vector is valid).
+        db.prepare(
+            `INSERT OR IGNORE INTO memory_embeddings (memory_id, embedding, model_id)
+             SELECT ?, embedding, model_id FROM memory_embeddings WHERE memory_id = ?`,
+        ).run(collision.id, rowId);
         db.prepare("DELETE FROM memories WHERE id = ?").run(rowId);
         return true;
     }

packages/plugin/src/shared/announcement.ts

@@ -23,18 +23,18 @@ import { getMagicContextStorageDir } from "./data-path";
  * Bump only when there are user-visible changes worth a startup dialog.
  * Does NOT need to match the published package version.
  */
-export const ANNOUNCEMENT_VERSION = "0.25.0";
+export const ANNOUNCEMENT_VERSION = "0.26.0";
 
 /**
  * Short, user-facing bullet strings. Keep each line ~80 chars or shorter so the
  * TUI dialog renders cleanly without horizontal scroll on a typical terminal.
  */
 export const ANNOUNCEMENT_FEATURES: ReadonlyArray<string> = [
-    "Old tool output is now reclaimed automatically: once a file read / search / command output has gone a full execute cycle unused, it's dropped on the next one — no need to call ctx_reduce for stale results.",
-    "Recover anything that was dropped: ctx_expand({ message: N }) returns a dropped message's full content (every tool call's input + output) from storage. ctx_expand({ start, end, verbose: true }) lists a range message-by-message to find it.",
-    "Searchable history made reliable: /ctx-embed shows embedding coverage and runs a resilient backfill (retries transient failures, no longer bails on the first hiccup); the active session now auto-embeds in the background. ctx_reduce guidance also reframed as deferred + recoverable so models trim spent output earlier.",
-    "Pi: fixed /ctx-dream (was failing with 'Unknown named parameter') and local-embedding load failures on Windows/Desktop (#151, #128).",
-    "Runaway background agents on weak/local models are now capped and force-stopped (#154, #152). Plus several prompt-cache busts removed.",
+    "Faster on large sessions: per-message transform overhead is at least 2x lower on typical passes and up to ~10x lower when history summarization fires (no more multi-second pause on big sessions).",
+    "No more surprise models: the built-in fallback chain is gone. Hidden agents only use the model (and fallback_models) you configure — no confusing 'model not found' for providers you never set up. `doctor` now records every historian run so real failures are visible.",
+    "Anthropic thinking-block fix: clearing old reasoning no longer risks a stale-signature rejection on Claude / Bedrock / proxied-Claude routes. Plus fewer prompt-cache busts.",
+    "Community fixes: TUI crash on the upgrade progress panel (#168), historian.disallowed_tools for weak models that loop on tool calls (#166), and a Pi-only config key leak (#167).",
+    "New: doctor migrate-session re-homes a session (and optionally its memories) to another project, with a dry-run preview.",
 ];
 
 /**