feat(agent-memory): ADR-003 Phase 2a — POST /memory/sync with mode + dedup (#191)

Adds the kernel promotion endpoint every runtime driver will target. Phase 2b
(new OpenClaw tools that call it) is a separate change in the submodule.

## What ships

**New endpoint: `POST /api/agents/runtime/memory/sync`**
- Required body: `{ sections, sourceRuntime?, mode }`
- `mode: "full"` — replaces the entire sections envelope. Sections omitted
  from the payload are cleared. Use for driver snapshots.
- `mode: "patch"` — merges with existing state. Single-object sections $set
  per-key (siblings preserved). Array sections (daily, relationships) merge
  element-wise keyed by `date` / `otherInstanceId`. Use for incremental
  promotion.
- Idempotent within the same UTC day: repeated identical payloads return
  `{ deduped: true }` without writing. Dedup key is
  `(dayBucket, sourceRuntime, sha256-trunc32 of canonical-stringified body)`.
  Canonical stringify sorts object keys recursively so semantically
  identical payloads with different key order collapse to one write.

**Supporting work**
- `AgentMemory.lastSyncKey` + `lastSyncAt` track the dedup cache state.
- Strict `'YYYY-MM-DD'` validation on `daily[].date` — regex + Date
  round-trip so calendar-invalid dates (2026-02-30) are rejected.
- `mergePatchSections` in agentMemoryService pure-fns the element-level
  array merge; unit-tested separately from route wiring.
- Full-mode handler always updates v1 `content` mirror from final sections,
  including blanking it when the new snapshot omits long_term. Avoids
  phantom data on GET when v1 readers still exist.

## Critical fix caught by review

- `PUT /memory` and `nativeRuntimeService.commonly_write_memory` now clear
  `lastSyncKey`/`lastSyncAt` on every write. Without this, a non-sync
  writer mutating state between two identical syncs caused the second sync
  to be silently deduped, leaving the kernel stuck on the intervening
  write while the driver believed its promotion succeeded. Regression
  test locks the invariant.

## Other review-driven changes

- Canonical stringify (json-stable-order) replaces JSON.stringify in the
  dedup key so webhook/Python drivers with different emit order don't
  silently miss dedup.
- Full-mode v1 mirror rule made symmetric with sections (full replace →
  full mirror refresh, including empty when long_term omitted).
- Structured logs now fire on both dedup hits and validation rejects
  (REVIEW.md §Maintainability, kernel-surface observability).
- Concurrency caveat noted inline on `mergePatchSections` — read-merge-
  write assumes per-instance serialization; revisit when webhook drivers
  arrive in Phase 2b/later.

## Tests (17 new; 95/95 agent-memory pass; 705/705 backend total)

Unit (on top of existing):
- `isValidYMD` (4 tests — accept valid, reject malformed, reject
  calendar-invalid incl. leap years, reject non-strings)
- `mergePatchSections` (6 tests — single-object per-key merge, replacement,
  daily by date, relationships by otherInstanceId, missing-existing,
  preserve-omitted)
- `computeSyncDedupKey` (8 tests — same-day-same-payload collapse,
  mode/runtime/day/content sensitivity, key prefix, canonical-stringify
  order invariance across object keys AND across top-level sections)

Integration (on top of existing):
- Rejects without sections, without valid mode, with malformed date,
  with calendar-invalid date
- full mode wipes envelope, patch mode preserves siblings + merges daily
  by date and relationships by otherInstanceId
- full mode WITHOUT long_term blanks v1 content mirror (Important fix)
- Patch mode with long_term mirrors v1 content
- Same-day dedup returns deduped:true; cross-content re-sync does not
- PUT /memory invalidates sync dedup cache (Critical fix)
- Server-stamps byteSize; rejects unauthenticated

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: lilyshen0722

backend/__tests__/integration/agent-memory-envelope.test.js

@@ -548,4 +548,314 @@ describe('AgentMemory envelope — GET/PUT /memory + backfill', () => {
       expect(after.sections).toBeUndefined();
     });
   });
+
+  // ------------------------------------------------------------------- //
+  // POST /memory/sync  (ADR-003 Phase 2)                                 //
+  // ------------------------------------------------------------------- //
+
+  describe('POST /memory/sync', () => {
+    it('rejects requests without sections', async () => {
+      const res = await request(app)
+        .post('/api/agents/runtime/memory/sync')
+        .set('Authorization', `Bearer ${runtimeToken}`)
+        .send({ mode: 'full' });
+      expect(res.status).toBe(400);
+      expect(res.body.message).toMatch(/sections is required/);
+    });
+
+    it('rejects requests without a valid mode', async () => {
+      const resA = await request(app)
+        .post('/api/agents/runtime/memory/sync')
+        .set('Authorization', `Bearer ${runtimeToken}`)
+        .send({ sections: { long_term: { content: 'x' } } });
+      expect(resA.status).toBe(400);
+      expect(resA.body.message).toMatch(/mode must be 'full' or 'patch'/);
+
+      const resB = await request(app)
+        .post('/api/agents/runtime/memory/sync')
+        .set('Authorization', `Bearer ${runtimeToken}`)
+        .send({ sections: { long_term: { content: 'x' } }, mode: 'merge' });
+      expect(resB.status).toBe(400);
+    });
+
+    it('rejects invalid YYYY-MM-DD date on daily entries', async () => {
+      const res = await request(app)
+        .post('/api/agents/runtime/memory/sync')
+        .set('Authorization', `Bearer ${runtimeToken}`)
+        .send({
+          sections: { daily: [{ date: '2026/04/14', content: 'x' }] },
+          mode: 'full',
+        });
+      expect(res.status).toBe(400);
+      expect(res.body.message).toMatch(/YYYY-MM-DD/);
+    });
+
+    it('also rejects calendar-invalid dates (feb 30)', async () => {
+      const res = await request(app)
+        .post('/api/agents/runtime/memory/sync')
+        .set('Authorization', `Bearer ${runtimeToken}`)
+        .send({
+          sections: { daily: [{ date: '2026-02-30', content: 'x' }] },
+          mode: 'full',
+        });
+      expect(res.status).toBe(400);
+      expect(res.body.message).toMatch(/YYYY-MM-DD/);
+    });
+
+    it('full mode: replaces the entire sections envelope', async () => {
+      // Seed with long_term + shared.
+      await request(app)
+        .put('/api/agents/runtime/memory')
+        .set('Authorization', `Bearer ${runtimeToken}`)
+        .send({ sections: { long_term: { content: 'old' }, shared: { content: 'bio', visibility: 'public' } } })
+        .expect(200);
+
+      // full sync with only dedup_state — long_term/shared should be gone.
+      await request(app)
+        .post('/api/agents/runtime/memory/sync')
+        .set('Authorization', `Bearer ${runtimeToken}`)
+        .send({
+          sections: { dedup_state: { content: '## Commented\n{}' } },
+          mode: 'full',
+          sourceRuntime: 'openclaw',
+        })
+        .expect(200);
+
+      const get = await request(app)
+        .get('/api/agents/runtime/memory')
+        .set('Authorization', `Bearer ${runtimeToken}`);
+      expect(get.body.sections.long_term).toBeUndefined();
+      expect(get.body.sections.shared).toBeUndefined();
+      expect(get.body.sections.dedup_state.content).toContain('Commented');
+      expect(get.body.sourceRuntime).toBe('openclaw');
+    });
+
+    it('patch mode: preserves sibling sections and merges daily by date', async () => {
+      // Seed.
+      await request(app)
+        .post('/api/agents/runtime/memory/sync')
+        .set('Authorization', `Bearer ${runtimeToken}`)
+        .send({
+          sections: {
+            long_term: { content: 'keep me' },
+            daily: [
+              { date: '2026-04-12', content: 'mon' },
+              { date: '2026-04-13', content: 'tue' },
+            ],
+          },
+          mode: 'full',
+        })
+        .expect(200);
+
+      // Patch with updated tue + new wed; long_term should survive.
+      await request(app)
+        .post('/api/agents/runtime/memory/sync')
+        .set('Authorization', `Bearer ${runtimeToken}`)
+        .send({
+          sections: {
+            daily: [
+              { date: '2026-04-13', content: 'tue-updated' },
+              { date: '2026-04-14', content: 'wed' },
+            ],
+          },
+          mode: 'patch',
+        })
+        .expect(200);
+
+      const get = await request(app)
+        .get('/api/agents/runtime/memory')
+        .set('Authorization', `Bearer ${runtimeToken}`);
+      expect(get.body.sections.long_term.content).toBe('keep me');
+      const byDate = Object.fromEntries(get.body.sections.daily.map((d) => [d.date, d.content]));
+      expect(byDate['2026-04-12']).toBe('mon');
+      expect(byDate['2026-04-13']).toBe('tue-updated');
+      expect(byDate['2026-04-14']).toBe('wed');
+    });
+
+    it('patch mode: merges relationships by otherInstanceId', async () => {
+      await request(app)
+        .post('/api/agents/runtime/memory/sync')
+        .set('Authorization', `Bearer ${runtimeToken}`)
+        .send({
+          sections: {
+            relationships: [
+              { otherInstanceId: 'nova', notes: 'old nova' },
+              { otherInstanceId: 'theo', notes: 'old theo' },
+            ],
+          },
+          mode: 'full',
+        })
+        .expect(200);
+
+      await request(app)
+        .post('/api/agents/runtime/memory/sync')
+        .set('Authorization', `Bearer ${runtimeToken}`)
+        .send({
+          sections: {
+            relationships: [
+              { otherInstanceId: 'nova', notes: 'new nova' },
+              { otherInstanceId: 'liz', notes: 'new liz' },
+            ],
+          },
+          mode: 'patch',
+        })
+        .expect(200);
+
+      const get = await request(app)
+        .get('/api/agents/runtime/memory')
+        .set('Authorization', `Bearer ${runtimeToken}`);
+      const byId = Object.fromEntries(
+        get.body.sections.relationships.map((r) => [r.otherInstanceId, r.notes]),
+      );
+      expect(byId.nova).toBe('new nova');
+      expect(byId.theo).toBe('old theo');
+      expect(byId.liz).toBe('new liz');
+    });
+
+    it('mirrors v1 content when patch mode includes long_term', async () => {
+      await request(app)
+        .post('/api/agents/runtime/memory/sync')
+        .set('Authorization', `Bearer ${runtimeToken}`)
+        .send({
+          sections: { long_term: { content: 'sync-mirrored' } },
+          mode: 'patch',
+        })
+        .expect(200);
+
+      const get = await request(app)
+        .get('/api/agents/runtime/memory')
+        .set('Authorization', `Bearer ${runtimeToken}`);
+      expect(get.body.content).toBe('sync-mirrored');
+    });
+
+    it('dedupes identical payloads within the same day bucket', async () => {
+      const body = {
+        sections: { long_term: { content: 'stable' } },
+        sourceRuntime: 'openclaw',
+        mode: 'patch',
+      };
+
+      const first = await request(app)
+        .post('/api/agents/runtime/memory/sync')
+        .set('Authorization', `Bearer ${runtimeToken}`)
+        .send(body);
+      expect(first.status).toBe(200);
+      expect(first.body.ok).toBe(true);
+      expect(first.body.deduped).toBeUndefined();
+
+      const second = await request(app)
+        .post('/api/agents/runtime/memory/sync')
+        .set('Authorization', `Bearer ${runtimeToken}`)
+        .send(body);
+      expect(second.status).toBe(200);
+      expect(second.body.ok).toBe(true);
+      expect(second.body.deduped).toBe(true);
+
+      // Count should still be 1.
+      expect(await AgentMemory.countDocuments({})).toBe(1);
+    });
+
+    it('does NOT dedupe when the payload content changes', async () => {
+      await request(app)
+        .post('/api/agents/runtime/memory/sync')
+        .set('Authorization', `Bearer ${runtimeToken}`)
+        .send({
+          sections: { long_term: { content: 'first' } }, sourceRuntime: 'openclaw', mode: 'patch',
+        })
+        .expect(200);
+
+      const res = await request(app)
+        .post('/api/agents/runtime/memory/sync')
+        .set('Authorization', `Bearer ${runtimeToken}`)
+        .send({
+          sections: { long_term: { content: 'second' } }, sourceRuntime: 'openclaw', mode: 'patch',
+        });
+      expect(res.body.deduped).toBeUndefined();
+      const get = await request(app)
+        .get('/api/agents/runtime/memory')
+        .set('Authorization', `Bearer ${runtimeToken}`);
+      expect(get.body.sections.long_term.content).toBe('second');
+    });
+
+    it('server-stamps byteSize on sync writes', async () => {
+      await request(app)
+        .post('/api/agents/runtime/memory/sync')
+        .set('Authorization', `Bearer ${runtimeToken}`)
+        .send({
+          sections: { long_term: { content: '😀 hi', byteSize: 9999 } },
+          mode: 'full',
+        })
+        .expect(200);
+      const get = await request(app)
+        .get('/api/agents/runtime/memory')
+        .set('Authorization', `Bearer ${runtimeToken}`);
+      expect(get.body.sections.long_term.byteSize).toBe(Buffer.byteLength('😀 hi', 'utf8'));
+    });
+
+    it('rejects unauthenticated sync requests', async () => {
+      const res = await request(app)
+        .post('/api/agents/runtime/memory/sync')
+        .send({ sections: { long_term: { content: 'x' } }, mode: 'full' });
+      expect(res.status).toBe(401);
+    });
+
+    it('full mode without long_term wipes the v1 content mirror', async () => {
+      // Seed with v1 content via mirror.
+      await request(app)
+        .post('/api/agents/runtime/memory/sync')
+        .set('Authorization', `Bearer ${runtimeToken}`)
+        .send({ sections: { long_term: { content: 'v1 mirror source' } }, mode: 'full' })
+        .expect(200);
+      let get = await request(app)
+        .get('/api/agents/runtime/memory')
+        .set('Authorization', `Bearer ${runtimeToken}`);
+      expect(get.body.content).toBe('v1 mirror source');
+
+      // full sync that omits long_term — v1 content must be blanked, not stale.
+      await request(app)
+        .post('/api/agents/runtime/memory/sync')
+        .set('Authorization', `Bearer ${runtimeToken}`)
+        .send({ sections: { dedup_state: { content: '## Commented\n{}' } }, mode: 'full' })
+        .expect(200);
+      get = await request(app)
+        .get('/api/agents/runtime/memory')
+        .set('Authorization', `Bearer ${runtimeToken}`);
+      expect(get.body.content).toBe('');
+      expect(get.body.sections.long_term).toBeUndefined();
+    });
+
+    it('PUT /memory invalidates the sync dedup cache (cross-writer safety)', async () => {
+      const body = {
+        sections: { long_term: { content: 'dedup-me' } },
+        sourceRuntime: 'openclaw',
+        mode: 'patch',
+      };
+
+      // Sync once so lastSyncKey is populated.
+      await request(app)
+        .post('/api/agents/runtime/memory/sync')
+        .set('Authorization', `Bearer ${runtimeToken}`)
+        .send(body)
+        .expect(200);
+
+      // A non-sync writer mutates sections directly (human operator / v1 tool).
+      await request(app)
+        .put('/api/agents/runtime/memory')
+        .set('Authorization', `Bearer ${runtimeToken}`)
+        .send({ sections: { long_term: { content: 'stomped by PUT' } } })
+        .expect(200);
+
+      // The same sync payload must NOT be deduped now — kernel state drifted.
+      const second = await request(app)
+        .post('/api/agents/runtime/memory/sync')
+        .set('Authorization', `Bearer ${runtimeToken}`)
+        .send(body);
+      expect(second.body.deduped).toBeUndefined();
+
+      const get = await request(app)
+        .get('/api/agents/runtime/memory')
+        .set('Authorization', `Bearer ${runtimeToken}`);
+      expect(get.body.sections.long_term.content).toBe('dedup-me');
+    });
+  });
 });