…ity)

Aligns hook.py with the kind= search filter introduced in the /repair +
/silent-save PR. Saves written with topic="auto-save" would not be
returned by kind=checkpoint queries once that PR lands.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

…key, portable paths

Two issues called out by @rboarescu in the PR #4 review:

1. clients/palace-mode embedded a hardcoded PALACE_API_KEY default
   value at lines 16-17. The author key has been treated as compromised
   and will be rotated on next daemon restart; this commit stops the
   bleed by reading both URL and key from the environment with no
   in-source defaults. `palace-mode remote` now fails fast with a
   clear error if neither PALACE_DAEMON_URL nor PALACE_API_KEY is set,
   instead of silently writing empty strings into settings.local.json.

2. clients/palace-mcp-dispatch.sh hardcoded an absolute path to its
   sibling clients/mempalace-mcp.py, only working on the author's
   machine. Now resolves siblings via readlink -f / dirname (same
   pattern palace-mode already used), so the dispatcher works
   wherever the clients/ directory lives.

No daemon restart needed for these client-side fixes.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Pulls in 8 commits we were behind on, most importantly:

- v1.4.4: Dockerfile + docker-compose.yml + HNSW monitoring + granular
  concurrency env vars (PALACE_MAX_READ_CONCURRENCY /
  PALACE_MAX_WRITE_CONCURRENCY)
- v1.4.5: time-based saves, session-end force save, state cleanup
- 0060190: use CHECKPOINT_TOPIC constant for diary writes (PR #4
  compatibility — composes cleanly with our existing CHECKPOINT_TOPIC
  + CHECKPOINT_TOPIC_SYNONYMS block)
- a64244c: revert MCP-breaking toast injection, keep REST endpoint
  toasts
- d0aabb9 v1.5.1: harden _get_collection (silent failures logged,
  cache self-healing retry, num_threads=1 enforced on every open),
  /health returns 503 on degraded palace, systemd watchdog via
  sd_notify, startup warmup opens the collection
- patches/ + scripts/apply_patches.sh: upstream's patch-style backport
  system

Conflict resolution:
- main.py: kept VERSION at 1.7.2 (was 1.7.1; bumped to reflect the
  upstream merge). Kept our CHECKPOINT_TOPIC + CHECKPOINT_TOPIC_SYNONYMS
  block AND adopted upstream's PALACE_MAX_READ/WRITE_CONCURRENCY env
  var split.
- palace-daemon.service: kept our placeholder (User=user,
  /home/user/...) and ExecStartPre/ExecStartPost hooks; adopted
  upstream's Type=notify + NotifyAccess=main for the watchdog.
- README.md: kept fork-shaped narrative wholesale per the
  fork-README-handling pattern. Queue table needs a follow-up sweep
  to reflect what's now upstream (watchdog, HNSW threads enforcement,
  collection cache auto-retry, --force flag) — those rows can be
  retired.
- CHANGELOG.md: added a v1.7.2 entry at the top listing what came in
  from upstream's v1.5.1; kept our own v1.5.1 entry below for fork
  history with a note about the v1.5.1 naming collision and PR #4's
  closed-not-merged status.

No tests in this repo; smoke test will run via deploy.sh after this
commit.

…wording

Reordered the queue so the smallest, most universally-applicable changes
sit at the top and the JP-personalized tooling sits at the bottom. The
prior order ranked by raw size, which buried the actual best candidates
(`limit=` bug fix, `_canonical_topic`, `/graph.tunnels`) under deploy
tooling that needs significant generalization before it would be a
reasonable PR.

New top of queue (PR-ready, universal):
1. `limit=` bug fix on /search /context (tiny, clear bug)
2. `_canonical_topic()` synonym rewrite (composes with upstream's CHECKPOINT_TOPIC constant from 0060190)
3. `/graph.tunnels` derived from graph_stats (small fix)
4. `scripts/verify-routes.sh` (universal curl smoke test)
5. `GET /graph` (medium, depends on a sqlite-direct read pattern)
6. `GET /viz` (medium, depends on /graph)

Marked **needs generalization** on three rows that have JP-specific
assumptions baked in:
- `clients/palace-mode` (Claude Code plugin cache layout)
- `scripts/auto-repair-if-empty.sh` (systemd --user shape)
- `scripts/deploy.sh` (PALACE_HOST=disks, ~/.claude/settings.local.json,
  Syncthing-mirrored source tree, fork-mempalace import-check that
  would fail on upstream installs)

Also tightened the front-matter wording on PR #4: rboarescu cherry-picked
the contents into upstream main directly (`ef6ac03`) rather than merging
the PR via the GitHub UI, so "merged via PR #4" was technically
misleading. Updated to reflect the actual merge mechanism.

Bumped version 1.7.0 → 1.7.2 to match the post-upstream-merge state.
Drawer count refreshed 150,814 → 150,891.

…eralization

Mirrors the mempalace fork's README pattern: top-of-document section
listing PRs we've filed and their state, then a "pending" queue for
PR-ready items, then an explicit "needs generalization" table for
items that bake in JP-specific assumptions and are held until they
can be split into a universal shape.

## What's now where

- **Open upstream PRs** (3): rboarescu#7 limit= fix, rboarescu#8 _canonical_topic, rboarescu#9
  verify-routes.sh
- **Recently landed in upstream**: PR #4 (cherry-picked into ef6ac03,
  closed) — the v1.5.0 daemon work
- **Pending PRs — ready to file** (6): GET /graph (folds in
  /graph.tunnels fix), GET /viz, palace-mcp-dispatch.sh, mempal-fast.py,
  event-log-frame.md, graph-endpoint.md
- **Needs generalization before PR** (3): deploy.sh (PALACE_HOST=disks
  + fork-mempalace import-check), palace-mode (Claude Code plugin
  cache layout), auto-repair-if-empty.sh (systemd --user shape)

## Why

JP's note: "we can wait if we need to generalize things but make sure
that is noted in the readme like we do with memorypalace." Filing PRs
that have JP-specific assumptions baked in would either fail in
contributor review or land features other operators couldn't use.
Better to be explicit about which items are PR-ready, which are queued,
and which need generalization work first — and what that work is —
so anyone can pick up a generalization-ready item without re-discovering
the constraint set.

`/graph.tunnels` was previously listed as its own row but it's
structurally a sub-feature of `/graph`; merged into that row to
avoid implying it can ship independently.

`clients/palace-mode` shipped with two embedded user-specific defaults
on lines 19-20: a `DEFAULT_URL` pointing at my homelab daemon and a
real hex `DEFAULT_KEY`. Both are leftovers from when the script was
extracted from my own install — the URL is my homelab address, and
the hex string is a real API key I authored (it has since been
rotated, so it doesn't authenticate against my daemon anymore — but
the literal value is still in upstream main's source).

## Fix

Read both from environment, no in-source defaults:

```bash
DEFAULT_URL="${PALACE_DAEMON_URL_DEFAULT:-${PALACE_DAEMON_URL:-}}"
DEFAULT_KEY="${PALACE_API_KEY:-}"
```

Plus fail-fast guards in `set_mode_remote()` so silent empty-string
writes don't end up in `~/.claude/settings.local.json`. If either URL
or key is unset, the script prints a clear error pointing at the right
env vars and exits 2 instead of writing broken config.

## Why now

Three reasons even though the embedded key is no longer live:

1. Trains contributors that hex defaults are normal — anyone reading
   the source might assume embedding their own key is fine.
2. Default `palace-mode remote` (no args) writes my homelab URL into
   a fresh user's `settings.local.json`, sending their hooks to a
   daemon they have no auth for.
3. Reviewable provenance — removing the literal makes future audits
   cleaner.

## Scope

+11 / -1. Single file. No new dependencies. No behavior change for
operators who set `PALACE_DAEMON_URL` and `PALACE_API_KEY` in their
shell rc. Operators who relied on the embedded defaults get a clear
error pointing at what they need to set.

Originally part of fork commit `d450cef` ("address upstream review on
PR #4"); the portable-paths half of that commit shipped as PR rboarescu#10.
Sending the embedded-defaults half standalone.

The dispatcher in `clients/palace-mcp-dispatch.sh` has a hardcoded
`/home/jp/Projects/palace-daemon/clients/mempalace-mcp.py` in the
`--daemon` branch — a leftover from when it was extracted into PR #4.
As shipped in `main` today, the dispatcher only works on my machine;
on every other operator's machine the `exec` target doesn't exist
and the daemon-proxy mode fails immediately.

## Fix

Resolve the sibling client path at runtime:

```bash
HERE="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &> /dev/null && pwd -P)"
MCP_CLIENT="$HERE/mempalace-mcp.py"
```

`cd "$(dirname …)" && pwd -P` is POSIX-portable. It resolves symlinks
in the directory path via the filesystem, which covers the actual
common case for plugin invocations (the script's parent directory
may be a symlink under a Claude Code plugin cache). The earlier
`readlink -f` approach failed on macOS — BSD `readlink` doesn't
accept `-f`, so the dispatcher would silently `command not found`
on macOS clients (caught in Copilot review).

Also adds an explicit existence check on `$MCP_CLIENT` before exec,
so the failure mode is a clear error message ("missing sibling
client at …") rather than a generic Python "can't open file" trace.

Same behavior on my machine; correct + portable behavior everywhere
else. The "in-process" branch (`python -m mempalace.mcp_server`)
was already portable, no change there.

Originally extracted from a fork-side commit (`d450cef`) that landed
during PR #4's review cycle but didn't make it into the final
cherry-pick. Sending standalone per the "small separate PRs"
preference.

A curl-based smoke test that exercises every public read-only route
against a running daemon. Designed for manual post-deploy validation
(`systemctl restart palace-daemon`-style), not CI — depends on a live
palace.

## What it probes

GET-only routes:
- /health (auth-bypass; always responds)
- /search?q=palace&limit=2
- /context?topic=palace&limit=2
- /stats
- /repair/status

Plus a regression check on `limit=3` returning 3 hits end-to-end (only
fails if the palace had ≥3 matches and the response was capped at fewer;
flags rather than fails on empty/unreachable palaces).

POST routes (/repair, /silent-save, /memory, /mine, /flush, /reload,
/backup) intentionally skipped — they mutate state and belong in a
dedicated integration run against a throwaway palace, not in a manual
smoke against production.

## Usage

    PALACE_DAEMON_URL=http://your-host:8085 \
    PALACE_API_KEY=... \
        scripts/verify-routes.sh

Both env vars optional; defaults to localhost:8085 and no auth header.

## Why this shape

Easier than maintaining a full pytest harness for one-shot deploy
verification, and the actual failure surface (HTTP 500, malformed
JSON, missing routes after merge) is what curl + grep catches well.
The probe helpers (`probe`, `probe_json_field`) keep failure messages
short and actionable.

Originally extracted from a fork-side commit; sending standalone per
the "small separate PRs" preference noted on PR #4.

`clients/palace-mode` shipped with two embedded user-specific defaults
on lines 19-20: a `DEFAULT_URL` pointing at my homelab daemon and a
real hex `DEFAULT_KEY`. Both are leftovers from when the script was
extracted from my own install — the URL is my homelab address, and
the hex string is a real API key I authored (it has since been
rotated, so it doesn't authenticate against my daemon anymore — but
the literal value is still in upstream main's source).

## Fix

Read both from environment, no in-source defaults:

```bash
DEFAULT_URL="${PALACE_DAEMON_URL_DEFAULT:-${PALACE_DAEMON_URL:-}}"
DEFAULT_KEY="${PALACE_API_KEY:-}"
```

Plus fail-fast guards in `set_mode_remote()` so silent empty-string
writes don't end up in `~/.claude/settings.local.json`. If either URL
or key is unset, the script prints a clear error pointing at the right
env vars and exits 2 instead of writing broken config.

## Why now

Three reasons even though the embedded key is no longer live:

1. Trains contributors that hex defaults are normal — anyone reading
   the source might assume embedding their own key is fine.
2. Default `palace-mode remote` (no args) writes my homelab URL into
   a fresh user's `settings.local.json`, sending their hooks to a
   daemon they have no auth for.
3. Reviewable provenance — removing the literal makes future audits
   cleaner.

## Scope

+11 / -1. Single file. No new dependencies. No behavior change for
operators who set `PALACE_DAEMON_URL` and `PALACE_API_KEY` in their
shell rc. Operators who relied on the embedded defaults get a clear
error pointing at what they need to set.

Originally part of fork commit `d450cef` ("address upstream review on
PR #4"); the portable-paths half of that commit shipped as PR rboarescu#10.
Sending the embedded-defaults half standalone.

Adds `_canonical_topic()` between `/silent-save`'s payload parse and
`tool_diary_write`. When a topic comes in matching a known legacy
synonym (currently `"auto-save"`), it gets rewritten to the canonical
`CHECKPOINT_TOPIC` ("checkpoint") and a warning is logged.

## Why

The bundled clients (`clients/hook.py`, `clients/mempal-fast.py`)
already write the canonical value, so this is defense-in-depth. It
catches:

1. Future drift in those clients (someone edits one and forgets the
   convention)
2. Third-party callers POSTing to `/silent-save` directly with the
   older synonym
3. Buggy hook installs that haven't been updated

Without this, drift would silently leak into palace metadata and
mempalace's `tool_diary_write` topic-routing — which sends matching
topics to the dedicated `mempalace_session_recovery` collection rather
than the searchable main collection — would miss those drawers and
they'd dominate vector top-N in `mempalace_search` results. The
warning makes drift observable; the rewrite keeps the palace clean.

## Scope

- New module-level constants: `CHECKPOINT_TOPIC`, `CHECKPOINT_TOPIC_SYNONYMS`
- New helper: `_canonical_topic(topic: str) -> str` (10 lines)
- One call-site change in `_do_silent_save_write`

Non-checkpoint topics (e.g. `"musings"`, `"decisions"`) pass through
unchanged — the rewrite only fires on synonyms in the explicit list.

No new dependencies, no behavior change for already-canonical writes,
no breaking change for callers using the default.

Originally extracted from a larger fork-side commit (`b4b39fc`) that
bundled this with a now-retired `kind=` filter; sending it standalone
per the "small separate PRs" preference noted on PR #4.

…nding queue; trim patch

Filed four upstream PRs on 2026-04-30:
- rboarescu#15  feat: GET /viz status dashboard (stacks on rboarescu#13)
- rboarescu#16  feat: GET /list — query-free metadata browse
- rboarescu#17  feat: DELETE /memory + PATCH /memory
- rboarescu#18  feat(lifespan): auto-migrate Stop-hook checkpoints on startup

Also rebased PR rboarescu#13 onto upstream/main to clear a CHANGELOG conflict
left by upstream's b4aee82 (patch sync) — state went CONFLICTING ->
MERGEABLE / CLEAN.

README:
- Open upstream PRs table: four new rows (rboarescu#15-rboarescu#18) plus a 2026-04-30
  note covering today's rebase + new PRs in one breath.
- Pending PRs queue: now empty. Replaced the four stale rows
  (event-log-frame and graph-endpoint were already in flight via
  rboarescu#11 and rboarescu#13; mempal-fast.py was already upstream via the merged
  PR #4 omnibus; /viz is now PR rboarescu#15) with a brief empty-state note.

CLAUDE.md:
- Patch description trimmed to reflect that the hnsw:num_threads
  enforcement landed upstream via _pin_hnsw_threads(); only the
  log + retry-once slice remains.

patches/mcp_server_get_collection.patch:
- Regenerated against current mempalace develop. The patch is now
  just the "log exception + retry once on cache failure" change.
  Filed upstream as MemPalace/mempalace#1286; once that merges this
  patch retires.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Seven findings, all addressed:

1. **Path translation before is_dir check** (Copilot watcher.py:133).
   parse_watch_dirs() validated against the daemon filesystem before
   any path translation, so a PALACE_WATCH_DIRS value written in the
   client namespace was always rejected as "not a directory". Add a
   translator= kwarg; main.py now passes _translate_client_path so
   client-namespace entries reach the daemon's view first.

2. **Drop on_any_event in favor of specific subscriptions** (Copilot
   watcher.py:160). watchdog 3.x emits opened/closed events on plain
   file reads on Linux; routing those through the debounce would
   re-mine the project on every file open. Replaced on_any_event
   with explicit on_created / on_modified / on_moved / on_deleted.

3. **Check dest_path on FileMovedEvent** (Copilot watcher.py:171).
   Editor save-via-rename writes a temp file then renames to the
   real filename. The src_path on the move event is the temp; only
   dest_path has the real extension. Extracted _has_watchable_extension()
   helper; on_moved() checks both sides.

4. **Per-target schedule() failure isolation** (Copilot watcher.py:219).
   A bare for-loop let an exception in observer.schedule() (e.g.
   inotify watch limit on a large repo) abort the entire service.
   Wrap each schedule() in try/except; one failed target no longer
   disables the others. Logged at warning level.

5. **Cancel debounce timers on stop** (Copilot watcher.py:224). stop()
   tore down the observer but left armed threading.Timer objects to
   fire mid-teardown. Add cancel_pending() on the handler; service
   stop() walks all handlers first.

6. **Surface watcher-coroutine errors** (Copilot watcher.py:246).
   asyncio.run_coroutine_threadsafe() returns a Future the caller
   must observe; dropping it swallowed exceptions silently. Add a
   _log_future_exception done-callback.

7. **/watch reports running state accurately** (Copilot main.py:558).
   app.state.watcher was set unconditionally even when start()
   returned early (empty env, missing dep, all targets failed). Now
   only published to app.state when watcher.is_running. GET /watch
   reports running: false for idle/disabled instead of misleading
   running: true.

Tests: 28 pass (was 24). New cases:
- test_rename_to_watched_extension_fires (covers #3)
- test_cancel_pending_drops_armed_timer (covers #5)
- test_one_failed_target_doesnt_disable_others (covers #4)
- test_translator_runs_before_is_dir (covers #1)
Existing handler tests retargeted from on_any_event to on_modified
since on_any_event no longer exists in this revision.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Seven findings, all addressed:

1. **Path translation before is_dir check** (Copilot watcher.py:133).
   parse_watch_dirs() validated against the daemon filesystem before
   any path translation, so a PALACE_WATCH_DIRS value written in the
   client namespace was always rejected as "not a directory". Add a
   translator= kwarg; main.py now passes _translate_client_path so
   client-namespace entries reach the daemon's view first.

2. **Drop on_any_event in favor of specific subscriptions** (Copilot
   watcher.py:160). watchdog 3.x emits opened/closed events on plain
   file reads on Linux; routing those through the debounce would
   re-mine the project on every file open. Replaced on_any_event
   with explicit on_created / on_modified / on_moved / on_deleted.

3. **Check dest_path on FileMovedEvent** (Copilot watcher.py:171).
   Editor save-via-rename writes a temp file then renames to the
   real filename. The src_path on the move event is the temp; only
   dest_path has the real extension. Extracted _has_watchable_extension()
   helper; on_moved() checks both sides.

4. **Per-target schedule() failure isolation** (Copilot watcher.py:219).
   A bare for-loop let an exception in observer.schedule() (e.g.
   inotify watch limit on a large repo) abort the entire service.
   Wrap each schedule() in try/except; one failed target no longer
   disables the others. Logged at warning level.

5. **Cancel debounce timers on stop** (Copilot watcher.py:224). stop()
   tore down the observer but left armed threading.Timer objects to
   fire mid-teardown. Add cancel_pending() on the handler; service
   stop() walks all handlers first.

6. **Surface watcher-coroutine errors** (Copilot watcher.py:246).
   asyncio.run_coroutine_threadsafe() returns a Future the caller
   must observe; dropping it swallowed exceptions silently. Add a
   _log_future_exception done-callback.

7. **/watch reports running state accurately** (Copilot main.py:558).
   app.state.watcher was set unconditionally even when start()
   returned early (empty env, missing dep, all targets failed). Now
   only published to app.state when watcher.is_running. GET /watch
   reports running: false for idle/disabled instead of misleading
   running: true.

Tests: 28 pass (was 24). New cases:
- test_rename_to_watched_extension_fires (covers #3)
- test_cancel_pending_drops_armed_timer (covers #5)
- test_one_failed_target_doesnt_disable_others (covers #4)
- test_translator_runs_before_is_dir (covers #1)
Existing handler tests retargeted from on_any_event to on_modified
since on_any_event no longer exists in this revision.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

* feat(watcher): file-watcher service for auto-mining on file change

Closes the "automining when files are added or updated" half of JP's
ask. The other half (CLI add/remove of mined data) ships in
jphein/mempalace#4 as `mempalace mined` + `mempalace purge --source-file`.

Adds a watchdog-based file watcher that runs inside the daemon's
lifespan. Configured via `PALACE_WATCH_DIRS` env var:

    PALACE_WATCH_DIRS="/home/jp/Projects/realmwatch=wing_realmwatch,
                       /home/jp/Projects/oracle=wing_oracle"

Each entry is `path` or `path=wing`. Bare path derives wing via
`mempalace.config.normalize_wing_name(basename)` to match the
local-spawn miner default. Non-existent paths are warned-and-skipped,
not fatal — a misconfigured env var doesn't kill startup.

Architecture:

* watcher.py — pure-Python module: parse_watch_dirs(),
  _DebouncedMineHandler (subclass of FileSystemEventHandler with a
  per-target debounce timer), WatcherService (lifecycle wrapper around
  watchdog.Observer).
* main.py lifespan — instantiate WatcherService, schedule one
  recursive watch per target, register stop() on shutdown. Failures
  are non-fatal; the daemon serves traffic regardless.
* main.py — `_internal_mine()` async closure runs the same
  `mempalace mine ... --mode projects --wing X` argv as the existing
  /mine endpoint, gated by the same `_mine_sem`.
* main.py — new `GET /watch` endpoint surfaces the running target
  list. No POST/DELETE — runtime add/remove requires daemon restart
  (operator just edits the systemd unit env and restarts).

Debounce: events on the same target collapse via a 2-second per-target
timer. Catches editor write+rename storms and *.swp / *.lock churn.
Also pre-filters by extension allowlist (29 extensions: code, configs,
markdown). Inotify fires for everything; the handler discards
non-watched extensions before the timer schedules.

Path translation: when a watch path lives in a Syncthing-replicated
directory, the daemon-side path is translated through
`PALACE_DAEMON_PATH_MAP` before the mine subprocess runs (same
mechanism used by /mine).

Tests: 11 new unittest cases in tests/test_watcher.py:
- TestParseWatchDirs (7 cases): empty, single-with-derived-wing,
  explicit-wing, multiple, skips-nonexistent, skips-files, env-fallback
- TestDebouncedMineHandler (4 cases): single-event-fires,
  burst-collapses-to-one, skips-directory-events, skips-bad-extensions

Stacked on #1 (path-translation). When that
merges, this PR auto-rebases against main; reviewers see only the
new commits in this PR.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

* fix(watcher): address Copilot review on #2

Seven findings, all addressed:

1. **Path translation before is_dir check** (Copilot watcher.py:133).
   parse_watch_dirs() validated against the daemon filesystem before
   any path translation, so a PALACE_WATCH_DIRS value written in the
   client namespace was always rejected as "not a directory". Add a
   translator= kwarg; main.py now passes _translate_client_path so
   client-namespace entries reach the daemon's view first.

2. **Drop on_any_event in favor of specific subscriptions** (Copilot
   watcher.py:160). watchdog 3.x emits opened/closed events on plain
   file reads on Linux; routing those through the debounce would
   re-mine the project on every file open. Replaced on_any_event
   with explicit on_created / on_modified / on_moved / on_deleted.

3. **Check dest_path on FileMovedEvent** (Copilot watcher.py:171).
   Editor save-via-rename writes a temp file then renames to the
   real filename. The src_path on the move event is the temp; only
   dest_path has the real extension. Extracted _has_watchable_extension()
   helper; on_moved() checks both sides.

4. **Per-target schedule() failure isolation** (Copilot watcher.py:219).
   A bare for-loop let an exception in observer.schedule() (e.g.
   inotify watch limit on a large repo) abort the entire service.
   Wrap each schedule() in try/except; one failed target no longer
   disables the others. Logged at warning level.

5. **Cancel debounce timers on stop** (Copilot watcher.py:224). stop()
   tore down the observer but left armed threading.Timer objects to
   fire mid-teardown. Add cancel_pending() on the handler; service
   stop() walks all handlers first.

6. **Surface watcher-coroutine errors** (Copilot watcher.py:246).
   asyncio.run_coroutine_threadsafe() returns a Future the caller
   must observe; dropping it swallowed exceptions silently. Add a
   _log_future_exception done-callback.

7. **/watch reports running state accurately** (Copilot main.py:558).
   app.state.watcher was set unconditionally even when start()
   returned early (empty env, missing dep, all targets failed). Now
   only published to app.state when watcher.is_running. GET /watch
   reports running: false for idle/disabled instead of misleading
   running: true.

Tests: 28 pass (was 24). New cases:
- test_rename_to_watched_extension_fires (covers #3)
- test_cancel_pending_drops_armed_timer (covers #5)
- test_one_failed_target_doesnt_disable_others (covers #4)
- test_translator_runs_before_is_dir (covers #1)
Existing handler tests retargeted from on_any_event to on_modified
since on_any_event no longer exists in this revision.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>