feat: adaptive learning system — skill synthesis, user profiles, session search

[smkrv]

Hey folks, don't think I've lost my mind here, but I'd like to propose this level-up PR with an adaptive learning mechanism that will make the whole project a bit smarter and the routine a bit easier.

I've tried to test this as thoroughly as I could - ran it through 30+ full review-and-fix iterations across Opus and Codex (not code generation - testing, reviewing, and fixing), with multi-agent review panels (Architecture, Code Style, Security, Product Owner, Lead Dev, UI/UX, CPO, and others - all Blocking/High/Critical findings resolved), and also tested locally on my own agents in my own environment.

But I could have missed things (I definitely have :D), including edge cases that only show up under real-world conditions at scale.

Fresh eyes are very welcome.

Would really appreciate help with testing and reviewing all of this - no matter how good LLM-powered code generation and review gets, pulling something like this off solo is tough :) Would be awesome to see this feature get some life and evolve further as a real level-up for the project. And yes,

I swear I'm not crazy — I just went way too deep down this rabbit hole and at some point there was no turning back, so here we are.

---

What this does

This PR adds an Adaptive Learning System — three independently testable subsystems that let IronClaw autonomously learn from experience while architecturally guaranteeing that learned knowledge cannot leak secrets.

The Three Pillars

1. Autonomous Skill Synthesis (src/learning/)

The agent watches its own successful interactions. When it completes a complex multi-tool task (3+ tool calls with quality score ≥75, diverse tool combinations with ≥2 unique tools, or high quality completions scoring 90+), a background worker synthesizes a reusable SKILL.md from the interaction — via LLM, not templates. The generated skill passes through 6 layers of security validation before the user even sees it. The user must explicitly approve before it goes live. No auto-deployment, ever.

2. Encrypted User Profile Engine (src/user_profile/)

An evolving user model built from conversations. The ProfileDistiller extracts durable facts (timezone, expertise, communication style) via LLM, encrypts them with AES-256-GCM (per-fact HKDF-derived keys, random 32-byte salt, master key from OS keychain or SECRETS_MASTER_KEY env var — same crypto as credential storage), and injects them into the system prompt on next turn. The agent remembers you across sessions without storing anything in plaintext.

3. Session Search (src/db/libsql/session_search.rs, src/db/postgres.rs)

FTS5 (libSQL) / tsvector (PostgreSQL) full-text search over conversation summaries with vector embedding support for future hybrid search. The session_search tool lets the agent recall prior work, decisions, and context from previous conversations.

Architecture Diagrams

Full Architecture Pipeline

Skill Lifecycle State Machine

Runtime Sequence Flow

Security Architecture

Database Schema (V13)

Security Architecture (6 defense-in-depth layers)

All learned data flows through IronClaw's existing security primitives:

1. Content Wrapping — wrap_external_content() on every untrusted input before it reaches an LLM prompt
2. Threat Scanning — scan_content_for_threats() with NFKC unicode normalization, prompt injection patterns, role manipulation detection
3. Structural Validation — SkillValidator enforces YAML frontmatter, 16 KiB size limit, 256-char description limit, name/content/description threat scanning
4. Encryption at Rest — Profile facts encrypted with AES-256-GCM, per-fact salt, master key never leaves OS keychain or env var
5. Trust Boundaries — SkillSource::Synthesized forces Installed trust (read-only tools, treated as suggestions), path traversal prevention
6. User Approval Gate — ApprovalRequirement::Always on skill_approve for accept action — the LLM cannot self-approve its own generated skills (reject is safe and doesn't require approval)

Architecture Decisions

• Standalone store traits (SessionSearchStore, UserProfileStore, LearningStore) — NOT added to Database supertrait. Injected via Arc<dyn T>. This keeps the existing DB implementations untouched and lets the system start without these features.
• Background worker via bounded mpsc(32) — event-driven consumer pattern. Backpressure built in. Worker dies when sender is dropped.
• Heuristic quality scoring — no LLM call needed. Simple formula: base score (50 no errors, 20 with errors) + tool diversity bonus + turn bonus + volume bonus, capped at 100.
• Dual-backend — PostgreSQL (V13 migration) + libSQL (incremental migration V13) as per project requirements.

Files Changed

• 6 new modules: src/learning/ (7 files), src/user_profile/ (5 files)
• 6 new tools: session_search, skill_list_pending, skill_approve, profile_view, profile_edit, profile_clear
• 3 new store traits in src/db/mod.rs with implementations for both PostgreSQL and libSQL
• V13 migration for both backends
• Integration in dispatcher.rs: profile injection via append_system_context() after system prompt is set, learning event emission after turn completion
• SkillSource::Synthesized variant in src/skills/registry.rs with forced Installed trust

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a significant 'level-up' to the project by integrating an adaptive learning system. This system empowers the agent to autonomously learn from its interactions, personalize user experiences through encrypted profiles, and efficiently retrieve past conversational context. The changes are designed to make the agent smarter and more adaptable, while rigorously maintaining security and privacy standards through multiple layers of validation and encryption.

Highlights

• Adaptive Learning System Introduced: Implemented a comprehensive adaptive learning system featuring autonomous skill synthesis, an encrypted user profile engine, and session search capabilities to enhance agent intelligence and efficiency.
• Autonomous Skill Synthesis: Enabled the agent to automatically generate reusable SKILL.md files from successful, complex multi-tool interactions, subject to multi-layered security validation and explicit user approval.
• Encrypted User Profile Engine: Developed a system to distill and store durable user facts (e.g., timezone, expertise) from conversations, encrypting them with AES-256-GCM and injecting them into system prompts for personalized interactions without plaintext storage.
• Session Search Functionality: Added full-text search (FTS5/tsvector) over conversation summaries, with vector embedding support for future hybrid search, allowing the agent to recall prior work and context.
• Enhanced Security Architecture: Integrated six defense-in-depth layers for learned data, including content wrapping, threat scanning, structural validation, encryption at rest, trust boundaries, and user approval gates for synthesized skills.
• New Database Migrations and Store Traits: Introduced V13 database migrations for both PostgreSQL and libSQL, adding tables for session summaries, user profile facts, and synthesized skills, along with new standalone store traits.
• New Built-in Tools: Added six new built-in tools: session_search, skill_list_pending, skill_approve, profile_view, profile_edit, and profile_clear to manage the new learning and user profile features.

Changelog

• .gitignore
  • Added entries for .DS_Store and local architecture/plan documentation directories.
• Cargo.lock
  • Updated dependencies to include 'unicode-normalization'.
• crates/ironclaw_safety/Cargo.toml
  • Added 'unicode-normalization' dependency for enhanced security scanning.
• crates/ironclaw_safety/src/lib.rs
  • Implemented scan_content_for_threats function to detect prompt injection, credential exfiltration, and other malicious patterns.
  • Added normalize_for_scanning function to handle Unicode normalization and zero-width character stripping for robust threat detection.
  • Extended unit tests for new threat scanning functionality.
• migrations/V13__learning_system.sql
  • Created new database tables: session_summaries for conversation search, user_profile_facts for encrypted user data, and synthesized_skills for skill audit logs.
• src/agent/agent_loop.rs
  • Extended AgentDeps struct to include optional learning_tx (for background worker), profile_engine, and user_profile_config.
• src/agent/dispatcher.rs
  • Modified agent dispatch logic to inject user profile data into the system prompt if enabled and available.
  • Added logic to emit LearningEvents after successful turn completion, triggering skill synthesis and profile distillation.
  • Implemented auto-distillation of user profile facts at regular intervals.
• src/app.rs
  • Updated AppComponents to hold new learning system store handles (session search, user profile, learning store).
  • Modified AppBuilder to capture these store handles during database connection before type erasure.
• src/cli/skills.rs
  • Added formatting for the new Synthesized skill source type.
• src/config/learning.rs
  • Added new configuration struct LearningConfig to manage adaptive learning parameters like minimum tool calls, unique tools, quality score, and skill limits.
• src/config/mod.rs
  • Integrated learning and user_profile modules into the main configuration system.
  • Added LearningConfig and UserProfileConfig to the main Config struct.
• src/config/user_profile.rs
  • Added new configuration struct UserProfileConfig to manage user profile engine parameters like enabled status, max prompt characters, distillation interval, and max facts.
• src/db/libsql/learning.rs
  • Implemented the LearningStore trait for the LibSQL backend, providing persistence for synthesized skills.
• src/db/libsql/mod.rs
  • Included new LibSQL modules for learning, session search, and user profiles.
• src/db/libsql/session_search.rs
  • Implemented the SessionSearchStore trait for the LibSQL backend, including FTS5 search and a vector search fallback.
• src/db/libsql/user_profile.rs
  • Implemented the UserProfileStore trait for the LibSQL backend, handling encrypted user profile facts.
• src/db/libsql_migrations.rs
  • Added V13 migration for LibSQL, creating session_summaries, user_profile_facts, and synthesized_skills tables with FTS5 virtual table and triggers.
• src/db/mod.rs
  • Extended DatabaseHandles to include session_search_store, user_profile_store, and learning_store as Arc<dyn T> trait objects.
  • Modified connect_with_handles to create and store these standalone learning system trait objects from concrete backend types.
• src/db/postgres.rs
  • Implemented SessionSearchStore, UserProfileStore, and LearningStore traits for the PostgreSQL backend, including pgvector support for embeddings.
• src/learning/candidate.rs
  • Defined SynthesisCandidate struct to represent interactions suitable for skill synthesis.
  • Defined DetectionReason enum to categorize why an interaction was flagged for synthesis.
• src/learning/detector.rs
  • Implemented PatternDetector to evaluate completed interactions and identify those worthy of skill synthesis based on configured thresholds.
• src/learning/error.rs
  • Defined LearningError enum for error handling within the adaptive learning system.
• src/learning/mod.rs
  • Created the learning module, encapsulating candidate detection, synthesis, validation, and worker logic.
• src/learning/synthesizer.rs
  • Defined SkillSynthesizer trait and LlmSkillSynthesizer implementation for LLM-powered skill generation.
  • Implemented prompt construction for skill synthesis, including safety wrapping for user-provided context.
• src/learning/validator.rs
  • Implemented SkillValidator to enforce structural correctness, size limits, and safety checks on synthesized skills before persistence.
• src/learning/worker.rs
  • Implemented spawn_learning_worker to run as a background task, processing LearningEvents, detecting synthesis candidates, and managing skill lifecycle.
  • Added heuristic_quality_score function to evaluate interaction quality.
• src/lib.rs
  • Added learning and user_profile modules to the crate root.
• src/llm/reasoning.rs
  • Added append_system_context method to Reasoning for injecting additional context (like user profiles) into the system prompt.
• src/main.rs
  • Integrated the adaptive learning system by initializing the learning worker and user profile engine based on configuration.
  • Registered new learning and user profile tools with the tool registry.
• src/skills/mod.rs
  • Added SkillSource::Synthesized variant to denote skills generated by the learning system.
• src/skills/registry.rs
  • Modified skill discovery logic to include auto-synthesized skills from a dedicated directory, with Installed trust.
• src/testing/mod.rs
  • Updated test harness to include default learning_tx, profile_engine, and user_profile_config.
• src/tools/builtin/learning_tools.rs
  • Implemented SkillListPendingTool to list skills awaiting user approval.
  • Implemented SkillApproveTool to allow users to accept or reject synthesized skills, including safety checks and filesystem persistence for accepted skills.
• src/tools/builtin/mod.rs
  • Exported new learning and profile tools for use in the tool registry.
• src/tools/builtin/profile_tools.rs
  • Implemented ProfileViewTool to display user profile facts.
  • Implemented ProfileEditTool to allow manual addition or update of profile facts.
  • Implemented ProfileClearTool to remove specific or all facts from a category.
• src/tools/builtin/session_search.rs
  • Implemented SessionSearchTool for searching past conversation summaries.
• src/tools/registry.rs
  • Added new learning and user profile tools to the tool registry.
  • Included new tool names in PROTECTED_TOOL_NAMES to prevent unauthorized modification.
• src/user_profile/distiller.rs
  • Implemented ProfileDistiller to extract structured profile facts from user messages using an LLM.
  • Incorporated safety wrapping and fact validation to prevent injection and ensure data integrity.
• src/user_profile/engine.rs
  • Defined UserProfileEngine trait and EncryptedProfileEngine implementation for managing encrypted user profiles.
  • Handles encryption/decryption of profile facts using SecretsCrypto and enforces fact limits and safety checks.
• src/user_profile/error.rs
  • Defined UserProfileError enum for error handling within the user profile system.
• src/user_profile/mod.rs
  • Created the user_profile module, containing distiller, engine, error, and types for user profiles.
• src/user_profile/types.rs
  • Defined FactCategory, FactSource, ProfileFact, and UserProfile structs for structured user data.
  • Implemented format_for_prompt for UserProfile to generate a concise, truncated representation for LLM injection.
• tests/support/gateway_workflow_harness.rs
  • Updated GatewayWorkflowHarness to include default learning and user profile components for testing.
• tests/support/test_rig.rs
  • Updated TestRigBuilder to include default learning and user profile components for testing.

Activity

• The author, smkrv, has invested significant effort, running over 30 full review-and-fix iterations with multiple AI agents (Opus, Codex) acting as reviewers (Architecture, Code Style, Security, Product Owner, Lead Dev, UI/UX, CPO).
• All Blocking/High/Critical findings identified by these multi-agent review panels have been resolved.
• Local testing was also performed on the author's own agents and environment.
• smkrv acknowledges that despite thorough testing, edge cases might exist and welcomes fresh eyes and testing from other contributors.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This is an impressive and ambitious pull request that introduces a sophisticated adaptive learning system. The architecture is well-designed with clear separation of concerns between skill synthesis, user profiles, and session search. The focus on security is particularly noteworthy, with multiple layers of defense including content wrapping, threat scanning, structural validation, and strong encryption. The code is high quality, well-documented, and includes good test coverage. I've identified a couple of potential race conditions that could lead to data corruption or bypassing resource limits, but overall this is an excellent contribution.

[smkrv]

Re: TOCTOU in max_facts_per_user check (engine.rs:145)

Good catch on the race condition — this is a real concern at scale. Here's the current mitigation and why a per-user mutex isn't the right fit yet:

Current state:

• libSQL (default backend): WAL mode serializes all writes through a single writer with 5s busy timeout. Concurrent store_fact calls for the same user are physically serialized at the DB level — the race cannot occur.
• PostgreSQL: The distiller runs in a single tokio::spawn per turn per user in the dispatcher. Two concurrent distillations for the same user_id would require two simultaneous turns completing for the same user, which the session model (single active thread per session) makes unlikely.

Why not per-user mutex:

• DashMap<String, Mutex<()>> in the engine creates runtime state that doesn't survive restarts, grows unboundedly (no eviction), and adds complexity for a race that the DB layer already mitigates.
• The proper fix is an atomic DB-level check: INSERT ... WHERE (SELECT COUNT(*) ...) < limit — but that requires a new trait method + dual-backend implementation, which is better as a follow-up.

What we do have:

• is_update check allows UPDATE at the limit (won't block editing existing facts)
• Fact key uniqueness (UNIQUE(user_id, agent_id, category, fact_key)) prevents true duplicates
• MAX_FACTS_PER_RUN = 5 caps each distillation batch

Happy to add the atomic DB-level constraint as a follow-up if the team thinks the current guardrails aren't sufficient.

[zmanian]

Review: REQUEST CHANGES

Strong implementation quality and well-thought-out security architecture across ~4,500 lines. Three independent subsystems (skill synthesis, user profiles, session search), all disabled by default. But functional gaps need addressing.

What's Good

• Architecture: Standalone store traits (SessionSearchStore, UserProfileStore, LearningStore) rather than extending the Database supertrait -- excellent decision, avoids breaking existing implementations.
• Dual-backend: Both PostgreSQL + libSQL correctly implemented with proper dialect handling (FTS5 with sync triggers vs tsvector GENERATED ALWAYS).
• Security defense-in-depth: wrap_external_content() on user data, scan_content_for_threats() with NFKC normalization + zero-width stripping, per-fact HKDF-derived AES-256-GCM encryption, ApprovalRequirement::Always prevents LLM self-approval, SkillSource::Synthesized forces Installed trust level.
• Code quality: No .unwrap() in production code, proper thiserror types, good unit test coverage (46+ tests).

Critical

C1: profile_clear is N+1 queries
ProfileClearTool::execute() loads all facts then calls remove_fact() one-by-one. With 100 facts (the max), that's 101 DB round-trips. Add a delete_profile_facts_by_category() method to UserProfileStore.

C2: store_fact TOCTOU on max_facts limit
Count check and insert aren't atomic. Concurrent distillation tasks (via tokio::spawn) could race past the limit. Fix with a per-user lock or DB-level constraint.

Important

I1: Session summaries are never populated
upsert_session_summary() exists in both backends but nothing calls it anywhere in the diff. The session_search tool will always return empty results. Either add the summary writer (e.g., on session end/compaction) or remove the tool and note it as "coming in a follow-up."

I2: Dead code from path traversal fix
is_safe_skill_name() and old auto_dir.join(&skill.skill_name) remain after switching to UUID-based directory names. Clean up.

I3: FNV-1a content hash isn't collision-resistant
Used for skill dedup unique index (idx_synthesized_skills_dedup). Two different skill contents could collide and silently fail to record. Replace with SHA-256 (already a transitive dep).

I4: No DB integration tests
Good unit tests but no round-trip tests for the 3 new store traits. Project convention (src/db/CLAUDE.md) calls for integration tests using LibSqlBackend::new_memory().

I5: Unbounded tokio::spawn for distillation
No JoinHandle tracking or cancellation token. Orphaned on agent shutdown (bounded by 120s LLM timeout, but still a leak).

Suggestions

• Cargo.lock contains unrelated windows-sys version downgrades -- split out or confirm intentional.
• .gitignore adding docs/plans/ would affect all maintainers -- discuss whether this is desired.
• Consider splitting: session search (incomplete) could be a separate PR from skill synthesis + profile engine.
• Add clear_profile(user_id, agent_id) method to UserProfileStore for GDPR "forget me" support.

[smkrv]

Thanks for the thorough review @zmanian — really appreciate the level of detail here. Every point was valid and I've addressed all of them in dc26ad1 (rebased on current main).

Critical

C1: profile_clear N+1 queries — Fixed. Added delete_profile_facts_by_category() and clear_profile() to the UserProfileStore trait with single-query batch DELETE in both PostgreSQL and libSQL backends. ProfileClearTool now calls the batch method directly — no more load-then-loop. Also upgraded the tool to support 3 modes: specific fact (category + key), category wipe (category only), and full erasure (omit both — the GDPR "forget me" you suggested in S2).

C2: store_fact TOCTOU on max_facts — Fixed with per-user tokio::Mutex in EncryptedProfileEngine. The check-and-write is now serialized per user_id:agent_id pair. Safety scan runs outside the lock (no DB access needed), lock is acquired only for the count check + upsert. The outer std::sync::Mutex on the lock map is held only briefly for HashMap get_or_insert — no .await under it. Added a NOTE about unbounded map growth being acceptable for single-user but needing LRU eviction before multi-user.

Important

I1: Session summaries never populated — Removed SessionSearchTool from registration. The DB schema, store traits, and implementations stay in place (they have 19 integration tests pinning their behavior) — ready for a follow-up PR that wires the summary writer on session end/compaction. Comment in register_learning_tools() documents the intent.

I2: Dead code from path traversal fix — Already cleaned up in 088f5ee (now 548ed38 after rebase). is_safe_skill_name() was removed, directory uses skill_id.to_string() (UUID).

I3: FNV-1a → SHA-256 — Replaced content_hash() with sha2::Sha256. Full 64-char hex string stored in skill_content_hash for the dedup unique index. The 8-char prefix in auto-{hash[..8]} is cosmetic (skill display name only).

I4: No DB integration tests — Added 19 tests in tests/learning_store_integration.rs covering all 3 store traits: UserProfileStore (10 tests including upsert, conflict, category filter, batch delete, clear, user isolation, edge cases), LearningStore (5 tests including IDOR protection, content hash dedup, status transitions), SessionSearchStore (4 tests including FTS search, upsert-updates-existing, user isolation). Uses file-based libSQL with tempfile.

I5: Unbounded tokio::spawn — spawn_learning_worker() now returns (Sender, JoinHandle). The handle is awaited in the shutdown sequence after agent.run() returns, ensuring in-flight synthesis completes before exit.

Suggestions

Cargo.lock / windows-sys — Resolved by rebase onto current main (139 commits ahead). The uds_windows bump was auto-dropped as already upstream.

.gitignore docs/plans/ — Removed. Only docs/architecture/adaptive-learning/ remains (local-only design docs).

Split session search — Agreed it's incomplete without the summary writer. Kept the infrastructure (schema + traits + tests) since it shares the V14 migration, but deregistered the tool. Follow-up PR will wire the writer.

GDPR clear_profile — Done as part of C1. clear_profile(user_id, agent_id) added to trait + both backends + exposed as mode 3 in profile_clear tool. Note: currently only covers user_profile_facts — full erasure across session_summaries + synthesized_skills is tracked as follow-up.

---

CI is fully green (26/26 checks passing). Let me know if anything else needs attention!

[ilblackdragon]

Super interesting, been thinking about similar. Need to figure out how to benchmark this.

Few comments/questions:

• just merged profiler that works at onboarding - seems like can be merged with this
• curious why encrypt user profile info? there is already workspace with memory in the database

Also high level it feels like there needs to be a retrospective after skills were used - to suggest improving existing skills.

[smkrv]

Thanks! Glad this resonates.

Profiler merge - yeah, makes total sense to wire onboarding profiler into UserProfileEngine as the initial seed. Can do as a follow-up once this lands.

Why encrypt profiles - workspace memory is stuff the agent writes on its own. Profile is structured personal data the LLM extracts (timezone, expertise, habits) - felt like it deserves a separate layer even if DB is compromised. But honestly if the team thinks it's overkill, happy to drop encryption and treat it like regular workspace data, the rest of the pipeline doesn't care either way.

Skill retrospective - 100%, that's exactly where I want to take this. I'm prepping a phase 2 that would close the feedback loop - track whether synthesized skills actually get picked up by the scoring pipeline, flag underperformers, suggest improvements. If this PR lands I'll spec it out and open a follow-up.

Re benchmarking: happy to help set something up once we figure out what "better" looks like here :D

[zmanian]

Ambitious feature with solid security design, but the scope and a few critical issues need addressing before merge.

Strengths:

• Defense-in-depth security: 6 layers (content wrapping, threat scanning, structural validation, AES-256-GCM encryption, trust boundaries, user approval gate)
• Dual-backend support (PostgreSQL + libSQL V13 migration)
• Unicode NFKC normalization + zero-width character stripping prevents homoglyph/bypass attacks
• Synthesized skills forced to "Installed" (read-only tools) -- correct trust model
• 648-line integration test validates both backends

Required changes:

1. CRITICAL: Silent event loss -- try_send() on the learning event channel drops events when full (capacity 32) with no logging or alerting. Use send().await with backpressure, or at minimum log warnings when events are dropped.

2. Profile key derivation -- HKDF info parameter should include user_id so per-user profiles get distinct derived keys: HKDF-Expand(PRK, info=user_id||fact_key||salt)

3. Unbounded task spawning -- Profile distiller spawns tokio::spawn every N turns without awaiting or tracking handles. Under load, tasks accumulate. Add a shutdown hook or track JoinHandles.

4. Scope: strongly recommend splitting into 3-5 PRs:

   • DB schema + store trait definitions
   • Skill synthesis + validation
   • User profile engine + encryption
   • Session search
   • Tool wiring + e2e tests

5. Vector embedding column lacks dimension constraint -- document why unbounded is safe or add constraint.

Non-blocking suggestions:

• Skill synthesis heuristic thresholds (3+ tool calls, 75+ quality score) should be configurable
• Add e2e tests for the skill approval workflow and profile injection into prompts

[zmanian]

Maintainer note: This PR introduces significant architectural additions to the codebase. Before it can be considered for merge, it will need collective discussion among maintainers to align on the design direction, scope, and integration approach. The code review feedback above covers implementation-level concerns, but the broader question of whether this feature belongs in core (vs. a plugin/extension) and how it fits the project's architecture roadmap needs to be discussed first.

cc @ilblackdragon

[smkrv]

Thanks for the note @zmanian. Totally understand the concern about scope, happy to talk through this.

Re core vs plugin/extension - the learning system is pretty deeply coupled to internal APIs that aren't accessible from the plugin boundary:

• Profile distillation is spawned as a background task from dispatcher.rs with access to AgentDeps, LlmProvider, and SecretsCrypto for encryption at rest
• Skill synthesis hooks into the background worker with a tokio::mpsc channel from the dispatcher, processes LearningEvents that carry tool call data from the agentic loop
• Session search uses standalone store traits (SessionSearchStore, UserProfileStore, LearningStore) that connect through DatabaseHandles during DB init
• The profile engine injects into the system prompt via Reasoning::append_system_context which is internal to the LLM pipeline

None of these have plugin-facing equivalents today. Moving this to a plugin would require exposing a bunch of new extension points that don't exist yet, and the result would be a "plugin" that's really just core code behind an abstraction barrier that only it uses. Felt like the wrong tradeoff.

That said, totally open to splitting the PR to make review easier. I was thinking something like:

1. DB schema + store traits (V14 migration, SessionSearchStore/UserProfileStore/LearningStore + both backend impls + integration tests)
2. Skill synthesis pipeline (detector, synthesizer, validator, worker, learning tools)
3. User profile engine (encryption, distiller, profile tools, system prompt injection)

Session search is already deregistered (summaries aren't populated yet), so it goes naturally with the schema PR.

Would this breakdown work for you? Happy to adjust based on what makes the review most manageable. In the meantime I pushed fixes for all 5 items from your second review (event logging, HKDF domain separation with user_id in length-prefixed info, bounded distillation via semaphore, embedding dimension documented, thresholds were already configurable via env vars).

[serrrfirat]

Hey @smkrv, this is my jam! I spent a considerable amount of time thinking about this here https://github.com/serrrfirat/synapse-daemon. I think your design overall is great!

Couple of questions:

• Do you think heuristics would be enough to create 'valuable' skills? In my own project, I also used heuristics to filter out noise but eventually got better results by doing an LLM pass at the end.
• How do you avoid duplication ? I had some issues with this, ended up implementing some sort of semantic grouping so that my agent wouldn't create same insights/skills all the time.
• One thing I struggled a bit on my own project was the cognitive load on the user. We should consider the frequency of skill approvals and rejections. Too noisy and users drop off pretty quickly.

Hermes agent https://github.com/0xNyk/awesome-hermes-agent also does something similar, would be good to check that out.

Would love to contribute to this feature, I think this is a big differentiator!

[smkrv]

Hey @serrrfirat! Checked out synapse-daemon, our pipelines have more in common than I expected.

Heuristics vs LLM - you're right, PatternDetector is a cheap threshold gate right now, no "is this actually generalizable?" check before synthesis fires. Adding an LLM eval step between detection and synthesis is on my list for phase 2, your experience with synapse confirms the intuition.

Deduplication - biggest gap honestly. We only have SHA-256 exact-match dedup, no semantic grouping. The embedding infra is partially there (SessionSearchStore has vector columns) but not wired into synthesis yet. Plan is similarity check against existing skill embeddings before generating new ones + tool-combo fingerprints as a cheap first pass. Would love your input here since you've already solved this in synapse.

Cognitive load - 100% make-or-break. Right now it's just blunt caps (max_skills_per_user, pending limits). I like synapse's digest pattern - periodic "here are 3 skills from this week" feels way better than per-interaction interrupts. Also thinking about silently dropping low-confidence drafts instead of queueing everything for approval.

Re Hermes - the dojo concept of auto-iterating underperforming skills is exactly the feedback loop ilblackdragon was asking about above, phase 2 territory.

Happy to walk through the codebase if you want to pick something up!

[serrrfirat]

Review: Integration Path with v2 Engine

Great work on this PR — the adaptive learning system has solid ideas and strong implementation, especially the encryption, FTS, and validation layers. Here's some feedback on how this could align with the v2 engine direction.

What's excellent here

1. Per-fact encryption — AES-256-GCM with HKDF-derived per-fact keys is genuinely novel relative to what the v2 engine currently has. The MemoryDoc system lacks per-document encryption at rest, and this approach could be adopted there.

2. Dedicated FTS infrastructure — FTS5 (libSQL) + tsvector (PostgreSQL) purpose-built for session recall is more capable than v2's keyword matching in RetrievalEngine. Solid dual-backend implementations.

3. SkillValidator with 6-layer checks — YAML frontmatter validation, 16KiB limit, threat scanning, NFKC normalization — this is more specific and thorough than v2's generic policy engine for generated content.

4. Non-blocking architecture — Bounded mpsc(32), semaphore-guarded distillation, background tokio tasks. Clean separation that never blocks the main loop.

5. Standalone store traits — SessionSearchStore, UserProfileStore, LearningStore injected via Arc<dyn T> independently keeps the Database supertrait clean.

Integration concern: v1 vs v2 targeting

The main challenge is that this targets v1 integration points (src/agent/dispatcher.rs, LoopOutcome flow). The v2 engine in crates/ironclaw_engine/ already covers ~80% of this via:

• skill-extraction mission — fires on 5+ steps with 3+ tool actions, produces DocType::Skill MemoryDocs
• conversation-insights mission — fires every 5 completed threads, extracts user preferences/patterns
• RetrievalEngine — keyword-based context retrieval from project-scoped MemoryDocs
• GateDecision::Pause { Approval } — user approval gate for synthesized content

Suggested integration path

Rather than merging the v1 hooks (which will become dead code as v2 takes over), we'd love to see the novel contributions ported into v2 primitives:

Your Contribution	v2 Target
Per-fact encryption	Add encrypted_content + key_salt to v2's MemoryDoc schema
SkillValidator	Port into crates/ironclaw_safety/ — usable by both engines
FTS infrastructure	Add as optional index on v2's Store doc table
Profile injection	Enhance executor/prompt.rs to retrieve ProfileFact-type docs
Quality heuristic scoring	Feed into v2's ExecutionTrace analysis as trigger criteria
LearningEvent	Map to v2's ThreadEvent (18 event kinds, event-sourced)

Concrete next steps

1. Cherry-pick src/secrets/crypto.rs changes (HKDF per-fact encryption) — independently valuable
2. Move SkillValidator into crates/ironclaw_safety/ as skill-specific safety logic
3. Adapt FTS SQL as an index on the v2 Store's MemoryDoc table (same excellent SQL, different integration point)
4. Wire profile injection into crates/ironclaw_engine/src/executor/prompt.rs instead of v1's dispatcher
5. Drop src/agent/dispatcher.rs hooks — the v2 MissionManager handles the trigger/synthesis lifecycle

This way the implementation stays relevant as we migrate to v2, and the strongest parts (crypto, FTS, validation) become shared infrastructure rather than v1-only features.

Would be happy to pair on the v2 integration if you're interested — the core logic is solid and we'd love to see it land in a durable form. Keep going! 🚀