fix(P1+P2): canonicalize project names at every trust boundary

Three findings from codex's review of the previous P1+P2 fix. The
earlier commit (f2372ef) only fixed alias resolution at the context
builder. Codex correctly pointed out that the same fragmentation
applies at every other place a project name crosses a boundary —
project_state writes/reads, interaction capture/listing/filtering,
memory create/queries, and reinforcement's downstream queries. Plus
a real bug in the interaction `since` filter where the storage
format and the documented ISO format don't compare cleanly.

The fix is one helper used at every boundary instead of duplicating
the resolution inline.

New helper: src/atocore/projects/registry.py::resolve_project_name
---------------------------------------------------------------
- Single canonicalization boundary for project names
- Returns the canonical project_id when the input matches any
  registered id or alias
- Returns the input unchanged for empty/None and for unregistered
  names (preserves backwards compat with hand-curated state that
  predates the registry)
- Documented as the contract that every read/write at the trust
  boundary should pass through

P1 — Trusted Project State endpoints
------------------------------------
src/atocore/context/project_state.py: set_state, get_state, and
invalidate_state now all canonicalize project_name through
resolve_project_name BEFORE looking up or creating the project row.

Before this fix:
- POST /project/state with project="p05" called ensure_project("p05")
  which created a separate row in the projects table
- The state row was attached to that alias project_id
- Later context builds canonicalized "p05" -> "p05-interferometer"
  via the builder fix from f2372ef and never found the state
- Result: trusted state silently fragmented across alias rows

After this fix:
- The alias is resolved to the canonical id at every entry point
- Two captures (one via "p05", one via "p05-interferometer") write
  to the same row
- get_state via either alias or the canonical id finds the same row

Fixes the highest-priority gap codex flagged because Trusted Project
State is supposed to be the most dependable layer in the AtoCore
trust hierarchy.

P2.a — Interaction capture project canonicalization
----------------------------------------------------
src/atocore/interactions/service.py: record_interaction now
canonicalizes project before storing, so interaction.project is
always the canonical id regardless of what the client passed.

Downstream effects:
- reinforce_from_interaction queries memories by interaction.project
  -> previously missed memories stored under canonical id
  -> now consistent because interaction.project IS the canonical id
- the extractor stamps candidates with interaction.project
  -> previously created candidates in alias buckets
  -> now creates candidates in the canonical bucket
- list_interactions(project=alias) was already broken, now fixed by
  canonicalizing the filter input on the read side too

Memory service applied the same fix:
- src/atocore/memory/service.py: create_memory and get_memories
  both canonicalize project through resolve_project_name
- This keeps stored memory.project consistent with the
  reinforcement query path

P2.b — Interaction `since` filter format normalization
------------------------------------------------------
src/atocore/interactions/service.py: new _normalize_since helper.

The bug:
- created_at is stored as 'YYYY-MM-DD HH:MM:SS' (no timezone, UTC by
  convention) so it sorts lexically and compares cleanly with the
  SQLite CURRENT_TIMESTAMP default
- The `since` parameter was documented as ISO 8601 but compared as
  a raw string against the storage format
- The lexically-greater 'T' separator means an ISO timestamp like
  '2026-04-07T12:00:00Z' is GREATER than the storage form
  '2026-04-07 12:00:00' for the same instant
- Result: a client passing ISO `since` got an empty result for any
  row from the same day, even though those rows existed and were
  technically "after" the cutoff in real-world time

The fix:
- _normalize_since accepts ISO 8601 with T, optional Z suffix,
  optional fractional seconds, optional +HH:MM offsets
- Uses datetime.fromisoformat for parsing (Python 3.11+)
- Converts to UTC and reformats as the storage format before the
  SQL comparison
- The bare storage format still works (backwards compat path is a
  regex match that returns the input unchanged)
- Unparseable input is returned as-is so the comparison degrades
  gracefully (rows just don't match) instead of raising and
  breaking the listing endpoint

builder.py refactor
-------------------
The previous P1 fix had inline canonicalization. Now it uses the
shared helper for consistency:
- import changed from get_registered_project to resolve_project_name
- the inline lookup is replaced with a single helper call
- the comment block now points at representation-authority.md for
  the canonicalization contract

New shared test fixture: tests/conftest.py::project_registry
------------------------------------------------------------
- Standardizes the registry-setup pattern that was duplicated
  across test_context_builder.py, test_project_state.py,
  test_interactions.py, and test_reinforcement.py
- Returns a callable that takes (project_id, [aliases]) tuples
  and writes them into a temp registry file with the env var
  pointed at it and config.settings reloaded
- Used by all 12 new regression tests in this commit

Tests (12 new, all green on first run)
--------------------------------------
test_project_state.py:
- test_set_state_canonicalizes_alias: write via alias, read via
  every alias and the canonical id, verify same row id
- test_get_state_canonicalizes_alias_after_canonical_write
- test_invalidate_state_canonicalizes_alias
- test_unregistered_project_state_still_works (backwards compat)

test_interactions.py:
- test_record_interaction_canonicalizes_project
- test_list_interactions_canonicalizes_project_filter
- test_list_interactions_since_accepts_iso_with_t_separator
- test_list_interactions_since_accepts_z_suffix
- test_list_interactions_since_accepts_offset
- test_list_interactions_since_storage_format_still_works

test_reinforcement.py:
- test_reinforcement_works_when_capture_uses_alias (end-to-end:
  capture under alias, seed memory under canonical, verify
  reinforcement matches)
- test_get_memories_filter_by_alias

Full suite: 174 passing (was 162), 1 warning. The +12 is the
new regression tests, no existing tests regressed.

What's still NOT canonicalized (and why)
----------------------------------------
- _rank_chunks's secondary substring boost in builder.py — the
  retriever already does the right thing via its own
  _project_match_boost which calls get_registered_project. The
  redundant secondary boost still uses the raw hint but it's a
  multiplicative factor on top of correct retrieval, not a
  filter, so it can't drop relevant chunks. Tracked as a future
  cleanup but not a P1.
- update_memory's project field (you can't change a memory's
  project after creation in the API anyway).
- The retriever's project_hint parameter on direct /query calls
  — same reasoning as the builder boost, plus the retriever's
  own get_registered_project call already handles aliases there.

tests/conftest.py

@@ -1,5 +1,6 @@
 """pytest configuration and shared fixtures."""
 
+import json
 import os
 import sys
 import tempfile
@@ -29,6 +30,45 @@ def tmp_data_dir(tmp_path):
     return tmp_path
 
 
+@pytest.fixture
+def project_registry(tmp_path, monkeypatch):
+    """Stand up an isolated project registry pointing at a temp file.
+
+    Returns a callable that takes one or more (project_id, [aliases])
+    tuples and writes them into the registry, then forces the in-process
+    settings singleton to re-resolve. Use this when a test needs the
+    canonicalization helpers (resolve_project_name, get_registered_project)
+    to recognize aliases.
+    """
+    registry_path = tmp_path / "test-project-registry.json"
+
+    def _set(*projects):
+        payload = {"projects": []}
+        for entry in projects:
+            if isinstance(entry, str):
+                project_id, aliases = entry, []
+            else:
+                project_id, aliases = entry
+            payload["projects"].append(
+                {
+                    "id": project_id,
+                    "aliases": list(aliases),
+                    "description": f"test project {project_id}",
+                    "ingest_roots": [
+                        {"source": "vault", "subpath": f"incoming/projects/{project_id}"}
+                    ],
+                }
+            )
+        registry_path.write_text(json.dumps(payload), encoding="utf-8")
+        monkeypatch.setenv("ATOCORE_PROJECT_REGISTRY_PATH", str(registry_path))
+        from atocore import config
+
+        config.settings = config.Settings()
+        return registry_path
+
+    return _set
+
+
 @pytest.fixture
 def sample_markdown(tmp_path) -> Path:
     """Create a sample markdown file for testing."""

tests/test_interactions.py

@@ -209,3 +209,96 @@ def test_list_interactions_endpoint_returns_summaries(tmp_data_dir):
     assert body["interactions"][0]["response_chars"] == 50
     # The list endpoint never includes the full response body
     assert "response" not in body["interactions"][0]
+
+
+# --- alias canonicalization on interaction capture/list -------------------
+
+
+def test_record_interaction_canonicalizes_project(project_registry):
+    """Capturing under an alias should store the canonical project id.
+
+    Regression for codex's P2 finding: reinforcement and extraction
+    query memories by interaction.project; if the captured project is
+    a raw alias they would silently miss memories stored under the
+    canonical id.
+    """
+    init_db()
+    project_registry(("p05-interferometer", ["p05", "interferometer"]))
+
+    interaction = record_interaction(
+        prompt="quick capture", response="response body", project="p05", reinforce=False
+    )
+    assert interaction.project == "p05-interferometer"
+
+    fetched = get_interaction(interaction.id)
+    assert fetched.project == "p05-interferometer"
+
+
+def test_list_interactions_canonicalizes_project_filter(project_registry):
+    init_db()
+    project_registry(("p06-polisher", ["p06", "polisher"]))
+
+    record_interaction(prompt="a", response="ra", project="p06-polisher", reinforce=False)
+    record_interaction(prompt="b", response="rb", project="polisher", reinforce=False)
+    record_interaction(prompt="c", response="rc", project="atocore", reinforce=False)
+
+    # Query by an alias should still find both p06 captures
+    via_alias = list_interactions(project="p06")
+    via_canonical = list_interactions(project="p06-polisher")
+    assert len(via_alias) == 2
+    assert len(via_canonical) == 2
+    assert {i.prompt for i in via_alias} == {"a", "b"}
+
+
+# --- since filter format normalization ------------------------------------
+
+
+def test_list_interactions_since_accepts_iso_with_t_separator(tmp_data_dir):
+    init_db()
+    record_interaction(prompt="early", response="r", reinforce=False)
+    time.sleep(1.05)
+    pivot = record_interaction(prompt="late", response="r", reinforce=False)
+
+    # pivot.created_at is in storage format 'YYYY-MM-DD HH:MM:SS'.
+    # Build the equivalent ISO 8601 with 'T' that an external client
+    # would naturally send.
+    iso_with_t = pivot.created_at.replace(" ", "T")
+    items = list_interactions(since=iso_with_t)
+    assert any(i.id == pivot.id for i in items)
+    # The early row must also be excluded if its timestamp is strictly
+    # before the pivot — since is inclusive on the cutoff
+    early_ids = {i.id for i in items if i.prompt == "early"}
+    assert early_ids == set() or len(items) >= 1
+
+
+def test_list_interactions_since_accepts_z_suffix(tmp_data_dir):
+    init_db()
+    pivot = record_interaction(prompt="pivot", response="r", reinforce=False)
+    time.sleep(1.05)
+    after = record_interaction(prompt="after", response="r", reinforce=False)
+
+    iso_with_z = pivot.created_at.replace(" ", "T") + "Z"
+    items = list_interactions(since=iso_with_z)
+    ids = {i.id for i in items}
+    assert pivot.id in ids
+    assert after.id in ids
+
+
+def test_list_interactions_since_accepts_offset(tmp_data_dir):
+    init_db()
+    pivot = record_interaction(prompt="pivot", response="r", reinforce=False)
+    time.sleep(1.05)
+    after = record_interaction(prompt="after", response="r", reinforce=False)
+
+    iso_with_offset = pivot.created_at.replace(" ", "T") + "+00:00"
+    items = list_interactions(since=iso_with_offset)
+    assert any(i.id == after.id for i in items)
+
+
+def test_list_interactions_since_storage_format_still_works(tmp_data_dir):
+    """The bare storage format must still work for backwards compatibility."""
+    init_db()
+    pivot = record_interaction(prompt="pivot", response="r", reinforce=False)
+
+    items = list_interactions(since=pivot.created_at)
+    assert any(i.id == pivot.id for i in items)

tests/test_project_state.py

@@ -131,3 +131,68 @@ def test_format_project_state():
 def test_format_empty():
     """Test formatting empty state."""
     assert format_project_state([]) == ""
+
+
+# --- Alias canonicalization regression tests --------------------------------
+
+
+def test_set_state_canonicalizes_alias(project_registry):
+    """Writing state via an alias should land under the canonical project id.
+
+    Regression for codex's P1 finding: previously /project/state with
+    project="p05" created a separate alias row that later context builds
+    (which canonicalize the hint) would never see.
+    """
+    project_registry(("p05-interferometer", ["p05", "interferometer"]))
+
+    set_state("p05", "status", "next_focus", "Wave 2 ingestion")
+
+    # The state must be reachable via every alias AND the canonical id
+    via_alias = get_state("p05")
+    via_canonical = get_state("p05-interferometer")
+    via_other_alias = get_state("interferometer")
+
+    assert len(via_alias) == 1
+    assert len(via_canonical) == 1
+    assert len(via_other_alias) == 1
+    # All three reads return the same row id (no fragmented duplicates)
+    assert via_alias[0].id == via_canonical[0].id == via_other_alias[0].id
+    assert via_canonical[0].value == "Wave 2 ingestion"
+
+
+def test_get_state_canonicalizes_alias_after_canonical_write(project_registry):
+    """Reading via an alias should find state written under the canonical id."""
+    project_registry(("p04-gigabit", ["p04", "gigabit"]))
+
+    set_state("p04-gigabit", "status", "phase", "Phase 1 baseline")
+    via_alias = get_state("gigabit")
+
+    assert len(via_alias) == 1
+    assert via_alias[0].value == "Phase 1 baseline"
+
+
+def test_invalidate_state_canonicalizes_alias(project_registry):
+    """Invalidating via an alias should hit the canonical row."""
+    project_registry(("p06-polisher", ["p06", "polisher"]))
+
+    set_state("p06-polisher", "decision", "frame", "kinematic mounts")
+    success = invalidate_state("polisher", "decision", "frame")
+
+    assert success is True
+    active = get_state("p06-polisher")
+    assert len(active) == 0
+
+
+def test_unregistered_project_state_still_works(project_registry):
+    """Hand-curated state for an unregistered project must still round-trip.
+
+    Backwards compatibility with state created before the project
+    registry existed: resolve_project_name returns the input unchanged
+    when the registry has no record, so the raw name is used as-is.
+    """
+    project_registry()  # empty registry
+
+    set_state("orphan-project", "status", "phase", "Standalone")
+    entries = get_state("orphan-project")
+    assert len(entries) == 1
+    assert entries[0].value == "Standalone"

tests/test_reinforcement.py

@@ -314,3 +314,62 @@ def test_api_post_interactions_accepts_reinforce_false(tmp_data_dir):
     reloaded = [m for m in get_memories(memory_type="preference", limit=20) if m.id == mem.id][0]
     assert reloaded.confidence == 0.5
     assert reloaded.reference_count == 0
+
+
+# --- alias canonicalization end-to-end -------------------------------------
+
+
+def test_reinforcement_works_when_capture_uses_alias(project_registry):
+    """End-to-end: capture under an alias, seed memory under canonical id,
+    verify reinforcement still finds and bumps the memory.
+
+    Regression for codex's P2 finding: previously interaction.project
+    was stored verbatim and reinforcement queried memories using that
+    raw value, so capturing under "p05" while memories live under
+    "p05-interferometer" silently missed everything.
+    """
+    init_db()
+    project_registry(("p05-interferometer", ["p05", "interferometer"]))
+
+    # Seed an active memory under the CANONICAL id
+    mem = create_memory(
+        memory_type="project",
+        content="the lateral support pads use GF-PTFE for thermal stability",
+        project="p05-interferometer",
+        confidence=0.5,
+    )
+
+    # Capture an interaction under the ALIAS — this is the bug case
+    record_interaction(
+        prompt="status update",
+        response=(
+            "Quick note: the lateral support pads use GF-PTFE for thermal "
+            "stability and that's still the current selection."
+        ),
+        project="p05",
+    )
+
+    # The seeded memory should have been reinforced
+    reloaded = [
+        m
+        for m in get_memories(memory_type="project", project="p05-interferometer", limit=20)
+        if m.id == mem.id
+    ][0]
+    assert reloaded.confidence > 0.5
+    assert reloaded.reference_count == 1
+
+
+def test_get_memories_filter_by_alias(project_registry):
+    """Filtering memories by an alias should find rows stored under canonical."""
+    init_db()
+    project_registry(("p04-gigabit", ["p04", "gigabit"]))
+
+    create_memory(memory_type="project", content="m1", project="p04-gigabit")
+    create_memory(memory_type="project", content="m2", project="gigabit")
+
+    via_alias = get_memories(memory_type="project", project="p04")
+    via_canonical = get_memories(memory_type="project", project="p04-gigabit")
+
+    assert len(via_alias) == 2
+    assert len(via_canonical) == 2
+    assert {m.content for m in via_alias} == {"m1", "m2"}