SearchMemory now returns (results, metrics, err). The metrics struct
captures channel counts, candidates_total, results_returned, score
distribution, and limit_requested — exactly what the search_metrics
telemetry table needs, with no coupling to the telemetry package.

Replaces the Node pattern of a module-level _lastSearchMetrics side
channel. Go callers get an explicit value and tests can assert on it
without any global state.

HandleTool keeps its original (any, error) signature for backward
compatibility. A new HandleToolWithMetrics sibling returns
(any, *SearchMetrics, error) and is called by the mcpserver dispatch
when it wants the search_metrics payload. The shared body lives in an
inner dispatchTool helper that writes metrics via an out-pointer —
avoids rewriting every case's return statement.

Callers updated: internal/store/tools.go recall handler,
internal/store/parity_test.go (5 call sites). No behavior change for
any existing test.

Entrypoint (cmd/workmem/main.go): reads MEMORY_TELEMETRY_PATH and
MEMORY_TELEMETRY_PRIVACY via telemetry.FromEnv(), passes the *Client to
mcpserver.Config. Deferred Close() on shutdown. When unset, FromEnv
returns nil and no DB is ever opened.

mcpserver dispatch (internal/mcpserver/server.go): handleTool now
measures wall-clock duration and uses a single defer to log on every
exit path (success, validation failure, dispatch error). The defer
captures four observables as the flow progresses — argObject,
toolResult, metrics, projectRaw, isError — and flushes them via
r.logToolCall + r.logSearchMetrics at the end.

mcpserver helpers (internal/mcpserver/telemetry.go): client detection
from MCP initialize handshake (req.Session.InitializeParams().ClientInfo)
with env fallback via telemetry.DetectClient. Resolves project path to
absolute when project arg is present.

Integration tests (3): enabled roundtrip asserts remember/recall/forget
each land a tool_calls row with duration > 0 and no observation content
leak, plus one search_metrics row linked to the recall tool_call.
Disabled path asserts no telemetry file is created. Strict mode asserts
Alice and sensitive-query text never appear in args_summary and
search_metrics.query is sha256-hashed.

- docs/TELEMETRY.md: full user-facing guide. Adapted from the Node
  telemetry.md, with privacy-strict mode documented (trade-off: ranking
  debug vs plaintext leak risk on sensitive backends). Includes example
  client config for Claude Code / governor env-file wiring.

- OPERATIONS.md invariants: telemetry is opt-in and never affects the
  success path; DB is physically separate from memory DB; strict mode
  sha256-hashes identifiers before disk. P1 "telemetry deferred" entry
  removed (condition met). P2 telemetry-schema entry removed (designed
  and implemented). Pre-Launch TODO no longer lists Kilo proof — already
  closed in PR #4.

- IMPLEMENTATION.md: new Step 3.4 Telemetry marked done with explicit
  Gate — enabled writes rows, disabled creates no DB, strict hashes.

- DECISION_LOG.md: append entry documenting the three Go-native
  refinements (nil-tolerant Client, no globals, SearchMetrics tuple)
  and the new privacy-strict mode. Explicitly rejects at-rest
  encryption with keychain for this iteration as over-scope.

Three new comments after the previous fixes landed. All legitimate:

1. telemetry/client.go InitIfEnabled: align DSN pattern with the main
   memory DB. Use file:<cleanPath>?_pragma=foreign_keys(1) + db.Ping()
   instead of a raw path + separate PRAGMA. Safer on Windows drive
   letters, foreign keys are enforced from open time (not just at the
   first Exec), and the init failure mode becomes immediately
   observable via Ping.

2. telemetry_integration_test.go: the enabled-roundtrip and strict-mode
   tests were calling tele.Close() directly, violating the ownership
   contract the previous round introduced (Runtime owns the telemetry
   client once passed to New). Tests now call stop() explicitly before
   reopening the telemetry DB for readback, so Runtime.Close -> tele
   .Close -> flush happens through the documented path.

3. startTelemetrySession stop function made idempotent via sync.Once,
   so explicit stop() + deferred stop() converge safely. t.Fatal
   replaced with t.Error in the cleanup timeout path — calling Fatal
   from a deferred function aborts the goroutine but skips subsequent
   cleanup/readback assertions; Error is the correct level here.

The self-inflicted inconsistency between "Runtime owns the telemetry
client" (added last round in mcpserver.Config docstring) and the tests
closing it directly is exactly the kind of drift a second reviewer pass
catches. Good catch.

Eight new comments, grouped into three themes:

Cross-platform readback DSN (4 sites): client_test.go (two tests) and
telemetry_integration_test.go (two tests) were opening the telemetry
DB for readback with a raw path, while production code uses
file:<cleanPath>?_pragma=foreign_keys(1) (see internal/store/sqlite.go
openSQLite). The raw-path form can misbehave on Windows drive letters
and drifts from production. All four readbacks now use the same DSN
construction.

Belt-and-suspenders FK enforcement (1 site): telemetry/client.go
InitIfEnabled sets _pragma=foreign_keys(1) in the DSN but did not
issue PRAGMA foreign_keys=ON explicitly afterward. The main store's
openSQLite does both, because some driver/version combinations honor
one form but not the other. Telemetry now matches the same sequence.

Small drift cleanup (3 sites):
- detect_test.go TestDetectClientEnvFallbackKilo: remove the redundant
  t.Setenv pair before unsetMCPClientEnv — same two vars were set,
  cleared, and re-set, which adds noise without changing behavior.
- detect_test.go unsetMCPClientEnv: rewrite the trailing comment. The
  old wording warned about LookupEnv semantics, but DetectClient
  actually uses os.Getenv != "", so empty-string values are treated as
  absent for every current signal.
- mcpserver/telemetry.go resolveProjectPath: the docstring promised a
  "global-scope call without a path" on resolve failure, but
  logToolCall keeps db_scope="project" whenever the caller supplied a
  non-empty project argument, regardless of whether resolution
  succeeded. Rewrote the docstring to match the actual (and intended)
  behavior: scope reflects caller intent, only project_path column is
  NULL when resolution fails.

Four new comments, all legitimate:

1. cmd/workmem/main.go: fix telemetry leak when mcpserver.New fails.
   FromEnv() was inlined directly in the Config literal — if New
   returned an error, the DB handle was already open and nobody closed
   it. Now FromEnv() lands in a local var; on New failure the code
   calls tele.Close() (nil-safe) before exiting. Ownership transfers
   to Runtime only after New succeeds, matching the documented
   contract.

2. internal/telemetry/client.go: Client.Close is now truly idempotent.
   After the first call it nil-s db, insertCall, insertSearch so the
   second call hits the new `if c.db == nil { return nil }` guard
   instead of trying to close an already-closed *sql.DB (which would
   have surfaced a confusing shutdown error). Runtime.Close already
   comments "nil-safe and idempotent" — now it's true.

3. internal/telemetry/{schema.go,client.go}: schema initialization no
   longer runs a single multi-statement Exec. Statements are listed
   separately in schemaStatements and exec'd one-by-one, matching the
   main store's InitSchema pattern. More portable across SQLite
   drivers and produces per-statement errors when one fails.

4. internal/telemetry/sanitize.go: add optional Summarizable interface
   as a fast path in SummarizeResult. Types that implement
   TelemetrySummary() skip the JSON marshal + unmarshal round-trip
   entirely. The fallback stays in place for all current store result
   types (zero behavior change this round); any type whose result size
   becomes a telemetry hotspot can now opt in by adding the method.

Tests:
- TestClientCloseIsIdempotent: open, close, close, close — all three
  must return nil, proving Close can be called defensively multiple
  times without surfacing an error.
- TestSummarizeResultUsesFastPathForSummarizable: a fake Summarizable
  type is serialized without going through the JSON fallback.
- TestSummarizeResultFallsBackToJSONForNonSummarizable: plain map
  values still produce the correct entity_groups / stored summary
  through the fallback path.

- telemetry: guard LogToolCall and LogSearchMetrics against post-Close
  panic by nil-checking db / prepared-statement fields, not just the
  receiver. Covers late-arriving tool calls during an orderly shutdown.
  Test: TestLogAfterCloseDoesNotPanic.
- search: record the trimmed query in SearchMetrics so two recall calls
  that only differ by whitespace do not appear as distinct queries in
  telemetry. Test: TestSearchMemoryMetricsQueryIsTrimmed (5 subcases).
- docs: TELEMETRY.md said batched arrays became "<N items>" but the code
  emits "<N facts>" / "<N observations>". Doc updated to match reality.

Two concurrency concerns raised on c46ac66:

1. telemetry.Client had no synchronization: Close nil-ed db/stmt fields
   while LogToolCall / LogSearchMetrics read and used the same pointers,
   so a real concurrent shutdown could produce a data race (formally
   undefined behavior under Go's memory model) or a TOCTOU panic where
   Exec ran on a stmt being closed.

   Fix: add sync.Mutex to Client, protect Close + Log* under the lock.
   strict is immutable after construction and stays lock-free. The
   uncontended lock cost (a few ns) is dwarfed by SQLite Exec (µs-ms),
   so the hot path is unaffected.

2. Runtime.Close called r.telemetry.Close() before nil-ing r.telemetry,
   so an in-flight handler's telemetry defer could observe a non-nil
   pointer on a client that was concurrently closing.

   Fix: swap r.telemetry into a local, set the field to nil first, then
   Close the local. With the client mutex this is a defensive second
   layer rather than the primary safety guarantee, but it keeps future
   readers honest about lifecycle ordering.

Tests:
- TestClientCloseRacesWithLogging fires 32 logger goroutines firing
  LogToolCall + LogSearchMetrics in a tight loop while Close runs
  concurrently, then a final round of post-close calls that must
  no-op. Passes under `go test -race` — without the mutex the race
  detector flags the pointer-field accesses immediately.