fix: harden post-release installs and legacy native migration

[vibecodooor]

Summary

• harden generated Codex/Claude helpers so fresh installs no longer depend on ephemeral ~/.npm/_npx/... paths
• make setup guidance explicitly MCP-first and document that raw _npx script paths are not a supported standard path
• fix legacy memory_native_chunks migration so old registries add scope/linked_memory_id before building the scope index

Validation

• node tests/run-all.js --filter unit-standalone-client,unit-native-sync-query,integration-codex-setup,integration-claude-setup
• npm test
• npm pack --dry-run

Notes

• No new features
• No public MCP/HTTP API changes
• PR feat: mirror native memory into an obsidian vault #19 intentionally stays out of this merge

[vibecodooor]

Deep-audit follow-up is now pushed on top of this PR in 90cf2b6.

What landed:

• fail-closed standalone setup/doctor behavior for malformed or missing explicit configs
• lazy MCP startup import so fresh-maintainer/runtime paths validate config before pulling the MCP stack
• scoped world-model/entity filtering to avoid cross-scope entity lock-on and detail leakage
• multi-entity reranking now uses real entity signals instead of opaque internal entity IDs
• semantic rerank no longer demotes uncached rows during partial-cache operation
• memory API relation endpoints now filter relation rows by per-memory scope access

Revalidated after the fixes:

• npm test
• npm pack --dry-run
• npm run test:release-live
• npm run eval:deep-recall
• hostile manual checks for malformed config, missing config, bootstrap recall, packaged helper generation, concurrent shared-store doctor runs, and scoped entity leak repros
• Nimbus runtime sync + safe gateway restart + plugin/gateway/doctor health checks

Current verdict: no confirmed P1/P2 blockers remain on this branch; this PR is now merge-safe from the local/Nimbus audit perspective.