fix: hybrid search column mismatch, clamp limits, bound queries

- Fix critical bug: search_hybrid FTS query was missing updated_at column,
  causing row_to_memory to misparse all fields and silently fail
- Clamp all user-facing limit params to 1..100 (prevent i64→usize wrap)
- Clamp depth to 1..3 in memoir_inspect, min_cluster_size to 2..50
- Add LIMIT 10000 to list_all(), LIMIT 500 to get_by_topic_prefix()
- Use collect_rows() in get_by_topic_prefix

Author: pszymkowiak

crates/icm-mcp/src/tools.rs

@@ -734,7 +734,7 @@ fn tool_recall(
         Some(q) => q,
         None => return ToolResult::error("missing required field: query".into()),
     };
-    let limit = get_i64(args, "limit", 5) as usize;
+    let limit = get_i64(args, "limit", 5).clamp(1, 100) as usize;
     let topic = get_str(args, "topic");
     let keyword = get_str(args, "keyword");
 
@@ -1003,7 +1003,7 @@ fn tool_extract_patterns(store: &SqliteStore, args: &Value) -> ToolResult {
         Some(t) => t,
         None => return ToolResult::error("missing required field: topic".into()),
     };
-    let min_cluster_size = get_i64(args, "min_cluster_size", 3) as usize;
+    let min_cluster_size = get_i64(args, "min_cluster_size", 3).clamp(2, 50) as usize;
     let memoir_name = get_str(args, "memoir");
 
     let patterns = match store.detect_patterns(topic, min_cluster_size) {
@@ -1317,7 +1317,7 @@ fn tool_memoir_search(store: &SqliteStore, args: &Value) -> ToolResult {
         Some(q) => q,
         None => return ToolResult::error("missing required field: query".into()),
     };
-    let limit = get_i64(args, "limit", 10) as usize;
+    let limit = get_i64(args, "limit", 10).clamp(1, 100) as usize;
     let label_str = get_str(args, "label");
 
     let memoir = match resolve_memoir(store, memoir_name) {
@@ -1378,7 +1378,7 @@ fn tool_memoir_search_all(store: &SqliteStore, args: &Value) -> ToolResult {
         Some(q) => q,
         None => return ToolResult::error("missing required field: query".into()),
     };
-    let limit = get_i64(args, "limit", 10) as usize;
+    let limit = get_i64(args, "limit", 10).clamp(1, 100) as usize;
 
     let results = match store.search_all_concepts_fts(query, limit) {
         Ok(r) => r,
@@ -1476,7 +1476,7 @@ fn tool_memoir_inspect(store: &SqliteStore, args: &Value) -> ToolResult {
         Some(n) => n,
         None => return ToolResult::error("missing required field: name".into()),
     };
-    let depth = get_i64(args, "depth", 1) as usize;
+    let depth = get_i64(args, "depth", 1).clamp(1, 3) as usize;
 
     let memoir = match resolve_memoir(store, memoir_name) {
         Ok(m) => m,
@@ -1814,7 +1814,7 @@ fn tool_feedback_search(store: &SqliteStore, args: &Value) -> ToolResult {
         None => return ToolResult::error("missing required field: query".into()),
     };
     let topic = get_str(args, "topic");
-    let limit = get_i64(args, "limit", 5) as usize;
+    let limit = get_i64(args, "limit", 5).clamp(1, 100) as usize;
 
     match store.search_feedback(query, topic, limit) {
         Ok(results) => {

crates/icm-store/src/store.rs

@@ -513,7 +513,8 @@ impl MemoryStore for SqliteStore {
         let sanitized = sanitize_fts_query(query);
 
         // 1. Get FTS results with rank scores
-        let fts_sql = "SELECT m.id, m.created_at, m.last_accessed, m.access_count, m.weight, \
+        let fts_sql =
+            "SELECT m.id, m.created_at, m.updated_at, m.last_accessed, m.access_count, m.weight, \
                     m.topic, m.summary, m.raw_excerpt, m.keywords, \
                     m.importance, m.source_type, m.source_data, m.related_ids, m.embedding, \
                     fts.rank \
@@ -678,7 +679,7 @@ impl MemoryStore for SqliteStore {
         let mut stmt = self
             .conn
             .prepare(&format!(
-                "SELECT {SELECT_COLS} FROM memories ORDER BY weight DESC"
+                "SELECT {SELECT_COLS} FROM memories ORDER BY weight DESC LIMIT 10000"
             ))
             .map_err(db_err)?;
 
@@ -1706,19 +1707,15 @@ impl SqliteStore {
             let mut stmt = self
                 .conn
                 .prepare(&format!(
-                    "SELECT {SELECT_COLS} FROM memories WHERE topic LIKE ?1 ORDER BY weight DESC"
+                    "SELECT {SELECT_COLS} FROM memories WHERE topic LIKE ?1 ORDER BY weight DESC LIMIT 500"
                 ))
                 .map_err(db_err)?;
 
             let rows = stmt
                 .query_map(params![pattern], row_to_memory)
                 .map_err(db_err)?;
 
-            let mut results = Vec::new();
-            for row in rows {
-                results.push(row.map_err(db_err)?);
-            }
-            Ok(results)
+            collect_rows(rows)
         } else {
             self.get_by_topic(topic)
         }