feat(1001): story_ids filter for recover_half_written_items

The first dry-run against the live pipeline surfaced 735 orphans (35
tombstoned half-writes, 700 stale content rows with no CRDT entry —
mostly artefacts of the pre-numeric-id era). Bulk-recovering would
resurrect a lot of stories the user deliberately purged in the past.

Add an optional `story_ids` filter that restricts both discovery (in
dry-run) and recovery to a named subset, so the operator can target
the specific recent half-writes without touching anything else. The
new test asserts the filter is honoured.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

server/src/http/mcp/diagnostics/mod.rs

@@ -131,21 +131,37 @@ pub(crate) fn tool_recover_half_written_items(args: &Value) -> Result<String, St
         .and_then(|v| v.as_bool())
         .unwrap_or(true);
 
+    // Optional id filter — when provided, recovery (or the dry-run report) is
+    // restricted to these ids.  This is the safe choice for live systems
+    // where the orphan set may include many historic purged stories that
+    // should stay dead.
+    let only: Option<Vec<String>> = args.get("story_ids").and_then(|v| {
+        v.as_array().map(|arr| {
+            arr.iter()
+                .filter_map(|x| x.as_str().map(str::to_string))
+                .collect()
+        })
+    });
+
     if dry_run {
-        let half = crate::db::find_half_written_items();
+        let mut half = crate::db::find_half_written_items();
+        if let Some(filter) = &only {
+            half.retain(|h| filter.iter().any(|f| f == &h.story_id));
+        }
+        let count = half.len();
         return serde_json::to_string_pretty(&json!({
             "dry_run": true,
             "found": half,
-            "count": half.len(),
+            "count": count,
             "message": format!(
-                "Discovered {} half-written item(s). Re-run with dry_run=false to recover them.",
-                half.len()
+                "Discovered {count} half-written item(s){scope}. Re-run with dry_run=false to recover them.",
+                scope = if only.is_some() { " matching the filter" } else { "" },
             ),
         }))
         .map_err(|e| format!("Serialization error: {e}"));
     }
 
-    let results = crate::db::recover_half_written_items();
+    let results = crate::db::recover_half_written_items(only.as_deref());
     serde_json::to_string_pretty(&json!({
         "dry_run": false,
         "recovered": results,

server/src/http/mcp/tools_list/system_tools.rs

@@ -290,13 +290,18 @@ pub(super) fn system_tools() -> Vec<Value> {
         }),
         json!({
             "name": "recover_half_written_items",
-            "description": "Discover (and optionally recover) half-written pipeline items — rows whose content is in the SQLite shadow and content store but whose CRDT entry is absent or tombstoned. These are invisible to every CRDT-driven read path and can't be cleaned up by delete_story / purge_story. Recovery moves each orphan's content onto a fresh non-tombstoned id and reports the old→new mapping. Defaults to dry_run=true so you can see what would change before mutating.",
+            "description": "Discover (and optionally recover) half-written pipeline items — rows whose content is in the SQLite shadow and content store but whose CRDT entry is absent or tombstoned. These are invisible to every CRDT-driven read path and can't be cleaned up by delete_story / purge_story. Recovery moves each orphan's content onto a fresh non-tombstoned id and reports the old→new mapping. Defaults to dry_run=true so you can see what would change before mutating. Use story_ids to restrict the operation to a specific list of ids — strongly recommended on live systems where the orphan set may include historic purged stories that should stay dead.",
             "inputSchema": {
                 "type": "object",
                 "properties": {
                     "dry_run": {
                         "type": "boolean",
                         "description": "When true (default), only discover half-written items and report them. When false, perform the recovery."
+                    },
+                    "story_ids": {
+                        "type": "array",
+                        "items": { "type": "string" },
+                        "description": "Optional: restrict the operation (discovery in dry-run, recovery otherwise) to these story_ids. Anything else in the orphan set is left untouched. Strongly recommended for live recovery so you don't resurrect historic purged items."
                     }
                 },
                 "required": []