@haaaiawd/second-nature 0.1.1 → 0.1.3

package/runtime/observability/redaction/policy.js

@@ -0,0 +1,71 @@
+export const REDACTION_CONFIG = {
+    maskedFieldNames: [
+        "token",
+        "access_token",
+        "refresh_token",
+        "api_key",
+        "apiSecret",
+        "secret",
+        "password",
+        "bearer_token",
+        "authorization",
+        "node_secret",
+    ],
+    eraseFieldNames: [
+        "full_message",
+        "full_post",
+        "private_message",
+        "prompt",
+        "system_prompt",
+        "completion",
+        "response_content",
+    ],
+    hashFieldNames: [
+        "user_id",
+        "session_id",
+        "trace_id",
+        "content_hash",
+    ],
+    sensitivityLevels: ["public", "internal", "confidential", "restricted"],
+};
+export const DEFAULT_REDACTION_POLICY = {
+    defaultPolicy: [
+        { fieldName: "token", action: "mask" },
+        { fieldName: "access_token", action: "mask" },
+        { fieldName: "refresh_token", action: "mask" },
+        { fieldName: "api_key", action: "mask" },
+        { fieldName: "apiSecret", action: "mask" },
+        { fieldName: "secret", action: "mask" },
+        { fieldName: "password", action: "mask" },
+        { fieldName: "bearer_token", action: "mask" },
+        { fieldName: "authorization", action: "mask" },
+        { fieldName: "node_secret", action: "mask" },
+        { fieldName: "full_message", action: "erase" },
+        { fieldName: "full_post", action: "erase" },
+        { fieldName: "private_message", action: "erase" },
+        { fieldName: "prompt", action: "erase" },
+        { fieldName: "system_prompt", action: "erase" },
+        { fieldName: "completion", action: "erase" },
+        { fieldName: "response_content", action: "erase" },
+        { fieldName: "content_hash", action: "hash" },
+    ],
+    fieldOverrides: {},
+    maxFieldLength: 500,
+};
+export function getFieldRedactionRule(fieldName, policy = DEFAULT_REDACTION_POLICY) {
+    for (const rule of policy.defaultPolicy) {
+        if (rule.fieldName === fieldName) {
+            return rule;
+        }
+    }
+    for (const [prefix, rules] of Object.entries(policy.fieldOverrides)) {
+        if (fieldName.startsWith(prefix)) {
+            for (const rule of rules) {
+                if (rule.fieldName === fieldName || rule.fieldName === "*") {
+                    return rule;
+                }
+            }
+        }
+    }
+    return { fieldName, action: "keep" };
+}

package/runtime/observability/services/decision-ledger.d.ts

@@ -0,0 +1,33 @@
+import type { ObservabilityDatabase } from "../db/index.js";
+import type { DecisionRecord } from "../../shared/types/continuity.js";
+export interface QuietLifecycleEvent {
+    id: string;
+    tickId: string;
+    eventType: "quiet.entered" | "quiet.skipped" | "quiet.interrupted" | "quiet.resumed" | "quiet.suppressed";
+    reason?: string;
+    suppressedBy?: string;
+    reflectionCandidates?: string[];
+    createdAt: string;
+}
+export interface OutreachDecision {
+    id: string;
+    tickId: string;
+    eventType: "outreach.considered" | "outreach.denied" | "outreach.deferred" | "outreach.sent";
+    platformId?: string;
+    targetUserId?: string;
+    valueScore?: number;
+    suppressionReason?: string;
+    messagePreview?: string;
+    createdAt: string;
+}
+export declare class DecisionLedger {
+    private db;
+    constructor(db: ObservabilityDatabase);
+    recordDecision(record: DecisionRecord): Promise<void>;
+    recordQuietLifecycle(event: QuietLifecycleEvent): Promise<void>;
+    recordOutreachDecision(event: OutreachDecision): Promise<void>;
+    queryByTickId(tickId: string): Promise<DecisionRecord[]>;
+    queryByTraceId(traceId: string): Promise<DecisionRecord | null>;
+    queryByIntentId(intentId: string): Promise<DecisionRecord[]>;
+    private mapToDecisionRecord;
+}

package/runtime/observability/services/decision-ledger.js

@@ -0,0 +1,115 @@
+import { eq } from "drizzle-orm";
+import { decisionLedger } from "../db/schema/index.js";
+import { redactEvent } from "../redaction/manifest.js";
+import { persistRedactionManifest } from "./redaction-store.js";
+export class DecisionLedger {
+    db;
+    constructor(db) {
+        this.db = db;
+    }
+    async recordDecision(record) {
+        const { redacted, manifest } = redactEvent(record);
+        await this.db.db.insert(decisionLedger).values({
+            id: redacted.id,
+            tickId: redacted.tickId,
+            traceId: redacted.traceId,
+            intentId: redacted.intentId ?? null,
+            platformId: redacted.platformId ?? null,
+            verdict: redacted.verdict,
+            mode: redacted.mode,
+            reasons: JSON.stringify(redacted.reasons),
+            reasonCodes: JSON.stringify(redacted.reasonCodes),
+            decisionBasis: redacted.decisionBasis,
+            evidenceRefs: JSON.stringify(redacted.evidenceRefs),
+            modelEvalRef: redacted.modelEvalRef ?? null,
+            createdAt: redacted.createdAt,
+        });
+        await persistRedactionManifest(this.db, redacted.id, "decision.recorded", manifest);
+    }
+    async recordQuietLifecycle(event) {
+        const { redacted, manifest } = redactEvent(event);
+        await this.db.db.insert(decisionLedger).values({
+            id: redacted.id,
+            tickId: redacted.tickId,
+            traceId: `quiet-${redacted.eventType}-${redacted.id}`,
+            intentId: null,
+            platformId: null,
+            verdict: "allow",
+            mode: "quiet",
+            reasons: JSON.stringify([redacted.eventType, redacted.reason ?? ""].filter(Boolean)),
+            reasonCodes: JSON.stringify(["quiet_lifecycle"]),
+            decisionBasis: "rule_only",
+            evidenceRefs: JSON.stringify(redacted.reflectionCandidates ?? []),
+            modelEvalRef: null,
+            createdAt: redacted.createdAt,
+        });
+        await persistRedactionManifest(this.db, redacted.id, redacted.eventType, manifest);
+    }
+    async recordOutreachDecision(event) {
+        const { redacted, manifest } = redactEvent(event);
+        const verdict = redacted.eventType === "outreach.sent"
+            ? "allow"
+            : redacted.eventType === "outreach.deferred" || redacted.eventType === "outreach.considered"
+                ? "defer"
+                : "deny";
+        await this.db.db.insert(decisionLedger).values({
+            id: redacted.id,
+            tickId: redacted.tickId,
+            traceId: `outreach-${redacted.eventType}-${redacted.id}`,
+            intentId: null,
+            platformId: redacted.platformId ?? null,
+            verdict,
+            mode: "active",
+            reasons: JSON.stringify([
+                redacted.eventType,
+                redacted.valueScore?.toString() ?? "",
+                redacted.suppressionReason ?? "",
+            ].filter(Boolean)),
+            reasonCodes: JSON.stringify(["outreach_decision"]),
+            decisionBasis: "score_based",
+            evidenceRefs: JSON.stringify([redacted.targetUserId ?? ""].filter(Boolean)),
+            modelEvalRef: null,
+            createdAt: redacted.createdAt,
+        });
+        await persistRedactionManifest(this.db, redacted.id, redacted.eventType, manifest);
+    }
+    async queryByTickId(tickId) {
+        const results = await this.db.db
+            .select()
+            .from(decisionLedger)
+            .where(eq(decisionLedger.tickId, tickId));
+        return results.map(this.mapToDecisionRecord);
+    }
+    async queryByTraceId(traceId) {
+        const results = await this.db.db
+            .select()
+            .from(decisionLedger)
+            .where(eq(decisionLedger.traceId, traceId))
+            .limit(1);
+        return results[0] ? this.mapToDecisionRecord(results[0]) : null;
+    }
+    async queryByIntentId(intentId) {
+        const results = await this.db.db
+            .select()
+            .from(decisionLedger)
+            .where(eq(decisionLedger.intentId, intentId));
+        return results.map(this.mapToDecisionRecord);
+    }
+    mapToDecisionRecord(row) {
+        return {
+            id: row.id,
+            tickId: row.tickId,
+            traceId: row.traceId,
+            intentId: row.intentId ?? undefined,
+            platformId: row.platformId ?? undefined,
+            verdict: row.verdict,
+            mode: row.mode,
+            reasons: JSON.parse(row.reasons),
+            reasonCodes: JSON.parse(row.reasonCodes),
+            decisionBasis: row.decisionBasis,
+            evidenceRefs: JSON.parse(row.evidenceRefs),
+            modelEvalRef: row.modelEvalRef ?? undefined,
+            createdAt: row.createdAt,
+        };
+    }
+}

package/runtime/observability/services/execution-telemetry.d.ts

@@ -0,0 +1,32 @@
+import type { ObservabilityDatabase } from "../db/index.js";
+import type { ExecutionAttempt, IntentCommitState } from "../../shared/types/continuity.js";
+export interface ExecutionAttemptInput {
+    traceId: string;
+    decisionId: string;
+    intentId: string;
+    platformId: string;
+    capability: string;
+    channel: string;
+    status: ExecutionAttempt["status"];
+    commitState?: IntentCommitState;
+    failureClass?: string;
+    retryPolicy?: string;
+    idempotencyKey?: string;
+    metadata?: Record<string, unknown>;
+    startedAt?: string;
+    finishedAt?: string;
+}
+export declare class ExecutionTelemetry {
+    private db;
+    constructor(db: ObservabilityDatabase);
+    recordExecutionAttempt(attempt: ExecutionAttempt): Promise<void>;
+    startAttempt(input: ExecutionAttemptInput): Promise<string>;
+    completeAttempt(traceId: string, status: "succeeded" | "failed", commitState?: IntentCommitState, failureClass?: string): Promise<void>;
+    updateCommitState(traceId: string, commitState: IntentCommitState): Promise<void>;
+    queryByTraceId(traceId: string): Promise<ExecutionAttempt | null>;
+    queryByDecisionId(decisionId: string): Promise<ExecutionAttempt[]>;
+    queryByPlatform(platformId: string): Promise<ExecutionAttempt[]>;
+    queryFailedAttempts(since: string): Promise<ExecutionAttempt[]>;
+    queryByCommitState(commitState: IntentCommitState): Promise<ExecutionAttempt[]>;
+    private mapToExecutionAttempt;
+}

package/runtime/observability/services/execution-telemetry.js

@@ -0,0 +1,126 @@
+import { eq, and, gte } from "drizzle-orm";
+import { executionAttempts } from "../db/schema/index.js";
+import { redactEvent } from "../redaction/manifest.js";
+import { persistRedactionManifest } from "./redaction-store.js";
+export class ExecutionTelemetry {
+    db;
+    constructor(db) {
+        this.db = db;
+    }
+    async recordExecutionAttempt(attempt) {
+        const { redacted, manifest } = redactEvent(attempt);
+        await this.db.db.insert(executionAttempts).values({
+            id: redacted.id,
+            traceId: redacted.traceId,
+            decisionId: redacted.decisionId,
+            intentId: redacted.intentId,
+            platformId: redacted.platformId,
+            capability: redacted.capability,
+            channel: redacted.channel,
+            status: redacted.status,
+            commitState: redacted.commitState ?? null,
+            failureClass: redacted.failureClass ?? null,
+            retryPolicy: redacted.retryPolicy ?? null,
+            idempotencyKey: redacted.idempotencyKey ?? null,
+            startedAt: redacted.startedAt ?? null,
+            finishedAt: redacted.finishedAt ?? null,
+        });
+        await persistRedactionManifest(this.db, redacted.id, "connector.attempt.recorded", manifest);
+    }
+    async startAttempt(input) {
+        const id = `attempt-${input.traceId}-${Date.now()}`;
+        const now = new Date().toISOString();
+        const attempt = {
+            id,
+            traceId: input.traceId,
+            decisionId: input.decisionId,
+            intentId: input.intentId,
+            platformId: input.platformId,
+            capability: input.capability,
+            channel: input.channel,
+            status: "started",
+            commitState: input.commitState,
+            failureClass: input.failureClass,
+            retryPolicy: input.retryPolicy,
+            idempotencyKey: input.idempotencyKey,
+            metadata: input.metadata,
+            startedAt: now,
+            finishedAt: undefined,
+        };
+        await this.recordExecutionAttempt(attempt);
+        return id;
+    }
+    async completeAttempt(traceId, status, commitState, failureClass) {
+        const now = new Date().toISOString();
+        await this.db.db
+            .update(executionAttempts)
+            .set({
+            status,
+            commitState: commitState ?? null,
+            failureClass: failureClass ?? null,
+            finishedAt: now,
+        })
+            .where(eq(executionAttempts.traceId, traceId));
+    }
+    async updateCommitState(traceId, commitState) {
+        await this.db.db
+            .update(executionAttempts)
+            .set({ commitState })
+            .where(eq(executionAttempts.traceId, traceId));
+    }
+    async queryByTraceId(traceId) {
+        const results = await this.db.db
+            .select()
+            .from(executionAttempts)
+            .where(eq(executionAttempts.traceId, traceId))
+            .limit(1);
+        return results[0] ? this.mapToExecutionAttempt(results[0]) : null;
+    }
+    async queryByDecisionId(decisionId) {
+        const results = await this.db.db
+            .select()
+            .from(executionAttempts)
+            .where(eq(executionAttempts.decisionId, decisionId));
+        return results.map(this.mapToExecutionAttempt);
+    }
+    async queryByPlatform(platformId) {
+        const results = await this.db.db
+            .select()
+            .from(executionAttempts)
+            .where(eq(executionAttempts.platformId, platformId));
+        return results.map(this.mapToExecutionAttempt);
+    }
+    async queryFailedAttempts(since) {
+        const results = await this.db.db
+            .select()
+            .from(executionAttempts)
+            .where(and(eq(executionAttempts.status, "failed"), gte(executionAttempts.startedAt, since)));
+        return results.map(this.mapToExecutionAttempt);
+    }
+    async queryByCommitState(commitState) {
+        const results = await this.db.db
+            .select()
+            .from(executionAttempts)
+            .where(eq(executionAttempts.commitState, commitState));
+        return results.map(this.mapToExecutionAttempt);
+    }
+    mapToExecutionAttempt(row) {
+        return {
+            id: row.id,
+            traceId: row.traceId,
+            decisionId: row.decisionId,
+            intentId: row.intentId,
+            platformId: row.platformId,
+            capability: row.capability,
+            channel: row.channel,
+            status: row.status,
+            commitState: row.commitState,
+            failureClass: row.failureClass ?? undefined,
+            retryPolicy: row.retryPolicy ?? undefined,
+            idempotencyKey: row.idempotencyKey ?? undefined,
+            metadata: undefined,
+            startedAt: row.startedAt ?? undefined,
+            finishedAt: row.finishedAt ?? undefined,
+        };
+    }
+}

package/runtime/observability/services/governance-audit.d.ts

@@ -0,0 +1,27 @@
+import type { ObservabilityDatabase } from "../db/index.js";
+import type { AnchorChangeAudit } from "../../shared/types/continuity.js";
+export interface CredentialLifecycleAudit {
+    id: string;
+    platformId: string;
+    credentialId: string;
+    statusFrom?: string;
+    statusTo: string;
+    verificationDeadline?: string;
+    attemptsRemaining?: number;
+    explanationCapsule: string;
+    createdAt: string;
+}
+export declare class GovernanceAudit {
+    private db;
+    constructor(db: ObservabilityDatabase);
+    recordAnchorChangeAudit(event: AnchorChangeAudit): Promise<void>;
+    recordCredentialLifecycle(event: CredentialLifecycleAudit): Promise<void>;
+    recordProposalApply(proposalId: string, targetAssetId: string, assetPath: string, beforeHash: string | undefined, afterHash: string | undefined, supportingSources: string[], reason: string): Promise<void>;
+    recordProposalReject(proposalId: string, targetAssetId: string, assetPath: string, reason: string): Promise<void>;
+    queryByProposalId(proposalId: string): Promise<AnchorChangeAudit[]>;
+    queryByAssetId(assetId: string): Promise<AnchorChangeAudit[]>;
+    queryByEventType(eventType: string): Promise<AnchorChangeAudit[]>;
+    queryCredentialByPlatform(platformId: string): Promise<CredentialLifecycleAudit[]>;
+    private mapToAnchorAudit;
+    private mapToCredentialAudit;
+}

package/runtime/observability/services/governance-audit.js

@@ -0,0 +1,139 @@
+import { eq } from "drizzle-orm";
+import { governanceAudit } from "../db/schema/index.js";
+import { redactEvent } from "../redaction/manifest.js";
+import { persistRedactionManifest } from "./redaction-store.js";
+export class GovernanceAudit {
+    db;
+    constructor(db) {
+        this.db = db;
+    }
+    async recordAnchorChangeAudit(event) {
+        const { redacted, manifest } = redactEvent(event);
+        await this.db.db.insert(governanceAudit).values({
+            id: redacted.id,
+            eventType: "anchor_change",
+            proposalId: redacted.proposalId,
+            targetAssetId: redacted.targetAssetId,
+            assetPath: redacted.assetPath,
+            statusFrom: null,
+            statusTo: redacted.status,
+            beforeHash: redacted.beforeHash ?? null,
+            afterHash: redacted.afterHash ?? null,
+            supportingSources: JSON.stringify(redacted.supportingSources),
+            reason: redacted.reason,
+            verificationDeadline: null,
+            attemptsRemaining: null,
+            createdAt: redacted.createdAt,
+        });
+        await persistRedactionManifest(this.db, redacted.id, "anchor.change", manifest);
+    }
+    async recordCredentialLifecycle(event) {
+        const { redacted, manifest } = redactEvent(event);
+        await this.db.db.insert(governanceAudit).values({
+            id: redacted.id,
+            eventType: "credential_lifecycle",
+            proposalId: null,
+            targetAssetId: redacted.platformId,
+            assetPath: redacted.credentialId,
+            statusFrom: redacted.statusFrom ?? null,
+            statusTo: redacted.statusTo,
+            beforeHash: null,
+            afterHash: null,
+            supportingSources: "[]",
+            reason: redacted.explanationCapsule,
+            verificationDeadline: redacted.verificationDeadline ?? null,
+            attemptsRemaining: redacted.attemptsRemaining ?? null,
+            createdAt: redacted.createdAt,
+        });
+        await persistRedactionManifest(this.db, redacted.id, "credential.lifecycle", manifest);
+    }
+    async recordProposalApply(proposalId, targetAssetId, assetPath, beforeHash, afterHash, supportingSources, reason) {
+        const id = `anchor-${proposalId}-${Date.now()}`;
+        const event = {
+            id,
+            proposalId,
+            targetAssetId,
+            assetPath,
+            status: "applied",
+            beforeHash,
+            afterHash,
+            supportingSources,
+            reason,
+            appliedAt: new Date().toISOString(),
+            createdAt: new Date().toISOString(),
+        };
+        await this.recordAnchorChangeAudit(event);
+    }
+    async recordProposalReject(proposalId, targetAssetId, assetPath, reason) {
+        const id = `anchor-reject-${proposalId}-${Date.now()}`;
+        const event = {
+            id,
+            proposalId,
+            targetAssetId,
+            assetPath,
+            status: "rejected",
+            supportingSources: [],
+            reason,
+            createdAt: new Date().toISOString(),
+        };
+        await this.recordAnchorChangeAudit(event);
+    }
+    async queryByProposalId(proposalId) {
+        const results = await this.db.db
+            .select()
+            .from(governanceAudit)
+            .where(eq(governanceAudit.proposalId, proposalId));
+        return results.map(this.mapToAnchorAudit);
+    }
+    async queryByAssetId(assetId) {
+        const results = await this.db.db
+            .select()
+            .from(governanceAudit)
+            .where(eq(governanceAudit.targetAssetId, assetId));
+        return results.map(this.mapToAnchorAudit);
+    }
+    async queryByEventType(eventType) {
+        const results = await this.db.db
+            .select()
+            .from(governanceAudit)
+            .where(eq(governanceAudit.eventType, eventType));
+        return results.map(this.mapToAnchorAudit);
+    }
+    async queryCredentialByPlatform(platformId) {
+        const results = await this.db.db
+            .select()
+            .from(governanceAudit)
+            .where(eq(governanceAudit.targetAssetId, platformId));
+        return results
+            .filter(r => r.eventType === "credential_lifecycle")
+            .map(this.mapToCredentialAudit);
+    }
+    mapToAnchorAudit(row) {
+        return {
+            id: row.id,
+            proposalId: row.proposalId ?? "",
+            targetAssetId: row.targetAssetId ?? "",
+            assetPath: row.assetPath ?? "",
+            status: row.statusTo,
+            beforeHash: row.beforeHash ?? undefined,
+            afterHash: row.afterHash ?? undefined,
+            supportingSources: JSON.parse(row.supportingSources ?? "[]"),
+            reason: row.reason ?? "",
+            appliedAt: row.statusTo === "applied" ? row.createdAt : undefined,
+            createdAt: row.createdAt,
+        };
+    }
+    mapToCredentialAudit(row) {
+        return {
+            id: row.id,
+            platformId: row.targetAssetId ?? "",
+            credentialId: row.assetPath ?? "",
+            statusFrom: row.statusFrom ?? undefined,
+            statusTo: row.statusTo,
+            verificationDeadline: row.verificationDeadline ?? undefined,
+            attemptsRemaining: row.attemptsRemaining ?? undefined,
+            explanationCapsule: row.reason ?? "",
+            createdAt: row.createdAt,
+        };
+    }
+}

package/runtime/observability/services/redaction-store.d.ts

@@ -0,0 +1,3 @@
+import type { ObservabilityDatabase } from "../db/index.js";
+import type { RedactionManifest } from "../redaction/manifest.js";
+export declare function persistRedactionManifest(db: ObservabilityDatabase, eventId: string, eventType: string, manifest: RedactionManifest): Promise<void>;

package/runtime/observability/services/redaction-store.js

@@ -0,0 +1,20 @@
+import { redactionManifest as redactionManifestTable } from "../db/schema/index.js";
+export async function persistRedactionManifest(db, eventId, eventType, manifest) {
+    const rows = [
+        ...manifest.maskedFields.map((fieldName) => ({ fieldName, action: "mask" })),
+        ...manifest.erasedFields.map((fieldName) => ({ fieldName, action: "erase" })),
+        ...manifest.hashedFields.map((fieldName) => ({ fieldName, action: "hash" })),
+    ];
+    if (rows.length === 0) {
+        rows.push({ fieldName: "*", action: "none" });
+    }
+    await db.db.insert(redactionManifestTable).values(rows.map((row, index) => ({
+        id: `${manifest.id}:${index}`,
+        eventId,
+        eventType,
+        fieldName: row.fieldName,
+        action: row.action,
+        originalValueHash: null,
+        createdAt: manifest.createdAt,
+    })));
+}

package/runtime/setup/HOST_SETUP.md

@@ -0,0 +1,112 @@
+# Second Nature Host Setup Guide
+
+This file ships inside the published plugin package.
+
+Use it after installing `@haaaiawd/second-nature` in an OpenClaw host to complete the minimum runtime setup and avoid pretending the system is fully connected before it is.
+
+## What to check first
+
+Confirm these in order:
+
+1. The plugin is installed and enabled.
+2. `workspace/` exists in the host environment.
+3. The anchor files exist:
+   - `workspace/SOUL.md`
+   - `workspace/USER.md`
+   - `workspace/IDENTITY.md`
+   - `workspace/MEMORY.md`
+4. Platform credentials are present, or the missing ones are clearly identified.
+5. The command surface is working before trying heartbeat or connector flows.
+
+## Minimum workspace setup
+
+If the anchor files are missing, create short first-person versions that are actually usable.
+
+- `SOUL.md`: values, stance, what I care about, what I refuse to become
+- `USER.md`: who the user is to me, how I should relate to them, what matters to them
+- `IDENTITY.md`: who I am, my role, my behavioral boundaries
+- `MEMORY.md`: stable facts and continuity worth carrying forward
+
+Do not leave them as empty headings.
+
+## Platform prerequisites
+
+Check platform readiness honestly.
+
+### Moltbook
+
+Look for a usable credential first.
+
+### InStreet
+
+Check whether the credential is already `active` or still `pending_verification`.
+
+### EvoMap
+
+Check whether a `node_secret` already exists.
+Without it, heartbeat, work discovery, and task claim will not be truly connected.
+
+## Command surface to inspect
+
+Use these first:
+
+- `status`
+- `credential`
+- `quiet`
+- `report`
+- `session`
+- `explain`
+
+The purpose is simple:
+
+1. verify the plugin is alive
+2. verify commands are usable
+3. see where credentials are blocked
+4. see whether reports and explain flows already have evidence to read back
+
+## About heartbeat
+
+Do not claim heartbeat is connected unless there is evidence.
+
+Look for:
+
+- heartbeat-related records in `report`
+- evidence in `explain`
+- signs of `heartbeat_bridge` in runtime records
+
+If that evidence does not exist, report that heartbeat bridge is not yet confirmed in the host.
+
+## About direct user replies
+
+Direct chat with the user should keep very light continuity.
+
+- do keep continuity
+- do not use post-reply tone
+- do not pretend the direct user reply path is connected unless you can observe evidence
+
+If continuity is not visible, report that the `user_reply` host entry is not yet confirmed.
+
+## Reporting template
+
+When setup inspection is done, report in this structure:
+
+1. Plugin state
+2. Workspace state
+3. Platform credential state
+4. Command/tool/service state
+5. Heartbeat evidence
+6. Direct user reply continuity evidence
+7. Current blockers
+
+## Important reminder
+
+This guide is only for installation and host bring-up.
+
+Long-term principles should move into:
+
+- `workspace/SOUL.md`
+- `workspace/USER.md`
+- `workspace/IDENTITY.md`
+- `workspace/MEMORY.md`
+
+Do not depend on this file as the long-term memory source.