@haaaiawd/second-nature 0.1.19 → 0.1.21

package/index.js

@@ -96,6 +96,13 @@ const WORKSPACE_BRIDGE_COMMANDS = new Set([
     "heartbeat_check",
     "fallback",
     "storage_smoke",
+    // T1.2.8 (SN-CODE-03): capability probe surface via workspace bridge
+    "capability_probe",
+    // T1.2.6 / T1.2.7: policy show + audit read surface
+    "policy",
+    "audit",
+    // T3.3.2: near-real connector smoke sentinel
+    "near_real_smoke",
 ]);
 function isWorkspaceBridgeCommand(command, input) {
     if (command === "credential") {
@@ -153,18 +160,25 @@ function resolveWorkspaceRoot(toolWorkspaceRoot) {
     if (tool) {
         return { resolution: "tool_args", declaredRoot: tool, runtimeRoot: tool };
     }
-    return { resolution: "unknown", declaredRoot: undefined, runtimeRoot: process.cwd() };
+    return {
+        resolution: "unknown",
+        declaredRoot: undefined,
+        runtimeRoot: process.cwd(),
+    };
 }
 function syncWorkspaceRootFromTool(spine, toolWorkspaceRoot) {
     const next = resolveWorkspaceRoot(toolWorkspaceRoot);
     const prev = spine.workspaceRootContext;
-    const changed = next.runtimeRoot !== prev.runtimeRoot || next.resolution !== prev.resolution;
+    const changed = next.runtimeRoot !== prev.runtimeRoot ||
+        next.resolution !== prev.resolution;
     if (changed) {
         disposeWorkspaceOpsBridge();
     }
     spine.workspaceRootContext = next;
     if (changed) {
-        spine.runtimeHandle = startRuntimeService({ workspaceRoot: next.runtimeRoot });
+        spine.runtimeHandle = startRuntimeService({
+            workspaceRoot: next.runtimeRoot,
+        });
     }
 }
 function trimRuntimeEvidence(spine) {
@@ -229,7 +243,8 @@ function parseExplainSubject(subjectRaw) {
 }
 function buildStatusPayload(spine) {
     const runtimeEvidence = latestRuntimeEvidence(spine);
-    const updatedAt = runtimeEvidence?.createdAt ?? new Date(spine.lifecycleState.lastChangedAt).toISOString();
+    const updatedAt = runtimeEvidence?.createdAt ??
+        new Date(spine.lifecycleState.lastChangedAt).toISOString();
     const wr = spine.workspaceRootContext;
     const needsRootHint = wr.resolution === "unknown";
     return {
@@ -240,7 +255,9 @@ function buildStatusPayload(spine) {
         error: {
             code: "WORKSPACE_READ_SURFACE_UNAVAILABLE",
             message: "Aggregated status requires workspace state; the host-safe plugin does not load persisted read models on this surface.",
-            requiredUserInput: needsRootHint ? ["SECOND_NATURE_WORKSPACE_ROOT or tool workspaceRoot"] : [],
+            requiredUserInput: needsRootHint
+                ? ["SECOND_NATURE_WORKSPACE_ROOT or tool workspaceRoot"]
+                : [],
             nextStep: "run_workspace_second_nature_cli_or_full_runtime_package",
         },
         data: {
@@ -264,7 +281,9 @@ function buildQuietPayload(spine, scope) {
         error: {
             code: "QUIET_READ_SURFACE_UNAVAILABLE",
             message: "Quiet read surface requires workspace runtime; not evaluated in host-safe carrier mode.",
-            requiredUserInput: wr.resolution === "unknown" ? ["SECOND_NATURE_WORKSPACE_ROOT or tool workspaceRoot"] : [],
+            requiredUserInput: wr.resolution === "unknown"
+                ? ["SECOND_NATURE_WORKSPACE_ROOT or tool workspaceRoot"]
+                : [],
             nextStep: "run_workspace_second_nature_cli_or_full_runtime_package",
         },
         data: {
@@ -285,7 +304,9 @@ function buildReportPayload(spine, day) {
         error: {
             code: "REPORT_READ_SURFACE_UNAVAILABLE",
             message: "Daily report artifacts require workspace runtime.",
-            requiredUserInput: wr.resolution === "unknown" ? ["SECOND_NATURE_WORKSPACE_ROOT or tool workspaceRoot"] : [],
+            requiredUserInput: wr.resolution === "unknown"
+                ? ["SECOND_NATURE_WORKSPACE_ROOT or tool workspaceRoot"]
+                : [],
             nextStep: "run_workspace_second_nature_cli_or_full_runtime_package",
         },
         data: {
@@ -317,7 +338,9 @@ function buildSessionPayload(spine, sessionId) {
         error: {
             code: "SESSION_READ_SURFACE_UNAVAILABLE",
             message: "Session analytics require workspace state database.",
-            requiredUserInput: wr.resolution === "unknown" ? ["SECOND_NATURE_WORKSPACE_ROOT or tool workspaceRoot"] : [],
+            requiredUserInput: wr.resolution === "unknown"
+                ? ["SECOND_NATURE_WORKSPACE_ROOT or tool workspaceRoot"]
+                : [],
             nextStep: "run_workspace_second_nature_cli_or_full_runtime_package",
         },
         data: {
@@ -338,7 +361,9 @@ function buildCredentialPayload(spine, platformId) {
         error: {
             code: "CREDENTIAL_READ_SURFACE_UNAVAILABLE",
             message: "Credential inspection requires workspace runtime on this surface.",
-            requiredUserInput: wr.resolution === "unknown" ? ["SECOND_NATURE_WORKSPACE_ROOT or tool workspaceRoot"] : [],
+            requiredUserInput: wr.resolution === "unknown"
+                ? ["SECOND_NATURE_WORKSPACE_ROOT or tool workspaceRoot"]
+                : [],
             nextStep: "run_workspace_second_nature_cli_or_full_runtime_package",
         },
         data: {
@@ -384,7 +409,9 @@ function buildExplainPayload(spine, subjectRaw) {
         error: {
             code: "EXPLAIN_READ_SURFACE_UNAVAILABLE",
             message: "Evidence-backed explain requires persisted workspace read models; host-safe carrier did not evaluate operator explain (CH-11-02).",
-            requiredUserInput: wr.resolution === "unknown" ? ["SECOND_NATURE_WORKSPACE_ROOT or tool workspaceRoot"] : [],
+            requiredUserInput: wr.resolution === "unknown"
+                ? ["SECOND_NATURE_WORKSPACE_ROOT or tool workspaceRoot"]
+                : [],
             nextStep: "run_workspace_second_nature_cli_or_full_runtime_package",
         },
         data: {
@@ -398,8 +425,13 @@ async function buildStorageSmokePayload(input) {
     try {
         const mod = await import("./runtime/storage/bootstrap/storage-mode-smoke.js");
         const runRepairFixture = Boolean(input?.runRepairFixture);
-        const workspaceRoot = typeof input?.workspaceRoot === "string" ? input.workspaceRoot : undefined;
-        const data = await mod.runStorageModeSmoke({ runRepairFixture, workspaceRoot });
+        const workspaceRoot = typeof input?.workspaceRoot === "string"
+            ? input.workspaceRoot
+            : undefined;
+        const data = await mod.runStorageModeSmoke({
+            runRepairFixture,
+            workspaceRoot,
+        });
         return { ok: true, data };
     }
     catch (error) {
@@ -434,8 +466,11 @@ function isProbeOnlyInput(input) {
 }
 function buildHeartbeatCheckPayload(spine, input) {
     const runtimeEvidence = latestRuntimeEvidence(spine);
-    const updatedAt = runtimeEvidence?.createdAt ?? new Date(spine.lifecycleState.lastChangedAt).toISOString();
-    const timestamp = typeof input?.timestamp === "string" && input.timestamp.trim().length > 0 ? input.timestamp : updatedAt;
+    const updatedAt = runtimeEvidence?.createdAt ??
+        new Date(spine.lifecycleState.lastChangedAt).toISOString();
+    const timestamp = typeof input?.timestamp === "string" && input.timestamp.trim().length > 0
+        ? input.timestamp
+        : updatedAt;
     const wr = spine.workspaceRootContext;
     if (isProbeOnlyInput(input)) {
         return {
@@ -461,8 +496,10 @@ function buildHeartbeatCheckPayload(spine, input) {
                 bridge: {
                     timestamp,
                     probeOnly: true,
-                    sessionContextProvided: typeof input?.sessionContext === "string" && input.sessionContext.trim().length > 0,
-                    heartbeatChecklistProvided: typeof input?.heartbeatChecklist === "string" && input.heartbeatChecklist.trim().length > 0,
+                    sessionContextProvided: typeof input?.sessionContext === "string" &&
+                        input.sessionContext.trim().length > 0,
+                    heartbeatChecklistProvided: typeof input?.heartbeatChecklist === "string" &&
+                        input.heartbeatChecklist.trim().length > 0,
                     serviceEntryMode: "capability_probe",
                 },
             },
@@ -491,19 +528,16 @@ function buildHeartbeatCheckPayload(spine, input) {
             },
             bridge: {
                 timestamp,
-                sessionContextProvided: typeof input?.sessionContext === "string" && input.sessionContext.trim().length > 0,
-                heartbeatChecklistProvided: typeof input?.heartbeatChecklist === "string" && input.heartbeatChecklist.trim().length > 0,
+                sessionContextProvided: typeof input?.sessionContext === "string" &&
+                    input.sessionContext.trim().length > 0,
+                heartbeatChecklistProvided: typeof input?.heartbeatChecklist === "string" &&
+                    input.heartbeatChecklist.trim().length > 0,
                 serviceEntryMode: "runtime_carrier_only",
             },
         },
     };
 }
 function createHostSafeRouter(spine) {
-    const notImplemented = async (command) => ({
-        ok: false,
-        command,
-        message: HOST_SAFE_LIMITATION_MESSAGE,
-    });
     const commands = [
         {
             name: "status",
@@ -518,7 +552,7 @@ function createHostSafeRouter(spine) {
                 if (action === "set") {
                     return createUnavailableActionError("HOST_SAFE_POLICY_SET_UNAVAILABLE", "policy set is unavailable in the host-safe plugin package", ["social_daily_limit", "quiet_enabled"], "run_workspace_runtime_or_reinstall_full_build");
                 }
-                return notImplemented("policy");
+                return createUnavailableActionError("HOST_SAFE_POLICY_SHOW_UNAVAILABLE", "Policy read requires workspace state database; host-safe plugin does not load persisted policy rows.", [], "run_workspace_second_nature_cli_or_full_runtime_package");
             },
         },
         {
@@ -560,7 +594,7 @@ function createHostSafeRouter(spine) {
         {
             name: "audit",
             description: "Inspect audit and evidence views",
-            execute: async () => notImplemented("audit"),
+            execute: async () => createUnavailableActionError("HOST_SAFE_AUDIT_UNAVAILABLE", "Audit read requires workspace observability database; host-safe plugin does not load persisted audit events.", [], "run_workspace_second_nature_cli_or_full_runtime_package"),
         },
         {
             name: "explain",
@@ -588,6 +622,16 @@ function createHostSafeRouter(spine) {
             description: "T4.1.4 storage mode smoke report (sql.js vs native probe)",
             execute: async (input) => buildStorageSmokePayload(input),
         },
+        {
+            name: "capability_probe",
+            description: "Probe host capabilities (workspace runtime required for full report)",
+            execute: async () => createUnavailableActionError("HOST_SAFE_CAPABILITY_PROBE_UNAVAILABLE", "Full capability probe requires workspace observability database for persistence; host-safe carrier returns static unknown.", [], "run_workspace_second_nature_cli_or_full_runtime_package"),
+        },
+        {
+            name: "near_real_smoke",
+            description: "Run near-real connector smoke (workspace runtime + connectors required)",
+            execute: async () => createUnavailableActionError("HOST_SAFE_NEAR_REAL_SMOKE_UNAVAILABLE", "Near-real connector smoke requires workspace state and observability databases; host-safe plugin cannot run connector harness.", [], "run_workspace_second_nature_cli_or_full_runtime_package"),
+        },
     ];
     return {
         commands,
@@ -600,7 +644,9 @@ function createActivationSpine() {
     const workspaceRootContext = resolveWorkspaceRoot(undefined);
     const spine = {
         router: undefined,
-        runtimeHandle: startRuntimeService({ workspaceRoot: workspaceRootContext.runtimeRoot }),
+        runtimeHandle: startRuntimeService({
+            workspaceRoot: workspaceRootContext.runtimeRoot,
+        }),
         lifecycleState: getLifecycleState(),
         serviceStartRecorded: false,
         runtimeEvidence: [],
@@ -640,12 +686,15 @@ function refreshRegistrationState() {
     const spine = ensureActivationSpine();
     const workspaceRootContext = resolveWorkspaceRoot(undefined);
     const prev = spine.workspaceRootContext;
-    const changed = workspaceRootContext.runtimeRoot !== prev.runtimeRoot || workspaceRootContext.resolution !== prev.resolution;
+    const changed = workspaceRootContext.runtimeRoot !== prev.runtimeRoot ||
+        workspaceRootContext.resolution !== prev.resolution;
     if (changed) {
         disposeWorkspaceOpsBridge();
     }
     spine.workspaceRootContext = workspaceRootContext;
-    spine.runtimeHandle = startRuntimeService({ workspaceRoot: workspaceRootContext.runtimeRoot });
+    spine.runtimeHandle = startRuntimeService({
+        workspaceRoot: workspaceRootContext.runtimeRoot,
+    });
     spine.lifecycleState = recordRegistration();
     spine.serviceStartRecorded = false;
     recordRuntimeEvidence(spine, "register");
@@ -809,7 +858,11 @@ export default definePluginEntry({
                 const resolved = spine.router.resolve(parsed.command);
                 if (!resolved) {
                     return {
-                        text: JSON.stringify({ ok: false, command: parsed.command, message: "Unknown Second Nature command." }),
+                        text: JSON.stringify({
+                            ok: false,
+                            command: parsed.command,
+                            message: "Unknown Second Nature command.",
+                        }),
                     };
                 }
                 const result = await routeSecondNatureCommand(spine, parsed.command, parsed.input);
@@ -827,7 +880,10 @@ export default definePluginEntry({
                     content: [
                         {
                             type: "text",
-                            text: JSON.stringify({ ok: false, message: "Unknown Second Nature command." }),
+                            text: JSON.stringify({
+                                ok: false,
+                                message: "Unknown Second Nature command.",
+                            }),
                         },
                     ],
                 };

package/openclaw.plugin.json

@@ -1,7 +1,7 @@
 {
   "id": "second-nature",
   "name": "Second Nature",
-  "version": "0.1.19",
+  "version": "0.1.21",
   "description": "OpenClaw native plugin with synchronous surface registration and bundled runtime spine. Set SECOND_NATURE_WORKSPACE_ROOT or tool workspaceRoot to the same path as the agent workspace (see README / T1.1.4 ops norm).",
   "activation": {
     "onStartup": true,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@haaaiawd/second-nature",
-  "version": "0.1.19",
+  "version": "0.1.21",
   "description": "OpenClaw native plugin with synchronous registration, a packaged runtime artifact, and operator-facing status/explain flows.",
   "keywords": [
     "openclaw",

package/runtime/cli/commands/index.js

@@ -1,7 +1,7 @@
 import { credentialVerify } from "./credential.js";
 import { formatExplanation } from "../explain/format-explanation.js";
 import { explainSurfaceSubject } from "../explain/explain-surface-subject.js";
-import { showOperatorFallback, OperatorFallbackNotFoundError } from "../ops/show-operator-fallback.js";
+import { showOperatorFallback, OperatorFallbackNotFoundError, } from "../ops/show-operator-fallback.js";
 import { runStorageModeSmoke } from "../../storage/bootstrap/storage-mode-smoke.js";
 import { policySet } from "./policy.js";
 const notImplemented = async (command) => ({
@@ -40,7 +40,10 @@ export function createCliCommands(deps) {
                 if (action === "set") {
                     return policySet(actionBridge, input);
                 }
-                return notImplemented("policy");
+                // T1.2.6 (SN-CODE-01): `policy show` (default) returns the current rhythm policy
+                // snapshot. Returns workspace defaults when no policy row has been persisted yet.
+                const data = await readModels.loadPolicy();
+                return { ok: true, data };
             },
         },
         {
@@ -69,7 +72,9 @@ export function createCliCommands(deps) {
             name: "report",
             description: "Show daily report artifacts",
             execute: async (input) => {
-                const day = typeof input?.day === "string" ? input.day : new Date().toISOString().slice(0, 10);
+                const day = typeof input?.day === "string"
+                    ? input.day
+                    : new Date().toISOString().slice(0, 10);
                 const data = await readModels.loadDailyReport(day);
                 return { ok: true, data };
             },
@@ -97,7 +102,12 @@ export function createCliCommands(deps) {
         {
             name: "audit",
             description: "Inspect audit and evidence views",
-            execute: () => notImplemented("audit"),
+            execute: async () => {
+                // T1.2.7 (SN-CODE-02): minimal read-side view — list all in-memory audit events.
+                // Empty store returns { totalEvents: 0, events: [] } (honest empty, not an error).
+                const data = await readModels.loadAuditSummary();
+                return { ok: true, data };
+            },
         },
         {
             name: "explain",
@@ -148,8 +158,13 @@ export function createCliCommands(deps) {
             description: "T4.1.4 — report sql.js vs native SQLite probe and optional artifact→index repair fixture",
             execute: async (input) => {
                 const runRepairFixture = Boolean(input?.runRepairFixture);
-                const workspaceRoot = typeof input?.workspaceRoot === "string" ? input.workspaceRoot : undefined;
-                const data = await runStorageModeSmoke({ runRepairFixture, workspaceRoot });
+                const workspaceRoot = typeof input?.workspaceRoot === "string"
+                    ? input.workspaceRoot
+                    : undefined;
+                const data = await runStorageModeSmoke({
+                    runRepairFixture,
+                    workspaceRoot,
+                });
                 return { ok: true, data };
             },
         },
@@ -189,5 +204,21 @@ export function createCliCommands(deps) {
                 }
             },
         },
+        {
+            name: "capability_probe",
+            description: "T1.2.8 — probe host capabilities and persist report (static unknown adapter in CLI context)",
+            execute: async (input) => {
+                const surface = await Promise.resolve(opsRouter.dispatch("capability_probe", input));
+                return surface;
+            },
+        },
+        {
+            name: "near_real_smoke",
+            description: "T3.3.2 — run near-real connector smoke (sentinel Moltbook + EvoMap, no live HTTP)",
+            execute: async (input) => {
+                const surface = await Promise.resolve(opsRouter.dispatch("near_real_smoke", input));
+                return surface;
+            },
+        },
     ];
 }

package/runtime/cli/index.js

@@ -7,6 +7,7 @@ import { createOpsRouter } from "./ops/ops-router.js";
 import { createCliReadModels, } from "./read-models/index.js";
 import { resolvePackagedRuntime } from "./runtime/runtime-artifact-boundary.js";
 import { createRuntimeDecisionRecorder, } from "../observability/services/runtime-decision-recorder.js";
+import { createConnectorExecutorAdapter } from "../connectors/services/connector-executor-adapter.js";
 export function createCliRuntimeDeps(overrides = {}) {
     const stateDb = overrides.stateDb ?? createStateDatabase();
     const observabilityDb = overrides.observabilityDb ?? createObservabilityDatabase();
@@ -16,6 +17,7 @@ export function createCliRuntimeDeps(overrides = {}) {
             stateDb,
             observabilityDb,
             workspaceRoot: process.cwd(),
+            livedExperienceAuditStore: overrides.livedExperienceAuditStore,
         });
     const actionBridge = overrides.actionBridge ?? createActionBridge(stateApi);
     const runtimeRecorder = overrides.runtimeRecorder ?? createRuntimeDecisionRecorder(observabilityDb);
@@ -31,12 +33,18 @@ export function createCliRuntimeDeps(overrides = {}) {
 export function createCommandRouter(options = {}) {
     const runtime = createCliRuntimeDeps(options.deps);
     const pluginRoot = path.join(process.cwd(), "plugin");
+    const connectorExecutor = createConnectorExecutorAdapter({
+        stateDb: runtime.stateDb,
+        observabilityDb: runtime.observabilityDb,
+    });
     const opsRouter = createOpsRouter({
         runtimeAvailable: resolvePackagedRuntime(pluginRoot).ok,
         readModels: runtime.readModels,
         runtimeRecorder: runtime.runtimeRecorder,
         state: runtime.stateDb,
         workspaceRoot: process.cwd(),
+        observabilityDb: runtime.observabilityDb,
+        connectorExecutor,
     });
     const commands = createCliCommands({
         readModels: runtime.readModels,

package/runtime/cli/ops/heartbeat-surface.d.ts

@@ -9,6 +9,7 @@ import type { HeartbeatSignal } from "../../core/second-nature/heartbeat/signal.
 import type { CliReadModels } from "../read-models/index.js";
 import type { RuntimeDecisionRecorder } from "../../observability/services/runtime-decision-recorder.js";
 import type { StateDatabase } from "../../storage/db/index.js";
+import type { ConnectorExecutor } from "../../core/second-nature/orchestrator/effect-dispatcher.js";
 export type HeartbeatSurfaceStatus = "heartbeat_ok" | "intent_selected" | "denied" | "deferred" | "runtime_carrier_only" | "delivery_unavailable";
 export interface HeartbeatSurfaceResult {
     ok: boolean;
@@ -41,5 +42,10 @@ export interface HeartbeatCheckInput {
     timestamp?: string;
     sessionContext?: string;
     scopeHint?: HeartbeatSignal["scopeHint"];
+    /**
+     * When present, guard-allowed connector_action intents are dispatched through the
+     * connector-system instead of returning connector_dispatch_unwired.
+     */
+    connectorExecutor?: ConnectorExecutor;
 }
 export declare function heartbeatCheck(input: HeartbeatCheckInput): Promise<HeartbeatSurfaceResult>;

package/runtime/cli/ops/heartbeat-surface.js

@@ -73,6 +73,7 @@ export async function heartbeatCheck(input) {
         runtimeRecorder: input.runtimeRecorder,
         state: input.state,
         workspaceRoot: input.workspaceRoot ?? process.cwd(),
+        connectorExecutor: input.connectorExecutor,
     });
     const cycle = await run(signal);
     return mapCycleToSurface(cycle, "workspace_full_runtime");

package/runtime/cli/ops/ops-router.d.ts

@@ -5,6 +5,8 @@ import { type HeartbeatCheckInput, type HeartbeatSurfaceResult } from "./heartbe
 import type { CliReadModels } from "../read-models/index.js";
 import type { RuntimeDecisionRecorder } from "../../observability/services/runtime-decision-recorder.js";
 import type { StateDatabase } from "../../storage/db/index.js";
+import type { ObservabilityDatabase } from "../../observability/db/index.js";
+import type { ConnectorExecutor } from "../../core/second-nature/orchestrator/effect-dispatcher.js";
 export interface OpsRouterDeps {
     /** When true, packaged runtime artifacts resolved and full graph is loadable */
     runtimeAvailable: boolean;
@@ -18,6 +20,16 @@ export interface OpsRouterDeps {
      */
     state?: StateDatabase;
     workspaceRoot?: string;
+    /**
+     * T1.2.8 (SN-CODE-03): observability DB for persisting capability probe reports.
+     * When absent, `capability_probe` still runs but skips persistence.
+     */
+    observabilityDb?: ObservabilityDatabase;
+    /**
+     * When present, guard-allowed connector_action intents are dispatched through the
+     * connector-system instead of returning connector_dispatch_unwired.
+     */
+    connectorExecutor?: ConnectorExecutor;
 }
 export interface OpsRouter {
     heartbeatCheck(input: HeartbeatCheckInput): Promise<HeartbeatSurfaceResult>;

package/runtime/cli/ops/ops-router.js

@@ -3,10 +3,35 @@
  */
 import { heartbeatCheck, } from "./heartbeat-surface.js";
 import { showOperatorFallback, OperatorFallbackNotFoundError, } from "./show-operator-fallback.js";
+import { probeHostCapability } from "../host-capability/probe-host-capability.js";
+import { recordHostCapability } from "../host-capability/record-host-capability.js";
+import { runNearRealConnectorSmoke } from "../../connectors/near-real/near-real-connector-smoke.js";
 function coerceProbeOnlyFlag(input) {
     const v = input?.probeOnly;
     return v === true || v === "true" || v === 1 || v === "1";
 }
+/**
+ * T1.2.8 — static local adapter: all checks return `unknown` when no real host is available.
+ * Allows `capability_probe` to be called from CLI / workspace bridge without requiring a live host.
+ */
+function createStaticUnknownAdapter() {
+    const now = new Date().toISOString();
+    const unknownResult = (name) => ({
+        name,
+        verdict: "unknown",
+        observedAt: now,
+        reason: "static_local_probe_no_host_context",
+        evidenceRefs: [],
+    });
+    return {
+        checkPluginLoad: () => unknownResult("plugin_load"),
+        checkHeartbeatBridge: () => unknownResult("heartbeat_bridge"),
+        checkHeartbeatToolInvocation: () => unknownResult("heartbeat_tool_invocation"),
+        checkDeliveryTarget: () => ({ status: "unknown", evidenceRefs: [] }),
+        checkAckDropBehavior: () => unknownResult("ack_drop"),
+        checkHookSupport: () => [],
+    };
+}
 export function createOpsRouter(deps) {
     return {
         heartbeatCheck: (input) => heartbeatCheck({
@@ -16,6 +41,7 @@ export function createOpsRouter(deps) {
             runtimeRecorder: input.runtimeRecorder ?? deps.runtimeRecorder,
             state: input.state ?? deps.state,
             workspaceRoot: input.workspaceRoot ?? deps.workspaceRoot,
+            connectorExecutor: input.connectorExecutor ?? deps.connectorExecutor,
         }),
         dispatch(command, input) {
             if (command === "heartbeat_check") {
@@ -42,6 +68,8 @@ export function createOpsRouter(deps) {
                         ? input.sessionContext
                         : undefined,
                     scopeHint: input?.scopeHint,
+                    connectorExecutor: input
+                        ?.connectorExecutor ?? deps.connectorExecutor,
                 });
             }
             if (command === "fallback") {
@@ -90,6 +118,67 @@ export function createOpsRouter(deps) {
                     }
                 })();
             }
+            if (command === "capability_probe") {
+                // T1.2.8 (SN-CODE-03): run host capability probe with static unknown adapter (CLI context).
+                // Persists report when observabilityDb is available; returns safe JSON subset.
+                return (async () => {
+                    const adapter = createStaticUnknownAdapter();
+                    const docCheckedAt = new Date().toISOString();
+                    const report = probeHostCapability({
+                        adapter,
+                        docLinks: [],
+                        docCheckedAt,
+                    });
+                    if (deps.observabilityDb) {
+                        await recordHostCapability(deps.observabilityDb, report);
+                    }
+                    return {
+                        ok: true,
+                        command: "capability_probe",
+                        data: {
+                            reportId: report.reportId,
+                            generatedAt: report.generatedAt,
+                            deliveryTarget: report.deliveryTarget,
+                            pluginLoad: { verdict: report.pluginLoad.verdict },
+                            heartbeatBridge: { verdict: report.heartbeatBridge.verdict },
+                            heartbeatToolInvocation: {
+                                verdict: report.heartbeatToolInvocation.verdict,
+                            },
+                            ackDropBehavior: { verdict: report.ackDropBehavior.verdict },
+                            conflictCount: report.conflictRecords.length,
+                            recommendedNextStep: report.recommendedNextStep,
+                            note: "static_local_probe: all verdicts are unknown without live host context",
+                        },
+                    };
+                })();
+            }
+            if (command === "near_real_smoke") {
+                // T3.3.2 (SN-CODE-05): wrap runNearRealConnectorSmoke as an ops surface command.
+                // Requires state + observabilityDb + workspaceRoot to be wired into OpsRouterDeps.
+                if (!deps.state || !deps.observabilityDb || !deps.workspaceRoot) {
+                    return {
+                        ok: false,
+                        command: "near_real_smoke",
+                        error: {
+                            code: "NEAR_REAL_SMOKE_DEPS_UNAVAILABLE",
+                            message: "near_real_smoke requires state, observabilityDb, and workspaceRoot in OpsRouterDeps",
+                            nextStep: "wire_deps_into_ops_router",
+                        },
+                    };
+                }
+                return (async () => {
+                    const result = await runNearRealConnectorSmoke({
+                        state: deps.state,
+                        observabilityDb: deps.observabilityDb,
+                        workspaceRoot: deps.workspaceRoot,
+                    });
+                    return {
+                        ok: true,
+                        command: "near_real_smoke",
+                        data: result,
+                    };
+                })();
+            }
             return {
                 ok: false,
                 error: {

package/runtime/cli/ops/workspace-heartbeat-runner.d.ts

@@ -17,6 +17,7 @@ import type { SnapshotInputs } from "../../core/second-nature/heartbeat/snapshot
 import type { CliReadModels } from "../read-models/index.js";
 import type { RuntimeDecisionRecorder } from "../../observability/services/runtime-decision-recorder.js";
 import type { StateDatabase } from "../../storage/db/index.js";
+import type { ConnectorExecutor } from "../../core/second-nature/orchestrator/effect-dispatcher.js";
 export interface WorkspaceHeartbeatRunnerOptions {
     /** When supplied, the runner persists the cycle so `loadStatus` can read it (T1.2.3). */
     runtimeRecorder?: RuntimeDecisionRecorder;
@@ -32,6 +33,11 @@ export interface WorkspaceHeartbeatRunnerOptions {
      * Defaults to true when workspaceRoot is provided, since this is the host-safe workspace path.
      */
     enableQuietWorkflow?: boolean;
+    /**
+     * When present, guard-allowed connector_action intents are dispatched through the
+     * connector-system instead of returning connector_dispatch_unwired.
+     */
+    connectorExecutor?: ConnectorExecutor;
 }
 export declare function loadSnapshotInputsForWorkspaceHeartbeat(readModels: CliReadModels, options?: {
     state?: StateDatabase;

package/runtime/cli/ops/workspace-heartbeat-runner.js

@@ -76,6 +76,7 @@ export function createWorkspaceHeartbeatRunner(readModels, options = {}) {
                 quietWorkflow: quietEnabled
                     ? { workspaceRoot: options.workspaceRoot }
                     : undefined,
+                connectorExecutor: options.connectorExecutor,
             },
         });
         if (options.runtimeRecorder) {

package/runtime/cli/read-models/index.d.ts

@@ -1,9 +1,12 @@
 import type { StateDatabase } from "../../storage/db/index.js";
 import type { ObservabilityDatabase } from "../../observability/db/index.js";
 import { AppendOnlyAuditStore } from "../../observability/audit/append-only-audit-store.js";
-import type { StatusReadModel, DailyReportReadModel, QuietReadModel, SessionDetailReadModel, CredentialReadModel, ExplainReadModel, ExplainSubjectKind } from "./types.js";
+import type { StatusReadModel, DailyReportReadModel, QuietReadModel, SessionDetailReadModel, CredentialReadModel, ExplainReadModel, ExplainSubjectKind, AuditSummaryReadModel } from "./types.js";
+export type { AuditSummaryReadModel } from "./types.js";
 export type { ExplainSubjectKind } from "./types.js";
 import type { OperatorFallbackView } from "../../storage/fallback/operator-fallback-view.js";
+import { type RhythmPolicySnapshot } from "../../storage/rhythm/rhythm-policy-snapshot.js";
+export type { RhythmPolicySnapshot };
 export interface CliReadModels {
     loadStatus(scope?: string): Promise<StatusReadModel>;
     loadDailyReport(day: string): Promise<DailyReportReadModel>;
@@ -13,6 +16,14 @@ export interface CliReadModels {
     explain(subject: ExplainSubject): Promise<ExplainReadModel>;
     /** T1.2.2 — persisted operator fallback; view status is always not_sent. */
     loadFallbackView(ref: string): Promise<OperatorFallbackView | null>;
+    /** T1.2.6 — rhythm policy snapshot for operator `policy show`. */
+    loadPolicy(): Promise<RhythmPolicySnapshot>;
+    /**
+     * T1.2.7 (SN-CODE-02) — minimal audit read-side view for operator `audit` command.
+     * Returns a summary of all in-memory audit events in the default store.
+     * Empty store returns `{ totalEvents: 0, events: [] }` (honest empty, not an error).
+     */
+    loadAuditSummary(): Promise<AuditSummaryReadModel>;
 }
 /** T1.2.1 / T1.2.2 — operator-facing read surface (subset of full CLI read models). */
 export type OpsReadModelPort = Pick<CliReadModels, "loadStatus" | "loadDailyReport" | "loadQuiet" | "loadSession" | "loadCredential" | "explain" | "loadFallbackView">;

package/runtime/cli/read-models/index.js

@@ -10,6 +10,7 @@ import { AppendOnlyAuditStore } from "../../observability/audit/append-only-audi
 import { queryExplain, } from "../../observability/query/explain-query.js";
 import { mapOperatorExplainToReadModel } from "./operator-explain-map.js";
 import { loadOperatorFallbackRow, toOperatorFallbackView, } from "../../storage/fallback/load-operator-fallback.js";
+import { loadRhythmPolicySnapshot, } from "../../storage/rhythm/rhythm-policy-snapshot.js";
 const INTERNAL_RUNTIME_PLATFORM_ID = "second-nature-runtime";
 const INTERNAL_RUNTIME_TRACE_PREFIX = "sn-runtime-";
 function toExplainQuery(subject) {
@@ -92,6 +93,11 @@ function mapRuntimeStatus(attempt) {
     if (!attempt) {
         return "unknown";
     }
+    // T1.2.9 (SN-CODE-04): control-plane denial (no eligible intent) is NOT a runtime fault.
+    // Return `awaiting_sources` so operators do not misread a clean denied cycle as a crash/degraded.
+    if (attempt.failureClass === "decision_denied") {
+        return "awaiting_sources";
+    }
     if (attempt.failureClass || attempt.status === "failed") {
         return "degraded";
     }
@@ -324,6 +330,26 @@ export function createCliReadModels(deps) {
                 return null;
             return toOperatorFallbackView(row);
         },
+        // T1.2.6 (SN-CODE-01): return the current workspace rhythm policy snapshot so that
+        // `policy show` is no longer a notImplemented shell. Returns defaults if no policy row exists.
+        async loadPolicy() {
+            return loadRhythmPolicySnapshot(deps.stateDb);
+        },
+        // T1.2.7 (SN-CODE-02): minimal audit read-side for operator `audit` command.
+        // Lists all in-memory envelopes with safe redacted fields; empty store returns honest empty.
+        async loadAuditSummary() {
+            const events = auditStore.list();
+            return {
+                totalEvents: events.length,
+                events: events.map((e) => ({
+                    eventId: e.eventId,
+                    family: e.family,
+                    plane: e.plane,
+                    createdAt: e.createdAt,
+                    sensitivity: e.redaction.sensitivity,
+                })),
+            };
+        },
         async explain(subject) {
             const q = toExplainQuery(subject);
             // T1.2.5: auditStore is always non-null (default-injected), so the explain path always

package/runtime/cli/read-models/types.d.ts

@@ -1,6 +1,11 @@
 export interface RuntimeSummary {
     host: "openclaw-plugin";
-    serviceStatus: "idle" | "running" | "degraded" | "unknown";
+    /**
+     * T1.2.9 (SN-CODE-04): `awaiting_sources` signals that the last runtime cycle was
+     * control-plane denied (decision_denied) — no eligible intent found, NOT a delivery
+     * or execution fault. Operators must not interpret this as a runtime crash.
+     */
+    serviceStatus: "idle" | "running" | "degraded" | "awaiting_sources" | "unknown";
     updatedAt: string;
 }
 export interface RhythmSummary {
@@ -110,3 +115,15 @@ export interface ExplainReadModel {
     warnings?: string[];
     relatedAuditEventIds?: string[];
 }
+/** T1.2.7 (SN-CODE-02) — minimal audit read-side summary for operator `audit` command. */
+export interface AuditEventSummaryEntry {
+    eventId: string;
+    family: string;
+    plane: string;
+    createdAt: string;
+    sensitivity: string;
+}
+export interface AuditSummaryReadModel {
+    totalEvents: number;
+    events: AuditEventSummaryEntry[];
+}

package/runtime/connectors/base/contract.d.ts

@@ -78,6 +78,16 @@ export interface ExecutionRunner {
 export interface ConnectorExecutionPort {
     executeCapability(intent: CapabilityIntent, request: ConnectorRequest): Promise<ConnectorResult<unknown>>;
 }
+export interface ConnectorExecutor {
+    executeEffect(input: {
+        platformId: string;
+        intent: CapabilityIntent;
+        payload: Record<string, unknown>;
+        decisionId: string;
+        intentId: string;
+        idempotencyKey: string;
+    }): Promise<ConnectorResult<unknown>>;
+}
 export declare function normalizeOutcome(attempt: RawAttempt): ConnectorResult<unknown>;
 export declare function createConnectorContractCore(input: {
     manifestLoader: ConnectorManifestLoader;

package/runtime/connectors/base/contract.js

@@ -1,6 +1,14 @@
 import { z } from "zod";
-import { classifyFailure, ConnectorPolicyError } from "./failure-taxonomy.js";
-export const CHANNEL_TYPES = ["api_rest", "api_rpc", "a2a", "mcp", "cli", "skill", "browser"];
+import { classifyFailure, ConnectorPolicyError, } from "./failure-taxonomy.js";
+export const CHANNEL_TYPES = [
+    "api_rest",
+    "api_rpc",
+    "a2a",
+    "mcp",
+    "cli",
+    "skill",
+    "browser",
+];
 export const CAPABILITY_INTENTS = [
     "feed.read",
     "post.publish",

package/runtime/connectors/base/failure-taxonomy.js

@@ -40,11 +40,15 @@ export class ConnectorPolicyError extends Error {
 }
 function readRetryAfterMs(input) {
     const retryAfterMs = input.retryAfterMs;
-    if (typeof retryAfterMs === "number" && Number.isFinite(retryAfterMs) && retryAfterMs > 0) {
+    if (typeof retryAfterMs === "number" &&
+        Number.isFinite(retryAfterMs) &&
+        retryAfterMs > 0) {
         return retryAfterMs;
     }
     const retryAfterSeconds = input.retryAfterSeconds;
-    if (typeof retryAfterSeconds === "number" && Number.isFinite(retryAfterSeconds) && retryAfterSeconds > 0) {
+    if (typeof retryAfterSeconds === "number" &&
+        Number.isFinite(retryAfterSeconds) &&
+        retryAfterSeconds > 0) {
         return retryAfterSeconds * 1000;
     }
     return undefined;
@@ -64,24 +68,56 @@ export function classifyFailure(error) {
         const record = error;
         const code = record.code;
         if (typeof code === "string") {
+            if (code === "auth_failure")
+                return {
+                    class: "auth_failure",
+                    retryable: RETRYABLE_BY_CLASS.auth_failure,
+                };
             if (code === "verification_required")
-                return { class: "verification_required", retryable: RETRYABLE_BY_CLASS.verification_required };
+                return {
+                    class: "verification_required",
+                    retryable: RETRYABLE_BY_CLASS.verification_required,
+                };
             if (code === "credential_expired")
-                return { class: "credential_expired", retryable: RETRYABLE_BY_CLASS.credential_expired };
+                return {
+                    class: "credential_expired",
+                    retryable: RETRYABLE_BY_CLASS.credential_expired,
+                };
             if (code === "cooldown_blocked")
-                return { class: "cooldown_blocked", retryable: RETRYABLE_BY_CLASS.cooldown_blocked };
+                return {
+                    class: "cooldown_blocked",
+                    retryable: RETRYABLE_BY_CLASS.cooldown_blocked,
+                };
             if (code === "idempotency_conflict")
-                return { class: "idempotency_conflict", retryable: RETRYABLE_BY_CLASS.idempotency_conflict };
+                return {
+                    class: "idempotency_conflict",
+                    retryable: RETRYABLE_BY_CLASS.idempotency_conflict,
+                };
             if (code === "concurrency_conflict")
-                return { class: "concurrency_conflict", retryable: RETRYABLE_BY_CLASS.concurrency_conflict };
+                return {
+                    class: "concurrency_conflict",
+                    retryable: RETRYABLE_BY_CLASS.concurrency_conflict,
+                };
             if (code === "protocol_mismatch")
-                return { class: "protocol_mismatch", retryable: RETRYABLE_BY_CLASS.protocol_mismatch };
+                return {
+                    class: "protocol_mismatch",
+                    retryable: RETRYABLE_BY_CLASS.protocol_mismatch,
+                };
             if (code === "semantic_rejection")
-                return { class: "semantic_rejection", retryable: RETRYABLE_BY_CLASS.semantic_rejection };
+                return {
+                    class: "semantic_rejection",
+                    retryable: RETRYABLE_BY_CLASS.semantic_rejection,
+                };
             if (code === "transport_failure")
-                return { class: "transport_failure", retryable: RETRYABLE_BY_CLASS.transport_failure };
+                return {
+                    class: "transport_failure",
+                    retryable: RETRYABLE_BY_CLASS.transport_failure,
+                };
             if (code === "permanent_input_error")
-                return { class: "permanent_input_error", retryable: RETRYABLE_BY_CLASS.permanent_input_error };
+                return {
+                    class: "permanent_input_error",
+                    retryable: RETRYABLE_BY_CLASS.permanent_input_error,
+                };
         }
         const status = record.status;
         if (status === 429) {
@@ -92,14 +128,26 @@ export function classifyFailure(error) {
             };
         }
         if (status === 401 || status === 403) {
-            return { class: "auth_failure", retryable: RETRYABLE_BY_CLASS.auth_failure };
+            return {
+                class: "auth_failure",
+                retryable: RETRYABLE_BY_CLASS.auth_failure,
+            };
         }
         if (status === 400 || status === 404 || status === 422) {
-            return { class: "permanent_input_error", retryable: RETRYABLE_BY_CLASS.permanent_input_error };
+            return {
+                class: "permanent_input_error",
+                retryable: RETRYABLE_BY_CLASS.permanent_input_error,
+            };
         }
         if (status === 500 || status === 502 || status === 503 || status === 504) {
-            return { class: "transport_failure", retryable: RETRYABLE_BY_CLASS.transport_failure };
+            return {
+                class: "transport_failure",
+                retryable: RETRYABLE_BY_CLASS.transport_failure,
+            };
         }
     }
-    return { class: "unknown_platform_change", retryable: RETRYABLE_BY_CLASS.unknown_platform_change };
+    return {
+        class: "unknown_platform_change",
+        retryable: RETRYABLE_BY_CLASS.unknown_platform_change,
+    };
 }

package/runtime/connectors/services/connector-executor-adapter.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Adapter: assemble connector-system execution infrastructure into the
+ * ConnectorExecutor interface consumed by EffectDispatcher.
+ *
+ * When credentials / base URLs are missing, returns an honest
+ * terminal_failure instead of throwing so the heartbeat loop stays stable.
+ */
+import type { ConnectorExecutor } from "../base/contract.js";
+export type { ConnectorExecutor } from "../base/contract.js";
+import type { ObservabilityDatabase } from "../../observability/db/index.js";
+import type { StateDatabase } from "../../storage/db/index.js";
+export interface ConnectorExecutorAdapterOptions {
+    stateDb: StateDatabase;
+    observabilityDb: ObservabilityDatabase;
+}
+export declare function createConnectorExecutorAdapter(options: ConnectorExecutorAdapterOptions): ConnectorExecutor;

package/runtime/connectors/services/connector-executor-adapter.js

@@ -0,0 +1,118 @@
+import { CapabilityContractRegistry } from "../base/manifest.js";
+import { ConnectorRoutePlanner } from "../base/route-planner.js";
+import { ChannelHealthStore } from "../base/channel-health.js";
+import { createConnectorPolicyLayer } from "../base/policy-layer.js";
+import { InMemoryEffectCommitLedger } from "../base/execution-policy.js";
+import { moltbookManifest } from "../social-community/moltbook/manifest.js";
+import { evomapManifest } from "../agent-network/evomap/manifest.js";
+import { createMoltbookApiClient } from "../social-community/moltbook/api-client.js";
+import { createMoltbookRunner } from "../social-community/moltbook/adapter.js";
+import { ExecutionTelemetry } from "../../observability/services/execution-telemetry.js";
+import { createCredentialVault } from "../../storage/services/credential-vault.js";
+import { createCredentialRouteContextPort } from "./credential-route-context.js";
+function createAdaptiveExecutionRunner(vault) {
+    return {
+        async run(_plan, request) {
+            const platformId = request.platformId;
+            const started = Date.now();
+            const credential = await vault.loadCredentialContext(platformId);
+            if (!credential ||
+                credential.status !== "active" ||
+                !credential.encryptedValue) {
+                return {
+                    platformId,
+                    channel: request.preferredChannel ?? "api_rest",
+                    latencyMs: Date.now() - started,
+                    success: false,
+                    error: {
+                        code: "auth_failure",
+                        detail: "credential_unavailable_for_execution",
+                    },
+                };
+            }
+            if (platformId === "moltbook") {
+                const baseUrl = process.env.SECOND_NATURE_MOLTBOOK_BASE_URL;
+                if (!baseUrl) {
+                    return {
+                        platformId,
+                        channel: request.preferredChannel ?? "api_rest",
+                        latencyMs: Date.now() - started,
+                        success: false,
+                        error: {
+                            code: "configuration_missing",
+                            detail: "SECOND_NATURE_MOLTBOOK_BASE_URL not set",
+                        },
+                    };
+                }
+                const apiClient = createMoltbookApiClient({
+                    baseUrl,
+                    accessToken: credential.encryptedValue,
+                    timeoutMs: 10000,
+                });
+                const runner = createMoltbookRunner({
+                    apiClient,
+                    skillRunner: {
+                        run: async () => {
+                            throw {
+                                code: "protocol_mismatch",
+                                detail: "moltbook_skill_runner_not_configured",
+                            };
+                        },
+                    },
+                });
+                return runner.run(_plan, request);
+            }
+            if (platformId === "evomap") {
+                return {
+                    platformId,
+                    channel: request.preferredChannel ?? "api_rest",
+                    latencyMs: Date.now() - started,
+                    success: false,
+                    error: {
+                        code: "not_implemented",
+                        detail: "evomap_execution_runner_not_yet_implemented",
+                    },
+                };
+            }
+            return {
+                platformId,
+                channel: request.preferredChannel ?? "api_rest",
+                latencyMs: Date.now() - started,
+                success: false,
+                error: {
+                    code: "unknown_platform",
+                    detail: `no execution runner for ${platformId}`,
+                },
+            };
+        },
+    };
+}
+export function createConnectorExecutorAdapter(options) {
+    const vault = createCredentialVault(options.stateDb.db);
+    const registry = new CapabilityContractRegistry();
+    registry.register({ ...moltbookManifest });
+    registry.register({ ...evomapManifest });
+    const routeContextPort = createCredentialRouteContextPort(vault);
+    const routePlanner = new ConnectorRoutePlanner(registry, routeContextPort, new ChannelHealthStore());
+    const telemetry = new ExecutionTelemetry(options.observabilityDb);
+    const executionRunner = createAdaptiveExecutionRunner(vault);
+    const policy = createConnectorPolicyLayer({
+        routePlanner,
+        executionRunner,
+        telemetry,
+        effectCommitLedger: new InMemoryEffectCommitLedger(),
+        retryPolicy: { maxRetries: 2, jitter: true },
+    });
+    return {
+        async executeEffect(input) {
+            return policy.executeWithPolicy(input.intent, {
+                platformId: input.platformId,
+                intent: input.intent,
+                payload: input.payload,
+                decisionId: input.decisionId,
+                intentId: input.intentId,
+                idempotencyKey: input.idempotencyKey,
+            });
+        },
+    };
+}

package/runtime/connectors/services/credential-route-context.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Bridge CredentialVault → RouteContextPort for connector route planning.
+ *
+ * Loads decrypted credentials from state DB and maps them to the
+ * CredentialContext shape expected by ConnectorRoutePlanner.
+ * Cooldown is stubbed (always unblocked) until a cooldown ledger is modeled.
+ */
+import type { RouteContextPort } from "../base/contract.js";
+import type { CredentialVault } from "../../storage/services/credential-vault.js";
+export declare function createCredentialRouteContextPort(vault: CredentialVault): RouteContextPort;

package/runtime/connectors/services/credential-route-context.js

@@ -0,0 +1,19 @@
+export function createCredentialRouteContextPort(vault) {
+    return {
+        async loadCredentialState(platformId) {
+            const ctx = await vault.loadCredentialContext(platformId);
+            // Defensive: some ORM findFirst variants return {} instead of null/undefined.
+            if (!ctx || !ctx.platformId || !ctx.status) {
+                return {
+                    platformId,
+                    status: "missing",
+                    credentialType: "api_key",
+                };
+            }
+            return ctx;
+        },
+        async loadCooldownState() {
+            return { blocked: false };
+        },
+    };
+}

package/runtime/core/second-nature/heartbeat/heartbeat-loop.d.ts

@@ -19,6 +19,7 @@ import { type HeartbeatRuntimeSnapshot } from "./runtime-snapshot.js";
 import type { GuidanceDraftPort } from "../../../guidance/outreach-draft-schema.js";
 import type { StateDatabase } from "../../../storage/db/index.js";
 import { type OpenClawDeliveryPort } from "../outreach/dispatch-user-outreach.js";
+import type { ConnectorExecutor } from "../../../connectors/base/contract.js";
 export interface HeartbeatDecisionTracePayload {
     scope: RuntimeScope;
     status: HeartbeatCycleStatus;
@@ -44,7 +45,7 @@ export interface HeartbeatQuietWorkflowDeps {
  * Resolves the heartbeat outcome for a guard-allowed intent (outreach dispatch, quiet orchestration, or default).
  * Exported for unit tests (CR-M1 wiring).
  */
-export declare function resolveAllowedIntentResult(intent: CandidateIntent, runtime: HeartbeatRuntimeSnapshot, inputs: SnapshotInputs, signal: HeartbeatSignal, deps: Pick<HeartbeatDeps, "outreachDispatch" | "quietWorkflow">): Promise<HeartbeatCycleResult>;
+export declare function resolveAllowedIntentResult(intent: CandidateIntent, runtime: HeartbeatRuntimeSnapshot, inputs: SnapshotInputs, signal: HeartbeatSignal, deps: Pick<HeartbeatDeps, "outreachDispatch" | "quietWorkflow" | "connectorExecutor">): Promise<HeartbeatCycleResult>;
 export interface HeartbeatDeps {
     /** Load snapshot inputs from state-system */
     loadSnapshotInputs: () => Promise<SnapshotInputs>;
@@ -52,6 +53,11 @@ export interface HeartbeatDeps {
     recordDecisionTrace?: (payload: HeartbeatDecisionTracePayload) => Promise<void>;
     outreachDispatch?: HeartbeatOutreachDispatchDeps;
     quietWorkflow?: HeartbeatQuietWorkflowDeps;
+    /**
+     * When present, guard-allowed connector_action intents are dispatched
+     * through the connector-system instead of returning connector_dispatch_unwired.
+     */
+    connectorExecutor?: ConnectorExecutor;
 }
 /**
  * Ingest a heartbeat rhythm signal and drive one full decision round.

package/runtime/core/second-nature/heartbeat/heartbeat-loop.js

@@ -5,6 +5,7 @@ import { evaluateHardGuards } from "../orchestrator/guard-layer.js";
 import { dispatchUserOutreachIntent, } from "../outreach/dispatch-user-outreach.js";
 import { buildJudgeOutreachInputFromSnapshot } from "../outreach/judge-input-from-snapshot.js";
 import { runSourceBackedQuiet } from "../quiet/run-source-backed-quiet.js";
+import { toCapabilityIntent } from "../orchestrator/effect-dispatcher.js";
 /**
  * Resolves the heartbeat outcome for a guard-allowed intent (outreach dispatch, quiet orchestration, or default).
  * Exported for unit tests (CR-M1 wiring).
@@ -48,6 +49,28 @@ export async function resolveAllowedIntentResult(intent, runtime, inputs, signal
         intent.effectClass === "no_effect" ||
         intent.kind === "maintenance";
     const connectorUnwired = intent.effectClass === "connector_action";
+    if (connectorUnwired && deps.connectorExecutor) {
+        const result = await deps.connectorExecutor.executeEffect({
+            platformId: intent.platformId ?? "unknown",
+            intent: toCapabilityIntent(intent),
+            payload: {},
+            decisionId: `decision:${intent.id}:${Date.now()}`,
+            intentId: intent.id,
+            idempotencyKey: `idem:${intent.id}:${Date.now()}`,
+        });
+        const base = {
+            scope: "rhythm",
+            status: "intent_selected",
+            selectedIntentId: intent.id,
+            decisionId: `decision:${intent.id}:${Date.now()}`,
+            reasons: result.status === "success"
+                ? ["connector_effect_executed"]
+                : result.status === "retryable_failure"
+                    ? ["connector_retryable_failure", result.failureClass ?? "unknown"]
+                    : ["connector_terminal_failure", result.failureClass ?? "unknown"],
+        };
+        return base;
+    }
     const reasons = noExternalEffect
         ? ["internal_tick"]
         : connectorUnwired

package/runtime/core/second-nature/orchestrator/effect-dispatcher.d.ts

@@ -1,4 +1,5 @@
-import type { ConnectorResult, CapabilityIntent } from "../../../connectors/base/contract.js";
+import type { ConnectorResult, CapabilityIntent, ConnectorExecutor } from "../../../connectors/base/contract.js";
+export type { ConnectorExecutor } from "../../../connectors/base/contract.js";
 import { LeaseManager, type EffectClass } from "./lease-manager.js";
 export interface AllowedIntent {
     id: string;
@@ -31,16 +32,6 @@ export interface IntentCommitPort {
     }): Promise<void>;
     abortIntentCommit(id: string, reason: string): Promise<void>;
 }
-export interface ConnectorExecutor {
-    executeEffect(input: {
-        platformId: string;
-        intent: CapabilityIntent;
-        payload: Record<string, unknown>;
-        decisionId: string;
-        intentId: string;
-        idempotencyKey: string;
-    }): Promise<ConnectorResult<unknown>>;
-}
 export interface CheckpointPort {
     saveCheckpoint(input: {
         id: string;
@@ -83,6 +74,7 @@ export type DispatchResult = {
     status: "maintenance_done";
     commitId: string;
 };
+export declare function toCapabilityIntent(intent: Pick<AllowedIntent, "kind">): CapabilityIntent;
 export declare class EffectDispatcher {
     private readonly leaseManager;
     private readonly commitPort;

package/runtime/core/second-nature/orchestrator/effect-dispatcher.js

@@ -1,14 +1,17 @@
 import * as crypto from "crypto";
 function needsLease(effectClass) {
-    return effectClass === "external_platform_action" || effectClass === "connector_action" || effectClass === "user_outreach";
+    return (effectClass === "external_platform_action" ||
+        effectClass === "connector_action" ||
+        effectClass === "user_outreach");
 }
 function needsCheckpoint(effectClass) {
     return effectClass !== "maintenance" && effectClass !== "no_effect";
 }
 function isConnectorEffect(effectClass) {
-    return effectClass === "external_platform_action" || effectClass === "connector_action";
+    return (effectClass === "external_platform_action" ||
+        effectClass === "connector_action");
 }
-function toCapabilityIntent(intent) {
+export function toCapabilityIntent(intent) {
     if (intent.kind === "work")
         return "work.discover";
     if (intent.kind === "exploration")
@@ -48,7 +51,9 @@ export class EffectDispatcher {
                 id: decision.checkpointId,
                 tickId: decision.tickId,
                 intentId: decision.intentId,
-                phase: isConnectorEffect(intent.effectClass) ? "before_effect" : "before_quiet_write",
+                phase: isConnectorEffect(intent.effectClass)
+                    ? "before_effect"
+                    : "before_quiet_write",
                 snapshotRef: decision.traceId,
             });
         }

package/runtime/core/second-nature/runtime/service-entry.js

@@ -27,7 +27,7 @@ export function startRuntimeService(ctx) {
     // - control-plane-system (heartbeat bridge preparation)
     const workspaceRoot = ctx?.workspaceRoot ?? process.cwd();
     /** Keep in sync with `plugin/package.json` when cutting releases. */
-    const version = "0.1.19";
+    const version = "0.1.20";
     activeHandle = {
         ready: true,
         version,

package/runtime/observability/services/observability-retention.d.ts

@@ -0,0 +1,10 @@
+import type { ObservabilityDatabase } from "../db/index.js";
+export interface RetentionCleanupInput {
+    /** Delete rows with createdAt < this ISO string. */
+    beforeDate: string;
+}
+export interface RetentionCleanupResult {
+    decisionLedgerDeleted: number;
+    executionAttemptsDeleted: number;
+}
+export declare function pruneObservabilityTables(db: ObservabilityDatabase, input: RetentionCleanupInput): Promise<RetentionCleanupResult>;

package/runtime/observability/services/observability-retention.js

@@ -0,0 +1,37 @@
+/**
+ * Observability retention cleanup (P2-06).
+ *
+ * Core logic: delete rows older than a retention threshold from
+ * decision_ledger and execution_attempts. Host capability reports and
+ * governance audit are intentionally kept longer (they are rare and
+ * operator-relevant).
+ *
+ * Boundaries:
+ *  - Does NOT vacuum the SQLite file (callers may do so separately).
+ *  - Returns honest counts so operators can verify.
+ *  - Safe to run while the system is active (SQLite DELETE is row-level).
+ */
+import { lt, sql } from "drizzle-orm";
+import { decisionLedger, executionAttempts } from "../db/schema/index.js";
+export async function pruneObservabilityTables(db, input) {
+    // Count before delete so we can return honest deletion numbers
+    // (SQLite DELETE result does not expose changes in Drizzle's type).
+    const dlBefore = await db.db
+        .select({ count: sql `count(*)` })
+        .from(decisionLedger)
+        .where(lt(decisionLedger.createdAt, input.beforeDate));
+    const eaBefore = await db.db
+        .select({ count: sql `count(*)` })
+        .from(executionAttempts)
+        .where(lt(executionAttempts.startedAt, input.beforeDate));
+    await db.db
+        .delete(decisionLedger)
+        .where(lt(decisionLedger.createdAt, input.beforeDate));
+    await db.db
+        .delete(executionAttempts)
+        .where(lt(executionAttempts.startedAt, input.beforeDate));
+    return {
+        decisionLedgerDeleted: dlBefore[0]?.count ?? 0,
+        executionAttemptsDeleted: eaBefore[0]?.count ?? 0,
+    };
+}

package/workspace-ops-bridge.js

@@ -22,7 +22,9 @@ export async function openWorkspaceOpsBridge(workspaceRoot) {
     try {
         const pluginPackageRoot = path.dirname(fileURLToPath(import.meta.url));
         // Packaged `plugin/runtime` is emitted JS without sibling `.d.ts` in this repo layout.
-        // @ts-expect-error TS7016 — intentional dynamic import of artifact bundle
+        // Dynamic import of artifact bundle — typed via PackagedCliModule interface above.
+        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+        // @ts-ignore TS7016 — intentional: runtime artifact has no adjacent .d.ts in this layout
         const cliIndex = (await import("./runtime/cli/index.js"));
         const commandsMod = (await import("./runtime/cli/commands/index.js"));
         const storageDb = (await import("./runtime/storage/db/index.js"));
@@ -40,6 +42,10 @@ export async function openWorkspaceOpsBridge(workspaceRoot) {
             runtimeAvailable: runtimeResolved.ok,
             readModels: deps.readModels,
             runtimeRecorder: deps.runtimeRecorder,
+            // T1.2.8 (SN-CODE-03): pass observabilityDb so capability_probe can persist reports
+            observabilityDb,
+            state: stateDb,
+            workspaceRoot: resolvedRoot,
         });
         const commands = commandsMod.createCliCommands({
             readModels: deps.readModels,
@@ -51,7 +57,10 @@ export async function openWorkspaceOpsBridge(workspaceRoot) {
             if (!def) {
                 return {
                     ok: false,
-                    error: { code: "unknown_command", message: `Unknown Second Nature command: ${command}` },
+                    error: {
+                        code: "unknown_command",
+                        message: `Unknown Second Nature command: ${command}`,
+                    },
                 };
             }
             const prevCwd = process.cwd();