@haaaiawd/second-nature 0.1.22 → 0.1.23

package/runtime/connectors/manifest/manifest-parser.js

@@ -0,0 +1,35 @@
+import yaml from "js-yaml";
+import { connectorManifestV6Schema, } from "./manifest-schema.js";
+/**
+ * Safe YAML parse + zod validation for connector manifest v6.
+ * Uses JSON_SCHEMA to block custom YAML tags/object constructors.
+ */
+export function parseConnectorManifestV6(yamlText, path) {
+    let raw;
+    try {
+        raw = yaml.load(yamlText, { schema: yaml.JSON_SCHEMA });
+    }
+    catch (error) {
+        return {
+            ok: false,
+            errors: [
+                error instanceof Error ? `yaml_parse_error:${error.message}` : `yaml_parse_error:${String(error)}`,
+            ],
+        };
+    }
+    if (raw === null || typeof raw !== "object") {
+        return { ok: false, errors: ["yaml_parse_error:parsed_content_is_null_or_not_object"] };
+    }
+    const parsed = connectorManifestV6Schema.safeParse(raw);
+    if (!parsed.success) {
+        const errors = parsed.error.issues.map((issue) => {
+            const pathStr = issue.path.join(".");
+            return `schema_validation_error:${pathStr}:${issue.message}`;
+        });
+        return { ok: false, errors };
+    }
+    return { ok: true, manifest: parsed.data };
+}
+export function toValidationError(path, output) {
+    return output.errors.map((message) => ({ path, message }));
+}

package/runtime/connectors/manifest/manifest-schema.d.ts

@@ -0,0 +1,145 @@
+import { z } from "zod";
+export declare const connectorRunnerKindSchema: z.ZodEnum<{
+    skill: "skill";
+    browser: "browser";
+    declarative_http: "declarative_http";
+    declarative_a2a: "declarative_a2a";
+    declarative_mcp: "declarative_mcp";
+    cli_descriptor: "cli_descriptor";
+    custom_adapter: "custom_adapter";
+}>;
+export type ConnectorRunnerKind = z.infer<typeof connectorRunnerKindSchema>;
+export declare const connectorTrustStatusSchema: z.ZodEnum<{
+    blocked: "blocked";
+    declarative_trusted: "declarative_trusted";
+    custom_adapter_pending_trust: "custom_adapter_pending_trust";
+    trusted_custom_adapter: "trusted_custom_adapter";
+}>;
+export type ConnectorTrustStatus = z.infer<typeof connectorTrustStatusSchema>;
+export declare const capabilityDeclarationSchema: z.ZodObject<{
+    id: z.ZodString;
+    channel: z.ZodOptional<z.ZodString>;
+    description: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type ConnectorCapabilityDeclaration = z.infer<typeof capabilityDeclarationSchema>;
+export declare const runnerDeclarationSchema: z.ZodObject<{
+    kind: z.ZodEnum<{
+        skill: "skill";
+        browser: "browser";
+        declarative_http: "declarative_http";
+        declarative_a2a: "declarative_a2a";
+        declarative_mcp: "declarative_mcp";
+        cli_descriptor: "cli_descriptor";
+        custom_adapter: "custom_adapter";
+    }>;
+    entrypoint: z.ZodOptional<z.ZodString>;
+    config: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, z.core.$strip>;
+export type ConnectorRunnerDeclaration = z.infer<typeof runnerDeclarationSchema>;
+export declare const credentialRequirementSchema: z.ZodObject<{
+    type: z.ZodString;
+    required: z.ZodDefault<z.ZodBoolean>;
+    description: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type CredentialRequirementDeclaration = z.infer<typeof credentialRequirementSchema>;
+export declare const sourceRefPolicySchema: z.ZodObject<{
+    minSourceRefs: z.ZodDefault<z.ZodNumber>;
+    rejectInlineSensitivePayload: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strip>;
+export type SourceRefPolicyDeclaration = z.infer<typeof sourceRefPolicySchema>;
+export declare const trustDeclarationSchema: z.ZodObject<{
+    status: z.ZodOptional<z.ZodEnum<{
+        blocked: "blocked";
+        declarative_trusted: "declarative_trusted";
+        custom_adapter_pending_trust: "custom_adapter_pending_trust";
+        trusted_custom_adapter: "trusted_custom_adapter";
+    }>>;
+    override: z.ZodOptional<z.ZodBoolean>;
+    reason: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type ConnectorTrustDeclaration = z.infer<typeof trustDeclarationSchema>;
+export declare const connectorManifestV6Schema: z.ZodObject<{
+    schemaVersion: z.ZodLiteral<"sn.connector.v1">;
+    platformId: z.ZodString;
+    displayName: z.ZodString;
+    family: z.ZodEnum<{
+        custom: "custom";
+        social_community: "social_community";
+        agent_network: "agent_network";
+        work_platform: "work_platform";
+    }>;
+    capabilities: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        channel: z.ZodOptional<z.ZodString>;
+        description: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    runner: z.ZodObject<{
+        kind: z.ZodEnum<{
+            skill: "skill";
+            browser: "browser";
+            declarative_http: "declarative_http";
+            declarative_a2a: "declarative_a2a";
+            declarative_mcp: "declarative_mcp";
+            cli_descriptor: "cli_descriptor";
+            custom_adapter: "custom_adapter";
+        }>;
+        entrypoint: z.ZodOptional<z.ZodString>;
+        config: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, z.core.$strip>;
+    credentials: z.ZodArray<z.ZodObject<{
+        type: z.ZodString;
+        required: z.ZodDefault<z.ZodBoolean>;
+        description: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    sourceRefPolicy: z.ZodObject<{
+        minSourceRefs: z.ZodDefault<z.ZodNumber>;
+        rejectInlineSensitivePayload: z.ZodOptional<z.ZodBoolean>;
+    }, z.core.$strip>;
+    trust: z.ZodOptional<z.ZodObject<{
+        status: z.ZodOptional<z.ZodEnum<{
+            blocked: "blocked";
+            declarative_trusted: "declarative_trusted";
+            custom_adapter_pending_trust: "custom_adapter_pending_trust";
+            trusted_custom_adapter: "trusted_custom_adapter";
+        }>>;
+        override: z.ZodOptional<z.ZodBoolean>;
+        reason: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+export type ConnectorManifestV6 = z.infer<typeof connectorManifestV6Schema>;
+export interface ConnectorConflict {
+    platformId: string;
+    existingSource: "built_in" | "workspace";
+    attemptedSource: "built_in" | "workspace";
+    reason: string;
+}
+export interface ConnectorManifestValidationError {
+    platformId?: string;
+    path: string;
+    message: string;
+}
+export interface ConnectorInventoryEntry {
+    platformId: string;
+    source: "built_in" | "workspace";
+    manifestPath?: string;
+    trustStatus: ConnectorTrustStatus;
+    executable: boolean;
+    capabilities: string[];
+    validationErrors: string[];
+    conflict?: ConnectorConflict;
+}
+export interface ConnectorReloadResult {
+    scanned: number;
+    registered: number;
+    skipped: number;
+    conflicts: ConnectorConflict[];
+    validationErrors: ConnectorManifestValidationError[];
+}
+export interface ConnectorRegistrySnapshot {
+    readonly entries: ReadonlyMap<string, ConnectorInventoryEntry>;
+    readonly builtInEntries: ReadonlyMap<string, ConnectorInventoryEntry>;
+    readonly dynamicEntries: ReadonlyMap<string, ConnectorInventoryEntry>;
+    readonly conflicts: readonly ConnectorConflict[];
+    readonly validationErrors: readonly ConnectorManifestValidationError[];
+    readonly createdAt: string;
+}

package/runtime/connectors/manifest/manifest-schema.js

@@ -0,0 +1,51 @@
+import { z } from "zod";
+export const connectorRunnerKindSchema = z.enum([
+    "declarative_http",
+    "declarative_a2a",
+    "declarative_mcp",
+    "cli_descriptor",
+    "custom_adapter",
+    "skill",
+    "browser",
+]);
+export const connectorTrustStatusSchema = z.enum([
+    "declarative_trusted",
+    "custom_adapter_pending_trust",
+    "trusted_custom_adapter",
+    "blocked",
+]);
+export const capabilityDeclarationSchema = z.object({
+    id: z.string().min(1),
+    channel: z.string().optional(),
+    description: z.string().optional(),
+});
+export const runnerDeclarationSchema = z.object({
+    kind: connectorRunnerKindSchema,
+    entrypoint: z.string().optional(),
+    config: z.record(z.string(), z.unknown()).optional(),
+});
+export const credentialRequirementSchema = z.object({
+    type: z.string().min(1),
+    required: z.boolean().default(true),
+    description: z.string().optional(),
+});
+export const sourceRefPolicySchema = z.object({
+    minSourceRefs: z.number().int().min(0).default(1),
+    rejectInlineSensitivePayload: z.boolean().optional(),
+});
+export const trustDeclarationSchema = z.object({
+    status: connectorTrustStatusSchema.optional(),
+    override: z.boolean().optional(),
+    reason: z.string().optional(),
+});
+export const connectorManifestV6Schema = z.object({
+    schemaVersion: z.literal("sn.connector.v1"),
+    platformId: z.string().min(1),
+    displayName: z.string().min(1),
+    family: z.enum(["social_community", "agent_network", "work_platform", "custom"]),
+    capabilities: z.array(capabilityDeclarationSchema).min(1),
+    runner: runnerDeclarationSchema,
+    credentials: z.array(credentialRequirementSchema),
+    sourceRefPolicy: sourceRefPolicySchema,
+    trust: trustDeclarationSchema.optional(),
+});

package/runtime/connectors/registry/dynamic-connector-registry.d.ts

@@ -0,0 +1,29 @@
+import { type ConnectorManifestV6, type ConnectorInventoryEntry, type ConnectorReloadResult, type ConnectorRegistrySnapshot } from "../manifest/manifest-schema.js";
+export interface RegistrySnapshotStore {
+    getActive(): ConnectorRegistrySnapshot;
+    swap(snapshot: ConnectorRegistrySnapshot): void;
+}
+export declare function createRegistrySnapshotStore(initial?: ConnectorRegistrySnapshot): RegistrySnapshotStore;
+export interface DynamicConnectorRegistryOptions {
+    builtInManifests?: ConnectorManifestV6[];
+    snapshotStore: RegistrySnapshotStore;
+}
+/**
+ * DynamicConnectorRegistry scans workspace manifests, validates, classifies trust,
+ * merges built-in entries, applies fail-closed conflict policy, and publishes
+ * immutable registry snapshots.
+ */
+export declare class DynamicConnectorRegistry {
+    private readonly builtInManifests;
+    private readonly snapshotStore;
+    constructor(options: DynamicConnectorRegistryOptions);
+    /**
+     * Reload connectors from workspace root.
+     * Scans `.second-nature/connectors/{platformId}/manifest.yaml`, validates,
+     * classifies trust, and atomically swaps the active registry snapshot.
+     */
+    reloadConnectors(workspaceRoot: string): ConnectorReloadResult;
+    getActiveRegistrySnapshot(): ConnectorRegistrySnapshot;
+    listConnectors(): ConnectorInventoryEntry[];
+    describeConnector(platformId: string): ConnectorInventoryEntry | undefined;
+}

package/runtime/connectors/registry/dynamic-connector-registry.js

@@ -0,0 +1,123 @@
+import path from "node:path";
+import { parseConnectorManifestV6, toValidationError } from "../manifest/manifest-parser.js";
+import { classifyTrust, isExecutable } from "./trust-policy.js";
+import { scanConnectorManifests } from "./manifest-scanner.js";
+export function createRegistrySnapshotStore(initial) {
+    let active = initial ??
+        buildSnapshot(new Map(), new Map(), [], [], new Date().toISOString());
+    return {
+        getActive() {
+            return active;
+        },
+        swap(snapshot) {
+            active = snapshot;
+        },
+    };
+}
+function buildSnapshot(builtIn, dynamic, conflicts, validationErrors, createdAt) {
+    const entries = new Map();
+    for (const [k, v] of builtIn)
+        entries.set(k, v);
+    for (const [k, v] of dynamic)
+        entries.set(k, v);
+    return Object.freeze({
+        entries,
+        builtInEntries: builtIn,
+        dynamicEntries: dynamic,
+        conflicts: Object.freeze([...conflicts]),
+        validationErrors: Object.freeze([...validationErrors]),
+        createdAt,
+    });
+}
+function manifestToInventoryEntry(manifest, source, manifestPath) {
+    const trustStatus = classifyTrust(manifest);
+    return {
+        platformId: manifest.platformId,
+        source,
+        manifestPath,
+        trustStatus,
+        executable: isExecutable(trustStatus),
+        capabilities: manifest.capabilities.map((c) => c.id),
+        validationErrors: [],
+    };
+}
+/**
+ * DynamicConnectorRegistry scans workspace manifests, validates, classifies trust,
+ * merges built-in entries, applies fail-closed conflict policy, and publishes
+ * immutable registry snapshots.
+ */
+export class DynamicConnectorRegistry {
+    builtInManifests;
+    snapshotStore;
+    constructor(options) {
+        this.builtInManifests = options.builtInManifests ?? [];
+        this.snapshotStore = options.snapshotStore;
+    }
+    /**
+     * Reload connectors from workspace root.
+     * Scans `.second-nature/connectors/{platformId}/manifest.yaml`, validates,
+     * classifies trust, and atomically swaps the active registry snapshot.
+     */
+    reloadConnectors(workspaceRoot) {
+        const scannedFiles = scanConnectorManifests(workspaceRoot);
+        const scanned = scannedFiles.length;
+        const builtInMap = new Map();
+        for (const manifest of this.builtInManifests) {
+            builtInMap.set(manifest.platformId, manifestToInventoryEntry(manifest, "built_in"));
+        }
+        const dynamicMap = new Map();
+        const conflicts = [];
+        const validationErrors = [];
+        let registered = 0;
+        let skipped = 0;
+        for (const file of scannedFiles) {
+            const parseResult = parseConnectorManifestV6(file.content, file.path);
+            if (!parseResult.ok) {
+                validationErrors.push(...toValidationError(file.path, parseResult));
+                skipped++;
+                continue;
+            }
+            const manifest = parseResult.manifest;
+            const manifestPath = path.relative(workspaceRoot, file.path);
+            // Duplicate platformId without override -> fail-closed
+            if (builtInMap.has(manifest.platformId) || dynamicMap.has(manifest.platformId)) {
+                const existing = builtInMap.get(manifest.platformId) ?? dynamicMap.get(manifest.platformId);
+                const allowOverride = manifest.trust?.override === true;
+                const isTrustedSource = existing.source === "built_in";
+                if (!allowOverride || isTrustedSource) {
+                    conflicts.push({
+                        platformId: manifest.platformId,
+                        existingSource: existing.source,
+                        attemptedSource: "workspace",
+                        reason: allowOverride
+                            ? "override_rejected_trusted_source"
+                            : "duplicate_platform_id_without_override",
+                    });
+                    skipped++;
+                    continue;
+                }
+            }
+            const entry = manifestToInventoryEntry(manifest, "workspace", manifestPath);
+            dynamicMap.set(manifest.platformId, entry);
+            registered++;
+        }
+        const snapshot = buildSnapshot(builtInMap, dynamicMap, conflicts, validationErrors, new Date().toISOString());
+        this.snapshotStore.swap(snapshot);
+        return {
+            scanned,
+            registered,
+            skipped,
+            conflicts,
+            validationErrors,
+        };
+    }
+    getActiveRegistrySnapshot() {
+        return this.snapshotStore.getActive();
+    }
+    listConnectors() {
+        return [...this.snapshotStore.getActive().entries.values()];
+    }
+    describeConnector(platformId) {
+        return this.snapshotStore.getActive().entries.get(platformId);
+    }
+}

package/runtime/connectors/registry/index.d.ts

@@ -0,0 +1,3 @@
+export { DynamicConnectorRegistry, createRegistrySnapshotStore, type RegistrySnapshotStore, type DynamicConnectorRegistryOptions, } from "./dynamic-connector-registry.js";
+export { scanConnectorManifests, type ManifestScanResult } from "./manifest-scanner.js";
+export { classifyTrust, isExecutable } from "./trust-policy.js";

package/runtime/connectors/registry/index.js

@@ -0,0 +1,3 @@
+export { DynamicConnectorRegistry, createRegistrySnapshotStore, } from "./dynamic-connector-registry.js";
+export { scanConnectorManifests } from "./manifest-scanner.js";
+export { classifyTrust, isExecutable } from "./trust-policy.js";

package/runtime/connectors/registry/manifest-scanner.d.ts

@@ -0,0 +1,9 @@
+export interface ManifestScanResult {
+    path: string;
+    content: string;
+}
+/**
+ * Enumerate `.second-nature/connectors/{platformId}/manifest.yaml` under workspace root.
+ * Does not execute any code; only reads file paths and contents.
+ */
+export declare function scanConnectorManifests(workspaceRoot: string): ManifestScanResult[];

package/runtime/connectors/registry/manifest-scanner.js

@@ -0,0 +1,29 @@
+import fs from "node:fs";
+import path from "node:path";
+/**
+ * Enumerate `.second-nature/connectors/{platformId}/manifest.yaml` under workspace root.
+ * Does not execute any code; only reads file paths and contents.
+ */
+export function scanConnectorManifests(workspaceRoot) {
+    const connectorsDir = path.join(workspaceRoot, ".second-nature", "connectors");
+    if (!fs.existsSync(connectorsDir)) {
+        return [];
+    }
+    const results = [];
+    const entries = fs.readdirSync(connectorsDir, { withFileTypes: true });
+    for (const entry of entries) {
+        if (!entry.isDirectory())
+            continue;
+        const manifestPath = path.join(connectorsDir, entry.name, "manifest.yaml");
+        if (!fs.existsSync(manifestPath))
+            continue;
+        try {
+            const content = fs.readFileSync(manifestPath, "utf-8");
+            results.push({ path: manifestPath, content });
+        }
+        catch {
+            // Skip unreadable files; validation layer will not see them
+        }
+    }
+    return results;
+}

package/runtime/connectors/registry/trust-policy.d.ts

@@ -0,0 +1,13 @@
+import { type ConnectorManifestV6, type ConnectorTrustStatus } from "../manifest/manifest-schema.js";
+/**
+ * Classify manifest runner into trust status per v6 trust decision tree.
+ * declarative_http/a2a/mcp -> declarative_trusted
+ * cli_descriptor -> declarative_trusted (P0 conditional; dry-run/read path优先)
+ * custom_adapter/skill/browser -> custom_adapter_pending_trust
+ * explicit blocked/trusted_custom_adapter in manifest.trust respected.
+ */
+export declare function classifyTrust(manifest: ConnectorManifestV6): ConnectorTrustStatus;
+/**
+ * Determine whether a connector entry is executable based on trust status.
+ */
+export declare function isExecutable(trustStatus: ConnectorTrustStatus): boolean;

package/runtime/connectors/registry/trust-policy.js

@@ -0,0 +1,37 @@
+/**
+ * Classify manifest runner into trust status per v6 trust decision tree.
+ * declarative_http/a2a/mcp -> declarative_trusted
+ * cli_descriptor -> declarative_trusted (P0 conditional; dry-run/read path优先)
+ * custom_adapter/skill/browser -> custom_adapter_pending_trust
+ * explicit blocked/trusted_custom_adapter in manifest.trust respected.
+ */
+export function classifyTrust(manifest) {
+    if (manifest.trust?.status === "blocked") {
+        return "blocked";
+    }
+    if (manifest.trust?.status === "trusted_custom_adapter") {
+        return "trusted_custom_adapter";
+    }
+    const kind = manifest.runner.kind;
+    switch (kind) {
+        case "declarative_http":
+        case "declarative_a2a":
+        case "declarative_mcp":
+        case "cli_descriptor":
+            return "declarative_trusted";
+        case "custom_adapter":
+        case "skill":
+        case "browser":
+            return "custom_adapter_pending_trust";
+        default: {
+            // Exhaustive check; unknown runner kind is blocked for safety
+            return "blocked";
+        }
+    }
+}
+/**
+ * Determine whether a connector entry is executable based on trust status.
+ */
+export function isExecutable(trustStatus) {
+    return trustStatus === "declarative_trusted" || trustStatus === "trusted_custom_adapter";
+}

package/runtime/core/second-nature/heartbeat/heartbeat-loop.d.ts

@@ -20,6 +20,7 @@ import type { GuidanceDraftPort } from "../../../guidance/outreach-draft-schema.
 import type { StateDatabase } from "../../../storage/db/index.js";
 import { type OpenClawDeliveryPort } from "../outreach/dispatch-user-outreach.js";
 import type { ConnectorExecutor } from "../../../connectors/base/contract.js";
+import type { NarrativeStateStore } from "../../../storage/narrative/narrative-state-store.js";
 export interface HeartbeatDecisionTracePayload {
     scope: RuntimeScope;
     status: HeartbeatCycleStatus;
@@ -58,6 +59,8 @@ export interface HeartbeatDeps {
      * through the connector-system instead of returning connector_dispatch_unwired.
      */
     connectorExecutor?: ConnectorExecutor;
+    /** T2.1.5: when present, heartbeat writes a source-backed NarrativeState revision after each cycle. */
+    narrativeStateStore?: NarrativeStateStore;
 }
 /**
  * Ingest a heartbeat rhythm signal and drive one full decision round.

package/runtime/core/second-nature/heartbeat/heartbeat-loop.js

@@ -1,11 +1,13 @@
 import { buildContinuitySnapshot, } from "./snapshot-builder.js";
 import { buildHeartbeatRuntimeSnapshot, } from "./runtime-snapshot.js";
 import { planCandidateIntents } from "../orchestrator/intent-planner.js";
+import { applyGoalPriority } from "../orchestrator/goal-priority.js";
 import { evaluateHardGuards } from "../orchestrator/guard-layer.js";
 import { dispatchUserOutreachIntent, } from "../outreach/dispatch-user-outreach.js";
 import { buildJudgeOutreachInputFromSnapshot } from "../outreach/judge-input-from-snapshot.js";
 import { runSourceBackedQuiet } from "../quiet/run-source-backed-quiet.js";
 import { toCapabilityIntent } from "../orchestrator/effect-dispatcher.js";
+import { updateNarrativeAfterEffect } from "../orchestrator/narrative-update.js";
 /**
  * Resolves the heartbeat outcome for a guard-allowed intent (outreach dispatch, quiet orchestration, or default).
  * Exported for unit tests (CR-M1 wiring).
@@ -83,6 +85,49 @@ export async function resolveAllowedIntentResult(intent, runtime, inputs, signal
         reasons,
     };
 }
+/**
+ * T2.1.5: after the cycle result is known, write a narrative revision when
+ * a NarrativeStateStore is wired. Errors are swallowed so the cycle result
+ * is never blocked by a store failure. Store failures are optionally traced
+ * via recordDecisionTrace so operators can monitor store health.
+ */
+async function maybeUpdateNarrativeState(result, selectedIntent, runtime, store, recordTrace, signal) {
+    if (!store)
+        return;
+    try {
+        const prior = await store.loadNarrativeState();
+        const update = updateNarrativeAfterEffect({
+            result,
+            selectedIntent,
+            lifeEvidence: runtime.lifeEvidence,
+            priorNarrative: prior,
+        });
+        await store.updateNarrativeState(update);
+    }
+    catch {
+        // degrade silently; narrative update is best-effort
+        if (recordTrace && signal) {
+            try {
+                await recordTrace({
+                    scope: result.scope,
+                    status: result.status,
+                    reasons: ["narrative_update_failed"],
+                    selectedIntentId: selectedIntent?.id,
+                    rhythmWindowId: runtime.rhythmWindow.windowId,
+                    allowedIntentKinds: [...runtime.rhythmWindow.allowedIntentKinds],
+                    candidateCount: 0,
+                    lifeEvidenceEmpty: runtime.lifeEvidence.evidenceRefs.length === 0 &&
+                        runtime.lifeEvidence.platformEventCount === 0 &&
+                        runtime.lifeEvidence.workEventCount === 0,
+                    trigger: signal.trigger,
+                });
+            }
+            catch {
+                // trace emission must also not block the cycle
+            }
+        }
+    }
+}
 /**
  * Ingest a heartbeat rhythm signal and drive one full decision round.
  */
@@ -91,7 +136,8 @@ export async function ingestRhythmSignal(signal, deps) {
     const snapshot = buildContinuitySnapshot(inputs);
     const timestamp = signal.payload.timestamp;
     const runtime = buildHeartbeatRuntimeSnapshot(timestamp, inputs, snapshot);
-    const candidates = planCandidateIntents(runtime);
+    const rawCandidates = planCandidateIntents(runtime);
+    const { candidates } = applyGoalPriority(rawCandidates, inputs.acceptedGoals);
     const emitTrace = async (result) => {
         if (!deps.recordDecisionTrace)
             return;
@@ -132,6 +178,7 @@ export async function ingestRhythmSignal(signal, deps) {
                 ? { ...resolved, reasons: evaluation.reasons }
                 : resolved;
             await emitTrace(result);
+            await maybeUpdateNarrativeState(result, intent, runtime, deps.narrativeStateStore, deps.recordDecisionTrace, signal);
             return result;
         }
         if (evaluation.verdict === "defer") {
@@ -149,6 +196,7 @@ export async function ingestRhythmSignal(signal, deps) {
             reasons: ["silent_no_candidates"],
         };
         await emitTrace(result);
+        await maybeUpdateNarrativeState(result, undefined, runtime, deps.narrativeStateStore, deps.recordDecisionTrace, signal);
         return result;
     }
     if (!anyAllow && anyDefer && !anyDeny) {
@@ -158,6 +206,7 @@ export async function ingestRhythmSignal(signal, deps) {
             reasons: denyReasons.length > 0 ? denyReasons : ["all_candidates_deferred"],
         };
         await emitTrace(result);
+        await maybeUpdateNarrativeState(result, undefined, runtime, deps.narrativeStateStore, deps.recordDecisionTrace, signal);
         return result;
     }
     if (!anyAllow && denyReasons.length > 0) {
@@ -167,6 +216,7 @@ export async function ingestRhythmSignal(signal, deps) {
             reasons: denyReasons,
         };
         await emitTrace(result);
+        await maybeUpdateNarrativeState(result, undefined, runtime, deps.narrativeStateStore, deps.recordDecisionTrace, signal);
         return result;
     }
     const result = {
@@ -175,6 +225,7 @@ export async function ingestRhythmSignal(signal, deps) {
         reasons: ["no_allow_verdict"],
     };
     await emitTrace(result);
+    await maybeUpdateNarrativeState(result, undefined, runtime, deps.narrativeStateStore, deps.recordDecisionTrace, signal);
     return result;
 }
 /**

package/runtime/core/second-nature/heartbeat/snapshot-builder.d.ts

@@ -10,6 +10,7 @@ import type { ContinuitySnapshot, ControlPlaneSourceRef, TopLevelMode } from "..
 import type { RhythmPolicy } from "../rhythm/rhythm-policy.js";
 import type { DeliveryCapabilitySnapshot } from "../outreach/delivery-target.js";
 import type { UserInterestSnapshot } from "../../../storage/user-interest/types.js";
+import type { AgentGoal } from "../../../storage/goal/agent-goal-store.js";
 export interface SnapshotInputs {
     mode: TopLevelMode;
     currentWindowId: string;
@@ -41,6 +42,8 @@ export interface SnapshotInputs {
     deliveryCapability?: DeliveryCapabilitySnapshot;
     /** When present, outreach judgment uses this user-interest read model (T4.2.2). */
     userInterestSnapshot?: UserInterestSnapshot;
+    /** T2.1.4: accepted goals to influence candidate intent priority. */
+    acceptedGoals?: AgentGoal[];
 }
 /**
  * Build a ContinuitySnapshot from loaded inputs.

package/runtime/core/second-nature/orchestrator/goal-priority.d.ts

@@ -0,0 +1,19 @@
+/**
+ * T2.1.4 — Goal-Directed Intent Priority.
+ *
+ * `applyGoalPriority` adjusts candidate intent priorities based on accepted AgentGoals.
+ * Priority order: user_task > accepted_goal > rhythm.
+ * Only goals with status === "accepted" and origin !== "agent_proposed" are considered.
+ * All other statuses (proposal / rejected / completed / paused) are implicitly excluded.
+ */
+import type { CandidateIntent } from "../types.js";
+import type { AgentGoal } from "../../../storage/goal/agent-goal-store.js";
+export interface ApplyGoalPriorityResult {
+    candidates: CandidateIntent[];
+    goalInfluences: Array<{
+        candidateId: string;
+        goalIds: string[];
+        boost: number;
+    }>;
+}
+export declare function applyGoalPriority(candidates: CandidateIntent[], goals: AgentGoal[] | undefined): ApplyGoalPriorityResult;