@haaaiawd/second-nature 0.2.6 → 0.2.8

package/index.js

@@ -108,6 +108,8 @@ const WORKSPACE_BRIDGE_COMMANDS = new Set([
     "connector_test",
     "connector_behavior_add",
     "cycle:recent",
+    // v8 ops surface (T-ROS.C.1): causal loop health must be reachable from Claw.
+    "loop_status",
     // v7 ops surface (T-ROS.C.1 / T-ROS.C.2 / T-ROS.C.3 / T-V7C.C.5): self_health, tool_affordance,
     // heartbeat_digest, snapshot:capture, narrative:diff, timeline, restore, runtime_secret_bootstrap,
     // connector:run, guidance_payload
@@ -877,6 +879,11 @@ function createHostSafeRouter(spine) {
             description: "Show recent cycle summary (workspace runtime required)",
             execute: async () => createUnavailableActionError("HOST_SAFE_CYCLE_RECENT_UNAVAILABLE", "Cycle recent read requires workspace observability database; host-safe plugin does not load persisted audit events.", [], "run_workspace_second_nature_cli_or_full_runtime_package"),
         },
+        {
+            name: "loop_status",
+            description: "Show v8 causal loop health (workspace runtime required)",
+            execute: async () => createUnavailableActionError("HOST_SAFE_LOOP_STATUS_UNAVAILABLE", "loop_status requires workspace state database; provide workspaceRoot so the full workspace bridge can read persisted v8 loop state.", ["workspaceRoot"], "reinvoke_with_workspaceRoot_or_set_SECOND_NATURE_WORKSPACE_ROOT"),
+        },
     ];
     return {
         commands,
@@ -1088,6 +1095,8 @@ function parseCommandInput(rawArgs) {
                 command,
                 input: rest[0] ? { limit: Number(rest[0]) } : undefined,
             };
+        case "loop_status":
+            return { ok: true, command, input: undefined };
         // v7 ops surface (T-ROS.C.2)
         case "self_health":
             return { ok: true, command, input: undefined };

package/openclaw.plugin.json

@@ -1,8 +1,8 @@
 {
   "id": "second-nature",
   "name": "Second Nature",
-  "version": "0.2.6",
-  "description": "OpenClaw native plugin with synchronous surface registration and bundled runtime spine. Set SECOND_NATURE_WORKSPACE_ROOT or tool workspaceRoot to the same path as the agent workspace. Agent inner guide is packaged as agent-inner-guide.md. v7 ops surface: self_health, tool_affordance, heartbeat_digest, snapshot:capture, narrative:diff, timeline, restore, runtime_secret_bootstrap, connector:run, guidance_payload.",
+  "version": "0.2.8",
+  "description": "OpenClaw native plugin with synchronous surface registration and bundled runtime spine. Set SECOND_NATURE_WORKSPACE_ROOT or tool workspaceRoot to the same path as the agent workspace. Agent inner guide is packaged as agent-inner-guide.md. Ops surface: loop_status, self_health, tool_affordance, heartbeat_digest, snapshot:capture, narrative:diff, timeline, restore, runtime_secret_bootstrap, connector:run, guidance_payload.",
   "activation": {
     "onStartup": true,
     "onCapabilities": [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@haaaiawd/second-nature",
-  "version": "0.2.6",
+  "version": "0.2.8",
   "description": "OpenClaw native plugin with synchronous registration, a packaged runtime artifact, and operator-facing status/explain flows.",
   "keywords": [
     "openclaw",

package/runtime/cli/commands/index.js

@@ -449,6 +449,15 @@ export function createCliCommands(deps) {
                 return surface;
             },
         },
+        {
+            name: "connector_status",
+            description: "T1.2.5 — show connector inventory status, trust, and health conflicts",
+            execute: async (input) => {
+                const surface = await Promise.resolve(opsRouter.dispatch("connector_status", input));
+                flush();
+                return surface;
+            },
+        },
         opsCommand("connector:run", "T-ROS.C.3 — manually execute a connector capability outside heartbeat cadence"),
         opsCommand("loop_status", "T-ROS.C.1 — show v8 causal loop health: stalled stage, next action, and stage summaries"),
         opsCommand("self_health", "T-ROS.C.1 — show v7 self-health snapshot and degraded dimensions"),

package/runtime/cli/ops/heartbeat-surface.js

@@ -112,6 +112,7 @@ export async function heartbeatCheck(input) {
                 else {
                     const spine = v8Result;
                     surfaceResult.v8Spine = spine;
+                    surfaceResult.livedExperienceLoopClaimed = Boolean(spine.cycleId && (spine.closureRef || spine.noActionReason));
                     surfaceResult.reasons = [
                         ...surfaceResult.reasons,
                         `v8_spine_cycle:${spine.cycleId}`,

package/runtime/connectors/base/normalized-evidence-content.d.ts

@@ -0,0 +1,71 @@
+/**
+ * NormalizedEvidenceContent — Cross-platform content-bearing evidence envelope.
+ *
+ * Core logic: Map arbitrary connector read payloads into a stable, source-backed
+ * summary structure that perception, Quiet, and Dream can consume. This is a
+ * schema boundary, not a judgment layer.
+ *
+ * Design authority:
+ * - `.anws/v8/04_SYSTEM_DESIGN/connector-system.md`
+ * - `.anws/v8/04_SYSTEM_DESIGN/perception-judgment-system.md`
+ *
+ * Dependencies:
+ * - none (pure extraction)
+ *
+ * Boundary:
+ * - Does not classify sensitivity.
+ * - Does not redact; callers run redaction separately.
+ * - Does not persist; callers write EvidenceItem.
+ * - Preserves raw values in canonicalText/excerpt so downstream can decide what to keep.
+ *
+ * Test coverage: tests/unit/connectors/normalized-evidence-content.test.ts
+ */
+export declare const NORMALIZED_EVIDENCE_SCHEMA_VERSION = 1;
+export type EvidenceSourceKind = "post" | "comment" | "profile" | "task" | "event" | "game_state" | "notification" | "document" | "unknown";
+export type SummaryProducer = "connector_rules" | "model_assist" | "operator_supplied";
+export interface EvidenceActor {
+    id?: string;
+    displayName?: string;
+    role?: string;
+}
+export interface NormalizedEvidenceContent {
+    schemaVersion: typeof NORMALIZED_EVIDENCE_SCHEMA_VERSION;
+    sourceKind: EvidenceSourceKind;
+    platformId: string;
+    capabilityId: string;
+    externalId?: string;
+    title?: string;
+    summary: string;
+    excerpt?: string;
+    canonicalText?: string;
+    actor?: EvidenceActor;
+    url?: string;
+    occurredAt?: string;
+    observedAt: string;
+    tags?: string[];
+    entities?: string[];
+    metrics?: Record<string, number | string | boolean>;
+    rawContentRef?: string;
+    summaryProducer: SummaryProducer;
+}
+export interface ExtractEvidenceOptions {
+    platformId: string;
+    capabilityId: string;
+    observedAt?: string;
+    summaryProducer?: SummaryProducer;
+    /** Max characters for excerpt. Default 240. */
+    excerptMaxChars?: number;
+    /** Max characters for canonicalText. Default 2000. */
+    canonicalTextMaxChars?: number;
+}
+/**
+ * Extract a list of content-bearing evidence items from a connector success payload.
+ * Returns empty array when data is not an object/array or contains no extractable items.
+ */
+export declare function extractNormalizedEvidenceItems(data: unknown, options: ExtractEvidenceOptions): NormalizedEvidenceContent[];
+/**
+ * Compute a stable content hash for deduplication across connector runs.
+ * Prefer externalId-based identity; this hash is the fallback.
+ */
+export declare function computeEvidenceContentHash(content: NormalizedEvidenceContent): string;
+export declare function computeEvidenceContentHashSync(content: NormalizedEvidenceContent): string;

package/runtime/connectors/base/normalized-evidence-content.js

@@ -0,0 +1,273 @@
+/**
+ * NormalizedEvidenceContent — Cross-platform content-bearing evidence envelope.
+ *
+ * Core logic: Map arbitrary connector read payloads into a stable, source-backed
+ * summary structure that perception, Quiet, and Dream can consume. This is a
+ * schema boundary, not a judgment layer.
+ *
+ * Design authority:
+ * - `.anws/v8/04_SYSTEM_DESIGN/connector-system.md`
+ * - `.anws/v8/04_SYSTEM_DESIGN/perception-judgment-system.md`
+ *
+ * Dependencies:
+ * - none (pure extraction)
+ *
+ * Boundary:
+ * - Does not classify sensitivity.
+ * - Does not redact; callers run redaction separately.
+ * - Does not persist; callers write EvidenceItem.
+ * - Preserves raw values in canonicalText/excerpt so downstream can decide what to keep.
+ *
+ * Test coverage: tests/unit/connectors/normalized-evidence-content.test.ts
+ */
+export const NORMALIZED_EVIDENCE_SCHEMA_VERSION = 1;
+// ───────────────────────────────────────────────────────────────
+// String helpers
+// ───────────────────────────────────────────────────────────────
+function isNonEmptyString(value) {
+    return typeof value === "string" && value.trim().length > 0;
+}
+function firstNonEmptyString(values) {
+    for (const v of values) {
+        if (isNonEmptyString(v))
+            return v.trim();
+    }
+    return undefined;
+}
+function truncate(text, maxChars) {
+    if (text.length <= maxChars)
+        return text;
+    return `${text.slice(0, maxChars)}…`;
+}
+function toStringArray(value) {
+    if (!Array.isArray(value))
+        return [];
+    return value
+        .map((item) => (typeof item === "string" ? item.trim() : String(item ?? "").trim()))
+        .filter((item) => item.length > 0);
+}
+function normalizeDate(value) {
+    if (typeof value !== "string" || value.trim().length === 0)
+        return undefined;
+    const parsed = Date.parse(value);
+    if (Number.isNaN(parsed))
+        return undefined;
+    return new Date(parsed).toISOString();
+}
+// ───────────────────────────────────────────────────────────────
+// Object traversal helpers
+// ───────────────────────────────────────────────────────────────
+function isRecord(value) {
+    return value !== null && typeof value === "object" && !Array.isArray(value);
+}
+function findFirstValue(obj, keys) {
+    if (!isRecord(obj))
+        return undefined;
+    for (const key of keys) {
+        if (key in obj)
+            return obj[key];
+    }
+    return undefined;
+}
+function findDeepValue(obj, keys) {
+    const queue = [obj];
+    while (queue.length > 0) {
+        const current = queue.shift();
+        if (isRecord(current)) {
+            const found = findFirstValue(current, keys);
+            if (found !== undefined)
+                return found;
+            for (const v of Object.values(current)) {
+                queue.push(v);
+            }
+        }
+        else if (Array.isArray(current)) {
+            for (const v of current) {
+                queue.push(v);
+            }
+        }
+    }
+    return undefined;
+}
+// ───────────────────────────────────────────────────────────────
+// Source kind inference
+// ───────────────────────────────────────────────────────────────
+function inferSourceKind(item) {
+    const typeHint = String(findFirstValue(item, ["type", "kind", "sourceKind", "object", "category"]) ?? "").toLowerCase();
+    if (typeHint.includes("post"))
+        return "post";
+    if (typeHint.includes("comment") || typeHint.includes("reply"))
+        return "comment";
+    if (typeHint.includes("profile") || typeHint.includes("user") || typeHint.includes("author"))
+        return "profile";
+    if (typeHint.includes("task") || typeHint.includes("issue") || typeHint.includes("todo"))
+        return "task";
+    if (typeHint.includes("event") || typeHint.includes("activity"))
+        return "event";
+    if (typeHint.includes("game") || typeHint.includes("match") || typeHint.includes("score"))
+        return "game_state";
+    if (typeHint.includes("notification") || typeHint.includes("alert"))
+        return "notification";
+    if (typeHint.includes("document") || typeHint.includes("article") || typeHint.includes("page"))
+        return "document";
+    return "unknown";
+}
+// ───────────────────────────────────────────────────────────────
+// Field extraction
+// ───────────────────────────────────────────────────────────────
+function extractId(item) {
+    const id = findFirstValue(item, ["id", "externalId", "postId", "taskId", "eventId"]);
+    if (id === undefined || id === null)
+        return undefined;
+    return String(id).trim();
+}
+function extractTitle(item) {
+    return firstNonEmptyString([
+        findFirstValue(item, ["title", "subject", "heading", "name", "displayName"]),
+    ]);
+}
+function extractBodyText(item) {
+    return firstNonEmptyString([
+        findFirstValue(item, ["content", "body", "text", "description", "message", "snippet", "summary"]),
+    ]);
+}
+function extractUrl(item) {
+    const url = findFirstValue(item, ["url", "link", "permalink", "href", "webUrl"]);
+    if (!isNonEmptyString(url))
+        return undefined;
+    try {
+        new URL(url);
+        return url;
+    }
+    catch {
+        return undefined;
+    }
+}
+function extractActor(item) {
+    const author = findFirstValue(item, ["author", "creator", "user", "actor", "from"]);
+    if (!isRecord(author) && !isNonEmptyString(author))
+        return undefined;
+    if (isNonEmptyString(author)) {
+        return { displayName: author };
+    }
+    const displayName = firstNonEmptyString([
+        findFirstValue(author, ["displayName", "name", "username", "handle", "login"]),
+    ]);
+    const id = firstNonEmptyString([findFirstValue(author, ["id", "userId", "accountId"])]);
+    const role = firstNonEmptyString([findFirstValue(author, ["role", "type"])]);
+    if (!displayName && !id)
+        return undefined;
+    return { displayName, id, role };
+}
+function extractOccurredAt(item) {
+    return normalizeDate(findFirstValue(item, ["createdAt", "publishedAt", "occurredAt", "timestamp", "date", "time"]));
+}
+function extractTags(item) {
+    const tags = findFirstValue(item, ["tags", "labels", "categories", "topics"]);
+    return toStringArray(tags);
+}
+function extractEntities(item) {
+    const entities = findFirstValue(item, ["entities", "mentions", "hashtags", "keywords"]);
+    return toStringArray(entities);
+}
+function extractMetrics(item) {
+    const metrics = findFirstValue(item, ["metrics", "stats", "counts", "engagement"]);
+    if (!isRecord(metrics))
+        return undefined;
+    const out = {};
+    for (const [k, v] of Object.entries(metrics)) {
+        if (typeof v === "number" || typeof v === "string" || typeof v === "boolean") {
+            out[k] = v;
+        }
+    }
+    return Object.keys(out).length > 0 ? out : undefined;
+}
+// ───────────────────────────────────────────────────────────────
+// Item extraction from connector payload
+// ───────────────────────────────────────────────────────────────
+function extractItems(data) {
+    if (Array.isArray(data))
+        return data;
+    if (!isRecord(data))
+        return [];
+    for (const key of ["items", "data", "results", "posts", "nodes", "agents", "edges", "entries", "feed"]) {
+        const candidate = data[key];
+        if (Array.isArray(candidate))
+            return candidate;
+    }
+    // If the payload itself looks like a single item, treat it as one-item array.
+    if ("id" in data || "title" in data || "content" in data)
+        return [data];
+    return [];
+}
+function normalizeSingleItem(item, options) {
+    if (!isRecord(item))
+        return null;
+    const sourceKind = inferSourceKind(item);
+    const externalId = extractId(item);
+    const title = extractTitle(item);
+    const bodyText = extractBodyText(item);
+    const url = extractUrl(item);
+    const actor = extractActor(item);
+    const occurredAt = extractOccurredAt(item);
+    const tags = extractTags(item);
+    const entities = extractEntities(item);
+    const metrics = extractMetrics(item);
+    const rawText = bodyText ?? title ?? "[no readable content]";
+    const summary = truncate(rawText, 160);
+    const excerpt = rawText.length > summary.length ? truncate(rawText, options.excerptMaxChars ?? 240) : undefined;
+    const canonicalText = truncate(rawText, options.canonicalTextMaxChars ?? 2000);
+    return {
+        schemaVersion: NORMALIZED_EVIDENCE_SCHEMA_VERSION,
+        sourceKind,
+        platformId: options.platformId,
+        capabilityId: options.capabilityId,
+        externalId,
+        title,
+        summary,
+        excerpt,
+        canonicalText,
+        actor,
+        url,
+        occurredAt,
+        observedAt: options.observedAt ?? new Date().toISOString(),
+        tags,
+        entities,
+        metrics,
+        summaryProducer: options.summaryProducer ?? "connector_rules",
+    };
+}
+/**
+ * Extract a list of content-bearing evidence items from a connector success payload.
+ * Returns empty array when data is not an object/array or contains no extractable items.
+ */
+export function extractNormalizedEvidenceItems(data, options) {
+    const items = extractItems(data);
+    const out = [];
+    for (const item of items) {
+        const normalized = normalizeSingleItem(item, options);
+        if (normalized)
+            out.push(normalized);
+    }
+    return out;
+}
+/**
+ * Compute a stable content hash for deduplication across connector runs.
+ * Prefer externalId-based identity; this hash is the fallback.
+ */
+export function computeEvidenceContentHash(content) {
+    return computeEvidenceContentHashSync(content);
+}
+import * as crypto from "node:crypto";
+export function computeEvidenceContentHashSync(content) {
+    const canonical = [
+        content.platformId,
+        content.capabilityId,
+        content.externalId ?? "",
+        content.title ?? "",
+        content.summary,
+        content.excerpt ?? "",
+        content.canonicalText ?? "",
+    ].join("\u0000");
+    return crypto.createHash("sha256").update(canonical).digest("hex").slice(0, 16);
+}

package/runtime/connectors/evidence-normalizer.d.ts

@@ -11,12 +11,12 @@
  *
  * Dependencies:
  * - `src/shared/types/v8-contracts.js` (SourceRef, V8ReasonCode)
- * - `src/storage/v8-state-stores.js` (writeEvidenceItem)
+ * - `src/storage/v8-state-stores.js` (writeEvidenceItem, readEvidenceItemById)
  *
  * Boundary:
  * - Does not judge evidence importance.
  * - Does not fabricate evidence on empty or failed connector results.
- * - Deduplicates by content hash within a single normalization run.
+ * - Deduplicates by externalId first, then content hash, across runs.
  *
  * Test coverage: tests/unit/connectors/evidence-normalizer.test.ts
  */
@@ -26,7 +26,8 @@ export interface ConnectorReadResult {
     status: "success" | "failed" | "unavailable" | "timeout";
     platformId: string;
     capabilityId: string;
-    items: ConnectorReadItem[];
+    data?: unknown;
+    items?: ConnectorReadItem[];
     observedAt?: string;
     failureReason?: V8ReasonCode;
 }

package/runtime/connectors/evidence-normalizer.js

@@ -11,21 +11,24 @@
  *
  * Dependencies:
  * - `src/shared/types/v8-contracts.js` (SourceRef, V8ReasonCode)
- * - `src/storage/v8-state-stores.js` (writeEvidenceItem)
+ * - `src/storage/v8-state-stores.js` (writeEvidenceItem, readEvidenceItemById)
  *
  * Boundary:
  * - Does not judge evidence importance.
  * - Does not fabricate evidence on empty or failed connector results.
- * - Deduplicates by content hash within a single normalization run.
+ * - Deduplicates by externalId first, then content hash, across runs.
  *
  * Test coverage: tests/unit/connectors/evidence-normalizer.test.ts
  */
 import * as crypto from "node:crypto";
-import { writeEvidenceItem } from "../storage/v8-state-stores.js";
+import { eq } from "drizzle-orm";
+import { evidenceItem } from "../storage/db/schema/v8-entities.js";
+import { writeEvidenceItem, readEvidenceItemById } from "../storage/v8-state-stores.js";
+import { extractNormalizedEvidenceItems, computeEvidenceContentHashSync, } from "./base/normalized-evidence-content.js";
 // ───────────────────────────────────────────────────────────────
 // Helpers
 // ───────────────────────────────────────────────────────────────
-function computeContentHash(content) {
+function computeLegacyContentHash(content) {
     return crypto.createHash("sha256").update(content).digest("hex").slice(0, 16);
 }
 function buildSourceRef(platformId, capabilityId, itemId, observedAt) {
@@ -37,18 +40,43 @@ function buildSourceRef(platformId, capabilityId, itemId, observedAt) {
         resolveStatus: "resolvable",
     };
 }
-function inferSensitivityHint(item) {
-    if (item.sensitivityHint)
-        return item.sensitivityHint;
-    const content = item.content;
-    if (/token|secret|password|key|credential/i.test(content)) {
-        if (/\b[a-zA-Z0-9_]+\s*[:=]\s*['"][a-zA-Z0-9+/=]{20,}['"]/.test(content)) {
-            return "sensitive";
-        }
-        return "public_technical";
+const SECRET_KEYWORD_RE = /\b(?:api[-_]?key|auth[-_]?token|access[-_]?token|secret|password|credential|private[-_]?key)\b/i;
+const SECRET_VALUE_RE = /\b[a-zA-Z0-9_]+\s*[:=]\s*["']([^"'\s]{20,})["']/;
+function inferSensitivityHint(content) {
+    // Only flag sensitive when a secret keyword is paired with a value-like shape.
+    // Broad keyword matches alone are not enough to classify public_technical.
+    if (SECRET_KEYWORD_RE.test(content) && SECRET_VALUE_RE.test(content)) {
+        return "sensitive";
     }
     return "public_general";
 }
+function mergeSensitivityHint(fromContent, explicit) {
+    if (explicit === "sensitive" || fromContent === "sensitive")
+        return "sensitive";
+    if (explicit === "private_context" || fromContent === "private_context")
+        return "private_context";
+    if (explicit === "public_technical" || fromContent === "public_technical")
+        return "public_technical";
+    return explicit ?? fromContent;
+}
+function stableEvidenceId(platformId, capabilityId, externalId, contentHash) {
+    const key = externalId ?? contentHash;
+    return `ev_${platformId}_${capabilityId}_${key}`;
+}
+async function findExistingEvidenceByExternalId(db, id) {
+    const result = await readEvidenceItemById(db, id);
+    if ("row" in result && result.row) {
+        return {
+            id: result.row.id,
+            observedAt: result.row.observedAt,
+            payloadJson: result.row.payloadJson ?? null,
+        };
+    }
+    return undefined;
+}
+function buildPayloadJson(content) {
+    return JSON.stringify(content);
+}
 // ───────────────────────────────────────────────────────────────
 // Public API
 // ───────────────────────────────────────────────────────────────
@@ -60,31 +88,109 @@ export async function normalizeConnectorEvidence(db, result, now = new Date().to
             emptyReason: "ingestion_connector_failed",
         };
     }
+    // Extract content-bearing items from payload
+    const observedAt = result.observedAt ?? now;
+    const normalizedItems = extractNormalizedEvidenceItems(result.data ?? result.items ?? [], {
+        platformId: result.platformId,
+        capabilityId: result.capabilityId,
+        observedAt,
+        summaryProducer: "connector_rules",
+    });
     // Empty result — no fabrication
-    if (!result.items || result.items.length === 0) {
+    if (normalizedItems.length === 0) {
+        // Legacy fallback: if caller passed flat items, still try to produce evidence.
+        return normalizeLegacyConnectorEvidence(db, result, now);
+    }
+    // Truncate if over 100 items
+    const items = normalizedItems.slice(0, 100);
+    const truncated = normalizedItems.length > 100;
+    const seenKeys = new Set();
+    const evidenceIds = [];
+    for (const content of items) {
+        const contentHash = computeEvidenceContentHashSync(content);
+        const key = `ev_${result.platformId}_${result.capabilityId}_${content.externalId ?? contentHash}`;
+        if (seenKeys.has(key))
+            continue;
+        seenKeys.add(key);
+        const evidenceId = stableEvidenceId(result.platformId, result.capabilityId, content.externalId, contentHash);
+        const existing = await findExistingEvidenceByExternalId(db, evidenceId);
+        const sourceRef = buildSourceRef(result.platformId, result.capabilityId, content.externalId ?? contentHash, observedAt);
+        const sensitivityHint = mergeSensitivityHint(inferSensitivityHint(content.summary), inferSensitivityHint(content.title ?? ""));
+        if (existing) {
+            // Idempotent update: refresh observedAt and seen count; do not duplicate.
+            try {
+                await db.db
+                    .update(evidenceItem)
+                    .set({
+                    observedAt,
+                    payloadJson: JSON.stringify({
+                        ...JSON.parse(existing.payloadJson ?? "{}"),
+                        lastObservedAt: observedAt,
+                        seenCount: (JSON.parse(existing.payloadJson ?? "{}").seenCount ?? 1) + 1,
+                    }),
+                })
+                    .where(eq(evidenceItem.id, existing.id));
+                evidenceIds.push(existing.id);
+                continue;
+            }
+            catch {
+                // Fall through to insert attempt if update fails.
+            }
+        }
+        const writeResult = await writeEvidenceItem(db, {
+            id: evidenceId,
+            createdAt: now,
+            platformId: result.platformId,
+            contentHash,
+            observedAt,
+            sensitivityHint,
+            sourceRefs: [sourceRef],
+            redactionClass: sensitivityHint === "sensitive" ? "blocked" : "none",
+            lifecycleStatus: "pending",
+            payloadJson: buildPayloadJson(content),
+        });
+        if ("id" in writeResult) {
+            evidenceIds.push(writeResult.id);
+        }
+        else {
+            // Degraded write — continue with remaining items, report degraded
+            return {
+                evidenceIds,
+                degraded: writeResult,
+            };
+        }
+    }
+    return {
+        evidenceIds,
+        emptyReason: truncated ? "evidence_batch_truncated" : undefined,
+    };
+}
+/**
+ * Legacy fallback for callers that still pass flat ConnectorReadItem[] without `data`.
+ * This preserves the previous behavior while allowing gradual migration to content-bearing payloads.
+ */
+async function normalizeLegacyConnectorEvidence(db, result, now) {
+    const items = result.items ?? [];
+    if (items.length === 0) {
         return {
             evidenceIds: [],
             emptyReason: "evidence_batch_empty",
         };
     }
-    // Truncate if over 100 items
-    const items = result.items.slice(0, 100);
-    const truncated = result.items.length > 100;
+    const truncated = items.length > 100;
     const seenHashes = new Set();
     const evidenceIds = [];
     for (const item of items) {
-        if (typeof item.content !== "string") {
+        if (typeof item.content !== "string")
             continue;
-        }
-        const contentHash = computeContentHash(item.content);
-        // Deduplicate by content hash
+        const contentHash = computeLegacyContentHash(item.content);
         if (seenHashes.has(contentHash))
             continue;
         seenHashes.add(contentHash);
         const itemId = item.id ?? `ev_${contentHash}`;
         const observedAt = result.observedAt ?? now;
         const sourceRef = buildSourceRef(result.platformId, result.capabilityId, itemId, observedAt);
-        const sensitivityHint = inferSensitivityHint(item);
+        const sensitivityHint = mergeSensitivityHint(inferSensitivityHint(item.content), item.sensitivityHint);
         const writeResult = await writeEvidenceItem(db, {
             id: `ev_${result.platformId}_${itemId}_${observedAt.replace(/[:.]/g, "")}`,
             createdAt: now,
@@ -101,7 +207,6 @@ export async function normalizeConnectorEvidence(db, result, now = new Date().to
             evidenceIds.push(writeResult.id);
         }
         else {
-            // Degraded write — continue with remaining items, report degraded
             return {
                 evidenceIds,
                 degraded: writeResult,