nexo-brain 7.30.28 → 7.30.30

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.30.28",
+  "version": "7.30.29",
   "description": "Local cognitive runtime for Claude Code \u2014 persistent memory, overnight learning, doctor diagnostics, personal scripts, recovery-aware jobs, startup preflight, and optional dashboard/power helper.",
   "author": {
     "name": "NEXO Brain",

package/bin/nexo-brain.js

@@ -3403,6 +3403,20 @@ async function runSetup() {
         if (fs.existsSync(rulesSrc)) {
           copyDirRec(rulesSrc, rulesDest);
           log("  Rules updated.");
+          const rulesSyncPython = findVenvPython(NEXO_HOME) || "python3";
+          const rulesSync = spawnSync(rulesSyncPython, [
+            "-c",
+            "import os,sys; sys.path.insert(0, os.environ['NEXO_CODE']); from plugins.core_rules import _sync_rules_from_json; print(_sync_rules_from_json().get('active_total', 0))"
+          ], {
+            cwd: srcDir,
+            env: { ...process.env, NEXO_HOME, NEXO_CODE: srcDir, PYTHONPATH: srcDir },
+            encoding: "utf8",
+            timeout: 30000,
+          });
+          if (rulesSync.status !== 0) {
+            throw new Error(`Core rules registry sync failed: ${rulesSync.stderr || rulesSync.stdout || "unknown error"}`);
+          }
+          log(`  Core rules registry synced (${String(rulesSync.stdout || "").trim() || "0"} active).`);
         }
 
         // Update crons (manifest.json + sync.py — needed by catchup & watchdog)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.30.28",
+  "version": "7.30.30",
   "mcpName": "io.github.wazionapps/nexo",
   "description": "NEXO Brain — Shared brain for AI agents. Persistent memory, semantic RAG, natural forgetting, metacognitive guard, trust scoring, 150+ MCP tools. Works with Claude Code, Codex, Claude Desktop & any MCP client. 100% local, free.",
   "homepage": "https://nexo-brain.com",

package/src/auto_update.py

@@ -2593,6 +2593,7 @@ def _run_db_migrations() -> bool:
         applied = run_migrations(conn)
         if applied > 0:
             _log(f"Applied {applied} DB migration(s)")
+        _sync_core_rules_registry()
         # Plan Consolidado F1 — one-shot legacy email config migration.
         # After m46 adds the table, operators installed pre-v6.4.0 still
         # keep their data inside ~/.nexo/nexo-email/config.json. If the
@@ -2620,6 +2621,21 @@ def _run_db_migrations() -> bool:
         return False
 
 
+def _sync_core_rules_registry() -> None:
+    """Keep packaged product-core rules installed in the Brain DB."""
+    try:
+        from plugins.core_rules import _sync_rules_from_json
+        result = _sync_rules_from_json()
+        if result.get("status") == "applied":
+            _log(
+                "Core rules registry synced: "
+                f"v{result.get('version_from')} -> v{result.get('version_to')} "
+                f"({result.get('active_total')} active)"
+            )
+    except Exception as exc:
+        raise RuntimeError(f"core rules registry sync failed: {exc}") from exc
+
+
 def _maybe_migrate_legacy_email_config() -> None:
     """F1 auto-migrator — idempotent. Runs the helper script the first
     time after v6.4.0 lands on an existing runtime."""

package/src/cli.py

@@ -1287,17 +1287,27 @@ def _agents_set_schedule(args):
 
     interval_seconds = None
     daily_at = None
+    schedule_freq = None
+    schedule_at = None
+    schedule_day = None
     if getattr(args, "every_minutes", None) is not None:
         interval_seconds = int(args.every_minutes) * 60
     elif getattr(args, "every_seconds", None) is not None:
         interval_seconds = int(args.every_seconds)
     elif getattr(args, "daily_at", None):
         daily_at = str(args.daily_at).strip()
+    elif getattr(args, "schedule_freq", None):
+        schedule_freq = str(args.schedule_freq).strip()
+        schedule_at = str(getattr(args, "schedule_at", "") or "").strip()
+        schedule_day = getattr(args, "schedule_day", None)
 
     result = set_agent_schedule(
         args.name,
         interval_seconds=interval_seconds,
         daily_at=daily_at,
+        schedule_freq=schedule_freq,
+        schedule_at=schedule_at,
+        schedule_day=schedule_day,
         clear=bool(getattr(args, "reset", False)),
     )
     if args.json:
@@ -4160,7 +4170,10 @@ def main():
     agents_schedule_group.add_argument("--every-minutes", type=int, help="Run the agent every N minutes")
     agents_schedule_group.add_argument("--every-seconds", type=int, help="Run the agent every N seconds")
     agents_schedule_group.add_argument("--daily-at", type=str, help="Run the agent every day at HH:MM or HH:MM:weekday")
+    agents_schedule_group.add_argument("--schedule-freq", choices=["daily", "weekly", "monthly", "every_n_days"], help="Run the agent on an anchored cadence")
     agents_schedule_group.add_argument("--reset", action="store_true", help="Clear the agent schedule")
+    agents_schedule_p.add_argument("--schedule-at", type=str, help="Anchored schedule time HH:MM")
+    agents_schedule_p.add_argument("--schedule-day", type=int, help="Weekday 0-6, month day 1-28, or every N days")
     agents_schedule_p.add_argument("--json", action="store_true", help="JSON output")
 
     agents_run_p = agents_sub.add_parser("run", help="Run an agent now")

package/src/db/_schema.py

@@ -288,7 +288,13 @@ def _m15_core_rules_tables(conn):
             type TEXT NOT NULL DEFAULT 'advisory',
             added_in TEXT DEFAULT '',
             removed_in TEXT DEFAULT NULL,
-            is_active INTEGER NOT NULL DEFAULT 1
+            is_active INTEGER NOT NULL DEFAULT 1,
+            source_artifact TEXT DEFAULT '',
+            source_anchor TEXT DEFAULT '',
+            content_hash TEXT DEFAULT '',
+            protected INTEGER NOT NULL DEFAULT 1,
+            severity TEXT DEFAULT 'critical',
+            replacement_rule_id TEXT DEFAULT NULL
         )
     """)
     conn.execute("""
@@ -3063,6 +3069,17 @@ def _m80_opportunity_orchestrator(conn):
     _migrate_add_index(conn, "idx_nexo_authorizations_scope", "nexo_action_authorizations", "scope, allowed_action_class")
 
 
+def _m81_core_rules_product_metadata(conn):
+    """Add product-core provenance and protection metadata to core_rules."""
+    _migrate_add_column(conn, "core_rules", "source_artifact", "TEXT DEFAULT ''")
+    _migrate_add_column(conn, "core_rules", "source_anchor", "TEXT DEFAULT ''")
+    _migrate_add_column(conn, "core_rules", "content_hash", "TEXT DEFAULT ''")
+    _migrate_add_column(conn, "core_rules", "protected", "INTEGER NOT NULL DEFAULT 1")
+    _migrate_add_column(conn, "core_rules", "severity", "TEXT DEFAULT 'critical'")
+    _migrate_add_column(conn, "core_rules", "replacement_rule_id", "TEXT DEFAULT NULL")
+    conn.execute("CREATE INDEX IF NOT EXISTS idx_core_rules_protected ON core_rules(protected, is_active)")
+
+
 MIGRATIONS = [
     (1, "learnings_columns", _m1_learnings_columns),
     (2, "followups_reasoning", _m2_followups_reasoning),
@@ -3144,6 +3161,7 @@ MIGRATIONS = [
     (78, "operational_closure_plane", _m78_operational_closure_plane),
     (79, "operational_closure_links_readiness", _m79_operational_closure_links_readiness),
     (80, "opportunity_orchestrator", _m80_opportunity_orchestrator),
+    (81, "core_rules_product_metadata", _m81_core_rules_product_metadata),
 ]
 
 

package/src/local_context/api.py

@@ -43,6 +43,8 @@ DEFAULT_MAX_JOB_ATTEMPTS = int(os.environ.get("NEXO_LOCAL_INDEX_MAX_JOB_ATTEMPTS
 DEFAULT_SQLITE_BUSY_RETRY_ATTEMPTS = int(os.environ.get("NEXO_LOCAL_CONTEXT_BUSY_RETRY_ATTEMPTS", "5") or "5")
 DEFAULT_SQLITE_BUSY_RETRY_DELAY_SECONDS = float(os.environ.get("NEXO_LOCAL_CONTEXT_BUSY_RETRY_DELAY_SECONDS", "0.35") or "0.35")
 DEFAULT_HYGIENE_QUICK_SCAN_LIMIT = int(os.environ.get("NEXO_LOCAL_INDEX_HYGIENE_QUICK_SCAN_LIMIT", "5000") or "5000")
+LOCAL_CONTEXT_DEFAULT_MAX_DB_BYTES = 60 * 1024 ** 3
+LOCAL_CONTEXT_DEFAULT_MIN_FREE_BYTES = 5 * 1024 ** 3
 INITIAL_INDEX_COMPLETE_KEY = "initial_index_complete"
 INITIAL_INDEX_STARTED_AT_KEY = "initial_index_started_at"
 PERFORMANCE_PROFILE_KEY = "performance_profile"
@@ -1845,6 +1847,73 @@ def _is_paused_conn(conn) -> bool:
     return _get_state_conn(conn, "paused", "0") == "1"
 
 
+def _local_context_storage_bytes(db_path: Path | None = None) -> int:
+    db = Path(db_path or local_context_db_path())
+    total = 0
+    for candidate in (db, Path(str(db) + "-wal"), Path(str(db) + "-shm")):
+        try:
+            total += int(candidate.stat().st_size)
+        except OSError:
+            pass
+    return total
+
+
+def _local_context_disk_budget() -> dict:
+    db_path = Path(local_context_db_path())
+    max_bytes = paths.parse_size_bytes(
+        os.environ.get("NEXO_LOCAL_CONTEXT_MAX_DB_BYTES"),
+        default=LOCAL_CONTEXT_DEFAULT_MAX_DB_BYTES,
+    )
+    min_free_bytes = paths.parse_size_bytes(
+        os.environ.get("NEXO_LOCAL_CONTEXT_MIN_FREE_BYTES"),
+        default=LOCAL_CONTEXT_DEFAULT_MIN_FREE_BYTES,
+    )
+    db_bytes = _local_context_storage_bytes(db_path)
+    try:
+        probe = db_path.parent if db_path.parent.exists() else paths.memory_dir()
+        free_bytes = int(shutil.disk_usage(str(probe)).free)
+    except Exception:
+        free_bytes = None
+
+    reason = ""
+    if max_bytes > 0 and db_bytes > max_bytes:
+        reason = "local_context_db_too_large"
+    elif min_free_bytes > 0 and free_bytes is not None and free_bytes < min_free_bytes:
+        reason = "disk_free_below_floor"
+    return {
+        "ok": not reason,
+        "paused": bool(reason),
+        "reason": reason,
+        "db_path": str(db_path),
+        "db_bytes": db_bytes,
+        "max_bytes": max_bytes,
+        "free_bytes": free_bytes,
+        "min_free_bytes": min_free_bytes,
+    }
+
+
+def enforce_local_context_disk_budget() -> dict:
+    budget = _local_context_disk_budget()
+    if budget["ok"]:
+        return budget
+    try:
+        _set_state("paused", "1")
+        _set_state("pause_reason", str(budget["reason"]))
+        log_event(
+            "warn",
+            "index_paused_disk_budget",
+            "Local memory indexing paused to protect disk space",
+            reason=budget["reason"],
+            db_bytes=budget["db_bytes"],
+            max_bytes=budget["max_bytes"],
+            free_bytes=budget["free_bytes"],
+            min_free_bytes=budget["min_free_bytes"],
+        )
+    except Exception as exc:
+        budget["pause_error"] = type(exc).__name__
+    return budget
+
+
 def _allow_explicit_blocked_root(path: str) -> bool:
     # Test and controlled diagnostics may explicitly index a temporary fixture
     # root while production root discovery still skips temp/system trees.
@@ -3332,6 +3401,33 @@ def run_once(
     live_dir_limit: int | None = None,
     live_file_limit: int | None = None,
 ) -> dict:
+    disk_budget = enforce_local_context_disk_budget()
+    if disk_budget.get("paused"):
+        config = performance_config()
+        return {
+            "ok": True,
+            "paused": True,
+            "disk_budget": disk_budget,
+            "initial_scan": {
+                "complete": False,
+                "mode": "paused",
+                "pending_roots": 0,
+                "total_roots": 0,
+                "checkpoint_count": 0,
+            },
+            "initial_index_complete": False,
+            "live": {"ok": True, "paused": True, "assets": {}, "dirs": {}},
+            "scan": {"ok": True, "paused": True, "roots": 0, "seen": 0, "changed": 0, "errors": 0, "partial": False},
+            "jobs": {"ok": True, "paused": True, "processed": 0, "failed": 0},
+            "performance": {
+                "profile": config["profile"],
+                "scan_limit": 0,
+                "process_limit": 0,
+                "live_asset_limit": 0,
+                "live_dir_limit": 0,
+                "live_file_limit": 0,
+            },
+        }
     if _get_state("privacy_hygiene_v2", "0") != "1":
         local_index_privacy_hygiene(fix=True)
         _set_state("privacy_hygiene_v2", "1")
@@ -3832,6 +3928,21 @@ def _status_from_conn(conn, *, readonly: bool = False) -> dict:
     service["state"] = "paused" if paused else ("attention" if problem else ("idle" if active_jobs == 0 and initial_index_complete else "indexing"))
     performance = performance_config(conn=conn)
     problems = _problem_rows(conn)
+    disk_budget = _local_context_disk_budget()
+    if not disk_budget["ok"]:
+        problems.insert(0, {
+            "user_message": "Local memory indexing is paused to protect disk space",
+            "message_key": "local_context.disk_budget.paused",
+            "recommended_action": "Review local memory size and free disk space",
+            "recommended_action_key": "local_context.disk_budget.review",
+            "technical_detail": json_dumps(disk_budget),
+            "support_code": "LOCAL_CONTEXT_DISK_BUDGET",
+            "severity": "warning",
+            "retryable": True,
+            "path": disk_budget["db_path"],
+            "phase": "storage",
+            "created_at": now(),
+        })
     if problem:
         problems.insert(0, {
             "user_message": problem["user_message"],
@@ -3881,6 +3992,7 @@ def _status_from_conn(conn, *, readonly: bool = False) -> dict:
             "performance_profile": performance["profile"],
         },
         "performance": performance,
+        "disk_budget": disk_budget,
         "initial_scan": initial_scan,
         "initial_index_complete": bool(initial_index_complete),
         "volumes": volumes,

package/src/paths.py

@@ -515,8 +515,8 @@ def aggressive_runtime_backup_prune(
 ) -> dict:
     """Escalate NEXO-owned backup pruning before any user-facing disk alert.
 
-    Escalation never targets protected business/hourly backup classes; the
-    pruner enforces that policy.
+    Escalation never targets protected business/weekly restore classes. Hourly
+    DB dumps are pruned only down to their configured restore floor.
     """
     root = Path(backups_root or backups_dir())
     floor = int(min_free_bytes if min_free_bytes is not None else backup_min_free_bytes())

package/src/plugins/core_rules.py

@@ -1,5 +1,6 @@
 """Core Rules plugin — query and manage versioned behavioral rules."""
 
+import hashlib
 import json
 import os
 
@@ -9,54 +10,167 @@ def _get_db():
     return get_db()
 
 
-def _seed_if_empty():
-    """Seed rules from JSON if table is empty (first run after migration)."""
-    import sys
-    conn = _get_db()
-    try:
-        count = conn.execute("SELECT COUNT(*) FROM core_rules WHERE is_active = 1").fetchone()[0]
-    except Exception:
-        # Table doesn't exist yet — create it
-        conn.execute("""CREATE TABLE IF NOT EXISTS core_rules (
-            id TEXT PRIMARY KEY, category TEXT NOT NULL, rule TEXT NOT NULL,
-            why TEXT NOT NULL, importance INTEGER NOT NULL DEFAULT 3,
-            type TEXT NOT NULL DEFAULT 'advisory', added_in TEXT DEFAULT '',
-            removed_in TEXT DEFAULT NULL, is_active INTEGER NOT NULL DEFAULT 1)""")
-        conn.execute("""CREATE TABLE IF NOT EXISTS core_rules_version (
-            id INTEGER PRIMARY KEY, version TEXT NOT NULL, updated_at TEXT NOT NULL)""")
-        conn.execute("INSERT OR IGNORE INTO core_rules_version (id, version, updated_at) VALUES (1, '0.0.0', datetime('now'))")
-        conn.commit()
-        count = 0
-    if count > 0:
-        return
+def _rules_file_path() -> str:
+    return os.path.join(
+        os.path.dirname(os.path.dirname(os.path.abspath(__file__))),
+        "rules",
+        "core-rules.json",
+    )
 
-    rules_file = os.path.join(os.path.dirname(os.path.dirname(os.path.abspath(__file__))),
-                              "rules", "core-rules.json")
-    if not os.path.exists(rules_file):
-        print(f"[core_rules] WARNING: {rules_file} not found, skipping seed", file=sys.stderr)
-        return
 
+def _load_rules_data() -> dict:
+    with open(_rules_file_path()) as f:
+        return json.load(f)
+
+
+def _rule_hash(rule: dict, category: str) -> str:
+    payload = {
+        "category": category,
+        "id": rule.get("id", ""),
+        "rule": rule.get("rule", ""),
+        "why": rule.get("why", ""),
+        "importance": rule.get("importance", 0),
+        "type": rule.get("type", ""),
+        "source_artifact": rule.get("source_artifact", ""),
+        "source_anchor": rule.get("source_anchor", ""),
+    }
+    raw = json.dumps(payload, sort_keys=True, ensure_ascii=False, separators=(",", ":"))
+    return hashlib.sha256(raw.encode("utf-8")).hexdigest()
+
+
+def _ensure_schema(conn):
+    conn.execute("""CREATE TABLE IF NOT EXISTS core_rules (
+        id TEXT PRIMARY KEY, category TEXT NOT NULL, rule TEXT NOT NULL,
+        why TEXT NOT NULL, importance INTEGER NOT NULL DEFAULT 3,
+        type TEXT NOT NULL DEFAULT 'advisory', added_in TEXT DEFAULT '',
+        removed_in TEXT DEFAULT NULL, is_active INTEGER NOT NULL DEFAULT 1,
+        source_artifact TEXT DEFAULT '', source_anchor TEXT DEFAULT '',
+        content_hash TEXT DEFAULT '', protected INTEGER NOT NULL DEFAULT 1,
+        severity TEXT DEFAULT 'critical', replacement_rule_id TEXT DEFAULT NULL)""")
+    conn.execute("""CREATE TABLE IF NOT EXISTS core_rules_version (
+        id INTEGER PRIMARY KEY, version TEXT NOT NULL, updated_at TEXT NOT NULL)""")
+    for column, ddl in (
+        ("source_artifact", "TEXT DEFAULT ''"),
+        ("source_anchor", "TEXT DEFAULT ''"),
+        ("content_hash", "TEXT DEFAULT ''"),
+        ("protected", "INTEGER NOT NULL DEFAULT 1"),
+        ("severity", "TEXT DEFAULT 'critical'"),
+        ("replacement_rule_id", "TEXT DEFAULT NULL"),
+    ):
+        try:
+            existing = {row[1] for row in conn.execute("PRAGMA table_info(core_rules)").fetchall()}
+            if column not in existing:
+                conn.execute(f"ALTER TABLE core_rules ADD COLUMN {column} {ddl}")
+        except Exception:
+            pass
+    conn.execute("INSERT OR IGNORE INTO core_rules_version (id, version, updated_at) VALUES (1, '0.0.0', datetime('now'))")
+    conn.execute("CREATE INDEX IF NOT EXISTS idx_core_rules_category ON core_rules(category)")
+    conn.execute("CREATE INDEX IF NOT EXISTS idx_core_rules_active ON core_rules(is_active)")
+    conn.execute("CREATE INDEX IF NOT EXISTS idx_core_rules_protected ON core_rules(protected, is_active)")
+
+
+def _flatten_rules(data: dict) -> dict[str, dict]:
+    version = data["_meta"]["version"]
+    rules = {}
+    for cat_key, cat in data["categories"].items():
+        for rule in cat["rules"]:
+            severity = rule.get("severity") or ("critical" if rule.get("type") == "blocking" and int(rule.get("importance") or 0) >= 5 else "high")
+            rules[rule["id"]] = {
+                **rule,
+                "category": cat_key,
+                "added_in": rule.get("added_in", version),
+                "content_hash": _rule_hash(rule, cat_key),
+                "protected": 0 if rule.get("protected") is False else 1,
+                "severity": severity,
+                "source_artifact": rule.get("source_artifact", "core-rules.json"),
+                "source_anchor": rule.get("source_anchor", rule["id"]),
+                "replacement_rule_id": rule.get("replacement_rule_id"),
+            }
+    return rules
+
+
+def _sync_rules_from_json(conn=None, dry_run: bool = False) -> dict:
+    conn = conn or _get_db()
+    _ensure_schema(conn)
+    data = _load_rules_data()
+    new_version = data["_meta"]["version"]
+    json_rules = _flatten_rules(data)
+
+    current_version_row = conn.execute("SELECT version FROM core_rules_version WHERE id = 1").fetchone()
+    current_version = current_version_row[0] if current_version_row else "0.0.0"
+    db_rows = {
+        row["id"]: dict(row)
+        for row in conn.execute("SELECT * FROM core_rules WHERE is_active = 1").fetchall()
+    }
+
+    added = set(json_rules) - set(db_rows)
+    removed = set(db_rows) - set(json_rules)
+    changed = {
+        rid
+        for rid in set(json_rules) & set(db_rows)
+        if (db_rows[rid].get("content_hash") or "") != json_rules[rid]["content_hash"]
+        or current_version != new_version
+    }
+
+    result = {
+        "version_from": current_version,
+        "version_to": new_version,
+        "added": sorted(added),
+        "removed": sorted(removed),
+        "changed": sorted(changed),
+        "active_total": len(json_rules),
+        "dry_run": dry_run,
+    }
+    if dry_run:
+        return result
+
+    for rid in sorted(added | changed):
+        r = json_rules[rid]
+        conn.execute(
+            """INSERT OR REPLACE INTO core_rules
+               (id, category, rule, why, importance, type, added_in, removed_in, is_active,
+                source_artifact, source_anchor, content_hash, protected, severity, replacement_rule_id)
+               VALUES (?, ?, ?, ?, ?, ?, ?, NULL, 1, ?, ?, ?, ?, ?, ?)""",
+            (
+                r["id"],
+                r["category"],
+                r["rule"],
+                r["why"],
+                r["importance"],
+                r["type"],
+                r["added_in"],
+                r["source_artifact"],
+                r["source_anchor"],
+                r["content_hash"],
+                r["protected"],
+                r["severity"],
+                r["replacement_rule_id"],
+            ),
+        )
+
+    for rid in sorted(removed):
+        replacement = db_rows.get(rid, {}).get("replacement_rule_id")
+        conn.execute(
+            "UPDATE core_rules SET is_active = 0, removed_in = ?, replacement_rule_id = COALESCE(?, replacement_rule_id) WHERE id = ?",
+            (new_version, replacement, rid),
+        )
+
+    conn.execute("UPDATE core_rules_version SET version = ?, updated_at = datetime('now') WHERE id = 1", (new_version,))
+    conn.commit()
+    result["status"] = "up_to_date" if not (added or removed or changed or current_version != new_version) else "applied"
+    return result
+
+
+def _sync_if_needed():
+    """Keep installed DB rules aligned with packaged product-core JSON."""
+    import sys
+    if not os.path.exists(_rules_file_path()):
+        print(f"[core_rules] WARNING: {_rules_file_path()} not found, skipping sync", file=sys.stderr)
+        return
     try:
-        with open(rules_file) as f:
-            data = json.load(f)
-
-        version = data["_meta"]["version"]
-        loaded = 0
-        for cat_key, cat in data["categories"].items():
-            for rule in cat["rules"]:
-                conn.execute(
-                    """INSERT OR REPLACE INTO core_rules (id, category, rule, why, importance, type, added_in)
-                       VALUES (?, ?, ?, ?, ?, ?, ?)""",
-                    (rule["id"], cat_key, rule["rule"], rule["why"],
-                     rule["importance"], rule["type"], rule.get("added_in", version))
-                )
-                loaded += 1
-
-        conn.execute("UPDATE core_rules_version SET version = ?, updated_at = datetime('now') WHERE id = 1", (version,))
-        conn.commit()
-        print(f"[core_rules] Seeded {loaded} rules (v{version})", file=sys.stderr)
+        _sync_rules_from_json()
     except Exception as e:
-        print(f"[core_rules] ERROR seeding rules: {e}", file=sys.stderr)
+        print(f"[core_rules] ERROR syncing rules: {e}", file=sys.stderr)
 
 
 def handle_rules_check(area: str = "", importance_min: int = 0) -> str:
@@ -70,21 +184,24 @@ def handle_rules_check(area: str = "", importance_min: int = 0) -> str:
               Maps to categories: code→execution+integrity, delegation→delegation, etc.
         importance_min: Minimum importance level (1-5, default 0 = all rules)
     """
-    _seed_if_empty()
+    _sync_if_needed()
     conn = _get_db()
 
     area_to_categories = {
-        "code": ("integrity", "execution"),
-        "edit": ("integrity", "execution"),
+        "code": ("integrity", "execution", "product_core", "bootstrap_contract"),
+        "edit": ("integrity", "execution", "product_core", "bootstrap_contract"),
         "delegation": ("delegation",),
         "delegate": ("delegation",),
         "subagent": ("delegation",),
-        "communication": ("communication",),
-        "respond": ("communication",),
-        "memory": ("memory",),
-        "learn": ("memory",),
-        "proactivity": ("proactivity",),
-        "protect": ("proactivity",),
+        "communication": ("communication", "product_core"),
+        "respond": ("communication", "product_core"),
+        "memory": ("memory", "product_core", "bootstrap_contract"),
+        "learn": ("memory", "product_core"),
+        "proactivity": ("proactivity", "product_core"),
+        "protect": ("proactivity", "product_core"),
+        "support": ("product_core",),
+        "capability": ("product_core",),
+        "bootstrap": ("bootstrap_contract",),
     }
 
     where = "WHERE is_active = 1"
@@ -146,7 +263,7 @@ def handle_rules_list(
     limit: int = 0,
 ) -> str:
     """List all core rules with their status, grouped by category."""
-    _seed_if_empty()
+    _sync_if_needed()
     conn = _get_db()
 
     ver = conn.execute("SELECT version FROM core_rules_version WHERE id = 1").fetchone()
@@ -202,75 +319,22 @@ def handle_rules_migrate(dry_run: bool = False) -> str:
     Args:
         dry_run: If True, show what would change without applying
     """
-    conn = _get_db()
-    rules_file = os.path.join(os.path.dirname(os.path.dirname(os.path.abspath(__file__))),
-                              "rules", "core-rules.json")
-    if not os.path.exists(rules_file):
+    if not os.path.exists(_rules_file_path()):
         return "ERROR: core-rules.json not found"
-
-    with open(rules_file) as f:
-        data = json.load(f)
-
-    new_version = data["_meta"]["version"]
-    ver = conn.execute("SELECT version FROM core_rules_version WHERE id = 1").fetchone()
-    current_version = ver[0] if ver else "0.0.0"
-
-    # Collect all rule IDs from JSON
-    json_ids = set()
-    json_rules = {}
-    for cat_key, cat in data["categories"].items():
-        for rule in cat["rules"]:
-            json_ids.add(rule["id"])
-            json_rules[rule["id"]] = {**rule, "category": cat_key}
-
-    # Collect active IDs from DB
-    db_ids = set()
-    for r in conn.execute("SELECT id FROM core_rules WHERE is_active = 1").fetchall():
-        db_ids.add(r[0])
-
-    added = json_ids - db_ids
-    removed = db_ids - json_ids
-    unchanged = json_ids & db_ids
+    result = _sync_rules_from_json(dry_run=dry_run)
 
     lines = [
-        f"RULES MIGRATION: v{current_version} → v{new_version}",
-        f"  Added: {len(added)} — {', '.join(sorted(added)) if added else 'none'}",
-        f"  Removed: {len(removed)} — {', '.join(sorted(removed)) if removed else 'none'}",
-        f"  Unchanged: {len(unchanged)}",
+        f"RULES MIGRATION: v{result['version_from']} → v{result['version_to']}",
+        f"  Added: {len(result['added'])} — {', '.join(result['added']) if result['added'] else 'none'}",
+        f"  Removed: {len(result['removed'])} — {', '.join(result['removed']) if result['removed'] else 'none'}",
+        f"  Changed: {len(result['changed'])} — {', '.join(result['changed']) if result['changed'] else 'none'}",
+        f"  Active total: {result['active_total']}",
     ]
 
     if dry_run:
         lines.append("  Mode: DRY RUN (no changes applied)")
-        return "\n".join(lines)
-
-    # Apply additions
-    for rid in added:
-        r = json_rules[rid]
-        conn.execute(
-            """INSERT OR REPLACE INTO core_rules (id, category, rule, why, importance, type, added_in, is_active)
-               VALUES (?, ?, ?, ?, ?, ?, ?, 1)""",
-            (r["id"], r["category"], r["rule"], r["why"], r["importance"], r["type"], r.get("added_in", new_version))
-        )
-
-    # Apply removals (soft delete)
-    for rid in removed:
-        conn.execute(
-            "UPDATE core_rules SET is_active = 0, removed_in = ? WHERE id = ?",
-            (new_version, rid)
-        )
-
-    # Update existing rules (content might have changed)
-    for rid in unchanged:
-        r = json_rules[rid]
-        conn.execute(
-            "UPDATE core_rules SET rule = ?, why = ?, importance = ?, type = ?, category = ? WHERE id = ?",
-            (r["rule"], r["why"], r["importance"], r["type"], r["category"], rid)
-        )
-
-    conn.execute("UPDATE core_rules_version SET version = ?, updated_at = datetime('now') WHERE id = 1", (new_version,))
-    conn.commit()
-
-    lines.append("  Status: APPLIED")
+    else:
+        lines.append(f"  Status: {str(result.get('status') or 'APPLIED').upper()}")
     return "\n".join(lines)