nexo-brain 7.30.30 → 7.30.31

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.30.29",
+  "version": "7.30.31",
   "description": "Local cognitive runtime for Claude Code \u2014 persistent memory, overnight learning, doctor diagnostics, personal scripts, recovery-aware jobs, startup preflight, and optional dashboard/power helper.",
   "author": {
     "name": "NEXO Brain",

package/README.md

@@ -18,7 +18,11 @@
 
 [Watch the overview video](https://nexo-brain.com/watch/) · [Watch on YouTube](https://www.youtube.com/watch?v=i2lkGhKyVqI) · [Open the infographic](https://nexo-brain.com/assets/nexo-brain-infographic-v5.png)
 
-Version `7.30.28` is the current packaged-runtime line. Patch release over v7.30.27 - F0.6 runtime repairs now run through an existing post-install hook, so older updaters execute script-conflict recovery and `core/current` refresh on the first upgrade.
+Version `7.30.31` is the current packaged-runtime line. Patch release over v7.30.30 - Core Rules now reach agents both through a compact managed bootstrap summary and task-specific `cortex/task_open` injection from the protected `core_rules` registry.
+
+Previously in `7.30.30`: product-managed Core Rules now sync from `src/rules/core-rules.json` into protected DB rows for bootstrap and product behavior, with provenance, hashes, severity, and install/update synchronization.
+
+Previously in `7.30.29`: runtime disk guards now bound hourly database backups and pause Local Memory indexing before disk pressure becomes unsafe.
 
 Previously in `7.30.27`: patch release over v7.30.26 - post-update repair now recovers core scripts archived by older F0.6 shim reconciliation and refreshes `core/current` from `core`, so same-version snapshots cannot keep stale watchdog code.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.30.30",
+  "version": "7.30.31",
   "mcpName": "io.github.wazionapps/nexo",
   "description": "NEXO Brain — Shared brain for AI agents. Persistent memory, semantic RAG, natural forgetting, metacognitive guard, trust scoring, 150+ MCP tools. Works with Claude Code, Codex, Claude Desktop & any MCP client. 100% local, free.",
   "homepage": "https://nexo-brain.com",

package/src/db/_schema.py

@@ -3071,6 +3071,7 @@ def _m80_opportunity_orchestrator(conn):
 
 def _m81_core_rules_product_metadata(conn):
     """Add product-core provenance and protection metadata to core_rules."""
+    _m15_core_rules_tables(conn)
     _migrate_add_column(conn, "core_rules", "source_artifact", "TEXT DEFAULT ''")
     _migrate_add_column(conn, "core_rules", "source_anchor", "TEXT DEFAULT ''")
     _migrate_add_column(conn, "core_rules", "content_hash", "TEXT DEFAULT ''")

package/src/plugins/cortex.py

@@ -31,25 +31,159 @@ def _get_db():
     return get_db()
 
 
+_CLASSIC_RULE_CATEGORIES_BY_TASK = {
+    "edit": ["integrity", "execution"],
+    "execute": ["integrity", "execution", "delegation"],
+    "delegate": ["delegation"],
+    "analyze": ["execution", "memory"],
+    "answer": ["communication"],
+}
+
+_PRODUCT_RULE_IDS_BY_TASK = {
+    "answer": [
+        "PC1",   # Context before asking
+        "PC2",   # Capability before delegating work to the user
+        "PC4",   # Evidence before closure claims
+        "PC8",   # Do not invent product capabilities
+        "PC16",  # Continuity of identity and sessions
+        "PC19",  # Product language, not internal jargon
+        "PC24",  # Read what NEXO already wrote before acting
+        "PC25",  # External state claims require live evidence
+        "PC28",  # Check real capability before denying
+        "PC29",  # Operational explanation stays simple
+        "PC32",  # Reuse prior work before researching from zero
+        "MEMORY_AUTHORITY",
+        "IDENTITY_CONTINUITY",
+        "SAFE_AUTONOMY_FIRST",
+        "DEFERRED_TOOL_DISCOVERY",
+    ],
+    "analyze": [
+        "PC1",
+        "PC2",
+        "PC5",
+        "PC16",
+        "PC24",
+        "PC25",
+        "PC28",
+        "PC31",
+        "PC32",
+        "MEMORY_AUTHORITY",
+        "CORE_SYSTEM_AWARENESS",
+        "SAFE_AUTONOMY_FIRST",
+    ],
+    "edit": [
+        "PC3",
+        "PC4",
+        "PC5",
+        "PC18",
+        "PC24",
+        "PC25",
+        "PC30",
+        "PC31",
+        "PC32",
+        "RUNTIME_CORE_PROTECTED",
+        "MEMORY_AUTHORITY",
+        "SAFE_AUTONOMY_FIRST",
+    ],
+    "execute": [
+        "PC2",
+        "PC3",
+        "PC4",
+        "PC10",
+        "PC11",
+        "PC12",
+        "PC13",
+        "PC14",
+        "PC15",
+        "PC17",
+        "PC25",
+        "PC26",
+        "PC27",
+        "RUNTIME_CORE_PROTECTED",
+        "SAFE_AUTONOMY_FIRST",
+    ],
+    "delegate": [
+        "PC1",
+        "PC2",
+        "PC10",
+        "PC11",
+        "PC12",
+        "PC16",
+        "PC24",
+        "PC31",
+        "PC32",
+        "MEMORY_AUTHORITY",
+        "IDENTITY_CONTINUITY",
+    ],
+}
+
+_DEFAULT_PRODUCT_RULE_IDS = [
+    "PC1",
+    "PC2",
+    "PC4",
+    "PC24",
+    "PC25",
+    "PC28",
+    "PC32",
+    "MEMORY_AUTHORITY",
+    "SAFE_AUTONOMY_FIRST",
+]
+
+
+def _sync_core_rules_if_available() -> None:
+    try:
+        from plugins.core_rules import _sync_if_needed
+        _sync_if_needed()
+    except Exception:
+        pass
+
+
+def _rule_rows_for_ids(conn, ids: list[str]) -> list:
+    unique_ids = list(dict.fromkeys(ids))
+    if not unique_ids:
+        return []
+    placeholders = ",".join("?" * len(unique_ids))
+    rows = conn.execute(
+        f"""SELECT id, rule
+            FROM core_rules
+            WHERE id IN ({placeholders}) AND is_active = 1 AND type = 'blocking'""",
+        unique_ids,
+    ).fetchall()
+    by_id = {row["id"]: row for row in rows}
+    return [by_id[rule_id] for rule_id in unique_ids if rule_id in by_id]
+
+
+def _classic_rule_rows_for_task(conn, task_type: str, excluded_ids: set[str], limit: int = 5) -> list:
+    categories = _CLASSIC_RULE_CATEGORIES_BY_TASK.get(task_type, ["integrity", "execution"])
+    placeholders = ",".join("?" * len(categories))
+    rows = conn.execute(
+        f"""SELECT id, rule
+            FROM core_rules
+            WHERE category IN ({placeholders})
+              AND is_active = 1
+              AND type = 'blocking'
+            ORDER BY importance DESC, category, id
+            LIMIT ?""",
+        [*categories, limit + len(excluded_ids)],
+    ).fetchall()
+    filtered = [row for row in rows if row["id"] not in excluded_ids]
+    return filtered[:limit]
+
+
 def _get_core_rules_for_task(task_type: str) -> list[str]:
     """Get relevant Core Rules for the given task type."""
-    conn = _get_db()
     try:
-        # Map task type to rule categories
-        category_map = {
-            "edit": ["integrity", "execution"],
-            "execute": ["integrity", "execution", "delegation"],
-            "delegate": ["delegation"],
-            "analyze": ["execution", "memory"],
-            "answer": ["communication"],
-        }
-        categories = category_map.get(task_type, ["integrity", "execution"])
-        placeholders = ",".join("?" * len(categories))
-
-        rows = conn.execute(
-            f"SELECT id, rule FROM core_rules WHERE category IN ({placeholders}) AND is_active = 1 AND type = 'blocking' ORDER BY importance DESC LIMIT 5",
-            categories
-        ).fetchall()
+        _sync_core_rules_if_available()
+        conn = _get_db()
+        clean_type = str(task_type or "").strip().lower()
+        product_ids = _PRODUCT_RULE_IDS_BY_TASK.get(clean_type, _DEFAULT_PRODUCT_RULE_IDS)
+        product_rows = _rule_rows_for_ids(conn, product_ids)
+        classic_rows = _classic_rule_rows_for_task(
+            conn,
+            clean_type,
+            {row["id"] for row in product_rows},
+        )
+        rows = classic_rows + product_rows
         return [f"{r['id']}: {r['rule']}" for r in rows]
     except Exception:
         return []

package/templates/CLAUDE.md.template

@@ -30,6 +30,22 @@ Claude Code may list `mcp__nexo__*` tools as **deferred** at session start (name
 - Diagnostic plane: `nexo_doctor plane='installation_live'` inspects client/install surfaces — consult it when tools appear missing on a fresh install.
 <!-- nexo:end:tools_at_startup -->
 
+## Core Rules Summary
+The full protected registry lives in NEXO Brain `core_rules`. Keep this compact summary active from the first turn:
+
+- Check existing context, memory, tickets, files, credentials, and prior work before asking the user.
+- Do not ask the user to do work that NEXO can safely do with available tools.
+- Prepare up to the safe boundary; ask only for real decisions, missing credentials, approvals, payments, destructive actions, or legally required consent.
+- Verify current reality before claiming facts about external state, product capabilities, dates, versions, servers, routes, ports, schemas, or tickets.
+- Do not invent or deny NEXO capabilities without checking the live product/source of truth first.
+- Preserve one continuous user-facing identity across supported clients and sessions.
+- Treat Brain, calibration, profile, decisions, learnings, diary, and followups as stronger authority than legacy client memory files.
+- Keep product-managed `CORE` separate from tenant/operator-managed `USER`; updates may rewrite `CORE` but must preserve `USER`.
+- Never leak personal or tenant-specific configuration into global product rules.
+- Reuse recorded work, decisions, skills, and successful procedures before researching or building from zero.
+- Review existing architecture before adding parallel queues, supervisors, recovery layers, or duplicate systems.
+- Close work only with evidence, and keep actions, promises, followups, and ticket decisions in a single traceable ledger.
+
 ## Protocol (7 rules)
 1. `nexo_startup` once per session and keep the returned `SID`.
 2. `nexo_heartbeat` on every user message.

package/templates/CODEX.AGENTS.md.template

@@ -25,6 +25,22 @@ Codex (and Claude Code) may list `mcp__nexo__*` tools as **deferred** at session
 - If discovery still cannot resolve a `nexo_*` tool, then (and only then) treat it as a real runtime gap and surface it as a blocker.
 - Diagnostic plane: `nexo_doctor plane='installation_live'` inspects client/install surfaces — consult it when tools appear missing on a fresh install.
 
+## Core Rules Summary
+The full protected registry lives in NEXO Brain `core_rules`. Keep this compact summary active from the first turn:
+
+- Check existing context, memory, tickets, files, credentials, and prior work before asking the user.
+- Do not ask the user to do work that NEXO can safely do with available tools.
+- Prepare up to the safe boundary; ask only for real decisions, missing credentials, approvals, payments, destructive actions, or legally required consent.
+- Verify current reality before claiming facts about external state, product capabilities, dates, versions, servers, routes, ports, schemas, or tickets.
+- Do not invent or deny NEXO capabilities without checking the live product/source of truth first.
+- Preserve one continuous user-facing identity across supported clients and sessions.
+- Treat Brain, calibration, profile, decisions, learnings, diary, and followups as stronger authority than legacy client memory files.
+- Keep product-managed `CORE` separate from tenant/operator-managed `USER`; updates may rewrite `CORE` but must preserve `USER`.
+- Never leak personal or tenant-specific configuration into global product rules.
+- Reuse recorded work, decisions, skills, and successful procedures before researching or building from zero.
+- Review existing architecture before adding parallel queues, supervisors, recovery layers, or duplicate systems.
+- Close work only with evidence, and keep actions, promises, followups, and ticket decisions in a single traceable ledger.
+
 ## Protocol (7 rules)
 1. `nexo_startup` once per session, then keep the returned `SID`.
 2. `nexo_heartbeat` on every user message.