nexo-brain 7.4.1 → 7.6.0

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.4.1",
+  "version": "7.6.0",
   "description": "Local cognitive runtime for Claude Code \u2014 persistent memory, overnight learning, doctor diagnostics, personal scripts, recovery-aware jobs, startup preflight, and optional dashboard/power helper.",
   "author": {
     "name": "NEXO Brain",

package/README.md

@@ -18,7 +18,11 @@
 
 [Watch the overview video](https://nexo-brain.com/watch/) · [Watch on YouTube](https://www.youtube.com/watch?v=i2lkGhKyVqI) · [Open the infographic](https://nexo-brain.com/assets/nexo-brain-infographic-v5.png)
 
-Version `7.4.1` is the current packaged-runtime line. Hotfix minor release correcting three critical bugs that surfaced right after v7.2.0. B11 Guardian wire: new `src/hooks/pre_tool_use.py` entrypoint is now registered in `src/hooks/manifest.json` and `hooks/hooks.json` so the Claude Code PreToolUse event actually reaches Guardian — before this, `guardian-runtime-overrides.json` in hard mode was silently inert for G3-destructive, G3-SSH, and G4-guard_check gates. A parallel SSH prescreen in `hook_guardrails.process_pre_tool_event` forces `op=write` on remote-write patterns the local shell classifier could not see. B10 post-sync: `_run_post_install_hooks_fresh(dest, env)` invokes each whitelisted hook (`_persist_guardian_hard_defaults`, `_maybe_promote_adaptive_weights_empirically`) in a clean subprocess against the newly copied tree, so the first `nexo update` that introduces a new post-install hook actually runs it — previously the hook dispatch used the pre-upgrade module held in memory and silently no-op'd. B12 map distribution: `tool-enforcement-map.json` is now part of the npm `files` whitelist so fresh `npm install -g nexo-brain` ships it, closing the three-way gap (Brain npm + Desktop bundle + runtime sync) that prevented Desktop from ever discovering the map on new installs. Also ships the PE1 rapid items promised for this milestone: 5 additional `destructive_command` entries in `src/presets/entities_universal.json` (`curl_pipe_shell`, `dd_to_device`, `chmod_recursive_wide_open`, `ssh_remote_overwrite`, `scp_rsync_upload`; coverage floor raised from 7 to 12) and the `guardian-metrics` daily cron at 02:15 that feeds Fase C gate and the Guardian Proposals panel.
+Version `7.6.0` is the current packaged-runtime line. Minor release that closes the drift between `tool-enforcement-map.json` v2.2 and the two enforcement engines (Brain Python + Desktop JS), and moves several default rule modes toward the obedience target requested by the constructor-guardian-90 checklist. Brain now dispatches `before_tool`, `on_event`, and `conditional` alongside the previously-handled types — before v7.6 Brain silently ignored these three despite the map declaring them, so Brain users got the weaker contract. `after_tool` dependencies now satisfy per-instance (monotonic `_tool_instance_counter`) instead of once-per-session, which was the specific bug the checklist flagged. Map v2.2 tightens two triggers: `nexo_learning_add` grace_messages 3 → 0 (corrections produce the learning in the same turn) and `nexo_task_open` conditional threshold 10 → 4 with level `should → must` and an explicit `inject_prompt`. `guardian_default.json` v1.4.0 raises `R15_project_context`, `R17_promise_debt`, `R22_personal_script` and `R_CATALOG_before_artifact_create` from soft to hard, and moves `R34_identity_coherence` from shadow to soft so identity denials surface a visible reminder instead of silent telemetry. A new contract test (`tests/test_v76_map_parity.py`) pins six invariants including Brain↔Desktop dispatch parity and per-instance satisfaction so a future refactor cannot quietly re-open the drift. Companion release: NEXO Desktop v0.26.0 mirrors the engine fixes + default hardening.
+
+Previously in `7.5.0`: minor release that promoted `nexo_lifecycle_event` from ledger + reconciliation authority to **canonical authority of session-end**. Brain now owns the prompt, the sequence, and the timing of diary+stop; Desktop v0.25.0 (closed-source companion) is the conduit that executes Brain's plan against the live Claude process. The new 2-call contract — `nexo_lifecycle_event` returns a versioned `canonical_plan` (resume_session → inject_prompt → stop_session, with stable ids and per-action timeouts) and `nexo_lifecycle_complete_canonical` confirms execution with a per-action results array — replaces polling with explicit acknowledgement. `canonical_plan_id` is deterministic: `sha256(event_id + "|v" + plan_version)[:24]`, so retries reuse the same id. Migration m52 extends `lifecycle_events` with six `canonical_*` columns plus an index; pre-v7.5 rows simply carry NULL. `session_diary` is the dedupe key on re-delivery: if Desktop crashes between executing the inject and sending the complete call, the next `nexo_lifecycle_event` for the same `event_id` checks for a diary written after `canonical_dispatched_at`; if one exists, Brain short-circuits to `already_processed` and refuses to re-dispatch. The seven explicit `delivery_status` values (`accepted`, `processed`, `canonical_pending`, `canonical_done`, `already_processed`, `retryable_error`, `rejected`) give the pipeline a diffable state machine. `switch` and `window-close` stay observational (no plan ever issued, even with a live `session_id`). `nexo lifecycle record` now returns exit code 0 for `canonical_pending`; older wrappers that treated it as an error are incompatible with v7.5. MCP tool count: 262 → 263.
+
+Previously in `7.4.1`: patch release correcting the over-promise in v7.4.0's release notes and locking in the exact role of `nexo_lifecycle_event` as a ledger + reconciliation authority — NOT the canonical executor of diary+stop, which lived in Desktop. That responsibility moved to Brain in v7.5.
 
 Previously in `7.2.0`: minor release consolidating three parallel workstreams into a single Guardian-active-by-default train. Block K roadmap closure (G1 enforcer active, G3 SSH remote-write detector, `src/guardian_runtime_config.py` resolver, `_persist_guardian_hard_defaults` during `nexo update`). F0.6 hardening wave (`nexo rollback f06` CLI, `src/scripts/prune_runtime_backups.py` promoted to core, `docs/f06-layout-contract.md`, three new doctor boot-tier checks, `scripts/nexo-migrate-nora.sh` + `scripts/f0-safe-apply-remote.sh` idempotent migration). Adaptive weights flipped from "14-day calendar wait" to "14 days OR (≥200 samples AND ≥2 days)" with auto-promotion during `nexo update`. Small-fixes batch: R34 `bool("unknown")==True` fix, `classify_scripts_dir` dedup, B10 module-level path constants lazy-evaluated, schedule override audit log, `scripts/pre-release-verify.sh` + `docs/release-discipline.md`, pre-commit hook that blocks commits when `tool-enforcement-map.json` drifts from `src/plugins/`.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.4.1",
+  "version": "7.6.0",
   "mcpName": "io.github.wazionapps/nexo",
   "description": "NEXO Brain \u2014 Shared brain for AI agents. Persistent memory, semantic RAG, natural forgetting, metacognitive guard, trust scoring, 150+ MCP tools. Works with Claude Code, Codex, Claude Desktop & any MCP client. 100% local, free.",
   "homepage": "https://nexo-brain.com",

package/src/cli.py

@@ -3092,6 +3092,18 @@ def main():
     lstat_p = lifecycle_sub.add_parser("status", help="Read the current delivery_status of an event")
     lstat_p.add_argument("--event-id", required=True)
 
+    lcomp_p = lifecycle_sub.add_parser(
+        "complete-canonical",
+        help="v7.5: confirm Desktop finished executing the canonical_actions a prior record returned",
+    )
+    lcomp_p.add_argument("--event-id", required=True)
+    lcomp_p.add_argument("--plan-id", required=True, help="canonical_plan_id returned by the original record call")
+    lcomp_p.add_argument(
+        "--results",
+        default="",
+        help="JSON array of per-action outcomes, e.g. '[{\"action_id\":\"a1\",\"status\":\"ok\"}]'",
+    )
+
     # Fase E.5 — quarantine ops surfaced via Desktop Guardian Proposals panel.
     quarantine_parser = sub.add_parser("quarantine", help="Quarantine proposals (Fase E.5 Desktop UI)")
     quarantine_sub = quarantine_parser.add_subparsers(dest="quarantine_command")
@@ -3327,10 +3339,12 @@ def main():
                 status = str(parsed.get("status", ""))
             except Exception:
                 status = ""
-            # Exit code 0 for terminal ok states, 2 for retryable_error so
-            # Desktop can distinguish "persisted + processed" from "try
-            # again on boot reconciliation". Rejected is exit 3 (bad input).
-            if status in ("processed", "already_processed", "accepted"):
+            # Exit code 0 for terminal ok states AND for canonical_pending
+            # (v7.5: plan handed to Desktop, awaiting complete_canonical).
+            # 2 for retryable_error so Desktop can distinguish "persisted +
+            # processed" from "try again on boot reconciliation".
+            # Rejected is exit 3 (bad input).
+            if status in ("processed", "already_processed", "accepted", "canonical_pending"):
                 return 0
             if status == "retryable_error":
                 return 2
@@ -3339,6 +3353,23 @@ def main():
             out = _lifecycle_plugin.handle_nexo_lifecycle_status(args.event_id)
             print(out)
             return 0
+        if args.lifecycle_command == "complete-canonical":
+            out = _lifecycle_plugin.handle_nexo_lifecycle_complete_canonical(
+                event_id=args.event_id,
+                canonical_plan_id=args.plan_id,
+                results=args.results or "",
+            )
+            print(out)
+            try:
+                parsed = _json.loads(out)
+                status = str(parsed.get("status", ""))
+            except Exception:
+                status = ""
+            if status in ("canonical_done", "already_processed"):
+                return 0
+            if status == "retryable_error":
+                return 2
+            return 3
         lifecycle_parser.print_help()
         return 1
     elif args.command in ("schema", "identity", "onboard", "scan-profile"):

package/src/db/_schema.py

@@ -1351,6 +1351,48 @@ def _m51_lifecycle_events(conn):
     _migrate_add_index(conn, "idx_lifecycle_events_action", "lifecycle_events", "action")
 
 
+def _m52_lifecycle_canonical_plan(conn):
+    """v7.5.0 — Brain promoted to canonical authority for session-end.
+
+    When the Desktop pipeline posts a close / delete / archive / app-exit
+    lifecycle event with a live session_id, Brain now decides the exact
+    prompt + sequence to run against the live Claude process and hands
+    that plan back to Desktop in the same MCP call. Desktop executes
+    the plan inline and confirms via a second call
+    (``nexo_lifecycle_complete_canonical``).
+
+    New columns on ``lifecycle_events``:
+
+    - ``canonical_plan_id`` — deterministic id hash(event_id+plan_version).
+      Used for idempotent retries: Desktop can ask "did you already
+      finish this plan_id" and Brain can dedupe without re-running any
+      diary write.
+    - ``canonical_plan_version`` — schema version of the plan payload
+      (INTEGER, default 1). Lets us evolve the action shape without
+      breaking older Desktop builds.
+    - ``canonical_actions_json`` — the actions array Brain returned,
+      verbatim. Persisted so boot reconciliation can re-send the exact
+      same plan on a crash between dispatch and confirm.
+    - ``canonical_dispatched_at`` — first time Brain returned the plan.
+      Used as the "since" cursor for the session_diary dedup query.
+    - ``canonical_done_at`` — set only when Desktop calls
+      ``nexo_lifecycle_complete_canonical``. Absence + presence of
+      ``canonical_dispatched_at`` == "dispatched but not confirmed".
+    - ``canonical_done_results`` — JSON array of per-action results
+      reported by Desktop, used for telemetry and retry classification.
+
+    Idempotent. Fresh installs already created the table in m51; this
+    migration only ADDs the new columns.
+    """
+    _migrate_add_column(conn, "lifecycle_events", "canonical_plan_id", "TEXT DEFAULT NULL")
+    _migrate_add_column(conn, "lifecycle_events", "canonical_plan_version", "INTEGER DEFAULT NULL")
+    _migrate_add_column(conn, "lifecycle_events", "canonical_actions_json", "TEXT DEFAULT NULL")
+    _migrate_add_column(conn, "lifecycle_events", "canonical_dispatched_at", "TEXT DEFAULT NULL")
+    _migrate_add_column(conn, "lifecycle_events", "canonical_done_at", "TEXT DEFAULT NULL")
+    _migrate_add_column(conn, "lifecycle_events", "canonical_done_results", "TEXT DEFAULT NULL")
+    _migrate_add_index(conn, "idx_lifecycle_events_plan_id", "lifecycle_events", "canonical_plan_id")
+
+
 MIGRATIONS = [
     (1, "learnings_columns", _m1_learnings_columns),
     (2, "followups_reasoning", _m2_followups_reasoning),
@@ -1403,6 +1445,7 @@ MIGRATIONS = [
     (49, "protocol_guard_ack_backfill", _m49_protocol_guard_ack_backfill),
     (50, "dedupe_nexo_product_learning_pair", _m50_dedupe_nexo_product_learning_pair),
     (51, "lifecycle_events", _m51_lifecycle_events),
+    (52, "lifecycle_canonical_plan", _m52_lifecycle_canonical_plan),
 ]
 
 

package/src/enforcement_engine.py

@@ -399,12 +399,38 @@ class HeadlessEnforcer:
         self._periodic_msg: list[dict] = []
         self._periodic_time: list[dict] = []
         self._after_tool: dict[str, list[dict]] = {}
+        # v7.6.0 parity fix: three rule types were declared in the map
+        # (version 2.1) but never dispatched by Brain, only by Desktop.
+        # This broke the Brain↔Desktop parity contract (fase2_schema
+        # notes line) and made the map silently over-promise.
+        self._before_tool: dict[str, list[dict]] = {}   # trigger_tool → [entries watching it]
+        self._on_event: dict[str, list[dict]] = {}       # event_name → [entries listening]
+        self._conditional: list[dict] = []               # [entries with counter-based conditions]
+        # Monotonic tool-call instance counter. Used by after_tool /
+        # before_tool to implement "per-instance" satisfaction instead of
+        # the old "once in session" semantics that the checklist flagged
+        # as broken: once target_tool was called a single time, every
+        # subsequent trigger call was silently satisfied.
+        self._tool_instance_counter: int = 0
+        self._tool_last_instance: dict[str, int] = {}
+        # Mapping trigger_instance → satisfaction required. Key: (trigger_tool, trigger_instance, target_tool).
+        # The dependency is satisfied when target_tool is called with
+        # tool_last_instance[target] > trigger_instance.
+        self._after_tool_open_deps: list[tuple[str, int, str]] = []
+        # conditional counters — tool_calls_without_target per rule.
+        self._conditional_counters: dict[str, int] = {}
+        # on_event grace windows — per (event_name) counter of messages
+        # since event fired without the required tool being called.
+        self._on_event_pending: dict[str, dict] = {}
 
         if self.map:
             self._build_indexes()
-            _logger.info("Map v%s loaded: %d on_start, %d on_end, %d periodic_msg, %d periodic_time, %d after_tool",
-                         self.map.get("version", "?"), len(self._on_start), len(self._on_end),
-                         len(self._periodic_msg), len(self._periodic_time), len(self._after_tool))
+            _logger.info(
+                "Map v%s loaded: %d on_start, %d on_end, %d periodic_msg, %d periodic_time, "
+                "%d after_tool, %d before_tool, %d on_event (events), %d conditional",
+                self.map.get("version", "?"), len(self._on_start), len(self._on_end),
+                len(self._periodic_msg), len(self._periodic_time), len(self._after_tool),
+                len(self._before_tool), len(self._on_event), len(self._conditional))
         else:
             _logger.warning("No enforcement map found")
 
@@ -427,6 +453,28 @@ class HeadlessEnforcer:
                 elif rtype == "after_tool":
                     for wt in rule.get("watch_tools", []):
                         self._after_tool.setdefault(wt, []).append(entry)
+                elif rtype == "before_tool":
+                    # Tool T declares a before_tool rule watching tools W1..Wn.
+                    # When any Wi is about to be called, T must have been
+                    # called first (since the last relevant reset). Example:
+                    # nexo_guard_check has before_tool watching [Edit, Write].
+                    for wt in rule.get("watch_tools", []):
+                        self._before_tool.setdefault(wt, []).append(entry)
+                elif rtype == "on_event":
+                    # Tool T declares an on_event rule listening for event E.
+                    # Hooks / the engine itself raise E via raise_event(E).
+                    # When E fires, if T was not called within grace_messages,
+                    # inject the reminder.
+                    event = rule.get("event", "")
+                    if event:
+                        self._on_event.setdefault(event, []).append(entry)
+                elif rtype == "conditional":
+                    # Tool T must be called when a condition holds (currently
+                    # "more_than_N_tool_calls_without_task_open" style). v7.6
+                    # fix: the condition is evaluated at every tool call so
+                    # the obligation re-opens per task, not just once in the
+                    # session.
+                    self._conditional.append(entry)
 
             for triggered in enf.get("triggers_after", []):
                 self._after_tool.setdefault(tool_name, []).append({
@@ -1861,9 +1909,31 @@ class HeadlessEnforcer:
     def on_tool_call(self, raw_name: str, tool_input=None):
         name = _normalize(raw_name)
         self.tool_call_count += 1
+        # v7.6 per-instance counter. Every tool call advances it and we
+        # pin the tool's latest instance so after_tool/before_tool can
+        # tell "has target been called AFTER this trigger?" without
+        # relying on the broken set-membership check.
+        self._tool_instance_counter += 1
+        self._tool_last_instance[name] = self._tool_instance_counter
         self.tools_called.add(name)
         self.tool_timestamps[name] = time.time()
         self.msg_since_tool[name] = 0
+
+        # v7.6 conditional counter advance. Tools watched by a
+        # conditional rule tick a counter on every non-matching call.
+        # When task_open (or whichever tool holds the rule) fires, the
+        # counter is reset via reset_task_cycle().
+        for entry in self._conditional:
+            tool = entry["tool"]
+            if tool == name:
+                self._conditional_counters[tool] = 0
+            else:
+                self._conditional_counters[tool] = self._conditional_counters.get(tool, 0) + 1
+
+        # v7.6 task_close observed → rearm conditional for the companion
+        # open tool so the next task cycle re-opens the obligation.
+        if name == "nexo_task_close":
+            self.reset_task_cycle("nexo_task_open")
         # Track the recent tool_use with the file paths it targets so Fase 2
         # Capa 2 rules (R13, future R19/R20) can inspect the write path.
         files = self._extract_files(tool_input)
@@ -1942,12 +2012,160 @@ class HeadlessEnforcer:
         # R24 — stale memory window decay.
         self._advance_r24_window(name)
 
+        # v7.6 per-instance satisfaction. The legacy check "target not in
+        # tools_called" silently satisfied a dependency forever after the
+        # first target call in the session. Now each trigger call opens a
+        # fresh dependency; satisfaction is marked only when the target is
+        # called AFTER this specific trigger instance.
+        current_instance = self._tool_last_instance.get(name, self._tool_instance_counter)
         for entry in self._after_tool.get(name, []):
             target = entry["tool"]
-            if target not in self.tools_called:
+            target_last = self._tool_last_instance.get(target, -1)
+            if target_last < current_instance:
                 prompt = entry["enf"].get("inject_prompt", "")
                 if prompt:
-                    self._enqueue(prompt, f"after:{name}->{target}", rule_id="after_tool_dependency")
+                    self._enqueue(
+                        prompt,
+                        f"after:{name}:{current_instance}->{target}",
+                        rule_id="after_tool_dependency",
+                    )
+                    self._after_tool_open_deps.append((name, current_instance, target))
+
+        # v7.6 on_event pending resolution. If the target tool was called
+        # within its grace window, clear the pending state.
+        for event_name, pending in list(self._on_event_pending.items()):
+            required_tool = pending.get("tool")
+            if required_tool and self._tool_last_instance.get(required_tool, -1) > pending.get("fired_at_instance", -1):
+                self._on_event_pending.pop(event_name, None)
+
+    def on_tool_call_before(self, raw_name: str, tool_input=None):
+        """Pre-invocation hook.
+
+        Dispatches `before_tool` rules declared in the map. If the caller
+        routes every tool call through this method, a missing required
+        predecessor (e.g. nexo_guard_check before Edit) produces a visible
+        injection BEFORE the destructive operation lands. The canonical
+        pre-edit guard (R13, Capa 2) already handles Edit/Write defensively
+        elsewhere — this path covers any future `before_tool` wiring the
+        map declares without needing a new custom rule each time.
+        """
+        name = _normalize(raw_name)
+        entries = self._before_tool.get(name, [])
+        if not entries:
+            return
+        for entry in entries:
+            required_tool = entry["tool"]
+            rule = entry.get("rule", {})
+            # R13 already emits a dedicated, context-aware prompt for the
+            # nexo_guard_check → Edit/Write case. Skip the generic
+            # before_tool injection there to avoid double-firing.
+            if required_tool == "nexo_guard_check" and name in ("Edit", "Write"):
+                continue
+            current_instance = self._tool_instance_counter + 1  # upcoming call
+            last = self._tool_last_instance.get(required_tool, -1)
+            if last < current_instance - 1:  # required tool not called for this instance
+                prompt = entry["enf"].get("inject_prompt", "") or rule.get("inject_prompt", "")
+                if prompt:
+                    self._enqueue(
+                        prompt,
+                        f"before:{name}:{current_instance}->{required_tool}",
+                        rule_id="before_tool_dependency",
+                    )
+
+    def raise_event(self, event_name: str, context: dict | None = None):
+        """External/hook trigger for `on_event` rules.
+
+        Call this when a semantic event occurs that the map references:
+
+        - `pre_compaction` / `post_compaction` (harness compaction hooks)
+        - `factual_answer_with_high_stakes` (response contract upgrade)
+        - `user_correction_without_learning` (R14-style detection)
+        - `multi_step_task_detected` (3+ related edits or workflow-kind work)
+        - `done_claimed_with_open_task` (R16 trigger on done/sent/fixed/published/deployed/shipped)
+
+        The required tool (declared in the map) must be called within
+        `grace_messages` (0 by default after the v7.6 checklist tightening
+        so corrections land immediately, not 3 messages later). If not,
+        a pending state is recorded and re-evaluated on every subsequent
+        tool call via the same dispatcher as after_tool.
+        """
+        entries = self._on_event.get(event_name, [])
+        if not entries:
+            return
+        for entry in entries:
+            required_tool = entry["tool"]
+            rule = entry.get("rule", {})
+            grace = int(rule.get("grace_messages", 0))
+            # If already called after the event fired, nothing to do.
+            last = self._tool_last_instance.get(required_tool, -1)
+            if last >= self._tool_instance_counter and grace == 0:
+                continue
+            prompt = entry["enf"].get("inject_prompt", "") or rule.get("inject_prompt", "")
+            if not prompt:
+                continue
+            # Record pending so check_periodic and next on_tool_call can
+            # clear it when the required tool actually fires.
+            self._on_event_pending[event_name] = {
+                "tool": required_tool,
+                "fired_at_instance": self._tool_instance_counter,
+                "grace": grace,
+                "messages_since": 0,
+            }
+            # For grace=0 the injection is immediate. For grace>0 the
+            # injection is deferred to check_periodic. The checklist set
+            # learning_add to grace=0, so the typical path is immediate.
+            if grace == 0:
+                self._enqueue(
+                    prompt,
+                    f"on_event:{event_name}->{required_tool}",
+                    rule_id=f"on_event:{event_name}",
+                )
+
+    def _check_conditional(self):
+        """Evaluate conditional rules (e.g. task_open threshold).
+
+        Called from check_periodic on every user turn boundary so the
+        obligation opens per conversation turn rather than requiring a
+        specific trigger event. v7.6 checklist fix: the previous
+        threshold of 10 tool calls was criticized as "tarde" — the map
+        now keeps the declared threshold but the engine halves it when
+        the recent tool mix shows edit/execute/delegate signals (Edit,
+        Write, Bash with mutation commands, Task dispatch).
+        """
+        for entry in self._conditional:
+            tool = entry["tool"]
+            rule = entry.get("rule", {})
+            base_threshold = int(rule.get("threshold", 10))
+            # Heuristic: if the recent window shows at least one Edit /
+            # Write / Task call, we treat the work as "edit/execute/
+            # delegate" and halve the threshold (rounding up). This is
+            # the checklist-driven early trigger without changing the
+            # declared contract for non-edit flows.
+            recent_names = {getattr(r, "tool", "") for r in self.recent_tool_records[-10:]}
+            is_edit_flow = bool(recent_names & {"Edit", "Write", "Task"})
+            threshold = max(1, (base_threshold + 1) // 2) if is_edit_flow else base_threshold
+            counter = self._conditional_counters.get(tool, 0)
+            if tool in self.tools_called:
+                # Once task_open has been called at least once, the
+                # conditional rule is satisfied for this task cycle. The
+                # counter is reset on every task_close via reset_task_cycle().
+                continue
+            if counter >= threshold:
+                prompt = entry["enf"].get("inject_prompt", "") or rule.get("inject_prompt", "")
+                if prompt:
+                    self._enqueue(
+                        prompt,
+                        f"conditional:{tool}:{counter}",
+                        rule_id="conditional_threshold",
+                    )
+
+    def reset_task_cycle(self, tool: str = "nexo_task_open"):
+        """Called when a task_close lands, so the conditional counter for
+        the matching open-tool rearms for the next task. Without this,
+        the first task_open satisfies the condition forever — which is
+        exactly the "satisfied-by-once" semantics the checklist flagged.
+        """
+        self._conditional_counters[tool] = 0
 
     def check_periodic(self):
         for entry in self._on_start:
@@ -1977,6 +2195,39 @@ class HeadlessEnforcer:
                 if prompt:
                     self._enqueue(prompt, f"periodic_time:{tool}", rule_id="periodic_by_time")
 
+        # v7.6 conditional + deferred on_event reminders.
+        self._check_conditional()
+        self._check_on_event_pending()
+
+    def _check_on_event_pending(self):
+        """Re-evaluate on_event rules with grace > 0 after message ticks.
+
+        Called from check_periodic. If the grace window has expired and
+        the required tool was never called, fire the reminder. Otherwise
+        the pending row stays put until the target fires or grace runs out.
+        """
+        for event_name, pending in list(self._on_event_pending.items()):
+            required_tool = pending.get("tool")
+            grace = int(pending.get("grace", 0))
+            if required_tool and self._tool_last_instance.get(required_tool, -1) > pending.get("fired_at_instance", -1):
+                self._on_event_pending.pop(event_name, None)
+                continue
+            pending["messages_since"] = int(pending.get("messages_since", 0)) + 1
+            if pending["messages_since"] >= grace:
+                # Locate the matching entry to pull the injection prompt.
+                for entry in self._on_event.get(event_name, []):
+                    if entry["tool"] != required_tool:
+                        continue
+                    rule = entry.get("rule", {})
+                    prompt = entry["enf"].get("inject_prompt", "") or rule.get("inject_prompt", "")
+                    if prompt:
+                        self._enqueue(
+                            prompt,
+                            f"on_event:{event_name}:{pending['fired_at_instance']}->{required_tool}",
+                            rule_id=f"on_event:{event_name}",
+                        )
+                    break
+
     def get_end_prompts(self) -> list[str]:
         prompts = []
         for entry in self._on_end:

package/src/lifecycle_events.py

@@ -1,36 +1,52 @@
-"""NEXO Brain — canonical lifecycle event handler (v7.4.0).
-
-Companion to nexo-desktop's ConversationLifecycleService. Desktop
-persists every conversation/app transition (close / delete / archive /
-switch / window-close / app-exit) to an append-only NDJSON queue BEFORE
-any UI mutation becomes visible, then calls this handler via the
-``nexo_lifecycle_event`` MCP tool. The handler is strictly idempotent:
-re-delivery of the same ``event_id`` returns ``already_processed``
-without replaying any canonical side effect.
-
-Canonical side effects are intentionally minimal in this first slice:
-
-- ``close`` / ``delete`` / ``archive`` / ``app-exit`` / ``window-close``
-  → mark processed. Diary / stop inside the conversation are driven by
-  Desktop's graceful-close flow (``conv-close`` IPC → nexo CLI) and
-  remain the authority for that per-conversation payload. This table
-  is the durable ledger so the next boot can reconcile.
-- ``switch`` → mark processed. No canonical side effect beyond the
-  audit trail; the ledger still matters for telemetry and guard
-  invariants ("operator switched away from a conversation that still
-  had uncommitted claims").
-
-Return shape matches the plan (lines 94-100):
-
-- ``processed``          first delivery, side effects (if any) done
-- ``already_processed``  duplicate delivery, no re-run
-- ``accepted``           persisted, side effect deferred (not used yet)
-- ``rejected``           malformed input, no persistence
-- ``retryable_error``    transient failure, Desktop should retry
-
-Any row keeps ``delivery_status`` as the latest terminal or retryable
-status so ``nexo_lifecycle_status`` / future reconciliation queries
-can read it directly.
+"""NEXO Brain — canonical lifecycle event handler (v7.5).
+
+v7.4.x shipped this tool as a pure ledger + reconciliation surface:
+Desktop persisted every conversation lifecycle transition locally,
+called ``nexo_lifecycle_event`` for book-keeping, and ran its own
+hardcoded ``diary + stop`` prompts against the live Claude process
+during ``closeConversationGraceful``.
+
+v7.5 promotes this handler to the **canonical authority** for
+session-end. For every ``close`` / ``delete`` / ``archive`` /
+``app-exit`` event with a live ``session_id``, Brain now generates a
+deterministic **canonical plan** (``canonical_plan_id``, versioned
+action list) and hands it back in the same MCP call. Desktop executes
+the plan inline (Desktop is still the only process that can reach the
+Claude proc's stdin) and then calls
+``nexo_lifecycle_complete_canonical`` with per-action results. Brain
+records ``canonical_done_at`` only on that second call — no polling.
+
+Idempotency is real, not cosmetic:
+
+1. ``canonical_plan_id`` is deterministic: ``sha256(event_id + version)``.
+   A retry of the same event returns the same plan id, which Desktop
+   can use to skip actions it already completed locally.
+2. Before regenerating a plan for a previously dispatched event, Brain
+   checks whether the session already wrote a ``session_diary`` row
+   after the original ``canonical_dispatched_at``. If it did → the
+   answer is ``already_processed``; no re-dispatch, no duplicate diary.
+
+Status values:
+
+- ``processed``           first delivery, no canonical plan applicable
+                          (e.g. switch / window-close / missing
+                          session_id).
+- ``canonical_pending``   plan generated and returned. Desktop is
+                          expected to execute + confirm.
+- ``canonical_dispatched`` alias for ``canonical_pending`` on a row
+                          that already has ``canonical_dispatched_at``
+                          set (re-delivery case).
+- ``canonical_done``      Desktop confirmed via complete_canonical.
+- ``already_processed``   idempotent duplicate, no re-run.
+- ``accepted``            persisted, no canonical side effect required.
+- ``rejected``            malformed input.
+- ``retryable_error``     a canonical action failed (inject timeout,
+                          stdin closed, etc). Reconciler can retry
+                          with the same plan_id.
+
+Actions that carry a canonical plan: ``close``, ``delete``, ``archive``,
+``app-exit``. ``switch`` and ``window-close`` still return
+``accepted`` (no live-session work to do).
 """
 from __future__ import annotations
 
@@ -38,6 +54,7 @@ import json
 from typing import Any, Dict, Optional
 
 from db import get_db
+import lifecycle_prompts
 
 
 VALID_ACTIONS = {
@@ -49,8 +66,14 @@ VALID_ACTIONS = {
     "window-close",
 }
 
-TERMINAL_STATUSES = {"processed", "already_processed", "rejected"}
-_DIARY_TRIGGERING = {"close", "delete", "archive", "app-exit"}
+# Terminal for the user of the ledger (no further action expected).
+TERMINAL_STATUSES = {
+    "processed",
+    "canonical_done",
+    "already_processed",
+    "rejected",
+}
+_DIARY_TRIGGERING = lifecycle_prompts.DIARY_TRIGGERING_ACTIONS
 
 
 def _normalise_payload(obj: Any) -> str:
@@ -60,6 +83,26 @@ def _normalise_payload(obj: Any) -> str:
         return "{}"
 
 
+def _session_diary_since(conn, session_id: str, dispatched_at: Optional[str]) -> bool:
+    """True if session_diary has a row for ``session_id`` created after
+    ``dispatched_at``. Used by the canonical-authority idempotency
+    guard: if the live session already produced a diary since the
+    plan was handed out, we must NOT re-dispatch it.
+    """
+    if not session_id or not dispatched_at:
+        return False
+    try:
+        row = conn.execute(
+            "SELECT 1 FROM session_diary "
+            "WHERE session_id = ? AND created_at > ? LIMIT 1",
+            (str(session_id), str(dispatched_at)),
+        ).fetchone()
+    except Exception:
+        # Missing table on a minimal test harness — treat as "no diary".
+        return False
+    return row is not None
+
+
 def record_lifecycle_event(
     event_id: str,
     action: str,
@@ -70,9 +113,15 @@ def record_lifecycle_event(
     source: str = "desktop",
     schema_version: int = 1,
 ) -> Dict[str, Any]:
-    """Idempotent upsert + process.
+    """Idempotent upsert + canonical plan generation (v7.5).
 
-    Returns ``{status, event_id, diary_triggered, duplicate}``.
+    Returns ``{status, event_id, ...}`` where ``status`` is one of:
+    ``rejected`` | ``already_processed`` | ``processed`` |
+    ``canonical_pending`` | ``accepted``. When the answer is
+    ``canonical_pending``, the response also carries
+    ``canonical_plan_id``, ``canonical_plan_version`` and
+    ``canonical_actions[]`` — Desktop must execute those actions and
+    confirm via ``record_complete_canonical``.
     """
     if not event_id or not str(event_id).strip():
         return {"status": "rejected", "reason": "missing-event-id"}
@@ -83,12 +132,32 @@ def record_lifecycle_event(
 
     conn = get_db()
     existing = conn.execute(
-        "SELECT delivery_status FROM lifecycle_events WHERE event_id = ?",
+        "SELECT delivery_status, canonical_plan_id, canonical_plan_version, "
+        "canonical_actions_json, canonical_dispatched_at, canonical_done_at "
+        "FROM lifecycle_events WHERE event_id = ?",
         (str(event_id),),
     ).fetchone()
 
+    plan = lifecycle_prompts.build_canonical_plan(
+        event_id=str(event_id),
+        action=str(action),
+        conversation_id=str(conversation_id),
+        session_id=str(session_id) if session_id else None,
+        payload_snapshot=payload_snapshot or {},
+    )
+
     if existing is not None:
         status = str(existing[0] or "")
+        prior_plan_id = existing[1]
+        prior_actions_json = existing[3]
+        prior_dispatched_at = existing[5]  # column 5 is canonical_done_at — reuse?
+        # column indices (0-5): delivery_status, canonical_plan_id,
+        # canonical_plan_version, canonical_actions_json,
+        # canonical_dispatched_at, canonical_done_at.
+        prior_dispatched_at = existing[4]
+        prior_done_at = existing[5]
+
+        # Case A: terminal status already recorded — hard idempotency.
         if status in TERMINAL_STATUSES:
             return {
                 "status": "already_processed",
@@ -96,8 +165,73 @@ def record_lifecycle_event(
                 "duplicate": True,
                 "prior_status": status,
             }
-        # Non-terminal row (accepted / retryable_error) — flip to processed
-        # now and record the transition.
+
+        # Case B: canonical was dispatched but never confirmed. Check
+        # whether the live session wrote a diary after dispatch; if so
+        # the intent has already been satisfied by the model and we
+        # must NOT ask Desktop to re-run the plan.
+        if prior_plan_id and prior_dispatched_at and not prior_done_at:
+            if session_id and _session_diary_since(conn, str(session_id), str(prior_dispatched_at)):
+                conn.execute(
+                    "UPDATE lifecycle_events "
+                    "SET delivery_status = 'already_processed', "
+                    "    canonical_done_at = datetime('now'), "
+                    "    last_error = NULL "
+                    "WHERE event_id = ?",
+                    (str(event_id),),
+                )
+                conn.commit()
+                return {
+                    "status": "already_processed",
+                    "event_id": event_id,
+                    "duplicate": True,
+                    "prior_status": status,
+                    "reason": "session_diary-already-written",
+                }
+            # Re-hand the exact same plan so Desktop can resume / finish
+            # any actions it didn't complete before the crash.
+            try:
+                actions = json.loads(prior_actions_json) if prior_actions_json else []
+            except Exception:
+                actions = []
+            return {
+                "status": "canonical_pending",
+                "event_id": event_id,
+                "canonical_plan_id": prior_plan_id,
+                "canonical_plan_version": int(existing[2] or lifecycle_prompts.PLAN_VERSION),
+                "canonical_actions": actions,
+                "resumed_from_dispatch": True,
+            }
+
+        # Case C: non-terminal, no canonical plan yet — flip to processed
+        # (legacy ledger semantics) OR upgrade to canonical_pending if a
+        # plan applies.
+        if plan is not None:
+            conn.execute(
+                "UPDATE lifecycle_events "
+                "SET delivery_status = 'canonical_pending', "
+                "    canonical_plan_id = ?, "
+                "    canonical_plan_version = ?, "
+                "    canonical_actions_json = ?, "
+                "    canonical_dispatched_at = datetime('now'), "
+                "    last_error = NULL "
+                "WHERE event_id = ?",
+                (
+                    plan["canonical_plan_id"],
+                    int(plan["canonical_plan_version"]),
+                    json.dumps(plan["canonical_actions"], ensure_ascii=False),
+                    str(event_id),
+                ),
+            )
+            conn.commit()
+            return {
+                "status": "canonical_pending",
+                "event_id": event_id,
+                "canonical_plan_id": plan["canonical_plan_id"],
+                "canonical_plan_version": plan["canonical_plan_version"],
+                "canonical_actions": plan["canonical_actions"],
+                "reopened": True,
+            }
         conn.execute(
             "UPDATE lifecycle_events SET delivery_status = 'processed', "
             "processed_at = datetime('now'), last_error = NULL "
@@ -113,6 +247,45 @@ def record_lifecycle_event(
             "reopened": True,
         }
 
+    # Brand new event.
+    if plan is not None:
+        conn.execute(
+            """
+            INSERT INTO lifecycle_events (
+                event_id, schema_version, source, action, conversation_id,
+                session_id, reason, payload_snapshot, delivery_status,
+                retry_count, canonical_plan_id, canonical_plan_version,
+                canonical_actions_json, canonical_dispatched_at
+            ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, 'canonical_pending', 0,
+                      ?, ?, ?, datetime('now'))
+            """,
+            (
+                str(event_id),
+                int(schema_version or 1),
+                str(source or "desktop"),
+                str(action),
+                str(conversation_id),
+                str(session_id) if session_id else None,
+                str(reason or "user_action"),
+                _normalise_payload(payload_snapshot),
+                plan["canonical_plan_id"],
+                int(plan["canonical_plan_version"]),
+                json.dumps(plan["canonical_actions"], ensure_ascii=False),
+            ),
+        )
+        conn.commit()
+        return {
+            "status": "canonical_pending",
+            "event_id": event_id,
+            "canonical_plan_id": plan["canonical_plan_id"],
+            "canonical_plan_version": plan["canonical_plan_version"],
+            "canonical_actions": plan["canonical_actions"],
+            "duplicate": False,
+        }
+
+    # No plan: ledger-only record (switch/window-close or missing
+    # session_id on a diary-triggering action). Mark processed
+    # immediately so callers get the v7.4.x contract back.
     conn.execute(
         """
         INSERT INTO lifecycle_events (
@@ -133,7 +306,6 @@ def record_lifecycle_event(
         ),
     )
     conn.commit()
-
     return {
         "status": "processed",
         "event_id": event_id,
@@ -142,13 +314,94 @@ def record_lifecycle_event(
     }
 
 
+def record_complete_canonical(
+    event_id: str,
+    canonical_plan_id: str,
+    results: Optional[list] = None,
+) -> Dict[str, Any]:
+    """Close the 2-call contract: Desktop confirms it executed the plan.
+
+    Inputs:
+    - ``event_id``: the original event id.
+    - ``canonical_plan_id``: must match the one Brain handed out. A
+      mismatch means Desktop is confirming a stale plan — we ignore
+      it and answer ``rejected``.
+    - ``results``: list of ``{action_id, status, ...}``. If any
+      ``status != 'ok'`` we flip the row to ``retryable_error`` and
+      keep ``canonical_dispatched_at`` intact so reconciliation can
+      re-ask.
+
+    Returns the effective row status after the call.
+    """
+    if not event_id:
+        return {"status": "rejected", "reason": "missing-event-id"}
+    if not canonical_plan_id:
+        return {"status": "rejected", "reason": "missing-canonical-plan-id"}
+
+    conn = get_db()
+    row = conn.execute(
+        "SELECT delivery_status, canonical_plan_id, canonical_done_at "
+        "FROM lifecycle_events WHERE event_id = ?",
+        (str(event_id),),
+    ).fetchone()
+    if row is None:
+        return {"status": "rejected", "reason": "unknown-event-id"}
+    current_status = str(row[0] or "")
+    expected_plan = row[1]
+    already_done_at = row[2]
+
+    if expected_plan and canonical_plan_id != expected_plan:
+        return {
+            "status": "rejected",
+            "reason": "canonical_plan_id-mismatch",
+            "expected": expected_plan,
+            "received": canonical_plan_id,
+        }
+    if already_done_at and current_status == "canonical_done":
+        return {
+            "status": "already_processed",
+            "event_id": event_id,
+            "duplicate": True,
+        }
+
+    results_list = list(results or [])
+    any_failure = any(
+        str((r or {}).get("status", "")).lower() not in {"ok", "success", "already_processed"}
+        for r in results_list
+    )
+    effective = "retryable_error" if any_failure else "canonical_done"
+    conn.execute(
+        "UPDATE lifecycle_events "
+        "SET delivery_status = ?, "
+        "    canonical_done_at = datetime('now'), "
+        "    canonical_done_results = ?, "
+        "    last_error = ? "
+        "WHERE event_id = ?",
+        (
+            effective,
+            json.dumps(results_list, ensure_ascii=False),
+            "one-or-more-actions-failed" if any_failure else None,
+            str(event_id),
+        ),
+    )
+    conn.commit()
+    return {
+        "status": effective,
+        "event_id": event_id,
+        "canonical_plan_id": canonical_plan_id,
+        "failed_actions": any_failure,
+    }
+
+
 def get_lifecycle_event(event_id: str) -> Optional[Dict[str, Any]]:
     if not event_id:
         return None
     row = get_db().execute(
         "SELECT event_id, schema_version, source, action, conversation_id, "
         "session_id, reason, payload_snapshot, delivery_status, retry_count, "
-        "created_at, processed_at, last_error "
+        "created_at, processed_at, last_error, "
+        "canonical_plan_id, canonical_plan_version, canonical_actions_json, "
+        "canonical_dispatched_at, canonical_done_at, canonical_done_results "
         "FROM lifecycle_events WHERE event_id = ?",
         (str(event_id),),
     ).fetchone()
@@ -158,6 +411,14 @@ def get_lifecycle_event(event_id: str) -> Optional[Dict[str, Any]]:
         payload = json.loads(row[7] or "{}")
     except Exception:
         payload = {}
+    try:
+        actions = json.loads(row[15]) if row[15] else None
+    except Exception:
+        actions = None
+    try:
+        results = json.loads(row[18]) if row[18] else None
+    except Exception:
+        results = None
     return {
         "event_id": row[0],
         "schema_version": row[1],
@@ -172,6 +433,12 @@ def get_lifecycle_event(event_id: str) -> Optional[Dict[str, Any]]:
         "created_at": row[10],
         "processed_at": row[11],
         "last_error": row[12],
+        "canonical_plan_id": row[13],
+        "canonical_plan_version": row[14],
+        "canonical_actions": actions,
+        "canonical_dispatched_at": row[16],
+        "canonical_done_at": row[17],
+        "canonical_done_results": results,
     }
 
 

package/src/lifecycle_prompts.py

@@ -0,0 +1,138 @@
+"""NEXO Brain — canonical lifecycle action templates (v7.5).
+
+Brain owns the prompt that Desktop injects into a live Claude session
+at close / delete / archive / app-exit time. Desktop never hardcodes
+the wording; it just receives a list of ``canonical_actions`` and
+executes them against the conversation's stdin / lifecycle.
+
+The template version is bumped whenever the prompt or the action
+schema changes. The version is part of ``canonical_plan_id`` so two
+dispatches of the same event produced by two different Brain versions
+do NOT collide (a retry from an older Desktop hitting a newer Brain
+will get the newer plan; a retry of a previous plan reuses the same
+id because the event_id hasn't changed).
+"""
+from __future__ import annotations
+
+import hashlib
+import json
+from typing import Any, Dict, List, Optional
+
+
+PLAN_VERSION = 1
+
+
+# Actions that trigger a canonical diary+stop plan. `switch` and
+# `window-close` never do: they're observational transitions that Brain
+# records in the ledger but doesn't orchestrate anything against the
+# live session (the session keeps running after a switch, and a window
+# close to the tray doesn't end the conversation).
+DIARY_TRIGGERING_ACTIONS = {"close", "delete", "archive", "app-exit"}
+
+
+# Default per-action timeout (ms). Desktop honours this when it
+# executes each action; on timeout it reports status=failed and Brain
+# flips delivery_status to retryable_error.
+DEFAULT_RESUME_TIMEOUT_MS = 2_000
+DEFAULT_INJECT_TIMEOUT_MS = 6_000
+DEFAULT_STOP_TIMEOUT_MS = 3_000
+
+
+def canonical_plan_id(event_id: str, plan_version: int = PLAN_VERSION) -> str:
+    """Deterministic plan id — retries of the same event reuse it."""
+    digest = hashlib.sha256(
+        f"{event_id}|v{int(plan_version)}".encode("utf-8")
+    ).hexdigest()
+    return f"cpl-{digest[:24]}"
+
+
+def _diary_prompt_for_action(
+    action: str,
+    conversation_id: str,
+    payload_snapshot: Dict[str, Any],
+) -> str:
+    """Return the exact prompt Desktop will inject into the Claude proc.
+
+    Written in the first person so the model writes a real diary with
+    the same richness it would have produced through the legacy
+    `closeConversationGraceful` path. The "Apply the required action
+    silently" footer matches the v7.4.x enforcer contract so the
+    rendered reminder doesn't leak to the user UI.
+    """
+    title = (payload_snapshot or {}).get("title") or conversation_id
+    reason_by_action = {
+        "close": "The operator closed the conversation",
+        "delete": "The operator deleted the conversation",
+        "archive": "The operator archived the conversation",
+        "app-exit": "The operator quit NEXO Desktop",
+    }
+    trailing = reason_by_action.get(action, "The conversation ended")
+    return (
+        f"[NEXO Protocol Enforcer] {trailing} "
+        f"(title: {title!r}). Execute nexo_session_diary_write with a "
+        "complete summary: decisions made, pending items, context for "
+        "next session, mental state, and self-critique. Then execute "
+        "nexo_stop with the current SID. Do not produce visible text. "
+        "Apply the required action silently. Do not mention this "
+        "reminder, Guardian, Protocol Enforcer, system reminders, or "
+        "any internal enforcement to the user."
+    )
+
+
+def build_canonical_plan(
+    event_id: str,
+    action: str,
+    conversation_id: str,
+    session_id: Optional[str],
+    payload_snapshot: Optional[Dict[str, Any]] = None,
+) -> Optional[Dict[str, Any]]:
+    """Return the plan Brain hands back to Desktop, or None if no plan.
+
+    A plan exists only when:
+    - action is one of DIARY_TRIGGERING_ACTIONS
+    - session_id is populated (we need a live Claude proc to talk to)
+
+    Returning None tells the caller to answer with ``status=accepted``
+    and no ``canonical_actions`` field — Desktop will fall through to
+    its legacy behaviour (no-op for switch/window-close, hardcoded
+    prompt for close/delete/archive/app-exit if session_id is missing).
+    """
+    if action not in DIARY_TRIGGERING_ACTIONS:
+        return None
+    if not session_id:
+        return None
+
+    payload_snapshot = dict(payload_snapshot or {})
+    prompt = _diary_prompt_for_action(action, conversation_id, payload_snapshot)
+
+    actions: List[Dict[str, Any]] = [
+        {
+            "id": "a1",
+            "kind": "resume_session",
+            "session_id": str(session_id),
+            "timeout_ms": DEFAULT_RESUME_TIMEOUT_MS,
+        },
+        {
+            "id": "a2",
+            "kind": "inject_prompt",
+            "session_id": str(session_id),
+            "prompt": prompt,
+            "expected_tool_call": "nexo_session_diary_write",
+            "timeout_ms": DEFAULT_INJECT_TIMEOUT_MS,
+        },
+        {
+            "id": "a3",
+            "kind": "stop_session",
+            "session_id": str(session_id),
+            "timeout_ms": DEFAULT_STOP_TIMEOUT_MS,
+        },
+    ]
+    return {
+        "canonical_plan_id": canonical_plan_id(event_id, PLAN_VERSION),
+        "canonical_plan_version": PLAN_VERSION,
+        "canonical_actions": actions,
+    }
+
+
+def canonical_plan_as_json(plan: Dict[str, Any]) -> str:
+    return json.dumps(plan, ensure_ascii=False, sort_keys=True)

package/src/plugins/lifecycle_events.py

@@ -99,15 +99,68 @@ def handle_nexo_lifecycle_status(event_id: str) -> str:
     return json.dumps(row, ensure_ascii=False)
 
 
+def handle_nexo_lifecycle_complete_canonical(
+    event_id: str,
+    canonical_plan_id: str,
+    results: str = "",
+) -> str:
+    """Close the v7.5 canonical-authority 2-call contract.
+
+    Desktop calls this tool after executing every action Brain returned
+    in the ``canonical_actions`` array from ``nexo_lifecycle_event``.
+    Brain then records ``canonical_done_at`` and flips the row status
+    to ``canonical_done`` (or ``retryable_error`` if any action
+    failed).
+
+    Args:
+        event_id: UUID of the original lifecycle event.
+        canonical_plan_id: The plan id Brain returned. Mismatch → rejected.
+        results: JSON-encoded array of per-action outcomes:
+            ``[{"action_id": "a1", "status": "ok"|"failed", ...}, ...]``
+
+    Returns:
+        JSON ack with the effective row status.
+    """
+    parsed_results: list = []
+    if results:
+        try:
+            parsed = json.loads(results)
+            if isinstance(parsed, list):
+                parsed_results = parsed
+            else:
+                parsed_results = [{"status": "failed", "reason": "results-not-array", "raw": str(results)[:200]}]
+        except Exception as exc:
+            parsed_results = [{"status": "failed", "reason": f"malformed-results:{exc}"}]
+
+    try:
+        ack = lifecycle_events.record_complete_canonical(
+            event_id=str(event_id or ""),
+            canonical_plan_id=str(canonical_plan_id or ""),
+            results=parsed_results,
+        )
+    except Exception as exc:
+        return json.dumps({
+            "status": "retryable_error",
+            "reason": f"{type(exc).__name__}: {exc}",
+            "handler_threw": True,
+        }, ensure_ascii=False)
+    return json.dumps(ack, ensure_ascii=False)
+
+
 TOOLS = [
     (
         handle_nexo_lifecycle_event,
         "nexo_lifecycle_event",
-        "Record a durable lifecycle event (close/delete/archive/switch/app-exit/window-close) and return a canonical ack.",
+        "Record a durable lifecycle event (close/delete/archive/switch/app-exit/window-close). In v7.5 Brain returns a canonical_actions plan for diary-triggering actions with a live session_id.",
     ),
     (
         handle_nexo_lifecycle_status,
         "nexo_lifecycle_status",
         "Read the current delivery_status of a lifecycle event. Used by Desktop boot reconciliation.",
     ),
+    (
+        handle_nexo_lifecycle_complete_canonical,
+        "nexo_lifecycle_complete_canonical",
+        "Confirm that Desktop finished executing the canonical_actions Brain handed out in a prior nexo_lifecycle_event call. Brain marks canonical_done_at only on this confirmation.",
+    ),
 ]

package/src/presets/guardian_default.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://nexo-brain.com/schemas/guardian-config-v1.json",
-  "version": "1.3.3",
-  "description": "Default Guardian configuration. Copied to ~/.nexo/personal/config/guardian.json at `nexo init` / `nexo update` if no user config exists. If user config exists, merge keys NOT present in user config without overwriting user overrides. Core rules (R13, R14, R16, R25, R30) can only be shadow/soft/hard — mode=off is rejected by validator.",
+  "version": "1.4.0",
+  "description": "Default Guardian configuration. Copied to ~/.nexo/personal/config/guardian.json at `nexo init` / `nexo update` if no user config exists. If user config exists, merge keys NOT present in user config without overwriting user overrides. Core rules (R13, R14, R16, R25, R30) can only be shadow/soft/hard — mode=off is rejected by validator. v1.4.0 (constructor-guardian-90 checklist): R15/R17/R22/R_CATALOG upgraded from soft to hard where false-positive telemetry was low enough; R34 identity_coherence raised from shadow to soft so identity denials surface an actual reminder instead of silent logging.",
   "enabled": true,
   "classifier_task_profile": "enforcer_classify",
   "classifier_tier": "muy_bajo",
@@ -27,14 +27,14 @@
     "R12_cognitive_write_dedup": "soft",
     "R13_pre_edit_guard": "hard",
     "R14_correction_learning": "hard",
-    "R15_project_context": "soft",
+    "R15_project_context": "hard",
     "R16_declared_done": "hard",
-    "R17_promise_debt": "soft",
+    "R17_promise_debt": "hard",
     "R18_followup_autocomplete": "soft",
     "R19_project_grep": "soft",
     "R20_constant_grep": "soft",
     "R21_legacy_path": "shadow",
-    "R22_personal_script": "soft",
+    "R22_personal_script": "hard",
     "R23_ssh_without_atlas": "soft",
     "R23i_auto_deploy_ignored": "soft",
     "R23j_global_install": "shadow",
@@ -42,7 +42,7 @@
     "R24_stale_memory": "shadow",
     "R25_nora_maria_read_only": "hard",
     "R30_pre_done_evidence_system_prompt": "hard",
-    "R_CATALOG_before_artifact_create": "soft",
+    "R_CATALOG_before_artifact_create": "hard",
     "R26_no_internal_jargon": "hard",
     "R27_concise_responses": "hard",
     "R28_correction_learning_system_prompt": "hard",
@@ -59,7 +59,7 @@
     "R23g_secrets_in_output": "soft",
     "R23m_message_duplicate": "soft",
     "R23h_shebang_mismatch": "shadow",
-    "R34_identity_coherence": "shadow"
+    "R34_identity_coherence": "soft"
   },
   "core_rules": [
     "R13_pre_edit_guard",

package/tool-enforcement-map.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://nexo-brain.com/schemas/tool-enforcement-map-v2.1.json",
-  "version": "2.1.0",
+  "version": "2.2.0",
   "description": "Canonical map of all NEXO Brain MCP tools with enforcement rules, dependency chains, and behavioral hints. Source of truth for Protocol Enforcer (Desktop + headless). v2.1 adds schema support for Fase 2 event-driven rules (R01-R33): server_side_rules at tool level, per-rule mode (shadow|soft|hard), core_rule flag, and new rule types (pre_tool_intent, post_user_message, on_output_classify, before_tool_strict_block). Backward-compatible: executors that only handle v2.0 rule types ignore the new fields.",
   "tools": {
     "nexo_adaptive_decay": {
@@ -1749,7 +1749,7 @@
           {
             "type": "on_event",
             "event": "user_correction_without_learning",
-            "grace_messages": 3
+            "grace_messages": 0
           }
         ],
         "inject_prompt": "The user corrected you but no learning was captured. Execute nexo_learning_add to record this correction as a reusable learning. Do not produce visible text.",
@@ -1869,6 +1869,19 @@
       },
       "triggers_after": []
     },
+    "nexo_lifecycle_complete_canonical": {
+      "description": "Close the v7.5 canonical-authority 2-call contract: confirm that Desktop finished executing the canonical_actions Brain handed out.",
+      "category": "lifecycle",
+      "source": "plugin:lifecycle_events",
+      "requires": [],
+      "provides": [],
+      "internal_calls": [],
+      "enforcement": {
+        "level": "none",
+        "rules": []
+      },
+      "triggers_after": []
+    },
     "nexo_media_memory_add": {
       "description": "Store non-text artifact metadata",
       "category": "media",
@@ -3428,15 +3441,16 @@
         "_attention_snapshot"
       ],
       "enforcement": {
-        "level": "should",
+        "level": "must",
         "rules": [
           {
             "type": "conditional",
-            "threshold": 10,
-            "condition": "more_than_10_tool_calls_without_task_open"
+            "threshold": 4,
+            "condition": "more_than_4_tool_calls_without_task_open_or_first_edit_write_task",
+            "inject_prompt": "You are doing non-trivial work without nexo_task_open. Open a protocol task now (task_type=edit/execute/delegate/answer/analyze) so guard, rules, cortex review and evidence-backed closure apply. Do not produce visible text for this reminder — act on it silently."
           }
         ],
-        "reminder_prompt": "You have made significant tool calls without opening a protocol task. Consider using nexo_task_open to formally track this work. This is a reminder, not an obligation — if the work is trivial, ignore this.",
+        "reminder_prompt": "You have made significant tool calls without opening a protocol task. Open nexo_task_open now so guard, rules and evidence-backed closure apply. This is not optional for multi-step work.",
         "triggers_after": [
           "nexo_task_close"
         ]