nexo-brain 7.5.0 → 7.7.0

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.5.0",
+  "version": "7.7.0",
   "description": "Local cognitive runtime for Claude Code \u2014 persistent memory, overnight learning, doctor diagnostics, personal scripts, recovery-aware jobs, startup preflight, and optional dashboard/power helper.",
   "author": {
     "name": "NEXO Brain",

package/README.md

@@ -18,7 +18,11 @@
 
 [Watch the overview video](https://nexo-brain.com/watch/) · [Watch on YouTube](https://www.youtube.com/watch?v=i2lkGhKyVqI) · [Open the infographic](https://nexo-brain.com/assets/nexo-brain-infographic-v5.png)
 
-Version `7.5.0` is the current packaged-runtime line. Minor release that promotes `nexo_lifecycle_event` from ledger + reconciliation authority to **canonical authority of session-end**. Brain now owns the prompt, the sequence, and the timing of diary+stop; Desktop v0.25.0 (closed-source companion) is the conduit that executes Brain's plan against the live Claude process. The new 2-call contract — `nexo_lifecycle_event` returns a versioned `canonical_plan` (resume_session → inject_prompt → stop_session, with stable ids and per-action timeouts) and `nexo_lifecycle_complete_canonical` confirms execution with a per-action results array — replaces polling with explicit acknowledgement. `canonical_plan_id` is deterministic: `sha256(event_id + "|v" + plan_version)[:24]`, so retries reuse the same id. Migration m52 extends `lifecycle_events` with six `canonical_*` columns plus an index; pre-v7.5 rows simply carry NULL. `session_diary` is the dedupe key on re-delivery: if Desktop crashes between executing the inject and sending the complete call, the next `nexo_lifecycle_event` for the same `event_id` checks for a diary written after `canonical_dispatched_at`; if one exists, Brain short-circuits to `already_processed` and refuses to re-dispatch. The seven explicit `delivery_status` values (`accepted`, `processed`, `canonical_pending`, `canonical_done`, `already_processed`, `retryable_error`, `rejected`) give the pipeline a diffable state machine. `switch` and `window-close` stay observational (no plan ever issued, even with a live `session_id`). `nexo lifecycle record` now returns exit code 0 for `canonical_pending`; older wrappers that treated it as an error are incompatible with v7.5. MCP tool count: 262 → 263.
+Version `7.7.0` is the current packaged-runtime line. Minor release that closes the six gaps left partial after v7.6.0's constructor-guardian-90 pass 1. Gap 1: an autonomous detector now raises `multi_step_task_detected` after three recent Edit/Write/Task calls without a prior `nexo_skill_match` (v7.6 dispatched the event but nothing raised it). Gap 2: the R16 classifier prompt recognises the full done-claim vocabulary (sent / delivered / published / deployed / released / fixed / resolved / merged / pushed plus Spanish equivalents) so the on_event trigger `done_claimed_with_open_task` fires beyond the word "done". Gap 3: R_CATALOG extends to plain `Edit` / `Write` into artefact-bearing paths (skills/, plugins/, personal scripts, `templates/core-prompts/`) and grows its discovery set to include `nexo_personal_scripts_list` + `nexo_plugin_list`. Gap 4: new `R_PRIMITIVE_CHOICE` runtime rule gates Edit/Write of a brand-new artefact without a recent primitive-choice probe (SK-CREATE-NEXO-PRIMITIVE). Gap 5: `guardian_default.json` v1.5.0 raises `R11_plugin_load_pre_inventory` from soft to hard. Gap 6: new `tests/test_v77_enforcement_gaps.py` pins 12 invariants across all six rails. Pytest 2070 passing (+14 vs v7.6.0). Companion release: NEXO Desktop v0.27.0 mirrors the guardian default bumps.
+
+Previously in `7.6.0`: minor release that closed the drift between `tool-enforcement-map.json` v2.2 and the two enforcement engines (Brain Python + Desktop JS), added per-instance `after_tool` satisfaction, tightened `learning_add` grace to 0 and `task_open` threshold to 4/must, hardened R15/R17/R22/R_CATALOG from soft to hard, and raised R34 from shadow to soft.
+
+Previously in `7.5.0`: minor release that promoted `nexo_lifecycle_event` from ledger + reconciliation authority to **canonical authority of session-end**. Brain now owns the prompt, the sequence, and the timing of diary+stop; Desktop v0.25.0 (closed-source companion) is the conduit that executes Brain's plan against the live Claude process. The new 2-call contract — `nexo_lifecycle_event` returns a versioned `canonical_plan` (resume_session → inject_prompt → stop_session, with stable ids and per-action timeouts) and `nexo_lifecycle_complete_canonical` confirms execution with a per-action results array — replaces polling with explicit acknowledgement. `canonical_plan_id` is deterministic: `sha256(event_id + "|v" + plan_version)[:24]`, so retries reuse the same id. Migration m52 extends `lifecycle_events` with six `canonical_*` columns plus an index; pre-v7.5 rows simply carry NULL. `session_diary` is the dedupe key on re-delivery: if Desktop crashes between executing the inject and sending the complete call, the next `nexo_lifecycle_event` for the same `event_id` checks for a diary written after `canonical_dispatched_at`; if one exists, Brain short-circuits to `already_processed` and refuses to re-dispatch. The seven explicit `delivery_status` values (`accepted`, `processed`, `canonical_pending`, `canonical_done`, `already_processed`, `retryable_error`, `rejected`) give the pipeline a diffable state machine. `switch` and `window-close` stay observational (no plan ever issued, even with a live `session_id`). `nexo lifecycle record` now returns exit code 0 for `canonical_pending`; older wrappers that treated it as an error are incompatible with v7.5. MCP tool count: 262 → 263.
 
 Previously in `7.4.1`: patch release correcting the over-promise in v7.4.0's release notes and locking in the exact role of `nexo_lifecycle_event` as a ledger + reconciliation authority — NOT the canonical executor of diary+stop, which lived in Desktop. That responsibility moved to Brain in v7.5.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.5.0",
+  "version": "7.7.0",
   "mcpName": "io.github.wazionapps/nexo",
   "description": "NEXO Brain \u2014 Shared brain for AI agents. Persistent memory, semantic RAG, natural forgetting, metacognitive guard, trust scoring, 150+ MCP tools. Works with Claude Code, Codex, Claude Desktop & any MCP client. 100% local, free.",
   "homepage": "https://nexo-brain.com",

package/src/enforcement_engine.py

@@ -80,6 +80,11 @@ try:
 except ImportError:  # pragma: no cover
     _r_catalog_should = None  # type: ignore
 
+try:
+    from r_primitive_choice import should_inject_r_primitive as _r_primitive_should
+except ImportError:  # pragma: no cover
+    _r_primitive_should = None  # type: ignore
+
 try:
     from r34_identity_coherence import should_inject_r34 as _r34_should
 except ImportError:  # pragma: no cover
@@ -399,12 +404,41 @@ class HeadlessEnforcer:
         self._periodic_msg: list[dict] = []
         self._periodic_time: list[dict] = []
         self._after_tool: dict[str, list[dict]] = {}
+        # v7.6.0 parity fix: three rule types were declared in the map
+        # (version 2.1) but never dispatched by Brain, only by Desktop.
+        # This broke the Brain↔Desktop parity contract (fase2_schema
+        # notes line) and made the map silently over-promise.
+        self._before_tool: dict[str, list[dict]] = {}   # trigger_tool → [entries watching it]
+        self._on_event: dict[str, list[dict]] = {}       # event_name → [entries listening]
+        self._conditional: list[dict] = []               # [entries with counter-based conditions]
+        # Monotonic tool-call instance counter. Used by after_tool /
+        # before_tool to implement "per-instance" satisfaction instead of
+        # the old "once in session" semantics that the checklist flagged
+        # as broken: once target_tool was called a single time, every
+        # subsequent trigger call was silently satisfied.
+        self._tool_instance_counter: int = 0
+        self._tool_last_instance: dict[str, int] = {}
+        # Mapping trigger_instance → satisfaction required. Key: (trigger_tool, trigger_instance, target_tool).
+        # The dependency is satisfied when target_tool is called with
+        # tool_last_instance[target] > trigger_instance.
+        self._after_tool_open_deps: list[tuple[str, int, str]] = []
+        # conditional counters — tool_calls_without_target per rule.
+        self._conditional_counters: dict[str, int] = {}
+        # on_event grace windows — per (event_name) counter of messages
+        # since event fired without the required tool being called.
+        self._on_event_pending: dict[str, dict] = {}
+        # v7.7 Gap 1: latch so multi_step_task_detected fires at most once
+        # per task cycle. Cleared on skill_match OR task_close.
+        self._multi_step_event_fired: bool = False
 
         if self.map:
             self._build_indexes()
-            _logger.info("Map v%s loaded: %d on_start, %d on_end, %d periodic_msg, %d periodic_time, %d after_tool",
-                         self.map.get("version", "?"), len(self._on_start), len(self._on_end),
-                         len(self._periodic_msg), len(self._periodic_time), len(self._after_tool))
+            _logger.info(
+                "Map v%s loaded: %d on_start, %d on_end, %d periodic_msg, %d periodic_time, "
+                "%d after_tool, %d before_tool, %d on_event (events), %d conditional",
+                self.map.get("version", "?"), len(self._on_start), len(self._on_end),
+                len(self._periodic_msg), len(self._periodic_time), len(self._after_tool),
+                len(self._before_tool), len(self._on_event), len(self._conditional))
         else:
             _logger.warning("No enforcement map found")
 
@@ -427,6 +461,28 @@ class HeadlessEnforcer:
                 elif rtype == "after_tool":
                     for wt in rule.get("watch_tools", []):
                         self._after_tool.setdefault(wt, []).append(entry)
+                elif rtype == "before_tool":
+                    # Tool T declares a before_tool rule watching tools W1..Wn.
+                    # When any Wi is about to be called, T must have been
+                    # called first (since the last relevant reset). Example:
+                    # nexo_guard_check has before_tool watching [Edit, Write].
+                    for wt in rule.get("watch_tools", []):
+                        self._before_tool.setdefault(wt, []).append(entry)
+                elif rtype == "on_event":
+                    # Tool T declares an on_event rule listening for event E.
+                    # Hooks / the engine itself raise E via raise_event(E).
+                    # When E fires, if T was not called within grace_messages,
+                    # inject the reminder.
+                    event = rule.get("event", "")
+                    if event:
+                        self._on_event.setdefault(event, []).append(entry)
+                elif rtype == "conditional":
+                    # Tool T must be called when a condition holds (currently
+                    # "more_than_N_tool_calls_without_task_open" style). v7.6
+                    # fix: the condition is evaluated at every tool call so
+                    # the obligation re-opens per task, not just once in the
+                    # session.
+                    self._conditional.append(entry)
 
             for triggered in enf.get("triggers_after", []):
                 self._after_tool.setdefault(tool_name, []).append({
@@ -602,6 +658,14 @@ class HeadlessEnforcer:
         self._r14_correction_seen_for_turn = True
         _logger.info("[R14 %s] correction detected; window opened for %d tool calls",
                      mode.upper(), self._r14_window_remaining)
+        # v7.7 Gap 7.2 — wire on_event so the map's
+        # `user_correction_without_learning` rule fires in the live
+        # stream. grace_messages was set to 0 in map v2.2 so the
+        # learning reminder must surface the same turn.
+        try:
+            self.raise_event("user_correction_without_learning", {"text_hash": hash(text or "")})
+        except Exception:
+            pass  # telemetry-style; never crash R14 detection
 
     def _run_session_end_detection(self, text: str, *, detector=None) -> bool:
         if not self._on_end:
@@ -800,6 +864,13 @@ class HeadlessEnforcer:
             return
         self._enqueue(_R16_PROMPT, "r16:declared-done-without-close", rule_id="R16_declared_done")
         _logger.info("[R16 %s] enqueued declared-done reminder", mode.upper())
+        # v7.7 Gap 7.2 — fire the on_event rule wired to task_close so
+        # the map's `done_claimed_with_open_task` trigger actually runs
+        # from the live stream, not only via test harnesses.
+        try:
+            self.raise_event("done_claimed_with_open_task", {"source": "R16"})
+        except Exception:
+            pass
 
     def _r25_context(self) -> tuple[set[str], list[str]]:
         """Resolve the (read_only_hosts, destructive_patterns) pair from
@@ -1705,8 +1776,15 @@ class HeadlessEnforcer:
         self._enqueue(prompt, decision["tag"], rule_id="R22_personal_script")
         _logger.info("[R22 %s] enqueued path=%s missing=%s", mode.upper(), decision["path"], decision["missing"])
 
-    def _check_r_catalog(self, tool_name: str):
-        """R-CATALOG (Plan Consolidado 0.X.2) — pre-create discovery probe."""
+    def _check_r_catalog(self, tool_name: str, files: list[str] | None = None):
+        """R-CATALOG — pre-create discovery probe.
+
+        v7.7 Gap 3: the trigger set is now {nexo_*_create/_open/_add}
+        UNION {Edit / Write into artefact-bearing paths}. The caller
+        passes the extracted file list so plain Edit/Write materialising
+        a skill / plugin / script without going through a dedicated MCP
+        tool still triggers the probe.
+        """
         if _r_catalog_should is None:
             return
         mode = self._guardian_rule_mode("R_CATALOG_before_artifact_create")
@@ -1720,7 +1798,7 @@ class HeadlessEnforcer:
             r.tool for r in self.recent_tool_records[:-1]
             if (now - getattr(r, "ts", now)) <= window
         ]
-        should, prompt = _r_catalog_should(tool_name, recent_tool_names=names)
+        should, prompt = _r_catalog_should(tool_name, recent_tool_names=names, files=files or [])
         if not should:
             return
         if mode == "shadow":
@@ -1729,6 +1807,45 @@ class HeadlessEnforcer:
         self._enqueue(prompt, f"R_CATALOG:{tool_name}", rule_id="R_CATALOG_before_artifact_create")
         _logger.info("[R_CATALOG %s] enqueued tool=%s", mode.upper(), tool_name)
 
+    def _check_r_primitive_choice(self, tool_name: str, files: list[str] | None):
+        """R_PRIMITIVE_CHOICE (v7.7 Gap 4) — SK-CREATE-NEXO-PRIMITIVE gate.
+
+        Flags Edit/Write of a NEW artefact file without a recent primitive-
+        choice probe. Does not duplicate R_CATALOG: R_CATALOG fires on
+        every artefact-path write without inventory consultation, while
+        this rule fires only when the file is genuinely new (no prior
+        Read / Grep / Edit on the same path).
+        """
+        if _r_primitive_should is None:
+            return
+        mode = self._guardian_rule_mode("R_PRIMITIVE_CHOICE")
+        if mode == "off":
+            return
+        window = 120.0
+        now = time.time()
+        names = [
+            r.tool for r in self.recent_tool_records[:-1]
+            if (now - getattr(r, "ts", now)) <= window
+        ]
+        records = [r for r in self.recent_tool_records[:-1]]
+        should, prompt = _r_primitive_should(
+            tool_name,
+            files=files or [],
+            recent_tool_names=names,
+            recent_tool_records=records,
+        )
+        if not should:
+            return
+        if mode == "shadow":
+            _logger.info("[R_PRIMITIVE_CHOICE SHADOW] would inject for %s", tool_name)
+            return
+        self._enqueue(
+            prompt,
+            f"R_PRIMITIVE_CHOICE:{tool_name}",
+            rule_id="R_PRIMITIVE_CHOICE",
+        )
+        _logger.info("[R_PRIMITIVE_CHOICE %s] enqueued tool=%s", mode.upper(), tool_name)
+
     def _check_r18(self, tool_name: str, tool_input):
         """R18 — suggest followup_complete on closure-class actions."""
         if _r18_should is None or _r18_format is None:
@@ -1861,9 +1978,54 @@ class HeadlessEnforcer:
     def on_tool_call(self, raw_name: str, tool_input=None):
         name = _normalize(raw_name)
         self.tool_call_count += 1
+        # v7.6 per-instance counter. Every tool call advances it and we
+        # pin the tool's latest instance so after_tool/before_tool can
+        # tell "has target been called AFTER this trigger?" without
+        # relying on the broken set-membership check.
+        self._tool_instance_counter += 1
+        self._tool_last_instance[name] = self._tool_instance_counter
         self.tools_called.add(name)
         self.tool_timestamps[name] = time.time()
         self.msg_since_tool[name] = 0
+
+        # v7.6 conditional counter advance. Tools watched by a
+        # conditional rule tick a counter on every non-matching call.
+        # When task_open (or whichever tool holds the rule) fires, the
+        # counter is reset via reset_task_cycle().
+        for entry in self._conditional:
+            tool = entry["tool"]
+            if tool == name:
+                self._conditional_counters[tool] = 0
+            else:
+                self._conditional_counters[tool] = self._conditional_counters.get(tool, 0) + 1
+
+        # v7.6 task_close observed → rearm conditional for the companion
+        # open tool so the next task cycle re-opens the obligation.
+        if name == "nexo_task_close":
+            self.reset_task_cycle("nexo_task_open")
+
+        # v7.7 Gap 1 — autonomous detector for multi_step_task_detected.
+        # The event was dispatched by the map but nothing ever raised it.
+        # Heuristic: three or more edit/execute/delegate calls within the
+        # recent window (Edit/Write/Task/Bash-with-write-command) without
+        # a nexo_skill_match in between signals multi-step work that
+        # should consult skills first. We raise the event at most once per
+        # task cycle — skill_match clears it; task_close rearms it.
+        if not self._multi_step_event_fired:
+            edit_like = {"Edit", "Write", "Task"}
+            recent_edit_calls = sum(
+                1 for r in self.recent_tool_records[-10:] if r.tool in edit_like
+            )
+            if recent_edit_calls >= 3 and "nexo_skill_match" not in self.tools_called:
+                try:
+                    self.raise_event("multi_step_task_detected", {"recent_edits": recent_edit_calls})
+                except Exception:
+                    pass  # telemetry-style; never crash enforcement
+                self._multi_step_event_fired = True
+        if name == "nexo_skill_match" or name == "nexo_task_close":
+            # Both signals clear the multi-step flag so the next task
+            # cycle gets its own detection window.
+            self._multi_step_event_fired = False
         # Track the recent tool_use with the file paths it targets so Fase 2
         # Capa 2 rules (R13, future R19/R20) can inspect the write path.
         files = self._extract_files(tool_input)
@@ -1934,7 +2096,13 @@ class HeadlessEnforcer:
 
         # R-CATALOG (Plan 0.X.2) — nudge if we are about to create/open/add
         # without having consulted the live inventory in the last 60 s.
-        self._check_r_catalog(name)
+        self._check_r_catalog(name, files)
+
+        # v7.7 Gap 4 — R_PRIMITIVE_CHOICE. Runs AFTER R_CATALOG because
+        # R_CATALOG's prompt covers the generic inventory case; this one
+        # adds the specific primitive-decision reminder when a brand-new
+        # artefact file is being materialised via Edit/Write.
+        self._check_r_primitive_choice(name, files)
 
         # R18 — retroactive followup-complete suggestion on closure actions.
         self._check_r18(name, tool_input)
@@ -1942,12 +2110,175 @@ class HeadlessEnforcer:
         # R24 — stale memory window decay.
         self._advance_r24_window(name)
 
+        # v7.6 per-instance satisfaction. The legacy check "target not in
+        # tools_called" silently satisfied a dependency forever after the
+        # first target call in the session. Now each trigger call opens a
+        # fresh dependency; satisfaction is marked only when the target is
+        # called AFTER this specific trigger instance.
+        current_instance = self._tool_last_instance.get(name, self._tool_instance_counter)
         for entry in self._after_tool.get(name, []):
             target = entry["tool"]
-            if target not in self.tools_called:
+            target_last = self._tool_last_instance.get(target, -1)
+            if target_last < current_instance:
                 prompt = entry["enf"].get("inject_prompt", "")
                 if prompt:
-                    self._enqueue(prompt, f"after:{name}->{target}", rule_id="after_tool_dependency")
+                    self._enqueue(
+                        prompt,
+                        f"after:{name}:{current_instance}->{target}",
+                        rule_id="after_tool_dependency",
+                    )
+                    self._after_tool_open_deps.append((name, current_instance, target))
+
+        # v7.6 on_event pending resolution. If the target tool was called
+        # within its grace window, clear the pending state.
+        for event_name, pending in list(self._on_event_pending.items()):
+            required_tool = pending.get("tool")
+            if required_tool and self._tool_last_instance.get(required_tool, -1) > pending.get("fired_at_instance", -1):
+                self._on_event_pending.pop(event_name, None)
+
+    def on_tool_call_before(self, raw_name: str, tool_input=None):
+        """Pre-invocation hook.
+
+        Dispatches `before_tool` rules declared in the map. If the caller
+        routes every tool call through this method, a missing required
+        predecessor (e.g. nexo_guard_check before Edit) produces a visible
+        injection BEFORE the destructive operation lands. The canonical
+        pre-edit guard (R13, Capa 2) already handles Edit/Write defensively
+        elsewhere — this path covers any future `before_tool` wiring the
+        map declares without needing a new custom rule each time.
+        """
+        name = _normalize(raw_name)
+        entries = self._before_tool.get(name, [])
+        if not entries:
+            return
+        for entry in entries:
+            required_tool = entry["tool"]
+            rule = entry.get("rule", {})
+            # R13 already emits a dedicated, context-aware prompt for the
+            # nexo_guard_check → Edit/Write case. Skip the generic
+            # before_tool injection there to avoid double-firing.
+            if required_tool == "nexo_guard_check" and name in ("Edit", "Write"):
+                continue
+            current_instance = self._tool_instance_counter + 1  # upcoming call
+            last = self._tool_last_instance.get(required_tool, -1)
+            if last < current_instance - 1:  # required tool not called for this instance
+                prompt = entry["enf"].get("inject_prompt", "") or rule.get("inject_prompt", "")
+                if prompt:
+                    self._enqueue(
+                        prompt,
+                        f"before:{name}:{current_instance}->{required_tool}",
+                        rule_id="before_tool_dependency",
+                    )
+
+    def raise_event(self, event_name: str, context: dict | None = None):
+        """External/hook trigger for `on_event` rules.
+
+        Call this when a semantic event occurs that the map references:
+
+        - `pre_compaction` / `post_compaction` (harness compaction hooks)
+        - `factual_answer_with_high_stakes` (response contract upgrade)
+        - `user_correction_without_learning` (R14-style detection)
+        - `multi_step_task_detected` (3+ related edits or workflow-kind work)
+        - `done_claimed_with_open_task` (R16 trigger on done/sent/fixed/published/deployed/shipped)
+
+        The required tool (declared in the map) must be called within
+        `grace_messages` (0 by default after the v7.6 checklist tightening
+        so corrections land immediately, not 3 messages later). If not,
+        a pending state is recorded and re-evaluated on every subsequent
+        tool call via the same dispatcher as after_tool.
+        """
+        entries = self._on_event.get(event_name, [])
+        if not entries:
+            return
+        for entry in entries:
+            required_tool = entry["tool"]
+            rule = entry.get("rule", {})
+            grace = int(rule.get("grace_messages", 0))
+            # If already called after the event fired, nothing to do.
+            last = self._tool_last_instance.get(required_tool, -1)
+            if last >= self._tool_instance_counter and grace == 0:
+                continue
+            prompt = entry["enf"].get("inject_prompt", "") or rule.get("inject_prompt", "")
+            if not prompt:
+                continue
+            # Record pending so check_periodic and next on_tool_call can
+            # clear it when the required tool actually fires.
+            self._on_event_pending[event_name] = {
+                "tool": required_tool,
+                "fired_at_instance": self._tool_instance_counter,
+                "grace": grace,
+                "messages_since": 0,
+            }
+            # For grace=0 the injection is immediate. For grace>0 the
+            # injection is deferred to check_periodic. The checklist set
+            # learning_add to grace=0, so the typical path is immediate.
+            if grace == 0:
+                self._enqueue(
+                    prompt,
+                    f"on_event:{event_name}->{required_tool}",
+                    rule_id=f"on_event:{event_name}",
+                )
+
+    def _check_conditional(self):
+        """Evaluate conditional rules (e.g. task_open threshold).
+
+        Called from check_periodic on every user turn boundary so the
+        obligation opens per conversation turn rather than requiring a
+        specific trigger event. v7.6 checklist fix: the previous
+        threshold of 10 tool calls was criticized as "tarde" — the map
+        now keeps the declared threshold but the engine halves it when
+        the recent tool mix shows edit/execute/delegate signals (Edit,
+        Write, Bash with mutation commands, Task dispatch).
+        """
+        for entry in self._conditional:
+            tool = entry["tool"]
+            rule = entry.get("rule", {})
+            base_threshold = int(rule.get("threshold", 10))
+            # Heuristic: if the recent window shows at least one Edit /
+            # Write / Task call, we treat the work as "edit/execute/
+            # delegate" and halve the threshold (rounding up). This is
+            # the checklist-driven early trigger without changing the
+            # declared contract for non-edit flows.
+            recent_names = {getattr(r, "tool", "") for r in self.recent_tool_records[-10:]}
+            is_edit_flow = bool(recent_names & {"Edit", "Write", "Task"})
+            threshold = max(1, (base_threshold + 1) // 2) if is_edit_flow else base_threshold
+            counter = self._conditional_counters.get(tool, 0)
+            if tool in self.tools_called:
+                # Once task_open has been called at least once, the
+                # conditional rule is satisfied for this task cycle. The
+                # counter is reset on every task_close via reset_task_cycle().
+                continue
+            if counter >= threshold:
+                prompt = entry["enf"].get("inject_prompt", "") or rule.get("inject_prompt", "")
+                if prompt:
+                    self._enqueue(
+                        prompt,
+                        f"conditional:{tool}:{counter}",
+                        rule_id="conditional_threshold",
+                    )
+
+    def reset_task_cycle(self, tool: str = "nexo_task_open"):
+        """Called when a task_close lands, so the conditional counter for
+        the matching open-tool rearms for the next task.
+
+        v7.7 Gap 7.1 (checklist pass-2 hotfix): v7.6 only reset the
+        counter but left `tools_called` carrying `nexo_task_open` from
+        the previous cycle. That meant `_check_conditional`'s early
+        `if tool in self.tools_called: continue` short-circuit still
+        blocked the re-nudge forever. We now also drop the open-tool
+        from `tools_called` and clear its per-instance pin so the gate
+        genuinely re-arms for the next task cycle. `_tool_last_instance`
+        stays intact for the OTHER tools (per-instance semantics for
+        after_tool still rely on it).
+        """
+        self._conditional_counters[tool] = 0
+        if tool in self.tools_called:
+            self.tools_called.discard(tool)
+        # Clearing the per-instance pin lets future after_tool
+        # dependencies on this tool re-open too; the conditional rule is
+        # what the checklist focused on but the same "satisfied-by-once"
+        # defect applied to after_tool gates pointing at task_open.
+        self._tool_last_instance.pop(tool, None)
 
     def check_periodic(self):
         for entry in self._on_start:
@@ -1977,6 +2308,39 @@ class HeadlessEnforcer:
                 if prompt:
                     self._enqueue(prompt, f"periodic_time:{tool}", rule_id="periodic_by_time")
 
+        # v7.6 conditional + deferred on_event reminders.
+        self._check_conditional()
+        self._check_on_event_pending()
+
+    def _check_on_event_pending(self):
+        """Re-evaluate on_event rules with grace > 0 after message ticks.
+
+        Called from check_periodic. If the grace window has expired and
+        the required tool was never called, fire the reminder. Otherwise
+        the pending row stays put until the target fires or grace runs out.
+        """
+        for event_name, pending in list(self._on_event_pending.items()):
+            required_tool = pending.get("tool")
+            grace = int(pending.get("grace", 0))
+            if required_tool and self._tool_last_instance.get(required_tool, -1) > pending.get("fired_at_instance", -1):
+                self._on_event_pending.pop(event_name, None)
+                continue
+            pending["messages_since"] = int(pending.get("messages_since", 0)) + 1
+            if pending["messages_since"] >= grace:
+                # Locate the matching entry to pull the injection prompt.
+                for entry in self._on_event.get(event_name, []):
+                    if entry["tool"] != required_tool:
+                        continue
+                    rule = entry.get("rule", {})
+                    prompt = entry["enf"].get("inject_prompt", "") or rule.get("inject_prompt", "")
+                    if prompt:
+                        self._enqueue(
+                            prompt,
+                            f"on_event:{event_name}:{pending['fired_at_instance']}->{required_tool}",
+                            rule_id=f"on_event:{event_name}",
+                        )
+                    break
+
     def get_end_prompts(self) -> list[str]:
         prompts = []
         for entry in self._on_end:
@@ -2171,10 +2535,17 @@ def run_with_enforcement(
             if event_type == "assistant" and event.get("message", {}).get("content"):
                 for block in event["message"]["content"]:
                     if block.get("type") == "tool_use":
+                        # v7.7 Gap 7.3 — wire before_tool in the live
+                        # stream. Desktop already calls onBeforeToolCall
+                        # before onToolCall; Brain's stream was only
+                        # calling on_tool_call, silently skipping every
+                        # before_tool rule the map declared.
+                        enforcer.on_tool_call_before(block.get("name", ""), block.get("input"))
                         enforcer.on_tool_call(block.get("name", ""), block.get("input"))
             elif event_type == "content_block_start":
                 cb = event.get("content_block", {})
                 if cb.get("type") == "tool_use":
+                    enforcer.on_tool_call_before(cb.get("name", ""), cb.get("input"))
                     enforcer.on_tool_call(cb.get("name", ""), cb.get("input"))
 
             if event_type == "assistant" and not waiting_for_injection_response:

package/src/presets/guardian_default.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://nexo-brain.com/schemas/guardian-config-v1.json",
-  "version": "1.3.3",
-  "description": "Default Guardian configuration. Copied to ~/.nexo/personal/config/guardian.json at `nexo init` / `nexo update` if no user config exists. If user config exists, merge keys NOT present in user config without overwriting user overrides. Core rules (R13, R14, R16, R25, R30) can only be shadow/soft/hard — mode=off is rejected by validator.",
+  "version": "1.5.0",
+  "description": "Default Guardian configuration. Copied to ~/.nexo/personal/config/guardian.json at `nexo init` / `nexo update` if no user config exists. If user config exists, merge keys NOT present in user config without overwriting user overrides. Core rules (R13, R14, R16, R25, R30) can only be shadow/soft/hard — mode=off is rejected by validator. v1.4.0 (constructor-guardian-90 pass 1): R15/R17/R22/R_CATALOG upgraded from soft to hard where FP telemetry was low; R34 raised from shadow to soft. v1.5.0 (pass 2): R11_plugin_load_pre_inventory upgraded from soft to hard; new R_PRIMITIVE_CHOICE (SK-CREATE-NEXO-PRIMITIVE gate) added at soft so it can be observed before hardening.",
   "enabled": true,
   "classifier_task_profile": "enforcer_classify",
   "classifier_tier": "muy_bajo",
@@ -23,18 +23,18 @@
     "R08_reminder_recurrence_conflict": "soft",
     "R09_artifact_create_dedup": "soft",
     "R10_workflow_open_without_task": "hard",
-    "R11_plugin_load_pre_inventory": "soft",
+    "R11_plugin_load_pre_inventory": "hard",
     "R12_cognitive_write_dedup": "soft",
     "R13_pre_edit_guard": "hard",
     "R14_correction_learning": "hard",
-    "R15_project_context": "soft",
+    "R15_project_context": "hard",
     "R16_declared_done": "hard",
-    "R17_promise_debt": "soft",
+    "R17_promise_debt": "hard",
     "R18_followup_autocomplete": "soft",
     "R19_project_grep": "soft",
     "R20_constant_grep": "soft",
     "R21_legacy_path": "shadow",
-    "R22_personal_script": "soft",
+    "R22_personal_script": "hard",
     "R23_ssh_without_atlas": "soft",
     "R23i_auto_deploy_ignored": "soft",
     "R23j_global_install": "shadow",
@@ -42,7 +42,8 @@
     "R24_stale_memory": "shadow",
     "R25_nora_maria_read_only": "hard",
     "R30_pre_done_evidence_system_prompt": "hard",
-    "R_CATALOG_before_artifact_create": "soft",
+    "R_CATALOG_before_artifact_create": "hard",
+    "R_PRIMITIVE_CHOICE": "soft",
     "R26_no_internal_jargon": "hard",
     "R27_concise_responses": "hard",
     "R28_correction_learning_system_prompt": "hard",
@@ -59,7 +60,7 @@
     "R23g_secrets_in_output": "soft",
     "R23m_message_duplicate": "soft",
     "R23h_shebang_mismatch": "shadow",
-    "R34_identity_coherence": "shadow"
+    "R34_identity_coherence": "soft"
   },
   "core_rules": [
     "R13_pre_edit_guard",

package/src/r_catalog.py

@@ -1,24 +1,30 @@
-"""R-CATALOG — Plan Consolidado 0.X.2.
+"""R-CATALOG — Plan Consolidado 0.X.2 + v7.7 Gap 3 expansion.
 
-Pre-create discovery probe: when the agent is about to create a resource
-(``nexo_*_create`` family) without having consulted any inventory tool in
-the same turn, R-CATALOG nudges it to search first.
+Pre-create discovery probe. Two trigger families:
 
-Rationale (Plan Consolidado §FASE 0.X): the Guardian should not re-teach
-what tools exist; the live catalog does that. But if the agent never
-reads the catalog before creating a new artefact, it skips discovery and
-produces duplicates (already-existing skills cloned as personal scripts,
-learnings with equivalent content, followups on resolved work, etc.).
+  (a) `nexo_*_create` / `_open` / `_add` — the original MCP-tool path.
+  (b) v7.7: `Edit` / `Write` writing into artefact-bearing paths
+      (skills/, plugins/, scripts/, personal scripts). The checklist
+      item "ampliar el ámbito del pre-probe de catálogo para cubrir
+      no solo nexo_*_create/_open/_add, sino también writes de
+      archivos que materializan skills/plugins/scripts/plantillas/
+      artefactos aunque no hayan pasado por un tool MCP de 'create'".
+
+Rationale: the Guardian should not re-teach what tools exist; the live
+catalog does that. But if the agent materialises a new skill / plugin /
+script by writing a file directly, without consulting inventory, it
+skips discovery and produces duplicates.
 
 Contract:
-  - Trigger tools: any tool matching ``nexo_*_create`` / ``_open`` / ``_add``.
-  - Discovery tools (any one resets the window): ``nexo_system_catalog``,
-    ``nexo_tool_explain``, ``nexo_skill_match``, ``nexo_skill_list``,
-    ``nexo_learning_search``, ``nexo_guard_check``.
-  - Window: 60s. Caller passes ``recent_tool_names`` already filtered to
+  - Trigger tools: `nexo_*_create` / `_open` / `_add` (always), or
+    `Edit` / `Write` when the file path lives under a recognised
+    artefact root.
+  - Discovery tools (any one resets the window): `nexo_system_catalog`,
+    `nexo_tool_explain`, `nexo_skill_match`, `nexo_skill_list`,
+    `nexo_learning_search`, `nexo_guard_check`, `nexo_personal_scripts_list`,
+    `nexo_plugin_list`.
+  - Window: 60s. Caller passes `recent_tool_names` already filtered to
     the last 60 seconds so the rule itself is time-agnostic.
-  - Dedup tag: the engine's _enqueue keys dedup by rule_id + tag so an
-    agent chaining two creates only gets nudged once per 60s.
 """
 from __future__ import annotations
 
@@ -34,8 +40,30 @@ DISCOVERY_TOOLS = frozenset({
     "nexo_skill_list",
     "nexo_learning_search",
     "nexo_guard_check",
+    # v7.7 Gap 3: inventory surfaces that count as "I checked what
+    # already exists before writing a new artefact".
+    "nexo_personal_scripts_list",
+    "nexo_plugin_list",
 })
 
+# Path fragments that classify a write as an "artefact creation" write,
+# even when it goes through plain Edit / Write instead of a dedicated
+# MCP tool. v7.7 Gap 3 coverage.
+ARTEFACT_PATH_FRAGMENTS = (
+    "/skills/",
+    "/clawhub-skill/",
+    "/.claude-plugin/",
+    "/src/plugins/",
+    "/personal/scripts/",
+    "/personal/skills/",
+    "/personal-scripts/",
+    "/.nexo/personal/scripts/",
+    "/.nexo/skills/",
+    "/templates/core-prompts/",
+    "/core-prompts/",
+    "/src/presets/",
+)
+
 INJECTION_PROMPT = render_core_prompt("r-catalog", tool="{tool}")
 
 
@@ -45,13 +73,30 @@ def _is_trigger_tool(tool_name) -> bool:
     return tool_name.endswith("_create") or tool_name.endswith("_open") or tool_name.endswith("_add")
 
 
+def _is_artefact_write(tool_name, files: Iterable[str] | None) -> bool:
+    """v7.7 Gap 3: a plain Edit/Write into an artefact-bearing path
+    counts as a trigger even without a *_create MCP tool."""
+    if tool_name not in ("Edit", "Write"):
+        return False
+    if not files:
+        return False
+    for path in files:
+        if not isinstance(path, str):
+            continue
+        for fragment in ARTEFACT_PATH_FRAGMENTS:
+            if fragment in path:
+                return True
+    return False
+
+
 def should_inject_r_catalog(
     tool_name,
     *,
     recent_tool_names: Iterable[str] | None,
+    files: Iterable[str] | None = None,
 ) -> tuple[bool, str]:
     """Return (inject, prompt). Never raises."""
-    if not _is_trigger_tool(tool_name):
+    if not _is_trigger_tool(tool_name) and not _is_artefact_write(tool_name, files):
         return False, ""
     if tool_name in DISCOVERY_TOOLS:
         return False, ""
@@ -63,6 +108,7 @@ def should_inject_r_catalog(
 
 __all__ = [
     "DISCOVERY_TOOLS",
+    "ARTEFACT_PATH_FRAGMENTS",
     "INJECTION_PROMPT",
     "should_inject_r_catalog",
 ]

package/src/r_primitive_choice.py

@@ -0,0 +1,111 @@
+"""R_PRIMITIVE_CHOICE — v7.7 Gap 4.
+
+Before materialising a NEW artefact (skill / plugin / personal script /
+template) via plain Edit / Write, the agent MUST consult SK-CREATE-
+NEXO-PRIMITIVE (or its equivalent signal — a recent `nexo_skill_match`
+/ `nexo_tool_explain` call) so skill-vs-plugin-vs-script-vs-schedule-
+vs-core-change is not improvised.
+
+Distinct from R_CATALOG (v7.7 Gap 3) which fires on EVERY write into
+an artefact-bearing path; R_PRIMITIVE_CHOICE fires only when the file
+is NEW (write without prior matching read/grep) so editing an existing
+skill to tweak a step is not reprimanded.
+
+Contract:
+  - Trigger: Edit/Write into artefact-bearing paths AND the file did
+    NOT appear in the recent tool record as a previous Read/Grep.
+  - Relief signal (any one in last 120s): `nexo_skill_match`,
+    `nexo_tool_explain`, Read or Grep of the same path, or
+    `nexo_skill_apply` referencing SK-CREATE-NEXO-PRIMITIVE.
+  - Default mode: soft (so the rule can be observed before hardening).
+"""
+from __future__ import annotations
+
+from typing import Iterable
+
+from core_prompts import render_core_prompt
+
+
+ARTEFACT_PATH_FRAGMENTS = (
+    "/skills/",
+    "/clawhub-skill/",
+    "/.claude-plugin/",
+    "/src/plugins/",
+    "/personal/scripts/",
+    "/personal/skills/",
+    "/personal-scripts/",
+    "/.nexo/personal/scripts/",
+    "/.nexo/skills/",
+    "/templates/core-prompts/",
+)
+
+RELIEF_TOOLS = frozenset({
+    "nexo_skill_match",
+    "nexo_tool_explain",
+    "nexo_skill_apply",
+    "Read",
+    "Grep",
+})
+
+
+INJECTION_PROMPT = render_core_prompt("r-primitive-choice", path="{path}")
+
+
+def _is_artefact_path(path: str) -> bool:
+    if not isinstance(path, str):
+        return False
+    return any(fragment in path for fragment in ARTEFACT_PATH_FRAGMENTS)
+
+
+def _file_previously_touched(path: str, recent_records) -> bool:
+    """True iff the same path was seen in a prior Read / Grep / Edit
+    call inside the recent window. The engine passes its
+    recent_tool_records list (each record has .tool and .files)."""
+    if not isinstance(path, str):
+        return False
+    for record in recent_records or []:
+        tool = getattr(record, "tool", "")
+        if tool not in ("Read", "Grep", "Edit"):
+            continue
+        files = getattr(record, "files", ())
+        for f in files or ():
+            if f == path:
+                return True
+    return False
+
+
+def should_inject_r_primitive(
+    tool_name,
+    *,
+    files: Iterable[str] | None,
+    recent_tool_names: Iterable[str] | None,
+    recent_tool_records,
+) -> tuple[bool, str]:
+    """Return (inject, prompt). Fail-closed on bad input → (False, "")."""
+    if tool_name not in ("Edit", "Write"):
+        return False, ""
+    file_list = [f for f in (files or []) if isinstance(f, str)]
+    if not file_list:
+        return False, ""
+    artefact_files = [f for f in file_list if _is_artefact_path(f)]
+    if not artefact_files:
+        return False, ""
+    # If any relief tool fired recently, rule is satisfied.
+    recent = set(recent_tool_names or [])
+    if recent & RELIEF_TOOLS:
+        return False, ""
+    # If the file appears to be an edit of an existing artefact (Read
+    # or Grep already touched the same path), treat as relief too —
+    # we only want to flag NEW artefact creation.
+    for f in artefact_files:
+        if _file_previously_touched(f, recent_tool_records):
+            return False, ""
+    return True, INJECTION_PROMPT.format(path=artefact_files[0])
+
+
+__all__ = [
+    "ARTEFACT_PATH_FRAGMENTS",
+    "RELIEF_TOOLS",
+    "INJECTION_PROMPT",
+    "should_inject_r_primitive",
+]

package/templates/core-prompts/r-primitive-choice.md

@@ -0,0 +1 @@
+[NEXO Protocol Enforcer] R_PRIMITIVE_CHOICE: you are about to write a new artefact under `{path}` without consulting SK-CREATE-NEXO-PRIMITIVE or an equivalent primitive-choice probe. Stop. Run `nexo_skill_match` with the phrase "create a new primitive" (or the equivalent in your language) and follow the skill's decision table before creating. skill vs plugin vs personal-script vs schedule vs core-change is a durable decision — do not improvise. Do not produce visible text for this reminder; act on it silently.

package/templates/core-prompts/r16-declared-done-question.md

@@ -1 +1 @@
-Does the assistant message below declare that a task is finished, completed, shipped, or already done? Answer yes only if the assistant is claiming completion of the current work. Answer no for status updates, mid-task progress reports, questions, or partial summaries.
+Does the assistant message below declare that a task is finished, completed, shipped, sent, delivered, published, deployed, released, fixed, resolved, merged, pushed, handed off, or otherwise closed on any plane (deploy, release, publish, email/message sent, PR merged, fix applied, task resolved)? Answer yes only if the assistant is claiming real completion of the current work (in any language — Spanish "listo/hecho/terminado/enviado/arreglado/desplegado/publicado/lanzado/resuelto/mergeado" counts equally). Answer no for status updates, mid-task progress reports, questions, partial summaries, or "I will now..." promises without execution in the same turn.

package/tool-enforcement-map.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://nexo-brain.com/schemas/tool-enforcement-map-v2.1.json",
-  "version": "2.1.0",
+  "version": "2.2.0",
   "description": "Canonical map of all NEXO Brain MCP tools with enforcement rules, dependency chains, and behavioral hints. Source of truth for Protocol Enforcer (Desktop + headless). v2.1 adds schema support for Fase 2 event-driven rules (R01-R33): server_side_rules at tool level, per-rule mode (shadow|soft|hard), core_rule flag, and new rule types (pre_tool_intent, post_user_message, on_output_classify, before_tool_strict_block). Backward-compatible: executors that only handle v2.0 rule types ignore the new fields.",
   "tools": {
     "nexo_adaptive_decay": {
@@ -1749,7 +1749,7 @@
           {
             "type": "on_event",
             "event": "user_correction_without_learning",
-            "grace_messages": 3
+            "grace_messages": 0
           }
         ],
         "inject_prompt": "The user corrected you but no learning was captured. Execute nexo_learning_add to record this correction as a reusable learning. Do not produce visible text.",
@@ -3441,15 +3441,16 @@
         "_attention_snapshot"
       ],
       "enforcement": {
-        "level": "should",
+        "level": "must",
         "rules": [
           {
             "type": "conditional",
-            "threshold": 10,
-            "condition": "more_than_10_tool_calls_without_task_open"
+            "threshold": 4,
+            "condition": "more_than_4_tool_calls_without_task_open_or_first_edit_write_task",
+            "inject_prompt": "You are doing non-trivial work without nexo_task_open. Open a protocol task now (task_type=edit/execute/delegate/answer/analyze) so guard, rules, cortex review and evidence-backed closure apply. Do not produce visible text for this reminder — act on it silently."
           }
         ],
-        "reminder_prompt": "You have made significant tool calls without opening a protocol task. Consider using nexo_task_open to formally track this work. This is a reminder, not an obligation — if the work is trivial, ignore this.",
+        "reminder_prompt": "You have made significant tool calls without opening a protocol task. Open nexo_task_open now so guard, rules and evidence-backed closure apply. This is not optional for multi-step work.",
         "triggers_after": [
           "nexo_task_close"
         ]