nexo-brain 7.6.0 → 7.7.0

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.6.0",
+  "version": "7.7.0",
   "description": "Local cognitive runtime for Claude Code \u2014 persistent memory, overnight learning, doctor diagnostics, personal scripts, recovery-aware jobs, startup preflight, and optional dashboard/power helper.",
   "author": {
     "name": "NEXO Brain",

package/README.md

@@ -18,7 +18,9 @@
 
 [Watch the overview video](https://nexo-brain.com/watch/) · [Watch on YouTube](https://www.youtube.com/watch?v=i2lkGhKyVqI) · [Open the infographic](https://nexo-brain.com/assets/nexo-brain-infographic-v5.png)
 
-Version `7.6.0` is the current packaged-runtime line. Minor release that closes the drift between `tool-enforcement-map.json` v2.2 and the two enforcement engines (Brain Python + Desktop JS), and moves several default rule modes toward the obedience target requested by the constructor-guardian-90 checklist. Brain now dispatches `before_tool`, `on_event`, and `conditional` alongside the previously-handled types — before v7.6 Brain silently ignored these three despite the map declaring them, so Brain users got the weaker contract. `after_tool` dependencies now satisfy per-instance (monotonic `_tool_instance_counter`) instead of once-per-session, which was the specific bug the checklist flagged. Map v2.2 tightens two triggers: `nexo_learning_add` grace_messages 3 → 0 (corrections produce the learning in the same turn) and `nexo_task_open` conditional threshold 10 → 4 with level `should → must` and an explicit `inject_prompt`. `guardian_default.json` v1.4.0 raises `R15_project_context`, `R17_promise_debt`, `R22_personal_script` and `R_CATALOG_before_artifact_create` from soft to hard, and moves `R34_identity_coherence` from shadow to soft so identity denials surface a visible reminder instead of silent telemetry. A new contract test (`tests/test_v76_map_parity.py`) pins six invariants including Brain↔Desktop dispatch parity and per-instance satisfaction so a future refactor cannot quietly re-open the drift. Companion release: NEXO Desktop v0.26.0 mirrors the engine fixes + default hardening.
+Version `7.7.0` is the current packaged-runtime line. Minor release that closes the six gaps left partial after v7.6.0's constructor-guardian-90 pass 1. Gap 1: an autonomous detector now raises `multi_step_task_detected` after three recent Edit/Write/Task calls without a prior `nexo_skill_match` (v7.6 dispatched the event but nothing raised it). Gap 2: the R16 classifier prompt recognises the full done-claim vocabulary (sent / delivered / published / deployed / released / fixed / resolved / merged / pushed plus Spanish equivalents) so the on_event trigger `done_claimed_with_open_task` fires beyond the word "done". Gap 3: R_CATALOG extends to plain `Edit` / `Write` into artefact-bearing paths (skills/, plugins/, personal scripts, `templates/core-prompts/`) and grows its discovery set to include `nexo_personal_scripts_list` + `nexo_plugin_list`. Gap 4: new `R_PRIMITIVE_CHOICE` runtime rule gates Edit/Write of a brand-new artefact without a recent primitive-choice probe (SK-CREATE-NEXO-PRIMITIVE). Gap 5: `guardian_default.json` v1.5.0 raises `R11_plugin_load_pre_inventory` from soft to hard. Gap 6: new `tests/test_v77_enforcement_gaps.py` pins 12 invariants across all six rails. Pytest 2070 passing (+14 vs v7.6.0). Companion release: NEXO Desktop v0.27.0 mirrors the guardian default bumps.
+
+Previously in `7.6.0`: minor release that closed the drift between `tool-enforcement-map.json` v2.2 and the two enforcement engines (Brain Python + Desktop JS), added per-instance `after_tool` satisfaction, tightened `learning_add` grace to 0 and `task_open` threshold to 4/must, hardened R15/R17/R22/R_CATALOG from soft to hard, and raised R34 from shadow to soft.
 
 Previously in `7.5.0`: minor release that promoted `nexo_lifecycle_event` from ledger + reconciliation authority to **canonical authority of session-end**. Brain now owns the prompt, the sequence, and the timing of diary+stop; Desktop v0.25.0 (closed-source companion) is the conduit that executes Brain's plan against the live Claude process. The new 2-call contract — `nexo_lifecycle_event` returns a versioned `canonical_plan` (resume_session → inject_prompt → stop_session, with stable ids and per-action timeouts) and `nexo_lifecycle_complete_canonical` confirms execution with a per-action results array — replaces polling with explicit acknowledgement. `canonical_plan_id` is deterministic: `sha256(event_id + "|v" + plan_version)[:24]`, so retries reuse the same id. Migration m52 extends `lifecycle_events` with six `canonical_*` columns plus an index; pre-v7.5 rows simply carry NULL. `session_diary` is the dedupe key on re-delivery: if Desktop crashes between executing the inject and sending the complete call, the next `nexo_lifecycle_event` for the same `event_id` checks for a diary written after `canonical_dispatched_at`; if one exists, Brain short-circuits to `already_processed` and refuses to re-dispatch. The seven explicit `delivery_status` values (`accepted`, `processed`, `canonical_pending`, `canonical_done`, `already_processed`, `retryable_error`, `rejected`) give the pipeline a diffable state machine. `switch` and `window-close` stay observational (no plan ever issued, even with a live `session_id`). `nexo lifecycle record` now returns exit code 0 for `canonical_pending`; older wrappers that treated it as an error are incompatible with v7.5. MCP tool count: 262 → 263.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.6.0",
+  "version": "7.7.0",
   "mcpName": "io.github.wazionapps/nexo",
   "description": "NEXO Brain \u2014 Shared brain for AI agents. Persistent memory, semantic RAG, natural forgetting, metacognitive guard, trust scoring, 150+ MCP tools. Works with Claude Code, Codex, Claude Desktop & any MCP client. 100% local, free.",
   "homepage": "https://nexo-brain.com",

package/src/enforcement_engine.py

@@ -80,6 +80,11 @@ try:
 except ImportError:  # pragma: no cover
     _r_catalog_should = None  # type: ignore
 
+try:
+    from r_primitive_choice import should_inject_r_primitive as _r_primitive_should
+except ImportError:  # pragma: no cover
+    _r_primitive_should = None  # type: ignore
+
 try:
     from r34_identity_coherence import should_inject_r34 as _r34_should
 except ImportError:  # pragma: no cover
@@ -422,6 +427,9 @@ class HeadlessEnforcer:
         # on_event grace windows — per (event_name) counter of messages
         # since event fired without the required tool being called.
         self._on_event_pending: dict[str, dict] = {}
+        # v7.7 Gap 1: latch so multi_step_task_detected fires at most once
+        # per task cycle. Cleared on skill_match OR task_close.
+        self._multi_step_event_fired: bool = False
 
         if self.map:
             self._build_indexes()
@@ -650,6 +658,14 @@ class HeadlessEnforcer:
         self._r14_correction_seen_for_turn = True
         _logger.info("[R14 %s] correction detected; window opened for %d tool calls",
                      mode.upper(), self._r14_window_remaining)
+        # v7.7 Gap 7.2 — wire on_event so the map's
+        # `user_correction_without_learning` rule fires in the live
+        # stream. grace_messages was set to 0 in map v2.2 so the
+        # learning reminder must surface the same turn.
+        try:
+            self.raise_event("user_correction_without_learning", {"text_hash": hash(text or "")})
+        except Exception:
+            pass  # telemetry-style; never crash R14 detection
 
     def _run_session_end_detection(self, text: str, *, detector=None) -> bool:
         if not self._on_end:
@@ -848,6 +864,13 @@ class HeadlessEnforcer:
             return
         self._enqueue(_R16_PROMPT, "r16:declared-done-without-close", rule_id="R16_declared_done")
         _logger.info("[R16 %s] enqueued declared-done reminder", mode.upper())
+        # v7.7 Gap 7.2 — fire the on_event rule wired to task_close so
+        # the map's `done_claimed_with_open_task` trigger actually runs
+        # from the live stream, not only via test harnesses.
+        try:
+            self.raise_event("done_claimed_with_open_task", {"source": "R16"})
+        except Exception:
+            pass
 
     def _r25_context(self) -> tuple[set[str], list[str]]:
         """Resolve the (read_only_hosts, destructive_patterns) pair from
@@ -1753,8 +1776,15 @@ class HeadlessEnforcer:
         self._enqueue(prompt, decision["tag"], rule_id="R22_personal_script")
         _logger.info("[R22 %s] enqueued path=%s missing=%s", mode.upper(), decision["path"], decision["missing"])
 
-    def _check_r_catalog(self, tool_name: str):
-        """R-CATALOG (Plan Consolidado 0.X.2) — pre-create discovery probe."""
+    def _check_r_catalog(self, tool_name: str, files: list[str] | None = None):
+        """R-CATALOG — pre-create discovery probe.
+
+        v7.7 Gap 3: the trigger set is now {nexo_*_create/_open/_add}
+        UNION {Edit / Write into artefact-bearing paths}. The caller
+        passes the extracted file list so plain Edit/Write materialising
+        a skill / plugin / script without going through a dedicated MCP
+        tool still triggers the probe.
+        """
         if _r_catalog_should is None:
             return
         mode = self._guardian_rule_mode("R_CATALOG_before_artifact_create")
@@ -1768,7 +1798,7 @@ class HeadlessEnforcer:
             r.tool for r in self.recent_tool_records[:-1]
             if (now - getattr(r, "ts", now)) <= window
         ]
-        should, prompt = _r_catalog_should(tool_name, recent_tool_names=names)
+        should, prompt = _r_catalog_should(tool_name, recent_tool_names=names, files=files or [])
         if not should:
             return
         if mode == "shadow":
@@ -1777,6 +1807,45 @@ class HeadlessEnforcer:
         self._enqueue(prompt, f"R_CATALOG:{tool_name}", rule_id="R_CATALOG_before_artifact_create")
         _logger.info("[R_CATALOG %s] enqueued tool=%s", mode.upper(), tool_name)
 
+    def _check_r_primitive_choice(self, tool_name: str, files: list[str] | None):
+        """R_PRIMITIVE_CHOICE (v7.7 Gap 4) — SK-CREATE-NEXO-PRIMITIVE gate.
+
+        Flags Edit/Write of a NEW artefact file without a recent primitive-
+        choice probe. Does not duplicate R_CATALOG: R_CATALOG fires on
+        every artefact-path write without inventory consultation, while
+        this rule fires only when the file is genuinely new (no prior
+        Read / Grep / Edit on the same path).
+        """
+        if _r_primitive_should is None:
+            return
+        mode = self._guardian_rule_mode("R_PRIMITIVE_CHOICE")
+        if mode == "off":
+            return
+        window = 120.0
+        now = time.time()
+        names = [
+            r.tool for r in self.recent_tool_records[:-1]
+            if (now - getattr(r, "ts", now)) <= window
+        ]
+        records = [r for r in self.recent_tool_records[:-1]]
+        should, prompt = _r_primitive_should(
+            tool_name,
+            files=files or [],
+            recent_tool_names=names,
+            recent_tool_records=records,
+        )
+        if not should:
+            return
+        if mode == "shadow":
+            _logger.info("[R_PRIMITIVE_CHOICE SHADOW] would inject for %s", tool_name)
+            return
+        self._enqueue(
+            prompt,
+            f"R_PRIMITIVE_CHOICE:{tool_name}",
+            rule_id="R_PRIMITIVE_CHOICE",
+        )
+        _logger.info("[R_PRIMITIVE_CHOICE %s] enqueued tool=%s", mode.upper(), tool_name)
+
     def _check_r18(self, tool_name: str, tool_input):
         """R18 — suggest followup_complete on closure-class actions."""
         if _r18_should is None or _r18_format is None:
@@ -1934,6 +2003,29 @@ class HeadlessEnforcer:
         # open tool so the next task cycle re-opens the obligation.
         if name == "nexo_task_close":
             self.reset_task_cycle("nexo_task_open")
+
+        # v7.7 Gap 1 — autonomous detector for multi_step_task_detected.
+        # The event was dispatched by the map but nothing ever raised it.
+        # Heuristic: three or more edit/execute/delegate calls within the
+        # recent window (Edit/Write/Task/Bash-with-write-command) without
+        # a nexo_skill_match in between signals multi-step work that
+        # should consult skills first. We raise the event at most once per
+        # task cycle — skill_match clears it; task_close rearms it.
+        if not self._multi_step_event_fired:
+            edit_like = {"Edit", "Write", "Task"}
+            recent_edit_calls = sum(
+                1 for r in self.recent_tool_records[-10:] if r.tool in edit_like
+            )
+            if recent_edit_calls >= 3 and "nexo_skill_match" not in self.tools_called:
+                try:
+                    self.raise_event("multi_step_task_detected", {"recent_edits": recent_edit_calls})
+                except Exception:
+                    pass  # telemetry-style; never crash enforcement
+                self._multi_step_event_fired = True
+        if name == "nexo_skill_match" or name == "nexo_task_close":
+            # Both signals clear the multi-step flag so the next task
+            # cycle gets its own detection window.
+            self._multi_step_event_fired = False
         # Track the recent tool_use with the file paths it targets so Fase 2
         # Capa 2 rules (R13, future R19/R20) can inspect the write path.
         files = self._extract_files(tool_input)
@@ -2004,7 +2096,13 @@ class HeadlessEnforcer:
 
         # R-CATALOG (Plan 0.X.2) — nudge if we are about to create/open/add
         # without having consulted the live inventory in the last 60 s.
-        self._check_r_catalog(name)
+        self._check_r_catalog(name, files)
+
+        # v7.7 Gap 4 — R_PRIMITIVE_CHOICE. Runs AFTER R_CATALOG because
+        # R_CATALOG's prompt covers the generic inventory case; this one
+        # adds the specific primitive-decision reminder when a brand-new
+        # artefact file is being materialised via Edit/Write.
+        self._check_r_primitive_choice(name, files)
 
         # R18 — retroactive followup-complete suggestion on closure actions.
         self._check_r18(name, tool_input)
@@ -2161,11 +2259,26 @@ class HeadlessEnforcer:
 
     def reset_task_cycle(self, tool: str = "nexo_task_open"):
         """Called when a task_close lands, so the conditional counter for
-        the matching open-tool rearms for the next task. Without this,
-        the first task_open satisfies the condition forever — which is
-        exactly the "satisfied-by-once" semantics the checklist flagged.
+        the matching open-tool rearms for the next task.
+
+        v7.7 Gap 7.1 (checklist pass-2 hotfix): v7.6 only reset the
+        counter but left `tools_called` carrying `nexo_task_open` from
+        the previous cycle. That meant `_check_conditional`'s early
+        `if tool in self.tools_called: continue` short-circuit still
+        blocked the re-nudge forever. We now also drop the open-tool
+        from `tools_called` and clear its per-instance pin so the gate
+        genuinely re-arms for the next task cycle. `_tool_last_instance`
+        stays intact for the OTHER tools (per-instance semantics for
+        after_tool still rely on it).
         """
         self._conditional_counters[tool] = 0
+        if tool in self.tools_called:
+            self.tools_called.discard(tool)
+        # Clearing the per-instance pin lets future after_tool
+        # dependencies on this tool re-open too; the conditional rule is
+        # what the checklist focused on but the same "satisfied-by-once"
+        # defect applied to after_tool gates pointing at task_open.
+        self._tool_last_instance.pop(tool, None)
 
     def check_periodic(self):
         for entry in self._on_start:
@@ -2422,10 +2535,17 @@ def run_with_enforcement(
             if event_type == "assistant" and event.get("message", {}).get("content"):
                 for block in event["message"]["content"]:
                     if block.get("type") == "tool_use":
+                        # v7.7 Gap 7.3 — wire before_tool in the live
+                        # stream. Desktop already calls onBeforeToolCall
+                        # before onToolCall; Brain's stream was only
+                        # calling on_tool_call, silently skipping every
+                        # before_tool rule the map declared.
+                        enforcer.on_tool_call_before(block.get("name", ""), block.get("input"))
                         enforcer.on_tool_call(block.get("name", ""), block.get("input"))
             elif event_type == "content_block_start":
                 cb = event.get("content_block", {})
                 if cb.get("type") == "tool_use":
+                    enforcer.on_tool_call_before(cb.get("name", ""), cb.get("input"))
                     enforcer.on_tool_call(cb.get("name", ""), cb.get("input"))
 
             if event_type == "assistant" and not waiting_for_injection_response:

package/src/presets/guardian_default.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://nexo-brain.com/schemas/guardian-config-v1.json",
-  "version": "1.4.0",
-  "description": "Default Guardian configuration. Copied to ~/.nexo/personal/config/guardian.json at `nexo init` / `nexo update` if no user config exists. If user config exists, merge keys NOT present in user config without overwriting user overrides. Core rules (R13, R14, R16, R25, R30) can only be shadow/soft/hard — mode=off is rejected by validator. v1.4.0 (constructor-guardian-90 checklist): R15/R17/R22/R_CATALOG upgraded from soft to hard where false-positive telemetry was low enough; R34 identity_coherence raised from shadow to soft so identity denials surface an actual reminder instead of silent logging.",
+  "version": "1.5.0",
+  "description": "Default Guardian configuration. Copied to ~/.nexo/personal/config/guardian.json at `nexo init` / `nexo update` if no user config exists. If user config exists, merge keys NOT present in user config without overwriting user overrides. Core rules (R13, R14, R16, R25, R30) can only be shadow/soft/hard — mode=off is rejected by validator. v1.4.0 (constructor-guardian-90 pass 1): R15/R17/R22/R_CATALOG upgraded from soft to hard where FP telemetry was low; R34 raised from shadow to soft. v1.5.0 (pass 2): R11_plugin_load_pre_inventory upgraded from soft to hard; new R_PRIMITIVE_CHOICE (SK-CREATE-NEXO-PRIMITIVE gate) added at soft so it can be observed before hardening.",
   "enabled": true,
   "classifier_task_profile": "enforcer_classify",
   "classifier_tier": "muy_bajo",
@@ -23,7 +23,7 @@
     "R08_reminder_recurrence_conflict": "soft",
     "R09_artifact_create_dedup": "soft",
     "R10_workflow_open_without_task": "hard",
-    "R11_plugin_load_pre_inventory": "soft",
+    "R11_plugin_load_pre_inventory": "hard",
     "R12_cognitive_write_dedup": "soft",
     "R13_pre_edit_guard": "hard",
     "R14_correction_learning": "hard",
@@ -43,6 +43,7 @@
     "R25_nora_maria_read_only": "hard",
     "R30_pre_done_evidence_system_prompt": "hard",
     "R_CATALOG_before_artifact_create": "hard",
+    "R_PRIMITIVE_CHOICE": "soft",
     "R26_no_internal_jargon": "hard",
     "R27_concise_responses": "hard",
     "R28_correction_learning_system_prompt": "hard",

package/src/r_catalog.py

@@ -1,24 +1,30 @@
-"""R-CATALOG — Plan Consolidado 0.X.2.
+"""R-CATALOG — Plan Consolidado 0.X.2 + v7.7 Gap 3 expansion.
 
-Pre-create discovery probe: when the agent is about to create a resource
-(``nexo_*_create`` family) without having consulted any inventory tool in
-the same turn, R-CATALOG nudges it to search first.
+Pre-create discovery probe. Two trigger families:
 
-Rationale (Plan Consolidado §FASE 0.X): the Guardian should not re-teach
-what tools exist; the live catalog does that. But if the agent never
-reads the catalog before creating a new artefact, it skips discovery and
-produces duplicates (already-existing skills cloned as personal scripts,
-learnings with equivalent content, followups on resolved work, etc.).
+  (a) `nexo_*_create` / `_open` / `_add` — the original MCP-tool path.
+  (b) v7.7: `Edit` / `Write` writing into artefact-bearing paths
+      (skills/, plugins/, scripts/, personal scripts). The checklist
+      item "ampliar el ámbito del pre-probe de catálogo para cubrir
+      no solo nexo_*_create/_open/_add, sino también writes de
+      archivos que materializan skills/plugins/scripts/plantillas/
+      artefactos aunque no hayan pasado por un tool MCP de 'create'".
+
+Rationale: the Guardian should not re-teach what tools exist; the live
+catalog does that. But if the agent materialises a new skill / plugin /
+script by writing a file directly, without consulting inventory, it
+skips discovery and produces duplicates.
 
 Contract:
-  - Trigger tools: any tool matching ``nexo_*_create`` / ``_open`` / ``_add``.
-  - Discovery tools (any one resets the window): ``nexo_system_catalog``,
-    ``nexo_tool_explain``, ``nexo_skill_match``, ``nexo_skill_list``,
-    ``nexo_learning_search``, ``nexo_guard_check``.
-  - Window: 60s. Caller passes ``recent_tool_names`` already filtered to
+  - Trigger tools: `nexo_*_create` / `_open` / `_add` (always), or
+    `Edit` / `Write` when the file path lives under a recognised
+    artefact root.
+  - Discovery tools (any one resets the window): `nexo_system_catalog`,
+    `nexo_tool_explain`, `nexo_skill_match`, `nexo_skill_list`,
+    `nexo_learning_search`, `nexo_guard_check`, `nexo_personal_scripts_list`,
+    `nexo_plugin_list`.
+  - Window: 60s. Caller passes `recent_tool_names` already filtered to
     the last 60 seconds so the rule itself is time-agnostic.
-  - Dedup tag: the engine's _enqueue keys dedup by rule_id + tag so an
-    agent chaining two creates only gets nudged once per 60s.
 """
 from __future__ import annotations
 
@@ -34,8 +40,30 @@ DISCOVERY_TOOLS = frozenset({
     "nexo_skill_list",
     "nexo_learning_search",
     "nexo_guard_check",
+    # v7.7 Gap 3: inventory surfaces that count as "I checked what
+    # already exists before writing a new artefact".
+    "nexo_personal_scripts_list",
+    "nexo_plugin_list",
 })
 
+# Path fragments that classify a write as an "artefact creation" write,
+# even when it goes through plain Edit / Write instead of a dedicated
+# MCP tool. v7.7 Gap 3 coverage.
+ARTEFACT_PATH_FRAGMENTS = (
+    "/skills/",
+    "/clawhub-skill/",
+    "/.claude-plugin/",
+    "/src/plugins/",
+    "/personal/scripts/",
+    "/personal/skills/",
+    "/personal-scripts/",
+    "/.nexo/personal/scripts/",
+    "/.nexo/skills/",
+    "/templates/core-prompts/",
+    "/core-prompts/",
+    "/src/presets/",
+)
+
 INJECTION_PROMPT = render_core_prompt("r-catalog", tool="{tool}")
 
 
@@ -45,13 +73,30 @@ def _is_trigger_tool(tool_name) -> bool:
     return tool_name.endswith("_create") or tool_name.endswith("_open") or tool_name.endswith("_add")
 
 
+def _is_artefact_write(tool_name, files: Iterable[str] | None) -> bool:
+    """v7.7 Gap 3: a plain Edit/Write into an artefact-bearing path
+    counts as a trigger even without a *_create MCP tool."""
+    if tool_name not in ("Edit", "Write"):
+        return False
+    if not files:
+        return False
+    for path in files:
+        if not isinstance(path, str):
+            continue
+        for fragment in ARTEFACT_PATH_FRAGMENTS:
+            if fragment in path:
+                return True
+    return False
+
+
 def should_inject_r_catalog(
     tool_name,
     *,
     recent_tool_names: Iterable[str] | None,
+    files: Iterable[str] | None = None,
 ) -> tuple[bool, str]:
     """Return (inject, prompt). Never raises."""
-    if not _is_trigger_tool(tool_name):
+    if not _is_trigger_tool(tool_name) and not _is_artefact_write(tool_name, files):
         return False, ""
     if tool_name in DISCOVERY_TOOLS:
         return False, ""
@@ -63,6 +108,7 @@ def should_inject_r_catalog(
 
 __all__ = [
     "DISCOVERY_TOOLS",
+    "ARTEFACT_PATH_FRAGMENTS",
     "INJECTION_PROMPT",
     "should_inject_r_catalog",
 ]

package/src/r_primitive_choice.py

@@ -0,0 +1,111 @@
+"""R_PRIMITIVE_CHOICE — v7.7 Gap 4.
+
+Before materialising a NEW artefact (skill / plugin / personal script /
+template) via plain Edit / Write, the agent MUST consult SK-CREATE-
+NEXO-PRIMITIVE (or its equivalent signal — a recent `nexo_skill_match`
+/ `nexo_tool_explain` call) so skill-vs-plugin-vs-script-vs-schedule-
+vs-core-change is not improvised.
+
+Distinct from R_CATALOG (v7.7 Gap 3) which fires on EVERY write into
+an artefact-bearing path; R_PRIMITIVE_CHOICE fires only when the file
+is NEW (write without prior matching read/grep) so editing an existing
+skill to tweak a step is not reprimanded.
+
+Contract:
+  - Trigger: Edit/Write into artefact-bearing paths AND the file did
+    NOT appear in the recent tool record as a previous Read/Grep.
+  - Relief signal (any one in last 120s): `nexo_skill_match`,
+    `nexo_tool_explain`, Read or Grep of the same path, or
+    `nexo_skill_apply` referencing SK-CREATE-NEXO-PRIMITIVE.
+  - Default mode: soft (so the rule can be observed before hardening).
+"""
+from __future__ import annotations
+
+from typing import Iterable
+
+from core_prompts import render_core_prompt
+
+
+ARTEFACT_PATH_FRAGMENTS = (
+    "/skills/",
+    "/clawhub-skill/",
+    "/.claude-plugin/",
+    "/src/plugins/",
+    "/personal/scripts/",
+    "/personal/skills/",
+    "/personal-scripts/",
+    "/.nexo/personal/scripts/",
+    "/.nexo/skills/",
+    "/templates/core-prompts/",
+)
+
+RELIEF_TOOLS = frozenset({
+    "nexo_skill_match",
+    "nexo_tool_explain",
+    "nexo_skill_apply",
+    "Read",
+    "Grep",
+})
+
+
+INJECTION_PROMPT = render_core_prompt("r-primitive-choice", path="{path}")
+
+
+def _is_artefact_path(path: str) -> bool:
+    if not isinstance(path, str):
+        return False
+    return any(fragment in path for fragment in ARTEFACT_PATH_FRAGMENTS)
+
+
+def _file_previously_touched(path: str, recent_records) -> bool:
+    """True iff the same path was seen in a prior Read / Grep / Edit
+    call inside the recent window. The engine passes its
+    recent_tool_records list (each record has .tool and .files)."""
+    if not isinstance(path, str):
+        return False
+    for record in recent_records or []:
+        tool = getattr(record, "tool", "")
+        if tool not in ("Read", "Grep", "Edit"):
+            continue
+        files = getattr(record, "files", ())
+        for f in files or ():
+            if f == path:
+                return True
+    return False
+
+
+def should_inject_r_primitive(
+    tool_name,
+    *,
+    files: Iterable[str] | None,
+    recent_tool_names: Iterable[str] | None,
+    recent_tool_records,
+) -> tuple[bool, str]:
+    """Return (inject, prompt). Fail-closed on bad input → (False, "")."""
+    if tool_name not in ("Edit", "Write"):
+        return False, ""
+    file_list = [f for f in (files or []) if isinstance(f, str)]
+    if not file_list:
+        return False, ""
+    artefact_files = [f for f in file_list if _is_artefact_path(f)]
+    if not artefact_files:
+        return False, ""
+    # If any relief tool fired recently, rule is satisfied.
+    recent = set(recent_tool_names or [])
+    if recent & RELIEF_TOOLS:
+        return False, ""
+    # If the file appears to be an edit of an existing artefact (Read
+    # or Grep already touched the same path), treat as relief too —
+    # we only want to flag NEW artefact creation.
+    for f in artefact_files:
+        if _file_previously_touched(f, recent_tool_records):
+            return False, ""
+    return True, INJECTION_PROMPT.format(path=artefact_files[0])
+
+
+__all__ = [
+    "ARTEFACT_PATH_FRAGMENTS",
+    "RELIEF_TOOLS",
+    "INJECTION_PROMPT",
+    "should_inject_r_primitive",
+]

package/templates/core-prompts/r-primitive-choice.md

@@ -0,0 +1 @@
+[NEXO Protocol Enforcer] R_PRIMITIVE_CHOICE: you are about to write a new artefact under `{path}` without consulting SK-CREATE-NEXO-PRIMITIVE or an equivalent primitive-choice probe. Stop. Run `nexo_skill_match` with the phrase "create a new primitive" (or the equivalent in your language) and follow the skill's decision table before creating. skill vs plugin vs personal-script vs schedule vs core-change is a durable decision — do not improvise. Do not produce visible text for this reminder; act on it silently.

package/templates/core-prompts/r16-declared-done-question.md

@@ -1 +1 @@
-Does the assistant message below declare that a task is finished, completed, shipped, or already done? Answer yes only if the assistant is claiming completion of the current work. Answer no for status updates, mid-task progress reports, questions, or partial summaries.
+Does the assistant message below declare that a task is finished, completed, shipped, sent, delivered, published, deployed, released, fixed, resolved, merged, pushed, handed off, or otherwise closed on any plane (deploy, release, publish, email/message sent, PR merged, fix applied, task resolved)? Answer yes only if the assistant is claiming real completion of the current work (in any language — Spanish "listo/hecho/terminado/enviado/arreglado/desplegado/publicado/lanzado/resuelto/mergeado" counts equally). Answer no for status updates, mid-task progress reports, questions, partial summaries, or "I will now..." promises without execution in the same turn.