nexo-brain 7.6.0 → 7.8.0

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.6.0",
+  "version": "7.8.0",
   "description": "Local cognitive runtime for Claude Code \u2014 persistent memory, overnight learning, doctor diagnostics, personal scripts, recovery-aware jobs, startup preflight, and optional dashboard/power helper.",
   "author": {
     "name": "NEXO Brain",

package/README.md

@@ -18,7 +18,11 @@
 
 [Watch the overview video](https://nexo-brain.com/watch/) · [Watch on YouTube](https://www.youtube.com/watch?v=i2lkGhKyVqI) · [Open the infographic](https://nexo-brain.com/assets/nexo-brain-infographic-v5.png)
 
-Version `7.6.0` is the current packaged-runtime line. Minor release that closes the drift between `tool-enforcement-map.json` v2.2 and the two enforcement engines (Brain Python + Desktop JS), and moves several default rule modes toward the obedience target requested by the constructor-guardian-90 checklist. Brain now dispatches `before_tool`, `on_event`, and `conditional` alongside the previously-handled types — before v7.6 Brain silently ignored these three despite the map declaring them, so Brain users got the weaker contract. `after_tool` dependencies now satisfy per-instance (monotonic `_tool_instance_counter`) instead of once-per-session, which was the specific bug the checklist flagged. Map v2.2 tightens two triggers: `nexo_learning_add` grace_messages 3 → 0 (corrections produce the learning in the same turn) and `nexo_task_open` conditional threshold 10 → 4 with level `should → must` and an explicit `inject_prompt`. `guardian_default.json` v1.4.0 raises `R15_project_context`, `R17_promise_debt`, `R22_personal_script` and `R_CATALOG_before_artifact_create` from soft to hard, and moves `R34_identity_coherence` from shadow to soft so identity denials surface a visible reminder instead of silent telemetry. A new contract test (`tests/test_v76_map_parity.py`) pins six invariants including Brain↔Desktop dispatch parity and per-instance satisfaction so a future refactor cannot quietly re-open the drift. Companion release: NEXO Desktop v0.26.0 mirrors the engine fixes + default hardening.
+Version `7.8.0` is the current packaged-runtime line. Minor release that closes the PostCompact continuity work Francisco requested after v7.7: `src/hooks/post_compact.py` is a real registered hook (part of the canonical 9-hook set, was 8), `pre-compact.sh` resolves the exact NEXO SID from `CLAUDE_SESSION_ID` instead of falling back to "latest active session" (that was actively wrong in multi-conversation Desktop), the sidecar moves from `/tmp` to `$NEXO_HOME/runtime/data/compacting-sid.txt` so two concurrent compactions on two conversations cannot race on `/tmp`, `post-compact.sh` removes its "latest checkpoint" fallback (fail-closed to a diagnostic systemMessage instead of restoring the wrong conversation), and the hook cross-checks the sidecar SID against the env-resolved one so a "SID mismatch" is logged as such. Pre- and post-compact now emit NDJSON events the engine drains on every periodic tick via `_consume_pending_hook_events()`; the queue file is truncated after read so an event never fires twice. A new contract test (`tests/test_v78_compaction_continuity.py`) pins 11 invariants across ten rails including the hook registration, the exact-SID resolution path, fail-closed behaviour, and that `compaction_count` only increments on real restore. Pytest 2086 passing (+16 vs v7.7). No Desktop bump — v0.27.0 continues to ship.
+
+Previously in `7.7.0`: minor release that closed the six gaps left partial after v7.6.0's constructor-guardian-90 pass 1 (autonomous detector for `multi_step_task_detected`, R16 vocabulary expansion, R_CATALOG extended to plain Edit/Write, new `R_PRIMITIVE_CHOICE` rule, `R11_plugin_load_pre_inventory` hardened, 12 new contract tests). Post-review hotfix on the same release wired `task_open` rearm properly (discarded from `tools_called` + per-instance pin cleared on `task_close`), added live `on_event` triggers in R14 and R16, and called `on_tool_call_before` before `on_tool_call` in `run_with_enforcement` so before_tool rules fire in Brain the same way Desktop fires `onBeforeToolCall`.
+
+Previously in `7.6.0`: minor release that closed the drift between `tool-enforcement-map.json` v2.2 and the two enforcement engines (Brain Python + Desktop JS), added per-instance `after_tool` satisfaction, tightened `learning_add` grace to 0 and `task_open` threshold to 4/must, hardened R15/R17/R22/R_CATALOG from soft to hard, and raised R34 from shadow to soft.
 
 Previously in `7.5.0`: minor release that promoted `nexo_lifecycle_event` from ledger + reconciliation authority to **canonical authority of session-end**. Brain now owns the prompt, the sequence, and the timing of diary+stop; Desktop v0.25.0 (closed-source companion) is the conduit that executes Brain's plan against the live Claude process. The new 2-call contract — `nexo_lifecycle_event` returns a versioned `canonical_plan` (resume_session → inject_prompt → stop_session, with stable ids and per-action timeouts) and `nexo_lifecycle_complete_canonical` confirms execution with a per-action results array — replaces polling with explicit acknowledgement. `canonical_plan_id` is deterministic: `sha256(event_id + "|v" + plan_version)[:24]`, so retries reuse the same id. Migration m52 extends `lifecycle_events` with six `canonical_*` columns plus an index; pre-v7.5 rows simply carry NULL. `session_diary` is the dedupe key on re-delivery: if Desktop crashes between executing the inject and sending the complete call, the next `nexo_lifecycle_event` for the same `event_id` checks for a diary written after `canonical_dispatched_at`; if one exists, Brain short-circuits to `already_processed` and refuses to re-dispatch. The seven explicit `delivery_status` values (`accepted`, `processed`, `canonical_pending`, `canonical_done`, `already_processed`, `retryable_error`, `rejected`) give the pipeline a diffable state machine. `switch` and `window-close` stay observational (no plan ever issued, even with a live `session_id`). `nexo lifecycle record` now returns exit code 0 for `canonical_pending`; older wrappers that treated it as an error are incompatible with v7.5. MCP tool count: 262 → 263.
 

package/hooks/hooks.json

@@ -76,6 +76,18 @@
         ]
       }
     ],
+    "PostCompact": [
+      {
+        "matcher": "*",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "NEXO_HOME=\"${CLAUDE_PLUGIN_DATA}\" NEXO_CODE=\"${CLAUDE_PLUGIN_ROOT}/src\" python3 \"${CLAUDE_PLUGIN_ROOT}/src/hooks/post_compact.py\"",
+            "timeout": 15
+          }
+        ]
+      }
+    ],
     "Notification": [
       {
         "matcher": "*",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.6.0",
+  "version": "7.8.0",
   "mcpName": "io.github.wazionapps/nexo",
   "description": "NEXO Brain \u2014 Shared brain for AI agents. Persistent memory, semantic RAG, natural forgetting, metacognitive guard, trust scoring, 150+ MCP tools. Works with Claude Code, Codex, Claude Desktop & any MCP client. 100% local, free.",
   "homepage": "https://nexo-brain.com",

package/src/enforcement_engine.py

@@ -80,6 +80,11 @@ try:
 except ImportError:  # pragma: no cover
     _r_catalog_should = None  # type: ignore
 
+try:
+    from r_primitive_choice import should_inject_r_primitive as _r_primitive_should
+except ImportError:  # pragma: no cover
+    _r_primitive_should = None  # type: ignore
+
 try:
     from r34_identity_coherence import should_inject_r34 as _r34_should
 except ImportError:  # pragma: no cover
@@ -422,6 +427,9 @@ class HeadlessEnforcer:
         # on_event grace windows — per (event_name) counter of messages
         # since event fired without the required tool being called.
         self._on_event_pending: dict[str, dict] = {}
+        # v7.7 Gap 1: latch so multi_step_task_detected fires at most once
+        # per task cycle. Cleared on skill_match OR task_close.
+        self._multi_step_event_fired: bool = False
 
         if self.map:
             self._build_indexes()
@@ -650,6 +658,14 @@ class HeadlessEnforcer:
         self._r14_correction_seen_for_turn = True
         _logger.info("[R14 %s] correction detected; window opened for %d tool calls",
                      mode.upper(), self._r14_window_remaining)
+        # v7.7 Gap 7.2 — wire on_event so the map's
+        # `user_correction_without_learning` rule fires in the live
+        # stream. grace_messages was set to 0 in map v2.2 so the
+        # learning reminder must surface the same turn.
+        try:
+            self.raise_event("user_correction_without_learning", {"text_hash": hash(text or "")})
+        except Exception:
+            pass  # telemetry-style; never crash R14 detection
 
     def _run_session_end_detection(self, text: str, *, detector=None) -> bool:
         if not self._on_end:
@@ -848,6 +864,13 @@ class HeadlessEnforcer:
             return
         self._enqueue(_R16_PROMPT, "r16:declared-done-without-close", rule_id="R16_declared_done")
         _logger.info("[R16 %s] enqueued declared-done reminder", mode.upper())
+        # v7.7 Gap 7.2 — fire the on_event rule wired to task_close so
+        # the map's `done_claimed_with_open_task` trigger actually runs
+        # from the live stream, not only via test harnesses.
+        try:
+            self.raise_event("done_claimed_with_open_task", {"source": "R16"})
+        except Exception:
+            pass
 
     def _r25_context(self) -> tuple[set[str], list[str]]:
         """Resolve the (read_only_hosts, destructive_patterns) pair from
@@ -1753,8 +1776,15 @@ class HeadlessEnforcer:
         self._enqueue(prompt, decision["tag"], rule_id="R22_personal_script")
         _logger.info("[R22 %s] enqueued path=%s missing=%s", mode.upper(), decision["path"], decision["missing"])
 
-    def _check_r_catalog(self, tool_name: str):
-        """R-CATALOG (Plan Consolidado 0.X.2) — pre-create discovery probe."""
+    def _check_r_catalog(self, tool_name: str, files: list[str] | None = None):
+        """R-CATALOG — pre-create discovery probe.
+
+        v7.7 Gap 3: the trigger set is now {nexo_*_create/_open/_add}
+        UNION {Edit / Write into artefact-bearing paths}. The caller
+        passes the extracted file list so plain Edit/Write materialising
+        a skill / plugin / script without going through a dedicated MCP
+        tool still triggers the probe.
+        """
         if _r_catalog_should is None:
             return
         mode = self._guardian_rule_mode("R_CATALOG_before_artifact_create")
@@ -1768,7 +1798,7 @@ class HeadlessEnforcer:
             r.tool for r in self.recent_tool_records[:-1]
             if (now - getattr(r, "ts", now)) <= window
         ]
-        should, prompt = _r_catalog_should(tool_name, recent_tool_names=names)
+        should, prompt = _r_catalog_should(tool_name, recent_tool_names=names, files=files or [])
         if not should:
             return
         if mode == "shadow":
@@ -1777,6 +1807,45 @@ class HeadlessEnforcer:
         self._enqueue(prompt, f"R_CATALOG:{tool_name}", rule_id="R_CATALOG_before_artifact_create")
         _logger.info("[R_CATALOG %s] enqueued tool=%s", mode.upper(), tool_name)
 
+    def _check_r_primitive_choice(self, tool_name: str, files: list[str] | None):
+        """R_PRIMITIVE_CHOICE (v7.7 Gap 4) — SK-CREATE-NEXO-PRIMITIVE gate.
+
+        Flags Edit/Write of a NEW artefact file without a recent primitive-
+        choice probe. Does not duplicate R_CATALOG: R_CATALOG fires on
+        every artefact-path write without inventory consultation, while
+        this rule fires only when the file is genuinely new (no prior
+        Read / Grep / Edit on the same path).
+        """
+        if _r_primitive_should is None:
+            return
+        mode = self._guardian_rule_mode("R_PRIMITIVE_CHOICE")
+        if mode == "off":
+            return
+        window = 120.0
+        now = time.time()
+        names = [
+            r.tool for r in self.recent_tool_records[:-1]
+            if (now - getattr(r, "ts", now)) <= window
+        ]
+        records = [r for r in self.recent_tool_records[:-1]]
+        should, prompt = _r_primitive_should(
+            tool_name,
+            files=files or [],
+            recent_tool_names=names,
+            recent_tool_records=records,
+        )
+        if not should:
+            return
+        if mode == "shadow":
+            _logger.info("[R_PRIMITIVE_CHOICE SHADOW] would inject for %s", tool_name)
+            return
+        self._enqueue(
+            prompt,
+            f"R_PRIMITIVE_CHOICE:{tool_name}",
+            rule_id="R_PRIMITIVE_CHOICE",
+        )
+        _logger.info("[R_PRIMITIVE_CHOICE %s] enqueued tool=%s", mode.upper(), tool_name)
+
     def _check_r18(self, tool_name: str, tool_input):
         """R18 — suggest followup_complete on closure-class actions."""
         if _r18_should is None or _r18_format is None:
@@ -1934,6 +2003,29 @@ class HeadlessEnforcer:
         # open tool so the next task cycle re-opens the obligation.
         if name == "nexo_task_close":
             self.reset_task_cycle("nexo_task_open")
+
+        # v7.7 Gap 1 — autonomous detector for multi_step_task_detected.
+        # The event was dispatched by the map but nothing ever raised it.
+        # Heuristic: three or more edit/execute/delegate calls within the
+        # recent window (Edit/Write/Task/Bash-with-write-command) without
+        # a nexo_skill_match in between signals multi-step work that
+        # should consult skills first. We raise the event at most once per
+        # task cycle — skill_match clears it; task_close rearms it.
+        if not self._multi_step_event_fired:
+            edit_like = {"Edit", "Write", "Task"}
+            recent_edit_calls = sum(
+                1 for r in self.recent_tool_records[-10:] if r.tool in edit_like
+            )
+            if recent_edit_calls >= 3 and "nexo_skill_match" not in self.tools_called:
+                try:
+                    self.raise_event("multi_step_task_detected", {"recent_edits": recent_edit_calls})
+                except Exception:
+                    pass  # telemetry-style; never crash enforcement
+                self._multi_step_event_fired = True
+        if name == "nexo_skill_match" or name == "nexo_task_close":
+            # Both signals clear the multi-step flag so the next task
+            # cycle gets its own detection window.
+            self._multi_step_event_fired = False
         # Track the recent tool_use with the file paths it targets so Fase 2
         # Capa 2 rules (R13, future R19/R20) can inspect the write path.
         files = self._extract_files(tool_input)
@@ -2004,7 +2096,13 @@ class HeadlessEnforcer:
 
         # R-CATALOG (Plan 0.X.2) — nudge if we are about to create/open/add
         # without having consulted the live inventory in the last 60 s.
-        self._check_r_catalog(name)
+        self._check_r_catalog(name, files)
+
+        # v7.7 Gap 4 — R_PRIMITIVE_CHOICE. Runs AFTER R_CATALOG because
+        # R_CATALOG's prompt covers the generic inventory case; this one
+        # adds the specific primitive-decision reminder when a brand-new
+        # artefact file is being materialised via Edit/Write.
+        self._check_r_primitive_choice(name, files)
 
         # R18 — retroactive followup-complete suggestion on closure actions.
         self._check_r18(name, tool_input)
@@ -2161,11 +2259,26 @@ class HeadlessEnforcer:
 
     def reset_task_cycle(self, tool: str = "nexo_task_open"):
         """Called when a task_close lands, so the conditional counter for
-        the matching open-tool rearms for the next task. Without this,
-        the first task_open satisfies the condition forever — which is
-        exactly the "satisfied-by-once" semantics the checklist flagged.
+        the matching open-tool rearms for the next task.
+
+        v7.7 Gap 7.1 (checklist pass-2 hotfix): v7.6 only reset the
+        counter but left `tools_called` carrying `nexo_task_open` from
+        the previous cycle. That meant `_check_conditional`'s early
+        `if tool in self.tools_called: continue` short-circuit still
+        blocked the re-nudge forever. We now also drop the open-tool
+        from `tools_called` and clear its per-instance pin so the gate
+        genuinely re-arms for the next task cycle. `_tool_last_instance`
+        stays intact for the OTHER tools (per-instance semantics for
+        after_tool still rely on it).
         """
         self._conditional_counters[tool] = 0
+        if tool in self.tools_called:
+            self.tools_called.discard(tool)
+        # Clearing the per-instance pin lets future after_tool
+        # dependencies on this tool re-open too; the conditional rule is
+        # what the checklist focused on but the same "satisfied-by-once"
+        # defect applied to after_tool gates pointing at task_open.
+        self._tool_last_instance.pop(tool, None)
 
     def check_periodic(self):
         for entry in self._on_start:
@@ -2198,6 +2311,96 @@ class HeadlessEnforcer:
         # v7.6 conditional + deferred on_event reminders.
         self._check_conditional()
         self._check_on_event_pending()
+        # v7.8 — drain hook-emitted events (pre_compaction, post_compaction).
+        self._consume_pending_hook_events()
+
+    def _consume_pending_hook_events(self):
+        """v7.8 / v7.8.1 — drain queued hook events for THIS session only.
+
+        pre-compact.sh and post-compact.sh run in separate processes, so
+        they cannot call `raise_event()` directly. They append one NDJSON
+        row per event to `~/.nexo/runtime/data/pending_enforcer_events.ndjson`.
+
+        v7.8.1 (Francisco correction): the queue is GLOBAL across all
+        concurrent sessions, so the engine MUST filter by `self._session_id`
+        before consuming. The original v7.8 drain read every row, fired
+        `raise_event` for all of them, then truncated the whole file —
+        that let a session A enforcer eat events addressed to session B.
+        The fix:
+
+          * Read all rows.
+          * Split into (mine, others) by comparing row["session_id"] to
+            the engine's own `_session_id`.
+          * Fire `raise_event` for MY rows only.
+          * Rewrite the file with only the OTHERS (plus any rows whose
+            session_id we cannot parse — leave them for the next run).
+
+        This preserves the "no double-fire" invariant and also closes
+        the cross-session consumption bug.
+
+        Fail-closed: any parse/IO error is swallowed so a broken queue
+        cannot crash enforcement.
+        """
+        try:
+            import os
+            nexo_home = os.environ.get("NEXO_HOME", os.path.expanduser("~/.nexo"))
+            queue_path = os.path.join(nexo_home, "runtime", "data", "pending_enforcer_events.ndjson")
+            if not os.path.isfile(queue_path):
+                return
+            import json
+            try:
+                with open(queue_path, "r", encoding="utf-8") as fh:
+                    raw_lines = [ln.rstrip("\n") for ln in fh.readlines()]
+            except Exception:
+                return
+            if not raw_lines:
+                return
+            own_sid = str(self._session_id or "").strip()
+            mine: list[dict] = []
+            keep_raw: list[str] = []
+            for line in raw_lines:
+                s = line.strip()
+                if not s:
+                    continue
+                try:
+                    row = json.loads(s)
+                except Exception:
+                    # Preserve malformed lines so an unrelated parser
+                    # error does not silently drop another session's event.
+                    keep_raw.append(s)
+                    continue
+                row_sid = str((row or {}).get("session_id") or "").strip()
+                if own_sid and row_sid and row_sid == own_sid:
+                    mine.append(row)
+                elif not own_sid:
+                    # Engine has no session id yet (startup edge). Do
+                    # not consume anything — another session might own
+                    # these rows.
+                    keep_raw.append(s)
+                else:
+                    keep_raw.append(s)
+            # Rewrite the file with the rows this session did NOT claim.
+            try:
+                with open(queue_path, "w", encoding="utf-8") as fh:
+                    for kept in keep_raw:
+                        fh.write(kept + "\n")
+            except Exception:
+                # If the rewrite fails we still have the events cached in
+                # `mine`; we just live with a duplicate-risk for the next
+                # read (still bounded — raise_event is itself idempotent
+                # via its dedup tag).
+                pass
+            for row in mine:
+                event = (row or {}).get("event")
+                if not isinstance(event, str) or not event:
+                    continue
+                try:
+                    self.raise_event(event, row)
+                except Exception:
+                    pass
+        except Exception:
+            # Never crash on consumer errors.
+            pass
 
     def _check_on_event_pending(self):
         """Re-evaluate on_event rules with grace > 0 after message ticks.
@@ -2422,10 +2625,17 @@ def run_with_enforcement(
             if event_type == "assistant" and event.get("message", {}).get("content"):
                 for block in event["message"]["content"]:
                     if block.get("type") == "tool_use":
+                        # v7.7 Gap 7.3 — wire before_tool in the live
+                        # stream. Desktop already calls onBeforeToolCall
+                        # before onToolCall; Brain's stream was only
+                        # calling on_tool_call, silently skipping every
+                        # before_tool rule the map declared.
+                        enforcer.on_tool_call_before(block.get("name", ""), block.get("input"))
                         enforcer.on_tool_call(block.get("name", ""), block.get("input"))
             elif event_type == "content_block_start":
                 cb = event.get("content_block", {})
                 if cb.get("type") == "tool_use":
+                    enforcer.on_tool_call_before(cb.get("name", ""), cb.get("input"))
                     enforcer.on_tool_call(cb.get("name", ""), cb.get("input"))
 
             if event_type == "assistant" and not waiting_for_injection_response:

package/src/hooks/manifest.json

@@ -6,6 +6,7 @@
     { "event": "PreToolUse",       "handler": "src/hooks/pre_tool_use.py",    "critical": true  },
     { "event": "PostToolUse",      "handler": "src/hooks/post_tool_use.py",   "critical": false },
     { "event": "PreCompact",       "handler": "src/hooks/pre_compact.py",     "critical": true  },
+    { "event": "PostCompact",      "handler": "src/hooks/post_compact.py",    "critical": true  },
     { "event": "Stop",             "handler": "src/hooks/stop.py",            "critical": true  },
     { "event": "Notification",     "handler": "src/hooks/notification.py",    "critical": false },
     { "event": "SubagentStop",     "handler": "src/hooks/subagent_stop.py",   "critical": false }

package/src/hooks/post-compact.sh

@@ -22,22 +22,73 @@ if [ -f "$LOG_FILE" ]; then
     LOG_LINES=$(wc -l < "$LOG_FILE" | tr -d ' ')
 fi
 
-# Read checkpoint for the session that just compacted
-# PreCompact writes the SID to /tmp/nexo-compacting-sid
+# v7.8 — Read checkpoint for the EXACT session that compacted. Source
+# of truth is the NEXO_HOME-scoped sidecar PreCompact writes; /tmp is
+# gone (multiple conversations racing on /tmp was the root cause of
+# "otra conversación restauró por accidente"). If the exact SID is not
+# available or maps to a different Claude session than this invocation,
+# we FAIL-CLOSED: print a diagnostic Core Memory Block acknowledging
+# the drop and exit without injecting stale context.
 TARGET_SID=""
-if [ -f /tmp/nexo-compacting-sid ]; then
-    RAW_SID=$(cat /tmp/nexo-compacting-sid 2>/dev/null || echo "")
-    rm -f /tmp/nexo-compacting-sid
-    # Validate SID format: must be nexo-DIGITS-DIGITS
+# v7.8.1 — per-conversation sidecar. If CLAUDE_SESSION_ID is present
+# we read the token-specific file; otherwise (single-conv legacy path)
+# fall back to the global file. Either way, we rm ONLY the file we
+# actually consumed, never another session's.
+SAFE_CLAUDE_ID=""
+if [ -n "${CLAUDE_SESSION_ID:-}" ]; then
+    SAFE_CLAUDE_ID="${CLAUDE_SESSION_ID//[^a-zA-Z0-9._-]/_}"
+    COMPACT_STATE="$DATA_DIR/compacting/$SAFE_CLAUDE_ID.txt"
+else
+    COMPACT_STATE="$DATA_DIR/compacting-sid.txt"
+fi
+if [ -f "$COMPACT_STATE" ]; then
+    RAW_SID=$(cat "$COMPACT_STATE" 2>/dev/null || echo "")
+    rm -f "$COMPACT_STATE"
     if [[ "$RAW_SID" =~ ^nexo-[0-9]+-[0-9]+$ ]]; then
         TARGET_SID="$RAW_SID"
     fi
 fi
 
+# Cross-check: the SID we recover MUST belong to the Claude session
+# that fired this hook. If the env ships CLAUDE_SESSION_ID, resolve it
+# to a NEXO SID and require a match with the pre-compact sidecar.
+if [ -f "$NEXO_DB" ] && [ -n "${CLAUDE_SESSION_ID:-}" ]; then
+    ENV_SID=$(sqlite3 "$NEXO_DB" "
+        SELECT sid FROM sessions WHERE claude_session_id = '$CLAUDE_SESSION_ID' LIMIT 1
+    " 2>/dev/null || echo "")
+    if [ -z "$ENV_SID" ]; then
+        ENV_SID=$(sqlite3 "$NEXO_DB" "
+            SELECT sid FROM session_claude_aliases WHERE claude_session_id = '$CLAUDE_SESSION_ID' ORDER BY last_seen DESC LIMIT 1
+        " 2>/dev/null || echo "")
+    fi
+    if [ -n "$TARGET_SID" ] && [ -n "$ENV_SID" ] && [ "$TARGET_SID" != "$ENV_SID" ]; then
+        # Safer to restore nothing than to restore the wrong conv.
+        echo "<!-- NEXO post-compact: SID mismatch (sidecar=$TARGET_SID env=$ENV_SID); skipping rehydration to avoid cross-conv leak. -->"
+        # Still emit a post_compaction event so the engine sees the hook ran.
+        PENDING_EVENTS="$DATA_DIR/pending_enforcer_events.ndjson"
+        python3 -c "
+import json, os, time
+row = {'event': 'post_compaction', 'session_id': os.environ.get('ENV_SID',''),
+       'status': 'mismatch', 'sidecar_sid': os.environ.get('TARGET_SID',''),
+       'claude_session_id': os.environ.get('CLAUDE_SESSION_ID',''),
+       'timestamp': time.time()}
+try:
+    with open(os.environ['PENDING_EVENTS'], 'a', encoding='utf-8') as fh:
+        fh.write(json.dumps(row, ensure_ascii=False) + '\n')
+except Exception: pass
+" ENV_SID="$ENV_SID" TARGET_SID="$TARGET_SID" CLAUDE_SESSION_ID="${CLAUDE_SESSION_ID:-}" PENDING_EVENTS="$PENDING_EVENTS" >/dev/null 2>&1 || true
+        exit 0
+    fi
+    # If the sidecar was missing, trust the env-resolved SID.
+    if [ -z "$TARGET_SID" ] && [ -n "$ENV_SID" ]; then
+        TARGET_SID="$ENV_SID"
+    fi
+fi
+
 CHECKPOINT=""
 if [ -f "$NEXO_DB" ]; then
     if [ -n "$TARGET_SID" ]; then
-        # Read checkpoint for the specific session that compacted
+        # Read checkpoint for the specific session that compacted.
         CHECKPOINT=$(sqlite3 "$NEXO_DB" "
             SELECT sid, task, task_status, active_files, current_goal,
                    decisions_summary, errors_found, reasoning_thread,
@@ -46,16 +97,10 @@ if [ -f "$NEXO_DB" ]; then
             WHERE sid = '$TARGET_SID'
         " 2>/dev/null || echo "")
     fi
-    # Fallback: if no target SID or no checkpoint found, use latest
-    if [ -z "$CHECKPOINT" ]; then
-        CHECKPOINT=$(sqlite3 "$NEXO_DB" "
-            SELECT sid, task, task_status, active_files, current_goal,
-                   decisions_summary, errors_found, reasoning_thread,
-                   next_step, compaction_count
-            FROM session_checkpoints
-            ORDER BY updated_at DESC LIMIT 1
-        " 2>/dev/null || echo "")
-    fi
+    # v7.8: NO MORE latest-checkpoint fallback. Francisco flagged this
+    # explicitly — restoring the wrong conversation is worse than
+    # restoring nothing. We leave CHECKPOINT empty so the "Core memory
+    # block" prints a small diagnostic and exits cleanly.
 
     if [ -n "$CHECKPOINT" ]; then
         # Parse pipe-separated fields
@@ -178,10 +223,13 @@ print('**Guardrail:** skip option menus, reprioritization, summaries, and audits
 }
 HOOKEOF
     else
-        # No checkpoint — fallback to basic message
-        cat << 'HOOKEOF'
+        # v7.8 fail-closed: no checkpoint for the exact SID. We do NOT
+        # inject another conversation's context (that was the pre-v7.8
+        # bug). Minimal diagnostic so the operator can call
+        # nexo_heartbeat with the right SID if they want to continue.
+        cat << HOOKEOF
 {
-  "systemMessage": "Post-compaction: no prior checkpoint found. Call nexo_heartbeat to reconnect session state."
+  "systemMessage": "Post-compaction (SID=${TARGET_SID:-unknown}): no checkpoint for this exact session. Call nexo_heartbeat(sid='${TARGET_SID:-<run nexo_startup>}') to rehydrate — NEXO did NOT restore a different conversation's checkpoint to avoid cross-conv leaks."
 }
 HOOKEOF
     fi
@@ -192,3 +240,25 @@ else
 }
 HOOKEOF
 fi
+
+# v7.8 — emit post_compaction event for the engine consumer.
+PENDING_EVENTS="$DATA_DIR/pending_enforcer_events.ndjson"
+python3 -c "
+import json, os, sys, time
+target = os.environ.get('TARGET_SID', '')
+pending = os.environ.get('PENDING_EVENTS', '')
+if not pending:
+    sys.exit(0)
+row = {
+    'event': 'post_compaction',
+    'session_id': target,
+    'claude_session_id': os.environ.get('CLAUDE_SESSION_ID', ''),
+    'status': 'restored' if target else 'no_target',
+    'timestamp': time.time(),
+}
+try:
+    with open(pending, 'a', encoding='utf-8') as fh:
+        fh.write(json.dumps(row, ensure_ascii=False) + '\n')
+except Exception:
+    pass
+" TARGET_SID="$TARGET_SID" CLAUDE_SESSION_ID="${CLAUDE_SESSION_ID:-}" PENDING_EVENTS="$PENDING_EVENTS" >/dev/null 2>&1 || true

package/src/hooks/post_compact.py

@@ -0,0 +1,66 @@
+#!/usr/bin/env python3
+"""PostCompact unified handler — delegates to post-compact.sh.
+
+The real work (checkpoint lookup, fail-closed cross-conv guard, Core
+Memory Block systemMessage emission, pending-event enqueue) lives in
+the shell script. This wrapper runs it, captures its stdout verbatim
+(so Claude Code gets the systemMessage JSON), and records an entry in
+hook_runs for auditability.
+
+Matches pre_compact.py shape — one .py handler per event so the
+manifest can keep a single clean row per hook type.
+"""
+from __future__ import annotations
+
+import os
+import subprocess
+import sys
+import time
+from pathlib import Path
+
+
+_DIR = Path(__file__).resolve().parent
+
+
+def _record(duration_ms: int, exit_code: int, session_id: str) -> None:
+    try:
+        sys.path.insert(0, str(_DIR.parent))
+        import hook_observability  # type: ignore
+        hook_observability.record_hook_run(
+            "post_compact",
+            duration_ms=duration_ms,
+            exit_code=exit_code,
+            session_id=session_id,
+        )
+    except Exception:
+        pass
+
+
+def main() -> int:
+    started = time.time()
+    script = _DIR / "post-compact.sh"
+    exit_code = 0
+    # Preserve stdout: Claude Code reads the JSON systemMessage line
+    # the shell script prints. We proxy it through so the runtime sees
+    # exactly what post-compact.sh emits.
+    if script.is_file():
+        try:
+            r = subprocess.run(
+                ["bash", str(script)], timeout=15, capture_output=True
+            )
+            if r.stdout:
+                sys.stdout.write(r.stdout.decode("utf-8", errors="replace"))
+                sys.stdout.flush()
+            exit_code = r.returncode
+        except Exception:
+            exit_code = 1
+    _record(
+        int((time.time() - started) * 1000),
+        exit_code,
+        os.environ.get("CLAUDE_SESSION_ID", ""),
+    )
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())

package/src/hooks/pre-compact.sh

@@ -24,34 +24,62 @@ if [ -f "$LOG_FILE" ]; then
     LOG_LINES=$(wc -l < "$LOG_FILE" | tr -d ' ')
 fi
 
-# Enrich checkpoint: copy diary draft context into checkpoint if exists
-if [ -f "$NEXO_DB" ]; then
-    # Get latest active session's diary draft
-    LATEST_SID=$(sqlite3 "$NEXO_DB" "
-        SELECT sid FROM sessions ORDER BY last_update_epoch DESC LIMIT 1
+# v7.8 — Exact session targeting. Claude Code passes the external
+# session token through CLAUDE_SESSION_ID to every hook. We resolve
+# THAT token to the NEXO SID via session_claude_aliases (or direct
+# match on sessions.claude_session_id). LATEST_SID fallback is gone —
+# multi-conversation Desktop made it actively wrong, because the
+# "latest active" session frequently belongs to a different conv than
+# the one Claude Code is compacting in this hook invocation.
+TARGET_SID=""
+if [ -f "$NEXO_DB" ] && [ -n "${CLAUDE_SESSION_ID:-}" ]; then
+    TARGET_SID=$(sqlite3 "$NEXO_DB" "
+        SELECT sid FROM sessions WHERE claude_session_id = '$CLAUDE_SESSION_ID' LIMIT 1
     " 2>/dev/null || echo "")
+    if [ -z "$TARGET_SID" ]; then
+        TARGET_SID=$(sqlite3 "$NEXO_DB" "
+            SELECT sid FROM session_claude_aliases WHERE claude_session_id = '$CLAUDE_SESSION_ID' ORDER BY last_seen DESC LIMIT 1
+        " 2>/dev/null || echo "")
+    fi
+fi
 
-    if [ -n "$LATEST_SID" ] && [[ "$LATEST_SID" =~ ^nexo-[0-9]+-[0-9]+$ ]]; then
-        # Write SID to temp file so PostCompact knows which session compacted
-        echo "$LATEST_SID" > /tmp/nexo-compacting-sid
-        # Pull diary draft data into checkpoint
-        sqlite3 "$NEXO_DB" "
-            INSERT INTO session_checkpoints (sid, task, current_goal, updated_at)
-            SELECT s.sid, s.task, COALESCE(d.last_context_hint, s.task), datetime('now')
-            FROM sessions s
-            LEFT JOIN session_diary_draft d ON d.sid = s.sid
-            WHERE s.sid = '$LATEST_SID'
-            ON CONFLICT(sid) DO UPDATE SET
-                task = excluded.task,
-                current_goal = CASE
-                    WHEN excluded.current_goal != '' THEN excluded.current_goal
-                    ELSE session_checkpoints.current_goal
-                END,
-                updated_at = datetime('now')
-        " 2>/dev/null || true
-
-        # Flush the richer durable checkpoint state if milestone data exists.
-        NEXO_PRECOMPACT_SID="$LATEST_SID" HOOK_DIR="$HOOK_DIR" python3 -c "
+if [ -f "$NEXO_DB" ] && [ -n "$TARGET_SID" ] && [[ "$TARGET_SID" =~ ^nexo-[0-9]+-[0-9]+$ ]]; then
+    # v7.8.1 (Francisco correction): the sidecar is per-conversation now.
+    # A single global `compacting-sid.txt` let two near-concurrent
+    # compactions on two different conversations clobber each other's
+    # state. We key the sidecar by the Claude session token that fired
+    # this hook (unique per conversation in Desktop). If the env token
+    # is unset we keep writing the legacy global file so single-conv
+    # callers are unaffected.
+    mkdir -p "$DATA_DIR/compacting" 2>/dev/null || true
+    if [ -n "${CLAUDE_SESSION_ID:-}" ]; then
+        # Sanitise to a filesystem-safe token without paying a subshell
+        # per hook invocation.
+        SAFE_CLAUDE_ID="${CLAUDE_SESSION_ID//[^a-zA-Z0-9._-]/_}"
+        COMPACT_STATE="$DATA_DIR/compacting/$SAFE_CLAUDE_ID.txt"
+    else
+        COMPACT_STATE="$DATA_DIR/compacting-sid.txt"
+    fi
+    printf '%s\n' "$TARGET_SID" > "$COMPACT_STATE"
+
+    # Pull diary draft data into checkpoint for the EXACT session.
+    sqlite3 "$NEXO_DB" "
+        INSERT INTO session_checkpoints (sid, task, current_goal, updated_at)
+        SELECT s.sid, s.task, COALESCE(d.last_context_hint, s.task), datetime('now')
+        FROM sessions s
+        LEFT JOIN session_diary_draft d ON d.sid = s.sid
+        WHERE s.sid = '$TARGET_SID'
+        ON CONFLICT(sid) DO UPDATE SET
+            task = excluded.task,
+            current_goal = CASE
+                WHEN excluded.current_goal != '' THEN excluded.current_goal
+                ELSE session_checkpoints.current_goal
+            END,
+            updated_at = datetime('now')
+    " 2>/dev/null || true
+
+    # Flush the richer durable checkpoint state if milestone data exists.
+    NEXO_PRECOMPACT_SID="$TARGET_SID" HOOK_DIR="$HOOK_DIR" python3 -c "
 import os, sys
 sys.path.insert(0, os.path.abspath(os.path.join(os.environ['HOOK_DIR'], '..')))
 try:
@@ -63,7 +91,29 @@ try:
 except Exception:
     pass
 " 2>/dev/null || true
-    fi
+
+    # v7.8 — enqueue a `pre_compaction` event for the live engine to
+    # consume on the next tool call, so the map's on_event rule fires
+    # from the real stream instead of only via tests.
+    PENDING_EVENTS="$DATA_DIR/pending_enforcer_events.ndjson"
+    python3 -c "
+import json, os, sys, time
+target = os.environ.get('NEXO_PRECOMPACT_SID', '')
+pending = os.environ.get('PENDING_EVENTS', '')
+if not (target and pending):
+    sys.exit(0)
+row = {
+    'event': 'pre_compaction',
+    'session_id': target,
+    'claude_session_id': os.environ.get('CLAUDE_SESSION_ID', ''),
+    'timestamp': time.time(),
+}
+try:
+    with open(pending, 'a', encoding='utf-8') as fh:
+        fh.write(json.dumps(row, ensure_ascii=False) + '\n')
+except Exception:
+    pass
+" NEXO_PRECOMPACT_SID="$TARGET_SID" PENDING_EVENTS="$PENDING_EVENTS" CLAUDE_SESSION_ID="${CLAUDE_SESSION_ID:-}" >/dev/null 2>&1 || true
 fi
 
 # ── Layer 2: Emergency auto-diary before compaction ──────────────────

package/src/presets/guardian_default.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://nexo-brain.com/schemas/guardian-config-v1.json",
-  "version": "1.4.0",
-  "description": "Default Guardian configuration. Copied to ~/.nexo/personal/config/guardian.json at `nexo init` / `nexo update` if no user config exists. If user config exists, merge keys NOT present in user config without overwriting user overrides. Core rules (R13, R14, R16, R25, R30) can only be shadow/soft/hard — mode=off is rejected by validator. v1.4.0 (constructor-guardian-90 checklist): R15/R17/R22/R_CATALOG upgraded from soft to hard where false-positive telemetry was low enough; R34 identity_coherence raised from shadow to soft so identity denials surface an actual reminder instead of silent logging.",
+  "version": "1.5.0",
+  "description": "Default Guardian configuration. Copied to ~/.nexo/personal/config/guardian.json at `nexo init` / `nexo update` if no user config exists. If user config exists, merge keys NOT present in user config without overwriting user overrides. Core rules (R13, R14, R16, R25, R30) can only be shadow/soft/hard — mode=off is rejected by validator. v1.4.0 (constructor-guardian-90 pass 1): R15/R17/R22/R_CATALOG upgraded from soft to hard where FP telemetry was low; R34 raised from shadow to soft. v1.5.0 (pass 2): R11_plugin_load_pre_inventory upgraded from soft to hard; new R_PRIMITIVE_CHOICE (SK-CREATE-NEXO-PRIMITIVE gate) added at soft so it can be observed before hardening.",
   "enabled": true,
   "classifier_task_profile": "enforcer_classify",
   "classifier_tier": "muy_bajo",
@@ -23,7 +23,7 @@
     "R08_reminder_recurrence_conflict": "soft",
     "R09_artifact_create_dedup": "soft",
     "R10_workflow_open_without_task": "hard",
-    "R11_plugin_load_pre_inventory": "soft",
+    "R11_plugin_load_pre_inventory": "hard",
     "R12_cognitive_write_dedup": "soft",
     "R13_pre_edit_guard": "hard",
     "R14_correction_learning": "hard",
@@ -43,6 +43,7 @@
     "R25_nora_maria_read_only": "hard",
     "R30_pre_done_evidence_system_prompt": "hard",
     "R_CATALOG_before_artifact_create": "hard",
+    "R_PRIMITIVE_CHOICE": "soft",
     "R26_no_internal_jargon": "hard",
     "R27_concise_responses": "hard",
     "R28_correction_learning_system_prompt": "hard",

package/src/r_catalog.py

@@ -1,24 +1,30 @@
-"""R-CATALOG — Plan Consolidado 0.X.2.
+"""R-CATALOG — Plan Consolidado 0.X.2 + v7.7 Gap 3 expansion.
 
-Pre-create discovery probe: when the agent is about to create a resource
-(``nexo_*_create`` family) without having consulted any inventory tool in
-the same turn, R-CATALOG nudges it to search first.
+Pre-create discovery probe. Two trigger families:
 
-Rationale (Plan Consolidado §FASE 0.X): the Guardian should not re-teach
-what tools exist; the live catalog does that. But if the agent never
-reads the catalog before creating a new artefact, it skips discovery and
-produces duplicates (already-existing skills cloned as personal scripts,
-learnings with equivalent content, followups on resolved work, etc.).
+  (a) `nexo_*_create` / `_open` / `_add` — the original MCP-tool path.
+  (b) v7.7: `Edit` / `Write` writing into artefact-bearing paths
+      (skills/, plugins/, scripts/, personal scripts). The checklist
+      item "ampliar el ámbito del pre-probe de catálogo para cubrir
+      no solo nexo_*_create/_open/_add, sino también writes de
+      archivos que materializan skills/plugins/scripts/plantillas/
+      artefactos aunque no hayan pasado por un tool MCP de 'create'".
+
+Rationale: the Guardian should not re-teach what tools exist; the live
+catalog does that. But if the agent materialises a new skill / plugin /
+script by writing a file directly, without consulting inventory, it
+skips discovery and produces duplicates.
 
 Contract:
-  - Trigger tools: any tool matching ``nexo_*_create`` / ``_open`` / ``_add``.
-  - Discovery tools (any one resets the window): ``nexo_system_catalog``,
-    ``nexo_tool_explain``, ``nexo_skill_match``, ``nexo_skill_list``,
-    ``nexo_learning_search``, ``nexo_guard_check``.
-  - Window: 60s. Caller passes ``recent_tool_names`` already filtered to
+  - Trigger tools: `nexo_*_create` / `_open` / `_add` (always), or
+    `Edit` / `Write` when the file path lives under a recognised
+    artefact root.
+  - Discovery tools (any one resets the window): `nexo_system_catalog`,
+    `nexo_tool_explain`, `nexo_skill_match`, `nexo_skill_list`,
+    `nexo_learning_search`, `nexo_guard_check`, `nexo_personal_scripts_list`,
+    `nexo_plugin_list`.
+  - Window: 60s. Caller passes `recent_tool_names` already filtered to
     the last 60 seconds so the rule itself is time-agnostic.
-  - Dedup tag: the engine's _enqueue keys dedup by rule_id + tag so an
-    agent chaining two creates only gets nudged once per 60s.
 """
 from __future__ import annotations
 
@@ -34,8 +40,30 @@ DISCOVERY_TOOLS = frozenset({
     "nexo_skill_list",
     "nexo_learning_search",
     "nexo_guard_check",
+    # v7.7 Gap 3: inventory surfaces that count as "I checked what
+    # already exists before writing a new artefact".
+    "nexo_personal_scripts_list",
+    "nexo_plugin_list",
 })
 
+# Path fragments that classify a write as an "artefact creation" write,
+# even when it goes through plain Edit / Write instead of a dedicated
+# MCP tool. v7.7 Gap 3 coverage.
+ARTEFACT_PATH_FRAGMENTS = (
+    "/skills/",
+    "/clawhub-skill/",
+    "/.claude-plugin/",
+    "/src/plugins/",
+    "/personal/scripts/",
+    "/personal/skills/",
+    "/personal-scripts/",
+    "/.nexo/personal/scripts/",
+    "/.nexo/skills/",
+    "/templates/core-prompts/",
+    "/core-prompts/",
+    "/src/presets/",
+)
+
 INJECTION_PROMPT = render_core_prompt("r-catalog", tool="{tool}")
 
 
@@ -45,13 +73,30 @@ def _is_trigger_tool(tool_name) -> bool:
     return tool_name.endswith("_create") or tool_name.endswith("_open") or tool_name.endswith("_add")
 
 
+def _is_artefact_write(tool_name, files: Iterable[str] | None) -> bool:
+    """v7.7 Gap 3: a plain Edit/Write into an artefact-bearing path
+    counts as a trigger even without a *_create MCP tool."""
+    if tool_name not in ("Edit", "Write"):
+        return False
+    if not files:
+        return False
+    for path in files:
+        if not isinstance(path, str):
+            continue
+        for fragment in ARTEFACT_PATH_FRAGMENTS:
+            if fragment in path:
+                return True
+    return False
+
+
 def should_inject_r_catalog(
     tool_name,
     *,
     recent_tool_names: Iterable[str] | None,
+    files: Iterable[str] | None = None,
 ) -> tuple[bool, str]:
     """Return (inject, prompt). Never raises."""
-    if not _is_trigger_tool(tool_name):
+    if not _is_trigger_tool(tool_name) and not _is_artefact_write(tool_name, files):
         return False, ""
     if tool_name in DISCOVERY_TOOLS:
         return False, ""
@@ -63,6 +108,7 @@ def should_inject_r_catalog(
 
 __all__ = [
     "DISCOVERY_TOOLS",
+    "ARTEFACT_PATH_FRAGMENTS",
     "INJECTION_PROMPT",
     "should_inject_r_catalog",
 ]

package/src/r_primitive_choice.py

@@ -0,0 +1,111 @@
+"""R_PRIMITIVE_CHOICE — v7.7 Gap 4.
+
+Before materialising a NEW artefact (skill / plugin / personal script /
+template) via plain Edit / Write, the agent MUST consult SK-CREATE-
+NEXO-PRIMITIVE (or its equivalent signal — a recent `nexo_skill_match`
+/ `nexo_tool_explain` call) so skill-vs-plugin-vs-script-vs-schedule-
+vs-core-change is not improvised.
+
+Distinct from R_CATALOG (v7.7 Gap 3) which fires on EVERY write into
+an artefact-bearing path; R_PRIMITIVE_CHOICE fires only when the file
+is NEW (write without prior matching read/grep) so editing an existing
+skill to tweak a step is not reprimanded.
+
+Contract:
+  - Trigger: Edit/Write into artefact-bearing paths AND the file did
+    NOT appear in the recent tool record as a previous Read/Grep.
+  - Relief signal (any one in last 120s): `nexo_skill_match`,
+    `nexo_tool_explain`, Read or Grep of the same path, or
+    `nexo_skill_apply` referencing SK-CREATE-NEXO-PRIMITIVE.
+  - Default mode: soft (so the rule can be observed before hardening).
+"""
+from __future__ import annotations
+
+from typing import Iterable
+
+from core_prompts import render_core_prompt
+
+
+ARTEFACT_PATH_FRAGMENTS = (
+    "/skills/",
+    "/clawhub-skill/",
+    "/.claude-plugin/",
+    "/src/plugins/",
+    "/personal/scripts/",
+    "/personal/skills/",
+    "/personal-scripts/",
+    "/.nexo/personal/scripts/",
+    "/.nexo/skills/",
+    "/templates/core-prompts/",
+)
+
+RELIEF_TOOLS = frozenset({
+    "nexo_skill_match",
+    "nexo_tool_explain",
+    "nexo_skill_apply",
+    "Read",
+    "Grep",
+})
+
+
+INJECTION_PROMPT = render_core_prompt("r-primitive-choice", path="{path}")
+
+
+def _is_artefact_path(path: str) -> bool:
+    if not isinstance(path, str):
+        return False
+    return any(fragment in path for fragment in ARTEFACT_PATH_FRAGMENTS)
+
+
+def _file_previously_touched(path: str, recent_records) -> bool:
+    """True iff the same path was seen in a prior Read / Grep / Edit
+    call inside the recent window. The engine passes its
+    recent_tool_records list (each record has .tool and .files)."""
+    if not isinstance(path, str):
+        return False
+    for record in recent_records or []:
+        tool = getattr(record, "tool", "")
+        if tool not in ("Read", "Grep", "Edit"):
+            continue
+        files = getattr(record, "files", ())
+        for f in files or ():
+            if f == path:
+                return True
+    return False
+
+
+def should_inject_r_primitive(
+    tool_name,
+    *,
+    files: Iterable[str] | None,
+    recent_tool_names: Iterable[str] | None,
+    recent_tool_records,
+) -> tuple[bool, str]:
+    """Return (inject, prompt). Fail-closed on bad input → (False, "")."""
+    if tool_name not in ("Edit", "Write"):
+        return False, ""
+    file_list = [f for f in (files or []) if isinstance(f, str)]
+    if not file_list:
+        return False, ""
+    artefact_files = [f for f in file_list if _is_artefact_path(f)]
+    if not artefact_files:
+        return False, ""
+    # If any relief tool fired recently, rule is satisfied.
+    recent = set(recent_tool_names or [])
+    if recent & RELIEF_TOOLS:
+        return False, ""
+    # If the file appears to be an edit of an existing artefact (Read
+    # or Grep already touched the same path), treat as relief too —
+    # we only want to flag NEW artefact creation.
+    for f in artefact_files:
+        if _file_previously_touched(f, recent_tool_records):
+            return False, ""
+    return True, INJECTION_PROMPT.format(path=artefact_files[0])
+
+
+__all__ = [
+    "ARTEFACT_PATH_FRAGMENTS",
+    "RELIEF_TOOLS",
+    "INJECTION_PROMPT",
+    "should_inject_r_primitive",
+]

package/templates/core-prompts/r-primitive-choice.md

@@ -0,0 +1 @@
+[NEXO Protocol Enforcer] R_PRIMITIVE_CHOICE: you are about to write a new artefact under `{path}` without consulting SK-CREATE-NEXO-PRIMITIVE or an equivalent primitive-choice probe. Stop. Run `nexo_skill_match` with the phrase "create a new primitive" (or the equivalent in your language) and follow the skill's decision table before creating. skill vs plugin vs personal-script vs schedule vs core-change is a durable decision — do not improvise. Do not produce visible text for this reminder; act on it silently.

package/templates/core-prompts/r16-declared-done-question.md

@@ -1 +1 @@
-Does the assistant message below declare that a task is finished, completed, shipped, or already done? Answer yes only if the assistant is claiming completion of the current work. Answer no for status updates, mid-task progress reports, questions, or partial summaries.
+Does the assistant message below declare that a task is finished, completed, shipped, sent, delivered, published, deployed, released, fixed, resolved, merged, pushed, handed off, or otherwise closed on any plane (deploy, release, publish, email/message sent, PR merged, fix applied, task resolved)? Answer yes only if the assistant is claiming real completion of the current work (in any language — Spanish "listo/hecho/terminado/enviado/arreglado/desplegado/publicado/lanzado/resuelto/mergeado" counts equally). Answer no for status updates, mid-task progress reports, questions, partial summaries, or "I will now..." promises without execution in the same turn.