principles-disciple 1.116.0 → 1.118.0

package/openclaw.plugin.json

@@ -2,7 +2,7 @@
   "id": "principles-disciple",
   "name": "Principles Disciple",
   "description": "Evolutionary programming agent framework with strategic guardrails and reflection loops.",
-  "version": "1.116.0",
+  "version": "1.118.0",
   "activation": {
     "onCapabilities": [
       "hook"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "principles-disciple",
-  "version": "1.116.0",
+  "version": "1.118.0",
   "description": "Native OpenClaw plugin for Principles Disciple",
   "type": "module",
   "main": "./dist/bundle.js",

package/scripts/sync-plugin.mjs

@@ -923,6 +923,48 @@ function installTargetDependencies() {
     }
 }
 
+/**
+ * Verify injected workspace packages have their transitive dependencies installed.
+ * npm install --omit=dev in the target doesn't resolve deps of manually-copied packages,
+ * so transitive deps like @earendil-works/pi-agent-core may be missing after production install.
+ */
+function verifyInjectedWorkspaceDeps() {
+    const corePkgDir = join(INSTALL_DIR, 'node_modules', '@principles', 'core');
+    if (!existsSync(corePkgDir)) return;
+
+    const corePkgPath = join(corePkgDir, 'package.json');
+    if (!existsSync(corePkgPath)) return;
+
+    let corePkg;
+    try {
+        corePkg = JSON.parse(readFileSync(corePkgPath, 'utf-8'));
+    } catch (error) {
+        console.error(`  ❌ Failed to parse @principles/core/package.json: ${error.message}`);
+        process.exit(1);
+    }
+
+    const deps = corePkg.dependencies || {};
+    const missing = [];
+    for (const [dep, version] of Object.entries(deps)) {
+        if (!existsSync(join(INSTALL_DIR, 'node_modules', dep))) {
+            missing.push(`${dep}@${version}`);
+        }
+    }
+
+    if (missing.length === 0) return;
+
+    console.log(`  ⚠️  ${missing.length} transitive dependenc${missing.length === 1 ? 'y' : 'ies'} of @principles/core missing, installing...`);
+    try {
+        execSync(`npm install ${missing.join(' ')} --no-audit --no-fund --prefer-offline`, {
+            cwd: INSTALL_DIR,
+            stdio: 'pipe'
+        });
+        console.log('  ✅ Transitive dependencies installed');
+    } catch (error) {
+        console.warn(`  ⚠️  Failed to install transitive dependencies: ${error.message}`);
+    }
+}
+
 /**
  * Clean stale backups.
  */
@@ -1269,6 +1311,7 @@ function main() {
 
     injectLocalWorkspacePackages();
     installTargetDependencies();
+    verifyInjectedWorkspaceDeps();
     verifyPdCliShim();
 
     console.log('\n🔍 Verifying installed plugin can load native dependencies...');

package/src/core/rule-host.ts

@@ -1,11 +1,13 @@
 /**
  * Rule Host — Constrained execution layer for active code implementations
  *
- * PURPOSE: Load active code implementations from the principle-tree ledger,
- * execute them in a constrained node:vm context, and merge their decisions.
+ * PURPOSE: Load active code implementations from the principle-tree ledger
+ * AND from the activations table (code_tool_hook channel), execute them in a
+ * constrained node:vm context, and merge their decisions.
  *
  * ARCHITECTURE:
  *   - Constructor takes stateDir to access the principle-tree ledger
+ *   - Optional workspaceDir enables reading code_tool_hook activations from SQLite
  *   - evaluate(input) loads active code implementations and runs them
  *   - Each implementation executes in an isolated vm context with minimal helpers
  *   - Decision merge: block short-circuits, requireApproval collects, allow is implicit
@@ -27,6 +29,7 @@ import {
 import { loadEntrySource } from './code-implementation-storage.js';
 import { createRuleHostHelpers } from '@principles/core/runtime-v2';
 import { mergeDecisions } from '@principles/core/runtime-v2';
+import { SqliteConnection } from '@principles/core/runtime-v2';
 import { loadRuleImplementationModule } from './rule-implementation-runtime.js';
 import type {
   RuleHostInput,
@@ -39,13 +42,37 @@ import type { Implementation } from '../types/principle-tree-schema.js';
 import type { RuleHostLogger } from '@principles/core/runtime-v2';
 export type { RuleHostLogger } from '@principles/core/runtime-v2';
 
+export interface RuleHostOptions {
+  /** Workspace directory for SQLite access. When provided, RuleHost also loads code_tool_hook activations from the activations table. */
+  workspaceDir?: string;
+}
+
+/**
+ * Type guard for RuleHostMeta from untrusted module exports.
+ * Validates all four required string fields (EP-01: no `as` bypass at trust boundary).
+ */
+function isRuleHostMeta(value: unknown): value is RuleHostMeta {
+  if (!value || typeof value !== 'object' || Array.isArray(value)) {
+    return false;
+  }
+  const v = value as Record<string, unknown>;
+  return (
+    typeof v['name'] === 'string' &&
+    typeof v['version'] === 'string' &&
+    typeof v['ruleId'] === 'string' &&
+    typeof v['coversCondition'] === 'string'
+  );
+}
+
 export class RuleHost {
   private readonly stateDir: string;
   private readonly logger: RuleHostLogger;
+  private readonly workspaceDir: string | null;
 
-  constructor(stateDir: string, logger: RuleHostLogger = console) {
+  constructor(stateDir: string, logger: RuleHostLogger = console, options?: RuleHostOptions) {
     this.stateDir = stateDir;
     this.logger = logger;
+    this.workspaceDir = options?.workspaceDir ?? null;
   }
 
   /**
@@ -72,11 +99,21 @@ export class RuleHost {
   }
 
   /**
-   * Load active code implementations from the ledger.
-   * Filters by type=code and lifecycleState=active, then attempts to
-   * compile each implementation's code asset via node:vm.
+   * Load active code implementations from the ledger AND the activations table.
+   *
+   * Sources (merged, deduplicated by implId):
+   *   1. principle-tree-ledger.json: implementations with lifecycleState='active' and type='code'
+   *   2. activations table: code_tool_hook channel activations (when workspaceDir is provided)
+   *
+   * This bridges the gap between RuleHostWriter (which records activation metadata in SQLite)
+   * and RuleHost enforcement (which previously only read from the ledger JSON file).
+   * See BUG-001 / ERR-011 / ERR-035.
    */
   private _loadActiveCodeImplementations(): LoadedImplementation[] {
+    const loaded: LoadedImplementation[] = [];
+    const seenImplIds = new Set<string>();
+
+    // Source 1: principle-tree-ledger.json (existing path)
     try {
       const activeAllTypes = listImplementationsByLifecycleState(
         this.stateDir,
@@ -86,17 +123,12 @@ export class RuleHost {
       // Filter to code-type implementations only
       const codeImpls = activeAllTypes.filter((impl) => impl.type === 'code');
 
-      if (codeImpls.length === 0) {
-        return [];
-      }
-
-      const loaded: LoadedImplementation[] = [];
-
       for (const impl of codeImpls) {
         try {
           const loadedImpl = this._loadSingleImplementation(impl);
-          if (loadedImpl) {
+          if (loadedImpl && !seenImplIds.has(loadedImpl.implId)) {
             loaded.push(loadedImpl);
+            seenImplIds.add(loadedImpl.implId);
           }
         } catch (loadError: unknown) {
           // Individual load failure: log and skip
@@ -105,14 +137,157 @@ export class RuleHost {
           );
         }
       }
-
-      return loaded;
     } catch (ledgerError: unknown) {
-      // Ledger access failure: log and return empty
+      // Ledger access failure: log and continue to activations table
       this.logger.warn?.(
         `[RuleHost] Failed to access ledger: ${String(ledgerError)}`
       );
-      return [];
+    }
+
+    // Source 2: activations table (code_tool_hook channel) — bridges BUG-001
+    if (this.workspaceDir) {
+      try {
+        const activationImpls = this._loadFromActivationsTable(this.workspaceDir);
+        for (const impl of activationImpls) {
+          if (!seenImplIds.has(impl.implId)) {
+            loaded.push(impl);
+            seenImplIds.add(impl.implId);
+          }
+        }
+      } catch (activationError: unknown) {
+        // Activations table access failure: log and continue with ledger-only results
+        this.logger.warn?.(
+          `[RuleHost] Failed to load code_tool_hook activations: ${String(activationError)}`
+        );
+      }
+    }
+
+    return loaded;
+  }
+
+  /**
+   * Load active code implementations from the activations table (code_tool_hook channel).
+   *
+   * For each activation record:
+   *   1. Query the pi_artifacts table for the artifact content
+   *   2. Parse content_json to extract implementationCode
+   *   3. Compile via loadRuleImplementationModule (same vm isolation as ledger path)
+   *
+   * This mirrors the PromptActivationReader pattern for SQLite access.
+   */
+  private _loadFromActivationsTable(workspaceDir: string): LoadedImplementation[] {
+    const sqliteConn = new SqliteConnection(workspaceDir);
+    try {
+      const db = sqliteConn.getDb();
+      const rows = db.prepare(`
+        SELECT a.activation_id, a.artifact_id, a.target_ref,
+               p.content_json, p.source_rule_id
+        FROM activations a
+        JOIN pi_artifacts p ON a.artifact_id = p.artifact_id
+        WHERE a.channel = 'code_tool_hook' AND a.deactivated_at IS NULL
+        ORDER BY a.activated_at ASC
+      `).all() as unknown;
+
+      if (!Array.isArray(rows)) {
+        this.logger.warn?.(
+          '[RuleHost] Activations table query returned non-array, skipping'
+        );
+        return [];
+      }
+
+      const loaded: LoadedImplementation[] = [];
+
+      for (const row of rows) {
+        if (!row || typeof row !== 'object') {
+          continue;
+        }
+        const r = row as Record<string, unknown>;
+        const activationId = typeof r['activation_id'] === 'string' ? r['activation_id'] : '';
+        const artifactId = typeof r['artifact_id'] === 'string' ? r['artifact_id'] : '';
+        const contentJson = typeof r['content_json'] === 'string' ? r['content_json'] : '';
+        const sourceRuleId = typeof r['source_rule_id'] === 'string' ? r['source_rule_id'] : null;
+
+        if (!activationId || !artifactId || !contentJson) {
+          this.logger.warn?.(
+            `[RuleHost] Activation row missing required fields, skipping`
+          );
+          continue;
+        }
+        try {
+          const content = JSON.parse(contentJson) as unknown;
+          if (!content || typeof content !== 'object' || Array.isArray(content)) {
+            this.logger.warn?.(
+              `[RuleHost] Activation ${activationId}: content_json is not an object, skipping`
+            );
+            continue;
+          }
+
+          const contentObj = content as Record<string, unknown>;
+          const implementationCode = contentObj['implementationCode'];
+          if (typeof implementationCode !== 'string' || implementationCode.length === 0) {
+            this.logger.warn?.(
+              `[RuleHost] Activation ${activationId}: no implementationCode in artifact, skipping`
+            );
+            continue;
+          }
+
+          const ruleId = typeof contentObj['ruleId'] === 'string'
+            ? contentObj['ruleId']
+            : (sourceRuleId ?? artifactId);
+
+          const implId = `act-impl-${activationId}`;
+          const moduleExports = loadRuleImplementationModule(implementationCode, implId);
+
+          if (!moduleExports || typeof moduleExports.evaluate !== 'function') {
+            this.logger.warn?.(
+              `[RuleHost] Activation ${activationId}: compiled module has no evaluate function, skipping`
+            );
+            continue;
+          }
+
+          const fallbackMeta: RuleHostMeta = {
+            name: implId,
+            version: '1',
+            ruleId,
+            coversCondition: 'all',
+          };
+          const meta: RuleHostMeta = isRuleHostMeta(moduleExports.meta)
+            ? moduleExports.meta
+            : fallbackMeta;
+
+          const rawEvaluate = moduleExports.evaluate as (
+            _input: RuleHostInput,
+            _helpers: ReturnType<typeof createRuleHostHelpers>
+          ) => RuleHostResult;
+
+          loaded.push({
+            implId,
+            ruleId,
+            meta,
+            evaluate: (input: RuleHostInput): RuleHostResult => {
+              const frozenHelpers = createRuleHostHelpers(input);
+              const result = rawEvaluate(input, frozenHelpers);
+              if (result.matched && (result.decision === 'block' || result.decision === 'requireApproval')) {
+                result.ruleId = ruleId;
+                result.principleId = meta.ruleId ?? ruleId;
+              }
+              return result;
+            },
+          });
+        } catch (loadError: unknown) {
+          this.logger.warn?.(
+            `[RuleHost] Failed to load activation ${activationId}: ${String(loadError)}`
+          );
+        }
+      }
+
+      return loaded;
+    } finally {
+      try {
+        sqliteConn.close();
+      } catch {
+        // best-effort cleanup
+      }
     }
   }
 

package/src/hooks/gate.ts

@@ -67,7 +67,7 @@ export function handleBeforeToolCall(
 
   // 3. Rule Host Evaluation — sole gate
   try {
-    const ruleHost = new RuleHost(wctx.stateDir, logger);
+    const ruleHost = new RuleHost(wctx.stateDir, logger, { workspaceDir: ctx.workspaceDir });
     const hostInput: RuleHostInput = {
       action: {
         toolName: event.toolName,

package/src/service/internalization-auto-consumer-service.ts

@@ -5,6 +5,8 @@ import {
   DreamerRunner,
   DefaultDreamerValidator,
   PiAiRuntimeAdapter,
+  L2AgentLoopAdapter,
+  loadLedger,
   OpenClawCliRuntimeAdapter,
   storeEmitter,
   resolveRuntimeConfigFromPdConfig,
@@ -13,6 +15,7 @@ import {
   InternalizationQueueReadModel,
   MVP_CORE_TASK_KINDS,
   type PDRuntimeAdapter,
+  type PdL2PrincipleReader,
 } from '@principles/core/runtime-v2';
 import { loadPdConfigForPlugin, loadFeatureFlagFromConfig } from '../core/pd-config-loader.js';
 import { SystemLogger } from '../core/system-logger.js';
@@ -169,15 +172,61 @@ export async function runConsumerCycle(
 
     let adapter: PDRuntimeAdapter;
     if (runtimeKind === 'pi-ai') {
-      adapter = new PiAiRuntimeAdapter({
-        provider: runtimeConfigResult.provider ?? 'openai',
-        model: runtimeConfigResult.model ?? 'gpt-4o',
-        apiKeyEnv: runtimeConfigResult.apiKeyEnv ?? 'OPENAI_API_KEY',
-        maxRetries: runtimeConfigResult.maxRetries,
-        timeoutMs: runtimeConfigResult.timeoutMs,
-        baseUrl: runtimeConfigResult.baseUrl,
-        workspace: workspaceDir,
-      });
+      // PRI-419: when l2_dreamer flag is on, route through the L2 multi-turn agent loop.
+      const l2Flag = loadFeatureFlagFromConfig(workspaceDir, 'l2_dreamer');
+      if (l2Flag.enabled) {
+        const stateDir = `${workspaceDir}/.state`;
+        const principleReader: PdL2PrincipleReader = {
+          listActivePrinciples: async () => {
+            try {
+              const ledger = loadLedger(stateDir);
+              const principles = ledger.tree.principles ?? {};
+              return Object.values(principles)
+                .filter(p => p.status === 'active' && typeof p.id === 'string' && typeof p.text === 'string')
+                .map(p => ({ id: p.id, statement: p.text }));
+            } catch (error) {
+              const reason = error instanceof Error ? error.message : String(error);
+              logger.warn(`[PD:AutoConsumer] L2 dreamer principle reader degraded: ${reason}`);
+              return [];
+            }
+          },
+        };
+        adapter = new L2AgentLoopAdapter(
+          {
+            provider: runtimeConfigResult.provider ?? 'openai',
+            model: runtimeConfigResult.model ?? 'gpt-4o',
+            apiKeyEnv: runtimeConfigResult.apiKeyEnv ?? 'OPENAI_API_KEY',
+            baseUrl: runtimeConfigResult.baseUrl,
+            workspace: workspaceDir,
+            totalBudgetMs: runtimeConfigResult.timeoutMs,
+          },
+          {
+            artifactReader: {
+              // Explicit adapter: PIArtifactRecord → PdL2ArtifactReader. The store returns
+              // PIArtifactRecord (with PIArtifactKind enum); map to the ArtifactSummary shape.
+              getArtifactById: async (id: string) => {
+                const r = await stateManager.piArtifactStore.getArtifactById(id);
+                return r ? { artifactId: r.artifactId, artifactKind: String(r.artifactKind), sourceTaskId: r.sourceTaskId, contentJson: r.contentJson, createdAt: r.createdAt } : null;
+              },
+              listBySourceTaskId: async (taskId: string) => {
+                const records = await stateManager.piArtifactStore.listBySourceTaskId(taskId);
+                return records.map(r => ({ artifactId: r.artifactId, artifactKind: String(r.artifactKind), sourceTaskId: r.sourceTaskId, contentJson: r.contentJson, createdAt: r.createdAt }));
+              },
+            },
+            principleReader,
+          },
+        );
+      } else {
+        adapter = new PiAiRuntimeAdapter({
+          provider: runtimeConfigResult.provider ?? 'openai',
+          model: runtimeConfigResult.model ?? 'gpt-4o',
+          apiKeyEnv: runtimeConfigResult.apiKeyEnv ?? 'OPENAI_API_KEY',
+          maxRetries: runtimeConfigResult.maxRetries,
+          timeoutMs: runtimeConfigResult.timeoutMs,
+          baseUrl: runtimeConfigResult.baseUrl,
+          workspace: workspaceDir,
+        });
+      }
     } else if (runtimeKind === 'openclaw-cli') {
       adapter = new OpenClawCliRuntimeAdapter({
         runtimeMode: runtimeConfigResult.openclawMode ?? 'default',