principles-disciple 1.61.0 → 1.63.0

package/src/hooks/gate.ts

@@ -1,45 +1,27 @@
 /**
- * Security Gate Hook - Orchestration Layer
+ * Security Gate Hook - Rule Host Only
  *
- * HOOK CHAIN PRIORITY (short-circuits on first block):
+ * This is the SINGLE AUTHORITATIVE orchestration path.
+ * All blocking logic is now dynamic via Rule Host — no hardcoded gates remain.
  *
+ * Flow:
  * 1. Early Return: Skip if not write/bash/agent tool or no workspace
- * 2. Thinking OS Checkpoint (P-10): Deep reflection enforcement
- * 3. GFI Gate: Fatigue index-based blocking
- * 4. Bash Mutation Detection: Heuristic for bash file modifications
- * 4.5. Rule Host: Active code implementation evaluation (Phase 12)
- * 5. Progressive Gate: EP tier-based access control
- * 6. Edit Verification (P-03): Exact/fuzzy match for edit operations
- *
- * IMPORTANT: This is the SINGLE AUTHORITATIVE orchestration path.
- * All policy modules (gfi-gate, progressive-trust-gate, rule-host) use the shared
- * `recordGateBlockAndReturn` helper to ensure consistent block persistence.
- *
- * Zero-width character detection is handled in bash-risk.ts.
+ * 2. Rule Host: Dynamic principle-based evaluation (sole gate)
  */
 
 import * as fs from 'fs';
 import * as path from 'path';
-import { isRisky, normalizePath, planStatus as getPlanStatus } from '../utils/io.js';
-import { normalizeProfile } from '../core/profile.js';
-import { estimateLineChanges } from '../core/risk-calculator.js';
+import { normalizePath, planStatus } from '../utils/io.js';
 import { WorkspaceContext } from '../core/workspace-context.js';
-import { checkThinkingCheckpoint } from './thinking-checkpoint.js';
-import { handleEditVerification } from './edit-verification.js';
-import { checkGfiGate } from './gfi-gate.js';
-import { checkProgressiveTrustGate } from './progressive-trust-gate.js';
 import { recordGateBlockAndReturn } from './gate-block-helper.js';
 import { RuleHost } from '../core/rule-host.js';
 import type { RuleHostInput } from '../core/rule-host-types.js';
 import type { PluginHookBeforeToolCallEvent, PluginHookToolContext, PluginHookBeforeToolCallResult, PluginLogger } from '../openclaw-sdk.js';
-import {
-  AGENT_TOOLS,
-  BASH_TOOLS_SET,
-  WRITE_TOOLS,
-} from '../constants/tools.js';
+import { AGENT_TOOLS, BASH_TOOLS_SET, WRITE_TOOLS } from '../constants/tools.js';
 import { getSession, hasRecentThinking } from '../core/session-tracker.js';
 import { getEvolutionEngine } from '../core/evolution-engine.js';
 import { EventLogService } from '../core/event-log.js';
+import { estimateLineChanges } from '../core/risk-calculator.js';
 
 export function handleBeforeToolCall(
   event: PluginHookBeforeToolCallEvent,
@@ -58,238 +40,122 @@ export function handleBeforeToolCall(
 
   const wctx = WorkspaceContext.fromHookContext(ctx);
 
-  // 2. Load Profile
-  const profilePath = wctx.resolve('PROFILE');
-  let profile = {
-    risk_paths: [] as string[],
-    gate: { require_plan_for_risk_paths: true },
-    progressive_gate: {
-      enabled: true,
-      plan_approvals: {
-        enabled: false,
-        max_lines_override: -1,
-        allowed_patterns: [] as string[],
-        allowed_operations: [] as string[],
-      }
-    },
-    edit_verification: {
-      enabled: true,
-      max_file_size_bytes: 10 * 1024 * 1024,
-      fuzzy_match_enabled: true,
-      fuzzy_match_threshold: 0.8,
-      skip_large_file_action: 'warn' as 'warn' | 'block',
-    },
-    thinking_checkpoint: {
-      enabled: false,  // Default OFF
-      window_ms: 5 * 60 * 1000,
-      high_risk_tools: ['run_shell_command', 'delete_file', 'move_file'],
-    }
-  };
-
-  if (fs.existsSync(profilePath)) {
-    try {
-      const rawProfile = JSON.parse(fs.readFileSync(profilePath, 'utf8'));
-      profile = normalizeProfile(rawProfile);
-    } catch (e) {
-      logger?.error?.(`[PD_GATE] Failed to parse PROFILE.json: ${String(e)}`);
-    }
-  }
-
-  // ─────────────────────────────────────────────────────────────────────────────
-  // POLICY STEP 1: Thinking OS Checkpoint (P-10)
-  // ─────────────────────────────────────────────────────────────────────────────
-  // Only enforced when thinking_checkpoint.enabled = true in PROFILE.json
-  const thinkingResult = checkThinkingCheckpoint(
-    event,
-    profile.thinking_checkpoint || {},
-    ctx.sessionId,
-    logger
-  );
-  if (thinkingResult) {
-    return thinkingResult;
-  }
-
-  // ─────────────────────────────────────────────────────────────────────────────
-  // POLICY STEP 2: GFI Gate - Hard Intercept
-  // ─────────────────────────────────────────────────────────────────────────────
-  // 根据 GFI (疲劳指数) 精细化拦截工具调用
-  // 注意：TIER 0 (只读工具) 已在早期过滤中放行，此处不检查
-  const gfiGateConfig = wctx.config.get('gfi_gate');
-  const gfiResult = checkGfiGate(event, wctx, ctx.sessionId, gfiGateConfig, logger);
-  if (gfiResult) {
-    return gfiResult;
-  }
-
-  // Merge pluginConfig (OpenClaw UI settings)
-  const configRiskPaths = (ctx.pluginConfig?.riskPaths as string[] | undefined) ?? [];
-  if (configRiskPaths.length > 0) {
-    profile.risk_paths = [...new Set([...profile.risk_paths, ...configRiskPaths])];
-  }
-
-  // 3. Resolve the target file path
+  // 2. Resolve the target file path
   let filePath = event.params.file_path || event.params.path || event.params.file || event.params.target;
 
   // Heuristic for bash mutation detection
   if (isBash && !filePath) {
-    const command = String(event.params.command || event.params.args || "");
+    const command = String(event.params.command || event.params.args || '');
     const mutationMatch = /(?:>|>>|sed\s+-i|rm|mv|mkdir|touch|cp)\s+(?:-[a-zA-Z]+\s+)*([^\s;&|<>]+)/.exec(command);
 
     if (mutationMatch) {
-       
-       
       filePath = mutationMatch[1];
     } else {
-      const hasRiskPath = profile.risk_paths.some(rp => command.includes(rp));
-      const isMutation = /(?:>|>>|sed|rm|mv|mkdir|touch|cp|npm|yarn|pnpm|pip|cargo)/.test(command);
-
-      if (hasRiskPath && isMutation) {
-        filePath = command;
-      } else {
-        return;
-      }
+      // Bash command without a clear file target — let it through to Rule Host
+      filePath = command;
     }
   }
 
   if (typeof filePath !== 'string') return;
 
   const relPath = normalizePath(filePath, ctx.workspaceDir);
-  const risky = (isBash && filePath.includes(' '))
-    ? profile.risk_paths.some(rp => filePath.includes(rp))
-    : isRisky(relPath, profile.risk_paths);
 
-  // ─────────────────────────────────────────────────────────────────────────────
-  // POLICY STEP 2.5: Rule Host Evaluation (Phase 12, D-01/D-03)
-  // ─────────────────────────────────────────────────────────────────────────────
-  // Inserted between GFI gate and Progressive Gate so principle rules can act
-  // before the capability-boundary fallback. Active code implementations run
-  // through a constrained vm context with minimal helpers only.
+  // 3. Rule Host Evaluation — sole gate
   try {
     const ruleHost = new RuleHost(wctx.stateDir, logger);
     const hostInput: RuleHostInput = {
       action: {
         toolName: event.toolName,
         normalizedPath: relPath,
-         
-         
         paramsSummary: _extractParamsSummary(event.params),
       },
       workspace: {
-        isRiskPath: risky,
-         
-         
+        isRiskPath: false, // Rule Host determines risk dynamically
         planStatus: _getPlanStatus(ctx.workspaceDir),
-         
-         
         hasPlanFile: _hasPlanFile(ctx.workspaceDir),
       },
       session: {
         sessionId: ctx.sessionId,
-         
-         
         currentGfi: _getCurrentGfi(ctx.sessionId),
-         
-         
         recentThinking: _hasRecentThinking(ctx.sessionId),
       },
       evolution: {
-         
-         
         epTier: _getEpTier(wctx.workspaceDir),
       },
       derived: {
         estimatedLineChanges: estimateLineChanges({ toolName: event.toolName, params: event.params }),
-         
-         
-        bashRisk: _getBashRisk(event, profile),
+        bashRisk: _getBashRisk(event),
       },
     };
 
     const hostResult = ruleHost.evaluate(hostInput);
-    if (hostResult?.decision === 'block' || hostResult?.decision === 'requireApproval') {
-      // C: Record rule_enforced event for matched rules
+
+    // Always emit rulehost_evaluated
+    try {
+      const eventLog = EventLogService.get(wctx.stateDir, logger as PluginLogger | undefined);
+      eventLog.recordRuleHostEvaluated({
+        toolName: event.toolName,
+        filePath: relPath,
+        matched: hostResult?.matched ?? false,
+        decision: hostResult?.decision ?? 'allow',
+        ruleId: hostResult?.ruleId,
+      });
+    } catch (evErr) {
+      logger?.warn?.(`[PD_GATE] Failed to record rulehost_evaluated: ${String(evErr)}`);
+    }
+
+    if (hostResult?.decision === 'block') {
       try {
         const eventLog = EventLogService.get(wctx.stateDir, logger as PluginLogger | undefined);
         eventLog.recordRuleEnforced({
           ruleId: hostResult.ruleId || 'unknown',
           principleId: hostResult.principleId || 'unknown',
-          enforcement: hostResult.decision === 'requireApproval' ? 'requireApproval' : 'block',
+          enforcement: 'block',
+          toolName: event.toolName,
+          filePath: relPath,
+        });
+        eventLog.recordRuleHostBlocked({
           toolName: event.toolName,
           filePath: relPath,
+          reason: hostResult.reason,
+          ruleId: hostResult.ruleId,
         });
       } catch (evErr) {
-        logger?.warn?.(`[PD_GATE] Failed to record rule_enforced event: ${String(evErr)}`);
+        logger?.warn?.(`[PD_GATE] Failed to record rule_enforced/rulehost_blocked: ${String(evErr)}`);
       }
 
-      const reason = hostResult.decision === 'requireApproval'
-        ? `[Rule Host] Approval required: ${hostResult.reason}`
-        : hostResult.reason;
       return recordGateBlockAndReturn(wctx, {
         filePath: relPath,
-        reason,
+        reason: hostResult.reason,
         toolName: event.toolName,
         sessionId: ctx.sessionId,
         blockSource: 'rule-host',
       }, logger);
     }
-  } catch (hostError: unknown) {
-    // D-08: Conservative degradation — log and continue to Progressive Gate
-    logger.warn?.(`[PD_GATE:RULE_HOST] Host evaluation failed, degrading conservatively: ${String(hostError)}`);
-  }
 
-  // ─────────────────────────────────────────────────────────────────────────────
-  // POLICY STEP 3: Progressive Trust Gate (Stage 1-4 access control)
-  // ─────────────────────────────────────────────────────────────────────────────
-  // IMPORTANT: This step does NOT return early on allow.
-  // We must continue to edit verification for ALL allowed operations.
-  if (profile.progressive_gate?.enabled) {
-    const lineChanges = estimateLineChanges({ toolName: event.toolName, params: event.params });
-    const progressiveGateResult = checkProgressiveTrustGate(
-      event,
-      wctx,
-      relPath,
-      risky,
-      lineChanges,
-      logger,
-      ctx,
-      profile
-    );
-    if (progressiveGateResult) {
-      return progressiveGateResult;
-    }
-    // NOTE: Do NOT return here! Continue to edit verification.
-    // All allowed operations (regardless of EP tier) should still run edit verification.
-  } else {
-    // FALLBACK: Legacy Gate Logic (when progressive gate is disabled)
-    if (risky && profile.gate?.require_plan_for_risk_paths) {
-      const planStatus = getPlanStatus(ctx.workspaceDir);
-      if (planStatus !== 'READY') {
-        return recordGateBlockAndReturn(wctx, {
+    if (hostResult?.decision === 'requireApproval') {
+      try {
+        const eventLog = EventLogService.get(wctx.stateDir, logger as PluginLogger | undefined);
+        eventLog.recordRuleEnforced({
+          ruleId: hostResult.ruleId || 'unknown',
+          principleId: hostResult.principleId || 'unknown',
+          enforcement: 'requireApproval',
+          toolName: event.toolName,
           filePath: relPath,
-          reason: `No READY plan found in PLAN.md.`,
+        });
+        eventLog.recordRuleHostRequireApproval({
           toolName: event.toolName,
-          sessionId: ctx.sessionId,
-          blockSource: 'gate-legacy',
-        }, logger);
+          filePath: relPath,
+          reason: hostResult.reason,
+          ruleId: hostResult.ruleId,
+        });
+      } catch (evErr) {
+        logger?.warn?.(`[PD_GATE] Failed to record rule_enforced/rulehost_requireApproval: ${String(evErr)}`);
       }
     }
-  }
-
-  // ─────────────────────────────────────────────────────────────────────────────
-  // POLICY STEP 4: Edit Tool Verification (P-03)
-  // ─────────────────────────────────────────────────────────────────────────────
-  // This MUST run after all other gate checks for ALL tools.
-  // Edit verification ensures oldText matches the actual file content.
-  if (event.toolName === 'edit' && profile.edit_verification?.enabled !== false) {
-    const verifyResult = handleEditVerification(event, wctx, ctx, {
-      enabled: profile.edit_verification.enabled,
-      max_file_size_bytes: profile.edit_verification.max_file_size_bytes,
-      fuzzy_match_enabled: profile.edit_verification.fuzzy_match_enabled,
-      fuzzy_match_threshold: profile.edit_verification.fuzzy_match_threshold,
-      skip_large_file_action: profile.edit_verification.skip_large_file_action as 'warn' | 'block' | undefined,
-    });
-    if (verifyResult) {
-      return verifyResult; // Block or modify params
-    }
+  } catch (hostError: unknown) {
+    // D-08: Conservative degradation — log and allow on Rule Host failure
+    logger.warn?.(`[PD_GATE:RULE_HOST] Host evaluation failed, allowing conservatively: ${String(hostError)}`);
   }
 
   // All checks passed - allow the operation
@@ -297,9 +163,7 @@ export function handleBeforeToolCall(
 }
 
 // ---------------------------------------------------------------------------
-// Private helpers for building RuleHostInput snapshot
-// These are NOT passed to hosted implementations — they only populate the
-// frozen snapshot that implementations receive.
+// Private helpers
 // ---------------------------------------------------------------------------
 
 function _extractParamsSummary(params: Record<string, unknown>): Record<string, unknown> {
@@ -315,7 +179,7 @@ function _extractParamsSummary(params: Record<string, unknown>): Record<string,
 
 function _getPlanStatus(workspaceDir: string): 'NONE' | 'DRAFT' | 'READY' | 'UNKNOWN' {
   try {
-    const status = getPlanStatus(workspaceDir);
+    const status = planStatus(workspaceDir);
     if (status === 'READY') return 'READY';
     if (status === 'DRAFT') return 'DRAFT';
     if (status === '') return 'NONE';
@@ -360,12 +224,7 @@ function _getEpTier(workspaceDir: string): number {
   }
 }
 
- 
-function _getBashRisk(
-  event: PluginHookBeforeToolCallEvent,
-  _profile: { risk_paths: string[] }
-): 'safe' | 'normal' | 'dangerous' | 'unknown' {
- 
+function _getBashRisk(event: PluginHookBeforeToolCallEvent): 'safe' | 'normal' | 'dangerous' | 'unknown' {
   if (!BASH_TOOLS_SET.has(event.toolName)) return 'unknown';
   try {
     const command = String(event.params.command || event.params.args || '');

package/src/service/evolution-worker.ts

@@ -957,6 +957,16 @@ async function processEvolutionQueue(wctx: WorkspaceContext, logger: PluginLogge
                         if (presentPhases.length < requiredPhases.length) {
                             const missing = requiredPhases.filter(p => !phases[p]);
                             if (logger) logger.warn(`[PD:EvolutionWorker] Report for task ${task.id} incomplete — missing phases: ${missing.join(', ')} (present: ${presentPhases.length}/${requiredPhases.length})`);
+                            // PD-FUNNEL-1.1: Record incomplete_fields event BEFORE retry so funnel can see it.
+                            // The phase-completeness check requeues incomplete reports with continue; without
+                            // this record the funnel would have no signal for JSON-present-but-incomplete cases.
+                            if (eventLog) {
+                                eventLog.recordDiagnosticianReport({
+                                    taskId: task.id,
+                                    reportPath,
+                                    category: 'incomplete_fields',
+                                });
+                            }
                             // Treat as retryable failure: don't mark success, let retry logic kick in
                             reportParsed = false;
                             // Also delete the incomplete marker so next heartbeat re-runs the diagnostician

package/src/service/nocturnal-service.ts

@@ -104,6 +104,7 @@ import { registerSample } from '../core/nocturnal-dataset.js';
 import { getPrincipleState, setPrincipleState } from '../core/principle-training-state.js';
 import type { Implementation } from '../types/principle-tree-schema.js';
 import { validateNocturnalSnapshotIngress } from '../core/nocturnal-snapshot-contract.js';
+import { EventLogService } from '../core/event-log.js';
 
 
 // ---------------------------------------------------------------------------
@@ -522,9 +523,20 @@ function persistCodeCandidate(
     try {
       refreshPrincipleLifecycle(workspaceDir, stateDir);
     } catch (err) {
-       
       console.warn('[nocturnal-service] Lifecycle refresh failed after code candidate persistence:', err instanceof Error ? err.stack : err);
     }
+    // PD-FUNNEL-2.3: Emit nocturnal_code_candidate_created event
+    try {
+      const eventLog = EventLogService.get(stateDir, undefined);
+      eventLog.recordNocturnalCodeCandidateCreated({
+        implementationId,
+        artifactId,
+        ruleId: parsedArtificer.ruleId,
+        persistedPath: assetRoot,
+      });
+    } catch (evErr) {
+      console.warn(`[nocturnal-service] Failed to record nocturnal_code_candidate_created: ${String(evErr)}`);
+    }
     return {
       status: 'persisted_candidate',
       ruleResolution: {
@@ -1039,13 +1051,22 @@ export function executeNocturnalReflection(
     boundedAction: execResult.boundedAction,
   };
 
-   
-   
   let persistedPath: string;
   try {
     persistedPath = persistArtifact(workspaceDir, artifactWithBoundedAction);
     diagnostics.persisted = true;
     diagnostics.persistedPath = persistedPath;
+    // PD-FUNNEL-2.3: Emit nocturnal_artifact_persisted event
+    try {
+      const eventLog = EventLogService.get(stateDir, undefined);
+      eventLog.recordNocturnalArtifactPersisted({
+        artifactId: artifactWithBoundedAction.artifactId,
+        principleId: artifactWithBoundedAction.principleId,
+        persistedPath,
+      });
+    } catch (evErr) {
+      console.warn(`[nocturnal-service] Failed to record nocturnal_artifact_persisted: ${String(evErr)}`);
+    }
   } catch (err) {
     void recordRunEnd(stateDir, 'failed', { reason: `persistence error: ${String(err)}` }).catch((e) => {
       warn(`[nocturnal-service] Failed to record run end (persistence failed): ${String(e)}`);

package/src/service/subagent-workflow/nocturnal-workflow-manager.ts

@@ -41,6 +41,7 @@ import * as fs from 'fs';
 import * as path from 'path';
 import { validateNocturnalSnapshotIngress } from '../../core/nocturnal-snapshot-contract.js';
 import { isSubagentRuntimeAvailable } from '../../utils/subagent-probe.js';
+import { EventLogService } from '../../core/event-log.js';
 
 // ─────────────────────────────────────────────────────────────────────────────
 // NocturnalResult Type Alias
@@ -290,6 +291,21 @@ export class NocturnalWorkflowManager implements WorkflowManager {
                         artifactId: result.diagnostics?.persistedPath,
                     });
                     this.completedWorkflows.set(workflowId, Date.now());
+                    // PD-FUNNEL-2.3: Emit nocturnal_dreamer_completed event
+                    const chainMode: 'trinity' | 'single-reflector' =
+                        result.trinityTelemetry ? 'trinity' : 'single-reflector';
+                    try {
+                        const eventLog = EventLogService.get(this.stateDir, this.logger as unknown as import('../../openclaw-sdk.js').PluginLogger);
+                        eventLog.recordNocturnalDreamerCompleted({
+                            workflowId,
+                            principleId: result.artifact?.principleId ?? 'unknown',
+                            sessionId: result.snapshot?.sessionId ?? 'unknown',
+                            candidateCount: result.trinityTelemetry?.candidateCount ?? 1,
+                            chainMode,
+                        });
+                    } catch (evErr) {
+                        this.logger.warn?.(`[PD:NocturnalWorkflow] Failed to record nocturnal_dreamer_completed: ${String(evErr)}`);
+                    }
                 } else {
                     const reason = result.noTargetSelected ? 'no_target_selected' : 'validation_failed';
                     const failuresSummary = result.validationFailures?.length > 0 

package/src/types/event-types.ts

@@ -23,7 +23,15 @@ export type EventType =
   | 'heartbeat_diagnosis'  // Heartbeat injected diagnostician tasks
   | 'diagnostician_report' // Diagnostician completed and wrote report
   | 'principle_candidate'  // Principle candidate created from report
-  | 'rule_enforced';       // Rule enforced (matched) during tool call
+  | 'rule_enforced'       // Rule enforced (matched) during tool call
+      // C: Nocturnal funnel stage events (PD-FUNNEL-2.3)
+      | 'nocturnal_dreamer_completed'
+      | 'nocturnal_artifact_persisted'
+      | 'nocturnal_code_candidate_created'
+      // C: RuleHost funnel events (PD-FUNNEL-2.4)
+      | 'rulehost_evaluated'
+      | 'rulehost_blocked'
+      | 'rulehost_requireApproval';
 
 export type EventCategory =
   | 'success'
@@ -42,7 +50,11 @@ export type EventCategory =
   | 'written'
   | 'injected'
   | 'created'
-  | 'matched';
+  | 'matched'
+      // C: New categories for RuleHost funnel (PD-FUNNEL-2.4) — completed/created already exist
+      | 'evaluated'   // Used by: rulehost_evaluated
+      | 'blocked'     // Used by: rulehost_blocked
+      | 'requireApproval';  // Used by: rulehost_requireApproval
 
 /**
  * Base event structure for JSONL logging.
@@ -237,6 +249,77 @@ export interface RuleEnforcedEventData {
   filePath: string;
 }
 
+// ============== Nocturnal Funnel Events (PD-FUNNEL-2.3) ==============
+
+/**
+ * nocturnal_dreamer_completed — Trinity Dreamer stage completed.
+ * Emitted from nocturnal-workflow-manager.ts after Trinity chain success.
+ */
+export interface NocturnalDreamerCompletedEventData {
+  workflowId: string;
+  principleId: string;
+  sessionId: string;
+  candidateCount: number;
+  chainMode: 'trinity' | 'single-reflector';
+}
+
+/**
+ * nocturnal_artifact_persisted — Artifact saved to .state/nocturnal/samples/.
+ * Emitted from nocturnal-service.ts persistArtifact() after atomicWriteFileSync.
+ */
+export interface NocturnalArtifactPersistedEventData {
+  artifactId: string;
+  principleId: string;
+  persistedPath: string;
+}
+
+/**
+ * nocturnal_code_candidate_created — Rule implementation candidate persisted.
+ * Emitted from nocturnal-service.ts persistCodeCandidate() after successful creation.
+ */
+export interface NocturnalCodeCandidateCreatedEventData {
+  implementationId: string;
+  artifactId: string;
+  ruleId: string;
+  persistedPath: string;
+}
+
+// ============== RuleHost Funnel Events (PD-FUNNEL-2.4) ==============
+
+/**
+ * rulehost_evaluated — RuleHost.evaluate() was called.
+ * Emitted from gate.ts for every evaluate() call (matched or not).
+ */
+export interface RuleHostEvaluatedEventData {
+  toolName: string;
+  filePath: string;
+  matched: boolean;
+  decision: 'allow' | 'block' | 'requireApproval';
+  ruleId?: string;
+}
+
+/**
+ * rulehost_blocked — Tool call was blocked by RuleHost.
+ * Emitted from gate.ts when hostResult.decision === 'block'.
+ */
+export interface RuleHostBlockedEventData {
+  toolName: string;
+  filePath: string;
+  reason: string;
+  ruleId?: string;
+}
+
+/**
+ * rulehost_requireApproval — Tool call requires approval by RuleHost.
+ * Emitted from gate.ts when hostResult.decision === 'requireApproval'.
+ */
+export interface RuleHostRequireApprovalEventData {
+  toolName: string;
+  filePath: string;
+  reason: string;
+  ruleId?: string;
+}
+
 // ============== Daily Statistics ==============
 
 export interface ToolCallStats {
@@ -335,6 +418,15 @@ export interface EvolutionStats {
   reportsIncompleteFields: number;
   principleCandidatesCreated: number;
   rulesEnforced: number;
+  // C: Nocturnal funnel counters (PD-FUNNEL-2.3)
+  nocturnalDreamerCompleted: number;
+  nocturnalTrinityCompleted: number;
+  nocturnalArtifactPersisted: number;
+  nocturnalCodeCandidateCreated: number;
+  // C: RuleHost funnel counters (PD-FUNNEL-2.4)
+  rulehostEvaluated: number;
+  rulehostBlocked: number;
+  rulehostRequireApproval: number;
 }
 
 export interface HookStats {
@@ -501,6 +593,15 @@ export function createEmptyDailyStats(date: string): DailyStats {
       reportsIncompleteFields: 0,
       principleCandidatesCreated: 0,
       rulesEnforced: 0,
+      // C: Nocturnal funnel counters (PD-FUNNEL-2.3)
+      nocturnalDreamerCompleted: 0,
+      nocturnalTrinityCompleted: 0,
+      nocturnalArtifactPersisted: 0,
+      nocturnalCodeCandidateCreated: 0,
+      // C: RuleHost funnel counters (PD-FUNNEL-2.4)
+      rulehostEvaluated: 0,
+      rulehostBlocked: 0,
+      rulehostRequireApproval: 0,
     },
     hooks: {
       total: 0,