docs: add human confirmation firewall research report

plugins/memory/holographic/__init__.py

@@ -26,7 +26,6 @@ from agent.memory_provider import MemoryProvider
 from tools.registry import tool_error
 from .store import MemoryStore
 from .retrieval import FactRetriever
-from .observations import ObservationSynthesizer
 
 logger = logging.getLogger(__name__)
 
@@ -38,29 +37,28 @@ logger = logging.getLogger(__name__)
 FACT_STORE_SCHEMA = {
     "name": "fact_store",
     "description": (
-        "Deep structured memory with algebraic reasoning and grounded observation synthesis. "
+        "Deep structured memory with algebraic reasoning. "
         "Use alongside the memory tool — memory for always-on context, "
-        "fact_store for deep recall, compositional queries, and higher-order observations.\n\n"
+        "fact_store for deep recall and compositional queries.\n\n"
         "ACTIONS (simple → powerful):\n"
         "• add — Store a fact the user would expect you to remember.\n"
         "• search — Keyword lookup ('editor config', 'deploy process').\n"
         "• probe — Entity recall: ALL facts about a person/thing.\n"
         "• related — What connects to an entity? Structural adjacency.\n"
         "• reason — Compositional: facts connected to MULTIPLE entities simultaneously.\n"
-        "• observe — Synthesized higher-order observations backed by supporting facts.\n"
         "• contradict — Memory hygiene: find facts making conflicting claims.\n"
         "• update/remove/list — CRUD operations.\n\n"
-        "IMPORTANT: Before answering questions about the user, ALWAYS probe/reason/observe first."
+        "IMPORTANT: Before answering questions about the user, ALWAYS probe or reason first."
     ),
     "parameters": {
         "type": "object",
         "properties": {
             "action": {
                 "type": "string",
-                "enum": ["add", "search", "probe", "related", "reason", "observe", "contradict", "update", "remove", "list"],
+                "enum": ["add", "search", "probe", "related", "reason", "contradict", "update", "remove", "list"],
             },
             "content": {"type": "string", "description": "Fact content (required for 'add')."},
-            "query": {"type": "string", "description": "Search query (required for 'search'/'observe')."},
+            "query": {"type": "string", "description": "Search query (required for 'search')."},
             "entity": {"type": "string", "description": "Entity name for 'probe'/'related'."},
             "entities": {"type": "array", "items": {"type": "string"}, "description": "Entity names for 'reason'."},
             "fact_id": {"type": "integer", "description": "Fact ID for 'update'/'remove'."},
@@ -68,12 +66,6 @@ FACT_STORE_SCHEMA = {
             "tags": {"type": "string", "description": "Comma-separated tags."},
             "trust_delta": {"type": "number", "description": "Trust adjustment for 'update'."},
             "min_trust": {"type": "number", "description": "Minimum trust filter (default: 0.3)."},
-            "min_confidence": {"type": "number", "description": "Minimum observation confidence (default: 0.6)."},
-            "observation_type": {
-                "type": "string",
-                "enum": ["recurring_preference", "stable_direction", "behavioral_pattern"],
-                "description": "Optional observation type filter for 'observe'.",
-            },
             "limit": {"type": "integer", "description": "Max results (default: 10)."},
         },
         "required": ["action"],
@@ -126,9 +118,7 @@ class HolographicMemoryProvider(MemoryProvider):
         self._config = config or _load_plugin_config()
         self._store = None
         self._retriever = None
-        self._observation_synth = None
         self._min_trust = float(self._config.get("min_trust_threshold", 0.3))
-        self._observation_min_confidence = float(self._config.get("observation_min_confidence", 0.6))
 
     @property
     def name(self) -> str:
@@ -187,7 +177,6 @@ class HolographicMemoryProvider(MemoryProvider):
             hrr_weight=hrr_weight,
             hrr_dim=hrr_dim,
         )
-        self._observation_synth = ObservationSynthesizer(self._store)
         self._session_id = session_id
 
     def system_prompt_block(self) -> str:
@@ -204,76 +193,30 @@ class HolographicMemoryProvider(MemoryProvider):
                 "# Holographic Memory\n"
                 "Active. Empty fact store — proactively add facts the user would expect you to remember.\n"
                 "Use fact_store(action='add') to store durable structured facts about people, projects, preferences, decisions.\n"
-                "Use fact_store(action='observe') to synthesize higher-order observations with evidence.\n"
                 "Use fact_feedback to rate facts after using them (trains trust scores)."
             )
         return (
             f"# Holographic Memory\n"
             f"Active. {total} facts stored with entity resolution and trust scoring.\n"
-            f"Use fact_store to search, probe entities, reason across entities, or synthesize observations.\n"
+            f"Use fact_store to search, probe entities, reason across entities, or add facts.\n"
             f"Use fact_feedback to rate facts after using them (trains trust scores)."
         )
 
     def prefetch(self, query: str, *, session_id: str = "") -> str:
-        if not query:
+        if not self._retriever or not query:
             return ""
-
-        parts = []
-        raw_results = []
         try:
-            if self._retriever:
-                raw_results = self._retriever.search(query, min_trust=self._min_trust, limit=5)
-        except Exception as e:
-            logger.debug("Holographic prefetch fact search failed: %s", e)
-            raw_results = []
-
-        observations = []
-        try:
-            if self._observation_synth:
-                observations = self._observation_synth.observe(
-                    query,
-                    min_confidence=self._observation_min_confidence,
-                    limit=3,
-                    refresh=True,
-                )
-        except Exception as e:
-            logger.debug("Holographic prefetch observation search failed: %s", e)
-            observations = []
-
-        if not raw_results and observations:
-            seen_fact_ids = set()
-            evidence_backfill = []
-            for observation in observations:
-                for evidence in observation.get("evidence", []):
-                    fact_id = evidence.get("fact_id")
-                    if fact_id in seen_fact_ids:
-                        continue
-                    seen_fact_ids.add(fact_id)
-                    evidence_backfill.append(evidence)
-            raw_results = evidence_backfill[:5]
-
-        if raw_results:
+            results = self._retriever.search(query, min_trust=self._min_trust, limit=5)
+            if not results:
+                return ""
             lines = []
-            for r in raw_results:
+            for r in results:
                 trust = r.get("trust_score", r.get("trust", 0))
                 lines.append(f"- [{trust:.1f}] {r.get('content', '')}")
-            parts.append("## Holographic Memory\n" + "\n".join(lines))
-
-        if observations:
-            lines = []
-            for observation in observations:
-                evidence_ids = ", ".join(
-                    f"#{item['fact_id']}" for item in observation.get("evidence", [])[:3]
-                ) or "none"
-                lines.append(
-                    f"- [{observation.get('confidence', 0.0):.2f}] "
-                    f"{observation.get('observation_type', 'observation')}: "
-                    f"{observation.get('summary', '')} "
-                    f"(evidence: {evidence_ids})"
-                )
-            parts.append("## Holographic Observations\n" + "\n".join(lines))
-
-        return "\n\n".join(parts)
+            return "## Holographic Memory\n" + "\n".join(lines)
+        except Exception as e:
+            logger.debug("Holographic prefetch failed: %s", e)
+            return ""
 
     def sync_turn(self, user_content: str, assistant_content: str, *, session_id: str = "") -> None:
         # Holographic memory stores explicit facts via tools, not auto-sync.
@@ -309,7 +252,6 @@ class HolographicMemoryProvider(MemoryProvider):
     def shutdown(self) -> None:
         self._store = None
         self._retriever = None
-        self._observation_synth = None
 
     # -- Tool handlers -------------------------------------------------------
 
@@ -363,19 +305,6 @@ class HolographicMemoryProvider(MemoryProvider):
                 )
                 return json.dumps({"results": results, "count": len(results)})
 
-            elif action == "observe":
-                synthesizer = self._observation_synth
-                if not synthesizer:
-                    return tool_error("Observation synthesizer is not initialized")
-                observations = synthesizer.observe(
-                    args.get("query", ""),
-                    observation_type=args.get("observation_type"),
-                    min_confidence=float(args.get("min_confidence", self._observation_min_confidence)),
-                    limit=int(args.get("limit", 10)),
-                    refresh=True,
-                )
-                return json.dumps({"observations": observations, "count": len(observations)})
-
             elif action == "contradict":
                 results = retriever.contradict(
                     category=args.get("category"),

plugins/memory/holographic/observations.py

@@ -1,249 +0,0 @@
-"""Higher-order observation synthesis for holographic memory.
-
-Builds grounded observations from accumulated facts and keeps them in a
-separate retrieval layer with explicit evidence links back to supporting facts.
-"""
-
-from __future__ import annotations
-
-import re
-from typing import Any
-
-from .store import MemoryStore
-
-_TOKEN_RE = re.compile(r"[a-z0-9_]+")
-_HIGHER_ORDER_CUES = {
-    "prefer",
-    "preference",
-    "preferences",
-    "style",
-    "pattern",
-    "patterns",
-    "behavior",
-    "behaviour",
-    "habit",
-    "habits",
-    "workflow",
-    "direction",
-    "trajectory",
-    "strategy",
-    "tend",
-    "usually",
-}
-
-_OBSERVATION_PATTERNS = [
-    {
-        "observation_type": "recurring_preference",
-        "subject": "communication_style",
-        "categories": {"user_pref", "general"},
-        "labels": {
-            "concise": ["concise", "terse", "brief", "short", "no fluff"],
-            "result_first": ["result-only", "result only", "outcome only", "quick", "quickly"],
-            "silent_ops": ["silent", "no status", "no repetitive status", "no questions"],
-        },
-        "summary_prefix": "Recurring preference",
-    },
-    {
-        "observation_type": "stable_direction",
-        "subject": "project_direction",
-        "categories": {"project", "general", "tool"},
-        "labels": {
-            "local_first": ["local-first", "local first", "local-only", "local only", "ollama", "own hardware"],
-            "gitea_first": ["gitea-first", "gitea first", "forge", "pull request", "pr flow", "issue flow"],
-            "ansible": ["ansible", "playbook", "role", "deploy via ansible"],
-        },
-        "summary_prefix": "Stable direction",
-    },
-    {
-        "observation_type": "behavioral_pattern",
-        "subject": "operator_workflow",
-        "categories": {"general", "project", "tool", "user_pref"},
-        "labels": {
-            "commit_early": ["commit early", "commits early", "commit after", "wip commit"],
-            "pr_first": ["open pr", "push a pr", "pull request", "pr immediately", "create pr"],
-            "dedup_guard": ["no dupes", "no duplicates", "avoid duplicate", "existing pr"],
-        },
-        "summary_prefix": "Behavioral pattern",
-    },
-]
-
-_TYPE_QUERY_HINTS = {
-    "recurring_preference": {"prefer", "preference", "style", "communication", "likes", "wants"},
-    "stable_direction": {"direction", "trajectory", "strategy", "project", "roadmap", "moving"},
-    "behavioral_pattern": {"pattern", "behavior", "workflow", "habit", "operator", "agent", "usually"},
-}
-
-
-class ObservationSynthesizer:
-    """Synthesizes grounded observations from facts and retrieves them by query."""
-
-    def __init__(self, store: MemoryStore):
-        self.store = store
-
-    def synthesize(
-        self,
-        *,
-        persist: bool = True,
-        min_confidence: float = 0.6,
-        limit: int = 10,
-    ) -> list[dict[str, Any]]:
-        facts = self.store.list_facts(min_trust=0.0, limit=1000)
-        observations: list[dict[str, Any]] = []
-
-        for pattern in _OBSERVATION_PATTERNS:
-            candidate = self._build_candidate(pattern, facts, min_confidence=min_confidence)
-            if not candidate:
-                continue
-
-            if persist:
-                candidate["observation_id"] = self.store.upsert_observation(
-                    candidate["observation_type"],
-                    candidate["subject"],
-                    candidate["summary"],
-                    candidate["confidence"],
-                    candidate["evidence_fact_ids"],
-                    metadata=candidate["metadata"],
-                )
-
-            candidate["evidence"] = self._expand_evidence(candidate["evidence_fact_ids"])
-            candidate["evidence_count"] = len(candidate["evidence"])
-            candidate.pop("evidence_fact_ids", None)
-            observations.append(candidate)
-
-        observations.sort(
-            key=lambda item: (item["confidence"], item.get("evidence_count", 0)),
-            reverse=True,
-        )
-        return observations[:limit]
-
-    def observe(
-        self,
-        query: str = "",
-        *,
-        observation_type: str | None = None,
-        min_confidence: float = 0.6,
-        limit: int = 10,
-        refresh: bool = True,
-    ) -> list[dict[str, Any]]:
-        if refresh:
-            self.synthesize(persist=True, min_confidence=min_confidence, limit=limit)
-
-        observations = self.store.list_observations(
-            observation_type=observation_type,
-            min_confidence=min_confidence,
-            limit=max(limit * 4, 20),
-        )
-        if not observations:
-            return []
-
-        if not query:
-            return observations[:limit]
-
-        query_tokens = self._tokenize(query)
-        is_higher_order = bool(query_tokens & _HIGHER_ORDER_CUES)
-        ranked: list[dict[str, Any]] = []
-
-        for item in observations:
-            searchable = " ".join(
-                [
-                    item.get("summary", ""),
-                    item.get("subject", ""),
-                    item.get("observation_type", ""),
-                    " ".join(item.get("metadata", {}).get("labels", [])),
-                ]
-            )
-            overlap = self._overlap_score(query_tokens, self._tokenize(searchable))
-            type_bonus = self._type_bonus(query_tokens, item.get("observation_type", ""))
-            if overlap <= 0 and type_bonus <= 0 and not is_higher_order:
-                continue
-            ranked_item = dict(item)
-            ranked_item["score"] = round(item.get("confidence", 0.0) + overlap + type_bonus, 3)
-            ranked.append(ranked_item)
-
-        if not ranked and is_higher_order:
-            ranked = [
-                {**item, "score": round(float(item.get("confidence", 0.0)), 3)}
-                for item in observations
-            ]
-
-        ranked.sort(
-            key=lambda item: (item.get("score", 0.0), item.get("confidence", 0.0), item.get("evidence_count", 0)),
-            reverse=True,
-        )
-        return ranked[:limit]
-
-    def _build_candidate(
-        self,
-        pattern: dict[str, Any],
-        facts: list[dict[str, Any]],
-        *,
-        min_confidence: float,
-    ) -> dict[str, Any] | None:
-        matched_fact_ids: set[int] = set()
-        matched_labels: dict[str, set[int]] = {label: set() for label in pattern["labels"]}
-
-        for fact in facts:
-            if fact.get("category") not in pattern["categories"]:
-                continue
-            haystack = f"{fact.get('content', '')} {fact.get('tags', '')}".lower()
-            local_match = False
-            for label, keywords in pattern["labels"].items():
-                if any(keyword in haystack for keyword in keywords):
-                    matched_labels[label].add(int(fact["fact_id"]))
-                    local_match = True
-            if local_match:
-                matched_fact_ids.add(int(fact["fact_id"]))
-
-        if len(matched_fact_ids) < 2:
-            return None
-
-        active_labels = sorted(label for label, ids in matched_labels.items() if ids)
-        confidence = min(0.95, 0.35 + 0.12 * len(matched_fact_ids) + 0.08 * len(active_labels))
-        confidence = round(confidence, 3)
-        if confidence < min_confidence:
-            return None
-
-        label_summary = ", ".join(label.replace("_", "-") for label in active_labels)
-        subject_text = pattern["subject"].replace("_", " ")
-        summary = (
-            f"{pattern['summary_prefix']}: {subject_text} trends toward {label_summary} "
-            f"based on {len(matched_fact_ids)} supporting facts."
-        )
-        return {
-            "observation_type": pattern["observation_type"],
-            "subject": pattern["subject"],
-            "summary": summary,
-            "confidence": confidence,
-            "metadata": {
-                "labels": active_labels,
-                "evidence_count": len(matched_fact_ids),
-            },
-            "evidence_fact_ids": sorted(matched_fact_ids),
-        }
-
-    def _expand_evidence(self, fact_ids: list[int]) -> list[dict[str, Any]]:
-        facts_by_id = {
-            fact["fact_id"]: fact
-            for fact in self.store.list_facts(min_trust=0.0, limit=1000)
-        }
-        return [facts_by_id[fact_id] for fact_id in fact_ids if fact_id in facts_by_id]
-
-    @staticmethod
-    def _tokenize(text: str) -> set[str]:
-        return set(_TOKEN_RE.findall(text.lower()))
-
-    @staticmethod
-    def _overlap_score(query_tokens: set[str], text_tokens: set[str]) -> float:
-        if not query_tokens or not text_tokens:
-            return 0.0
-        overlap = query_tokens & text_tokens
-        if not overlap:
-            return 0.0
-        return round(len(overlap) / max(len(query_tokens), 1), 3)
-
-    @staticmethod
-    def _type_bonus(query_tokens: set[str], observation_type: str) -> float:
-        hints = _TYPE_QUERY_HINTS.get(observation_type, set())
-        if not hints:
-            return 0.0
-        return 0.25 if query_tokens & hints else 0.0

plugins/memory/holographic/store.py

@@ -3,7 +3,6 @@ SQLite-backed fact store with entity resolution and trust scoring.
 Single-user Hermes memory store plugin.
 """
 
-import json
 import re
 import sqlite3
 import threading
@@ -74,28 +73,6 @@ CREATE TABLE IF NOT EXISTS memory_banks (
     fact_count INTEGER DEFAULT 0,
     updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
 );
-
-CREATE TABLE IF NOT EXISTS observations (
-    observation_id   INTEGER PRIMARY KEY AUTOINCREMENT,
-    observation_type TEXT NOT NULL,
-    subject          TEXT NOT NULL,
-    summary          TEXT NOT NULL,
-    confidence       REAL DEFAULT 0.0,
-    metadata_json    TEXT DEFAULT '{}',
-    created_at       TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
-    updated_at       TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
-    UNIQUE(observation_type, subject)
-);
-
-CREATE TABLE IF NOT EXISTS observation_evidence (
-    observation_id INTEGER REFERENCES observations(observation_id) ON DELETE CASCADE,
-    fact_id        INTEGER REFERENCES facts(fact_id) ON DELETE CASCADE,
-    evidence_weight REAL DEFAULT 1.0,
-    PRIMARY KEY (observation_id, fact_id)
-);
-
-CREATE INDEX IF NOT EXISTS idx_observations_type ON observations(observation_type);
-CREATE INDEX IF NOT EXISTS idx_observations_confidence ON observations(confidence DESC);
 """
 
 # Trust adjustment constants
@@ -151,7 +128,6 @@ class MemoryStore:
     def _init_db(self) -> None:
         """Create tables, indexes, and triggers if they do not exist. Enable WAL mode."""
         self._conn.execute("PRAGMA journal_mode=WAL")
-        self._conn.execute("PRAGMA foreign_keys=ON")
         self._conn.executescript(_SCHEMA)
         # Migrate: add hrr_vector column if missing (safe for existing databases)
         columns = {row[1] for row in self._conn.execute("PRAGMA table_info(facts)").fetchall()}
@@ -370,115 +346,6 @@ class MemoryStore:
             rows = self._conn.execute(sql, params).fetchall()
             return [self._row_to_dict(r) for r in rows]
 
-    def upsert_observation(
-        self,
-        observation_type: str,
-        subject: str,
-        summary: str,
-        confidence: float,
-        evidence_fact_ids: list[int],
-        metadata: dict | None = None,
-    ) -> int:
-        """Create or update a synthesized observation and its evidence links."""
-        with self._lock:
-            metadata_json = json.dumps(metadata or {}, sort_keys=True)
-            self._conn.execute(
-                """
-                INSERT INTO observations (
-                    observation_type, subject, summary, confidence, metadata_json
-                )
-                VALUES (?, ?, ?, ?, ?)
-                ON CONFLICT(observation_type, subject) DO UPDATE SET
-                    summary = excluded.summary,
-                    confidence = excluded.confidence,
-                    metadata_json = excluded.metadata_json,
-                    updated_at = CURRENT_TIMESTAMP
-                """,
-                (observation_type, subject, summary, confidence, metadata_json),
-            )
-            row = self._conn.execute(
-                """
-                SELECT observation_id
-                FROM observations
-                WHERE observation_type = ? AND subject = ?
-                """,
-                (observation_type, subject),
-            ).fetchone()
-            observation_id = int(row["observation_id"])
-
-            self._conn.execute(
-                "DELETE FROM observation_evidence WHERE observation_id = ?",
-                (observation_id,),
-            )
-            unique_fact_ids = sorted({int(fid) for fid in evidence_fact_ids})
-            if unique_fact_ids:
-                self._conn.executemany(
-                    """
-                    INSERT OR IGNORE INTO observation_evidence (observation_id, fact_id)
-                    VALUES (?, ?)
-                    """,
-                    [(observation_id, fact_id) for fact_id in unique_fact_ids],
-                )
-            self._conn.commit()
-            return observation_id
-
-    def list_observations(
-        self,
-        observation_type: str | None = None,
-        min_confidence: float = 0.0,
-        limit: int = 50,
-    ) -> list[dict]:
-        """List synthesized observations with expanded supporting evidence."""
-        with self._lock:
-            params: list = [min_confidence]
-            observation_clause = ""
-            if observation_type is not None:
-                observation_clause = "AND observation_type = ?"
-                params.append(observation_type)
-            params.append(limit)
-            rows = self._conn.execute(
-                f"""
-                SELECT observation_id, observation_type, subject, summary, confidence,
-                       metadata_json, created_at, updated_at,
-                       (
-                           SELECT COUNT(*)
-                           FROM observation_evidence oe
-                           WHERE oe.observation_id = observations.observation_id
-                       ) AS evidence_count
-                FROM observations
-                WHERE confidence >= ?
-                  {observation_clause}
-                ORDER BY confidence DESC, updated_at DESC
-                LIMIT ?
-                """,
-                params,
-            ).fetchall()
-
-            results = []
-            for row in rows:
-                item = dict(row)
-                try:
-                    item["metadata"] = json.loads(item.pop("metadata_json") or "{}")
-                except json.JSONDecodeError:
-                    item["metadata"] = {}
-                item["evidence"] = self._get_observation_evidence(int(item["observation_id"]))
-                results.append(item)
-            return results
-
-    def _get_observation_evidence(self, observation_id: int) -> list[dict]:
-        rows = self._conn.execute(
-            """
-            SELECT f.fact_id, f.content, f.category, f.tags, f.trust_score,
-                   f.retrieval_count, f.helpful_count, f.created_at, f.updated_at
-            FROM observation_evidence oe
-            JOIN facts f ON f.fact_id = oe.fact_id
-            WHERE oe.observation_id = ?
-            ORDER BY f.trust_score DESC, f.updated_at DESC
-            """,
-            (observation_id,),
-        ).fetchall()
-        return [self._row_to_dict(row) for row in rows]
-
     def record_feedback(self, fact_id: int, helpful: bool) -> dict:
         """Record user feedback and adjust trust asymmetrically.
 

research_human_confirmation_firewall.md

@@ -0,0 +1,515 @@
+# Human Confirmation Firewall: Research Report
+## Implementation Patterns for Hermes Agent
+
+**Issue:** #878  
+**Parent:** #659  
+**Priority:** P0  
+**Scope:** Human-in-the-loop safety patterns for tool calls, crisis handling, and irreversible actions
+
+---
+
+## Executive Summary
+
+Hermes already has a partial human confirmation firewall, but it is narrow.
+
+Current repo state shows:
+- a real **pre-execution gate** for dangerous terminal commands in `tools/approval.py`
+- a partial **confidence-threshold path** via `_smart_approve()` in `tools/approval.py`
+- gateway support for blocking approval resolution in `gateway/run.py`
+
+What is still missing is the core recommendation from this research issue:
+- **confidence scoring on all tool calls**, not just terminal commands that already matched a dangerous regex
+- a **hard pre-execution human gate for crisis interventions**, especially any action that would auto-respond to suicidal content
+- a consistent way to classify actions into:
+  1. pre-execution gate
+  2. post-execution review
+  3. confidence-threshold execution
+
+Recommendation:
+- use **Pattern 1: Pre-Execution Gate** for crisis interventions and irreversible/high-impact actions
+- use **Pattern 3: Confidence Threshold** for normal operations
+- reserve **Pattern 2: Post-Execution Review** only for low-risk and reversible actions
+
+The next implementation step should be a **tool-call risk assessment layer** that runs before dispatch in `model_tools.handle_function_call()`, assigns a score and pattern to every tool call, and routes only the highest-risk calls into mandatory human confirmation.
+
+---
+
+## 1. The Three Proven Patterns
+
+### Pattern 1: Pre-Execution Gate
+
+Definition:
+- halt before execution
+- show the proposed action to the human
+- require explicit approval or denial
+
+Best for:
+- destructive actions
+- irreversible side effects
+- crisis interventions
+- actions that affect another human's safety, money, infrastructure, or private data
+
+Strengths:
+- strongest safety guarantee
+- simplest audit story
+- prevents the most catastrophic failure mode: acting first and apologizing later
+
+Weaknesses:
+- adds latency
+- creates operator burden if overused
+- should not be applied to every ordinary tool call
+
+### Pattern 2: Post-Execution Review
+
+Definition:
+- execute first
+- expose result to human
+- allow rollback or follow-up correction
+
+Best for:
+- reversible operations
+- low-risk actions with fast recovery
+- tasks where human review matters but immediate execution is acceptable
+
+Strengths:
+- low friction
+- fast iteration
+- useful when rollback is practical
+
+Weaknesses:
+- unsafe for crisis or destructive actions
+- only works when rollback actually exists
+- a poor fit for external communication or life-safety contexts
+
+### Pattern 3: Confidence Threshold
+
+Definition:
+- compute a risk/confidence score before execution
+- auto-execute high-confidence safe actions
+- request confirmation for lower-confidence or higher-risk actions
+
+Best for:
+- mixed-risk tool ecosystems
+- day-to-day operations where always-confirm would be too expensive
+- systems with a large volume of ordinary, safe reads and edits
+
+Strengths:
+- best balance of speed and safety
+- scales across many tool types
+- allows targeted human attention where it matters most
+
+Weaknesses:
+- depends on a good scoring model
+- weak scoring creates false negatives or unnecessary prompts
+- must remain inspectable and debuggable
+
+---
+
+## 2. What Hermes Already Has
+
+## 2.1 Existing Pre-Execution Gate for Dangerous Terminal Commands
+
+`tools/approval.py` already implements a real pre-execution confirmation path for dangerous shell commands.
+
+Observed components:
+- `DANGEROUS_PATTERNS`
+- `detect_dangerous_command()`
+- `prompt_dangerous_approval()`
+- `check_dangerous_command()`
+- gateway queueing and resolution support in the same module
+
+This is already Pattern 1.
+
+Current behavior:
+- dangerous terminal commands are detected before execution
+- the user can allow once / session / always / deny
+- gateway sessions can block until approval resolves
+
+This is a strong foundation, but it is limited to a subset of terminal commands.
+
+## 2.2 Partial Confidence Threshold via Smart Approvals
+
+Hermes also already has a partial Pattern 3.
+
+Observed component:
+- `_smart_approve()` in `tools/approval.py`
+
+Current behavior:
+- only runs **after** a command has already been flagged by dangerous-pattern detection
+- uses the auxiliary LLM to decide:
+  - approve
+  - deny
+  - escalate
+
+This means Hermes has a confidence-threshold mechanism, but only for **already-flagged dangerous terminal commands**.
+
+What it does not yet do:
+- score all tool calls
+- classify non-terminal tools
+- distinguish crisis interventions from normal ops
+- produce a shared risk model across the tool surface
+
+## 2.3 Blocking Approval UX in Gateway
+
+`gateway/run.py` already routes `/approve` and `/deny` into the blocking approval path.
+
+This means the infrastructure for a true human confirmation firewall already exists in messaging contexts.
+
+That is important because the missing work is not "invent human approval from zero."
+The missing work is:
+- expand the scope from dangerous shell commands to **all tool calls that matter**
+- make the routing policy explicit and inspectable
+
+---
+
+## 3. What Hermes Still Lacks
+
+## 3.1 No Universal Tool-Call Risk Assessment
+
+The current approval system is command-pattern-centric.
+It is not yet a tool-call firewall.
+
+Missing capability:
+- before dispatch, every tool call should receive a structured assessment:
+  - tool name
+  - side-effect class
+  - reversibility
+  - human-impact potential
+  - crisis relevance
+  - confidence score
+  - recommended confirmation pattern
+
+Natural insertion point:
+- `model_tools.handle_function_call()`
+
+That function already sits at the central dispatch boundary.
+It is the right place to add a pre-dispatch classifier.
+
+## 3.2 No Hard Crisis Gate for Outbound Intervention
+
+Issue #878 explicitly recommends:
+- Pattern 1 for crisis interventions
+- never auto-respond to suicidal content
+
+That recommendation is not yet codified as a global firewall rule.
+
+Missing rule:
+- if a tool call would directly intervene in a crisis context or send outward guidance in response to suicidal content, it must require explicit human confirmation before execution
+
+Examples that should hard-gate:
+- outbound `send_message` content aimed at a suicidal user
+- any future tool that places calls, escalates emergencies, or contacts third parties about a crisis
+- any autonomous action that claims a person should or should not take a life-safety step
+
+## 3.3 No First-Class Post-Execution Review Policy
+
+Hermes has approval and denial, but it does not yet have a formal policy for when Pattern 2 is acceptable.
+
+Without a policy, post-execution review tends to get used implicitly rather than intentionally.
+
+That is risky.
+
+Hermes should define Pattern 2 narrowly:
+- only for actions that are both low-risk and reversible
+- only when the system can show the human exactly what happened
+- never for crisis, finance, destructive config, or sensitive comms
+
+---
+
+## 4. Recommended Architecture for Hermes
+
+## 4.1 Add a Tool-Call Assessment Layer
+
+Add a pre-dispatch assessment object for every tool call.
+
+Suggested shape:
+
+```python
+@dataclass
+class ToolCallAssessment:
+    tool_name: str
+    risk_score: float          # 0.0 to 1.0
+    confidence: float          # confidence in the assessment itself
+    pattern: str               # pre_execution_gate | post_execution_review | confidence_threshold
+    requires_human: bool
+    reasons: list[str]
+    reversible: bool
+    crisis_sensitive: bool
+```
+
+Suggested execution point:
+- inside `model_tools.handle_function_call()` before `orchestrator.dispatch()`
+
+Why here:
+- one place covers all tools
+- one place can emit traces
+- one place can remain model-agnostic
+- one place lets plugins observe or override the assessment
+
+## 4.2 Classify Tool Calls by Side-Effect Class
+
+Suggested first-pass taxonomy:
+
+### A. Read-only
+Examples:
+- `read_file`
+- `search_files`
+- `browser_snapshot`
+- `browser_console` read-only inspection
+
+Pattern:
+- confidence threshold
+- almost always auto-execute
+- human confirmation normally unnecessary
+
+### B. Local reversible edits
+Examples:
+- `patch`
+- `write_file`
+- `todo`
+
+Pattern:
+- confidence threshold
+- human confirmation only when risk score rises because of path sensitivity or scope breadth
+
+### C. External side effects
+Examples:
+- `send_message`
+- `cronjob`
+- `delegate_task`
+- smart-home actuation tools
+
+Pattern:
+- confidence threshold by default
+- pre-execution gate when score exceeds threshold or when context is sensitive
+
+### D. Critical / destructive / crisis-sensitive
+Examples:
+- dangerous `terminal`
+- financial actions
+- deletion / kill / restart / deployment in sensitive paths
+- outbound crisis intervention
+
+Pattern:
+- pre-execution gate
+- never auto-execute on confidence alone
+
+## 4.3 Crisis Override Rule
+
+Add a hard override:
+
+```text
+If tool call is crisis-sensitive AND outbound or irreversible:
+    requires_human = True
+    pattern = pre_execution_gate
+```
+
+This is the most important rule in the issue.
+
+The model may draft the message.
+The human must confirm before the system sends it.
+
+## 4.4 Use Confidence Threshold for Normal Ops
+
+For non-crisis operations, use Pattern 3.
+
+Suggested logic:
+- low risk + high assessment confidence -> auto-execute
+- medium risk or medium confidence -> ask human
+- high risk -> always ask human
+
+Key point:
+- confidence is not just "how sure the LLM is"
+- confidence should combine:
+  - tool type certainty
+  - argument clarity
+  - path sensitivity
+  - external side effects
+  - crisis indicators
+
+---
+
+## 5. Recommended Initial Scoring Factors
+
+A simple initial scorer is enough.
+It does not need to be fancy.
+
+Suggested factors:
+
+### 5.1 Tool class risk
+- read-only tools: very low base risk
+- local mutation tools: moderate base risk
+- external communication / automation tools: higher base risk
+- shell execution: variable, often high
+
+### 5.2 Target sensitivity
+Examples:
+- `/tmp` or local scratch paths -> lower
+- repo files under git -> medium
+- system config, credentials, secrets, gateway lifecycle -> high
+- human-facing channels -> high if message content is sensitive
+
+### 5.3 Reversibility
+- reversible -> lower
+- difficult but possible to undo -> medium
+- practically irreversible -> high
+
+### 5.4 Human-impact content
+- no direct human impact -> low
+- administrative impact -> medium
+- crisis / safety / emotional intervention -> critical
+
+### 5.5 Context certainty
+- arguments are explicit and narrow -> higher confidence
+- arguments are vague, inferred, or broad -> lower confidence
+
+---
+
+## 6. Implementation Plan
+
+## Phase 1: Assessment Without Behavior Change
+
+Goal:
+- score all tool calls
+- log assessment decisions
+- emit traces for review
+- do not yet block new tool categories
+
+Files to touch:
+- `tools/approval.py`
+- `model_tools.py`
+- tests for assessment coverage
+
+Output:
+- risk/confidence trace for every tool call
+- pattern recommendation for every tool call
+
+Why first:
+- lets us calibrate before changing runtime behavior
+- avoids breaking existing workflows blindly
+
+## Phase 2: Hard-Gate Crisis-Sensitive Outbound Actions
+
+Goal:
+- enforce Pattern 1 for crisis interventions
+
+Likely surfaces:
+- `send_message`
+- any future telephony / call / escalation tools
+- other tools with direct human intervention side effects
+
+Rule:
+- never auto-send crisis intervention content without human confirmation
+
+## Phase 3: General Confidence Threshold for Normal Ops
+
+Goal:
+- apply Pattern 3 to all tool calls
+- auto-run clearly safe actions
+- escalate ambiguous or medium-risk actions
+
+Likely thresholds:
+- score < 0.25 -> auto
+- 0.25 to 0.60 -> confirm if confidence is weak
+- > 0.60 -> confirm
+- crisis-sensitive -> always confirm
+
+## Phase 4: Optional Post-Execution Review Lane
+
+Goal:
+- allow Pattern 2 only for explicitly reversible operations
+
+Examples:
+- maybe low-risk messaging drafts saved locally
+- maybe reversible UI actions in specific environments
+
+Important:
+- this phase is optional
+- Hermes should not rely on Pattern 2 for safety-critical flows
+
+---
+
+## 7. Verification Criteria for the Future Implementation
+
+The eventual implementation should prove all of the following:
+
+1. every tool call receives a scored assessment before dispatch
+2. crisis-sensitive outbound actions always require human confirmation
+3. dangerous terminal commands still preserve their current pre-execution gate
+4. clearly safe read-only tool calls are not slowed by unnecessary prompts
+5. assessment traces can be inspected after a run
+6. approval decisions remain session-safe across CLI and gateway contexts
+
+---
+
+## 8. Concrete Recommendations
+
+### Recommendation 1
+Do **not** replace the current dangerous-command approval path.
+Generalize above it.
+
+Why:
+- existing terminal Pattern 1 already works
+- this is the strongest piece of the current firewall
+
+### Recommendation 2
+Add a universal scorer in `model_tools.handle_function_call()`.
+
+Why:
+- that is the first point where Hermes knows the tool name and structured arguments
+- it is the cleanest place to classify all tool calls uniformly
+
+### Recommendation 3
+Treat crisis-sensitive outbound intervention as a separate safety class.
+
+Why:
+- issue #878 explicitly calls for Pattern 1 here
+- this matches Timmy's SOUL-level safety requirements
+
+### Recommendation 4
+Ship scoring traces before enforcement expansion.
+
+Why:
+- you cannot tune thresholds you cannot inspect
+- false positives will otherwise frustrate normal usage
+
+### Recommendation 5
+Use Pattern 3 as the default policy for normal operations.
+
+Why:
+- full manual confirmation on every tool call is too expensive
+- full autonomy is too risky
+- Pattern 3 is the practical middle ground
+
+---
+
+## 9. Bottom Line
+
+Hermes should implement a **two-track human confirmation firewall**:
+
+1. **Pattern 1: Pre-Execution Gate**
+   - crisis interventions
+   - destructive terminal actions
+   - irreversible or safety-critical tool calls
+
+2. **Pattern 3: Confidence Threshold**
+   - all ordinary tool calls
+   - driven by a universal tool-call assessment layer
+   - integrated at the central dispatch boundary
+
+Pattern 2 should remain optional and narrow.
+It is not the primary answer for Hermes.
+
+The repo already contains the beginnings of this system.
+The next step is not new theory.
+It is to turn the existing approval path into a true **tool-call-wide human confirmation firewall**.
+
+---
+
+## References
+
+- Issue #878 — Human Confirmation Firewall Implementation Patterns
+- Issue #659 — Critical Research Tasks
+- `tools/approval.py` — current dangerous-command approval flow and smart approvals
+- `model_tools.py` — central tool dispatch boundary
+- `gateway/run.py` — blocking approval handling for messaging sessions

tests/plugins/memory/test_holographic_observations.py

@@ -1,96 +0,0 @@
-import json
-
-import pytest
-
-from plugins.memory.holographic import HolographicMemoryProvider
-from plugins.memory.holographic.store import MemoryStore
-
-
-@pytest.fixture()
-def store(tmp_path):
-    db_path = tmp_path / "memory.db"
-    s = MemoryStore(db_path=str(db_path), default_trust=0.5)
-    yield s
-    s.close()
-
-
-@pytest.fixture()
-def provider(tmp_path):
-    p = HolographicMemoryProvider(
-        config={
-            "db_path": str(tmp_path / "memory.db"),
-            "default_trust": 0.5,
-        }
-    )
-    p.initialize(session_id="test-session")
-    yield p
-    if p._store:
-        p._store.close()
-
-
-class TestObservationSynthesis:
-    def test_observe_action_persists_observation_with_evidence_links(self, provider):
-        fact_ids = [
-            provider._store.add_fact('User prefers concise status updates', category='user_pref'),
-            provider._store.add_fact('User wants result-only replies with no fluff', category='user_pref'),
-        ]
-
-        result = json.loads(
-            provider.handle_tool_call(
-                'fact_store',
-                {
-                    'action': 'observe',
-                    'query': 'What communication style does the user prefer?',
-                    'limit': 5,
-                },
-            )
-        )
-
-        assert result['count'] == 1
-        observation = result['observations'][0]
-        assert observation['observation_type'] == 'recurring_preference'
-        assert observation['confidence'] >= 0.6
-        assert sorted(item['fact_id'] for item in observation['evidence']) == sorted(fact_ids)
-
-        stored = provider._store.list_observations(limit=10)
-        assert len(stored) == 1
-        assert stored[0]['observation_type'] == 'recurring_preference'
-        assert stored[0]['evidence_count'] == 2
-        assert len(provider._store.list_facts(limit=10)) == 2
-
-    def test_observe_action_synthesizes_three_observation_types(self, provider):
-        provider._store.add_fact('User prefers concise updates', category='user_pref')
-        provider._store.add_fact('User wants result-only communication', category='user_pref')
-        provider._store.add_fact('Project is moving to a local-first deployment model', category='project')
-        provider._store.add_fact('Project direction stays Gitea-first for issue and PR flow', category='project')
-        provider._store.add_fact('Operator always commits early before moving on', category='general')
-        provider._store.add_fact('Operator pushes a PR immediately after each meaningful fix', category='general')
-
-        result = json.loads(provider.handle_tool_call('fact_store', {'action': 'observe', 'limit': 10}))
-        types = {item['observation_type'] for item in result['observations']}
-
-        assert {'recurring_preference', 'stable_direction', 'behavioral_pattern'} <= types
-
-    def test_single_fact_does_not_create_overconfident_observation(self, provider):
-        provider._store.add_fact('User prefers concise updates', category='user_pref')
-
-        result = json.loads(
-            provider.handle_tool_call(
-                'fact_store',
-                {'action': 'observe', 'query': 'What does the user prefer?', 'limit': 5},
-            )
-        )
-
-        assert result['count'] == 0
-        assert provider._store.list_observations(limit=10) == []
-
-    def test_prefetch_surfaces_observations_as_separate_layer(self, provider):
-        provider._store.add_fact('User prefers concise updates', category='user_pref')
-        provider._store.add_fact('User wants result-only communication', category='user_pref')
-
-        prefetch = provider.prefetch('What communication style does the user prefer?')
-
-        assert '## Holographic Observations' in prefetch
-        assert '## Holographic Memory' in prefetch
-        assert 'recurring_preference' in prefetch
-        assert 'evidence' in prefetch.lower()