feat(memory): add grounded observation synthesis layer

plugins/memory/holographic/__init__.py

@@ -26,6 +26,7 @@ from agent.memory_provider import MemoryProvider
 from tools.registry import tool_error
 from .store import MemoryStore
 from .retrieval import FactRetriever
+from .observations import ObservationSynthesizer
 
 logger = logging.getLogger(__name__)
 
@@ -37,28 +38,29 @@ logger = logging.getLogger(__name__)
 FACT_STORE_SCHEMA = {
     "name": "fact_store",
     "description": (
-        "Deep structured memory with algebraic reasoning. "
+        "Deep structured memory with algebraic reasoning and grounded observation synthesis. "
         "Use alongside the memory tool — memory for always-on context, "
-        "fact_store for deep recall and compositional queries.\n\n"
+        "fact_store for deep recall, compositional queries, and higher-order observations.\n\n"
         "ACTIONS (simple → powerful):\n"
         "• add — Store a fact the user would expect you to remember.\n"
         "• search — Keyword lookup ('editor config', 'deploy process').\n"
         "• probe — Entity recall: ALL facts about a person/thing.\n"
         "• related — What connects to an entity? Structural adjacency.\n"
         "• reason — Compositional: facts connected to MULTIPLE entities simultaneously.\n"
+        "• observe — Synthesized higher-order observations backed by supporting facts.\n"
         "• contradict — Memory hygiene: find facts making conflicting claims.\n"
         "• update/remove/list — CRUD operations.\n\n"
-        "IMPORTANT: Before answering questions about the user, ALWAYS probe or reason first."
+        "IMPORTANT: Before answering questions about the user, ALWAYS probe/reason/observe first."
     ),
     "parameters": {
         "type": "object",
         "properties": {
             "action": {
                 "type": "string",
-                "enum": ["add", "search", "probe", "related", "reason", "contradict", "update", "remove", "list"],
+                "enum": ["add", "search", "probe", "related", "reason", "observe", "contradict", "update", "remove", "list"],
             },
             "content": {"type": "string", "description": "Fact content (required for 'add')."},
-            "query": {"type": "string", "description": "Search query (required for 'search')."},
+            "query": {"type": "string", "description": "Search query (required for 'search'/'observe')."},
             "entity": {"type": "string", "description": "Entity name for 'probe'/'related'."},
             "entities": {"type": "array", "items": {"type": "string"}, "description": "Entity names for 'reason'."},
             "fact_id": {"type": "integer", "description": "Fact ID for 'update'/'remove'."},
@@ -66,6 +68,12 @@ FACT_STORE_SCHEMA = {
             "tags": {"type": "string", "description": "Comma-separated tags."},
             "trust_delta": {"type": "number", "description": "Trust adjustment for 'update'."},
             "min_trust": {"type": "number", "description": "Minimum trust filter (default: 0.3)."},
+            "min_confidence": {"type": "number", "description": "Minimum observation confidence (default: 0.6)."},
+            "observation_type": {
+                "type": "string",
+                "enum": ["recurring_preference", "stable_direction", "behavioral_pattern"],
+                "description": "Optional observation type filter for 'observe'.",
+            },
             "limit": {"type": "integer", "description": "Max results (default: 10)."},
         },
         "required": ["action"],
@@ -118,7 +126,9 @@ class HolographicMemoryProvider(MemoryProvider):
         self._config = config or _load_plugin_config()
         self._store = None
         self._retriever = None
+        self._observation_synth = None
         self._min_trust = float(self._config.get("min_trust_threshold", 0.3))
+        self._observation_min_confidence = float(self._config.get("observation_min_confidence", 0.6))
 
     @property
     def name(self) -> str:
@@ -177,6 +187,7 @@ class HolographicMemoryProvider(MemoryProvider):
             hrr_weight=hrr_weight,
             hrr_dim=hrr_dim,
         )
+        self._observation_synth = ObservationSynthesizer(self._store)
         self._session_id = session_id
 
     def system_prompt_block(self) -> str:
@@ -193,30 +204,76 @@ class HolographicMemoryProvider(MemoryProvider):
                 "# Holographic Memory\n"
                 "Active. Empty fact store — proactively add facts the user would expect you to remember.\n"
                 "Use fact_store(action='add') to store durable structured facts about people, projects, preferences, decisions.\n"
+                "Use fact_store(action='observe') to synthesize higher-order observations with evidence.\n"
                 "Use fact_feedback to rate facts after using them (trains trust scores)."
             )
         return (
             f"# Holographic Memory\n"
             f"Active. {total} facts stored with entity resolution and trust scoring.\n"
-            f"Use fact_store to search, probe entities, reason across entities, or add facts.\n"
+            f"Use fact_store to search, probe entities, reason across entities, or synthesize observations.\n"
             f"Use fact_feedback to rate facts after using them (trains trust scores)."
         )
 
     def prefetch(self, query: str, *, session_id: str = "") -> str:
-        if not self._retriever or not query:
+        if not query:
             return ""
+
+        parts = []
+        raw_results = []
         try:
-            results = self._retriever.search(query, min_trust=self._min_trust, limit=5)
-            if not results:
-                return ""
+            if self._retriever:
+                raw_results = self._retriever.search(query, min_trust=self._min_trust, limit=5)
+        except Exception as e:
+            logger.debug("Holographic prefetch fact search failed: %s", e)
+            raw_results = []
+
+        observations = []
+        try:
+            if self._observation_synth:
+                observations = self._observation_synth.observe(
+                    query,
+                    min_confidence=self._observation_min_confidence,
+                    limit=3,
+                    refresh=True,
+                )
+        except Exception as e:
+            logger.debug("Holographic prefetch observation search failed: %s", e)
+            observations = []
+
+        if not raw_results and observations:
+            seen_fact_ids = set()
+            evidence_backfill = []
+            for observation in observations:
+                for evidence in observation.get("evidence", []):
+                    fact_id = evidence.get("fact_id")
+                    if fact_id in seen_fact_ids:
+                        continue
+                    seen_fact_ids.add(fact_id)
+                    evidence_backfill.append(evidence)
+            raw_results = evidence_backfill[:5]
+
+        if raw_results:
             lines = []
-            for r in results:
+            for r in raw_results:
                 trust = r.get("trust_score", r.get("trust", 0))
                 lines.append(f"- [{trust:.1f}] {r.get('content', '')}")
-            return "## Holographic Memory\n" + "\n".join(lines)
-        except Exception as e:
-            logger.debug("Holographic prefetch failed: %s", e)
-            return ""
+            parts.append("## Holographic Memory\n" + "\n".join(lines))
+
+        if observations:
+            lines = []
+            for observation in observations:
+                evidence_ids = ", ".join(
+                    f"#{item['fact_id']}" for item in observation.get("evidence", [])[:3]
+                ) or "none"
+                lines.append(
+                    f"- [{observation.get('confidence', 0.0):.2f}] "
+                    f"{observation.get('observation_type', 'observation')}: "
+                    f"{observation.get('summary', '')} "
+                    f"(evidence: {evidence_ids})"
+                )
+            parts.append("## Holographic Observations\n" + "\n".join(lines))
+
+        return "\n\n".join(parts)
 
     def sync_turn(self, user_content: str, assistant_content: str, *, session_id: str = "") -> None:
         # Holographic memory stores explicit facts via tools, not auto-sync.
@@ -252,6 +309,7 @@ class HolographicMemoryProvider(MemoryProvider):
     def shutdown(self) -> None:
         self._store = None
         self._retriever = None
+        self._observation_synth = None
 
     # -- Tool handlers -------------------------------------------------------
 
@@ -305,6 +363,19 @@ class HolographicMemoryProvider(MemoryProvider):
                 )
                 return json.dumps({"results": results, "count": len(results)})
 
+            elif action == "observe":
+                synthesizer = self._observation_synth
+                if not synthesizer:
+                    return tool_error("Observation synthesizer is not initialized")
+                observations = synthesizer.observe(
+                    args.get("query", ""),
+                    observation_type=args.get("observation_type"),
+                    min_confidence=float(args.get("min_confidence", self._observation_min_confidence)),
+                    limit=int(args.get("limit", 10)),
+                    refresh=True,
+                )
+                return json.dumps({"observations": observations, "count": len(observations)})
+
             elif action == "contradict":
                 results = retriever.contradict(
                     category=args.get("category"),

plugins/memory/holographic/observations.py

@@ -0,0 +1,249 @@
+"""Higher-order observation synthesis for holographic memory.
+
+Builds grounded observations from accumulated facts and keeps them in a
+separate retrieval layer with explicit evidence links back to supporting facts.
+"""
+
+from __future__ import annotations
+
+import re
+from typing import Any
+
+from .store import MemoryStore
+
+_TOKEN_RE = re.compile(r"[a-z0-9_]+")
+_HIGHER_ORDER_CUES = {
+    "prefer",
+    "preference",
+    "preferences",
+    "style",
+    "pattern",
+    "patterns",
+    "behavior",
+    "behaviour",
+    "habit",
+    "habits",
+    "workflow",
+    "direction",
+    "trajectory",
+    "strategy",
+    "tend",
+    "usually",
+}
+
+_OBSERVATION_PATTERNS = [
+    {
+        "observation_type": "recurring_preference",
+        "subject": "communication_style",
+        "categories": {"user_pref", "general"},
+        "labels": {
+            "concise": ["concise", "terse", "brief", "short", "no fluff"],
+            "result_first": ["result-only", "result only", "outcome only", "quick", "quickly"],
+            "silent_ops": ["silent", "no status", "no repetitive status", "no questions"],
+        },
+        "summary_prefix": "Recurring preference",
+    },
+    {
+        "observation_type": "stable_direction",
+        "subject": "project_direction",
+        "categories": {"project", "general", "tool"},
+        "labels": {
+            "local_first": ["local-first", "local first", "local-only", "local only", "ollama", "own hardware"],
+            "gitea_first": ["gitea-first", "gitea first", "forge", "pull request", "pr flow", "issue flow"],
+            "ansible": ["ansible", "playbook", "role", "deploy via ansible"],
+        },
+        "summary_prefix": "Stable direction",
+    },
+    {
+        "observation_type": "behavioral_pattern",
+        "subject": "operator_workflow",
+        "categories": {"general", "project", "tool", "user_pref"},
+        "labels": {
+            "commit_early": ["commit early", "commits early", "commit after", "wip commit"],
+            "pr_first": ["open pr", "push a pr", "pull request", "pr immediately", "create pr"],
+            "dedup_guard": ["no dupes", "no duplicates", "avoid duplicate", "existing pr"],
+        },
+        "summary_prefix": "Behavioral pattern",
+    },
+]
+
+_TYPE_QUERY_HINTS = {
+    "recurring_preference": {"prefer", "preference", "style", "communication", "likes", "wants"},
+    "stable_direction": {"direction", "trajectory", "strategy", "project", "roadmap", "moving"},
+    "behavioral_pattern": {"pattern", "behavior", "workflow", "habit", "operator", "agent", "usually"},
+}
+
+
+class ObservationSynthesizer:
+    """Synthesizes grounded observations from facts and retrieves them by query."""
+
+    def __init__(self, store: MemoryStore):
+        self.store = store
+
+    def synthesize(
+        self,
+        *,
+        persist: bool = True,
+        min_confidence: float = 0.6,
+        limit: int = 10,
+    ) -> list[dict[str, Any]]:
+        facts = self.store.list_facts(min_trust=0.0, limit=1000)
+        observations: list[dict[str, Any]] = []
+
+        for pattern in _OBSERVATION_PATTERNS:
+            candidate = self._build_candidate(pattern, facts, min_confidence=min_confidence)
+            if not candidate:
+                continue
+
+            if persist:
+                candidate["observation_id"] = self.store.upsert_observation(
+                    candidate["observation_type"],
+                    candidate["subject"],
+                    candidate["summary"],
+                    candidate["confidence"],
+                    candidate["evidence_fact_ids"],
+                    metadata=candidate["metadata"],
+                )
+
+            candidate["evidence"] = self._expand_evidence(candidate["evidence_fact_ids"])
+            candidate["evidence_count"] = len(candidate["evidence"])
+            candidate.pop("evidence_fact_ids", None)
+            observations.append(candidate)
+
+        observations.sort(
+            key=lambda item: (item["confidence"], item.get("evidence_count", 0)),
+            reverse=True,
+        )
+        return observations[:limit]
+
+    def observe(
+        self,
+        query: str = "",
+        *,
+        observation_type: str | None = None,
+        min_confidence: float = 0.6,
+        limit: int = 10,
+        refresh: bool = True,
+    ) -> list[dict[str, Any]]:
+        if refresh:
+            self.synthesize(persist=True, min_confidence=min_confidence, limit=limit)
+
+        observations = self.store.list_observations(
+            observation_type=observation_type,
+            min_confidence=min_confidence,
+            limit=max(limit * 4, 20),
+        )
+        if not observations:
+            return []
+
+        if not query:
+            return observations[:limit]
+
+        query_tokens = self._tokenize(query)
+        is_higher_order = bool(query_tokens & _HIGHER_ORDER_CUES)
+        ranked: list[dict[str, Any]] = []
+
+        for item in observations:
+            searchable = " ".join(
+                [
+                    item.get("summary", ""),
+                    item.get("subject", ""),
+                    item.get("observation_type", ""),
+                    " ".join(item.get("metadata", {}).get("labels", [])),
+                ]
+            )
+            overlap = self._overlap_score(query_tokens, self._tokenize(searchable))
+            type_bonus = self._type_bonus(query_tokens, item.get("observation_type", ""))
+            if overlap <= 0 and type_bonus <= 0 and not is_higher_order:
+                continue
+            ranked_item = dict(item)
+            ranked_item["score"] = round(item.get("confidence", 0.0) + overlap + type_bonus, 3)
+            ranked.append(ranked_item)
+
+        if not ranked and is_higher_order:
+            ranked = [
+                {**item, "score": round(float(item.get("confidence", 0.0)), 3)}
+                for item in observations
+            ]
+
+        ranked.sort(
+            key=lambda item: (item.get("score", 0.0), item.get("confidence", 0.0), item.get("evidence_count", 0)),
+            reverse=True,
+        )
+        return ranked[:limit]
+
+    def _build_candidate(
+        self,
+        pattern: dict[str, Any],
+        facts: list[dict[str, Any]],
+        *,
+        min_confidence: float,
+    ) -> dict[str, Any] | None:
+        matched_fact_ids: set[int] = set()
+        matched_labels: dict[str, set[int]] = {label: set() for label in pattern["labels"]}
+
+        for fact in facts:
+            if fact.get("category") not in pattern["categories"]:
+                continue
+            haystack = f"{fact.get('content', '')} {fact.get('tags', '')}".lower()
+            local_match = False
+            for label, keywords in pattern["labels"].items():
+                if any(keyword in haystack for keyword in keywords):
+                    matched_labels[label].add(int(fact["fact_id"]))
+                    local_match = True
+            if local_match:
+                matched_fact_ids.add(int(fact["fact_id"]))
+
+        if len(matched_fact_ids) < 2:
+            return None
+
+        active_labels = sorted(label for label, ids in matched_labels.items() if ids)
+        confidence = min(0.95, 0.35 + 0.12 * len(matched_fact_ids) + 0.08 * len(active_labels))
+        confidence = round(confidence, 3)
+        if confidence < min_confidence:
+            return None
+
+        label_summary = ", ".join(label.replace("_", "-") for label in active_labels)
+        subject_text = pattern["subject"].replace("_", " ")
+        summary = (
+            f"{pattern['summary_prefix']}: {subject_text} trends toward {label_summary} "
+            f"based on {len(matched_fact_ids)} supporting facts."
+        )
+        return {
+            "observation_type": pattern["observation_type"],
+            "subject": pattern["subject"],
+            "summary": summary,
+            "confidence": confidence,
+            "metadata": {
+                "labels": active_labels,
+                "evidence_count": len(matched_fact_ids),
+            },
+            "evidence_fact_ids": sorted(matched_fact_ids),
+        }
+
+    def _expand_evidence(self, fact_ids: list[int]) -> list[dict[str, Any]]:
+        facts_by_id = {
+            fact["fact_id"]: fact
+            for fact in self.store.list_facts(min_trust=0.0, limit=1000)
+        }
+        return [facts_by_id[fact_id] for fact_id in fact_ids if fact_id in facts_by_id]
+
+    @staticmethod
+    def _tokenize(text: str) -> set[str]:
+        return set(_TOKEN_RE.findall(text.lower()))
+
+    @staticmethod
+    def _overlap_score(query_tokens: set[str], text_tokens: set[str]) -> float:
+        if not query_tokens or not text_tokens:
+            return 0.0
+        overlap = query_tokens & text_tokens
+        if not overlap:
+            return 0.0
+        return round(len(overlap) / max(len(query_tokens), 1), 3)
+
+    @staticmethod
+    def _type_bonus(query_tokens: set[str], observation_type: str) -> float:
+        hints = _TYPE_QUERY_HINTS.get(observation_type, set())
+        if not hints:
+            return 0.0
+        return 0.25 if query_tokens & hints else 0.0

plugins/memory/holographic/store.py

@@ -3,6 +3,7 @@ SQLite-backed fact store with entity resolution and trust scoring.
 Single-user Hermes memory store plugin.
 """
 
+import json
 import re
 import sqlite3
 import threading
@@ -73,6 +74,28 @@ CREATE TABLE IF NOT EXISTS memory_banks (
     fact_count INTEGER DEFAULT 0,
     updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
 );
+
+CREATE TABLE IF NOT EXISTS observations (
+    observation_id   INTEGER PRIMARY KEY AUTOINCREMENT,
+    observation_type TEXT NOT NULL,
+    subject          TEXT NOT NULL,
+    summary          TEXT NOT NULL,
+    confidence       REAL DEFAULT 0.0,
+    metadata_json    TEXT DEFAULT '{}',
+    created_at       TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+    updated_at       TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+    UNIQUE(observation_type, subject)
+);
+
+CREATE TABLE IF NOT EXISTS observation_evidence (
+    observation_id INTEGER REFERENCES observations(observation_id) ON DELETE CASCADE,
+    fact_id        INTEGER REFERENCES facts(fact_id) ON DELETE CASCADE,
+    evidence_weight REAL DEFAULT 1.0,
+    PRIMARY KEY (observation_id, fact_id)
+);
+
+CREATE INDEX IF NOT EXISTS idx_observations_type ON observations(observation_type);
+CREATE INDEX IF NOT EXISTS idx_observations_confidence ON observations(confidence DESC);
 """
 
 # Trust adjustment constants
@@ -128,6 +151,7 @@ class MemoryStore:
     def _init_db(self) -> None:
         """Create tables, indexes, and triggers if they do not exist. Enable WAL mode."""
         self._conn.execute("PRAGMA journal_mode=WAL")
+        self._conn.execute("PRAGMA foreign_keys=ON")
         self._conn.executescript(_SCHEMA)
         # Migrate: add hrr_vector column if missing (safe for existing databases)
         columns = {row[1] for row in self._conn.execute("PRAGMA table_info(facts)").fetchall()}
@@ -346,6 +370,115 @@ class MemoryStore:
             rows = self._conn.execute(sql, params).fetchall()
             return [self._row_to_dict(r) for r in rows]
 
+    def upsert_observation(
+        self,
+        observation_type: str,
+        subject: str,
+        summary: str,
+        confidence: float,
+        evidence_fact_ids: list[int],
+        metadata: dict | None = None,
+    ) -> int:
+        """Create or update a synthesized observation and its evidence links."""
+        with self._lock:
+            metadata_json = json.dumps(metadata or {}, sort_keys=True)
+            self._conn.execute(
+                """
+                INSERT INTO observations (
+                    observation_type, subject, summary, confidence, metadata_json
+                )
+                VALUES (?, ?, ?, ?, ?)
+                ON CONFLICT(observation_type, subject) DO UPDATE SET
+                    summary = excluded.summary,
+                    confidence = excluded.confidence,
+                    metadata_json = excluded.metadata_json,
+                    updated_at = CURRENT_TIMESTAMP
+                """,
+                (observation_type, subject, summary, confidence, metadata_json),
+            )
+            row = self._conn.execute(
+                """
+                SELECT observation_id
+                FROM observations
+                WHERE observation_type = ? AND subject = ?
+                """,
+                (observation_type, subject),
+            ).fetchone()
+            observation_id = int(row["observation_id"])
+
+            self._conn.execute(
+                "DELETE FROM observation_evidence WHERE observation_id = ?",
+                (observation_id,),
+            )
+            unique_fact_ids = sorted({int(fid) for fid in evidence_fact_ids})
+            if unique_fact_ids:
+                self._conn.executemany(
+                    """
+                    INSERT OR IGNORE INTO observation_evidence (observation_id, fact_id)
+                    VALUES (?, ?)
+                    """,
+                    [(observation_id, fact_id) for fact_id in unique_fact_ids],
+                )
+            self._conn.commit()
+            return observation_id
+
+    def list_observations(
+        self,
+        observation_type: str | None = None,
+        min_confidence: float = 0.0,
+        limit: int = 50,
+    ) -> list[dict]:
+        """List synthesized observations with expanded supporting evidence."""
+        with self._lock:
+            params: list = [min_confidence]
+            observation_clause = ""
+            if observation_type is not None:
+                observation_clause = "AND observation_type = ?"
+                params.append(observation_type)
+            params.append(limit)
+            rows = self._conn.execute(
+                f"""
+                SELECT observation_id, observation_type, subject, summary, confidence,
+                       metadata_json, created_at, updated_at,
+                       (
+                           SELECT COUNT(*)
+                           FROM observation_evidence oe
+                           WHERE oe.observation_id = observations.observation_id
+                       ) AS evidence_count
+                FROM observations
+                WHERE confidence >= ?
+                  {observation_clause}
+                ORDER BY confidence DESC, updated_at DESC
+                LIMIT ?
+                """,
+                params,
+            ).fetchall()
+
+            results = []
+            for row in rows:
+                item = dict(row)
+                try:
+                    item["metadata"] = json.loads(item.pop("metadata_json") or "{}")
+                except json.JSONDecodeError:
+                    item["metadata"] = {}
+                item["evidence"] = self._get_observation_evidence(int(item["observation_id"]))
+                results.append(item)
+            return results
+
+    def _get_observation_evidence(self, observation_id: int) -> list[dict]:
+        rows = self._conn.execute(
+            """
+            SELECT f.fact_id, f.content, f.category, f.tags, f.trust_score,
+                   f.retrieval_count, f.helpful_count, f.created_at, f.updated_at
+            FROM observation_evidence oe
+            JOIN facts f ON f.fact_id = oe.fact_id
+            WHERE oe.observation_id = ?
+            ORDER BY f.trust_score DESC, f.updated_at DESC
+            """,
+            (observation_id,),
+        ).fetchall()
+        return [self._row_to_dict(row) for row in rows]
+
     def record_feedback(self, fact_id: int, helpful: bool) -> dict:
         """Record user feedback and adjust trust asymmetrically.
 

research_human_confirmation_firewall.md

@@ -1,515 +0,0 @@
-# Human Confirmation Firewall: Research Report
-## Implementation Patterns for Hermes Agent
-
-**Issue:** #878  
-**Parent:** #659  
-**Priority:** P0  
-**Scope:** Human-in-the-loop safety patterns for tool calls, crisis handling, and irreversible actions
-
----
-
-## Executive Summary
-
-Hermes already has a partial human confirmation firewall, but it is narrow.
-
-Current repo state shows:
-- a real **pre-execution gate** for dangerous terminal commands in `tools/approval.py`
-- a partial **confidence-threshold path** via `_smart_approve()` in `tools/approval.py`
-- gateway support for blocking approval resolution in `gateway/run.py`
-
-What is still missing is the core recommendation from this research issue:
-- **confidence scoring on all tool calls**, not just terminal commands that already matched a dangerous regex
-- a **hard pre-execution human gate for crisis interventions**, especially any action that would auto-respond to suicidal content
-- a consistent way to classify actions into:
-  1. pre-execution gate
-  2. post-execution review
-  3. confidence-threshold execution
-
-Recommendation:
-- use **Pattern 1: Pre-Execution Gate** for crisis interventions and irreversible/high-impact actions
-- use **Pattern 3: Confidence Threshold** for normal operations
-- reserve **Pattern 2: Post-Execution Review** only for low-risk and reversible actions
-
-The next implementation step should be a **tool-call risk assessment layer** that runs before dispatch in `model_tools.handle_function_call()`, assigns a score and pattern to every tool call, and routes only the highest-risk calls into mandatory human confirmation.
-
----
-
-## 1. The Three Proven Patterns
-
-### Pattern 1: Pre-Execution Gate
-
-Definition:
-- halt before execution
-- show the proposed action to the human
-- require explicit approval or denial
-
-Best for:
-- destructive actions
-- irreversible side effects
-- crisis interventions
-- actions that affect another human's safety, money, infrastructure, or private data
-
-Strengths:
-- strongest safety guarantee
-- simplest audit story
-- prevents the most catastrophic failure mode: acting first and apologizing later
-
-Weaknesses:
-- adds latency
-- creates operator burden if overused
-- should not be applied to every ordinary tool call
-
-### Pattern 2: Post-Execution Review
-
-Definition:
-- execute first
-- expose result to human
-- allow rollback or follow-up correction
-
-Best for:
-- reversible operations
-- low-risk actions with fast recovery
-- tasks where human review matters but immediate execution is acceptable
-
-Strengths:
-- low friction
-- fast iteration
-- useful when rollback is practical
-
-Weaknesses:
-- unsafe for crisis or destructive actions
-- only works when rollback actually exists
-- a poor fit for external communication or life-safety contexts
-
-### Pattern 3: Confidence Threshold
-
-Definition:
-- compute a risk/confidence score before execution
-- auto-execute high-confidence safe actions
-- request confirmation for lower-confidence or higher-risk actions
-
-Best for:
-- mixed-risk tool ecosystems
-- day-to-day operations where always-confirm would be too expensive
-- systems with a large volume of ordinary, safe reads and edits
-
-Strengths:
-- best balance of speed and safety
-- scales across many tool types
-- allows targeted human attention where it matters most
-
-Weaknesses:
-- depends on a good scoring model
-- weak scoring creates false negatives or unnecessary prompts
-- must remain inspectable and debuggable
-
----
-
-## 2. What Hermes Already Has
-
-## 2.1 Existing Pre-Execution Gate for Dangerous Terminal Commands
-
-`tools/approval.py` already implements a real pre-execution confirmation path for dangerous shell commands.
-
-Observed components:
-- `DANGEROUS_PATTERNS`
-- `detect_dangerous_command()`
-- `prompt_dangerous_approval()`
-- `check_dangerous_command()`
-- gateway queueing and resolution support in the same module
-
-This is already Pattern 1.
-
-Current behavior:
-- dangerous terminal commands are detected before execution
-- the user can allow once / session / always / deny
-- gateway sessions can block until approval resolves
-
-This is a strong foundation, but it is limited to a subset of terminal commands.
-
-## 2.2 Partial Confidence Threshold via Smart Approvals
-
-Hermes also already has a partial Pattern 3.
-
-Observed component:
-- `_smart_approve()` in `tools/approval.py`
-
-Current behavior:
-- only runs **after** a command has already been flagged by dangerous-pattern detection
-- uses the auxiliary LLM to decide:
-  - approve
-  - deny
-  - escalate
-
-This means Hermes has a confidence-threshold mechanism, but only for **already-flagged dangerous terminal commands**.
-
-What it does not yet do:
-- score all tool calls
-- classify non-terminal tools
-- distinguish crisis interventions from normal ops
-- produce a shared risk model across the tool surface
-
-## 2.3 Blocking Approval UX in Gateway
-
-`gateway/run.py` already routes `/approve` and `/deny` into the blocking approval path.
-
-This means the infrastructure for a true human confirmation firewall already exists in messaging contexts.
-
-That is important because the missing work is not "invent human approval from zero."
-The missing work is:
-- expand the scope from dangerous shell commands to **all tool calls that matter**
-- make the routing policy explicit and inspectable
-
----
-
-## 3. What Hermes Still Lacks
-
-## 3.1 No Universal Tool-Call Risk Assessment
-
-The current approval system is command-pattern-centric.
-It is not yet a tool-call firewall.
-
-Missing capability:
-- before dispatch, every tool call should receive a structured assessment:
-  - tool name
-  - side-effect class
-  - reversibility
-  - human-impact potential
-  - crisis relevance
-  - confidence score
-  - recommended confirmation pattern
-
-Natural insertion point:
-- `model_tools.handle_function_call()`
-
-That function already sits at the central dispatch boundary.
-It is the right place to add a pre-dispatch classifier.
-
-## 3.2 No Hard Crisis Gate for Outbound Intervention
-
-Issue #878 explicitly recommends:
-- Pattern 1 for crisis interventions
-- never auto-respond to suicidal content
-
-That recommendation is not yet codified as a global firewall rule.
-
-Missing rule:
-- if a tool call would directly intervene in a crisis context or send outward guidance in response to suicidal content, it must require explicit human confirmation before execution
-
-Examples that should hard-gate:
-- outbound `send_message` content aimed at a suicidal user
-- any future tool that places calls, escalates emergencies, or contacts third parties about a crisis
-- any autonomous action that claims a person should or should not take a life-safety step
-
-## 3.3 No First-Class Post-Execution Review Policy
-
-Hermes has approval and denial, but it does not yet have a formal policy for when Pattern 2 is acceptable.
-
-Without a policy, post-execution review tends to get used implicitly rather than intentionally.
-
-That is risky.
-
-Hermes should define Pattern 2 narrowly:
-- only for actions that are both low-risk and reversible
-- only when the system can show the human exactly what happened
-- never for crisis, finance, destructive config, or sensitive comms
-
----
-
-## 4. Recommended Architecture for Hermes
-
-## 4.1 Add a Tool-Call Assessment Layer
-
-Add a pre-dispatch assessment object for every tool call.
-
-Suggested shape:
-
-```python
-@dataclass
-class ToolCallAssessment:
-    tool_name: str
-    risk_score: float          # 0.0 to 1.0
-    confidence: float          # confidence in the assessment itself
-    pattern: str               # pre_execution_gate | post_execution_review | confidence_threshold
-    requires_human: bool
-    reasons: list[str]
-    reversible: bool
-    crisis_sensitive: bool
-```
-
-Suggested execution point:
-- inside `model_tools.handle_function_call()` before `orchestrator.dispatch()`
-
-Why here:
-- one place covers all tools
-- one place can emit traces
-- one place can remain model-agnostic
-- one place lets plugins observe or override the assessment
-
-## 4.2 Classify Tool Calls by Side-Effect Class
-
-Suggested first-pass taxonomy:
-
-### A. Read-only
-Examples:
-- `read_file`
-- `search_files`
-- `browser_snapshot`
-- `browser_console` read-only inspection
-
-Pattern:
-- confidence threshold
-- almost always auto-execute
-- human confirmation normally unnecessary
-
-### B. Local reversible edits
-Examples:
-- `patch`
-- `write_file`
-- `todo`
-
-Pattern:
-- confidence threshold
-- human confirmation only when risk score rises because of path sensitivity or scope breadth
-
-### C. External side effects
-Examples:
-- `send_message`
-- `cronjob`
-- `delegate_task`
-- smart-home actuation tools
-
-Pattern:
-- confidence threshold by default
-- pre-execution gate when score exceeds threshold or when context is sensitive
-
-### D. Critical / destructive / crisis-sensitive
-Examples:
-- dangerous `terminal`
-- financial actions
-- deletion / kill / restart / deployment in sensitive paths
-- outbound crisis intervention
-
-Pattern:
-- pre-execution gate
-- never auto-execute on confidence alone
-
-## 4.3 Crisis Override Rule
-
-Add a hard override:
-
-```text
-If tool call is crisis-sensitive AND outbound or irreversible:
-    requires_human = True
-    pattern = pre_execution_gate
-```
-
-This is the most important rule in the issue.
-
-The model may draft the message.
-The human must confirm before the system sends it.
-
-## 4.4 Use Confidence Threshold for Normal Ops
-
-For non-crisis operations, use Pattern 3.
-
-Suggested logic:
-- low risk + high assessment confidence -> auto-execute
-- medium risk or medium confidence -> ask human
-- high risk -> always ask human
-
-Key point:
-- confidence is not just "how sure the LLM is"
-- confidence should combine:
-  - tool type certainty
-  - argument clarity
-  - path sensitivity
-  - external side effects
-  - crisis indicators
-
----
-
-## 5. Recommended Initial Scoring Factors
-
-A simple initial scorer is enough.
-It does not need to be fancy.
-
-Suggested factors:
-
-### 5.1 Tool class risk
-- read-only tools: very low base risk
-- local mutation tools: moderate base risk
-- external communication / automation tools: higher base risk
-- shell execution: variable, often high
-
-### 5.2 Target sensitivity
-Examples:
-- `/tmp` or local scratch paths -> lower
-- repo files under git -> medium
-- system config, credentials, secrets, gateway lifecycle -> high
-- human-facing channels -> high if message content is sensitive
-
-### 5.3 Reversibility
-- reversible -> lower
-- difficult but possible to undo -> medium
-- practically irreversible -> high
-
-### 5.4 Human-impact content
-- no direct human impact -> low
-- administrative impact -> medium
-- crisis / safety / emotional intervention -> critical
-
-### 5.5 Context certainty
-- arguments are explicit and narrow -> higher confidence
-- arguments are vague, inferred, or broad -> lower confidence
-
----
-
-## 6. Implementation Plan
-
-## Phase 1: Assessment Without Behavior Change
-
-Goal:
-- score all tool calls
-- log assessment decisions
-- emit traces for review
-- do not yet block new tool categories
-
-Files to touch:
-- `tools/approval.py`
-- `model_tools.py`
-- tests for assessment coverage
-
-Output:
-- risk/confidence trace for every tool call
-- pattern recommendation for every tool call
-
-Why first:
-- lets us calibrate before changing runtime behavior
-- avoids breaking existing workflows blindly
-
-## Phase 2: Hard-Gate Crisis-Sensitive Outbound Actions
-
-Goal:
-- enforce Pattern 1 for crisis interventions
-
-Likely surfaces:
-- `send_message`
-- any future telephony / call / escalation tools
-- other tools with direct human intervention side effects
-
-Rule:
-- never auto-send crisis intervention content without human confirmation
-
-## Phase 3: General Confidence Threshold for Normal Ops
-
-Goal:
-- apply Pattern 3 to all tool calls
-- auto-run clearly safe actions
-- escalate ambiguous or medium-risk actions
-
-Likely thresholds:
-- score < 0.25 -> auto
-- 0.25 to 0.60 -> confirm if confidence is weak
-- > 0.60 -> confirm
-- crisis-sensitive -> always confirm
-
-## Phase 4: Optional Post-Execution Review Lane
-
-Goal:
-- allow Pattern 2 only for explicitly reversible operations
-
-Examples:
-- maybe low-risk messaging drafts saved locally
-- maybe reversible UI actions in specific environments
-
-Important:
-- this phase is optional
-- Hermes should not rely on Pattern 2 for safety-critical flows
-
----
-
-## 7. Verification Criteria for the Future Implementation
-
-The eventual implementation should prove all of the following:
-
-1. every tool call receives a scored assessment before dispatch
-2. crisis-sensitive outbound actions always require human confirmation
-3. dangerous terminal commands still preserve their current pre-execution gate
-4. clearly safe read-only tool calls are not slowed by unnecessary prompts
-5. assessment traces can be inspected after a run
-6. approval decisions remain session-safe across CLI and gateway contexts
-
----
-
-## 8. Concrete Recommendations
-
-### Recommendation 1
-Do **not** replace the current dangerous-command approval path.
-Generalize above it.
-
-Why:
-- existing terminal Pattern 1 already works
-- this is the strongest piece of the current firewall
-
-### Recommendation 2
-Add a universal scorer in `model_tools.handle_function_call()`.
-
-Why:
-- that is the first point where Hermes knows the tool name and structured arguments
-- it is the cleanest place to classify all tool calls uniformly
-
-### Recommendation 3
-Treat crisis-sensitive outbound intervention as a separate safety class.
-
-Why:
-- issue #878 explicitly calls for Pattern 1 here
-- this matches Timmy's SOUL-level safety requirements
-
-### Recommendation 4
-Ship scoring traces before enforcement expansion.
-
-Why:
-- you cannot tune thresholds you cannot inspect
-- false positives will otherwise frustrate normal usage
-
-### Recommendation 5
-Use Pattern 3 as the default policy for normal operations.
-
-Why:
-- full manual confirmation on every tool call is too expensive
-- full autonomy is too risky
-- Pattern 3 is the practical middle ground
-
----
-
-## 9. Bottom Line
-
-Hermes should implement a **two-track human confirmation firewall**:
-
-1. **Pattern 1: Pre-Execution Gate**
-   - crisis interventions
-   - destructive terminal actions
-   - irreversible or safety-critical tool calls
-
-2. **Pattern 3: Confidence Threshold**
-   - all ordinary tool calls
-   - driven by a universal tool-call assessment layer
-   - integrated at the central dispatch boundary
-
-Pattern 2 should remain optional and narrow.
-It is not the primary answer for Hermes.
-
-The repo already contains the beginnings of this system.
-The next step is not new theory.
-It is to turn the existing approval path into a true **tool-call-wide human confirmation firewall**.
-
----
-
-## References
-
-- Issue #878 — Human Confirmation Firewall Implementation Patterns
-- Issue #659 — Critical Research Tasks
-- `tools/approval.py` — current dangerous-command approval flow and smart approvals
-- `model_tools.py` — central tool dispatch boundary
-- `gateway/run.py` — blocking approval handling for messaging sessions

tests/plugins/memory/test_holographic_observations.py

@@ -0,0 +1,96 @@
+import json
+
+import pytest
+
+from plugins.memory.holographic import HolographicMemoryProvider
+from plugins.memory.holographic.store import MemoryStore
+
+
+@pytest.fixture()
+def store(tmp_path):
+    db_path = tmp_path / "memory.db"
+    s = MemoryStore(db_path=str(db_path), default_trust=0.5)
+    yield s
+    s.close()
+
+
+@pytest.fixture()
+def provider(tmp_path):
+    p = HolographicMemoryProvider(
+        config={
+            "db_path": str(tmp_path / "memory.db"),
+            "default_trust": 0.5,
+        }
+    )
+    p.initialize(session_id="test-session")
+    yield p
+    if p._store:
+        p._store.close()
+
+
+class TestObservationSynthesis:
+    def test_observe_action_persists_observation_with_evidence_links(self, provider):
+        fact_ids = [
+            provider._store.add_fact('User prefers concise status updates', category='user_pref'),
+            provider._store.add_fact('User wants result-only replies with no fluff', category='user_pref'),
+        ]
+
+        result = json.loads(
+            provider.handle_tool_call(
+                'fact_store',
+                {
+                    'action': 'observe',
+                    'query': 'What communication style does the user prefer?',
+                    'limit': 5,
+                },
+            )
+        )
+
+        assert result['count'] == 1
+        observation = result['observations'][0]
+        assert observation['observation_type'] == 'recurring_preference'
+        assert observation['confidence'] >= 0.6
+        assert sorted(item['fact_id'] for item in observation['evidence']) == sorted(fact_ids)
+
+        stored = provider._store.list_observations(limit=10)
+        assert len(stored) == 1
+        assert stored[0]['observation_type'] == 'recurring_preference'
+        assert stored[0]['evidence_count'] == 2
+        assert len(provider._store.list_facts(limit=10)) == 2
+
+    def test_observe_action_synthesizes_three_observation_types(self, provider):
+        provider._store.add_fact('User prefers concise updates', category='user_pref')
+        provider._store.add_fact('User wants result-only communication', category='user_pref')
+        provider._store.add_fact('Project is moving to a local-first deployment model', category='project')
+        provider._store.add_fact('Project direction stays Gitea-first for issue and PR flow', category='project')
+        provider._store.add_fact('Operator always commits early before moving on', category='general')
+        provider._store.add_fact('Operator pushes a PR immediately after each meaningful fix', category='general')
+
+        result = json.loads(provider.handle_tool_call('fact_store', {'action': 'observe', 'limit': 10}))
+        types = {item['observation_type'] for item in result['observations']}
+
+        assert {'recurring_preference', 'stable_direction', 'behavioral_pattern'} <= types
+
+    def test_single_fact_does_not_create_overconfident_observation(self, provider):
+        provider._store.add_fact('User prefers concise updates', category='user_pref')
+
+        result = json.loads(
+            provider.handle_tool_call(
+                'fact_store',
+                {'action': 'observe', 'query': 'What does the user prefer?', 'limit': 5},
+            )
+        )
+
+        assert result['count'] == 0
+        assert provider._store.list_observations(limit=10) == []
+
+    def test_prefetch_surfaces_observations_as_separate_layer(self, provider):
+        provider._store.add_fact('User prefers concise updates', category='user_pref')
+        provider._store.add_fact('User wants result-only communication', category='user_pref')
+
+        prefetch = provider.prefetch('What communication style does the user prefer?')
+
+        assert '## Holographic Observations' in prefetch
+        assert '## Holographic Memory' in prefetch
+        assert 'recurring_preference' in prefetch
+        assert 'evidence' in prefetch.lower()