NEXO 7.11.6 — Guardian false positives drop and Deep Sleep validates extraction shape

Published 2026-04-28. Patch release over v7.11.5 — three bugs from a tester report were re-checked against the current code/runtime, and only the still-live ones shipped here.

What was still broken on current code

The report came from a tester on an older install, so the first step was to re-check everything against the current repo and runtime. Three issues were still reproducible on 7.11.5:

• Guardian G4 still accepted some slash fragments as if they were real file paths.
• strict_protocol_write_without_task always stored severity=error, even when a fresh heartbeat proved the session was alive and simply missed task_open.
• Deep Sleep extraction still treated any syntactically valid JSON as success, even when the payload did not match the extraction contract.

Guardian G4: fewer fake paths reach protocol debt

src/hook_guardrails.py now filters more artifact shapes before they become debt:

• |, =, and ; are treated as path-artifact markers.
• Date-like slash fragments such as /04/2026 are rejected.
• Non-extension multi-segment slash tokens must exist on disk before they count as real paths.

That means quoted fragments, regex-style tokens, and date substrings stop reaching g4_guard_check_required or strict_protocol_write_without_task as if they were real edit targets.

Strict missing-task debt now distinguishes drift from total loss of protocol

Strict writes still block when there is no open protocol task. That part remains fail-closed. What changes is the stored debt severity: if the same session has a heartbeat in the last 5 minutes, the debt is now warn instead of error.

This does not relax enforcement. It simply stops dashboards and debt queues from mixing “session is clearly alive but skipped task_open” with “write came from a dead or untracked session”.

Deep Sleep now validates the real extraction contract

src/scripts/deep-sleep/extract.py already handled transport errors and raw JSON parse failures. The remaining gap was structural: a payload could parse as JSON and still be too degraded to trust.

v7.11.6 validates the live extraction contract itself before accepting success. The minimum shape now requires:

• session_id
• findings
• protocol_summary with the expected subkeys

If the payload parses but fails that contract, the run is now marked as deterministic json_schema failure and the raw output is persisted to debug-extract-*-json_schema.txt. That keeps partial payloads out of synthesis instead of silently smearing weak data into the next layer.

Validation

pytest -q tests/test_hook_guardrails.py tests/test_deep_sleep_extract.py

50 passed

Full changelog entry → · src/hook_guardrails.py · src/scripts/deep-sleep/extract.py