HexMem: store/version outbound action gate policies (for OpenClaw/agents)

[hexdaemon]

Context

We want a hard preflight gate for outbound actions (Slack/DM/Nostr/etc) that is fail-closed and enforces required memory reads/tool checks (MVRSA-style: reasons can stop action).

The enforcement belongs in the delivery pipeline (OpenClaw/agent host), but the rules should live in HexMem so they can evolve from experience without redeploying code.

Ask

Add a policy representation in HexMem for outbound action gating, including:

• actionKind + channel matching
• required memory/context queries (by topic)
• channel constraints (e.g. only respond when @mentioned)
• fail-open vs fail-closed per channel/action
• policy versioning + effective dates
• logging table for gate outcomes (allowed/blocked + reason + ctx digest)

Proposed Tables (sketch)

• policies (id, name, version, enabled, created_at, notes)
• policy_rules (policy_id, match_json, required_reads_json, constraints_json, behavior_json, priority)
• policy_runs (ts, policy_version, ctx_json, ctx_hash, result, reason, required_reads_done_json)

Link

Related issue (implementation/where to hook): hexdaemon/hexswarm#1

Acceptance

• Can query HexMem for the active outbound-gate policy given a context
• Can record a policy run outcome for later learning
  }