feat(profiler/behave_shell): G.2 operational.opsec_discipline

* careful — operator hits OPSEC_HISTORY_TOKENS AND tail-K commands
  include _CLEANUP_TOKEN_HASHES (re-imported from temporal.py).
* learning — history hit without cleanup-tail follow-through.
* careless — no history-clearing vocabulary at all.

Confidence 0.45 (small lexicon, soft); 0.30 below
MIN_COMMANDS_FOR_FULL_CONFIDENCE.

decnet/profiler/behave_shell/_features/__init__.py

@@ -33,6 +33,7 @@ from decnet.profiler.behave_shell._features.environmental import (
 )
 from decnet.profiler.behave_shell._features.operational import (
     objective,
+    opsec_discipline,
 )
 from decnet.profiler.behave_shell._features.temporal import (
     escalation_pattern,
@@ -85,4 +86,5 @@ FEATURES: tuple[FeatureFn, ...] = (
     keyboard_layout,
     numpad_usage,
     objective,
+    opsec_discipline,
 )

decnet/profiler/behave_shell/_features/operational.py

@@ -14,10 +14,18 @@ from decnet_behave_core.spec.envelope import Observation
 
 from decnet.profiler.behave_shell._ctx import SessionContext
 from decnet.profiler.behave_shell._features._emit import make_observation
-from decnet.profiler.behave_shell._intent import classify_intent
+from decnet.profiler.behave_shell._features.temporal import (
+    _CLEANUP_TOKEN_HASHES,
+)
+from decnet.profiler.behave_shell._intent import (
+    OPSEC_HISTORY_TOKENS,
+    classify_intent,
+)
 from decnet.profiler.behave_shell._thresholds import (
+    EXIT_BEHAVIOR_LOOKBACK_K,
     INTENT_FULL_CONFIDENCE_MIN,
     INTENT_MIN_COMMANDS,
+    MIN_COMMANDS_FOR_FULL_CONFIDENCE,
 )
 
 
@@ -60,3 +68,44 @@ def objective(ctx: SessionContext) -> Iterator[Observation]:
         value=value,
         confidence=confidence,
     )
+
+
+def opsec_discipline(ctx: SessionContext) -> Iterator[Observation]:
+    """Emit ``operational.opsec_discipline`` ∈ {careful, careless, learning}.
+
+    * ``careful`` — operator hits ``OPSEC_HISTORY_TOKENS`` AND the
+      tail-K (=``EXIT_BEHAVIOR_LOOKBACK_K``) commands include cleanup
+      vocabulary (locally re-derived; we do **not** read prior
+      observations).
+    * ``learning`` — operator hits ``OPSEC_HISTORY_TOKENS`` but does
+      NOT close with cleanup tokens. Half-discipline.
+    * ``careless`` — no ``OPSEC_HISTORY_TOKENS`` hits at all.
+
+    Skip emission when no commands. Confidence 0.45 (small lexicon,
+    soft); 0.30 below ``MIN_COMMANDS_FOR_FULL_CONFIDENCE`` (=5).
+    """
+    if not ctx.commands:
+        return
+    has_history = any(
+        c.first_token_hash in OPSEC_HISTORY_TOKENS for c in ctx.commands
+    )
+    tail = ctx.commands[-EXIT_BEHAVIOR_LOOKBACK_K:]
+    has_cleanup_tail = any(
+        c.first_token_hash in _CLEANUP_TOKEN_HASHES for c in tail
+    )
+    if not has_history:
+        value = "careless"
+    elif has_cleanup_tail:
+        value = "careful"
+    else:
+        value = "learning"
+    if len(ctx.commands) < MIN_COMMANDS_FOR_FULL_CONFIDENCE:
+        confidence = 0.30
+    else:
+        confidence = 0.45
+    yield make_observation(
+        ctx,
+        primitive="operational.opsec_discipline",
+        value=value,
+        confidence=confidence,
+    )

decnet/web/db/models/topology.py

@@ -31,7 +31,7 @@ class Topology(SQLModel, table=True):
     id: str = Field(default_factory=lambda: str(uuid4()), primary_key=True)
     name: str = Field(index=True, unique=True)
     mode: Literal["unihost", "agent"] = Field(
-        default="unihost", sa_column=Column("mode", String, nullable=False, default="unihost")
+        default="unihost", sa_column=Column("mode", String(16), nullable=False, default="unihost")
     )
     # When ``mode == "agent"``, pins this topology to a specific enrolled
     # worker.  ``None`` for unihost topologies (master-local deploy).
@@ -46,7 +46,7 @@ class Topology(SQLModel, table=True):
         "pending", "deploying", "active", "degraded", "failed", "tearing_down", "torn_down"
     ] = Field(
         default="pending",
-        sa_column=Column("status", String, nullable=False, default="pending", index=True),
+        sa_column=Column("status", String(32), nullable=False, default="pending", index=True),
     )
     status_changed_at: datetime = Field(
         default_factory=lambda: datetime.now(timezone.utc)
@@ -121,7 +121,7 @@ class TopologyDecky(SQLModel, table=True):
         "pending", "running", "failed", "torn_down", "degraded", "tearing_down", "teardown_failed"
     ] = Field(
         default="pending",
-        sa_column=Column("state", String, nullable=False, default="pending", index=True),
+        sa_column=Column("state", String(32), nullable=False, default="pending", index=True),
     )
     last_error: Optional[str] = Field(
         default=None, sa_column=Column("last_error", Text, nullable=True)
@@ -186,13 +186,13 @@ class TopologyMutation(SQLModel, table=True):
     )
     id: str = Field(default_factory=lambda: str(uuid4()), primary_key=True)
     topology_id: str = Field(foreign_key="topologies.id", index=True)
-    op: _MUTATION_OPS = Field(sa_column=Column("op", String, nullable=False, index=True))
+    op: _MUTATION_OPS = Field(sa_column=Column("op", String(32), nullable=False, index=True))
     payload: str = Field(
         sa_column=Column("payload", _BIG_TEXT, nullable=False, default="{}")
     )
     state: Literal["pending", "applying", "applied", "failed"] = Field(
         default="pending",
-        sa_column=Column("state", String, nullable=False, default="pending", index=True),
+        sa_column=Column("state", String(32), nullable=False, default="pending", index=True),
     )
     requested_at: datetime = Field(
         default_factory=lambda: datetime.now(timezone.utc), index=True