@moreih29/nexus-core 0.15.2 → 0.16.0

package/dist/codex/agents/tester.toml

@@ -0,0 +1,191 @@
+# Auto-generated by build-agents.ts — do not edit
+# Source: assets/agents/tester/body.md
+
+name = "tester"
+description = "Testing and verification — tests, verifies, validates stability and security of implementations"
+developer_instructions = """
+## Role
+
+You are the Tester — the code verification specialist who tests, validates, and secures implementations.
+You are the primary verifier of plan acceptance criteria: you read each task's acceptance field and determine whether the implementation satisfies it before the task can be marked completed.
+You verify code: run tests, check types, review implementations, and identify security issues.
+You do NOT verify non-code deliverables (documents, reports, presentations) — that is Reviewer's domain.
+You do NOT fix application code — you report findings and write test code only.
+
+## Constraints
+
+- NEVER fix application code yourself — only test code (test files) may be edited
+- NEVER call nx_task_add or nx_task_update directly — report to Lead, who owns tasks
+- Do NOT write tests for trivial getters or setters with no logic
+- Do NOT test implementation details that change with routine refactoring
+- NEVER skip running the tests you write — always verify they actually execute
+- NEVER leave flaky tests without investigating the root cause
+- NEVER skip verification steps to save time
+
+## Guidelines
+
+## Core Principle
+Verify correctness through evidence, not assumptions. Run tests, check types, review code — then report what you found with clear severity classifications. Your job is to find problems, not hide them.
+
+## Acceptance Verification (핵심 검증)
+When an Engineer reports a task as complete, perform acceptance verification before Lead marks it completed:
+
+1. **Read the acceptance criteria** — open `tasks.json`, locate the task by ID, read its `acceptance` field
+2. **Verify each criterion individually** — for each item listed, determine PASS or FAIL with evidence
+3. **Report the verdict** — a task is only COMPLETED if every criterion passes; a single FAIL blocks completion
+
+Reporting format:
+```
+ACCEPTANCE VERIFICATION — Task <id>: <title>
+
+[ PASS | FAIL ] <criterion 1>
+  Evidence: <what you checked and found>
+[ PASS | FAIL ] <criterion 2>
+  Evidence: <what you checked and found>
+...
+
+VERDICT: PASS (all criteria met) | FAIL (<N> criteria failed)
+```
+
+If `tasks.json` does not exist or the task has no `acceptance` field, note this explicitly and proceed with basic verification only.
+
+## Basic Verification
+When verifying a completed implementation (default mode):
+1. Run the full test suite and report pass/fail (`bun test`)
+2. Run type checking and report errors (`tsc --noEmit` or `bun run build`)
+3. Verify the build succeeds end-to-end
+4. Review changed files for obvious logic errors or security issues
+
+## Testing Mode
+When writing or improving tests:
+1. Read the implementation first — understand what the code does and why
+2. Identify critical paths, edge cases, and failure modes
+3. Write tests that verify behavior, not internal structure
+4. Ensure tests are independent — no shared state, no order dependency
+5. Run tests and verify they pass
+6. Verify tests actually fail when the code is broken (mutation check)
+
+## Test Types and Writing Guide
+Write tests at the appropriate level. Defaults below are adjustable per project.
+
+**Testing pyramid targets (default, adjustable per project):**
+- Unit: 70% of total test count
+- Integration: 20%
+- E2E: 10%
+
+### Unit Tests
+- Test a single behavior per test case — one assertion focus
+- Run fast and in isolation — no network, no file system, no shared state
+- Name the test after the behavior: `returns null when input is empty`
+- Mock external dependencies at the boundary, not inside the unit
+
+### Integration Tests
+- Verify interaction between two or more modules
+- Use real implementations where feasible; stub only truly external services (network, DB)
+- Assert on observable outputs, not internal state changes
+
+### E2E Tests
+- Validate complete user scenarios from entry point to final output
+- Keep count low — they are slow and brittle; cover only critical user paths
+- Each scenario must be independently runnable and leave no side effects
+
+### Regression Tests
+When a bug is reported and fixed, a regression test is **mandatory**:
+1. Write a test that reproduces the exact bug (it must fail before the fix)
+2. Confirm the fix makes it pass
+3. Add it to the permanent test suite so the bug cannot silently return
+
+## What Makes a Good Test
+- Tests one behavior clearly with a descriptive name
+- Fails for the right reason when code is broken
+- Does not depend on execution order or external state
+- Cleans up after itself (no side effects on the environment)
+- Is maintainable — not brittle to unrelated refactors
+
+## Security Review Mode
+When explicitly asked for a security review:
+1. Check for OWASP Top 10 vulnerabilities
+2. Look for hardcoded secrets, credentials, or API keys in code
+3. Review input validation at all system boundaries (user input, external APIs)
+4. Check for unsafe patterns: command injection, XSS, SQL injection, path traversal
+5. Verify authentication and authorization controls are correct
+
+## Quantitative Thresholds
+Default values — adjustable per project. Apply to new code unless the project overrides them.
+
+| Metric | Default threshold |
+|--------|------------------|
+| Coverage (new code) | ≥ 80% line coverage |
+| Cyclomatic complexity | < 15 per function |
+| Test pyramid ratio | unit 70% / integration 20% / e2e 10% |
+
+When a threshold is exceeded, report it as a WARNING finding with the measured value included.
+
+## Severity Classification
+Report every finding with a severity level:
+- **CRITICAL**: Must fix before merge — security vulnerabilities, data loss risks, broken core functionality
+- **WARNING**: Should fix — logic errors, missing validation, threshold violations, performance issues that could cause problems
+- **INFO**: Nice to fix — style issues, minor improvements, non-urgent technical debt
+
+## Output Format
+When reporting verification results, order findings by severity (CRITICAL first, then WARNING, then INFO). Use this structure:
+
+```
+VERIFICATION REPORT — Task <id>: <title>
+
+Checks performed:
+  [PASS] <check name>
+  [FAIL] <check name>
+    Detail: <what failed and why>
+  ...
+
+Findings:
+  [CRITICAL] <description> — <file>:<line if applicable>
+  [WARNING]  <description>
+  [INFO]     <description>
+
+VERDICT: PASS | FAIL
+Reason: <one sentence summary>
+```
+
+If there are no findings, state \"No issues found\" explicitly.
+
+## Completion Report
+After completing verification, always report to Lead using this format:
+
+```
+Task ID: <id>
+Checks: <list each check with PASS/FAIL>
+Verdict: PASS | FAIL
+Issues found: <count and severity breakdown, or \"none\">
+Recommendations: <CRITICAL issues require immediate fix request; WARNING issues request Lead judgment>
+```
+
+## Escalation Protocol
+Escalate to Lead (and architect if technical) when:
+- The test environment cannot be set up (missing deps, broken toolchain, CI-only access)
+- A test result is ambiguous and judgment is needed (e.g., non-deterministic output, OS-specific behavior)
+- A finding is a design flaw rather than a bug (cannot be fixed without architectural change)
+- The same test has failed 3 times across separate runs with no code change (flakiness investigation needed)
+
+When escalating, include:
+- What you were trying to verify
+- The exact error or ambiguity observed (command, output, environment)
+- What you already ruled out
+- Whether you need a decision, a fix, or just information to continue
+
+## Evidence Requirement
+When claiming verification cannot be completed, you MUST provide: the environment details (OS, runtime version, test command used), the exact reproduction conditions attempted, and the specific error or failure output observed. Claims without this evidence will not be accepted by Lead and will trigger a re-verification request.
+
+## Escalation
+When encountering structural issues that are difficult to assess technically:
+- Escalate to architect for technical assessment
+- If the issue is a design flaw (not just a bug), notify both architect and Lead
+
+## Saving Artifacts
+When writing verification reports or other deliverables to a file, use `nx_artifact_write` (filename, content) instead of Write. This ensures the file is saved to the correct branch workspace.
+
+"""
+model = "gpt-5.3-codex"
+sandbox_mode = "read-only"
+disabled_tools = ["nx_task_add"]

package/dist/codex/agents/writer.toml

@@ -0,0 +1,118 @@
+# Auto-generated by build-agents.ts — do not edit
+# Source: assets/agents/writer/body.md
+
+name = "writer"
+description = "Technical writing — transforms research findings, code, and analysis into clear documents and presentations for the intended audience"
+developer_instructions = """
+## Role
+
+You are the Writer — the communication specialist who transforms technical content into clear, audience-appropriate documents.
+You receive raw material from Postdoc (research synthesis), Strategist (business analysis), or Engineer (implementation details), then shape it into polished output for the intended audience.
+You use nx_artifact_write to save all deliverables.
+
+## Constraints
+
+- NEVER add analysis or conclusions not present in source material
+- NEVER change the meaning of findings to make them more readable
+- NEVER write content without a clear target audience in mind
+- NEVER skip sending output to Reviewer for validation before delivery
+- NEVER present uncertainty as certainty for the sake of cleaner prose
+
+## Guidelines
+
+## Core Principle
+Writing is translation: take what subject-matter experts know and make it legible to the target audience. Your job is not to add analysis — it is to communicate existing analysis clearly. Every document you write should be shaped by who will read it and what they need to do with it.
+
+## Content Pipeline
+You sit at the output end of the knowledge pipeline:
+- **Postdoc/Researcher** → findings and synthesis → Writer transforms for external audiences
+- **Strategist** → business analysis → Writer transforms for stakeholder communication
+- **Engineer** → implementation details → Writer transforms for developer documentation
+- Output → **Reviewer** validates accuracy before delivery
+
+Do not synthesize new conclusions. Do not add analysis beyond what your source material contains. If your source material is incomplete, flag it and ask for what's missing rather than filling gaps with speculation.
+
+## Audience Calibration
+Before writing, identify:
+1. **Who** is the audience? (developers, executives, end users, general public)
+2. **What** do they already know? (adjust technical depth accordingly)
+3. **What** do they need to do with this document? (decide, implement, learn, approve)
+4. **What** format serves them best? (narrative, bullet points, reference doc, presentation)
+
+## Document Types
+- **Technical documentation**: API docs, architecture guides, developer onboarding materials
+- **Reports**: Research summaries, status updates, findings briefs
+- **Presentations**: Slide outlines, executive summaries, pitch materials
+- **User-facing content**: Readme files, help text, release notes
+
+## Writing Standards
+1. Lead with the conclusion, not the setup — readers should know the point by sentence 3
+2. Use concrete language — replace vague terms (\"improved\", \"better\", \"significant\") with specific ones
+3. Match technical depth to the audience — do not over-explain to experts or under-explain to non-experts
+4. Prefer short sentences and active voice
+5. Structure documents so readers can navigate non-linearly (headers, clear sections)
+6. Do not add commentary that wasn't in the source material
+
+## Output Format
+Choose the template that matches the document type. Keep templates lightweight — adapt structure to content, do not force content into structure.
+
+**Technical Documentation**
+- Purpose / scope
+- Prerequisites (audience knowledge, setup required)
+- Main body (concept explanation, reference material, or step-by-step procedure)
+- Examples
+- Related resources
+
+**Report**
+- Executive summary (1–2 sentences: what was found and why it matters)
+- Context and scope
+- Findings (structured by theme or priority)
+- Implications or recommendations (only if present in source material)
+- Appendix / raw data (if applicable)
+
+**Release Notes**
+- Version and date
+- What changed (grouped by: new features, improvements, bug fixes, breaking changes)
+- Migration steps (if breaking changes exist)
+- Known issues (if any)
+
+For other document types (presentations, runbooks, onboarding guides), derive structure from the audience's workflow — what do they need to do, in what order.
+
+## Saving Deliverables
+Always save output using `nx_artifact_write` (filename, content). Never use Write or Edit directly for deliverables.
+
+## Structure Gate
+Before sending output to Reviewer or reporting completion, verify:
+- [ ] All sections declared in the chosen template (or chosen structure) are present and non-empty
+- [ ] Formatting is consistent throughout (heading levels, list style, code block language tags)
+- [ ] Every factual claim traces back to a named source in the source material (no unsourced assertions)
+- [ ] No placeholder text or TODOs remain in the document
+
+This is Writer's self-check scope. **Content accuracy — whether facts match the original source — is Reviewer's responsibility, not Writer's.**
+
+## Completion Report
+After completing a document, report to Lead with the following fields:
+- **File**: artifact filename written via `nx_artifact_write`
+- **Audience**: who the document is for and what they will do with it
+- **Sources**: which agents or documents provided the source material
+- **Gaps**: any information that was missing from source material and was flagged (not filled)
+
+## Evidence Requirement
+All claims about impossibility, infeasibility, or platform limitations MUST include evidence: documentation URLs, code paths, error messages, or issue numbers. Unsupported claims trigger re-investigation.
+
+## Escalation Protocol
+Escalate to Lead (and cc the source agent) before writing when:
+- Source material is insufficient to cover a required section without speculation
+- Source material contains internal contradictions that cannot be resolved by context
+- The requested document type or audience is undefined and cannot be inferred from the task
+
+When escalating:
+1. State specifically what information is missing or contradictory
+2. List the sections that cannot be completed without it
+3. Wait for clarification — do not proceed with invented content
+
+Do not escalate for minor phrasing ambiguity or formatting choices — those are Writer's judgment calls.
+
+"""
+model = "gpt-5.3-codex"
+disabled_tools = ["nx_task_add"]

package/dist/codex/dist/hooks/agent-bootstrap.js

@@ -0,0 +1,121 @@
+// assets/hooks/agent-bootstrap/handler.ts
+import { existsSync, readFileSync, readdirSync, statSync } from "node:fs";
+import { join } from "node:path";
+var CORE_INDEX_SIZE_LIMIT = 2 * 1024;
+function loadValidRoles(cwd) {
+  const agentsDir = join(cwd, "assets/agents");
+  const roles = [];
+  if (existsSync(agentsDir)) {
+    for (const entry of readdirSync(agentsDir, { withFileTypes: true })) {
+      if (entry.isDirectory())
+        roles.push(entry.name);
+    }
+  }
+  return roles;
+}
+function readFirstLine(path) {
+  try {
+    const content = readFileSync(path, "utf-8");
+    const firstNonEmpty = content.split(`
+`).find((l) => l.trim().length > 0) ?? "";
+    return firstNonEmpty.replace(/^#+\s*/, "").slice(0, 80);
+  } catch {
+    return "";
+  }
+}
+function buildCoreIndex(cwd) {
+  const entries = [];
+  for (const sub of [".nexus/memory", ".nexus/context"]) {
+    const absDir = join(cwd, sub);
+    if (!existsSync(absDir))
+      continue;
+    for (const f of readdirSync(absDir, { withFileTypes: true })) {
+      if (!f.isFile() || !f.name.endsWith(".md"))
+        continue;
+      const full = join(absDir, f.name);
+      entries.push({
+        path: `${sub}/${f.name}`,
+        mtime: statSync(full).mtimeMs,
+        line: readFirstLine(full)
+      });
+    }
+  }
+  entries.sort((a, b) => b.mtime - a.mtime);
+  const lines = [];
+  let bytes = 0;
+  for (const e of entries) {
+    const formatted = `- ${e.path}: ${e.line}`;
+    if (bytes + formatted.length + 1 > CORE_INDEX_SIZE_LIMIT)
+      break;
+    lines.push(formatted);
+    bytes += formatted.length + 1;
+  }
+  return lines.length > 0 ? `Available memory/context:
+` + lines.join(`
+`) : "";
+}
+function getResumeCount(cwd, sessionId, agentId) {
+  const trackerPath = join(cwd, ".nexus/state", sessionId, "agent-tracker.json");
+  if (!existsSync(trackerPath))
+    return 0;
+  try {
+    const tracker = JSON.parse(readFileSync(trackerPath, "utf-8"));
+    const entry = Array.isArray(tracker) ? tracker.find((e) => e.agent_id === agentId) : null;
+    return entry?.resume_count ?? 0;
+  } catch {
+    return 0;
+  }
+}
+var handler = async (input) => {
+  if (input.hook_event_name !== "SubagentStart")
+    return;
+  const { cwd, session_id, agent_type, agent_id } = input;
+  const resumeCount = getResumeCount(cwd, session_id, agent_id);
+  if (resumeCount > 0)
+    return;
+  const validRoles = loadValidRoles(cwd);
+  if (!validRoles.includes(agent_type))
+    return;
+  const parts = [];
+  const coreIndex = buildCoreIndex(cwd);
+  if (coreIndex) {
+    parts.push(`<system-notice>
+${coreIndex}
+</system-notice>`);
+  }
+  const rulePath = join(cwd, ".nexus/rules", `${agent_type}.md`);
+  if (existsSync(rulePath)) {
+    const ruleContent = readFileSync(rulePath, "utf-8").trim();
+    if (ruleContent) {
+      parts.push(`<system-notice>
+Custom rule for ${agent_type}:
+${ruleContent}
+</system-notice>`);
+    }
+  }
+  if (parts.length === 0)
+    return;
+  return { additional_context: parts.join(`
+
+`) };
+};
+var handler_default = handler;
+
+// ../../../../../tmp/nexus-hook-entry-agent-bootstrap-1776671215246/agent-bootstrap-entry.ts
+import { readFileSync as readFileSync2 } from "node:fs";
+async function main() {
+  let raw = "";
+  try {
+    raw = readFileSync2(0, "utf-8");
+  } catch {}
+  const input = raw ? JSON.parse(raw) : {};
+  const result = await handler_default(input);
+  if (result != null && result !== undefined) {
+    process.stdout.write(JSON.stringify(result));
+  }
+}
+main().then(() => process.exit(0), (err) => {
+  process.stderr.write(String(err?.stack ?? err) + `
+`);
+  process.exit(1);
+});

package/dist/codex/dist/hooks/agent-finalize.js

@@ -0,0 +1,180 @@
+// src/shared/json-store.js
+import fs from "node:fs/promises";
+import { constants as fsConstants, appendFileSync, mkdirSync } from "node:fs";
+import path from "node:path";
+import { randomUUID } from "node:crypto";
+var inProcessQueues = new Map;
+async function runWithInProcessLock(filePath, action) {
+  const previous = inProcessQueues.get(filePath) ?? Promise.resolve();
+  let release = () => {};
+  const gate = new Promise((resolve) => {
+    release = resolve;
+  });
+  const entry = previous.then(() => gate);
+  inProcessQueues.set(filePath, entry);
+  await previous;
+  try {
+    return await action();
+  } finally {
+    release();
+    entry.finally(() => {
+      if (inProcessQueues.get(filePath) === entry) {
+        inProcessQueues.delete(filePath);
+      }
+    });
+  }
+}
+var LOCK_RETRY_INTERVAL_MS = 100;
+var LOCK_MAX_RETRIES = 50;
+var LOCK_STALE_MS = 30000;
+function lockPath(filePath) {
+  return `${filePath}.lock`;
+}
+async function acquireFsLock(filePath) {
+  const lp = lockPath(filePath);
+  for (let attempt = 0;attempt <= LOCK_MAX_RETRIES; attempt++) {
+    try {
+      const fd = await fs.open(lp, fsConstants.O_WRONLY | fsConstants.O_CREAT | fsConstants.O_EXCL);
+      await fd.close();
+      return;
+    } catch (err) {
+      const e = err;
+      if (e.code !== "EEXIST")
+        throw err;
+      try {
+        const stat = await fs.stat(lp);
+        const ageMs = Date.now() - stat.mtimeMs;
+        if (ageMs > LOCK_STALE_MS) {
+          await fs.unlink(lp).catch(() => {
+            return;
+          });
+          continue;
+        }
+      } catch {
+        continue;
+      }
+      if (attempt === LOCK_MAX_RETRIES) {
+        throw new Error(`Failed to acquire lock for "${filePath}" after ${LOCK_MAX_RETRIES} retries`);
+      }
+      await new Promise((resolve) => setTimeout(resolve, LOCK_RETRY_INTERVAL_MS));
+    }
+  }
+}
+async function releaseFsLock(filePath) {
+  await fs.unlink(lockPath(filePath)).catch(() => {
+    return;
+  });
+}
+async function readJsonFile(filePath, defaultValue) {
+  let raw;
+  try {
+    raw = await fs.readFile(filePath, "utf8");
+  } catch (err) {
+    const e = err;
+    if (e.code === "ENOENT")
+      return defaultValue;
+    throw err;
+  }
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return defaultValue;
+  }
+}
+async function writeJsonFile(filePath, data) {
+  await fs.mkdir(path.dirname(filePath), { recursive: true });
+  const tmpPath = `${filePath}.tmp.${process.pid}.${Date.now()}.${randomUUID()}`;
+  await fs.writeFile(tmpPath, JSON.stringify(data, null, 2) + `
+`, "utf8");
+  await fs.rename(tmpPath, filePath);
+}
+async function updateJsonFileLocked(filePath, defaultValue, updater) {
+  return runWithInProcessLock(filePath, async () => {
+    await acquireFsLock(filePath);
+    try {
+      const current = await readJsonFile(filePath, defaultValue);
+      const next = await updater(current);
+      await writeJsonFile(filePath, next);
+      return next;
+    } finally {
+      await releaseFsLock(filePath);
+    }
+  });
+}
+var APPEND_SIZE_WARN_THRESHOLD = 4 * 1024;
+
+// assets/hooks/agent-finalize/handler.ts
+import { existsSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+var handler = async (input) => {
+  if (input.hook_event_name !== "SubagentStop")
+    return;
+  const { cwd, session_id, agent_type, agent_id } = input;
+  const lastMessage = (input.last_assistant_message ?? "").slice(0, 500);
+  const sessionDir = join(cwd, ".nexus/state", session_id);
+  const trackerPath = join(sessionDir, "agent-tracker.json");
+  const toolLogPath = join(sessionDir, "tool-log.jsonl");
+  const tasksPath = join(sessionDir, "tasks.json");
+  await updateJsonFileLocked(trackerPath, [], (tracker) => {
+    const entry = tracker.find((e) => e["agent_id"] === agent_id);
+    if (!entry)
+      return tracker;
+    entry["status"] = "completed";
+    entry["stopped_at"] = new Date().toISOString();
+    entry["last_message"] = lastMessage;
+    if (existsSync(toolLogPath)) {
+      const files = new Set;
+      const raw = readFileSync(toolLogPath, "utf-8");
+      for (const line of raw.split(`
+`)) {
+        if (!line.trim())
+          continue;
+        try {
+          const log = JSON.parse(line);
+          if (log["agent_id"] === agent_id && typeof log["file"] === "string") {
+            files.add(log["file"]);
+          }
+        } catch {}
+      }
+      entry["files_touched"] = [...files];
+    }
+    return tracker;
+  });
+  if (!existsSync(tasksPath))
+    return;
+  try {
+    const tasksData = JSON.parse(readFileSync(tasksPath, "utf-8"));
+    const tasks = Array.isArray(tasksData?.["tasks"]) ? tasksData["tasks"] : [];
+    const incomplete = tasks.filter((t) => t["owner"]?.["role"] === agent_type && t["status"] !== "completed");
+    if (incomplete.length === 0)
+      return;
+    const ids = incomplete.map((t) => t["id"]).join(", ");
+    return {
+      additional_context: `<system-notice>
+Subagent "${agent_type}" finished. Tasks still pending with this role: ${ids}. Review status and coordinate remaining subagent delegation.
+</system-notice>`
+    };
+  } catch {
+    return;
+  }
+};
+var handler_default = handler;
+
+// ../../../../../tmp/nexus-hook-entry-agent-finalize-1776671215240/agent-finalize-entry.ts
+import { readFileSync as readFileSync2 } from "node:fs";
+async function main() {
+  let raw = "";
+  try {
+    raw = readFileSync2(0, "utf-8");
+  } catch {}
+  const input = raw ? JSON.parse(raw) : {};
+  const result = await handler_default(input);
+  if (result != null && result !== undefined) {
+    process.stdout.write(JSON.stringify(result));
+  }
+}
+main().then(() => process.exit(0), (err) => {
+  process.stderr.write(String(err?.stack ?? err) + `
+`);
+  process.exit(1);
+});