hebbian 0.5.0 → 0.5.2

package/dist/api.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"api.d.ts","sourceRoot":"","sources":["../src/api.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,YAAY,EAA6C,MAAM,WAAW,CAAC;AAgBpF,MAAM,WAAW,WAAW;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;CACjD;AAqPD;;GAEG;AACH,wBAAgB,QAAQ,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,SAAO,GAAG,UAAU,CAAC,OAAO,YAAY,CAAC,CA4BxF;AAED;;GAEG;AACH,wBAAgB,eAAe,IAAI,MAAM,CAExC;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,WAAW,EAAE,CAEjD;AAED;;GAEG;AACH,wBAAgB,YAAY,IAAI,IAAI,CAEnC"}
+{"version":3,"file":"api.d.ts","sourceRoot":"","sources":["../src/api.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,YAAY,EAA6C,MAAM,WAAW,CAAC;AAgBpF,MAAM,WAAW,WAAW;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;CACjD;AAgQD;;GAEG;AACH,wBAAgB,QAAQ,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,SAAO,GAAG,UAAU,CAAC,OAAO,YAAY,CAAC,CA4BxF;AAED;;GAEG;AACH,wBAAgB,eAAe,IAAI,MAAM,CAExC;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,WAAW,EAAE,CAEjD;AAED;;GAEG;AACH,wBAAgB,YAAY,IAAI,IAAI,CAEnC"}

package/dist/bin/hebbian.js

@@ -876,6 +876,9 @@ function growNeuron(brainRoot, neuronPath) {
     const counter = fireNeuron(brainRoot, neuronPath);
     return { action: "fired", path: neuronPath, counter };
   }
+  if (neuronPath.includes("..") || neuronPath.startsWith("/")) {
+    throw new Error(`Invalid neuron path: "${neuronPath}" (path traversal not allowed)`);
+  }
   const parts = neuronPath.split("/");
   const regionName = parts[0];
   if (!REGIONS.includes(regionName)) {
@@ -1645,7 +1648,16 @@ function error(res, message, status = 400) {
 async function readBody(req) {
   return new Promise((resolve4, reject) => {
     const chunks = [];
-    req.on("data", (chunk) => chunks.push(chunk));
+    let total = 0;
+    req.on("data", (chunk) => {
+      total += chunk.length;
+      if (total > MAX_BODY_BYTES) {
+        reject(new Error("Request body too large"));
+        req.destroy();
+        return;
+      }
+      chunks.push(chunk);
+    });
     req.on("end", () => resolve4(Buffer.concat(chunks).toString("utf8")));
     req.on("error", reject);
   });
@@ -1835,7 +1847,7 @@ function getPendingReports() {
 function clearReports() {
   pendingReports.length = 0;
 }
-var lastAPIActivity, pendingReports;
+var lastAPIActivity, pendingReports, MAX_BODY_BYTES;
 var init_api = __esm({
   "src/api.ts"() {
     "use strict";
@@ -1852,6 +1864,7 @@ var init_api = __esm({
     init_constants();
     lastAPIActivity = Date.now();
     pendingReports = [];
+    MAX_BODY_BYTES = 1048576;
   }
 });
 
@@ -2145,6 +2158,8 @@ function extractCorrections(messages) {
     if (text.length < MIN_CORRECTION_LENGTH) continue;
     if (/^[\/!]/.test(text.trim())) continue;
     if (text.trim().endsWith("?")) continue;
+    if (/^<[a-zA-Z]/.test(text.trim())) continue;
+    if (/^Base directory for this skill:/i.test(text.trim())) continue;
     const correction = detectCorrection(text);
     if (correction) {
       corrections.push(correction);
@@ -2556,8 +2571,9 @@ function buildOutcomeSummary(brainRoot) {
   });
   for (const [neuron, s] of sorted) {
     const ratio = s.sessions > 0 ? (s.reverts / s.sessions).toFixed(2) : "0.00";
-    const trend = parseFloat(ratio) > 0.5 ? "\u2190 act on this" : parseFloat(ratio) > 0.3 ? "\u2190 watch" : "";
-    lines.push(`- ${neuron}: sessions=${s.sessions} reverts=${s.reverts} acceptances=${s.acceptances} contra_ratio=${ratio} ${trend}`);
+    const trend = parseFloat(ratio) > 0.5 ? "act on this" : parseFloat(ratio) > 0.3 ? "watch" : "";
+    const safePath = neuron.replace(/[\n\r#]/g, " ").trim();
+    lines.push(`- ${safePath}: sessions=${s.sessions} reverts=${s.reverts} acceptances=${s.acceptances} contra_ratio=${ratio} ${trend}`);
   }
   lines.push("");
   return lines.join("\n");
@@ -2621,12 +2637,27 @@ __export(evolve_exports, {
   runEvolve: () => runEvolve,
   validateActions: () => validateActions
 });
+import { existsSync as existsSync17, readFileSync as readFileSync9, writeFileSync as writeFileSync14 } from "fs";
+import { join as join18 } from "path";
 async function runEvolve(brainRoot, dryRun) {
   const apiKey = process.env.GEMINI_API_KEY;
   if (!apiKey) {
     console.error("\u274C GEMINI_API_KEY not set. Get one at https://aistudio.google.com/apikey");
     return { actions: [], executed: 0, skipped: 0, dryRun };
   }
+  if (!dryRun && process.env.EVOLVE_NO_COOLDOWN !== "1") {
+    const cooldownMs = (parseInt(process.env.EVOLVE_COOLDOWN_SECONDS ?? "60", 10) || 60) * 1e3;
+    const cooldownPath = join18(brainRoot, EVOLVE_COOLDOWN_FILE);
+    if (existsSync17(cooldownPath)) {
+      const lastRun = parseInt(readFileSync9(cooldownPath, "utf8").trim(), 10);
+      const elapsed = Date.now() - lastRun;
+      if (elapsed < cooldownMs) {
+        const remaining = Math.ceil((cooldownMs - elapsed) / 1e3);
+        console.log(`\u23F3 evolve cooldown: ${remaining}s remaining (use EVOLVE_NO_COOLDOWN=1 to bypass)`);
+        return { actions: [], executed: 0, skipped: 0, dryRun };
+      }
+    }
+  }
   const episodes = readEpisodes(brainRoot);
   const brain = scanBrain(brainRoot);
   const summary = buildBrainSummary(brain);
@@ -2657,6 +2688,7 @@ async function runEvolve(brainRoot, dryRun) {
   const executed = executeActions(brainRoot, actions);
   logEpisode(brainRoot, "evolve", "", `${executed} action(s) executed, ${skipped} skipped`);
   console.log(`\u{1F9E0} evolve: ${executed} action(s) executed, ${skipped} skipped`);
+  writeFileSync14(join18(brainRoot, EVOLVE_COOLDOWN_FILE), String(Date.now()), "utf8");
   return { actions, executed, skipped, dryRun: false };
 }
 function buildBrainSummary(brain) {
@@ -2679,8 +2711,12 @@ function buildBrainSummary(brain) {
   }
   return lines.join("\n");
 }
+function sanitizeForPrompt(text) {
+  const firstLine = (text.split("\n")[0] ?? "").trim();
+  return firstLine.replace(/^#+\s*/g, "").slice(0, 200);
+}
 function buildPrompt(summary, episodes, outcomeSummary) {
-  const episodeLines = episodes.length > 0 ? episodes.map((e) => `- [${e.ts}] ${e.type}: ${e.path} \u2014 ${e.detail}`).join("\n") : "(no recent episodes)";
+  const episodeLines = episodes.length > 0 ? episodes.map((e) => `- [${e.ts}] ${e.type}: ${e.path} \u2014 ${sanitizeForPrompt(e.detail)}`).join("\n") : "(no recent episodes)";
   const outcomeSection = outcomeSummary || "";
   return `You are the evolve engine for a hebbian brain \u2014 a filesystem-based memory system for AI agents.
 
@@ -2719,7 +2755,7 @@ Respond with a JSON array of actions:
 }
 async function callGemini(prompt, apiKey) {
   const model = process.env.EVOLVE_MODEL || DEFAULT_MODEL;
-  const url = `https://generativelanguage.googleapis.com/v1beta/models/${model}:generateContent?key=${apiKey}`;
+  const url = `https://generativelanguage.googleapis.com/v1beta/models/${model}:generateContent`;
   const body = {
     contents: [{ parts: [{ text: prompt }] }],
     generationConfig: {
@@ -2735,7 +2771,7 @@ async function callGemini(prompt, apiKey) {
     try {
       const res = await fetch(url, {
         method: "POST",
-        headers: { "Content-Type": "application/json" },
+        headers: { "Content-Type": "application/json", "x-goog-api-key": apiKey },
         body: JSON.stringify(body),
         signal: AbortSignal.timeout(API_TIMEOUT)
       });
@@ -2789,6 +2825,10 @@ function parseActions(text) {
 }
 function validateActions(actions, _brain) {
   return actions.filter((action) => {
+    if (action.path.includes("..") || action.path.startsWith("/")) {
+      console.log(`   \u26A0\uFE0F blocked: ${action.type} ${action.path} (path traversal)`);
+      return false;
+    }
     const region = action.path.split("/")[0];
     if (!region || PROTECTED_REGIONS.includes(region)) {
       console.log(`   \u{1F6E1}\uFE0F blocked: ${action.type} ${action.path} (protected region)`);
@@ -2850,7 +2890,7 @@ function actionIcon(type) {
       return "\u2753";
   }
 }
-var MAX_ACTIONS, PROTECTED_REGIONS, DEFAULT_MODEL, API_TIMEOUT, RETRY_DELAY;
+var MAX_ACTIONS, PROTECTED_REGIONS, DEFAULT_MODEL, API_TIMEOUT, RETRY_DELAY, EVOLVE_COOLDOWN_FILE;
 var init_evolve = __esm({
   "src/evolve.ts"() {
     "use strict";
@@ -2868,6 +2908,7 @@ var init_evolve = __esm({
     DEFAULT_MODEL = "gemini-2.0-flash-lite";
     API_TIMEOUT = 3e4;
     RETRY_DELAY = 5e3;
+    EVOLVE_COOLDOWN_FILE = "hippocampus/evolve_last_run";
   }
 });
 
@@ -2876,8 +2917,8 @@ var doctor_exports = {};
 __export(doctor_exports, {
   runDoctor: () => runDoctor
 });
-import { existsSync as existsSync17, readFileSync as readFileSync9, readdirSync as readdirSync11 } from "fs";
-import { join as join18 } from "path";
+import { existsSync as existsSync18, readFileSync as readFileSync10, readdirSync as readdirSync11 } from "fs";
+import { join as join19 } from "path";
 import { execSync as execSync4 } from "child_process";
 async function runDoctor(brainRoot) {
   let passed = 0, warnings = 0, failed = 0;
@@ -2907,7 +2948,7 @@ async function runDoctor(brainRoot) {
   console.log("\nnpm package");
   try {
     const pkgPath = new URL("../package.json", import.meta.url).pathname;
-    const pkg = JSON.parse(readFileSync9(pkgPath, "utf8"));
+    const pkg = JSON.parse(readFileSync10(pkgPath, "utf8"));
     const local = pkg.version || "unknown";
     let remote = "";
     try {
@@ -2924,13 +2965,13 @@ async function runDoctor(brainRoot) {
     warn("Could not read package.json");
   }
   console.log("\nbrain structure");
-  if (!existsSync17(brainRoot)) {
+  if (!existsSync18(brainRoot)) {
     fail(`Brain not found at ${brainRoot}`, "hebbian init ./brain");
   } else {
     ok(`Brain root: ${brainRoot}`);
     for (const region of REGIONS) {
-      const regionDir = join18(brainRoot, region);
-      if (existsSync17(regionDir)) {
+      const regionDir = join19(brainRoot, region);
+      if (existsSync18(regionDir)) {
         ok(`Region: ${region}`);
       } else {
         warn(`Missing region: ${region}`, `mkdir -p ${regionDir}`);
@@ -2938,12 +2979,12 @@ async function runDoctor(brainRoot) {
     }
   }
   console.log("\nClaude Code hooks");
-  const settingsPath = join18(process.cwd(), ".claude", "settings.local.json");
-  if (!existsSync17(settingsPath)) {
+  const settingsPath = join19(process.cwd(), ".claude", "settings.local.json");
+  if (!existsSync18(settingsPath)) {
     warn("No .claude/settings.local.json found", "hebbian claude install");
   } else {
     try {
-      const settings = JSON.parse(readFileSync9(settingsPath, "utf8"));
+      const settings = JSON.parse(readFileSync10(settingsPath, "utf8"));
       const hooks = settings.hooks || {};
       const hasStop = Object.entries(hooks).some(
         ([event, entries]) => event === "Stop" && Array.isArray(entries) && entries.some(
@@ -2976,8 +3017,8 @@ async function runDoctor(brainRoot) {
   try {
     let total = 0;
     for (const region of REGIONS) {
-      const candidateDir = join18(brainRoot, region, "_candidates");
-      if (existsSync17(candidateDir)) {
+      const candidateDir = join19(brainRoot, region, "_candidates");
+      if (existsSync18(candidateDir)) {
         const entries = readdirSync11(candidateDir, { withFileTypes: true });
         const count = entries.filter((e) => e.isDirectory()).length;
         total += count;
@@ -3015,7 +3056,7 @@ var init_doctor = __esm({
 init_constants();
 import { parseArgs } from "util";
 import { resolve as resolve3 } from "path";
-var VERSION = "0.5.0";
+var VERSION = "0.5.2";
 var HELP = `
 hebbian v${VERSION} \u2014 Folder-as-neuron brain for any AI agent.