nexo-brain 1.2.1 → 1.2.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "1.2.1",
+  "version": "1.2.2",
   "mcpName": "io.github.wazionapps/nexo",
   "description": "NEXO \u2014 Cognitive co-operator for Claude Code. Atkinson-Shiffrin memory, semantic RAG, trust scoring, and metacognitive error prevention.",
   "bin": {

package/src/hooks/session-stop.sh

@@ -111,7 +111,7 @@ else
     cat << HOOKEOF
 {
   "decision": "block",
-  "reason": "STOP HOOK — MANDATORY POST-MORTEM before ending (do NOT ask permission, do NOT skip):\n\n## 1. SELF-CRITIQUE (MANDATORY — write to session diary)\nAnswer these questions in the self_critique field of nexo_session_diary_write:\n- Did the user have to ask me for something I should have detected or done on my own?\n- Did I wait for the user to tell me something I could have verified proactively?\n- Are there systems/states I can check next session without being asked?\n- Did I repeat an error that already had a registered learning?\n- What would I do differently if I repeated this session?\nIf any answer is YES — write the specific rule that would prevent repetition.\nIf the session was flawless, write 'No self-critique — clean session.'\n\n## 2. SESSION BUFFER\nIf the session was NOT trivial, append ONE JSON line to ${NEXO_HOME}/brain/session_buffer.jsonl:\n{\"ts\":\"YYYY-MM-DDTHH:MM:SS\",\"tasks\":[...],\"decisions\":[...],\"user_patterns\":[...],\"files_modified\":[...],\"errors_resolved\":[...],\"self_critique\":\"short summary\",\"mood\":\"focused|impatient|exploratory|frustrated|satisfied|neutral\",\"source\":\"claude\"}\n\n## 3. FOLLOWUPS\nIf there were deploys/cron changes/fixes — nexo_followup_create with verification date.\n\n## 4. PROACTIVE SEEDS\nWhat can I leave prepared so the next session starts doing useful work without the user asking?\n\n## 5. MARK COMPLETE\nWhen ALL of the above is done, run:\nbash -c 'mkdir -p ${NEXO_HOME}/operations && date +%s > ${NEXO_HOME}/operations/.postmortem-complete'\nThen say goodbye. The user will close again and the hook will approve."
+  "reason": "STOP HOOK — MANDATORY POST-MORTEM before ending (do NOT ask permission, do NOT skip):\n\n## 1. SELF-CRITIQUE (MANDATORY — write to session diary)\nAnswer these questions in the self_critique field of nexo_session_diary_write:\n- Did the user have to ask me for something I should have detected or done on my own?\n- Did I wait for the user to tell me something I could have verified proactively?\n- Are there systems/states I can check next session without being asked?\n- Did I repeat an error that already had a registered learning?\n- What would I do differently if I repeated this session?\nIf any answer is YES — write the specific rule that would prevent repetition.\nIf the session was flawless, write 'No self-critique — clean session.'\n\n## 2. SESSION BUFFER\nIf the session was NOT trivial, append ONE JSON line to ${NEXO_HOME}/brain/session_buffer.jsonl:\n{\"ts\":\"YYYY-MM-DDTHH:MM:SS\",\"tasks\":[...],\"decisions\":[...],\"user_patterns\":[...],\"files_modified\":[...],\"errors_resolved\":[...],\"self_critique\":\"short summary\",\"mood\":\"focused|impatient|exploratory|frustrated|satisfied|neutral\",\"source\":\"claude\"}\n\n## 3. FOLLOWUPS\nIf there were deploys/cron changes/fixes — nexo_followup_create with verification date.\n\n## 4. PROACTIVE SEEDS\nWhat can I leave prepared so the next session starts doing useful work without the user asking?\n\n## 5. MARK COMPLETE\nWhen ALL of the above is done, run:\nbash -c 'mkdir -p ${NEXO_HOME}/operations && date +%s > ${NEXO_HOME}/operations/.postmortem-complete'\nThe user will close again and the hook will approve.\n\nIMPORTANT: Do NOT say goodbye, do NOT say goodnight or any farewell. Just execute the steps and mark complete."
 }
 HOOKEOF
 fi

package/src/plugins/guard.py

@@ -9,6 +9,12 @@ from datetime import datetime, timedelta
 from db import get_db, find_similar_learnings, extract_keywords
 
 
+SCHEMA_CACHE_PATH = os.path.join(os.path.dirname(os.path.dirname(os.path.abspath(__file__))),
+                                  "nexo-mcp", "schema_cache.json")
+# Fallback: same dir as db
+if not os.path.exists(SCHEMA_CACHE_PATH):
+    SCHEMA_CACHE_PATH = os.path.join(os.path.dirname(os.path.abspath(__file__)), "..", "schema_cache.json")
+
 
 def _load_schema_cache() -> dict:
     """Load cached DB schemas from schema_cache.json."""
@@ -111,8 +117,7 @@ def handle_guard_check(files: str = "", area: str = "", include_schemas: str = "
     ).fetchall()
     for r in rows:
         if r["id"] not in seen_ids:
-            seen_ids.add(r["id"])
-            result["universal_rules"].append({"id": r["id"], "rule": r["title"], "category": r["category"]})
+            result["universal_rules"].append({"id": r["id"], "rule": r["title"]})
 
     # 4. DB schemas if files contain SQL keywords
     if include_schemas_bool and file_list:
@@ -136,42 +141,16 @@ def handle_guard_check(files: str = "", area: str = "", include_schemas: str = "
             elif "cloud_sql" in cache and table in cache["cloud_sql"]:
                 result["schemas"][table] = cache["cloud_sql"][table]
 
-    # 5. Check for blocking rules — two paths:
-    #    (a) 5+ repetitions (existing behavior)
-    #    (b) Learning contains NUNCA/NEVER/PROHIBIDO and matches semantically (aggressive mode)
-    import re
-    BLOCKING_KEYWORDS = re.compile(
-        r'\bNUNCA\b|\bNEVER\b|\bPROHIBIDO\b|\bNO\s+\w+\b|\bFORBIDDEN\b|\bBLOCKING\b|\bSIEMPRE\b|\bALWAYS\b',
-        re.IGNORECASE
-    )
-    # Check both learnings and universal_rules for blocking
-    all_candidates = [(l, "learning") for l in result["learnings"]] + \
-                     [(u, "universal") for u in result["universal_rules"]]
-    blocking_seen = set()
-    for learning, source in all_candidates:
+    # 5. Check for blocking rules (5+ repetitions)
+    for learning in result["learnings"]:
         lid = learning["id"]
-        if lid in blocking_seen:
-            continue
         rep_count = conn.execute(
             "SELECT COUNT(*) as cnt FROM error_repetitions WHERE original_learning_id = ?",
             (lid,)
         ).fetchone()["cnt"]
-
-        # Path (a): 5+ repetitions
         if rep_count >= 5:
-            blocking_seen.add(lid)
             result["blocking_rules"].append({
-                "id": lid, "rule": learning["rule"], "repetitions": rep_count,
-                "reason": "repeated_error"
-            })
-            continue
-
-        # Path (b): Aggressive — learning TITLE contains prohibition keywords
-        if BLOCKING_KEYWORDS.search(learning["rule"]):
-            blocking_seen.add(lid)
-            result["blocking_rules"].append({
-                "id": lid, "rule": learning["rule"], "repetitions": rep_count,
-                "reason": "prohibition_keyword"
+                "id": lid, "rule": learning["rule"], "repetitions": rep_count
             })
 
     # 6. Area repetition rate
@@ -206,6 +185,15 @@ def handle_guard_check(files: str = "", area: str = "", include_schemas: str = "
             cog_top_k = 3
             cog_min_score = 0.65
 
+        # Somatic risk lowers threshold further
+        try:
+            risk_result = cognitive.somatic_get_risk(file_list, area)
+            if risk_result["max_risk"] > 0.5:
+                cog_min_score = min(cog_min_score, 0.4)
+                cog_top_k = max(cog_top_k, 5)
+        except Exception:
+            pass
+
         query_parts = []
         if file_list:
             query_parts.append(f"editing files: {', '.join(file_list[:5])}")
@@ -253,11 +241,7 @@ def handle_guard_check(files: str = "", area: str = "", include_schemas: str = "
     if result["blocking_rules"]:
         lines.append("BLOCKING RULES (resolve BEFORE writing):")
         for r in result["blocking_rules"]:
-            reason = r.get("reason", "repeated_error")
-            if reason == "prohibition_keyword":
-                lines.append(f"  #{r['id']} [PROHIBIT]: {r['rule']}")
-            else:
-                lines.append(f"  #{r['id']} ({r['repetitions']}x repeated): {r['rule']}")
+            lines.append(f"  #{r['id']} ({r['repetitions']}x repeated): {r['rule']}")
         lines.append("")
 
     if result["learnings"]:

package/src/rules/core-rules 2.json

@@ -1,329 +0,0 @@
-{
-  "_meta": {
-    "version": "1.0.0",
-    "description": "NEXO Brain Core System Rules — battle-tested behavioral rules that ship with every installation",
-    "created": "2026-03-26",
-    "source": "Consolidated from 6 months production use + multi-AI debate (Claude Opus + GPT-4o)",
-    "total_rules": 30,
-    "blocking": 25,
-    "advisory": 5
-  },
-  "categories": {
-    "integrity": {
-      "label": "Integrity",
-      "description": "Trust and truthfulness foundations",
-      "rules": [
-        {
-          "id": "I1",
-          "rule": "Never promise without scheduling a followup",
-          "why": "Verbal commitments evaporate. If you say 'I'll handle X', create a followup NOW or it won't happen.",
-          "importance": 5,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "I2",
-          "rule": "Never push to the user what you can resolve yourself",
-          "why": "Install tools, call APIs, write scripts, use the browser. The user's time is the scarcest resource. Only ask when literally impossible.",
-          "importance": 5,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "I3",
-          "rule": "Verify with evidence before claiming done",
-          "why": "Run the check, curl the URL, read the output. 'It should work' is not verification. Never claim a tool was called without calling it.",
-          "importance": 5,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "I4",
-          "rule": "Be honest, not agreeable",
-          "why": "If the approach is wrong, say so. Sycophancy causes compounding errors. An ally says what you need to hear.",
-          "importance": 4,
-          "type": "advisory",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "I5",
-          "rule": "Never assume — verify dates, paths, schemas, state",
-          "why": "Wrong assumptions are the #1 source of production errors. Check the actual value before using it.",
-          "importance": 5,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        }
-      ]
-    },
-    "execution": {
-      "label": "Execution",
-      "description": "How to act correctly and completely",
-      "rules": [
-        {
-          "id": "E1",
-          "rule": "Understand the full system before writing a line",
-          "why": "Trace the data flow end-to-end. Read the code that USES the data. If you can't explain what happens when X is called, you don't understand it yet.",
-          "importance": 5,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "E2",
-          "rule": "Context before action — check learnings, guard, prior decisions",
-          "why": "The system has memory. Use it. Skipping prior context guarantees repeating past mistakes.",
-          "importance": 5,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "E3",
-          "rule": "Task is not complete until documented",
-          "why": "Change log, learning if reusable, followup if needs verification. Undocumented work is lost work for the next session.",
-          "importance": 4,
-          "type": "advisory",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "E4",
-          "rule": "Audit before delivering — write, review, fix, THEN commit",
-          "why": "Self-review catches 80% of errors. Never commit the first draft.",
-          "importance": 4,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "E5",
-          "rule": "If it fails, diagnose root cause — never retry blindly",
-          "why": "Same input produces same output. Change something or understand why before retrying.",
-          "importance": 5,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "E6",
-          "rule": "Resolve the complete thread before stopping",
-          "why": "Don't fix layer 1 and leave layers 2-3 broken. Trace ALL failures in an issue before presenting results.",
-          "importance": 5,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "E7",
-          "rule": "If you can resolve it now with available tools, do it — never defer",
-          "why": "Deferral is hidden delegation to the user's future self. Only create a followup when you genuinely need external input, an event, or future verification.",
-          "importance": 5,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        }
-      ]
-    },
-    "memory": {
-      "label": "Memory & Learning",
-      "description": "How to store, retrieve, and maintain knowledge",
-      "rules": [
-        {
-          "id": "M1",
-          "rule": "Resolved error = registered learning, always",
-          "why": "Without a learning, the same error will be re-investigated from scratch. Learnings prevent re-work.",
-          "importance": 5,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "M2",
-          "rule": "Repeated error with existing learning = worst failure mode",
-          "why": "The system already knew. Failing to check is a discipline failure, not a knowledge gap. Trust erodes fast.",
-          "importance": 5,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "M3",
-          "rule": "Mark completions (followups, reminders) in the SAME turn",
-          "why": "Unmarked completions reappear as pending next session. Mark immediately, not later, not in batch.",
-          "importance": 5,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "M4",
-          "rule": "Only persist what changes future behavior",
-          "why": "Gate at write time: stable preferences, decisions with trade-offs, repeatable errors with prevention, continuation context. Everything else is noise.",
-          "importance": 4,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "M5",
-          "rule": "Log changes immediately after each edit, not at end of session",
-          "why": "Late logging means incomplete context. If the session crashes, the change is undocumented.",
-          "importance": 4,
-          "type": "advisory",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "M6",
-          "rule": "Do not accumulate followup debt",
-          "why": "3+ unresolved followups = context overload. Create or resolve in the same interaction. 'Later' without a date doesn't exist.",
-          "importance": 4,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        }
-      ]
-    },
-    "delegation": {
-      "label": "Delegation",
-      "description": "How to delegate work to subagents safely",
-      "rules": [
-        {
-          "id": "D1",
-          "rule": "Never delegate without a context packet",
-          "why": "Subagents inherit zero session memory. Mandatory: learnings, schemas, guard output, user-stated facts, exit criteria. Without context = guaranteed errors.",
-          "importance": 5,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "D2",
-          "rule": "Entity-specific rules go in per-entity config, never in shared code",
-          "why": "One user's business rule applied globally breaks all other users. Always ask: does this apply to everyone or just one?",
-          "importance": 5,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "D3",
-          "rule": "Subagent responses must be structured and concise (max 2000 chars)",
-          "why": "Large unstructured dumps waste the parent's context window. Results, not process.",
-          "importance": 4,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "D4",
-          "rule": "Select model by task complexity",
-          "why": "Fast model for repetitive/simple tasks, powerful model for reasoning/code. Cost and quality optimization.",
-          "importance": 3,
-          "type": "advisory",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "D5",
-          "rule": "Run guard check for delegated work too — inject into subagent prompt",
-          "why": "Guard only protects what it sees. Delegation bypasses it unless you explicitly inject the results.",
-          "importance": 5,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        }
-      ]
-    },
-    "communication": {
-      "label": "Communication",
-      "description": "How to interact with the user efficiently",
-      "rules": [
-        {
-          "id": "C1",
-          "rule": "Execute, don't narrate",
-          "why": "No 'let me...', 'I'll now...'. Just do it. Narration wastes tokens and attention.",
-          "importance": 4,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "C2",
-          "rule": "Explanation depth proportional to complexity",
-          "why": "Simple change = one line. Architecture decision = full reasoning. Match the weight.",
-          "importance": 3,
-          "type": "advisory",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "C3",
-          "rule": "'Only investigate' means zero file changes",
-          "why": "Explicit boundary. When asked to research, report findings and wait for instructions.",
-          "importance": 5,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "C4",
-          "rule": "Adapt tone to detected emotional state",
-          "why": "Frustration = ultra-concise, zero fluff. Flow = good moment to suggest improvements. Urgency = act immediately. Misalignment breaks trust.",
-          "importance": 4,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        }
-      ]
-    },
-    "proactivity": {
-      "label": "Proactivity & User Protection",
-      "description": "How to be proactive without overstepping",
-      "rules": [
-        {
-          "id": "P1",
-          "rule": "Proactive within policy bounds; reactive outside them",
-          "why": "Act on what you're authorized to do. Ask for what you're not. Prevents both passivity and overreach.",
-          "importance": 5,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "P2",
-          "rule": "Observe silently, modify only when policy allows",
-          "why": "Capture context always. But observing a problem is not permission to fix it. Awareness ≠ action.",
-          "importance": 4,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "P3",
-          "rule": "Never direct imperative verbs at the user when you can act instead",
-          "why": "Every 'go to...', 'open...', 'create...' directed at the user is stolen time. Rewrite with yourself as subject.",
-          "importance": 5,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        },
-        {
-          "id": "P4",
-          "rule": "Blocker resolution: current tools → install → script → API → browser → THEN ask user",
-          "why": "Exhaust all self-help options before escalating. The user is the last resort, not the first.",
-          "importance": 5,
-          "type": "blocking",
-          "added_in": "1.0.0"
-        }
-      ]
-    }
-  },
-  "configurable_settings": [
-    {
-      "key": "autonomy",
-      "default": "balanced",
-      "options": ["conservative", "balanced", "full"],
-      "description": "How much the agent acts without asking"
-    },
-    {
-      "key": "communication",
-      "default": "balanced",
-      "options": ["concise", "balanced", "detailed"],
-      "description": "How much the agent explains"
-    },
-    {
-      "key": "honesty",
-      "default": "firm-pushback",
-      "options": ["firm-pushback", "mention-and-follow", "just-execute"],
-      "description": "How strongly the agent pushes back on bad ideas"
-    },
-    {
-      "key": "proactivity",
-      "default": "suggestive",
-      "options": ["reactive", "suggestive", "proactive"],
-      "description": "How much the agent anticipates needs"
-    },
-    {
-      "key": "error_handling",
-      "default": "brief-fix",
-      "options": ["brief-fix", "explain-and-learn"],
-      "description": "How the agent handles its own mistakes"
-    }
-  ]
-}

package/src/rules/migrate 2.py

@@ -1,207 +0,0 @@
-#!/usr/bin/env python3
-"""NEXO Brain Rules Migration System.
-
-Manages versioned core rules that ship with every installation.
-Handles adding new rules, removing deprecated ones, and updating
-the user's CLAUDE.md without touching their customizations.
-
-Usage:
-    from rules.migrate import migrate_rules
-    result = migrate_rules(nexo_home)  # Returns dict with changes applied
-"""
-
-import json
-import os
-import re
-from pathlib import Path
-from typing import Optional
-
-
-RULES_FILE = os.path.join(os.path.dirname(os.path.abspath(__file__)), "core-rules.json")
-VERSION_KEY = "rules_version"
-
-
-def load_core_rules() -> dict:
-    """Load the current core rules definition."""
-    with open(RULES_FILE, "r") as f:
-        return json.load(f)
-
-
-def get_installed_version(nexo_home: str) -> Optional[str]:
-    """Get the rules version currently installed in the user's NEXO home."""
-    version_file = os.path.join(nexo_home, "brain", "rules_version.json")
-    if not os.path.exists(version_file):
-        return None
-    try:
-        with open(version_file, "r") as f:
-            data = json.load(f)
-        return data.get("version")
-    except (json.JSONDecodeError, KeyError):
-        return None
-
-
-def save_installed_version(nexo_home: str, version: str, rule_ids: list[str]):
-    """Record which rules version and rule IDs are installed."""
-    version_file = os.path.join(nexo_home, "brain", "rules_version.json")
-    os.makedirs(os.path.dirname(version_file), exist_ok=True)
-    data = {
-        "version": version,
-        "installed_rule_ids": rule_ids,
-        "installed_at": _now_iso(),
-    }
-    with open(version_file, "w") as f:
-        json.dump(data, f, indent=2)
-
-
-def get_installed_rule_ids(nexo_home: str) -> list[str]:
-    """Get the list of rule IDs currently installed."""
-    version_file = os.path.join(nexo_home, "brain", "rules_version.json")
-    if not os.path.exists(version_file):
-        return []
-    try:
-        with open(version_file, "r") as f:
-            data = json.load(f)
-        return data.get("installed_rule_ids", [])
-    except (json.JSONDecodeError, KeyError):
-        return []
-
-
-def generate_rules_markdown(rules_data: dict) -> str:
-    """Generate the Operational Codex markdown from core-rules.json."""
-    lines = [
-        "## Operational Codex (NON-NEGOTIABLE)",
-        "",
-        "These rules are the behavioral foundation of every cognitive co-operator.",
-        "They are derived from real production failures and validated through multi-AI debate.",
-        f"Rules version: {rules_data['_meta']['version']}",
-        "",
-    ]
-
-    for cat_key, cat in rules_data["categories"].items():
-        lines.append(f"### {cat['label']}")
-        lines.append("")
-        for rule in cat["rules"]:
-            tag = "BLOCKING" if rule["type"] == "blocking" else "ADVISORY"
-            lines.append(f"**{rule['id']}. {rule['rule']}** [{tag}]")
-            lines.append(f"_{rule['why']}_")
-            lines.append("")
-
-    return "\n".join(lines)
-
-
-def find_codex_section(claude_md: str) -> tuple[int, int]:
-    """Find the start and end positions of the Operational Codex section in CLAUDE.md."""
-    # Look for the section header
-    start_pattern = r"## Operational Codex \(NON-NEGOTIABLE\)"
-    start_match = re.search(start_pattern, claude_md)
-    if not start_match:
-        return (-1, -1)
-
-    start = start_match.start()
-
-    # Find the next ## section header after the codex
-    rest = claude_md[start_match.end():]
-    next_section = re.search(r"\n## [A-Z]", rest)
-    if next_section:
-        end = start_match.end() + next_section.start()
-    else:
-        end = len(claude_md)
-
-    return (start, end)
-
-
-def migrate_rules(nexo_home: str, dry_run: bool = False) -> dict:
-    """Migrate rules to the latest version.
-
-    Compares installed rules version with current core-rules.json.
-    Adds new rules, removes deprecated ones, updates CLAUDE.md.
-
-    Args:
-        nexo_home: Path to NEXO home directory
-        dry_run: If True, show what would change without applying
-
-    Returns:
-        Dict with: version_from, version_to, added, removed, unchanged, dry_run
-    """
-    rules_data = load_core_rules()
-    current_version = rules_data["_meta"]["version"]
-    installed_version = get_installed_version(nexo_home)
-    installed_ids = set(get_installed_rule_ids(nexo_home))
-
-    # Collect all rule IDs from current version
-    current_ids = set()
-    for cat in rules_data["categories"].values():
-        for rule in cat["rules"]:
-            current_ids.add(rule["id"])
-
-    # Calculate diff
-    added = current_ids - installed_ids if installed_ids else current_ids
-    removed = installed_ids - current_ids if installed_ids else set()
-    unchanged = current_ids & installed_ids if installed_ids else set()
-
-    result = {
-        "version_from": installed_version or "none",
-        "version_to": current_version,
-        "added": sorted(added),
-        "removed": sorted(removed),
-        "unchanged": sorted(unchanged),
-        "total_rules": len(current_ids),
-        "dry_run": dry_run,
-    }
-
-    if installed_version == current_version and not added and not removed:
-        result["status"] = "up_to_date"
-        return result
-
-    if dry_run:
-        result["status"] = "changes_pending"
-        return result
-
-    # Apply: update the Operational Codex section in CLAUDE.md
-    claude_md_path = os.path.join(nexo_home, "CLAUDE.md")
-    if os.path.exists(claude_md_path):
-        with open(claude_md_path, "r") as f:
-            claude_md = f.read()
-
-        new_codex = generate_rules_markdown(rules_data)
-        start, end = find_codex_section(claude_md)
-
-        if start >= 0:
-            # Replace existing codex section
-            claude_md = claude_md[:start] + new_codex + "\n" + claude_md[end:]
-        else:
-            # Append codex after the first section
-            # Find the end of the first ## section
-            first_section_end = re.search(r"\n## ", claude_md[10:])
-            if first_section_end:
-                insert_pos = 10 + first_section_end.start()
-                claude_md = claude_md[:insert_pos] + "\n\n" + new_codex + "\n" + claude_md[insert_pos:]
-            else:
-                claude_md += "\n\n" + new_codex
-
-        with open(claude_md_path, "w") as f:
-            f.write(claude_md)
-
-    # Save version record
-    save_installed_version(nexo_home, current_version, sorted(current_ids))
-
-    result["status"] = "migrated"
-    return result
-
-
-def _now_iso() -> str:
-    from datetime import datetime
-    return datetime.utcnow().isoformat() + "Z"
-
-
-if __name__ == "__main__":
-    import sys
-    if len(sys.argv) < 2:
-        print("Usage: python migrate.py <nexo_home> [--dry-run]")
-        sys.exit(1)
-
-    home = sys.argv[1]
-    dry = "--dry-run" in sys.argv
-
-    result = migrate_rules(home, dry_run=dry)
-    print(json.dumps(result, indent=2))

package/src/scripts/nexo-watchdog.sh

@@ -1,645 +0,0 @@
-#!/bin/bash
-# ============================================================================
-# NEXO Watchdog — Health monitor with two-level auto-repair
-# ============================================================================
-# Monitors all NEXO core LaunchAgents, cron jobs, and infrastructure.
-# Level 1: Mechanical repair (launchctl bootstrap/kickstart, chmod)
-# Level 2: Launches NEXO CLI for intelligent diagnosis and fix
-#
-# Install: Add to LaunchAgents for periodic execution (every 5 min recommended)
-# ============================================================================
-set -uo pipefail
-
-# === PATHS ===
-HOME_DIR="$HOME"
-NEXO_DIR="$HOME_DIR/claude/nexo-mcp"
-OPS_DIR="$HOME_DIR/claude/operations"
-LOG_DIR="$HOME_DIR/claude/logs"
-LOG="$LOG_DIR/watchdog.log"
-STATUS_JSON="$OPS_DIR/watchdog-status.json"
-REPORT_TXT="$OPS_DIR/watchdog-report.txt"
-ALERT_FILE="$OPS_DIR/.watchdog-alert"
-FAIL_COUNT_FILE="$HOME_DIR/claude/scripts/.watchdog-fails"
-MAX_FAILS=3
-
-mkdir -p "$LOG_DIR" "$OPS_DIR"
-
-TS=$(date "+%Y-%m-%d %H:%M:%S")
-TS_EPOCH=$(date +%s)
-
-log() { echo "[$TS] $1" >> "$LOG"; }
-
-# ============================================================================
-# HELPER FUNCTIONS
-# ============================================================================
-
-UID_NUM=$(id -u)
-REPAIR_LOG="$LOG_DIR/watchdog-repairs.log"
-TOTAL_HEALED=0
-
-log_repair() { echo "[$TS] REPAIR: $1" >> "$REPAIR_LOG"; log "REPAIR: $1"; }
-
-is_loaded() {
-  launchctl list "$1" &>/dev/null
-}
-
-file_age() {
-  if [ -f "$1" ]; then
-    local mod_epoch
-    # macOS: stat -f %m, Linux: stat -c %Y
-    mod_epoch=$(stat -f %m "$1" 2>/dev/null || stat -c %Y "$1" 2>/dev/null || echo 0)
-    echo $(( TS_EPOCH - mod_epoch ))
-  else
-    echo 999999
-  fi
-}
-
-format_age() {
-  local secs=$1
-  if [ "$secs" -ge 999999 ]; then
-    echo "never"
-  elif [ "$secs" -ge 86400 ]; then
-    echo "$((secs / 86400))d $((secs % 86400 / 3600))h ago"
-  elif [ "$secs" -ge 3600 ]; then
-    echo "$((secs / 3600))h $((secs % 3600 / 60))m ago"
-  elif [ "$secs" -ge 60 ]; then
-    echo "$((secs / 60))m ago"
-  else
-    echo "${secs}s ago"
-  fi
-}
-
-check_errors() {
-  local logfile="$1"
-  if [ -f "$logfile" ] && [ -s "$logfile" ]; then
-    tail -50 "$logfile" 2>/dev/null | grep -cE "$ERROR_PATTERNS" 2>/dev/null || echo 0
-  else
-    echo 0
-  fi
-}
-
-process_running() {
-  if [ -n "$1" ]; then
-    pgrep -f "$1" > /dev/null 2>&1
-  else
-    return 1
-  fi
-}
-
-json_escape() {
-  echo "$1" | sed 's/\\/\\\\/g; s/"/\\"/g; s/	/ /g' | tr '\n' ' '
-}
-
-# ============================================================================
-# AUTO-REPAIR FUNCTIONS
-# ============================================================================
-
-try_repair_launchagent() {
-  local plist_id="$1"
-  local proc_grep="$2"
-  local plist_file="$HOME_DIR/Library/LaunchAgents/${plist_id}.plist"
-
-  # Repair 1: Not loaded — try to bootstrap
-  if ! is_loaded "$plist_id"; then
-    if [ -f "$plist_file" ]; then
-      launchctl bootstrap "gui/$UID_NUM" "$plist_file" 2>/dev/null
-      sleep 1
-      if is_loaded "$plist_id"; then
-        log_repair "$plist_id: bootstrapped successfully"
-        return 0
-      fi
-    fi
-    return 1
-  fi
-
-  # Repair 2: Loaded but process not running (KeepAlive) — kickstart
-  if [ -n "$proc_grep" ] && ! process_running "$proc_grep"; then
-    launchctl kickstart "gui/$UID_NUM/$plist_id" 2>/dev/null
-    sleep 2
-    if process_running "$proc_grep"; then
-      log_repair "$plist_id: kickstarted process '$proc_grep'"
-      return 0
-    fi
-  fi
-
-  return 1
-}
-
-try_repair_cron() {
-  local script="$1"
-
-  if [ -f "$script" ] && [ ! -x "$script" ]; then
-    chmod +x "$script"
-    if [ -x "$script" ]; then
-      log_repair "$script: made executable"
-      return 0
-    fi
-  fi
-
-  return 1
-}
-
-try_repair_backup() {
-  local backup_script="$NEXO_DIR/backup_cron.sh"
-  if [ -x "$backup_script" ]; then
-    "$backup_script" 2>/dev/null
-    sleep 1
-    local newest
-    newest=$(ls -t "$NEXO_DIR/backups/nexo-"*.db 2>/dev/null | head -1)
-    if [ -n "$newest" ]; then
-      local age
-      age=$(file_age "$newest")
-      if [ "$age" -lt 60 ]; then
-        log_repair "backup_cron.sh: ran successfully, fresh backup created"
-        return 0
-      fi
-    fi
-  fi
-  return 1
-}
-
-# ============================================================================
-# MONITOR REGISTRY — NEXO Core Services
-# ============================================================================
-# Format: NAME|PLIST_ID|LOG_STDOUT|LOG_STDERR|MAX_STALE_SECS|PROCESS_GREP|SCHEDULE_DESC
-#
-# Users can add custom monitors in ~/claude/config/watchdog-monitors.conf
-# (same format, one per line, # for comments)
-# ============================================================================
-MONITORS=(
-  "Auto-Close Sessions|com.nexo.auto-close-sessions|$HOME_DIR/claude/coordination/auto-close-stdout.log|$HOME_DIR/claude/coordination/auto-close-stderr.log|900||Every 5 min"
-  "Catchup|com.nexo.catchup|$HOME_DIR/claude/logs/catchup-stdout.log|$HOME_DIR/claude/logs/catchup-stderr.log|0||RunAtLoad once"
-  "Cognitive Decay|com.nexo.cognitive-decay|$HOME_DIR/claude/logs/cognitive-decay-stdout.log|$HOME_DIR/claude/logs/cognitive-decay-stderr.log|90000||Daily 3:00 AM"
-  "Evolution|com.nexo.evolution|$HOME_DIR/claude/logs/evolution-stdout.log|$HOME_DIR/claude/logs/evolution-stderr.log|0||Weekly Sun 3:00 AM"
-  "GitHub Monitor|com.nexo.github-monitor|$HOME_DIR/claude/logs/github-monitor-stdout.log|$HOME_DIR/claude/logs/github-monitor-stderr.log|90000||Daily 8:00 AM"
-  "Immune|com.nexo.immune|$HOME_DIR/claude/coordination/immune-stdout.log|$HOME_DIR/claude/coordination/immune-stderr.log|3600||Every 30 min"
-  "Postmortem|com.nexo.postmortem|$HOME_DIR/claude/logs/postmortem-stdout.log|$HOME_DIR/claude/logs/postmortem-stderr.log|90000||Daily 23:30"
-  "Prevent Sleep|com.nexo.prevent-sleep|||0|caffeinate|KeepAlive"
-  "Self Audit|com.nexo.self-audit|$HOME_DIR/claude/logs/self-audit-stdout.log|$HOME_DIR/claude/logs/self-audit-stderr.log|90000||Daily 7:00 AM"
-  "Sleep|com.nexo.sleep|$HOME_DIR/claude/coordination/sleep-stdout.log|$HOME_DIR/claude/coordination/sleep-stderr.log|90000||Daily 4:00 AM"
-  "Synthesis|com.nexo.synthesis|$HOME_DIR/claude/coordination/synthesis-stdout.log|$HOME_DIR/claude/coordination/synthesis-stderr.log|10800||Every 2 hours"
-)
-
-# Load user-defined monitors if file exists
-USER_MONITORS_FILE="$HOME_DIR/claude/config/watchdog-monitors.conf"
-if [ -f "$USER_MONITORS_FILE" ]; then
-  while IFS= read -r line; do
-    [[ "$line" =~ ^[[:space:]]*# ]] && continue
-    [[ -z "$line" ]] && continue
-    MONITORS+=("$line")
-  done < "$USER_MONITORS_FILE"
-fi
-
-# Cron jobs to check (NAME|SCRIPT|CHECK_PATH|MAX_STALE_SECS|SCHEDULE)
-CRON_MONITORS=(
-  "Backup Cron|$NEXO_DIR/backup_cron.sh|$NEXO_DIR/backups/|7200|Hourly"
-)
-
-# Error patterns to search in stderr logs (last 50 lines)
-ERROR_PATTERNS="Traceback|Error:|CRITICAL|FATAL|ModuleNotFoundError|PermissionError|FileNotFoundError|ConnectionRefused|Errno"
-
-# ============================================================================
-# RUN CHECKS
-# ============================================================================
-
-TOTAL_PASS=0
-TOTAL_WARN=0
-TOTAL_FAIL=0
-JSON_AGENTS=""
-REPORT_LINES=""
-FAILED_MONITORS=()  # Track failed monitors for Level 2 repair
-
-for monitor in "${MONITORS[@]}"; do
-  [[ "$monitor" =~ ^[[:space:]]*# ]] && continue
-  IFS='|' read -r name plist_id log_stdout log_stderr max_stale proc_grep schedule <<< "$monitor"
-
-  status="PASS"
-  details=""
-  loaded="unknown"
-  stale_age="n/a"
-  error_count=0
-  proc_alive="n/a"
-
-  # Check 1: LaunchAgent loaded?
-  if is_loaded "$plist_id"; then
-    loaded="yes"
-  else
-    loaded="no"
-    if try_repair_launchagent "$plist_id" "$proc_grep"; then
-      loaded="yes"
-      status="HEALED"
-      details="${details}Self-healed: bootstrapped. "
-      TOTAL_HEALED=$((TOTAL_HEALED + 1))
-    else
-      status="FAIL"
-      details="${details}Not loaded in launchctl (repair failed). "
-    fi
-  fi
-
-  # Check 2: Process alive? (only for KeepAlive / long-running)
-  if [ -n "$proc_grep" ]; then
-    if process_running "$proc_grep"; then
-      proc_alive="yes"
-    else
-      proc_alive="no"
-      if [ "$status" != "FAIL" ] && [ "$status" != "HEALED" ]; then
-        if try_repair_launchagent "$plist_id" "$proc_grep"; then
-          proc_alive="yes"
-          status="HEALED"
-          details="${details}Self-healed: kickstarted. "
-          TOTAL_HEALED=$((TOTAL_HEALED + 1))
-        else
-          status="WARN"
-          details="${details}Process '$proc_grep' not running (repair failed). "
-        fi
-      elif [ "$status" = "HEALED" ]; then
-        sleep 1
-        if process_running "$proc_grep"; then
-          proc_alive="yes"
-        else
-          details="${details}Process '$proc_grep' still not running after bootstrap. "
-        fi
-      fi
-    fi
-  fi
-
-  # Check 3: Log staleness
-  if [ -n "$log_stdout" ] && [ "$max_stale" -gt 0 ]; then
-    age=$(file_age "$log_stdout")
-    stale_age=$(format_age "$age")
-    if [ "$age" -gt $(( max_stale * 3 )) ]; then
-      status="FAIL"
-      details="${details}Log stale: $stale_age (limit: $(format_age "$max_stale")). "
-    elif [ "$age" -gt "$max_stale" ]; then
-      [ "$status" = "PASS" ] && status="WARN"
-      details="${details}Log slightly stale: $stale_age. "
-    fi
-  elif [ -n "$log_stdout" ]; then
-    if [ -f "$log_stdout" ]; then
-      age=$(file_age "$log_stdout")
-      stale_age=$(format_age "$age")
-    else
-      stale_age="no log file"
-    fi
-  fi
-
-  # Check 4: Errors in stderr log
-  if [ -n "$log_stderr" ]; then
-    error_count=$(check_errors "$log_stderr")
-    if [ "$error_count" -gt 5 ]; then
-      [ "$status" = "PASS" ] && status="WARN"
-      details="${details}${error_count} errors in recent stderr. "
-    fi
-  fi
-
-  [ -z "$details" ] && details="All checks passed"
-
-  case "$status" in
-    PASS|HEALED) TOTAL_PASS=$((TOTAL_PASS + 1)) ;;
-    WARN) TOTAL_WARN=$((TOTAL_WARN + 1)) ;;
-    FAIL)
-      TOTAL_FAIL=$((TOTAL_FAIL + 1))
-      FAILED_MONITORS+=("${name}|${plist_id}|${log_stdout}|${log_stderr}|${proc_grep}|${schedule}|${details}")
-      ;;
-  esac
-
-  # JSON
-  escaped_details=$(json_escape "$details")
-  json_item="    {\"name\":\"$name\",\"plist\":\"$plist_id\",\"status\":\"$status\",\"loaded\":\"$loaded\",\"process\":\"$proc_alive\",\"last_activity\":\"$stale_age\",\"stderr_errors\":$error_count,\"schedule\":\"$schedule\",\"details\":\"$escaped_details\"}"
-  [ -n "$JSON_AGENTS" ] && JSON_AGENTS="${JSON_AGENTS},
-${json_item}" || JSON_AGENTS="$json_item"
-
-  # Report
-  case "$status" in
-    PASS) icon="PASS" ;; HEALED) icon="HEAL" ;; WARN) icon="WARN" ;; FAIL) icon="FAIL" ;; *) icon="????" ;;
-  esac
-  REPORT_LINES="${REPORT_LINES}  [${icon}] ${name} (${schedule})
-         Loaded: ${loaded} | Process: ${proc_alive} | Last: ${stale_age} | Errors: ${error_count}
-         ${details}
-"
-done
-
-# --- Cron job checks ---
-CRON_JSON=""
-CRON_REPORT=""
-for cron_entry in "${CRON_MONITORS[@]}"; do
-  IFS='|' read -r name script check_path max_stale schedule <<< "$cron_entry"
-
-  c_status="PASS"
-  c_details=""
-  age_str="n/a"
-
-  if [ ! -x "$script" ]; then
-    if try_repair_cron "$script"; then
-      c_status="HEALED"
-      c_details="Self-healed: made executable. "
-      TOTAL_HEALED=$((TOTAL_HEALED + 1))
-    else
-      c_status="FAIL"
-      c_details="Script not executable or missing (repair failed). "
-    fi
-  fi
-
-  if [ -d "$check_path" ]; then
-    newest=$(ls -t "$check_path" 2>/dev/null | head -1)
-    if [ -n "$newest" ]; then
-      age=$(file_age "${check_path}${newest}")
-      age_str=$(format_age "$age")
-      if [ "$age" -gt $(( max_stale * 3 )) ]; then
-        c_status="FAIL"
-        c_details="${c_details}Output stale: $age_str. "
-      elif [ "$age" -gt "$max_stale" ]; then
-        [ "$c_status" = "PASS" ] && c_status="WARN"
-        c_details="${c_details}Output slightly stale: $age_str. "
-      fi
-    else
-      c_status="WARN"
-      c_details="${c_details}No output files found. "
-      age_str="no files"
-    fi
-  elif [ -f "$check_path" ]; then
-    age=$(file_age "$check_path")
-    age_str=$(format_age "$age")
-    if [ "$age" -gt $(( max_stale * 3 )) ]; then
-      c_status="FAIL"
-      c_details="${c_details}Output stale: $age_str. "
-    elif [ "$age" -gt "$max_stale" ]; then
-      [ "$c_status" = "PASS" ] && c_status="WARN"
-      c_details="${c_details}Output slightly stale: $age_str. "
-    fi
-  fi
-
-  [ -z "$c_details" ] && c_details="All checks passed"
-
-  case "$c_status" in
-    PASS|HEALED) TOTAL_PASS=$((TOTAL_PASS + 1)) ;;
-    WARN) TOTAL_WARN=$((TOTAL_WARN + 1)) ;;
-    FAIL) TOTAL_FAIL=$((TOTAL_FAIL + 1)) ;;
-  esac
-
-  escaped_details=$(json_escape "$c_details")
-  cron_item="    {\"name\":\"$name\",\"script\":\"$script\",\"status\":\"$c_status\",\"last_output\":\"$age_str\",\"schedule\":\"$schedule\",\"details\":\"$escaped_details\"}"
-  [ -n "$CRON_JSON" ] && CRON_JSON="${CRON_JSON},
-${cron_item}" || CRON_JSON="$cron_item"
-
-  case "$c_status" in
-    PASS) icon="PASS" ;; HEALED) icon="HEAL" ;; WARN) icon="WARN" ;; FAIL) icon="FAIL" ;; *) icon="????" ;;
-  esac
-  CRON_REPORT="${CRON_REPORT}  [${icon}] ${name} (${schedule})
-         Last output: ${age_str}
-         ${c_details}
-"
-done
-
-# ============================================================================
-# INFRASTRUCTURE CHECKS
-# ============================================================================
-
-# --- SQLite integrity ---
-SQLITE_STATUS="PASS"
-SQLITE_DETAIL=""
-INTEGRITY=$(sqlite3 "$NEXO_DIR/nexo.db" "PRAGMA integrity_check;" 2>/dev/null || echo "CORRUPT")
-if [ "$INTEGRITY" != "ok" ]; then
-  SQLITE_STATUS="FAIL"
-  SQLITE_DETAIL="Integrity check: $INTEGRITY"
-  log "CRITICAL: SQLite integrity check failed: $INTEGRITY"
-  TOTAL_FAIL=$((TOTAL_FAIL + 1))
-  # Save corrupt copy before restoring
-  cp "$NEXO_DIR/nexo.db" "$NEXO_DIR/nexo.db.corrupt.$(date +%s)" 2>/dev/null
-  LATEST_BACKUP=$(ls -t "$NEXO_DIR/backups/nexo-"*.db 2>/dev/null | head -1)
-  if [ -n "$LATEST_BACKUP" ]; then
-    cp "$LATEST_BACKUP" "$NEXO_DIR/nexo.db"
-    log "RESTORED from $LATEST_BACKUP"
-    SQLITE_DETAIL="${SQLITE_DETAIL}. Restored from backup."
-  fi
-else
-  SQLITE_DETAIL="Integrity OK"
-  TOTAL_PASS=$((TOTAL_PASS + 1))
-fi
-
-# --- Cognitive DB check ---
-COG_STATUS="PASS"
-COG_DETAIL=""
-COG_DB="$NEXO_DIR/cognitive.db"
-if [ -f "$COG_DB" ]; then
-  COG_INT=$(sqlite3 "$COG_DB" "PRAGMA integrity_check;" 2>/dev/null || echo "CORRUPT")
-  if [ "$COG_INT" != "ok" ]; then
-    COG_STATUS="FAIL"
-    COG_DETAIL="Cognitive DB integrity: $COG_INT"
-    TOTAL_FAIL=$((TOTAL_FAIL + 1))
-  else
-    COG_DETAIL="Integrity OK"
-    TOTAL_PASS=$((TOTAL_PASS + 1))
-  fi
-else
-  COG_STATUS="WARN"
-  COG_DETAIL="cognitive.db not found"
-  TOTAL_WARN=$((TOTAL_WARN + 1))
-fi
-
-# --- Backup freshness ---
-BACKUP_STATUS="PASS"
-BACKUP_DETAIL=""
-LATEST_BACKUP=$(ls -t "$NEXO_DIR/backups/nexo-"*.db 2>/dev/null | head -1)
-if [ -n "$LATEST_BACKUP" ]; then
-  BACKUP_AGE=$(file_age "$LATEST_BACKUP")
-  BACKUP_AGE_STR=$(format_age "$BACKUP_AGE")
-  if [ "$BACKUP_AGE" -gt 7200 ]; then
-    if try_repair_backup; then
-      BACKUP_STATUS="HEALED"
-      BACKUP_DETAIL="Self-healed: backup was stale ($BACKUP_AGE_STR), ran fresh backup"
-      TOTAL_HEALED=$((TOTAL_HEALED + 1))
-      TOTAL_PASS=$((TOTAL_PASS + 1))
-    else
-      BACKUP_STATUS="WARN"
-      BACKUP_DETAIL="Last backup: $BACKUP_AGE_STR (>2h, repair failed)"
-      TOTAL_WARN=$((TOTAL_WARN + 1))
-    fi
-  else
-    BACKUP_DETAIL="Last backup: $BACKUP_AGE_STR"
-    TOTAL_PASS=$((TOTAL_PASS + 1))
-  fi
-else
-  BACKUP_STATUS="FAIL"
-  BACKUP_DETAIL="No backups found"
-  TOTAL_FAIL=$((TOTAL_FAIL + 1))
-fi
-
-# ============================================================================
-# WRITE JSON STATUS
-# ============================================================================
-TOTAL=$((TOTAL_PASS + TOTAL_WARN + TOTAL_FAIL))
-OVERALL="PASS"
-[ "$TOTAL_WARN" -gt 0 ] && OVERALL="WARN"
-[ "$TOTAL_FAIL" -gt 0 ] && OVERALL="FAIL"
-
-cat > "$STATUS_JSON" <<JSONEOF
-{
-  "timestamp": "$TS",
-  "summary": {
-    "total": $TOTAL,
-    "pass": $TOTAL_PASS,
-    "warn": $TOTAL_WARN,
-    "fail": $TOTAL_FAIL,
-    "healed": $TOTAL_HEALED,
-    "overall": "$OVERALL"
-  },
-  "launch_agents": [
-$JSON_AGENTS
-  ],
-  "cron_jobs": [
-$CRON_JSON
-  ],
-  "infrastructure": {
-    "sqlite": {"status": "$SQLITE_STATUS", "detail": "$(json_escape "$SQLITE_DETAIL")"},
-    "cognitive_db": {"status": "$COG_STATUS", "detail": "$(json_escape "$COG_DETAIL")"},
-    "backups": {"status": "$BACKUP_STATUS", "detail": "$(json_escape "$BACKUP_DETAIL")"}
-  }
-}
-JSONEOF
-
-# ============================================================================
-# WRITE HUMAN-READABLE REPORT
-# ============================================================================
-cat > "$REPORT_TXT" <<REPORTEOF
-======================================================
-  NEXO WATCHDOG REPORT — $TS
-======================================================
-  PASS: $TOTAL_PASS  |  HEALED: $TOTAL_HEALED  |  WARN: $TOTAL_WARN  |  FAIL: $TOTAL_FAIL  |  TOTAL: $TOTAL
-  OVERALL: $OVERALL
-======================================================
-
--- LaunchAgents (${#MONITORS[@]}) ---------------------
-$REPORT_LINES
--- Cron Jobs ------------------------------------------
-$CRON_REPORT
--- Infrastructure -------------------------------------
-  [$SQLITE_STATUS] SQLite nexo.db: $SQLITE_DETAIL
-  [$COG_STATUS] Cognitive DB: $COG_DETAIL
-  [$BACKUP_STATUS] Backups: $BACKUP_DETAIL
-
--- End of Report --------------------------------------
-REPORTEOF
-
-# ============================================================================
-# ALERT FILE
-# ============================================================================
-if [ "$TOTAL_FAIL" -gt 0 ]; then
-  {
-    echo "timestamp=$TS"
-    echo "fail_count=$TOTAL_FAIL"
-    echo "warn_count=$TOTAL_WARN"
-    echo "failures:"
-    grep '\[FAIL\]' "$REPORT_TXT" | head -10 | sed 's/^/  /'
-  } > "$ALERT_FILE"
-  log "ALERT: $TOTAL_FAIL failures detected"
-else
-  rm -f "$ALERT_FILE"
-fi
-
-# ============================================================================
-# CONSECUTIVE FAILURE TRACKING
-# ============================================================================
-FAILS=$(cat "$FAIL_COUNT_FILE" 2>/dev/null || echo 0)
-if [ "$TOTAL_FAIL" -gt 0 ]; then
-  FAILS=$((FAILS + 1))
-  echo "$FAILS" > "$FAIL_COUNT_FILE"
-  if [ "$FAILS" -ge "$MAX_FAILS" ]; then
-    log "ALERT: $FAILS consecutive runs with failures"
-  fi
-else
-  echo "0" > "$FAIL_COUNT_FILE"
-fi
-
-# ============================================================================
-# LEVEL 2 AUTO-REPAIR: Launch NEXO for intelligent diagnosis
-# ============================================================================
-REPAIR_LOCK="$HOME_DIR/claude/scripts/.watchdog-nexo-repair.lock"
-REPAIR_COOLDOWN=1800  # 30 min between NEXO repair attempts
-
-if [ "$TOTAL_FAIL" -gt 0 ]; then
-  LOCK_AGE=999999
-  SKIP_REPAIR=false
-  if [ -f "$REPAIR_LOCK" ]; then
-    LOCK_AGE=$(file_age "$REPAIR_LOCK")
-    if [ "$LOCK_AGE" -lt "$REPAIR_COOLDOWN" ]; then
-      log "NEXO repair skipped: cooldown (${LOCK_AGE}s < ${REPAIR_COOLDOWN}s)"
-      SKIP_REPAIR=true
-    fi
-  fi
-
-  if ! $SKIP_REPAIR; then
-    # Collect failure details from tracked FAILED_MONITORS array
-    FAIL_DETAILS=""
-    for failed in "${FAILED_MONITORS[@]}"; do
-      IFS='|' read -r m_name m_plist m_stdout m_stderr m_proc m_sched m_details <<< "$failed"
-      STDERR_TAIL=""
-      if [ -n "$m_stderr" ] && [ -f "$m_stderr" ]; then
-        STDERR_TAIL=$(tail -20 "$m_stderr" 2>/dev/null | head -20)
-      fi
-      STDOUT_TAIL=""
-      if [ -n "$m_stdout" ] && [ -f "$m_stdout" ]; then
-        STDOUT_TAIL=$(tail -10 "$m_stdout" 2>/dev/null | head -10)
-      fi
-      FAIL_DETAILS="${FAIL_DETAILS}
---- ${m_name} (${m_plist}) ---
-Schedule: ${m_sched}
-Failure reason: ${m_details}
-Plist: ~/Library/LaunchAgents/${m_plist}.plist
-Process grep: ${m_proc}
-Stderr (last 20 lines):
-${STDERR_TAIL}
-Stdout (last 10 lines):
-${STDOUT_TAIL}
-"
-    done
-
-    if [ -n "$FAIL_DETAILS" ]; then
-      touch "$REPAIR_LOCK"
-      log "Launching NEXO Level 2 repair..."
-
-      REPAIR_PROMPT_FILE=$(mktemp /tmp/nexo-repair-XXXXXX.txt)
-      cat > "$REPAIR_PROMPT_FILE" <<NEXOPROMPT
-WATCHDOG LEVEL 2 REPAIR — Automated diagnostic session.
-
-The watchdog detected services that failed mechanical repair (launchctl bootstrap/kickstart).
-Your job: diagnose the root cause and fix it. Do NOT ask the user anything — resolve autonomously.
-
-FAILURES:
-${FAIL_DETAILS}
-
-STEPS:
-1. Read the plist file to understand the service configuration
-2. Check stderr/stdout logs for the actual error
-3. Fix the root cause (missing file, bad config, dependency issue, etc.)
-4. Reload the service and verify it is running
-5. Log what you did to ~/claude/logs/watchdog-repair-result.log
-
-CONSTRAINTS:
-- Do NOT modify CLAUDE.md or any protected file
-- Do NOT start interactive conversations
-- Keep it under 5 minutes
-- Log what you did to ~/claude/logs/watchdog-repair-result.log
-NEXOPROMPT
-
-      # Find claude CLI (may not be in PATH for cron/LaunchAgent)
-      CLAUDE_BIN=$(command -v claude 2>/dev/null || echo "$HOME_DIR/.claude/local/bin/claude")
-      if [ ! -x "$CLAUDE_BIN" ]; then
-        CLAUDE_BIN=$(find /usr/local/bin /opt/homebrew/bin "$HOME_DIR/.local/bin" "$HOME_DIR/.npm-global/bin" -name claude -type f 2>/dev/null | head -1)
-      fi
-
-      if [ -n "$CLAUDE_BIN" ] && [ -x "$CLAUDE_BIN" ]; then
-        nohup bash -c "\"$CLAUDE_BIN\" --print --dangerously-skip-permissions -p \"\$(cat '$REPAIR_PROMPT_FILE')\" >> '$LOG_DIR/watchdog-nexo-repair.log' 2>&1; rm -f '$REPAIR_PROMPT_FILE'" &
-        log "NEXO repair launched (PID: $!)"
-      else
-        log "NEXO repair ABORTED: claude CLI not found in PATH"
-        rm -f "$REPAIR_PROMPT_FILE"
-      fi
-    fi
-  fi
-fi
-
-# ============================================================================
-# LOG SUMMARY
-# ============================================================================
-log "Complete: PASS=$TOTAL_PASS HEALED=$TOTAL_HEALED WARN=$TOTAL_WARN FAIL=$TOTAL_FAIL"