nexo-brain 2.3.0 → 2.3.2

package/src/scripts/nexo-watchdog 2.sh

@@ -1,878 +0,0 @@
-#!/bin/bash
-# ============================================================================
-# NEXO Watchdog — Comprehensive health monitor for all NEXO services
-# Cron: */5 * * * * NEXO_HOME/scripts/nexo-watchdog.sh
-# ============================================================================
-# Monitors ALL LaunchAgents, cron jobs, and background processes.
-# Outputs: watchdog-status.json (machine), watchdog-report.txt (human),
-#          .watchdog-alert (if any FAIL detected)
-# ============================================================================
-set -uo pipefail
-
-# === PATHS ===
-HOME_DIR="$HOME"
-NEXO_HOME="${NEXO_HOME:-$HOME/.nexo}"
-NEXO_DIR="$NEXO_HOME"
-CORTEX_DIR="$NEXO_HOME/brain"
-OPS_DIR="$NEXO_HOME/operations"
-LOG_DIR="$NEXO_HOME/logs"
-LOG="$LOG_DIR/watchdog.log"
-STATUS_JSON="$OPS_DIR/watchdog-status.json"
-REPORT_TXT="$OPS_DIR/watchdog-report.txt"
-ALERT_FILE="$OPS_DIR/.watchdog-alert"
-HASH_REGISTRY="$NEXO_HOME/scripts/.watchdog-hashes"
-FAIL_COUNT_FILE="$NEXO_HOME/scripts/.watchdog-fails"
-MAX_FAILS=3
-
-mkdir -p "$LOG_DIR" "$OPS_DIR"
-
-TS=$(date "+%Y-%m-%d %H:%M:%S")
-TS_EPOCH=$(date +%s)
-
-log() { echo "[$TS] $1" >> "$LOG"; }
-
-# ============================================================================
-# MONITOR REGISTRY — Add new monitors here
-# ============================================================================
-# Format: NAME|PLIST_ID|LOG_STDOUT|LOG_STDERR|MAX_STALE_SECS|PROCESS_GREP|SCHEDULE_DESC
-#
-# MAX_STALE_SECS: how old stdout log can be before WARN.
-#   0 = skip staleness check (for one-shot or infrequent tasks)
-#   WARN at MAX_STALE_SECS, FAIL at 3x MAX_STALE_SECS
-# PROCESS_GREP: pattern to grep in ps (empty = skip process check)
-# ============================================================================
-# TYPE field: "core" = part of NEXO (goes to public repo), "personal" = user-specific
-# Format: NAME|PLIST_ID|LOG_STDOUT|LOG_STDERR|MAX_STALE_SECS|PROCESS_GREP|SCHEDULE_DESC|TYPE
-# Add your own monitors below. Core NEXO services are listed as examples.
-MONITORS=(
-  "Catchup|com.nexo.catchup|$NEXO_HOME/logs/catchup-stdout.log|$NEXO_HOME/logs/catchup-stderr.log|0||RunAtLoad once|core"
-  "Cognitive Decay|com.nexo.cognitive-decay|$NEXO_HOME/logs/cognitive-decay-stdout.log|$NEXO_HOME/logs/cognitive-decay-stderr.log|90000||Daily 3:00 AM|core"
-  "Evolution|com.nexo.evolution|$NEXO_HOME/logs/evolution-stdout.log|$NEXO_HOME/logs/evolution-stderr.log|0||Weekly Sun 3:00 AM|core"
-  "GitHub Monitor|com.nexo.github-monitor|$NEXO_HOME/logs/github-monitor-stdout.log|$NEXO_HOME/logs/github-monitor-stderr.log|90000||Daily 8:00 AM|core"
-  "Immune|com.nexo.immune|$NEXO_HOME/logs/immune-stdout.log|$NEXO_HOME/logs/immune-stderr.log|3600||Every 30 min|core"
-  "Postmortem|com.nexo.postmortem|$NEXO_HOME/logs/postmortem-stdout.log|$NEXO_HOME/logs/postmortem-stderr.log|90000||Daily 23:30|core"
-  "Prevent Sleep|com.nexo.prevent-sleep|||0|caffeinate|KeepAlive|core"
-  "Self Audit|com.nexo.self-audit|$NEXO_HOME/logs/self-audit-stdout.log|$NEXO_HOME/logs/self-audit-stderr.log|90000||Daily 7:00 AM|core"
-  "Sleep|com.nexo.sleep|$NEXO_HOME/logs/sleep-stdout.log|$NEXO_HOME/logs/sleep-stderr.log|90000||Daily 4:00 AM|core"
-  "Synthesis|com.nexo.synthesis|$NEXO_HOME/logs/synthesis-stdout.log|$NEXO_HOME/logs/synthesis-stderr.log|10800||Every 2 hours|core"
-  "Deep Sleep|com.nexo.deep-sleep|$NEXO_HOME/logs/deep-sleep-stdout.log|$NEXO_HOME/logs/deep-sleep-stderr.log|90000||Daily 4:30 AM|core"
-  "Followup Hygiene|com.nexo.followup-hygiene|$NEXO_HOME/logs/followup-hygiene-stdout.log|$NEXO_HOME/logs/followup-hygiene-stderr.log|604800||Weekly Sun 5:00 AM|core"
-  # Add your own personal monitors below (type "personal"):
-  # "My Service|com.nexo.my-service|$NEXO_HOME/logs/my-service.log||3600||Every 30 min|personal"
-)
-
-# Cron jobs to check (NAME|SCRIPT|CHECK_PATH|MAX_STALE_SECS|SCHEDULE)
-CRON_MONITORS=(
-  "Backup Cron|$NEXO_DIR/backup_cron.sh|$NEXO_DIR/backups/|7200|Hourly"
-)
-
-# Error patterns to search in stderr logs (last 50 lines)
-ERROR_PATTERNS="Traceback|Error:|CRITICAL|FATAL|ModuleNotFoundError|PermissionError|FileNotFoundError|ConnectionRefused|Errno"
-
-# ============================================================================
-# HELPER FUNCTIONS
-# ============================================================================
-
-UID_NUM=$(id -u)
-REPAIR_LOG="$LOG_DIR/watchdog-repairs.log"
-TOTAL_HEALED=0
-IS_MACOS=false
-[ "$(uname)" = "Darwin" ] && IS_MACOS=true
-
-log_repair() { echo "[$TS] REPAIR: $1" >> "$REPAIR_LOG"; log "REPAIR: $1"; }
-
-is_loaded() {
-  $IS_MACOS && launchctl list "$1" &>/dev/null
-}
-
-# ============================================================================
-# AUTO-REPAIR FUNCTIONS
-# ============================================================================
-
-try_repair_launchagent() {
-  $IS_MACOS || return 1
-  local plist_id="$1"
-  local proc_grep="$2"
-  local plist_file="$HOME_DIR/Library/LaunchAgents/${plist_id}.plist"
-
-  # Repair 1: Not loaded — try to bootstrap
-  if ! is_loaded "$plist_id"; then
-    if [ -f "$plist_file" ]; then
-      launchctl bootstrap "gui/$UID_NUM" "$plist_file" 2>/dev/null
-      sleep 1
-      if is_loaded "$plist_id"; then
-        log_repair "$plist_id: bootstrapped successfully"
-        return 0
-      fi
-    fi
-    return 1
-  fi
-
-  # Repair 2: Loaded but process not running (KeepAlive) — kickstart
-  if [ -n "$proc_grep" ] && ! process_running "$proc_grep"; then
-    launchctl kickstart "gui/$UID_NUM/$plist_id" 2>/dev/null
-    sleep 2
-    if process_running "$proc_grep"; then
-      log_repair "$plist_id: kickstarted process '$proc_grep'"
-      return 0
-    fi
-  fi
-
-  return 1
-}
-
-try_repair_cron() {
-  local script="$1"
-
-  # Repair: Script not executable — chmod it
-  if [ -f "$script" ] && [ ! -x "$script" ]; then
-    chmod +x "$script"
-    if [ -x "$script" ]; then
-      log_repair "$script: made executable"
-      return 0
-    fi
-  fi
-
-  return 1
-}
-
-try_reexecute_missed_cron() {
-  $IS_MACOS || return 1
-  # Re-execute a cron that missed its scheduled run
-  # Extracts ProgramArguments from the plist and runs them
-  local plist_id="$1"
-  local plist_file="$HOME_DIR/Library/LaunchAgents/${plist_id}.plist"
-
-  if [ ! -f "$plist_file" ]; then
-    log "Re-execute skipped: no plist for $plist_id"
-    return 1
-  fi
-
-  # Extract the full command from plist
-  local cmd
-  cmd=$(python3 -c "
-import plistlib, sys
-try:
-    with open('$plist_file', 'rb') as f:
-        d = plistlib.load(f)
-    args = d.get('ProgramArguments', [])
-    # Skip KeepAlive services (they should be running, not re-executed)
-    if d.get('KeepAlive'):
-        sys.exit(1)
-    # Skip services without a schedule (RunAtLoad only)
-    if not d.get('StartCalendarInterval') and not d.get('StartInterval'):
-        sys.exit(1)
-    print(' '.join(args))
-except:
-    sys.exit(1)
-" 2>/dev/null)
-
-  if [ -z "$cmd" ] || [ $? -ne 0 ]; then
-    return 1
-  fi
-
-  log "Re-executing missed cron: $plist_id → $cmd"
-  # Run in background with timeout (5 min max)
-  timeout 300 bash -c "$cmd" >> "$LOG_DIR/watchdog-reexec.log" 2>&1 &
-  local pid=$!
-
-  # Wait briefly and check if it started ok
-  sleep 2
-  if kill -0 "$pid" 2>/dev/null || wait "$pid" 2>/dev/null; then
-    log_repair "$plist_id: re-executed missed cron (PID $pid)"
-    return 0
-  else
-    log "Re-execute failed for $plist_id"
-    return 1
-  fi
-}
-
-try_verify_repair() {
-  $IS_MACOS || return 1
-  # After Level 2 repair, wait and verify the service is healthy
-  local plist_id="$1"
-  local log_stdout="$2"
-  local proc_grep="$3"
-  local max_wait=30
-
-  log "Verifying repair for $plist_id..."
-
-  # Check 1: Is it loaded?
-  if ! is_loaded "$plist_id"; then
-    log "Verify FAILED: $plist_id still not loaded"
-    return 1
-  fi
-
-  # Check 2: Process running? (for KeepAlive services)
-  if [ -n "$proc_grep" ]; then
-    local waited=0
-    while [ $waited -lt $max_wait ]; do
-      if process_running "$proc_grep"; then
-        log "Verify OK: $plist_id process running after ${waited}s"
-        return 0
-      fi
-      sleep 5
-      waited=$((waited + 5))
-    done
-    log "Verify FAILED: $plist_id process not running after ${max_wait}s"
-    return 1
-  fi
-
-  # Check 3: For scheduled crons, check if log was updated recently
-  if [ -n "$log_stdout" ] && [ -f "$log_stdout" ]; then
-    local age
-    age=$(file_age "$log_stdout")
-    if [ "$age" -lt 300 ]; then
-      log "Verify OK: $plist_id log updated ${age}s ago"
-      return 0
-    fi
-  fi
-
-  # If we get here for a scheduled service, it's loaded which is sufficient
-  log "Verify OK: $plist_id is loaded (scheduled service)"
-  return 0
-}
-
-try_repair_backup() {
-  local backup_script="$NEXO_DIR/backup_cron.sh"
-  if [ -x "$backup_script" ]; then
-    "$backup_script" 2>/dev/null
-    sleep 1
-    local newest
-    newest=$(ls -t "$NEXO_DIR/backups/nexo-"*.db 2>/dev/null | head -1)
-    if [ -n "$newest" ]; then
-      if $IS_MACOS; then local age=$(( TS_EPOCH - $(stat -f %m "$newest") )); else local age=$(( TS_EPOCH - $(stat -c %Y "$newest") )); fi
-      if [ "$age" -lt 60 ]; then
-        log_repair "backup_cron.sh: ran successfully, fresh backup created"
-        return 0
-      fi
-    fi
-  fi
-  return 1
-}
-
-file_age() {
-  if [ -f "$1" ]; then
-    local mod_epoch
-    if $IS_MACOS; then
-      mod_epoch=$(stat -f %m "$1" 2>/dev/null || echo 0)
-    else
-      mod_epoch=$(stat -c %Y "$1" 2>/dev/null || echo 0)
-    fi
-    echo $(( TS_EPOCH - mod_epoch ))
-  else
-    echo 999999
-  fi
-}
-
-format_age() {
-  local secs=$1
-  if [ "$secs" -ge 999999 ]; then
-    echo "never"
-  elif [ "$secs" -ge 86400 ]; then
-    echo "$((secs / 86400))d $((secs % 86400 / 3600))h ago"
-  elif [ "$secs" -ge 3600 ]; then
-    echo "$((secs / 3600))h $((secs % 3600 / 60))m ago"
-  elif [ "$secs" -ge 60 ]; then
-    echo "$((secs / 60))m ago"
-  else
-    echo "${secs}s ago"
-  fi
-}
-
-check_errors() {
-  local logfile="$1"
-  if [ -f "$logfile" ] && [ -s "$logfile" ]; then
-    local count
-    count=$(tail -50 "$logfile" 2>/dev/null | grep -cE "$ERROR_PATTERNS" 2>/dev/null) || true
-    echo "${count:-0}"
-  else
-    echo 0
-  fi
-}
-
-process_running() {
-  if [ -n "$1" ]; then
-    pgrep -f "$1" > /dev/null 2>&1
-  else
-    return 0
-  fi
-}
-
-# Escape strings for JSON
-json_escape() {
-  echo "$1" | sed 's/\\/\\\\/g; s/"/\\"/g; s/	/ /g' | tr '\n' ' '
-}
-
-# ============================================================================
-# RUN CHECKS
-# ============================================================================
-
-TOTAL_PASS=0
-TOTAL_WARN=0
-TOTAL_FAIL=0
-JSON_AGENTS=""
-REPORT_LINES=""
-FAILED_MONITORS=()  # Track failed monitors for Level 2 repair
-
-for monitor in "${MONITORS[@]}"; do
-  # Skip comment lines
-  [[ "$monitor" =~ ^[[:space:]]*# ]] && continue
-  IFS='|' read -r name plist_id log_stdout log_stderr max_stale proc_grep schedule mon_type <<< "$monitor"
-  mon_type="${mon_type:-core}"
-
-  status="PASS"
-  details=""
-  loaded="unknown"
-  stale_age="n/a"
-  error_count=0
-  proc_alive="n/a"
-
-  # Check 1: LaunchAgent loaded?
-  if is_loaded "$plist_id"; then
-    loaded="yes"
-  else
-    loaded="no"
-    # AUTO-REPAIR: try to bootstrap
-    if try_repair_launchagent "$plist_id" "$proc_grep"; then
-      loaded="yes"
-      status="HEALED"
-      details="${details}Self-healed: bootstrapped. "
-      TOTAL_HEALED=$((TOTAL_HEALED + 1))
-    else
-      status="FAIL"
-      details="${details}Not loaded in launchctl (repair failed). "
-    fi
-  fi
-
-  # Check 2: Process alive? (only for KeepAlive / long-running)
-  if [ -n "$proc_grep" ]; then
-    if process_running "$proc_grep"; then
-      proc_alive="yes"
-    else
-      proc_alive="no"
-      # AUTO-REPAIR: try to kickstart
-      if [ "$status" != "FAIL" ] && [ "$status" != "HEALED" ]; then
-        if try_repair_launchagent "$plist_id" "$proc_grep"; then
-          proc_alive="yes"
-          status="HEALED"
-          details="${details}Self-healed: kickstarted. "
-          TOTAL_HEALED=$((TOTAL_HEALED + 1))
-        else
-          status="WARN"
-          details="${details}Process '$proc_grep' not running (repair failed). "
-        fi
-      elif [ "$status" = "HEALED" ]; then
-        # Already healed by bootstrap, check if process came up
-        sleep 1
-        if process_running "$proc_grep"; then
-          proc_alive="yes"
-        else
-          details="${details}Process '$proc_grep' still not running after bootstrap. "
-        fi
-      fi
-    fi
-  fi
-
-  # Check 3: Log staleness + AUTO RE-EXECUTE missed crons
-  if [ -n "$log_stdout" ] && [ "$max_stale" -gt 0 ]; then
-    age=$(file_age "$log_stdout")
-    stale_age=$(format_age "$age")
-    if [ "$age" -gt $(( max_stale * 3 )) ]; then
-      # Severely stale — try to re-execute the missed cron
-      if try_reexecute_missed_cron "$plist_id"; then
-        status="HEALED"
-        details="${details}Self-healed: re-executed missed cron (was stale: $stale_age). "
-        TOTAL_HEALED=$((TOTAL_HEALED + 1))
-      else
-        status="FAIL"
-        details="${details}Log stale: $stale_age (limit: $(format_age "$max_stale")). Re-execute failed. "
-      fi
-    elif [ "$age" -gt "$max_stale" ]; then
-      [ "$status" = "PASS" ] && status="WARN"
-      details="${details}Log slightly stale: $stale_age. "
-    fi
-  elif [ -n "$log_stdout" ]; then
-    if [ -f "$log_stdout" ]; then
-      age=$(file_age "$log_stdout")
-      stale_age=$(format_age "$age")
-    else
-      stale_age="no log file"
-    fi
-  fi
-
-  # Check 4: Errors in stderr log
-  if [ -n "$log_stderr" ]; then
-    error_count=$(check_errors "$log_stderr")
-    if [ "$error_count" -gt 5 ]; then
-      [ "$status" = "PASS" ] && status="WARN"
-      details="${details}${error_count} errors in recent stderr. "
-    fi
-  fi
-
-  [ -z "$details" ] && details="All checks passed"
-
-  # HEALED counts as PASS for overall status
-  case "$status" in
-    PASS|HEALED) TOTAL_PASS=$((TOTAL_PASS + 1)) ;;
-    WARN) TOTAL_WARN=$((TOTAL_WARN + 1)) ;;
-    FAIL)
-      TOTAL_FAIL=$((TOTAL_FAIL + 1))
-      FAILED_MONITORS+=("${name}|${plist_id}|${log_stdout}|${log_stderr}|${proc_grep}|${schedule}|${mon_type}|${details}")
-      ;;
-  esac
-
-  # JSON
-  escaped_details=$(json_escape "$details")
-  json_item="    {\"name\":\"$name\",\"plist\":\"$plist_id\",\"status\":\"$status\",\"type\":\"$mon_type\",\"loaded\":\"$loaded\",\"process\":\"$proc_alive\",\"last_activity\":\"$stale_age\",\"stderr_errors\":$error_count,\"schedule\":\"$schedule\",\"details\":\"$escaped_details\"}"
-  [ -n "$JSON_AGENTS" ] && JSON_AGENTS="${JSON_AGENTS},
-${json_item}" || JSON_AGENTS="$json_item"
-
-  # Report
-  case "$status" in
-    PASS) icon="PASS" ;; HEALED) icon="HEAL" ;; WARN) icon="WARN" ;; FAIL) icon="FAIL" ;;
-  esac
-  REPORT_LINES="${REPORT_LINES}  [${icon}] ${name} (${schedule})
-         Loaded: ${loaded} | Process: ${proc_alive} | Last: ${stale_age} | Errors: ${error_count}
-         ${details}
-"
-done
-
-# --- Cron job checks ---
-CRON_JSON=""
-CRON_REPORT=""
-for cron_entry in "${CRON_MONITORS[@]}"; do
-  IFS='|' read -r name script check_path max_stale schedule <<< "$cron_entry"
-
-  c_status="PASS"
-  c_details=""
-  age_str="n/a"
-
-  # Check script exists and is executable
-  if [ ! -x "$script" ]; then
-    # AUTO-REPAIR: try chmod
-    if try_repair_cron "$script"; then
-      c_status="HEALED"
-      c_details="Self-healed: made executable. "
-      TOTAL_HEALED=$((TOTAL_HEALED + 1))
-    else
-      c_status="FAIL"
-      c_details="Script not executable or missing (repair failed). "
-    fi
-  fi
-
-  # Check output freshness
-  if [ -d "$check_path" ]; then
-    newest=$(ls -t "$check_path" 2>/dev/null | head -1)
-    if [ -n "$newest" ]; then
-      age=$(file_age "${check_path}${newest}")
-      age_str=$(format_age "$age")
-      if [ "$age" -gt $(( max_stale * 3 )) ]; then
-        c_status="FAIL"
-        c_details="${c_details}Output stale: $age_str. "
-      elif [ "$age" -gt "$max_stale" ]; then
-        [ "$c_status" = "PASS" ] && c_status="WARN"
-        c_details="${c_details}Output slightly stale: $age_str. "
-      fi
-    else
-      c_status="WARN"
-      c_details="${c_details}No output files found. "
-      age_str="no files"
-    fi
-  elif [ -f "$check_path" ]; then
-    age=$(file_age "$check_path")
-    age_str=$(format_age "$age")
-    if [ "$age" -gt $(( max_stale * 3 )) ]; then
-      c_status="FAIL"
-      c_details="${c_details}Output stale: $age_str. "
-    elif [ "$age" -gt "$max_stale" ]; then
-      [ "$c_status" = "PASS" ] && c_status="WARN"
-      c_details="${c_details}Output slightly stale: $age_str. "
-    fi
-  fi
-
-  [ -z "$c_details" ] && c_details="All checks passed"
-
-  case "$c_status" in
-    PASS|HEALED) TOTAL_PASS=$((TOTAL_PASS + 1)) ;;
-    WARN) TOTAL_WARN=$((TOTAL_WARN + 1)) ;;
-    FAIL) TOTAL_FAIL=$((TOTAL_FAIL + 1)) ;;
-  esac
-
-  escaped_details=$(json_escape "$c_details")
-  cron_item="    {\"name\":\"$name\",\"script\":\"$script\",\"status\":\"$c_status\",\"last_output\":\"$age_str\",\"schedule\":\"$schedule\",\"details\":\"$escaped_details\"}"
-  [ -n "$CRON_JSON" ] && CRON_JSON="${CRON_JSON},
-${cron_item}" || CRON_JSON="$cron_item"
-
-  case "$c_status" in
-    PASS) icon="PASS" ;; HEALED) icon="HEAL" ;; WARN) icon="WARN" ;; FAIL) icon="FAIL" ;;
-  esac
-  CRON_REPORT="${CRON_REPORT}  [${icon}] ${name} (${schedule})
-         Last output: ${age_str}
-         ${c_details}
-"
-done
-
-# ============================================================================
-# INFRASTRUCTURE CHECKS
-# ============================================================================
-
-# --- SQLite integrity ---
-SQLITE_STATUS="PASS"
-SQLITE_DETAIL=""
-INTEGRITY=$(sqlite3 "$NEXO_DIR/data/nexo.db" "PRAGMA integrity_check;" 2>/dev/null || echo "CORRUPT")
-if [ "$INTEGRITY" != "ok" ]; then
-  SQLITE_STATUS="FAIL"
-  SQLITE_DETAIL="Integrity check: $INTEGRITY"
-  log "CRITICAL: SQLite integrity check failed: $INTEGRITY"
-  TOTAL_FAIL=$((TOTAL_FAIL + 1))
-  LATEST_BACKUP=$(ls -t "$NEXO_DIR/backups/nexo-"*.db 2>/dev/null | head -1)
-  if [ -n "$LATEST_BACKUP" ]; then
-    cp "$LATEST_BACKUP" "$NEXO_DIR/data/nexo.db"
-    log "RESTORED from $LATEST_BACKUP"
-    SQLITE_DETAIL="${SQLITE_DETAIL}. Restored from backup."
-  fi
-else
-  SQLITE_DETAIL="Integrity OK"
-  TOTAL_PASS=$((TOTAL_PASS + 1))
-fi
-
-# --- Immutable file integrity ---
-IMMUTABLE_STATUS="PASS"
-IMMUTABLE_DETAIL=""
-if [ -f "$HASH_REGISTRY" ]; then
-  TAMPERED=0
-  while IFS='|' read -r filepath expected_hash; do
-    if [ -f "$filepath" ]; then
-      ACTUAL=$(shasum -a 256 "$filepath" | cut -d' ' -f1)
-      if [ "$ACTUAL" != "$expected_hash" ]; then
-        TAMPERED=$((TAMPERED + 1))
-        log "CRITICAL: Immutable file modified: $filepath"
-        LATEST_SNAP=$(ls -td "$NEXO_HOME/snapshots/"*/ 2>/dev/null | head -1)
-        if [ -n "$LATEST_SNAP" ] && [ -f "${LATEST_SNAP}files/${filepath#$HOME_DIR/}" ]; then
-          cp "${LATEST_SNAP}files/${filepath#$HOME_DIR/}" "$filepath"
-          log "RESTORED immutable file from snapshot"
-        fi
-      fi
-    fi
-  done < "$HASH_REGISTRY"
-  if [ "$TAMPERED" -gt 0 ]; then
-    IMMUTABLE_STATUS="FAIL"
-    IMMUTABLE_DETAIL="$TAMPERED immutable files tampered"
-    TOTAL_FAIL=$((TOTAL_FAIL + 1))
-    OBJECTIVE="$CORTEX_DIR/evolution-objective.json"
-    if [ -f "$OBJECTIVE" ]; then
-      python3 -c "
-import json
-with open('$OBJECTIVE') as f: d = json.load(f)
-d['evolution_enabled'] = False
-d['disabled_reason'] = 'Immutable file tampered — watchdog disabled Evolution'
-with open('$OBJECTIVE', 'w') as f: json.dump(d, f, indent=2)
-" 2>/dev/null
-      log "DISABLED Evolution due to immutable file tampering"
-    fi
-  else
-    IMMUTABLE_DETAIL="All files intact"
-    TOTAL_PASS=$((TOTAL_PASS + 1))
-  fi
-else
-  IMMUTABLE_DETAIL="No hash registry (skipped)"
-  TOTAL_PASS=$((TOTAL_PASS + 1))
-fi
-
-# --- Backup freshness ---
-BACKUP_STATUS="PASS"
-BACKUP_DETAIL=""
-LATEST_BACKUP=$(ls -t "$NEXO_DIR/backups/nexo-"*.db 2>/dev/null | head -1)
-if [ -n "$LATEST_BACKUP" ]; then
-  if $IS_MACOS; then BACKUP_AGE=$(( TS_EPOCH - $(stat -f %m "$LATEST_BACKUP") )); else BACKUP_AGE=$(( TS_EPOCH - $(stat -c %Y "$LATEST_BACKUP") )); fi
-  BACKUP_AGE_STR=$(format_age "$BACKUP_AGE")
-  if [ "$BACKUP_AGE" -gt 7200 ]; then
-    # AUTO-REPAIR: run backup now
-    if try_repair_backup; then
-      BACKUP_STATUS="HEALED"
-      BACKUP_DETAIL="Self-healed: backup was stale ($BACKUP_AGE_STR), ran fresh backup"
-      TOTAL_HEALED=$((TOTAL_HEALED + 1))
-      TOTAL_PASS=$((TOTAL_PASS + 1))
-    else
-      BACKUP_STATUS="WARN"
-      BACKUP_DETAIL="Last backup: $BACKUP_AGE_STR (>2h, repair failed)"
-      TOTAL_WARN=$((TOTAL_WARN + 1))
-    fi
-  else
-    BACKUP_DETAIL="Last backup: $BACKUP_AGE_STR"
-    TOTAL_PASS=$((TOTAL_PASS + 1))
-  fi
-else
-  BACKUP_STATUS="FAIL"
-  BACKUP_DETAIL="No backups found"
-  TOTAL_FAIL=$((TOTAL_FAIL + 1))
-fi
-
-# --- Cognitive DB check ---
-COG_STATUS="PASS"
-COG_DETAIL=""
-COG_DB="$NEXO_DIR/data/cognitive.db"
-if [ -f "$COG_DB" ]; then
-  COG_INT=$(sqlite3 "$COG_DB" "PRAGMA integrity_check;" 2>/dev/null || echo "CORRUPT")
-  if [ "$COG_INT" != "ok" ]; then
-    COG_STATUS="FAIL"
-    COG_DETAIL="Cognitive DB integrity: $COG_INT"
-    TOTAL_FAIL=$((TOTAL_FAIL + 1))
-  else
-    COG_DETAIL="Integrity OK"
-    TOTAL_PASS=$((TOTAL_PASS + 1))
-  fi
-else
-  COG_STATUS="WARN"
-  COG_DETAIL="cognitive.db not found"
-  TOTAL_WARN=$((TOTAL_WARN + 1))
-fi
-
-# ============================================================================
-# WRITE JSON STATUS
-# ============================================================================
-TOTAL=$((TOTAL_PASS + TOTAL_WARN + TOTAL_FAIL))
-OVERALL="PASS"
-[ "$TOTAL_WARN" -gt 0 ] && OVERALL="WARN"
-[ "$TOTAL_FAIL" -gt 0 ] && OVERALL="FAIL"
-
-cat > "$STATUS_JSON" <<JSONEOF
-{
-  "timestamp": "$TS",
-  "summary": {
-    "total": $TOTAL,
-    "pass": $TOTAL_PASS,
-    "warn": $TOTAL_WARN,
-    "fail": $TOTAL_FAIL,
-    "healed": $TOTAL_HEALED,
-    "overall": "$OVERALL"
-  },
-  "launch_agents": [
-$JSON_AGENTS
-  ],
-  "cron_jobs": [
-$CRON_JSON
-  ],
-  "infrastructure": {
-    "sqlite": {"status": "$SQLITE_STATUS", "detail": "$(json_escape "$SQLITE_DETAIL")"},
-    "cognitive_db": {"status": "$COG_STATUS", "detail": "$(json_escape "$COG_DETAIL")"},
-    "immutable_files": {"status": "$IMMUTABLE_STATUS", "detail": "$(json_escape "$IMMUTABLE_DETAIL")"},
-    "backups": {"status": "$BACKUP_STATUS", "detail": "$(json_escape "$BACKUP_DETAIL")"}
-  }
-}
-JSONEOF
-
-# ============================================================================
-# WRITE HUMAN-READABLE REPORT
-# ============================================================================
-cat > "$REPORT_TXT" <<REPORTEOF
-======================================================
-  NEXO WATCHDOG REPORT — $TS
-======================================================
-  PASS: $TOTAL_PASS  |  HEALED: $TOTAL_HEALED  |  WARN: $TOTAL_WARN  |  FAIL: $TOTAL_FAIL  |  TOTAL: $TOTAL
-  OVERALL: $OVERALL
-======================================================
-
--- LaunchAgents (${#MONITORS[@]}) ---------------------
-$REPORT_LINES
--- Cron Jobs ------------------------------------------
-$CRON_REPORT
--- Infrastructure -------------------------------------
-  [$SQLITE_STATUS] SQLite nexo.db: $SQLITE_DETAIL
-  [$COG_STATUS] Cognitive DB: $COG_DETAIL
-  [$IMMUTABLE_STATUS] Immutable Files: $IMMUTABLE_DETAIL
-  [$BACKUP_STATUS] Backups: $BACKUP_DETAIL
-
--- End of Report --------------------------------------
-REPORTEOF
-
-# ============================================================================
-# ALERT FILE
-# ============================================================================
-if [ "$TOTAL_FAIL" -gt 0 ]; then
-  {
-    echo "timestamp=$TS"
-    echo "fail_count=$TOTAL_FAIL"
-    echo "warn_count=$TOTAL_WARN"
-    echo "failures:"
-    grep '\[FAIL\]' "$REPORT_TXT" | head -10 | sed 's/^/  /'
-  } > "$ALERT_FILE"
-  log "ALERT: $TOTAL_FAIL failures detected"
-else
-  rm -f "$ALERT_FILE"
-fi
-
-# ============================================================================
-# CONSECUTIVE FAILURE TRACKING + NOTIFICATION
-# ============================================================================
-FAILS=$(cat "$FAIL_COUNT_FILE" 2>/dev/null || echo 0)
-if [ "$TOTAL_FAIL" -gt 0 ]; then
-  FAILS=$((FAILS + 1))
-  echo "$FAILS" > "$FAIL_COUNT_FILE"
-  if [ "$FAILS" -ge "$MAX_FAILS" ]; then
-    log "ALERT: $FAILS consecutive runs with failures"
-    # Configure your own notification method here (optional)
-    # Example: send email, Slack webhook, desktop notification, etc.
-    log "NOTIFICATION: $FAILS consecutive failures ($TOTAL_FAIL items FAIL)"
-  fi
-else
-  echo "0" > "$FAIL_COUNT_FILE"
-fi
-
-# ============================================================================
-# LEVEL 2 AUTO-REPAIR: Launch NEXO for intelligent diagnosis
-# ============================================================================
-# Only triggers if: (a) there are FAILs after mechanical repair, (b) no NEXO
-# repair is already running, (c) no interactive session is active (avoid conflict)
-REPAIR_LOCK="$NEXO_HOME/scripts/.watchdog-nexo-repair.lock"
-REPAIR_COOLDOWN=1800  # 30 min between NEXO repair attempts
-
-if [ "$TOTAL_FAIL" -gt 0 ]; then
-  # Check cooldown — don't spam NEXO invocations
-  LOCK_AGE=999999
-  SKIP_REPAIR=false
-  if [ -f "$REPAIR_LOCK" ]; then
-    if $IS_MACOS; then LOCK_AGE=$(( TS_EPOCH - $(stat -f %m "$REPAIR_LOCK" 2>/dev/null || echo 0) )); else LOCK_AGE=$(( TS_EPOCH - $(stat -c %Y "$REPAIR_LOCK" 2>/dev/null || echo 0) )); fi
-    if [ "$LOCK_AGE" -lt "$REPAIR_COOLDOWN" ]; then
-      log "NEXO repair skipped: cooldown (${LOCK_AGE}s < ${REPAIR_COOLDOWN}s)"
-      SKIP_REPAIR=true
-    fi
-  fi
-
-  if ! $SKIP_REPAIR; then
-    # Collect failure details from tracked FAILED_MONITORS array
-    FAIL_DETAILS=""
-    HAS_CORE_FAILS=false
-    for failed in ${FAILED_MONITORS[@]+"${FAILED_MONITORS[@]}"}; do
-      IFS='|' read -r m_name m_plist m_stdout m_stderr m_proc m_sched m_type m_details <<< "$failed"
-      STDERR_TAIL=""
-      if [ -n "$m_stderr" ] && [ -f "$m_stderr" ]; then
-        STDERR_TAIL=$(tail -20 "$m_stderr" 2>/dev/null | head -20)
-      fi
-      STDOUT_TAIL=""
-      if [ -n "$m_stdout" ] && [ -f "$m_stdout" ]; then
-        STDOUT_TAIL=$(tail -10 "$m_stdout" 2>/dev/null | head -10)
-      fi
-      [ "$m_type" = "core" ] && HAS_CORE_FAILS=true
-      FAIL_DETAILS="${FAIL_DETAILS}
---- ${m_name} (${m_plist}) [${m_type}] ---
-Schedule: ${m_sched}
-Type: ${m_type}
-Failure reason: ${m_details}
-Plist: ~/Library/LaunchAgents/${m_plist}.plist
-Process grep: ${m_proc}
-Stderr (last 20 lines):
-${STDERR_TAIL}
-Stdout (last 10 lines):
-${STDOUT_TAIL}
-"
-    done
-
-    # Only launch if we actually have fail details
-    if [ -n "$FAIL_DETAILS" ]; then
-      touch "$REPAIR_LOCK"
-      log "Launching NEXO Level 2 repair..."
-
-      # Build propagation instructions if core services failed
-      # Only the origin maintainer (user) propagates fixes to the public repo
-      PROPAGATE_BLOCK=""
-      # If you maintain a public NEXO repo, configure propagation here
-      NEXO_PUBLIC_REPO="${NEXO_PUBLIC_REPO:-}"
-      if $HAS_CORE_FAILS && [ -n "$NEXO_PUBLIC_REPO" ] && [ -d "$NEXO_PUBLIC_REPO/.git" ]; then
-        PROPAGATE_BLOCK="
-PROPAGATION (for [core] fixes ONLY):
-If your fix modifies a file under $NEXO_HOME/ (server.py, db/, plugins/, scripts/):
-1. Commit the fix locally with a descriptive message
-2. Copy the changed files (sanitized — no personal data) to $NEXO_PUBLIC_REPO/src/
-3. Bump patch version in $NEXO_PUBLIC_REPO/package.json
-4. Commit + push
-5. Create a GitHub release with gh release create
-Do NOT propagate fixes for [personal] services — those stay local only."
-      fi
-
-      # Write prompt to temp file (avoids heredoc quoting issues in subshell)
-      REPAIR_PROMPT_FILE=$(mktemp /tmp/nexo-repair-XXXXXXXX)
-      cat > "$REPAIR_PROMPT_FILE" <<NEXOPROMPT
-WATCHDOG LEVEL 2 REPAIR — Automated diagnostic session.
-
-The watchdog detected services that failed mechanical repair (launchctl bootstrap/kickstart).
-Your job: diagnose the root cause and fix it. Do NOT ask the user anything — resolve autonomously.
-
-Each failure is tagged [core] or [personal]:
-- [core] = part of NEXO public package — fix may need propagation to public repo
-- [personal] = user-specific service — fix stays local only
-
-FAILURES:
-${FAIL_DETAILS}
-
-STEPS:
-1. Read the plist file to understand the service configuration
-2. Check stderr/stdout logs for the actual error
-3. Fix the root cause (missing file, bad config, dependency issue, etc.)
-4. Reload the service and verify it is running
-5. Log what you did to $NEXO_HOME/logs/watchdog-repair-result.log
-${PROPAGATE_BLOCK}
-
-CONSTRAINTS:
-- Do NOT modify CLAUDE.md or any protected file
-- Do NOT start interactive conversations
-- Keep it under 5 minutes
-- Log what you did to $NEXO_HOME/logs/watchdog-repair-result.log
-NEXOPROMPT
-
-      # Launch NEXO in background with repair task
-      # Ensure claude CLI is in PATH (cron/LaunchAgent may have minimal PATH)
-      CLAUDE_BIN=$(command -v claude 2>/dev/null || echo "$HOME_DIR/.claude/local/bin/claude")
-      if [ ! -x "$CLAUDE_BIN" ]; then
-        CLAUDE_BIN=$(find /usr/local/bin /opt/homebrew/bin "$HOME_DIR/.local/bin" "$HOME_DIR/.npm-global/bin" -name claude -type f 2>/dev/null | head -1)
-      fi
-
-      if [ -n "$CLAUDE_BIN" ] && [ -x "$CLAUDE_BIN" ]; then
-        nohup bash -c "\"$CLAUDE_BIN\" --print --dangerously-skip-permissions -p \"\$(cat '$REPAIR_PROMPT_FILE')\" >> '$LOG_DIR/watchdog-nexo-repair.log' 2>&1; rm -f '$REPAIR_PROMPT_FILE'" &
-      else
-        log "NEXO repair ABORTED: claude CLI not found in PATH"
-        rm -f "$REPAIR_PROMPT_FILE"
-      fi
-
-      REPAIR_PID=$!
-      log "NEXO repair launched (PID: $REPAIR_PID)"
-
-      # Wait for repair to complete (max 5 min) then verify
-      (
-        wait_count=0
-        while kill -0 $REPAIR_PID 2>/dev/null && [ $wait_count -lt 60 ]; do
-          sleep 5
-          wait_count=$((wait_count + 1))
-        done
-
-        if [ $wait_count -ge 60 ]; then
-          log "NEXO repair timed out after 5 min"
-          kill $REPAIR_PID 2>/dev/null
-        else
-          log "NEXO repair completed. Verifying fixes..."
-          # Verify each failed monitor
-          VERIFY_PASS=0
-          VERIFY_FAIL=0
-          for failed in ${FAILED_MONITORS[@]+"${FAILED_MONITORS[@]}"}; do
-            IFS='|' read -r v_name v_plist v_stdout v_stderr v_proc v_sched v_type v_details <<< "$failed"
-            if try_verify_repair "$v_plist" "$v_stdout" "$v_proc"; then
-              VERIFY_PASS=$((VERIFY_PASS + 1))
-              log "VERIFY OK: $v_name"
-            else
-              VERIFY_FAIL=$((VERIFY_FAIL + 1))
-              log "VERIFY FAIL: $v_name — still broken after repair"
-            fi
-          done
-          log "Post-repair verification: $VERIFY_PASS passed, $VERIFY_FAIL failed"
-          echo "[$(date '+%Y-%m-%d %H:%M:%S')] Verification: $VERIFY_PASS OK, $VERIFY_FAIL FAIL" >> "$LOG_DIR/watchdog-nexo-repair.log"
-        fi
-      ) &
-    fi
-  fi
-fi
-
-# ============================================================================
-# LOG SUMMARY
-# ============================================================================
-log "Complete: PASS=$TOTAL_PASS HEALED=$TOTAL_HEALED WARN=$TOTAL_WARN FAIL=$TOTAL_FAIL"