npm - nexo-brain - Versions diffs - 2.3.1 → 2.4.0 - Mend

nexo-brain 2.3.1 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

package/README.md +12 -6
package/bin/nexo-brain.js +115 -21
package/bin/postinstall.js +22 -15
package/package.json +2 -2
package/src/auto_update.py +193 -5
package/src/crons/sync.py +5 -0
package/src/dashboard/app.py +9 -2
package/src/dashboard/templates/calendar.html +7 -5
package/src/dashboard/templates/dashboard.html +10 -3
package/src/dashboard/templates/inbox.html +10 -0
package/src/dashboard/templates/operations.html +64 -41
package/src/dashboard/templates/sessions.html +12 -1
package/src/db/_schema.py +20 -1
package/src/db/_skills.py +29 -4
package/src/hooks/capture-tool-logs.sh +41 -10
package/src/hooks/session-start.sh +4 -3
package/src/plugin_loader.py +14 -0
package/src/plugins/update.py +376 -26
package/src/scripts/deep-sleep/apply_findings.py +18 -3
package/src/scripts/deep-sleep/collect.py +38 -9
package/src/scripts/nexo-catchup.py +29 -4
package/src/scripts/nexo-daily-self-audit.py +21 -1
package/src/scripts/nexo-evolution-run.py +21 -1
package/src/scripts/nexo-postmortem-consolidator.py +34 -9
package/src/scripts/nexo-sleep.py +32 -10
package/src/scripts/nexo-synthesis.py +29 -9
package/src/scripts/nexo-update.sh +109 -7
package/src/scripts/nexo-watchdog.sh +103 -47
package/src/server.py +65 -1

package/src/plugins/update.py CHANGED Viewed

@@ -13,19 +13,71 @@ from pathlib import Path
 _THIS_DIR = Path(__file__).resolve().parent
 REPO_DIR = _THIS_DIR.parent.parent
 PACKAGE_JSON = REPO_DIR / "package.json"
-SRC_DIR = REPO_DIR / "src"
 NEXO_HOME = Path(os.environ.get("NEXO_HOME", str(Path.home() / ".nexo")))
 DATA_DIR = NEXO_HOME / "data"
 BACKUP_BASE = NEXO_HOME / "backups"
+# In packaged installs, update.py lives at ~/.nexo/plugins/update.py
+# so REPO_DIR would be ~/ (wrong). Detect this and fix paths.
+_PACKAGED_INSTALL = not (REPO_DIR / ".git").exists() and not (REPO_DIR / ".git").is_file()
+if _PACKAGED_INSTALL:
+    # In packaged mode, core .py files live directly in NEXO_HOME
+    SRC_DIR = NEXO_HOME
+else:
+    SRC_DIR = REPO_DIR / "src"
+def _find_npm_pkg_src() -> Path | None:
+    """Locate the nexo-brain npm package's src/ directory for requirements.txt."""
+    try:
+        result = subprocess.run(
+            ["npm", "root", "-g"],
+            capture_output=True, text=True, timeout=10,
+        )
+        if result.returncode == 0:
+            npm_src = Path(result.stdout.strip()) / "nexo-brain" / "src"
+            if npm_src.is_dir():
+                return npm_src
+    except Exception:
+        pass
+    return None
+def _is_git_repo() -> bool:
+    """Check if REPO_DIR is a valid git repository."""
+    return (REPO_DIR / ".git").exists() or (REPO_DIR / ".git").is_file()
+def _refresh_installed_manifest():
+    """Copy source crons/ to NEXO_HOME/crons/ so catchup & watchdog stay current."""
+    try:
+        src_crons = SRC_DIR / "crons"
+        dst_crons = NEXO_HOME / "crons"
+        if src_crons.exists():
+            dst_crons.mkdir(parents=True, exist_ok=True)
+            for f in src_crons.iterdir():
+                if f.is_file():
+                    shutil.copy2(str(f), str(dst_crons / f.name))
+    except Exception:
+        pass
 def _read_version() -> str:
-    """Read version from package.json."""
+    """Read version from package.json or NEXO_HOME/version.json (packaged installs)."""
     try:
-        return json.loads(PACKAGE_JSON.read_text()).get("version", "unknown")
+        if PACKAGE_JSON.exists():
+            return json.loads(PACKAGE_JSON.read_text()).get("version", "unknown")
     except Exception:
-        return "unknown"
+        pass
+    # Packaged installs don't ship package.json — check version.json in NEXO_HOME
+    try:
+        version_file = NEXO_HOME / "version.json"
+        if version_file.exists():
+            return json.loads(version_file.read_text()).get("version", "unknown")
+    except Exception:
+        pass
+    return "unknown"
 def _git(*args, cwd=None) -> tuple[int, str, str]:
@@ -40,13 +92,28 @@ def _git(*args, cwd=None) -> tuple[int, str, str]:
     return result.returncode, result.stdout.strip(), result.stderr.strip()
+def _requirements_hash() -> str:
+    """Return a content hash of requirements.txt, or empty string if missing."""
+    import hashlib
+    req_file = SRC_DIR / "requirements.txt"
+    if not req_file.exists() and _PACKAGED_INSTALL:
+        npm_src = _find_npm_pkg_src()
+        if npm_src:
+            req_file = npm_src / "requirements.txt"
+    if req_file.exists():
+        return hashlib.sha256(req_file.read_bytes()).hexdigest()
+    return ""
 def _check_dirty() -> str | None:
-    """Return error message if src/ has uncommitted changes, else None."""
-    rc, out, _ = _git("status", "--porcelain", "--", "src/")
+    """Return error message if worktree has uncommitted changes, else None."""
+    if not _is_git_repo():
+        return None  # Not a git repo, skip dirty check
+    rc, out, _ = _git("status", "--porcelain")
     if rc != 0:
         return "Failed to check git status."
     if out:
-        return f"Uncommitted changes in src/:\n{out}\nCommit or stash before updating."
+        return f"Uncommitted changes:\n{out}\nCommit or stash before updating."
     return None
@@ -102,12 +169,51 @@ def _restore_databases(backup_dir: str):
                 break
+def _reinstall_pip_deps() -> str | None:
+    """Reinstall Python dependencies from requirements.txt into the managed venv."""
+    req_file = SRC_DIR / "requirements.txt"
+    if not req_file.exists() and _PACKAGED_INSTALL:
+        # In packaged mode, requirements.txt lives in the npm package's src/ dir
+        npm_src = _find_npm_pkg_src()
+        if npm_src:
+            req_file = npm_src / "requirements.txt"
+    if not req_file.exists():
+        return None  # No requirements file, skip
+    venv_pip = NEXO_HOME / ".venv" / "bin" / "pip"
+    if not venv_pip.exists():
+        venv_pip = NEXO_HOME / ".venv" / "bin" / "pip3"
+    if not venv_pip.exists():
+        # No venv, try system pip with --break-system-packages
+        try:
+            result = subprocess.run(
+                [sys.executable, "-m", "pip", "install", "--quiet", "-r", str(req_file), "--break-system-packages"],
+                capture_output=True, text=True, timeout=120,
+            )
+            if result.returncode != 0:
+                return f"pip install failed: {result.stderr or result.stdout}"
+        except Exception as e:
+            return f"pip install error: {e}"
+        return None
+    try:
+        result = subprocess.run(
+            [str(venv_pip), "install", "--quiet", "-r", str(req_file)],
+            capture_output=True, text=True, timeout=120,
+        )
+        if result.returncode != 0:
+            return f"pip install failed: {result.stderr or result.stdout}"
+    except Exception as e:
+        return f"pip install error: {e}"
+    return None
 def _run_migrations() -> str | None:
     """Run init_db() to apply pending migrations. Returns error or None."""
+    # In packaged mode, db/ lives in NEXO_HOME; in dev mode, in SRC_DIR
+    cwd = str(NEXO_HOME) if _PACKAGED_INSTALL else str(SRC_DIR)
     try:
         result = subprocess.run(
             [sys.executable, "-c", "import db; db.init_db()"],
-            cwd=str(SRC_DIR),
+            cwd=cwd,
             capture_output=True,
             text=True,
             timeout=30,
@@ -121,10 +227,12 @@ def _run_migrations() -> str | None:
 def _verify_import() -> str | None:
     """Verify server.py can be imported successfully."""
+    # In packaged mode, server.py lives in NEXO_HOME; in dev mode, in SRC_DIR
+    cwd = str(NEXO_HOME) if _PACKAGED_INSTALL else str(SRC_DIR)
     try:
         result = subprocess.run(
             [sys.executable, "-c", "import server"],
-            cwd=str(SRC_DIR),
+            cwd=cwd,
             capture_output=True,
             text=True,
             timeout=15,
@@ -136,27 +244,235 @@ def _verify_import() -> str | None:
     return None
+def _sync_hooks_to_home():
+    """Copy hook scripts from src/hooks/ to NEXO_HOME/hooks/ after update."""
+    import shutil
+    hooks_src = SRC_DIR / "hooks"
+    hooks_dest = NEXO_HOME / "hooks"
+    if not hooks_src.is_dir():
+        return
+    hooks_dest.mkdir(parents=True, exist_ok=True)
+    synced = 0
+    for f in hooks_src.iterdir():
+        if f.is_file() and f.suffix == ".sh":
+            dest = hooks_dest / f.name
+            shutil.copy2(str(f), str(dest))
+            os.chmod(str(dest), 0o755)
+            synced += 1
+    if synced:
+        print(f"[NEXO update] Synced {synced} hook(s) to {hooks_dest}", file=sys.stderr)
+def _backup_code_tree() -> tuple[str | None, str | None]:
+    """Snapshot NEXO_HOME code dirs before npm update. Returns (backup_dir, error)."""
+    timestamp = time.strftime("%Y-%m-%d-%H%M%S")
+    backup_dir = BACKUP_BASE / f"code-tree-{timestamp}"
+    # Directories and flat files that postinstall copies into NEXO_HOME
+    code_dirs = ["hooks", "plugins", "db", "cognitive", "dashboard", "rules", "crons", "scripts"]
+    code_files_glob = ["*.py", "requirements.txt"]
+    try:
+        backup_dir.mkdir(parents=True, exist_ok=True)
+        # Backup directories
+        for d in code_dirs:
+            src = NEXO_HOME / d
+            if src.is_dir():
+                shutil.copytree(src, backup_dir / d, dirs_exist_ok=True)
+        # Backup flat code files in NEXO_HOME root
+        for pattern in code_files_glob:
+            for f in NEXO_HOME.glob(pattern):
+                if f.is_file():
+                    shutil.copy2(f, backup_dir / f.name)
+        # Backup version.json
+        vf = NEXO_HOME / "version.json"
+        if vf.is_file():
+            shutil.copy2(vf, backup_dir / "version.json")
+    except Exception as e:
+        return None, f"Code tree backup failed: {e}"
+    return str(backup_dir), None
+def _restore_code_tree(backup_dir: str) -> str | None:
+    """Restore NEXO_HOME code dirs from a backup snapshot. Returns error or None."""
+    bdir = Path(backup_dir)
+    if not bdir.is_dir():
+        return f"Code tree backup dir not found: {backup_dir}"
+    try:
+        for item in bdir.iterdir():
+            dest = NEXO_HOME / item.name
+            if item.is_dir():
+                if dest.is_dir():
+                    shutil.rmtree(dest)
+                shutil.copytree(item, dest)
+            elif item.is_file():
+                shutil.copy2(item, dest)
+    except Exception as e:
+        return f"Code tree restore failed: {e}"
+    return None
+def _rollback_npm_package(target_version: str) -> str | None:
+    """Rollback nexo-brain npm package to a specific version.
+    Uses NEXO_SKIP_POSTINSTALL because we restore the code tree
+    from our own pre-update backup — no need for postinstall migration.
+    """
+    try:
+        result = subprocess.run(
+            ["npm", "install", "-g", f"nexo-brain@{target_version}"],
+            capture_output=True, text=True, timeout=120,
+            env={**os.environ, "NEXO_SKIP_POSTINSTALL": "1", "NEXO_HOME": str(NEXO_HOME)},
+        )
+        if result.returncode != 0:
+            return f"npm rollback failed: {result.stderr or result.stdout}"
+    except Exception as e:
+        return f"npm rollback error: {e}"
+    return None
+def _handle_packaged_update() -> str:
+    """Update a packaged (npm) install — no git repo available."""
+    old_version = _read_version()
+    # 1. Backup databases BEFORE any changes
+    backup_dir, backup_err = _backup_databases()
+    if backup_err:
+        return f"ABORTED at backup: {backup_err}"
+    # 2. Backup NEXO_HOME code tree BEFORE npm update
+    #    postinstall copies hooks/core/plugins/scripts into NEXO_HOME,
+    #    so we need a full snapshot to restore on failure.
+    code_backup_dir, code_err = _backup_code_tree()
+    if code_err:
+        return f"ABORTED at code tree backup: {code_err}"
+    # 3. Run npm update (postinstall.js will migrate NEXO_HOME in-place)
+    try:
+        result = subprocess.run(
+            ["npm", "update", "-g", "nexo-brain"],
+            capture_output=True, text=True, timeout=120,
+            env={**os.environ, "NEXO_HOME": str(NEXO_HOME)},
+        )
+        if result.returncode != 0:
+            # npm failed (including postinstall failures) — full rollback
+            if backup_dir:
+                _restore_databases(backup_dir)
+            if code_backup_dir:
+                _restore_code_tree(code_backup_dir)
+                # Reinstall pip deps from restored old requirements.txt
+                _reinstall_pip_deps()
+            rollback_err = _rollback_npm_package(old_version)
+            msg = f"ABORTED: npm update failed: {result.stderr or result.stdout}"
+            if rollback_err:
+                msg += f"\n  WARNING: npm rollback also failed: {rollback_err}"
+                msg += f"\n  Manual rollback: npm install -g nexo-brain@{old_version}"
+            return msg
+    except FileNotFoundError:
+        return "ABORTED: npm not found. Install Node.js to update packaged installs."
+    except Exception as e:
+        if backup_dir:
+            _restore_databases(backup_dir)
+        if code_backup_dir:
+            _restore_code_tree(code_backup_dir)
+            # Reinstall pip deps from restored old requirements.txt
+            _reinstall_pip_deps()
+        rollback_err = _rollback_npm_package(old_version)
+        msg = f"ABORTED: npm update error: {e}"
+        if rollback_err:
+            msg += f"\n  WARNING: npm rollback also failed: {rollback_err}"
+            msg += f"\n  Manual rollback: npm install -g nexo-brain@{old_version}"
+        return msg
+    new_version = _read_version()
+    if old_version == new_version:
+        return f"Already up to date (v{old_version}). No changes."
+    # 4. Post-npm verification steps
+    errors = []
+    # Reinstall pip deps for new version
+    pip_err = _reinstall_pip_deps()
+    if pip_err:
+        errors.append(f"pip deps: {pip_err}")
+    # Run migrations
+    mig_err = _run_migrations()
+    if mig_err:
+        errors.append(f"migrations: {mig_err}")
+    # Verify server can still import
+    verify_err = _verify_import()
+    if verify_err:
+        errors.append(f"verification: {verify_err}")
+    if errors:
+        # 5. Full rollback: restore code tree + DBs + pip deps + rollback npm package
+        if code_backup_dir:
+            tree_err = _restore_code_tree(code_backup_dir)
+        else:
+            tree_err = "no code tree backup available"
+        if backup_dir:
+            _restore_databases(backup_dir)
+        # Reinstall pip deps from the restored (old) requirements.txt
+        # so the venv matches the rolled-back code tree
+        pip_rollback_err = _reinstall_pip_deps() if not tree_err else None
+        rollback_err = _rollback_npm_package(old_version)
+        lines = [f"UPDATE FAILED (packaged install, v{old_version} -> v{new_version})"]
+        for err in errors:
+            lines.append(f"  ERROR: {err}")
+        lines.append(f"  Databases restored from: {backup_dir}")
+        if tree_err:
+            lines.append(f"  WARNING: code tree restore failed: {tree_err}")
+        else:
+            lines.append(f"  Code tree restored from: {code_backup_dir}")
+        if pip_rollback_err:
+            lines.append(f"  WARNING: pip deps rollback failed: {pip_rollback_err}")
+        elif not tree_err:
+            lines.append("  Python deps: reinstalled from old requirements.txt")
+        if rollback_err:
+            lines.append(f"  WARNING: npm rollback failed: {rollback_err}")
+            lines.append(f"  Manual rollback: npm install -g nexo-brain@{old_version}")
+        else:
+            lines.append(f"  npm package rolled back to v{old_version}")
+        lines.append("")
+        lines.append("Fix the errors above, then run nexo_update again.")
+        return "\n".join(lines)
+    lines = ["UPDATE SUCCESSFUL (packaged install)"]
+    lines.append(f"  Version: {old_version} -> {new_version}")
+    lines.append(f"  Backup: {backup_dir}")
+    lines.append("")
+    lines.append("MCP server restart needed to load new code.")
+    return "\n".join(lines)
 def handle_update(remote: str = "origin", branch: str = "main") -> str:
     """Pull latest NEXO code, backup databases, run migrations, and verify.
-    Full update flow:
-    1. Check for uncommitted changes in src/
+    Supports both git checkouts and packaged (npm) installs.
+    Full update flow (git):
+    1. Check for uncommitted changes in entire worktree
     2. Backup all .db files
     3. git pull
-    4. Run migrations if version changed
-    5. Verify server.py imports
-    6. Rollback on failure
+    4. Reinstall Python dependencies if version changed
+    5. Run migrations if version changed
+    6. Verify server.py imports
+    7. Rollback on failure (git reset --hard to saved commit)
     Args:
         remote: Git remote name (default: origin)
         branch: Git branch to pull (default: main)
     """
+    # Packaged install — no git repo
+    if not _is_git_repo():
+        return _handle_packaged_update()
     steps_done = []
     old_commit = None
     backup_dir = None
     try:
-        # Step 1: Check dirty
+        # Step 1: Check dirty (full worktree)
         dirty_err = _check_dirty()
         if dirty_err:
             return f"ABORTED: {dirty_err}"
@@ -164,6 +480,7 @@ def handle_update(remote: str = "origin", branch: str = "main") -> str:
         # Record current state
         old_version = _read_version()
+        old_req_hash = _requirements_hash()
         rc, old_commit, _ = _git("rev-parse", "HEAD")
         if rc != 0:
             return "ABORTED: Not a git repository or git not available."
@@ -180,39 +497,59 @@ def handle_update(remote: str = "origin", branch: str = "main") -> str:
             return f"ABORTED at git pull: {pull_err or pull_out}"
         steps_done.append("git-pull")
-        # Step 4: Check version change
+        # Step 4: Check version and dependency changes
         new_version = _read_version()
         version_changed = old_version != new_version
+        new_req_hash = _requirements_hash()
+        deps_changed = old_req_hash != new_req_hash
-        # Step 5: Run migrations if version changed
+        # Step 5: Reinstall pip dependencies if requirements.txt changed
+        if deps_changed or version_changed:
+            pip_err = _reinstall_pip_deps()
+            if pip_err:
+                raise RuntimeError(f"Pip install failed: {pip_err}")
+            steps_done.append("pip-deps")
+        # Step 6: Run migrations if version changed
         if version_changed:
             mig_err = _run_migrations()
             if mig_err:
                 raise RuntimeError(f"Migration failed: {mig_err}")
             steps_done.append("migrations")
-        # Step 6: Verify import
+        # Step 7: Verify import
         verify_err = _verify_import()
         if verify_err:
             raise RuntimeError(f"Verification failed: {verify_err}")
         steps_done.append("verify")
-        # Step 7: Sync crons with manifest
+        # Step 8: Sync crons with manifest
         cron_sync_result = ""
         try:
-            cron_sync_path = NEXO_CODE / "crons" / "sync.py"
+            cron_sync_path = SRC_DIR / "crons" / "sync.py"
             if cron_sync_path.exists():
-                import subprocess as _sp
-                r = _sp.run(
+                r = subprocess.run(
                     [sys.executable, str(cron_sync_path)],
                     capture_output=True, text=True, timeout=30,
-                    env={**os.environ, "NEXO_HOME": str(NEXO_HOME), "NEXO_CODE": str(NEXO_CODE)},
+                    env={**os.environ, "NEXO_HOME": str(NEXO_HOME), "NEXO_CODE": str(SRC_DIR)},
                 )
                 cron_sync_result = r.stdout.strip()
-                steps_done.append("cron-sync")
+                if r.returncode == 0:
+                    steps_done.append("cron-sync")
+                    # Refresh installed manifest only after successful sync
+                    _refresh_installed_manifest()
+                else:
+                    cron_sync_result = f"Cron sync failed (exit {r.returncode}): {r.stderr or r.stdout}"
         except Exception as e:
             cron_sync_result = f"Cron sync warning: {e}"
+        # Step 9: Sync hooks to NEXO_HOME
+        try:
+            _sync_hooks_to_home()
+            steps_done.append("hook-sync")
+        except Exception as e:
+            pass  # Non-critical, log in function
         # Build result
         if pull_out == "Already up to date.":
             return f"Already up to date (v{old_version}). No changes pulled."
@@ -224,22 +561,35 @@ def handle_update(remote: str = "origin", branch: str = "main") -> str:
             lines.append(f"  Version: {old_version} (unchanged)")
         lines.append(f"  Branch: {remote}/{branch}")
         lines.append(f"  Backup: {backup_dir}")
+        if "pip-deps" in steps_done:
+            lines.append("  Python deps: reinstalled")
         if version_changed:
             lines.append("  Migrations: applied")
         if "cron-sync" in steps_done:
             lines.append("  Crons: synced with manifest")
+        if "hook-sync" in steps_done:
+            lines.append("  Hooks: synced to NEXO_HOME")
         lines.append("")
         lines.append("MCP server restart needed to load new code.")
         return "\n".join(lines)
     except Exception as e:
-        # Rollback
+        # Rollback — use git checkout to saved commit (safer than reset --hard)
         rollback_lines = [f"UPDATE FAILED: {e}", "", "Rolling back..."]
         if old_commit and "git-pull" in steps_done:
+            # Full rollback: reset HEAD + index + worktree to old commit
             rc, _, err = _git("reset", "--hard", old_commit)
             if rc == 0:
-                rollback_lines.append(f"  Git: reset to {old_commit[:8]}")
+                rollback_lines.append(f"  Git: restored files to {old_commit[:8]}")
+                # Reinstall pip deps from the restored old requirements.txt
+                # so the venv matches the rolled-back code
+                if "pip-deps" in steps_done:
+                    pip_rb_err = _reinstall_pip_deps()
+                    if pip_rb_err:
+                        rollback_lines.append(f"  WARNING: pip deps rollback failed: {pip_rb_err}")
+                    else:
+                        rollback_lines.append("  Python deps: reinstalled from old requirements.txt")
             else:
                 rollback_lines.append(f"  Git rollback FAILED: {err}")

package/src/scripts/deep-sleep/apply_findings.py CHANGED Viewed

@@ -267,12 +267,27 @@ def create_skill(skill_data: dict) -> dict:
             return {"success": False, "error": f"Skill {skill_id} already exists", "id": skill_id}
         now = datetime.now().isoformat(timespec='seconds')
+        steps_json = json.dumps(steps) if isinstance(steps, list) else steps
+        gotchas_json = json.dumps(gotchas) if isinstance(gotchas, list) else gotchas
+        # Build markdown content from steps + gotchas
+        content_lines = [f"# {name}", "", description, "", "## Steps"]
+        for i, s in enumerate(steps if isinstance(steps, list) else json.loads(steps_json), 1):
+            content_lines.append(f"{i}. {s}")
+        gotchas_list = gotchas if isinstance(gotchas, list) else json.loads(gotchas_json)
+        if gotchas_list:
+            content_lines.extend(["", "## Gotchas"])
+            for g in gotchas_list:
+                content_lines.append(f"- {g}")
+        content = "\n".join(content_lines)
         conn.execute(
             """INSERT INTO skills
                (id, name, description, level, trust_score, tags, trigger_patterns,
-                source_sessions, linked_learnings, created_at, updated_at)
-               VALUES (?, ?, ?, 'draft', 50, ?, ?, ?, '[]', ?, ?)""",
-            (skill_id, name, description, tags, trigger_patterns, source_sessions, now, now),
+                source_sessions, linked_learnings, content, steps, gotchas, created_at, updated_at)
+               VALUES (?, ?, ?, 'draft', 50, ?, ?, ?, '[]', ?, ?, ?, ?, ?)""",
+            (skill_id, name, description, tags, trigger_patterns, source_sessions,
+             content, steps_json, gotchas_json, now, now),
         )
         conn.commit()
         conn.close()

package/src/scripts/deep-sleep/collect.py CHANGED Viewed

@@ -12,6 +12,7 @@ Environment variables:
 """
 import json
 import os
+import re
 import sqlite3
 import sys
 from datetime import datetime, timedelta
@@ -25,6 +26,32 @@ COGNITIVE_DB = NEXO_HOME / "data" / "cognitive.db"
 MIN_USER_MESSAGES = 3  # Skip trivial sessions
+# Patterns that indicate sensitive data (passwords, tokens, API keys, etc.)
+_SENSITIVE_PATTERNS = re.compile(
+    r'(?:'
+    r'sk-ant-[A-Za-z0-9_-]+'           # Anthropic API keys
+    r'|shpat_[A-Fa-f0-9]+'             # Shopify admin tokens
+    r'|shpss_[A-Fa-f0-9]+'             # Shopify shared secret
+    r'|sk-[A-Za-z0-9]{20,}'            # OpenAI-style keys
+    r'|ghp_[A-Za-z0-9]{36,}'           # GitHub PATs
+    r'|gho_[A-Za-z0-9]{36,}'           # GitHub OAuth tokens
+    r'|AIza[A-Za-z0-9_-]{35}'          # Google API keys
+    r'|ya29\.[A-Za-z0-9_-]+'           # Google OAuth tokens
+    r'|xox[bpsa]-[A-Za-z0-9-]+'        # Slack tokens
+    r'|EAAG[A-Za-z0-9]+'              # Meta/Facebook tokens
+    r'|[Pp]assword\s*[:=]\s*\S+'       # password: value or password=value
+    r'|[Ss]ecret\s*[:=]\s*\S+'         # secret: value
+    r'|[Tt]oken\s*[:=]\s*\S+'          # token: value
+    r'|[Aa]pi[_-]?[Kk]ey\s*[:=]\s*\S+'  # api_key: value
+    r')'
+)
+def _redact_sensitive(text: str) -> str:
+    """Replace sensitive patterns in text with [REDACTED]."""
+    return _SENSITIVE_PATTERNS.sub('[REDACTED]', text)
 # ── Transcript collection (kept from collect_transcripts.py) ──────────────
@@ -67,7 +94,7 @@ def extract_session(jsonl_path: Path) -> dict | None:
                         messages.append({
                             "role": "user",
                             "index": line_no,
-                            "text": content[:5000],
+                            "text": _redact_sensitive(content[:5000]),
                             "uuid": d.get("uuid", "")
                         })
                         user_msg_count += 1
@@ -83,16 +110,18 @@ def extract_session(jsonl_path: Path) -> dict | None:
                                 text_parts.append(block.get("text", ""))
                             elif block.get("type") == "tool_use":
                                 tool_input = block.get("input", {})
+                                raw_file = (
+                                    tool_input.get("file_path", "")
+                                    or str(tool_input.get("command", ""))[:100]
+                                ) if isinstance(tool_input, dict) else ""
                                 tool_uses.append({
                                     "tool": block.get("name", ""),
                                     "input_keys": list(tool_input.keys()) if isinstance(tool_input, dict) else [],
-                                    "file": (
-                                        tool_input.get("file_path", "")
-                                        or str(tool_input.get("command", ""))[:100]
-                                    ) if isinstance(tool_input, dict) else ""
+                                    "file": _redact_sensitive(raw_file)
                                 })
                     if text_parts:
                         combined = "\n".join(text_parts)[:5000]
+                        combined = _redact_sensitive(combined)
                         messages.append({
                             "role": "assistant",
                             "index": line_no,
@@ -332,12 +361,12 @@ def format_transcripts(sessions: list[dict]) -> str:
             role = "USER" if msg["role"] == "user" else "AGENT"
             idx = msg.get("index", "?")
             lines.append(f"\n[{role} @{idx}]")
-            lines.append(msg["text"])
+            lines.append(_redact_sensitive(msg["text"]))
         if session["tool_uses"]:
             lines.append(f"\n  -- Tool usage log --")
             for tu in session["tool_uses"]:
-                file_info = f" [{tu['file'][:80]}]" if tu.get("file") else ""
+                file_info = f" [{_redact_sensitive(tu['file'][:80])}]" if tu.get("file") else ""
                 lines.append(f"  - {tu['tool']}{file_info}")
     return "\n".join(lines)
@@ -447,12 +476,12 @@ def main():
             role = "USER" if msg["role"] == "user" else "AGENT"
             idx = msg.get("index", "?")
             lines.append(f"\n[{role} @{idx}]")
-            lines.append(msg["text"])
+            lines.append(_redact_sensitive(msg["text"]))
         if session["tool_uses"]:
             lines.append(f"\n  -- Tool usage log --")
             for tu in session["tool_uses"]:
-                file_info = f" [{tu['file'][:80]}]" if tu.get("file") else ""
+                file_info = f" [{_redact_sensitive(tu['file'][:80])}]" if tu.get("file") else ""
                 lines.append(f"  - {tu['tool']}{file_info}")
         session_text = "\n".join(lines)