nexo-brain 2.3.2 → 2.4.0

package/README.md

@@ -184,11 +184,11 @@ This means long sessions (8+ hours) feel like one continuous conversation instea
   "hooks": {
     "PreCompact": [{
       "matcher": "*",
-      "hooks": [{"type": "command", "command": "bash path/to/nexo/src/hooks/pre-compact.sh", "timeout": 10}]
+      "hooks": [{"type": "command", "command": "bash $NEXO_HOME/hooks/pre-compact.sh", "timeout": 10}]
     }],
     "PostCompact": [{
       "matcher": "*",
-      "hooks": [{"type": "command", "command": "bash path/to/nexo/src/hooks/post-compact.sh", "timeout": 10}]
+      "hooks": [{"type": "command", "command": "bash $NEXO_HOME/hooks/post-compact.sh", "timeout": 10}]
     }]
   }
 }
@@ -364,7 +364,13 @@ A web interface at `localhost:6174` with 6 interactive pages for visual insight
 | **Adaptive** | Personality signals, learned weights, and current mode |
 | **Sessions** | Active and historical sessions with timeline and diary entries |
 
-Built with FastAPI backend and D3.js frontend. Runs as a LaunchAgent, auto-starts with the system.
+Built with FastAPI backend and D3.js frontend. Dashboard files are installed to `NEXO_HOME/dashboard/` but must be started manually:
+
+```bash
+python3 ~/.nexo/dashboard/app.py
+```
+
+This opens `localhost:6174` in your browser. Add `--port 8080` to change the port or `--no-browser` to skip auto-opening.
 
 ## Full Orchestration System
 
@@ -499,9 +505,9 @@ atlas
 
 Under the hood, the alias runs:
 ```bash
-claude --append-system-prompt "You are NEXO. Run nexo_startup immediately, load context, greet the user." "."
+claude --dangerously-skip-permissions "."
 ```
-`--append-system-prompt` adds to the default system prompt without replacing it (preserves CLAUDE.md). The `"."` triggers the operator to start immediately.
+`--dangerously-skip-permissions` launches Claude Code with tool-use permissions pre-approved so the operator can act autonomously. The `"."` triggers the operator to start immediately. Operator behavior (startup, context, greeting) is defined in `~/.claude/CLAUDE.md`.
 
 That's it. No need to run `claude` manually. Your operator will greet you immediately — adapted to the time of day, resuming from where you left off if there's a previous session. No cold starts, no waiting for your input.
 
@@ -687,7 +693,7 @@ This replaces OpenClaw's default memory system with NEXO Brain's full cognitive
 
 ### Any MCP Client
 
-NEXO Brain works with any application that supports the MCP protocol. Configure it as an MCP server pointing to `server.py` in the code directory, with `NEXO_HOME` env var set.
+NEXO Brain works with any application that supports the MCP protocol. Configure it as an MCP server pointing to `server.py` inside `NEXO_HOME` (default `~/.nexo/server.py`), with the `NEXO_HOME` env var set to the same directory.
 
 ## Listed On
 

package/bin/nexo-brain.js

@@ -1880,22 +1880,33 @@ ${doScan ? `- Stack: ${Object.keys(profileData.code.languages || {}).slice(0, 5)
 
   // Detect shell and add alias
   const userShell = process.env.SHELL || "/bin/bash";
-  const rcFile = userShell.includes("zsh")
-    ? path.join(require("os").homedir(), ".zshrc")
-    : path.join(require("os").homedir(), ".bash_profile");
+  const homeDir = require("os").homedir();
+  const rcFiles = [];
 
-  let rcContent = "";
-  if (fs.existsSync(rcFile)) {
-    rcContent = fs.readFileSync(rcFile, "utf8");
+  if (userShell.includes("zsh")) {
+    rcFiles.push(path.join(homeDir, ".zshrc"));
+  } else {
+    // Bash: always write to .bash_profile (macOS login shells)
+    rcFiles.push(path.join(homeDir, ".bash_profile"));
+    // Also write to .bashrc (Linux interactive shells) — create if needed
+    const bashrc = path.join(homeDir, ".bashrc");
+    rcFiles.push(bashrc);
   }
 
-  if (!rcContent.includes(`alias ${aliasName}=`)) {
-    fs.appendFileSync(rcFile, `\n${aliasComment}\n${aliasLine}\n`);
-    log(`Added '${aliasName}' alias to ${path.basename(rcFile)}`);
-    log(`After setup, open a new terminal and type: ${aliasName}`);
-  } else {
-    log(`Alias '${aliasName}' already exists in ${path.basename(rcFile)}`);
+  for (const rcFile of rcFiles) {
+    let rcContent = "";
+    if (fs.existsSync(rcFile)) {
+      rcContent = fs.readFileSync(rcFile, "utf8");
+    }
+
+    if (!rcContent.includes(`alias ${aliasName}=`)) {
+      fs.appendFileSync(rcFile, `\n${aliasComment}\n${aliasLine}\n`);
+      log(`Added '${aliasName}' alias to ${path.basename(rcFile)}`);
+    } else {
+      log(`Alias '${aliasName}' already exists in ${path.basename(rcFile)}`);
+    }
   }
+  log(`After setup, open a new terminal and type: ${aliasName}`);
   console.log("");
 
   // Step 9: Generate CLAUDE.md template

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "2.3.2",
+  "version": "2.4.0",
   "mcpName": "io.github.wazionapps/nexo",
   "description": "NEXO — Cognitive co-operator for Claude Code. Memory, emotional intelligence, overnight learning (Deep Sleep), cron management, trust scoring, and adaptive calibration.",
   "bin": {

package/src/dashboard/app.py

@@ -616,13 +616,20 @@ async def api_ops_execute(fid: str):
     if not row:
         return JSONResponse({"error": f"Followup {fid} not found"}, status_code=404)
     item = dict(row)
-    description = item["description"].replace('"', '\\"').replace("'", "\\'")
     if platform.system() != "Darwin":
         return JSONResponse(
             {"error": "This operation requires macOS (uses osascript to open Terminal)"},
             status_code=501,
         )
-    script = f'tell application "Terminal" to do script "claude \\"NEXO: execute followup #{fid} — {description}\\""'
+    # Security: avoid interpolating user-controlled data into shell commands.
+    # Write the followup ID to a temp file and pass a safe, fixed command to osascript.
+    import tempfile
+    tmp = tempfile.NamedTemporaryFile(mode="w", suffix=".txt", prefix="nexo-followup-", delete=False)
+    tmp.write(fid)
+    tmp.close()
+    # The claude command reads the followup ID from the temp file — no shell interpolation of description
+    claude_cmd = f'claude \\"NEXO: execute followup from file $(cat {tmp.name})\\"'
+    script = f'tell application "Terminal" to do script "{claude_cmd}"'
     subprocess.Popen(["osascript", "-e", script])
     return {"success": True, "followup_id": fid}
 

package/src/dashboard/templates/calendar.html

@@ -303,7 +303,7 @@
             btn.innerHTML = `<svg class="w-3 h-3 spin" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path stroke-linecap="round" stroke-linejoin="round" d="M4 4v5h.582m15.356 2A8.001 8.001 0 004.582 9m0 0H9m11 11v-5h-.581m0 0a8.003 8.003 0 01-15.357-2m15.357 2H15"/></svg> Running`;
             btn.disabled = true;
             try {
-                const res = await fetch(`/api/followups/${id}/execute`, { method: 'POST' });
+                const res = await fetch(`/api/ops/execute/${id}`, { method: 'POST' });
                 const data = await res.json();
                 if (res.ok) {
                     btn.innerHTML = `<svg class="w-3 h-3" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2.5"><path stroke-linecap="round" stroke-linejoin="round" d="M5 13l4 4L19 7"/></svg> Done`;
@@ -311,13 +311,15 @@
                     // Reload items in background
                     await loadCalendarData();
                 } else {
-                    btn.innerHTML = '✗ Failed';
+                    const errMsg = data.error || data.detail || 'HTTP ' + res.status;
+                    btn.innerHTML = '✗ ' + errMsg;
+                    btn.title = errMsg;
                     btn.className = btn.className.replace('bg-violet-600 hover:bg-violet-500', 'bg-red-700');
-                    setTimeout(() => { btn.innerHTML = originalHtml; btn.disabled = false; btn.className = btn.className.replace('bg-red-700', 'bg-violet-600 hover:bg-violet-500'); }, 2000);
+                    setTimeout(() => { btn.innerHTML = originalHtml; btn.title = ''; btn.disabled = false; btn.className = btn.className.replace('bg-red-700', 'bg-violet-600 hover:bg-violet-500'); }, 3000);
                 }
             } catch(e) {
-                btn.innerHTML = '✗ Error';
-                setTimeout(() => { btn.innerHTML = originalHtml; btn.disabled = false; }, 2000);
+                btn.innerHTML = '✗ ' + e.message;
+                setTimeout(() => { btn.innerHTML = originalHtml; btn.disabled = false; }, 3000);
             }
         }
 

package/src/dashboard/templates/dashboard.html

@@ -310,9 +310,16 @@
   async function fetchJSON(url) {
     try {
       const res = await fetch(url);
-      if (!res.ok) return null;
+      if (!res.ok) {
+        let detail = `HTTP ${res.status}`;
+        try { const b = await res.json(); detail = b.error || b.detail || detail; } catch {}
+        throw new Error(detail);
+      }
       return await res.json();
-    } catch { return null; }
+    } catch (err) {
+      console.error(`fetchJSON(${url}):`, err);
+      return null;
+    }
   }
 
   function getToday() {
@@ -387,7 +394,7 @@
         closeModal();
         loadDashboardData();
       } else {
-        showToast(data.error || 'Failed to create');
+        showToast(data.error || data.detail || 'Create failed (HTTP ' + res.status + ')');
       }
     } catch (err) {
       showToast('Error: ' + err.message);

package/src/dashboard/templates/inbox.html

@@ -245,6 +245,11 @@
         async function loadMessages() {
             try {
                 const res = await fetch('/api/inbox?limit=200');
+                if (!res.ok) {
+                    let detail = `HTTP ${res.status}`;
+                    try { const b = await res.json(); detail = b.error || b.detail || detail; } catch {}
+                    throw new Error(detail);
+                }
                 const data = await res.json();
                 messages = data.notes || [];
                 messages.sort((a, b) => new Date(a.created_at) - new Date(b.created_at));
@@ -281,6 +286,11 @@
                     headers: { 'Content-Type': 'application/json' },
                     body: JSON.stringify(body)
                 });
+                if (!res.ok) {
+                    let detail = `HTTP ${res.status}`;
+                    try { const b = await res.json(); detail = b.error || b.detail || detail; } catch {}
+                    throw new Error(detail);
+                }
                 const data = await res.json();
                 textarea.value = '';
                 cancelReply();

package/src/dashboard/templates/operations.html

@@ -368,9 +368,16 @@
   async function fetchJSON(url) {
     try {
       const res = await fetch(url);
-      if (!res.ok) return null;
+      if (!res.ok) {
+        let detail = `HTTP ${res.status}`;
+        try { const b = await res.json(); detail = b.error || b.detail || detail; } catch {}
+        throw new Error(detail);
+      }
       return await res.json();
-    } catch { return null; }
+    } catch (err) {
+      console.error(`fetchJSON(${url}):`, err);
+      return null;
+    }
   }
 
   // -----------------------------------------------------------------------
@@ -538,56 +545,72 @@
   // Actions
   // -----------------------------------------------------------------------
   async function completeItem(id, type) {
-    const url = type === 'reminder' ? '/api/reminders/' + id : '/api/followups/' + id;
-    const res = await fetch(url, {
-      method: 'PUT',
-      headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({ status: 'COMPLETED' })
-    });
-    const data = await res.json();
-    if (data.success) {
-      showToast('Completed ' + id);
-      loadOpsData();
-    } else {
-      showToast(data.error || 'Failed', 'error');
+    try {
+      const url = type === 'reminder' ? '/api/reminders/' + id : '/api/followups/' + id;
+      const res = await fetch(url, {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ status: 'COMPLETED' })
+      });
+      const data = await res.json();
+      if (data.success) {
+        showToast('Completed ' + id);
+        loadOpsData();
+      } else {
+        showToast(data.error || data.detail || 'Complete failed (HTTP ' + res.status + ')', 'error');
+      }
+    } catch (err) {
+      showToast('Complete error: ' + err.message, 'error');
     }
   }
 
   async function moveItem(id, direction) {
-    const res = await fetch('/api/ops/move', {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({ id, direction })
-    });
-    const data = await res.json();
-    if (data.success) {
-      showToast('Moved ' + id + ' to ' + (direction === 'to_followup' ? 'NEXO' : 'User'));
-      loadOpsData();
-    } else {
-      showToast(data.error || 'Failed to move', 'error');
+    try {
+      const res = await fetch('/api/ops/move', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ id, direction })
+      });
+      const data = await res.json();
+      if (data.success) {
+        showToast('Moved ' + id + ' to ' + (direction === 'to_followup' ? 'NEXO' : 'User'));
+        loadOpsData();
+      } else {
+        showToast(data.error || data.detail || 'Move failed (HTTP ' + res.status + ')', 'error');
+      }
+    } catch (err) {
+      showToast('Move error: ' + err.message, 'error');
     }
   }
 
   async function executeItem(id) {
-    const res = await fetch('/api/ops/execute/' + id, { method: 'POST' });
-    const data = await res.json();
-    if (data.success) {
-      showToast('Executing ' + id, 'info');
-    } else {
-      showToast(data.error || 'Failed', 'error');
+    try {
+      const res = await fetch('/api/ops/execute/' + id, { method: 'POST' });
+      const data = await res.json();
+      if (data.success) {
+        showToast('Executing ' + id, 'info');
+      } else {
+        showToast(data.error || data.detail || 'Execute failed (HTTP ' + res.status + ')', 'error');
+      }
+    } catch (err) {
+      showToast('Execute error: ' + err.message, 'error');
     }
   }
 
   function deleteItem(id, type) {
     pendingConfirmAction = async () => {
-      const url = type === 'reminder' ? '/api/reminders/' + id : '/api/followups/' + id;
-      const res = await fetch(url, { method: 'DELETE' });
-      const data = await res.json();
-      if (data.success) {
-        showToast('Deleted ' + id);
-        loadOpsData();
-      } else {
-        showToast(data.error || 'Failed', 'error');
+      try {
+        const url = type === 'reminder' ? '/api/reminders/' + id : '/api/followups/' + id;
+        const res = await fetch(url, { method: 'DELETE' });
+        const data = await res.json();
+        if (data.success) {
+          showToast('Deleted ' + id);
+          loadOpsData();
+        } else {
+          showToast(data.error || data.detail || 'Delete failed (HTTP ' + res.status + ')', 'error');
+        }
+      } catch (err) {
+        showToast('Delete error: ' + err.message, 'error');
       }
     };
     document.getElementById('confirm-message').textContent = 'Delete ' + id + '? This cannot be undone.';
@@ -693,10 +716,10 @@
         closeModal();
         loadOpsData();
       } else {
-        showToast(data.error || 'Failed', 'error');
+        showToast(data.error || data.detail || 'Save failed (HTTP ' + res.status + ')', 'error');
       }
     } catch (err) {
-      showToast('Error: ' + err.message, 'error');
+      showToast('Save error: ' + err.message, 'error');
     }
   }
 

package/src/dashboard/templates/sessions.html

@@ -120,6 +120,11 @@
 
             try {
                 const resp = await fetch(`/api/sessions?limit=${PAGE_SIZE}&offset=${offset}`);
+                if (!resp.ok) {
+                    let detail = `HTTP ${resp.status}`;
+                    try { const b = await resp.json(); detail = b.error || b.detail || detail; } catch {}
+                    throw new Error(detail);
+                }
                 const data = await resp.json();
                 const sessions = data.sessions || [];
 
@@ -136,13 +141,19 @@
                     btn.disabled = false;
                 }
             } catch (err) {
-                btn.textContent = 'Error — retry';
+                btn.textContent = 'Error: ' + err.message + ' — retry';
                 btn.disabled = false;
             }
         }
 
         async function init() {
             const resp = await fetch(`/api/sessions?limit=${PAGE_SIZE}&offset=0`);
+            if (!resp.ok) {
+                let detail = `HTTP ${resp.status}`;
+                try { const b = await resp.json(); detail = b.error || b.detail || detail; } catch {}
+                document.getElementById('sessions').innerHTML = `<p class="text-sm text-red-400 text-center py-8">Error loading sessions: ${detail}</p>`;
+                return;
+            }
             const data = await resp.json();
             const sessions = data.sessions || [];
             const container = document.getElementById('sessions');

package/src/db/_schema.py

@@ -358,6 +358,14 @@ def _m17_cron_runs(conn):
     _migrate_add_index(conn, "idx_cron_runs_started", "cron_runs", "started_at")
 
 
+def _m18_skills_steps(conn):
+    # content: the full procedure — markdown with steps, gotchas, notes.
+    # Can also reference a script file via file_path column.
+    _migrate_add_column(conn, "skills", "content", "TEXT DEFAULT ''")
+    _migrate_add_column(conn, "skills", "steps", "TEXT DEFAULT '[]'")
+    _migrate_add_column(conn, "skills", "gotchas", "TEXT DEFAULT '[]'")
+
+
 MIGRATIONS = [
     (1, "learnings_columns", _m1_learnings_columns),
     (2, "followups_reasoning", _m2_followups_reasoning),
@@ -376,6 +384,7 @@ MIGRATIONS = [
     (15, "core_rules_tables", _m15_core_rules_tables),
     (16, "skills_tables", _m16_skills_tables),
     (17, "cron_runs", _m17_cron_runs),
+    (18, "skills_steps_column", _m18_skills_steps),
 ]
 
 

package/src/db/_skills.py

@@ -39,8 +39,17 @@ def create_skill(
     linked_learnings: list | str = '[]',
     file_path: str = '',
     trust_score: int = TRUST_INITIAL,
+    steps: list | str = '[]',
+    gotchas: list | str = '[]',
+    content: str = '',
 ) -> dict:
-    """Create a new skill entry."""
+    """Create a new skill entry.
+
+    Content can be:
+    - Markdown with numbered steps (auto-generated from steps/gotchas if empty)
+    - A reference to a script file (set file_path)
+    - Free-form procedure description
+    """
     if level not in VALID_LEVELS:
         return {"error": f"level must be one of: {', '.join(sorted(VALID_LEVELS))}"}
 
@@ -48,15 +57,31 @@ def create_skill(
     trigger_json = json.dumps(trigger_patterns) if isinstance(trigger_patterns, list) else trigger_patterns
     sessions_json = json.dumps(source_sessions) if isinstance(source_sessions, list) else source_sessions
     learnings_json = json.dumps(linked_learnings) if isinstance(linked_learnings, list) else linked_learnings
+    steps_json = json.dumps(steps) if isinstance(steps, list) else steps
+    gotchas_json = json.dumps(gotchas) if isinstance(gotchas, list) else gotchas
+
+    # Auto-generate content from steps/gotchas if not provided
+    if not content and steps:
+        steps_list = steps if isinstance(steps, list) else json.loads(steps_json)
+        gotchas_list = gotchas if isinstance(gotchas, list) else json.loads(gotchas_json)
+        lines = [f"# {name}", "", description, "", "## Steps"]
+        for i, s in enumerate(steps_list, 1):
+            lines.append(f"{i}. {s}")
+        if gotchas_list:
+            lines.extend(["", "## Gotchas"])
+            for g in gotchas_list:
+                lines.append(f"- {g}")
+        content = "\n".join(lines)
 
     conn = get_db()
     conn.execute(
         """INSERT INTO skills
            (id, name, description, level, trust_score, file_path, tags,
-            trigger_patterns, source_sessions, linked_learnings)
-           VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)""",
+            trigger_patterns, source_sessions, linked_learnings, content, steps, gotchas)
+           VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)""",
         (skill_id, name, description, level, trust_score, file_path,
-         tags_json, trigger_json, sessions_json, learnings_json),
+         tags_json, trigger_json, sessions_json, learnings_json,
+         content, steps_json, gotchas_json),
     )
     conn.commit()
 

package/src/hooks/capture-tool-logs.sh

@@ -24,18 +24,32 @@ TODAY=$(date +%Y-%m-%d)
 LOG_FILE="$LOG_DIR/${TODAY}.jsonl"
 
 # Build and write record with python3 (faster than jq on macOS when cached)
+# Security: redact output of credential-related tools to avoid plaintext secrets in logs
 echo "$INPUT" | python3 -c "
-import json, sys
+import json, sys, re
 from datetime import datetime
 d = json.load(sys.stdin)
+tool_name = d.get('tool_name', 'unknown')
+
+tool_input = d.get('tool_input')
+tool_response = d.get('tool_response')
+
+# Redact tools that handle credentials/secrets
+SENSITIVE_TOOLS = ('credential', 'secret', 'token', 'password', 'apikey', 'api_key')
+if any(kw in tool_name.lower() for kw in SENSITIVE_TOOLS):
+    tool_response = '[REDACTED]'
+    # Also redact input values (keep keys for debuggability)
+    if isinstance(tool_input, dict):
+        tool_input = {k: '[REDACTED]' if k not in ('servicio', 'service', 'name', 'key') else v for k, v in tool_input.items()}
+
 record = {
     'timestamp': datetime.utcnow().strftime('%Y-%m-%dT%H:%M:%SZ'),
     'session_id': d.get('session_id', 'unknown'),
-    'tool_name': d.get('tool_name', 'unknown'),
+    'tool_name': tool_name,
     'hook_event': d.get('hook_event_name', 'unknown'),
     'tool_use_id': d.get('tool_use_id'),
-    'tool_input': d.get('tool_input'),
-    'tool_response': d.get('tool_response'),
+    'tool_input': tool_input,
+    'tool_response': tool_response,
     'error': d.get('error')
 }
 print(json.dumps(record))

package/src/plugin_loader.py

@@ -87,6 +87,10 @@ def load_plugin(mcp, filename: str, plugins_dir: str | None = None) -> int:
     if not filename.endswith(".py"):
         filename += ".py"
 
+    # Reject path separators and traversal sequences before joining
+    if "/" in filename or "\\" in filename or ".." in filename:
+        raise ValueError(f"Invalid plugin filename (path separators or '..' not allowed): {filename}")
+
     if plugins_dir is not None:
         filepath = os.path.join(plugins_dir, filename)
         if not os.path.isfile(filepath):
@@ -106,6 +110,16 @@ def load_plugin(mcp, filename: str, plugins_dir: str | None = None) -> int:
                 f"Plugin not found in repo ({PLUGINS_DIR}) or personal ({PERSONAL_PLUGINS_DIR}): {filename}"
             )
 
+    # Security: reject path traversal — resolved path must stay inside allowed directories
+    real_path = os.path.realpath(filepath)
+    real_plugins = os.path.realpath(PLUGINS_DIR)
+    real_personal = os.path.realpath(PERSONAL_PLUGINS_DIR)
+    if not (real_path.startswith(real_plugins + os.sep) or real_path.startswith(real_personal + os.sep)):
+        raise ValueError(
+            f"Path traversal blocked: {filename!r} resolves to {real_path}, "
+            f"which is outside {real_plugins} and {real_personal}"
+        )
+
     module_name = f"plugins.{filename[:-3]}"
 
     # For personal plugins (outside repo), use spec_from_file_location

package/src/scripts/deep-sleep/apply_findings.py

@@ -267,12 +267,27 @@ def create_skill(skill_data: dict) -> dict:
             return {"success": False, "error": f"Skill {skill_id} already exists", "id": skill_id}
 
         now = datetime.now().isoformat(timespec='seconds')
+        steps_json = json.dumps(steps) if isinstance(steps, list) else steps
+        gotchas_json = json.dumps(gotchas) if isinstance(gotchas, list) else gotchas
+
+        # Build markdown content from steps + gotchas
+        content_lines = [f"# {name}", "", description, "", "## Steps"]
+        for i, s in enumerate(steps if isinstance(steps, list) else json.loads(steps_json), 1):
+            content_lines.append(f"{i}. {s}")
+        gotchas_list = gotchas if isinstance(gotchas, list) else json.loads(gotchas_json)
+        if gotchas_list:
+            content_lines.extend(["", "## Gotchas"])
+            for g in gotchas_list:
+                content_lines.append(f"- {g}")
+        content = "\n".join(content_lines)
+
         conn.execute(
             """INSERT INTO skills
                (id, name, description, level, trust_score, tags, trigger_patterns,
-                source_sessions, linked_learnings, created_at, updated_at)
-               VALUES (?, ?, ?, 'draft', 50, ?, ?, ?, '[]', ?, ?)""",
-            (skill_id, name, description, tags, trigger_patterns, source_sessions, now, now),
+                source_sessions, linked_learnings, content, steps, gotchas, created_at, updated_at)
+               VALUES (?, ?, ?, 'draft', 50, ?, ?, ?, '[]', ?, ?, ?, ?, ?)""",
+            (skill_id, name, description, tags, trigger_patterns, source_sessions,
+             content, steps_json, gotchas_json, now, now),
         )
         conn.commit()
         conn.close()

package/src/scripts/deep-sleep/collect.py

@@ -12,6 +12,7 @@ Environment variables:
 """
 import json
 import os
+import re
 import sqlite3
 import sys
 from datetime import datetime, timedelta
@@ -25,6 +26,32 @@ COGNITIVE_DB = NEXO_HOME / "data" / "cognitive.db"
 
 MIN_USER_MESSAGES = 3  # Skip trivial sessions
 
+# Patterns that indicate sensitive data (passwords, tokens, API keys, etc.)
+_SENSITIVE_PATTERNS = re.compile(
+    r'(?:'
+    r'sk-ant-[A-Za-z0-9_-]+'           # Anthropic API keys
+    r'|shpat_[A-Fa-f0-9]+'             # Shopify admin tokens
+    r'|shpss_[A-Fa-f0-9]+'             # Shopify shared secret
+    r'|sk-[A-Za-z0-9]{20,}'            # OpenAI-style keys
+    r'|ghp_[A-Za-z0-9]{36,}'           # GitHub PATs
+    r'|gho_[A-Za-z0-9]{36,}'           # GitHub OAuth tokens
+    r'|AIza[A-Za-z0-9_-]{35}'          # Google API keys
+    r'|ya29\.[A-Za-z0-9_-]+'           # Google OAuth tokens
+    r'|xox[bpsa]-[A-Za-z0-9-]+'        # Slack tokens
+    r'|EAAG[A-Za-z0-9]+'              # Meta/Facebook tokens
+    r'|[Pp]assword\s*[:=]\s*\S+'       # password: value or password=value
+    r'|[Ss]ecret\s*[:=]\s*\S+'         # secret: value
+    r'|[Tt]oken\s*[:=]\s*\S+'          # token: value
+    r'|[Aa]pi[_-]?[Kk]ey\s*[:=]\s*\S+'  # api_key: value
+    r')'
+)
+
+
+def _redact_sensitive(text: str) -> str:
+    """Replace sensitive patterns in text with [REDACTED]."""
+    return _SENSITIVE_PATTERNS.sub('[REDACTED]', text)
+
+
 # ── Transcript collection (kept from collect_transcripts.py) ──────────────
 
 
@@ -67,7 +94,7 @@ def extract_session(jsonl_path: Path) -> dict | None:
                         messages.append({
                             "role": "user",
                             "index": line_no,
-                            "text": content[:5000],
+                            "text": _redact_sensitive(content[:5000]),
                             "uuid": d.get("uuid", "")
                         })
                         user_msg_count += 1
@@ -83,16 +110,18 @@ def extract_session(jsonl_path: Path) -> dict | None:
                                 text_parts.append(block.get("text", ""))
                             elif block.get("type") == "tool_use":
                                 tool_input = block.get("input", {})
+                                raw_file = (
+                                    tool_input.get("file_path", "")
+                                    or str(tool_input.get("command", ""))[:100]
+                                ) if isinstance(tool_input, dict) else ""
                                 tool_uses.append({
                                     "tool": block.get("name", ""),
                                     "input_keys": list(tool_input.keys()) if isinstance(tool_input, dict) else [],
-                                    "file": (
-                                        tool_input.get("file_path", "")
-                                        or str(tool_input.get("command", ""))[:100]
-                                    ) if isinstance(tool_input, dict) else ""
+                                    "file": _redact_sensitive(raw_file)
                                 })
                     if text_parts:
                         combined = "\n".join(text_parts)[:5000]
+                        combined = _redact_sensitive(combined)
                         messages.append({
                             "role": "assistant",
                             "index": line_no,
@@ -332,12 +361,12 @@ def format_transcripts(sessions: list[dict]) -> str:
             role = "USER" if msg["role"] == "user" else "AGENT"
             idx = msg.get("index", "?")
             lines.append(f"\n[{role} @{idx}]")
-            lines.append(msg["text"])
+            lines.append(_redact_sensitive(msg["text"]))
 
         if session["tool_uses"]:
             lines.append(f"\n  -- Tool usage log --")
             for tu in session["tool_uses"]:
-                file_info = f" [{tu['file'][:80]}]" if tu.get("file") else ""
+                file_info = f" [{_redact_sensitive(tu['file'][:80])}]" if tu.get("file") else ""
                 lines.append(f"  - {tu['tool']}{file_info}")
 
     return "\n".join(lines)
@@ -447,12 +476,12 @@ def main():
             role = "USER" if msg["role"] == "user" else "AGENT"
             idx = msg.get("index", "?")
             lines.append(f"\n[{role} @{idx}]")
-            lines.append(msg["text"])
+            lines.append(_redact_sensitive(msg["text"]))
 
         if session["tool_uses"]:
             lines.append(f"\n  -- Tool usage log --")
             for tu in session["tool_uses"]:
-                file_info = f" [{tu['file'][:80]}]" if tu.get("file") else ""
+                file_info = f" [{_redact_sensitive(tu['file'][:80])}]" if tu.get("file") else ""
                 lines.append(f"  - {tu['tool']}{file_info}")
 
         session_text = "\n".join(lines)