nexo-brain 3.2.0 → 4.0.1

package/src/doctor/providers/runtime.py

@@ -41,6 +41,7 @@ PROTECTED_MACOS_ROOTS = (
 IMMUNE_FRESHNESS = 3600  # 1 hour (runs every 30 min)
 WATCHDOG_FRESHNESS = 3600  # 1 hour (runs every 30 min)
 DEFAULT_CRON_THRESHOLD = 7200  # Fallback when manifest data is unavailable
+AUXILIARY_CORE_LAUNCHAGENT_IDS = {"dashboard", "prevent-sleep", "tcc-approve"}
 SPECIAL_LAUNCHAGENT_IDS = {"prevent-sleep", "tcc-approve"}
 SPECIAL_ENV_NORMALIZE_IDS = SPECIAL_LAUNCHAGENT_IDS
 OPTIONALS_FILE = NEXO_HOME / "config" / "optionals.json"
@@ -466,6 +467,7 @@ def _recent_codex_conditioned_file_discipline_status(*, days: int = 7, max_files
 
     for file_mtime, path in files:
         cwd = ""
+        protocol_active = False
         protocol_files: set[str] = set()
         guard_files: set[str] = set()
         guard_ack = False
@@ -496,9 +498,15 @@ def _recent_codex_conditioned_file_discipline_status(*, days: int = 7, max_files
                     args = _parse_jsonish_arguments(payload.get("arguments"))
 
                     if name in {"mcp__nexo__nexo_task_open", "nexo_task_open"}:
+                        protocol_active = True
                         protocol_files.update(_extract_declared_file_targets(args, cwd))
                         continue
-                    if name in {"mcp__nexo__nexo_guard_check", "nexo_guard_check"}:
+                    if name in {
+                        "mcp__nexo__nexo_guard_check",
+                        "nexo_guard_check",
+                        "mcp__nexo__nexo_guard_file_check",
+                        "nexo_guard_file_check",
+                    }:
                         guard_files.update(_extract_declared_file_targets(args, cwd))
                         continue
                     if name in {"mcp__nexo__nexo_task_acknowledge_guard", "nexo_task_acknowledge_guard"}:
@@ -522,8 +530,10 @@ def _recent_codex_conditioned_file_discipline_status(*, days: int = 7, max_files
                         session_touches += 1
                         status["conditioned_touches"] += 1
                         normalized = _normalize_path_token(touched)
+                        has_protocol = protocol_active or normalized in protocol_files
+                        has_guard_review = normalized in guard_files
                         if operation == "read":
-                            if normalized not in protocol_files and normalized not in guard_files:
+                            if not has_protocol and not has_guard_review:
                                 status["read_without_protocol"] += 1
                                 age_seconds = (
                                     event_age_seconds
@@ -537,7 +547,7 @@ def _recent_codex_conditioned_file_discipline_status(*, days: int = 7, max_files
                                     {"kind": "read_without_protocol", "file": touched, "tool": name}
                                 )
                         elif operation in {"write", "delete"}:
-                            if normalized not in protocol_files:
+                            if not has_protocol and not has_guard_review:
                                 status["write_without_protocol"] += 1
                                 if operation == "delete":
                                     status["delete_without_protocol"] += 1
@@ -884,7 +894,7 @@ def _launchagent_schedule_expectations() -> dict[str, dict]:
 
 
 def _managed_launchagent_plists() -> list[tuple[str, Path]]:
-    ids = set(SPECIAL_LAUNCHAGENT_IDS)
+    ids = set(AUXILIARY_CORE_LAUNCHAGENT_IDS)
     for cron_id, expected in _launchagent_schedule_expectations().items():
         if expected.get("schedule_configured"):
             ids.add(cron_id)
@@ -897,6 +907,60 @@ def _managed_launchagent_plists() -> list[tuple[str, Path]]:
     return plists
 
 
+def _known_nexo_launchagent_ids() -> set[str]:
+    ids = set(AUXILIARY_CORE_LAUNCHAGENT_IDS)
+    for cron_id, expected in _launchagent_schedule_expectations().items():
+        if expected.get("schedule_configured"):
+            ids.add(cron_id)
+    try:
+        from db import init_db, list_personal_script_schedules
+
+        init_db()
+        for schedule in list_personal_script_schedules():
+            cron_id = str(schedule.get("cron_id", "") or "").strip()
+            if cron_id:
+                ids.add(cron_id)
+    except Exception:
+        pass
+    return ids
+
+
+def _discover_actual_nexo_launchagent_ids() -> tuple[set[str], dict[str, str]]:
+    ids: set[str] = set()
+    evidence: dict[str, str] = {}
+
+    if LAUNCH_AGENTS_DIR.is_dir():
+        for plist_path in sorted(LAUNCH_AGENTS_DIR.glob("com.nexo.*.plist")):
+            cron_id = plist_path.stem.removeprefix("com.nexo.")
+            ids.add(cron_id)
+            evidence.setdefault(cron_id, f"plist on disk: {plist_path}")
+
+    if platform.system() != "Darwin":
+        return ids, evidence
+
+    try:
+        result = subprocess.run(
+            ["launchctl", "list"],
+            capture_output=True,
+            text=True,
+            timeout=3,
+        )
+    except Exception:
+        return ids, evidence
+
+    for raw_line in (result.stdout or "").splitlines():
+        parts = raw_line.split()
+        if not parts:
+            continue
+        label = parts[-1].strip()
+        if not label.startswith("com.nexo."):
+            continue
+        cron_id = label.removeprefix("com.nexo.")
+        ids.add(cron_id)
+        evidence.setdefault(cron_id, f"loaded in launchctl: {label}")
+    return ids, evidence
+
+
 def _extract_launchctl_value(output: str, prefix: str) -> str | None:
     for line in output.splitlines():
         stripped = line.strip()
@@ -1462,6 +1526,58 @@ def check_launchagent_integrity(fix: bool = False) -> DoctorCheck:
     return check
 
 
+def check_launchagent_inventory() -> DoctorCheck:
+    """Check that every discovered com.nexo LaunchAgent is known to core or the personal registry."""
+    if platform.system() != "Darwin":
+        return DoctorCheck(
+            id="runtime.launchagent_inventory",
+            tier="runtime",
+            status="healthy",
+            severity="info",
+            summary="LaunchAgent inventory check skipped on non-macOS",
+        )
+
+    actual_ids, actual_evidence = _discover_actual_nexo_launchagent_ids()
+    if not actual_ids:
+        return DoctorCheck(
+            id="runtime.launchagent_inventory",
+            tier="runtime",
+            status="healthy",
+            severity="info",
+            summary="No com.nexo LaunchAgents discovered on this Mac",
+        )
+
+    known_ids = _known_nexo_launchagent_ids()
+    unknown_ids = sorted(actual_ids - known_ids)
+    if not unknown_ids:
+        return DoctorCheck(
+            id="runtime.launchagent_inventory",
+            tier="runtime",
+            status="healthy",
+            severity="info",
+            summary=f"LaunchAgent inventory aligned ({len(actual_ids)} discovered, all known to NEXO)",
+        )
+
+    evidence = [actual_evidence.get(cron_id, f"com.nexo.{cron_id}") for cron_id in unknown_ids[:10]]
+    return DoctorCheck(
+        id="runtime.launchagent_inventory",
+        tier="runtime",
+        status="degraded",
+        severity="warn",
+        summary=f"Unknown com.nexo LaunchAgents detected ({len(unknown_ids)})",
+        evidence=evidence,
+        repair_plan=[
+            "If it is a personal automation, register/sync it through nexo scripts sync/reconcile",
+            "If it is a core helper, add it to the core LaunchAgent inventory instead of leaving it implicit",
+            "If it is retired, boot it out and remove its plist through the owning flow rather than editing plists by hand",
+        ],
+        escalation_prompt=(
+            "There are active or installed com.nexo LaunchAgents that NEXO cannot explain from the core manifest, "
+            "auxiliary core services, or the personal script registry."
+        ),
+    )
+
+
 def check_skill_health(fix: bool = False) -> DoctorCheck:
     """Check executable skill consistency and approval state."""
     try:
@@ -1567,6 +1683,7 @@ def check_personal_script_registry(fix: bool = False) -> DoctorCheck:
             "Run nexo scripts reconcile so declared schedules are recreated through the official flow",
             "Use nexo doctor --tier runtime --fix to apply the safe reconcile path for declared schedules",
             "Keep personal scripts in NEXO_HOME/scripts so updates do not collide with core",
+            "Prefer ps- prefixed filenames for new personal scripts so ownership stays obvious at a glance",
         ],
         escalation_prompt=(
             "Personal script metadata, files, and personal cron schedules are out of sync. "
@@ -1957,21 +2074,32 @@ def check_codex_conditioned_file_discipline() -> DoctorCheck:
     if not repair_plan:
         repair_plan.append("Keep using managed Codex bootstrap so conditioned-file discipline remains visible in transcripts")
 
+    no_open_conditioned_debt = debt_summary["available"] and debt_summary["open_total"] == 0
     historical_read_only = (
-        audit["read_without_protocol"] > 0
+        no_open_conditioned_debt
+        and audit["read_without_protocol"] > 0
         and audit["write_without_protocol"] == 0
         and audit["write_without_guard_ack"] == 0
         and audit["delete_without_protocol"] == 0
         and audit["delete_without_guard_ack"] == 0
-        and debt_summary["available"]
-        and debt_summary["open_total"] == 0
+    )
+    historical_write_drift = (
+        no_open_conditioned_debt
         and audit.get("latest_violation_age_seconds") is not None
-        and float(audit["latest_violation_age_seconds"]) >= 7200
+        and float(audit["latest_violation_age_seconds"]) >= 172800
+        and audit["write_without_protocol"] > 0
+        and audit["write_without_guard_ack"] == 0
+        and audit["delete_without_protocol"] == 0
+        and audit["delete_without_guard_ack"] == 0
     )
 
     if audit["write_without_protocol"] or audit["write_without_guard_ack"]:
-        status = "critical"
-        severity = "error"
+        if historical_write_drift:
+            status = "healthy"
+            severity = "info"
+        else:
+            status = "critical"
+            severity = "error"
     elif historical_read_only:
         status = "healthy"
         severity = "info"
@@ -1989,7 +2117,7 @@ def check_codex_conditioned_file_discipline() -> DoctorCheck:
         severity=severity,
         summary=(
             "Historical Codex conditioned-file drift has no open protocol debt"
-            if historical_read_only
+            if historical_read_only or historical_write_drift
             else "Recent Codex sessions respect conditioned-file discipline"
             if status == "healthy"
             else "Recent Codex sessions are bypassing conditioned-file discipline"
@@ -2655,6 +2783,7 @@ def run_runtime_checks(fix: bool = False) -> list[DoctorCheck]:
         safe_check(check_automation_telemetry),
         safe_check(check_state_watchers),
         safe_check(check_release_artifact_sync),
+        safe_check(check_launchagent_inventory),
         safe_check(check_launchagent_integrity, fix=fix),
         safe_check(check_personal_script_registry, fix=fix),
         safe_check(check_skill_health, fix=fix),

package/src/hook_guardrails.py

@@ -14,6 +14,30 @@ from protocol_settings import get_protocol_strictness
 READ_LIKE_TOOLS = {"Read"}
 WRITE_LIKE_TOOLS = {"Edit", "MultiEdit", "Write"}
 DELETE_LIKE_TOOLS = {"Delete"}
+NEXO_CODE_ROOT = Path(os.environ.get("NEXO_CODE", str(Path(__file__).resolve().parent))).expanduser().resolve()
+LIVE_REPO_ROOT = NEXO_CODE_ROOT.parent if NEXO_CODE_ROOT.name == "src" else NEXO_CODE_ROOT
+PUBLIC_REPO_DIRS = {
+    ".claude-plugin",
+    ".github",
+    "bin",
+    "clawhub-skill",
+    "community",
+    "docs",
+    "hooks",
+    "openclaw-plugin",
+    "src",
+    "templates",
+    "tests",
+}
+PUBLIC_REPO_FILES = {
+    ".mcp.json",
+    "CHANGELOG.md",
+    "LICENSE",
+    "README.md",
+    "docker-compose.yml",
+    "package-lock.json",
+    "package.json",
+}
 
 
 def _operation_kind(tool_name: str) -> str:
@@ -30,6 +54,57 @@ def _normalize_file_path(path: str) -> str:
     return _normalize_path_token(str(Path(path)))
 
 
+def _resolve_runtime_path(path: str) -> Path:
+    candidate = Path(str(path or "")).expanduser()
+    if not candidate.is_absolute():
+        candidate = Path.cwd() / candidate
+    return candidate.resolve()
+
+
+def _is_relative_to(candidate: Path, root: Path) -> bool:
+    try:
+        candidate.relative_to(root)
+        return True
+    except ValueError:
+        return False
+
+
+def _automation_live_repo_guard_enabled() -> bool:
+    return (
+        os.environ.get("NEXO_AUTOMATION", "").strip() == "1"
+        and os.environ.get("NEXO_PUBLIC_CONTRIBUTION", "").strip() != "1"
+    )
+
+
+def _has_git_marker(root: Path) -> bool:
+    return (root / ".git").exists()
+
+
+def _is_public_repo_surface(candidate: Path) -> bool:
+    try:
+        relative = candidate.relative_to(LIVE_REPO_ROOT)
+    except ValueError:
+        return False
+
+    parts = relative.parts
+    if not parts:
+        return False
+    if parts[0] in PUBLIC_REPO_DIRS:
+        return True
+    return len(parts) == 1 and parts[0] in PUBLIC_REPO_FILES
+
+
+def _is_live_repo_path(path: str) -> bool:
+    if not str(path or "").strip():
+        return False
+    try:
+        if not _has_git_marker(LIVE_REPO_ROOT):
+            return False
+        return _is_public_repo_surface(_resolve_runtime_path(path))
+    except Exception:
+        return False
+
+
 def _extract_touched_files(tool_input) -> list[str]:
     files: list[str] = []
     if not isinstance(tool_input, dict):
@@ -166,19 +241,74 @@ def _ensure_protocol_debt(
     )
 
 
+def _collect_automation_live_repo_blocks(
+    conn,
+    *,
+    sid: str,
+    tool_name: str,
+    files: list[str],
+) -> list[dict]:
+    if not _automation_live_repo_guard_enabled():
+        return []
+    blocks: list[dict] = []
+    for filepath in files:
+        if not _is_live_repo_path(filepath):
+            continue
+        debt = _ensure_protocol_debt(
+            conn,
+            session_id=sid,
+            task_id="",
+            debt_type="automation_live_repo_write_blocked",
+            severity="error",
+            evidence=(
+                f"{tool_name} attempted on {filepath} from an automation session against the live NEXO repo. "
+                "Use an isolated checkout/worktree or the public contribution Draft PR flow instead."
+            ),
+            file_token=filepath,
+        )
+        blocks.append(
+            {
+                "file": filepath,
+                "task_id": "",
+                "debt_id": debt.get("id"),
+                "debt_type": "automation_live_repo_write_blocked",
+                "reason_code": "automation_live_repo",
+            }
+        )
+    return blocks
+
+
 def process_pre_tool_event(payload: dict) -> dict:
-    strictness = get_protocol_strictness()
     tool_name = str(payload.get("tool_name", "")).strip()
     op = _operation_kind(tool_name)
-    if strictness == "lenient":
-        return {"ok": True, "skipped": True, "reason": "lenient mode", "strictness": strictness}
     if op not in {"write", "delete"}:
-        return {"ok": True, "skipped": True, "reason": "operation not blocked", "strictness": strictness}
+        return {"ok": True, "skipped": True, "reason": "operation not blocked", "strictness": get_protocol_strictness()}
 
     tool_input = payload.get("tool_input")
     files = _extract_touched_files(tool_input)
+    strictness = get_protocol_strictness()
     conn = get_db()
     sid = _resolve_nexo_sid(conn, str(payload.get("session_id", "")))
+    automation_blocks = _collect_automation_live_repo_blocks(
+        conn,
+        sid=sid,
+        tool_name=tool_name,
+        files=files,
+    )
+    if automation_blocks:
+        return {
+            "ok": True,
+            "session_id": sid,
+            "tool_name": tool_name,
+            "operation": op,
+            "strictness": strictness,
+            "blocks": automation_blocks,
+            "status": "blocked",
+        }
+
+    if strictness == "lenient":
+        return {"ok": True, "skipped": True, "reason": "lenient mode", "strictness": strictness}
+
     blocks: list[dict] = []
 
     if not sid:
@@ -438,11 +568,14 @@ def format_pretool_block_message(result: dict) -> str:
     if not blocks:
         return ""
     strictness = str(result.get("strictness") or "strict")
-    header = (
-        "NEXO LEARNING MODE BLOCKED THIS EDIT:"
-        if strictness == "learning"
-        else "NEXO STRICT MODE BLOCKED THIS EDIT:"
-    )
+    if any(item.get("reason_code") == "automation_live_repo" for item in blocks):
+        header = "NEXO AUTOMATION SAFETY BLOCKED THIS EDIT:"
+    else:
+        header = (
+            "NEXO LEARNING MODE BLOCKED THIS EDIT:"
+            if strictness == "learning"
+            else "NEXO STRICT MODE BLOCKED THIS EDIT:"
+        )
     lines = [header]
     for item in blocks:
         file_note = item["file"] or "(unknown target)"
@@ -450,6 +583,11 @@ def format_pretool_block_message(result: dict) -> str:
             lines.append(
                 f"- Start the shared-brain session first: call `nexo_startup`, then `nexo_task_open`, before editing {file_note}."
             )
+        elif item.get("reason_code") == "automation_live_repo":
+            lines.append(
+                f"- {file_note}: automation sessions cannot write to the live NEXO repo. "
+                "Use an isolated checkout/worktree or the public contribution Draft PR flow."
+            )
         elif item.get("reason_code") == "guard_unacknowledged":
             lines.append(
                 f"- {file_note}: task {item['task_id']} still has blocking guard debt. Acknowledge it with `nexo_task_acknowledge_guard` before retrying."

package/src/hooks/pre-compact.sh

@@ -5,6 +5,7 @@
 # 2. Injects a systemMessage telling the operator to save any WIP via MCP tools
 set -uo pipefail
 
+HOOK_DIR="$(cd "$(dirname "$0")" && pwd)"
 NEXO_HOME="${NEXO_HOME:-$HOME/.nexo}"
 NEXO_DB="$NEXO_HOME/data/nexo.db"
 mkdir -p "$NEXO_HOME/data"
@@ -140,6 +141,23 @@ conn.execute('''
     VALUES (?, ?, '', ?, ?, 'auto-generated', 'auto', '', ?, 'pre-compact-hook')
 ''', (sid, decisions, pending, context_next, summary))
 conn.commit()
+
+# Layer 3: structured auto-flush for continuity and inspectability
+try:
+    import os
+    sys.path.insert(0, os.path.abspath(os.path.join('$HOOK_DIR', '..')))
+    import compaction_memory
+    compaction_memory.record_auto_flush(
+        session_id=sid,
+        task=task,
+        current_goal='',
+        log_file=log_file,
+        last_diary_ts=last_diary_ts,
+        source='pre-compact-hook',
+    )
+except Exception:
+    pass
+
 conn.close()
 " 2>/dev/null || true
 fi