nexo-brain 5.4.5 → 5.4.7

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "5.4.5",
+  "version": "5.4.7",
   "description": "Local cognitive runtime for Claude Code \u2014 persistent memory, overnight learning, doctor diagnostics, personal scripts, recovery-aware jobs, startup preflight, and optional dashboard/power helper.",
   "author": {
     "name": "NEXO Brain",

package/README.md

@@ -18,9 +18,9 @@
 
 [Watch the overview video](https://nexo-brain.com/watch/) · [Watch on YouTube](https://www.youtube.com/watch?v=i2lkGhKyVqI) · [Open the infographic](https://nexo-brain.com/assets/nexo-brain-infographic-v5.png)
 
-Version `5.4.5` is the current packaged-runtime line: test isolation for tree_hygiene module + fake venv to prevent CI timeout — completes the publish workflow fix from v5.4.3.
+Version `5.4.7` is the current packaged-runtime line: tool-enforcement-map.json for Protocol Enforcer — canonical map of all 247 tools with enforcement metadata, plus verify script.
 
-Previously in `5.4.0`: runtime event bus at `~/.nexo/runtime/events.ndjson`, `nexo notify`, `nexo health --json`, `nexo logs --tail --json`, and a safe flat→nested migration for `calibration.json`.
+Previously in `5.4.6`: runtime dependency management in `nexo update` + daily auto-update cron.
 
 Start here:
 - [5-minute quickstart](docs/quickstart-5-minutes.md)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "5.4.5",
+  "version": "5.4.7",
   "mcpName": "io.github.wazionapps/nexo",
   "description": "NEXO Brain — Shared brain for AI agents. Persistent memory, semantic RAG, natural forgetting, metacognitive guard, trust scoring, 150+ MCP tools. Works with Claude Code, Codex, Claude Desktop & any MCP client. 100% local, free.",
   "homepage": "https://nexo-brain.com",
@@ -60,6 +60,9 @@
   "scripts": {
     "postinstall": "node bin/postinstall.js"
   },
+  "runtimeDependencies": [
+    {"name": "@anthropic-ai/claude-code", "type": "npm-global", "optional": false}
+  ],
   "engines": {
     "node": ">=18"
   },

package/src/auto_update.py

@@ -2267,6 +2267,14 @@ def manual_sync_update(*, interactive: bool = False, allow_source_pull: bool = T
             sync_result["warnings"].append(
                 f"Preserved {len(copy_stats['script_conflicts'])} personal runtime script collision(s) in NEXO_HOME/scripts"
             )
+        # Update runtime dependencies (best-effort)
+        try:
+            from plugins.update import _update_runtime_dependencies, _format_dep_results
+            dep_results = _update_runtime_dependencies(progress_fn=progress_fn)
+            sync_result["runtime_dependencies"] = dep_results
+        except Exception:
+            pass  # Non-critical
+
         _emit_progress(progress_fn, "Runtime update completed.")
     except Exception as e:
         _emit_progress(progress_fn, "Update failed; restoring previous runtime state...")

package/src/cli.py

@@ -903,6 +903,17 @@ def _update(args):
                 print(f"  Personal schedules: {invalid} declarations need review")
             if result.get("pulled_source"):
                 print("  Source repo: pulled latest fast-forward before sync")
+            for dep in result.get("runtime_dependencies") or []:
+                dep_name = dep.get("name", "")
+                dep_status = dep.get("status", "")
+                if dep_status == "updated":
+                    print(f"  Dependencies: {dep_name} {dep.get('old_version')} -> {dep.get('new_version')}")
+                elif dep_status == "installed":
+                    print(f"  Dependencies: {dep_name} installed ({dep.get('new_version')})")
+                elif dep_status == "already_latest":
+                    print(f"  Dependencies: {dep_name} {dep.get('old_version')} (latest)")
+                elif dep_status == "failed":
+                    print(f"  WARNING: {dep_name} update failed: {dep.get('error', 'unknown')}")
             if choice.get("prompted"):
                 print(f"  Power policy: {runtime_power['format_power_policy_label'](choice.get('policy'))}")
             if power_result.get("message"):

package/src/crons/manifest.json

@@ -203,6 +203,18 @@
       "max_catchup_age": 0,
       "run_on_boot": true,
       "run_on_wake": true
+    },
+    {
+      "id": "auto-update",
+      "script": "scripts/nexo-auto-update.py",
+      "schedule": {"hour": 2, "minute": 0},
+      "description": "Daily auto-update — Brain + runtime dependencies",
+      "core": true,
+      "recovery_policy": "catchup",
+      "idempotent": true,
+      "max_catchup_age": 172800,
+      "run_on_boot": true,
+      "run_on_wake": true
     }
   ]
 }

package/src/plugins/update.py

@@ -2,6 +2,7 @@ from __future__ import annotations
 """Update plugin — pull latest code, backup DBs, run migrations, verify."""
 import json
 import os
+import re
 import shutil
 import sqlite3
 import subprocess
@@ -321,6 +322,237 @@ def _reinstall_pip_deps() -> str | None:
     return None
 
 
+def _read_runtime_dependencies() -> list[dict]:
+    """Read runtimeDependencies from package.json."""
+    for candidate in (PACKAGE_JSON, NEXO_HOME / "package.json"):
+        try:
+            if candidate.is_file():
+                data = json.loads(candidate.read_text())
+                deps = data.get("runtimeDependencies")
+                if isinstance(deps, list):
+                    return deps
+        except Exception:
+            continue
+    # Fallback: check the npm-installed package's package.json
+    npm_src = _find_npm_pkg_src()
+    if npm_src:
+        pkg = npm_src.parent / "package.json"
+        try:
+            if pkg.is_file():
+                data = json.loads(pkg.read_text())
+                deps = data.get("runtimeDependencies")
+                if isinstance(deps, list):
+                    return deps
+        except Exception:
+            pass
+    return []
+
+
+_VALID_NPM_NAME = re.compile(r'^(@[a-z0-9\-_.]+/)?[a-z0-9\-_.]+$')
+
+
+def _validate_npm_name(name: str) -> bool:
+    """Validate that a package name follows npm naming conventions."""
+    return bool(name) and bool(_VALID_NPM_NAME.match(name)) and ".." not in name
+
+
+def _get_npm_global_version(package_name: str) -> str | None:
+    """Return the currently installed global npm package version, or None."""
+    try:
+        result = subprocess.run(
+            ["npm", "list", "-g", package_name, "--json", "--depth=0"],
+            capture_output=True, text=True, timeout=15,
+        )
+        # npm list returns exit 1 with valid JSON for peer dep issues;
+        # always try to parse the output regardless of returncode.
+        if result.stdout.strip():
+            data = json.loads(result.stdout)
+            deps = data.get("dependencies", {})
+            info = deps.get(package_name)
+            if info and isinstance(info, dict):
+                return info.get("version")
+    except subprocess.TimeoutExpired:
+        pass
+    except FileNotFoundError:
+        pass  # npm not installed
+    except Exception:
+        pass
+    return None
+
+
+def _get_npm_registry_version(package_name: str) -> str | None:
+    """Return the latest version of a package from the npm registry."""
+    try:
+        result = subprocess.run(
+            ["npm", "view", package_name, "version"],
+            capture_output=True, text=True, timeout=15,
+        )
+        if result.returncode == 0 and result.stdout.strip():
+            return result.stdout.strip()
+    except subprocess.TimeoutExpired:
+        pass
+    except FileNotFoundError:
+        pass  # npm not installed
+    except Exception:
+        pass
+    return None
+
+
+def _update_runtime_dependencies(progress_fn=None) -> list[dict]:
+    """Update all declared runtimeDependencies. Returns a list of result dicts.
+
+    Each result dict contains:
+        name: package name
+        old_version: version before update (or None if not installed)
+        new_version: version after update (or None on failure)
+        status: "updated" | "already_latest" | "installed" | "failed" | "skipped"
+        error: error message (only when status == "failed")
+    """
+    deps = _read_runtime_dependencies()
+    if not deps:
+        return []
+
+    results = []
+    for dep in deps:
+        name = dep.get("name", "")
+        dep_type = dep.get("type", "")
+        optional = dep.get("optional", False)
+
+        if not name or dep_type != "npm-global":
+            results.append({
+                "name": name or "(unknown)",
+                "old_version": None,
+                "new_version": None,
+                "status": "skipped",
+            })
+            continue
+
+        if not _validate_npm_name(name):
+            results.append({
+                "name": name,
+                "old_version": None,
+                "new_version": None,
+                "status": "failed",
+                "error": f"invalid npm package name: {name!r}",
+            })
+            continue
+
+        _emit_progress(progress_fn, f"Checking runtime dependency: {name}...")
+
+        old_version = _get_npm_global_version(name)
+        latest_version = _get_npm_registry_version(name)
+
+        if old_version is None:
+            # Not installed
+            if optional:
+                results.append({
+                    "name": name,
+                    "old_version": None,
+                    "new_version": None,
+                    "status": "skipped",
+                })
+                continue
+            # Install it
+            _emit_progress(progress_fn, f"Installing {name}...")
+            try:
+                r = subprocess.run(
+                    ["npm", "install", "-g", name],
+                    capture_output=True, text=True, timeout=120,
+                )
+                if r.returncode == 0:
+                    new_version = _get_npm_global_version(name)
+                    results.append({
+                        "name": name,
+                        "old_version": None,
+                        "new_version": new_version,
+                        "status": "installed",
+                    })
+                else:
+                    results.append({
+                        "name": name,
+                        "old_version": None,
+                        "new_version": None,
+                        "status": "failed",
+                        "error": r.stderr or r.stdout or "npm install failed",
+                    })
+            except subprocess.TimeoutExpired:
+                results.append({
+                    "name": name, "old_version": None, "new_version": None,
+                    "status": "failed", "error": "npm install timed out (120s)",
+                })
+            except Exception as e:
+                results.append({
+                    "name": name, "old_version": None, "new_version": None,
+                    "status": "failed", "error": str(e),
+                })
+            continue
+
+        # Already installed — check if update needed
+        if latest_version and old_version == latest_version:
+            results.append({
+                "name": name,
+                "old_version": old_version,
+                "new_version": old_version,
+                "status": "already_latest",
+            })
+            continue
+
+        # Update
+        _emit_progress(progress_fn, f"Updating {name} {old_version} -> {latest_version or 'latest'}...")
+        try:
+            r = subprocess.run(
+                ["npm", "update", "-g", name],
+                capture_output=True, text=True, timeout=120,
+            )
+            if r.returncode == 0:
+                new_version = _get_npm_global_version(name) or latest_version
+                results.append({
+                    "name": name,
+                    "old_version": old_version,
+                    "new_version": new_version,
+                    "status": "updated" if new_version != old_version else "already_latest",
+                })
+            else:
+                results.append({
+                    "name": name,
+                    "old_version": old_version,
+                    "new_version": old_version,
+                    "status": "failed",
+                    "error": r.stderr or r.stdout or "npm update failed",
+                })
+        except subprocess.TimeoutExpired:
+            results.append({
+                "name": name, "old_version": old_version, "new_version": old_version,
+                "status": "failed", "error": "npm update timed out (120s)",
+            })
+        except Exception as e:
+            results.append({
+                "name": name, "old_version": old_version, "new_version": old_version,
+                "status": "failed", "error": str(e),
+            })
+
+    return results
+
+
+def _format_dep_results(dep_results: list[dict]) -> list[str]:
+    """Format runtime dependency results as human-readable lines."""
+    lines = []
+    for dep in dep_results:
+        name = dep.get("name", "")
+        status = dep.get("status", "")
+        old_v = dep.get("old_version")
+        new_v = dep.get("new_version")
+        if status == "updated":
+            lines.append(f"  Dependencies: {name} {old_v} -> {new_v}")
+        elif status == "installed":
+            lines.append(f"  Dependencies: {name} installed ({new_v})")
+        elif status == "already_latest":
+            lines.append(f"  Dependencies: {name} {old_v} (latest)")
+        elif status == "failed":
+            lines.append(f"  WARNING: {name} update failed: {dep.get('error', 'unknown')}")
+    return lines
+
+
 def _run_migrations() -> str | None:
     """Run init_db() to apply pending migrations. Returns error or None."""
     # In packaged mode, db/ lives in NEXO_HOME; in dev mode, in SRC_DIR
@@ -709,6 +941,13 @@ def _handle_packaged_update(progress_fn=None) -> str:
     except Exception as e:
         hook_sync_warning = f"{e}"
 
+    # Update runtime dependencies (best-effort, never aborts)
+    dep_results: list[dict] = []
+    try:
+        dep_results = _update_runtime_dependencies(progress_fn=progress_fn)
+    except Exception:
+        pass  # Non-critical
+
     client_sync_warning = None
     _emit_progress(progress_fn, "Refreshing shared client configs...")
     clients_ok, client_sync_error = _sync_packaged_clients()
@@ -774,6 +1013,7 @@ def _handle_packaged_update(progress_fn=None) -> str:
         lines.append(f"  WARNING: hook sync: {hook_sync_warning}")
     if retired_runtime_files:
         lines.append(f"  Cleanup: removed {len(retired_runtime_files)} retired runtime file(s)")
+    lines.extend(_format_dep_results(dep_results))
     if not client_sync_warning:
         lines.append("  Clients: configured client targets synced")
     else:
@@ -907,7 +1147,16 @@ def handle_update(remote: str = "origin", branch: str = "main", progress_fn=None
         except Exception as e:
             pass  # Non-critical, log in function
 
-        # Step 10: Sync shared client configs
+        # Step 10: Update runtime dependencies (best-effort, never aborts)
+        dep_results: list[dict] = []
+        try:
+            dep_results = _update_runtime_dependencies(progress_fn=progress_fn)
+            if dep_results:
+                steps_done.append("runtime-deps")
+        except Exception:
+            pass  # Non-critical
+
+        # Step 11: Sync shared client configs
         try:
             _emit_progress(progress_fn, "Refreshing shared client configs...")
             from client_sync import sync_all_clients
@@ -947,8 +1196,12 @@ def handle_update(remote: str = "origin", branch: str = "main", progress_fn=None
             pass  # Non-critical, configs can be re-synced later
 
         # Build result
+        dep_summary_lines = _format_dep_results(dep_results)
         if pull_out == "Already up to date.":
-            return f"Already up to date (v{old_version}). No changes pulled."
+            msg = f"Already up to date (v{old_version}). No changes pulled."
+            if dep_summary_lines:
+                msg += "\n" + "\n".join(dep_summary_lines)
+            return msg
 
         lines = ["UPDATE SUCCESSFUL"]
         if version_changed:
@@ -967,6 +1220,7 @@ def handle_update(remote: str = "origin", branch: str = "main", progress_fn=None
             lines.append("  Hooks: synced to NEXO_HOME")
         if retired_runtime_files:
             lines.append(f"  Cleanup: removed {len(retired_runtime_files)} retired runtime file(s)")
+        lines.extend(dep_summary_lines)
         if "client-sync" in steps_done:
             lines.append("  Clients: configured client targets synced")
         lines.append("")

package/src/scripts/nexo-auto-update.py

@@ -1,6 +1,151 @@
 #!/usr/bin/env python3
-"""DEPRECATED: Updates are handled automatically by NEXO on startup."""
+"""
+NEXO Auto-Update — Daily automatic update of Brain + runtime dependencies.
+
+Runs once daily via LaunchAgent. Executes the same update flow as `nexo update`:
+- Brain itself (git pull or npm update)
+- Runtime dependencies declared in package.json runtimeDependencies
+
+Zero interaction required. Logs results to NEXO_HOME/logs/auto-update.log.
+Idempotent — safe to run multiple times.
+"""
+
+import fcntl
+import json
+import os
+import subprocess
 import sys
-print("This script is deprecated. NEXO auto-updates on startup.")
-print("To update manually, use the nexo_update MCP tool.")
-sys.exit(0)
+import time
+from pathlib import Path
+
+NEXO_HOME = Path(os.environ.get("NEXO_HOME", str(Path.home() / ".nexo")))
+_script_dir = Path(__file__).resolve().parent
+_repo_src = _script_dir.parent
+NEXO_CODE = Path(os.environ.get("NEXO_CODE", str(_repo_src) if (_repo_src / "server.py").exists() else str(NEXO_HOME)))
+if str(NEXO_CODE) not in sys.path:
+    sys.path.insert(0, str(NEXO_CODE))
+
+LOG_DIR = NEXO_HOME / "logs"
+LOG_FILE = LOG_DIR / "auto-update.log"
+LOCK_FILE = NEXO_HOME / "data" / "auto-update.lock"
+MAX_LOG_SIZE = 512 * 1024  # 512 KB
+
+
+def _log(msg: str):
+    ts = time.strftime("%Y-%m-%d %H:%M:%S")
+    line = f"[{ts}] {msg}\n"
+    LOG_DIR.mkdir(parents=True, exist_ok=True)
+    # Rotate if too large
+    if LOG_FILE.exists() and LOG_FILE.stat().st_size > MAX_LOG_SIZE:
+        rotated = LOG_FILE.with_suffix(".log.1")
+        try:
+            LOG_FILE.rename(rotated)
+        except Exception:
+            pass
+    with open(LOG_FILE, "a") as f:
+        f.write(line)
+
+
+def _acquire_lock():
+    """Acquire an exclusive lock to prevent concurrent updates."""
+    LOCK_FILE.parent.mkdir(parents=True, exist_ok=True)
+    lock_fd = open(LOCK_FILE, "w")
+    try:
+        fcntl.flock(lock_fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
+        return lock_fd
+    except (IOError, OSError):
+        lock_fd.close()
+        return None
+
+
+def main():
+    lock_fd = _acquire_lock()
+    if lock_fd is None:
+        _log("Skipped: another auto-update is already running.")
+        return 0
+
+    try:
+        _log("Auto-update started.")
+
+        # Use `nexo update --json` via CLI for the full update flow
+        nexo_bin = NEXO_HOME / "bin" / "nexo"
+        if not nexo_bin.exists():
+            # Try the npm global bin
+            try:
+                result = subprocess.run(
+                    ["which", "nexo"],
+                    capture_output=True, text=True, timeout=5,
+                )
+                if result.returncode == 0 and result.stdout.strip():
+                    nexo_bin = Path(result.stdout.strip())
+            except subprocess.TimeoutExpired:
+                pass
+            except Exception:
+                pass
+
+        if not nexo_bin.exists():
+            _log("ERROR: nexo CLI not found. Cannot auto-update.")
+            return 1
+
+        try:
+            result = subprocess.run(
+                [str(nexo_bin), "update", "--json"],
+                capture_output=True, text=True,
+                timeout=300,  # 5 minutes max
+                env={**os.environ, "NEXO_HOME": str(NEXO_HOME), "NEXO_CODE": str(NEXO_CODE)},
+            )
+        except subprocess.TimeoutExpired:
+            _log("ERROR: Auto-update timed out after 300s.")
+            return 1
+
+        if result.returncode != 0:
+            _log(f"ERROR: nexo update failed (exit {result.returncode}): {result.stderr or result.stdout}")
+            return 1
+
+        # Parse and log results
+        try:
+            data = json.loads(result.stdout)
+        except (json.JSONDecodeError, ValueError):
+            _log(f"Update completed but output was not JSON: {result.stdout[:500]}")
+            return 0
+
+        # Log Brain update status
+        mode = data.get("mode", "unknown")
+        if "Already up to date" in str(data.get("message", "")):
+            _log(f"Brain: already up to date ({mode} mode).")
+        else:
+            version_info = ""
+            if data.get("version"):
+                version_info = f" v{data['version']}"
+            _log(f"Brain: updated{version_info} ({mode} mode).")
+
+        # Log runtime dependency results
+        deps = data.get("runtime_dependencies") or []
+        for dep in deps:
+            name = dep.get("name", "")
+            status = dep.get("status", "")
+            if status == "updated":
+                _log(f"Dependency: {name} {dep.get('old_version')} -> {dep.get('new_version')}")
+            elif status == "installed":
+                _log(f"Dependency: {name} installed ({dep.get('new_version')})")
+            elif status == "already_latest":
+                _log(f"Dependency: {name} {dep.get('old_version')} (latest)")
+            elif status == "failed":
+                _log(f"Dependency WARNING: {name} failed: {dep.get('error', 'unknown')}")
+
+        _log("Auto-update completed successfully.")
+        return 0
+
+    except Exception as e:
+        _log(f"ERROR: Unexpected error: {e}")
+        return 1
+    finally:
+        try:
+            fcntl.flock(lock_fd, fcntl.LOCK_UN)
+            lock_fd.close()
+        except Exception:
+            pass
+
+
+if __name__ == "__main__":
+    sys.exit(main())