nexo-brain 6.0.3 → 6.0.5

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "6.0.3",
+  "version": "6.0.5",
   "description": "Local cognitive runtime for Claude Code \u2014 persistent memory, overnight learning, doctor diagnostics, personal scripts, recovery-aware jobs, startup preflight, and optional dashboard/power helper.",
   "author": {
     "name": "NEXO Brain",

package/README.md

@@ -18,7 +18,7 @@
 
 [Watch the overview video](https://nexo-brain.com/watch/) · [Watch on YouTube](https://www.youtube.com/watch?v=i2lkGhKyVqI) · [Open the infographic](https://nexo-brain.com/assets/nexo-brain-infographic-v5.png)
 
-Version `6.0.3` is the current packaged-runtime line: double-fix release. (1) `resonance_tiers.json` is now published to `~/.nexo/brain/resonance_tiers.json` — the public contract path defined by v6.0.0 and consumed by NEXO Desktop ≥ 0.12.0. Pre-v6.0.3 the installer wrote it to `~/.nexo/resonance_tiers.json`, so Desktop failed to start Claude with *"NEXO Brain contract missing"* on every fresh install and every update from 6.0.0 / 6.0.1 / 6.0.2 unless the user copied the file by hand. An idempotent migration in `auto_update.py` promotes legacy runtimes on `nexo update`. (2) `nexo_guard_check` now persists the caller's SID on every `guard_checks` row (env `NEXO_SID` → env `CLAUDE_SESSION_ID` via `sessions.external_session_id` → most-recently-updated `sessions` row). Pre-v6.0.3 it hardcoded `session_id=""`, so `hook_guardrails._session_has_guard_check` never matched and strict-protocol sessions tripped *"no guard_check seen for this session"* after every successful call.
+Version `6.0.5` is the current packaged-runtime line: the strict pre-tool guardrail no longer blocks `Edit`/`Write` with *"unknown target"* when Claude Code's `PreToolUse` payload omits `session_id`. `process_pre_tool_event` now falls back to `$NEXO_HOME/coordination/.claude-session-id` (written by the SessionStart hook) before giving up, so a user who already called `nexo_startup` + `nexo_task_open` + `nexo_guard_check` + `nexo_track` stops seeing the block storm that several Claude Code versions triggered in 6.0.2–6.0.4. Fail-closed semantics are preserved: if neither the payload nor the coordination file yields a session id the guardrail still blocks with `missing_startup`. Release also lands a new `.github/workflows/tests.yml` that runs the full `pytest` suite on every PR — the hook-guardrail regressions that shipped unnoticed in 6.0.2+ would have been caught by CI had this job existed then.
 
 Previously in `6.0.2`: adds the reserved caller prefix `personal/*` so scripts living in `~/.nexo/scripts/` can invoke the automation backend with their own caller id without editing `src/resonance_map.py`. New kwarg `tier` (`"maximo"` / `"alto"` / `"medio"` / `"bajo"`) on `run_automation_prompt`, `run_automation_interactive`, `nexo_helper.run_automation_text`, `nexo_helper.run_automation_json`, and `nexo-agent-run.py --tier`. Precedence for `personal/*` callers: explicit `tier=` → explicit `reasoning_effort=` → `calibration.preferences.default_resonance` → `DEFAULT_RESONANCE` (`alto`). Registered callers keep their behaviour unchanged. New guide: [`docs/personal-scripts-guide.md`](docs/personal-scripts-guide.md).
 

package/bin/nexo-brain.js

@@ -93,10 +93,50 @@ const RESONANCE_TIER_NAMES = ["maximo", "alto", "medio", "bajo"];
 const DEFAULT_RESONANCE_TIER = _RESONANCE_TIERS.default_tier || "alto";
 
 function isEphemeralInstall(nexoHome) {
-  const homeDir = require("os").homedir();
+  const os = require("os");
+  const homeDir = os.homedir();
   const allowEphemeral = process.env.NEXO_ALLOW_EPHEMERAL_INSTALL === "1";
   if (allowEphemeral) return false;
-  return nexoHome.startsWith("/tmp/") || homeDir.startsWith("/tmp/");
+
+  const normalize = (candidate) => {
+    if (!candidate) return "";
+    let resolved = String(candidate);
+    try {
+      resolved = fs.realpathSync.native(resolved);
+    } catch {
+      try {
+        resolved = fs.realpathSync(resolved);
+      } catch {
+        resolved = path.resolve(resolved);
+      }
+    }
+    return resolved.replace(/\\/g, "/").replace(/\/+$/, "");
+  };
+
+  const tempRoots = new Set();
+  for (const root of [os.tmpdir(), "/tmp", "/var/folders", "/private/var/folders"]) {
+    const normalized = normalize(root);
+    if (!normalized) continue;
+    tempRoots.add(normalized);
+    if (normalized === "/tmp") {
+      tempRoots.add("/private/tmp");
+    } else if (normalized === "/private/tmp") {
+      tempRoots.add("/tmp");
+    } else if (normalized.startsWith("/var/")) {
+      tempRoots.add(`/private${normalized}`);
+    } else if (normalized.startsWith("/private/var/")) {
+      tempRoots.add(normalized.replace(/^\/private/, ""));
+    }
+  }
+
+  const isWithin = (candidate, root) => (
+    candidate === root || candidate.startsWith(`${root}/`)
+  );
+
+  return [nexoHome, homeDir]
+    .map(normalize)
+    .filter(Boolean)
+    .some((candidate) => Array.from(tempRoots).some((root) => isWithin(candidate, root)));
 }
 
 const rl = readline.createInterface({
@@ -3325,7 +3365,10 @@ ${doScan ? `- Stack: ${Object.keys(profileData.code.languages || {}).slice(0, 5)
   schedule = await maybeConfigurePublicContribution(schedule, useDefaults);
   schedule = await maybeConfigureFullDiskAccess(schedule, useDefaults, python);
   const enabledOptionals = { dashboard: doDashboard, automation: schedule.automation_enabled !== false };
-  if (isEphemeralInstall(NEXO_HOME)) {
+  const smokeTestMode = process.env.NEXO_TESTING_SMOKE === "1";
+  if (smokeTestMode) {
+    log("Smoke test mode detected — skipping LaunchAgents installation.");
+  } else if (isEphemeralInstall(NEXO_HOME)) {
     log("Ephemeral HOME/NEXO_HOME detected — skipping LaunchAgents installation.");
   } else {
     installAllProcesses(platform, python, NEXO_HOME, schedule, LAUNCH_AGENTS, enabledOptionals);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "6.0.3",
+  "version": "6.0.5",
   "mcpName": "io.github.wazionapps/nexo",
   "description": "NEXO Brain \u2014 Shared brain for AI agents. Persistent memory, semantic RAG, natural forgetting, metacognitive guard, trust scoring, 150+ MCP tools. Works with Claude Code, Codex, Claude Desktop & any MCP client. 100% local, free.",
   "homepage": "https://nexo-brain.com",

package/src/agent_runner.py

@@ -457,16 +457,75 @@ def _interactive_target_cwd(target: str | os.PathLike[str]) -> str:
     return str(Path.cwd())
 
 
+def _resolve_interactive_model_and_effort(
+    caller: str,
+    backend: str,
+    *,
+    preferences: dict | None = None,
+    tier: str | None = None,
+) -> tuple[str, str]:
+    """Return ``(model, effort)`` for an interactive launch.
+
+    v6.0.4 — interactive launchers (nexo chat, dashboard followup) were
+    picking the command flags straight from ``client_runtime_profiles``
+    (config/schedule.json), ignoring the user's ``default_resonance``
+    preference in calibration.json. That meant Preferences → "Alto"
+    never reached ``nexo chat`` even though the same preference was
+    applied correctly in headless runs (run_automation_prompt) and in
+    NEXO Desktop (lib/claude-runtime.js).
+
+    Resolution order (mirrors run_automation_prompt):
+      1. resonance_map → (model, effort) for the registered caller,
+         honouring user_default and the explicit tier override.
+      2. If the resonance_map is unavailable or returns blanks, fall
+         back to ``client_runtime_profiles`` so we stay backward
+         compatible with pre-6.0.0 installs missing resonance_tiers.json.
+    """
+    profile = resolve_client_runtime_profile(backend, preferences=preferences)
+    model = ""
+    effort = ""
+    try:
+        from resonance_map import resolve_model_and_effort
+
+        user_default = ""
+        if isinstance(preferences, dict):
+            user_default = str(preferences.get("default_resonance") or "").strip()
+        explicit_tier = (tier or "").strip() or None
+        mapped_model, mapped_effort = resolve_model_and_effort(
+            caller,
+            backend,
+            user_default=user_default or None,
+            explicit_tier=explicit_tier,
+        )
+        if mapped_model:
+            model = mapped_model
+        if mapped_effort:
+            effort = mapped_effort
+    except Exception:
+        # resonance_map missing or caller not registered — fall back to the
+        # legacy client_runtime_profiles path so nothing explodes.
+        pass
+    if not model:
+        model = profile.get("model", "")
+    if not effort:
+        effort = profile.get("reasoning_effort", "")
+    return model, effort
+
+
 def build_interactive_client_command(
     *,
     target: str | os.PathLike[str],
     client: str | None = None,
     preferences: dict | None = None,
+    caller: str = "nexo_chat",
+    tier: str | None = None,
 ) -> tuple[str, list[str]]:
     prefs = preferences or load_client_preferences()
     selected = resolve_terminal_client(client, preferences=prefs)
     target_path = str(Path(target).expanduser())
-    profile = resolve_client_runtime_profile(selected, preferences=prefs)
+    resolved_model, resolved_effort = _resolve_interactive_model_and_effort(
+        caller, selected, preferences=prefs, tier=tier
+    )
     startup_prompt = _interactive_startup_prompt(selected)
 
     if selected == CLIENT_CLAUDE_CODE:
@@ -476,10 +535,10 @@ def build_interactive_client_command(
                 "Claude Code launcher not found in PATH. Install `claude` first."
             )
         cmd = [claude_bin]
-        if profile["model"]:
-            cmd.extend(["--model", profile["model"]])
-        if profile["reasoning_effort"]:
-            cmd.extend(["--effort", profile["reasoning_effort"]])
+        if resolved_model:
+            cmd.extend(["--model", resolved_model])
+        if resolved_effort:
+            cmd.extend(["--effort", resolved_effort])
         cmd.append("--dangerously-skip-permissions")
         if startup_prompt:
             cmd.append(startup_prompt)
@@ -495,10 +554,10 @@ def build_interactive_client_command(
         bootstrap_prompt = _load_client_bootstrap_prompt(CLIENT_CODEX)
         if bootstrap_prompt and not _codex_managed_initial_messages_enabled():
             cmd.extend(["-c", _codex_initial_messages_config(bootstrap_prompt)])
-        if profile["model"]:
-            cmd.extend(["-m", profile["model"]])
-        if profile["reasoning_effort"]:
-            cmd.extend(["-c", f'model_reasoning_effort="{profile["reasoning_effort"]}"'])
+        if resolved_model:
+            cmd.extend(["-m", resolved_model])
+        if resolved_effort:
+            cmd.extend(["-c", f'model_reasoning_effort="{resolved_effort}"'])
         cmd.extend(["-C", target_path])
         if startup_prompt:
             cmd.append(startup_prompt)
@@ -548,8 +607,14 @@ def run_automation_interactive(
     the interactive surface honours whatever the user selected.
     """
     prefs = preferences or load_client_preferences()
+    # v6.0.4 — caller+tier propagate into the builder so interactive launches
+    # honour default_resonance (previously ignored for nexo chat).
     resolved_client, cmd = build_interactive_client_command(
-        target=target, client=client, preferences=prefs
+        target=target,
+        client=client,
+        preferences=prefs,
+        caller=caller,
+        tier=(tier or "").strip() or None,
     )
     launch_env = os.environ.copy()
     if env:
@@ -616,10 +681,14 @@ def build_followup_terminal_shell_command(
     client: str | None = None,
     preferences: dict | None = None,
     cwd: str | os.PathLike[str] | None = None,
+    caller: str = "nexo_followup_terminal",
+    tier: str | None = None,
 ) -> tuple[str, str]:
     prefs = preferences or load_client_preferences()
     selected = resolve_terminal_client(client, preferences=prefs)
-    profile = resolve_client_runtime_profile(selected, preferences=prefs)
+    resolved_model, resolved_effort = _resolve_interactive_model_and_effort(
+        caller, selected, preferences=prefs, tier=tier
+    )
     prompt = f"NEXO: execute followup from file $(cat {followup_reference})"
 
     if selected == CLIENT_CLAUDE_CODE:
@@ -629,10 +698,10 @@ def build_followup_terminal_shell_command(
                 "Claude Code launcher not found in PATH. Install `claude` first."
             )
         cmd = [claude_bin]
-        if profile["model"]:
-            cmd.extend(["--model", profile["model"]])
-        if profile["reasoning_effort"]:
-            cmd.extend(["--effort", profile["reasoning_effort"]])
+        if resolved_model:
+            cmd.extend(["--model", resolved_model])
+        if resolved_effort:
+            cmd.extend(["--effort", resolved_effort])
         cmd.extend(["--dangerously-skip-permissions", prompt])
         return selected, shlex.join(cmd)
 
@@ -647,10 +716,10 @@ def build_followup_terminal_shell_command(
         bootstrap_prompt = _load_client_bootstrap_prompt(CLIENT_CODEX)
         if bootstrap_prompt and not _codex_managed_initial_messages_enabled():
             cmd.extend(["-c", _codex_initial_messages_config(bootstrap_prompt)])
-        if profile["model"]:
-            cmd.extend(["-m", profile["model"]])
-        if profile["reasoning_effort"]:
-            cmd.extend(["-c", f'model_reasoning_effort="{profile["reasoning_effort"]}"'])
+        if resolved_model:
+            cmd.extend(["-m", resolved_model])
+        if resolved_effort:
+            cmd.extend(["-c", f'model_reasoning_effort="{resolved_effort}"'])
         cmd.extend(["-C", target_cwd, prompt])
         return selected, shlex.join(cmd)
 

package/src/auto_update.py

@@ -18,7 +18,18 @@ import time
 from pathlib import Path
 
 from runtime_home import export_resolved_nexo_home, managed_nexo_home
-from tree_hygiene import is_duplicate_artifact_name
+
+try:
+    from tree_hygiene import is_duplicate_artifact_name
+except ModuleNotFoundError as exc:
+    if getattr(exc, "name", "") != "tree_hygiene":
+        raise
+
+    # Older installed runtimes may update into code that references
+    # tree_hygiene.py before that module has been copied over. Fall back
+    # to "no duplicate" so the update can complete and deliver the module.
+    def is_duplicate_artifact_name(_path) -> bool:
+        return False
 
 NEXO_HOME = export_resolved_nexo_home()
 DATA_DIR = NEXO_HOME / "data"

package/src/client_sync.py

@@ -542,9 +542,31 @@ CORE_HOOK_SPECS = [
     },
 ]
 
+# Claude Code can retain legacy managed hooks from older/plugin-style installs
+# or from transient test runtimes. Treat their handler basenames as managed so
+# the next sync prunes them instead of leaving broken duplicates behind.
 LEGACY_CORE_HOOK_IDENTITIES_BY_EVENT = {
+    "SessionStart": {
+        "session_start.py",
+    },
+    "Stop": {
+        "stop.py",
+    },
+    "UserPromptSubmit": {
+        "auto_capture.py",
+    },
     "PostToolUse": {
         "heartbeat-guard.sh",
+        "post_tool_use.py",
+    },
+    "PreCompact": {
+        "pre_compact.py",
+    },
+    "Notification": {
+        "notification.py",
+    },
+    "SubagentStop": {
+        "subagent_stop.py",
     },
 }
 
@@ -599,7 +621,7 @@ def _hook_identity(command: str) -> str:
     text = str(command or "")
     if ".session-start-ts" in text:
         return "session-start-ts"
-    match = re.search(r"([A-Za-z0-9._-]+\.sh)\b", text)
+    match = re.search(r"([A-Za-z0-9._-]+\.(?:sh|py))\b", text)
     if match:
         return match.group(1)
     return text.strip()

package/src/hook_guardrails.py

@@ -429,6 +429,38 @@ def _collect_automation_live_repo_blocks(
     return blocks
 
 
+def _read_claude_session_id_from_coordination() -> str:
+    """Fallback claude_session_id when Claude Code's PreToolUse payload omits it.
+
+    SessionStart hook writes the active Claude Code session UUID to
+    ``<NEXO_HOME>/coordination/.claude-session-id``. When the PreToolUse
+    payload omits ``session_id`` (observed across several Claude Code
+    versions), the pre-tool guardrail would lose correlation with the open
+    NEXO session and block every write with "unknown target" (learning
+    #411). Reading the coordination file restores the correlation without
+    relaxing fail-closed semantics: if the file is missing or empty the
+    caller still blocks.
+    """
+    candidates = []
+    nexo_home = os.environ.get("NEXO_HOME", "").strip()
+    if nexo_home:
+        candidates.append(Path(nexo_home).expanduser() / "coordination" / ".claude-session-id")
+    candidates.append(Path.home() / ".nexo" / "coordination" / ".claude-session-id")
+    seen: set[str] = set()
+    for path in candidates:
+        key = str(path)
+        if key in seen:
+            continue
+        seen.add(key)
+        try:
+            value = path.read_text().strip()
+        except (FileNotFoundError, OSError):
+            continue
+        if value:
+            return value
+    return ""
+
+
 def process_pre_tool_event(payload: dict) -> dict:
     tool_name = str(payload.get("tool_name", "")).strip()
     op = _operation_kind(tool_name)
@@ -439,7 +471,10 @@ def process_pre_tool_event(payload: dict) -> dict:
     files = _extract_touched_files(tool_input)
     strictness = get_protocol_strictness()
     conn = get_db()
-    sid = _resolve_nexo_sid(conn, str(payload.get("session_id", "")))
+    claude_sid = str(payload.get("session_id", "") or "").strip()
+    if not claude_sid:
+        claude_sid = _read_claude_session_id_from_coordination()
+    sid = _resolve_nexo_sid(conn, claude_sid)
     automation_blocks = _collect_automation_live_repo_blocks(
         conn,
         sid=sid,

package/src/plugin_loader.py

@@ -10,7 +10,17 @@ import time
 
 from db import get_db
 from fastmcp.tools import Tool
-from tree_hygiene import is_duplicate_artifact_name
+
+try:
+    from tree_hygiene import is_duplicate_artifact_name
+except ModuleNotFoundError as exc:
+    if getattr(exc, "name", "") != "tree_hygiene":
+        raise
+
+    # Keep older runtimes bootable long enough to receive tree_hygiene.py
+    # during update; duplicate filtering will resume once the module lands.
+    def is_duplicate_artifact_name(_path) -> bool:
+        return False
 
 SERVER_DIR = os.path.dirname(os.path.abspath(__file__))
 PLUGINS_DIR = os.path.join(SERVER_DIR, "plugins")

package/src/plugins/update.py

@@ -11,7 +11,18 @@ import time
 from pathlib import Path
 
 from runtime_home import export_resolved_nexo_home
-from tree_hygiene import is_duplicate_artifact_name
+
+try:
+    from tree_hygiene import is_duplicate_artifact_name
+except ModuleNotFoundError as exc:
+    if getattr(exc, "name", "") != "tree_hygiene":
+        raise
+
+    # Older packaged runtimes may import update.py before tree_hygiene.py
+    # has been copied in. Allow the update to finish so the missing module
+    # can be delivered by the same upgrade.
+    def is_duplicate_artifact_name(_path) -> bool:
+        return False
 
 # db_guard landed in v5.5.5. When plugins/update.py is imported from a runtime
 # that still ships the v5.5.4 tree (e.g. mid-upgrade), the import will fail —

package/src/resonance_map.py

@@ -173,6 +173,10 @@ USER_FACING_CALLERS: dict[str, str] = {
     "nexo_chat": USE_USER_DEFAULT_SENTINEL,
     "desktop_new_session": USE_USER_DEFAULT_SENTINEL,
     "nexo_update_interactive": USE_USER_DEFAULT_SENTINEL,
+    # v6.0.4 — dashboard "Open followup in Terminal" spawns a fresh
+    # interactive Claude/Codex session. Treat it like nexo_chat so the
+    # user's default_resonance preference flows through.
+    "nexo_followup_terminal": USE_USER_DEFAULT_SENTINEL,
 }
 
 # System-owned callers. Grouped thematically for readability.

package/src/script_registry.py

@@ -304,6 +304,10 @@ def _is_ignored(path: Path) -> bool:
     """Check if file should be ignored entirely."""
     if path.name in _IGNORED_FILES:
         return True
+    if re.search(r"\.bak(?:-[\w.-]+)?$", path.name, re.IGNORECASE):
+        return True
+    if path.name.endswith("~"):
+        return True
     if path.name.startswith("."):
         return True
     try: