nexo-brain 7.1.10 → 7.3.0

package/src/cli.py

@@ -1168,6 +1168,199 @@ def _recover(args):
     return _recover_cli_main(argv)
 
 
+def _rollback_f06(args):
+    """Revert the F0.6 layout migration using ``~/.nexo-pre-f06-snapshot``.
+
+    Safe two-stage swap: the current ``~/.nexo`` tree is renamed to a dated
+    backup (``~/.nexo-rollback-backup-YYYYMMDDHHMMSS``) BEFORE the snapshot is
+    restored in its place, so the operation never destroys state if it is
+    interrupted mid-way. LaunchAgents are booted out before the swap and
+    reloaded after (skip via ``--keep-agents-running``).
+    """
+    import json as _json
+    import shutil as _shutil
+    import subprocess as _subprocess
+    from datetime import datetime as _datetime
+    from pathlib import Path as _Path
+
+    nexo_home = _Path(os.environ.get("NEXO_HOME", str(_Path.home() / ".nexo")))
+    snapshot = _Path(str(nexo_home) + "-pre-f06-snapshot")
+    now_stamp = _datetime.now().strftime("%Y%m%d%H%M%S")
+    dry_run = bool(getattr(args, "dry_run", False))
+    emit_json = bool(getattr(args, "json", False))
+    assume_yes = bool(getattr(args, "yes", False))
+    keep_agents = bool(getattr(args, "keep_agents_running", False))
+
+    report: dict[str, object] = {
+        "nexo_home": str(nexo_home),
+        "snapshot": str(snapshot),
+        "snapshot_exists": snapshot.exists(),
+        "snapshot_is_dir": snapshot.is_dir() if snapshot.exists() else False,
+        "dry_run": dry_run,
+        "steps": [],
+        "status": "planned",
+    }
+
+    if not snapshot.exists() or not snapshot.is_dir():
+        report["status"] = "error_no_snapshot"
+        report["error"] = f"Pre-F0.6 snapshot not found at {snapshot}"
+        if emit_json:
+            print(_json.dumps(report, indent=2))
+        else:
+            print(f"ERROR: no pre-F0.6 snapshot at {snapshot}", file=sys.stderr)
+            print("       Rollback is only available immediately after a migration.", file=sys.stderr)
+        return 1
+
+    if nexo_home.exists():
+        backup_target = _Path(str(nexo_home) + f"-rollback-backup-{now_stamp}")
+        # Avoid collision if the operator retries in the same second.
+        collision_suffix = 0
+        while backup_target.exists():
+            collision_suffix += 1
+            backup_target = _Path(str(nexo_home) + f"-rollback-backup-{now_stamp}-{collision_suffix}")
+    else:
+        backup_target = None
+
+    agents_to_restart: list[_Path] = []
+    if not keep_agents:
+        agents_dir = _Path.home() / "Library" / "LaunchAgents"
+        if agents_dir.is_dir():
+            agents_to_restart = sorted(agents_dir.glob("com.nexo.*.plist"))
+
+    plan_steps: list[dict] = []
+    if agents_to_restart:
+        plan_steps.append({
+            "step": "bootout_launchagents",
+            "count": len(agents_to_restart),
+            "samples": [p.name for p in agents_to_restart[:5]],
+        })
+    if backup_target is not None:
+        plan_steps.append({
+            "step": "move_current_nexo_home_to_backup",
+            "from": str(nexo_home),
+            "to": str(backup_target),
+        })
+    plan_steps.append({
+        "step": "move_snapshot_to_nexo_home",
+        "from": str(snapshot),
+        "to": str(nexo_home),
+    })
+    if agents_to_restart:
+        plan_steps.append({
+            "step": "reload_launchagents",
+            "count": len(agents_to_restart),
+        })
+    report["steps"] = plan_steps
+
+    if dry_run:
+        report["status"] = "dry_run"
+        if emit_json:
+            print(_json.dumps(report, indent=2))
+        else:
+            print(f"nexo rollback f06 (DRY-RUN)")
+            print(f"  NEXO_HOME: {nexo_home}")
+            print(f"  snapshot:  {snapshot}")
+            if backup_target is not None:
+                print(f"  backup → {backup_target}")
+            if agents_to_restart:
+                print(f"  LaunchAgents to restart: {len(agents_to_restart)}")
+            print("  (no filesystem or launchctl changes were made)")
+        return 0
+
+    if not assume_yes:
+        if not (sys.stdin.isatty() and sys.stdout.isatty()):
+            print("ERROR: interactive confirmation required. Pass --yes to proceed non-interactively.", file=sys.stderr)
+            return 1
+        print("This will replace the current NEXO_HOME with the pre-F0.6 snapshot.")
+        print(f"  Current ~/.nexo → {backup_target if backup_target else '(nothing to back up, current missing)'}")
+        print(f"  Restored from snapshot → {nexo_home}")
+        if agents_to_restart:
+            print(f"  LaunchAgents affected: {len(agents_to_restart)}")
+        answer = input("Type 'ROLLBACK' to proceed: ").strip()
+        if answer != "ROLLBACK":
+            print("Aborted — exact token not typed.")
+            return 1
+
+    def _run_launchctl(cmd: list[str]) -> tuple[int, str]:
+        try:
+            proc = _subprocess.run(cmd, capture_output=True, text=True, timeout=30)
+            return proc.returncode, (proc.stderr or "").strip()
+        except _subprocess.TimeoutExpired as exc:
+            return 124, f"timeout: {exc}"
+        except FileNotFoundError:
+            return 127, "launchctl not found"
+        except Exception as exc:  # noqa: BLE001  — launchctl errors are varied
+            return 1, str(exc)
+
+    executed: list[dict] = []
+
+    if agents_to_restart and not keep_agents:
+        for plist in agents_to_restart:
+            rc, err = _run_launchctl(["launchctl", "unload", str(plist)])
+            executed.append({"op": "unload", "plist": str(plist), "rc": rc, "err": err})
+
+    if backup_target is not None:
+        try:
+            nexo_home.rename(backup_target)
+            executed.append({"op": "rename_home", "to": str(backup_target), "rc": 0})
+        except OSError as exc:
+            executed.append({"op": "rename_home", "to": str(backup_target), "rc": 1, "err": str(exc)})
+            report["status"] = "error_rename_home"
+            report["executed"] = executed
+            if emit_json:
+                print(_json.dumps(report, indent=2))
+            else:
+                print(f"ERROR: failed to move {nexo_home} → {backup_target}: {exc}", file=sys.stderr)
+                print("       No changes to snapshot. Current NEXO_HOME is intact.", file=sys.stderr)
+            return 1
+
+    try:
+        snapshot.rename(nexo_home)
+        executed.append({"op": "rename_snapshot", "to": str(nexo_home), "rc": 0})
+    except OSError as exc:
+        executed.append({"op": "rename_snapshot", "to": str(nexo_home), "rc": 1, "err": str(exc)})
+        # Best-effort rollback of the backup rename so the user isn't left without NEXO_HOME.
+        if backup_target is not None and backup_target.exists() and not nexo_home.exists():
+            try:
+                backup_target.rename(nexo_home)
+                executed.append({"op": "rollback_rename_home", "rc": 0})
+            except OSError as rexc:
+                executed.append({"op": "rollback_rename_home", "rc": 1, "err": str(rexc)})
+        report["status"] = "error_rename_snapshot"
+        report["executed"] = executed
+        if emit_json:
+            print(_json.dumps(report, indent=2))
+        else:
+            print(f"ERROR: failed to move snapshot → NEXO_HOME: {exc}", file=sys.stderr)
+        return 1
+
+    if agents_to_restart and not keep_agents:
+        for plist in agents_to_restart:
+            if not plist.exists():
+                # The snapshot may not have the same plist set; skip silently.
+                executed.append({"op": "load_skip_missing", "plist": str(plist), "rc": 0})
+                continue
+            rc, err = _run_launchctl(["launchctl", "load", str(plist)])
+            executed.append({"op": "load", "plist": str(plist), "rc": rc, "err": err})
+
+    report["status"] = "done"
+    report["executed"] = executed
+    if backup_target is not None:
+        report["backup_target"] = str(backup_target)
+
+    if emit_json:
+        print(_json.dumps(report, indent=2))
+    else:
+        print("nexo rollback f06: done")
+        print(f"  restored:  {nexo_home}")
+        if backup_target is not None:
+            print(f"  prior home saved at: {backup_target}")
+            print(f"    review and rm -rf {backup_target}  when you are sure.")
+        if agents_to_restart:
+            print(f"  LaunchAgents reloaded: {len(agents_to_restart)}")
+    return 0
+
+
 def _update(args):
     """Update the installed runtime.
 
@@ -2699,6 +2892,37 @@ def main():
                                 help="Skip the interactive confirmation prompt")
     recover_parser.add_argument("--json", action="store_true", help="JSON output")
 
+    # -- rollback --
+    rollback_parser = sub.add_parser(
+        "rollback",
+        help="Reverse a structural migration using a pre-change snapshot",
+    )
+    rollback_sub = rollback_parser.add_subparsers(dest="rollback_command")
+    rollback_f06_p = rollback_sub.add_parser(
+        "f06",
+        help="Revert the F0.6 layout migration using ~/.nexo-pre-f06-snapshot",
+    )
+    rollback_f06_p.add_argument(
+        "--dry-run",
+        action="store_true",
+        help="Show what would happen, do not mutate filesystem or LaunchAgents.",
+    )
+    rollback_f06_p.add_argument(
+        "--yes",
+        action="store_true",
+        help="Skip the interactive confirmation prompt.",
+    )
+    rollback_f06_p.add_argument(
+        "--json",
+        action="store_true",
+        help="Emit machine-readable JSON instead of text output.",
+    )
+    rollback_f06_p.add_argument(
+        "--keep-agents-running",
+        action="store_true",
+        help="Do not bootout / reload LaunchAgents. Advanced use; leaves stale services.",
+    )
+
     # -- clients --
     clients_parser = sub.add_parser("clients", help="Shared client config management")
     clients_sub = clients_parser.add_subparsers(dest="clients_command")
@@ -2998,6 +3222,11 @@ def main():
         return _update(args)
     elif args.command == "recover":
         return _recover(args)
+    elif args.command == "rollback":
+        if args.rollback_command == "f06":
+            return _rollback_f06(args)
+        rollback_parser.print_help()
+        return 0
     elif args.command == "clients":
         if args.clients_command == "sync":
             return _clients_sync(args)

package/src/client_sync.py

@@ -87,6 +87,9 @@ HOOK_TIMEOUTS_BY_EVENT = {
     "PreCompact": 15,
     "PostCompact": 15,
     "UserPromptSubmit": 5,
+    # PreToolUse is synchronous on every tool call — keep low. 8s gives room
+    # for DB lookups under load without stalling routine Edit/Write/Bash.
+    "PreToolUse": 8,
     "PostToolUse": 20,
     "Notification": 3,
     "SubagentStop": 10,

package/src/core_schedule_controls.py

@@ -5,6 +5,7 @@ from __future__ import annotations
 import json
 import os
 import platform
+from datetime import datetime, timezone
 from pathlib import Path
 from typing import Any
 
@@ -209,6 +210,51 @@ def _save_core_schedule_overrides(overrides: dict[str, dict[str, Any]]) -> Path:
     return path
 
 
+def _audit_log_path() -> Path:
+    home = Path(os.environ.get("NEXO_HOME", str(Path.home() / ".nexo")))
+    # Prefer the F0.6 runtime/logs location with a legacy fallback so audit
+    # entries remain contiguous across installs that have not yet migrated.
+    new = home / "runtime" / "logs" / "core-schedule-overrides.log"
+    legacy = home / "logs" / "core-schedule-overrides.log"
+    if new.parent.is_dir() or not legacy.parent.is_dir():
+        return new
+    return legacy
+
+
+def _append_override_audit(
+    *,
+    name: str,
+    action: str,
+    previous: dict[str, Any],
+    current: dict[str, Any],
+    warning: str,
+    actor: str,
+) -> None:
+    """Append a single-line JSON audit record for a schedule override change.
+
+    Writes to ``~/.nexo/runtime/logs/core-schedule-overrides.log`` (or the
+    legacy location on pre-F0.6 installs). Best-effort only: a failed log
+    write never blocks the override itself.
+    """
+    try:
+        log_path = _audit_log_path()
+        log_path.parent.mkdir(parents=True, exist_ok=True)
+        record = {
+            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds").replace("+00:00", "Z"),
+            "name": name,
+            "action": action,
+            "previous": previous,
+            "current": current,
+            "warning": warning or "",
+            "actor": actor or "cli",
+        }
+        with log_path.open("a", encoding="utf-8") as fh:
+            fh.write(json.dumps(record, ensure_ascii=False) + "\n")
+    except Exception:
+        # Audit logging is best-effort — never fail the operator action.
+        pass
+
+
 def _apply_calendar_override(base_cron: dict[str, Any], start_hour: str) -> dict[str, Any]:
     parsed = _parse_daily_at(start_hour)
     schedule = base_cron.get("schedule")
@@ -417,6 +463,7 @@ def set_core_schedule(
     interval_seconds: int | None = None,
     daily_at: str | None = None,
     clear: bool = False,
+    actor: str = "cli",
 ) -> dict[str, Any]:
     clean_name = _normalize_name(name)
     if clean_name in _TOGGLEABLE_AUTOMATIONS:
@@ -437,6 +484,7 @@ def set_core_schedule(
         }
 
     overrides = load_core_schedule_overrides()
+    previous_snapshot = dict(overrides.get(clean_name) or {})
     changed = False
     warning = ""
     if clear:
@@ -482,6 +530,24 @@ def set_core_schedule(
         }
 
     config_path = _save_core_schedule_overrides(overrides)
+
+    if changed:
+        current_snapshot = dict(overrides.get(clean_name) or {})
+        if clear:
+            audit_action = "clear"
+        elif not previous_snapshot:
+            audit_action = "set"
+        else:
+            audit_action = "update"
+        _append_override_audit(
+            name=clean_name,
+            action=audit_action,
+            previous=previous_snapshot,
+            current=current_snapshot,
+            warning=warning,
+            actor=actor,
+        )
+
     sync_result = _sync_core_crons_runtime()
     refreshed = get_core_schedule_status(clean_name)
     refreshed.update({

package/src/crons/manifest.json

@@ -192,6 +192,18 @@
       "run_on_boot": true,
       "run_on_wake": true
     },
+    {
+      "id": "guardian-metrics",
+      "script": "scripts/guardian_metrics_aggregate.py",
+      "schedule": {"hour": 2, "minute": 15},
+      "description": "Plan Consolidado 0.25 — daily aggregation of Guardian KPIs (capture rate, core rule violations, declared-done without evidence, false-positive correction, minutes between guard_check failures) from guardian-telemetry.ndjson to guardian-metrics.ndjson. Feeds Fase C gate + Guardian Proposals panel.",
+      "core": true,
+      "recovery_policy": "catchup",
+      "idempotent": true,
+      "max_catchup_age": 172800,
+      "run_on_boot": false,
+      "run_on_wake": false
+    },
     {
       "id": "auto-close-sessions",
       "script": "auto_close_sessions.py",

package/src/doctor/providers/boot.py

@@ -220,6 +220,193 @@ def check_config_parse() -> DoctorCheck:
     )
 
 
+def check_core_dev_packaged_install() -> DoctorCheck:
+    """Warn when ``~/.nexo/core-dev/`` exists on a packaged (non-dev) install.
+
+    Contract (see ``docs/f06-layout-contract.md`` §3): ``core-dev/`` is a
+    developer opt-in and MUST be absent on production installs. Its presence
+    on a packaged install is almost always a leftover from a dev environment
+    that was later repackaged, and silently keeps parallel code paths
+    discoverable through ``_classify_script_dir``. Doctor surfaces it so the
+    operator can confirm and remove.
+    """
+    import paths
+    core_dev = paths.core_dev_dir()
+    if not core_dev.exists():
+        return DoctorCheck(
+            id="boot.core_dev_absent_on_packaged",
+            tier="boot",
+            status="healthy",
+            severity="info",
+            summary="core-dev/ absent (expected on packaged installs)",
+        )
+    is_packaged = paths.core_dir().is_dir() and not (NEXO_HOME / "src").is_dir()
+    if not is_packaged:
+        return DoctorCheck(
+            id="boot.core_dev_absent_on_packaged",
+            tier="boot",
+            status="healthy",
+            severity="info",
+            summary="core-dev/ present on a dev install (contract allows this)",
+        )
+    try:
+        payload = [p.name for p in core_dev.iterdir()][:5]
+    except OSError:
+        payload = []
+    return DoctorCheck(
+        id="boot.core_dev_absent_on_packaged",
+        tier="boot",
+        status="degraded",
+        severity="warn",
+        summary="core-dev/ present on a packaged install — contract forbids this",
+        evidence=[f"Location: {core_dev}"] + [f"Entry: {n}" for n in payload],
+        repair_plan=[
+            f"Confirm with operator, then: rm -rf {core_dev}",
+        ],
+    )
+
+
+def check_dashboard_desktop_contract() -> DoctorCheck:
+    """Flag Dashboard LaunchAgent contradicting Desktop product surface.
+
+    Contract (see ``docs/f06-layout-contract.md`` §4):
+      - Terminal-only install → ``com.nexo.dashboard`` loaded.
+      - Desktop-managed install → ``com.nexo.dashboard`` unloaded.
+    Both signals disagreeing with the chosen product mode is a warn.
+    """
+    if sys.platform != "darwin":
+        return DoctorCheck(
+            id="boot.dashboard_desktop_contract",
+            tier="boot",
+            status="healthy",
+            severity="info",
+            summary="Non-darwin host — dashboard LaunchAgent contract does not apply",
+        )
+    agent_path = Path.home() / "Library" / "LaunchAgents" / "com.nexo.dashboard.plist"
+    agent_installed = agent_path.exists()
+    try:
+        from product_mode import enforce_desktop_product_contract  # type: ignore
+        desktop_contract = bool(enforce_desktop_product_contract())
+    except Exception:
+        desktop_contract = False
+
+    if desktop_contract and agent_installed:
+        return DoctorCheck(
+            id="boot.dashboard_desktop_contract",
+            tier="boot",
+            status="degraded",
+            severity="warn",
+            summary="Desktop product surface active but standalone dashboard LaunchAgent is installed",
+            evidence=[f"Plist: {agent_path}"],
+            repair_plan=[
+                f"launchctl unload {agent_path}",
+                f"rm {agent_path}",
+            ],
+        )
+    if not desktop_contract and not agent_installed:
+        return DoctorCheck(
+            id="boot.dashboard_desktop_contract",
+            tier="boot",
+            status="degraded",
+            severity="warn",
+            summary="Terminal-only install without a dashboard LaunchAgent",
+            evidence=["Expected plist missing: com.nexo.dashboard.plist"],
+            repair_plan=["nexo update  # re-materialize com.nexo.dashboard"],
+        )
+    return DoctorCheck(
+        id="boot.dashboard_desktop_contract",
+        tier="boot",
+        status="healthy",
+        severity="info",
+        summary="Dashboard LaunchAgent state matches the product surface contract",
+    )
+
+
+def check_f06_migration_consistency() -> DoctorCheck:
+    """Detect half-migrated F0.6 installs.
+
+    Contract (``docs/f06-layout-contract.md`` §6 rule 5):
+      - F0.6 marker + legacy runtime dirs populated → half-migration.
+      - No marker but canonical ``core/`` already populated → half-migration.
+      - Marker F0.6 with no legacy residue → healthy.
+      - No marker, no canonical ``core/``, pure legacy layout → healthy
+        (pre-F0.6 install waiting for ``nexo update``).
+
+    Half-migration is the scenario where ``paths.coordination_dir()`` (and
+    siblings) silently fall back to the legacy path on an install that
+    *should* be on F0.6. Doctor surfaces it so ``nexo update`` can be
+    asked to finish the job instead of the operator discovering later that
+    half their state lives in the wrong place.
+    """
+    import paths
+    marker = NEXO_HOME / ".structure-version"
+    marker_text = ""
+    if marker.is_file():
+        try:
+            marker_text = marker.read_text().strip().upper().split()[0]
+        except (OSError, IndexError):
+            marker_text = ""
+    is_f06_marked = marker_text.startswith("F0.6")
+
+    core_dir = paths.core_dir()
+    core_populated = core_dir.is_dir() and any(core_dir.iterdir()) if core_dir.exists() else False
+
+    # Legacy runtime dirs that MUST be gone (or be symlinks into canonical F0.6)
+    # once the migration has finished physically.
+    legacy_runtime_names = ("coordination", "data", "logs", "operations")
+    legacy_stragglers: list[str] = []
+    for name in legacy_runtime_names:
+        legacy_path = NEXO_HOME / name
+        if not legacy_path.exists():
+            continue
+        if legacy_path.is_symlink():
+            # A symlink pointing at the canonical runtime/<name> is the
+            # compat shim contract; that is acceptable.
+            continue
+        try:
+            has_content = any(legacy_path.iterdir())
+        except OSError:
+            has_content = False
+        if has_content:
+            legacy_stragglers.append(name)
+
+    if is_f06_marked and legacy_stragglers:
+        return DoctorCheck(
+            id="boot.f06_migration_consistency",
+            tier="boot",
+            status="critical",
+            severity="error",
+            summary="Half-migrated F0.6 install: marker present but legacy runtime dirs still populated",
+            evidence=[f"Marker: {marker_text}"] + [f"Legacy with content: {NEXO_HOME / n}" for n in legacy_stragglers],
+            repair_plan=[
+                "nexo update   # finish the F0.6 migration",
+                "# if update refuses, inspect manifest and consider: nexo rollback f06",
+            ],
+        )
+    if (not is_f06_marked) and core_populated:
+        return DoctorCheck(
+            id="boot.f06_migration_consistency",
+            tier="boot",
+            status="critical",
+            severity="error",
+            summary="Half-migrated F0.6 install: core/ populated but marker absent",
+            evidence=[f"Marker: {marker_text or '(absent)'}", f"core/ path: {core_dir}"],
+            repair_plan=[
+                "nexo update   # re-run migration to write the marker",
+            ],
+        )
+    return DoctorCheck(
+        id="boot.f06_migration_consistency",
+        tier="boot",
+        status="healthy",
+        severity="info",
+        summary=(
+            f"F0.6 marker consistent with layout (marker={marker_text or 'absent'}, "
+            f"legacy_stragglers={len(legacy_stragglers)})"
+        ),
+    )
+
+
 def run_boot_checks(fix: bool = False) -> list[DoctorCheck]:
     """Run all boot-tier checks."""
     checks = [
@@ -229,6 +416,9 @@ def run_boot_checks(fix: bool = False) -> list[DoctorCheck]:
         safe_check(check_wrapper_scripts),
         safe_check(check_python_runtime),
         safe_check(check_config_parse),
+        safe_check(check_core_dev_packaged_install),
+        safe_check(check_dashboard_desktop_contract),
+        safe_check(check_f06_migration_consistency),
     ]
 
     if fix:

package/src/evolution_cycle.py

@@ -19,6 +19,10 @@ from core_prompts import render_core_prompt
 NEXO_HOME = Path(os.environ.get("NEXO_HOME", str(Path.home() / ".nexo")))
 NEXO_CODE = Path(os.environ.get("NEXO_CODE", str(NEXO_HOME)))
 NEXO_DB = paths.db_path()
+# Evolution sandbox lives under the runtime root (equivalent to
+# ``paths.runtime_dir() / "sandbox"``). Kept as ``NEXO_HOME / sandbox /
+# workspace`` for backwards compatibility with existing installs that already
+# have a populated sandbox at this path. Do NOT relocate without a migration.
 SANDBOX_DIR = NEXO_HOME / "sandbox" / "workspace"
 SNAPSHOTS_DIR = paths.snapshots_dir()
 RESTORE_LOG = paths.logs_dir() / "snapshot-restores.log"