nexo-brain 7.12.0 → 7.12.1

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.12.0",
+  "version": "7.12.1",
   "description": "Local cognitive runtime for Claude Code \u2014 persistent memory, overnight learning, doctor diagnostics, personal scripts, recovery-aware jobs, startup preflight, and optional dashboard/power helper.",
   "author": {
     "name": "NEXO Brain",

package/README.md

@@ -18,9 +18,9 @@
 
 [Watch the overview video](https://nexo-brain.com/watch/) · [Watch on YouTube](https://www.youtube.com/watch?v=i2lkGhKyVqI) · [Open the infographic](https://nexo-brain.com/assets/nexo-brain-infographic-v5.png)
 
-Version `7.12.0` is the current packaged-runtime line. Minor release — adds `nexo support-snapshot` for generic local runtime diagnostics and completes the silent-reminder hardening on the live Protocol Enforcer path. The new support collector emits one JSON bundle with version/platform metadata, runtime path presence, health-check output, and recent event/operation tails. In parallel, map-driven reminders (`nexo_startup`, `nexo_smart_startup`, `nexo_heartbeat`, `nexo_reminders`, `nexo_session_diary_*`, `nexo_stop`, `nexo_task_close`, compaction checkpoint prompts) now say explicitly that silence owns the entire reminder turn, and the headless enforcer upgrades any legacy `Do not produce visible text` copy defensively at enqueue time. Result: orphan assistant text such as “Esperando…” no longer leaks into Desktop after background protocol reminders with no fresh user message.
+Version `7.12.1` is the current packaged-runtime line. Patch release — Guardian G3 now sees SSH remote-write intent even when the shell payload arrives through pipe, heredoc, or stdin redirect, recent same-task Cortex decisions unlock the next matching G3 retry for a short TTL, and personal text automations now run as bare one-shots with short timeouts and overlap locks instead of spawning full agent sessions. Result: remote deploy/recovery flows stop dead-ending after `nexo_cortex_decide`, and short cron-owned text jobs stop hanging for hours or stacking parallel subprocesses.
 
-Previously in `7.11.6`: patch release — Guardian G4 now filters more false-positive slash fragments before they become debt, `strict_protocol_write_without_task` downgrades to `warn` when the session has a fresh heartbeat, and Deep Sleep extraction validates the real prompt contract instead of accepting any syntactically valid JSON. Validation so far: `50` targeted tests across hook guardrails and Deep Sleep extraction.
+Previously in `7.12.0`: minor release — adds `nexo support-snapshot` for generic local runtime diagnostics and completes the silent-reminder hardening on the live Protocol Enforcer path. The support collector emits one JSON bundle with version/platform metadata, runtime path presence, health-check output, and recent event/operation tails, while map-driven reminders (`nexo_startup`, `nexo_smart_startup`, `nexo_heartbeat`, `nexo_reminders`, `nexo_session_diary_*`, `nexo_stop`, `nexo_task_close`, compaction checkpoint prompts) now say explicitly that silence owns the entire reminder turn.
 
 Previously in `7.11.5`: patch release — Desktop-managed installs now block the standalone dashboard at the same product-mode layer as evolution, so `installation_live`, cron sync, and watchdog no longer disagree about whether `com.nexo.dashboard` should exist. Validation: `125` targeted tests across product-mode, cron sync, and doctor, plus a full pre-release wrapper (`2321 passed, 2 skipped, 1 xfailed, 4 xpassed`).
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.12.0",
+  "version": "7.12.1",
   "mcpName": "io.github.wazionapps/nexo",
   "description": "NEXO Brain — Shared brain for AI agents. Persistent memory, semantic RAG, natural forgetting, metacognitive guard, trust scoring, 150+ MCP tools. Works with Claude Code, Codex, Claude Desktop & any MCP client. 100% local, free.",
   "homepage": "https://nexo-brain.com",

package/src/hook_guardrails.py

@@ -191,6 +191,14 @@ _SFTP_BATCH_RE = re.compile(
     r"\bsftp\b(?:[^|&;]*\s)?-b\s+\S+",
     re.IGNORECASE,
 )
+_SSH_REMOTE_PIPE_RE = re.compile(
+    r"\|\s*ssh\b",
+    re.IGNORECASE,
+)
+_SSH_REMOTE_STDIN_RE = re.compile(
+    r"\bssh\b[^\n|&;]*(?:<\s*\S+|<<-?\s*(?:['\"]?[A-Za-z0-9_]+['\"]?))",
+    re.IGNORECASE,
+)
 
 
 def _classify_ssh_remote_write(command: str) -> str | None:
@@ -231,6 +239,10 @@ def _classify_ssh_remote_write(command: str) -> str | None:
         for pattern in _SSH_REMOTE_WRITE_VERBS:
             if pattern.search(trimmed):
                 return "ssh_remote_shell_write"
+    if _SSH_REMOTE_PIPE_RE.search(cmd):
+        return "ssh_remote_shell_write"
+    if _SSH_REMOTE_STDIN_RE.search(cmd):
+        return "ssh_remote_shell_write"
     return None
 
 
@@ -270,6 +282,64 @@ _PATH_ARTIFACT_RE = re.compile(
 )
 _DATE_LIKE_PATH_RE = re.compile(r"^/\d{1,4}/\d{1,4}(?:/\d{1,4})?$")
 _STRICT_WRITE_HEARTBEAT_WINDOW_SECONDS = 300
+_G3_CORTEX_AUTH_WINDOW_SECONDS = max(
+    60,
+    int(os.environ.get("NEXO_G3_CORTEX_AUTH_WINDOW_SECONDS", "900")),
+)
+_CORTEX_NEGATIVE_TOKENS = (
+    "abort",
+    "avoid",
+    "block",
+    "cancel",
+    "decline",
+    "defer",
+    "deny",
+    "do_not",
+    "dont",
+    "no_",
+    "not_now",
+    "reject",
+    "skip",
+    "wait",
+)
+_G3_CORTEX_GENERIC_APPROVAL_TOKENS = (
+    "allow",
+    "apply",
+    "approve",
+    "continue",
+    "deploy",
+    "execute",
+    "go_ahead",
+    "proceed",
+    "publish",
+    "retry",
+    "run",
+)
+_G3_CORTEX_FAMILY_TOKENS = {
+    "destructive": (
+        "chmod",
+        "cleanup",
+        "delete",
+        "drop",
+        "force",
+        "git_push",
+        "purge",
+        "remove",
+        "rm",
+        "truncate",
+        "wipe",
+    ),
+    "ssh": (
+        "deploy",
+        "remote",
+        "rsync",
+        "scp",
+        "sftp",
+        "ssh",
+        "sync",
+        "upload",
+    ),
+}
 
 # Single-segment ``/word`` candidates that match a small dictionary block-list
 # of confirmed false positives observed in the live debt log.
@@ -655,6 +725,7 @@ def _find_open_task_for_file(conn, sid: str, filepath: str) -> dict | None:
     target = _normalize_file_path(filepath)
     rows = conn.execute(
         """SELECT task_id, files, guard_has_blocking, guard_acknowledged, task_type, plan, unknowns,
+                  opened_at,
                   verification_step, opened_with_guard, must_change_log, must_verify
            FROM protocol_tasks
            WHERE session_id = ? AND status = 'open'
@@ -675,6 +746,7 @@ def _find_open_task_for_file(conn, sid: str, filepath: str) -> dict | None:
 def _find_any_open_task(conn, sid: str) -> dict | None:
     row = conn.execute(
         """SELECT task_id, files, guard_has_blocking, guard_acknowledged, task_type, plan, unknowns,
+                  opened_at,
                   verification_step, opened_with_guard, must_change_log, must_verify
            FROM protocol_tasks
            WHERE session_id = ? AND status = 'open'
@@ -685,6 +757,86 @@ def _find_any_open_task(conn, sid: str) -> dict | None:
     return dict(row) if row else None
 
 
+def _normalize_cortex_tokens(value: str) -> str:
+    return re.sub(r"[^a-z0-9]+", "_", str(value or "").lower()).strip("_")
+
+
+def _text_has_any_token(value: str, tokens: tuple[str, ...]) -> bool:
+    normalized = _normalize_cortex_tokens(value)
+    if not normalized:
+        return False
+    return any(token in normalized for token in tokens)
+
+
+def _cortex_choice_is_negative(value: str) -> bool:
+    return _text_has_any_token(value, _CORTEX_NEGATIVE_TOKENS)
+
+
+def _find_recent_cortex_authorization(
+    conn,
+    *,
+    sid: str,
+    task: dict | None,
+    gate_family: str,
+    pattern_name: str = "",
+) -> dict | None:
+    if not sid or not task:
+        return None
+    task_id = str(task.get("task_id") or "").strip()
+    if not task_id:
+        return None
+    params: list[object] = [
+        sid,
+        task_id,
+        f"-{_G3_CORTEX_AUTH_WINDOW_SECONDS} seconds",
+    ]
+    sql = (
+        """SELECT id, task_id, recommended_choice, selected_choice,
+                  recommended_reasoning, selection_reason, context_hint, created_at
+           FROM cortex_evaluations
+           WHERE session_id = ?
+             AND task_id = ?
+             AND created_at >= datetime('now', ?)"""
+    )
+    opened_at = str(task.get("opened_at") or "").strip()
+    if opened_at:
+        sql += " AND created_at >= ?"
+        params.append(opened_at)
+    sql += " ORDER BY created_at DESC, id DESC LIMIT 5"
+    try:
+        rows = conn.execute(sql, params).fetchall()
+    except sqlite3.OperationalError:
+        return None
+    family_tokens = _G3_CORTEX_FAMILY_TOKENS.get(gate_family, ())
+    pattern_tokens = tuple(
+        token for token in _normalize_cortex_tokens(pattern_name).split("_") if token
+    )
+    fallback_candidates: list[dict] = []
+    for row in rows:
+        item = dict(row)
+        choice = str(item.get("selected_choice") or item.get("recommended_choice") or "").strip()
+        if not choice or _cortex_choice_is_negative(choice):
+            continue
+        combined = " ".join(
+            [
+                choice,
+                str(item.get("selection_reason") or ""),
+                str(item.get("recommended_reasoning") or ""),
+                str(item.get("context_hint") or ""),
+            ]
+        )
+        if (
+            _text_has_any_token(choice, _G3_CORTEX_GENERIC_APPROVAL_TOKENS)
+            or _text_has_any_token(combined, family_tokens)
+            or _text_has_any_token(combined, pattern_tokens)
+        ):
+            return item
+        fallback_candidates.append(item)
+    if len(fallback_candidates) == 1:
+        return fallback_candidates[0]
+    return None
+
+
 def _find_any_open_workflow(conn, sid: str) -> dict | None:
     row = conn.execute(
         """SELECT run_id, protocol_task_id, current_step_key
@@ -1164,6 +1316,7 @@ def process_pre_tool_event(payload: dict) -> dict:
     if not claude_sid:
         claude_sid = _read_claude_session_id_from_coordination()
     sid = _resolve_nexo_sid(conn, claude_sid)
+    open_task = _find_any_open_task(conn, sid) if sid else None
     automation_blocks = _collect_automation_live_repo_blocks(
         conn,
         sid=sid,
@@ -1228,12 +1381,22 @@ def process_pre_tool_event(payload: dict) -> dict:
     if g3_mode in {"shadow", "hard"} and tool_name == "Bash":
         shell_command = _extract_bash_command(tool_input)
         destructive_pattern = _classify_destructive_intent(shell_command)
+        if destructive_pattern:
+            if _find_recent_cortex_authorization(
+                conn,
+                sid=sid,
+                task=open_task,
+                gate_family="destructive",
+                pattern_name=destructive_pattern,
+            ):
+                destructive_pattern = None
         if destructive_pattern:
             severity = "error" if g3_mode == "hard" else "warn"
+            task_id = str((open_task or {}).get("task_id") or "").strip()
             debt = _ensure_protocol_debt(
                 conn,
                 session_id=sid,
-                task_id="",
+                task_id=task_id,
                 debt_type="g3_destructive_command_requires_cortex",
                 severity=severity,
                 evidence=(
@@ -1253,7 +1416,7 @@ def process_pre_tool_event(payload: dict) -> dict:
                     "blocks": [
                         {
                             "file": "",
-                            "task_id": "",
+                            "task_id": task_id,
                             "debt_id": debt.get("id"),
                             "debt_type": "g3_destructive_command_requires_cortex",
                             "reason_code": "g3_destructive_blocked",
@@ -1283,12 +1446,22 @@ def process_pre_tool_event(payload: dict) -> dict:
     if g3_ssh_mode in {"shadow", "hard"} and tool_name == "Bash":
         shell_command = _extract_bash_command(tool_input)
         ssh_pattern = _classify_ssh_remote_write(shell_command)
+        if ssh_pattern:
+            if _find_recent_cortex_authorization(
+                conn,
+                sid=sid,
+                task=open_task,
+                gate_family="ssh",
+                pattern_name=ssh_pattern,
+            ):
+                ssh_pattern = None
         if ssh_pattern:
             severity = "error" if g3_ssh_mode == "hard" else "warn"
+            task_id = str((open_task or {}).get("task_id") or "").strip()
             debt = _ensure_protocol_debt(
                 conn,
                 session_id=sid,
-                task_id="",
+                task_id=task_id,
                 debt_type="g3_ssh_remote_write_requires_cortex",
                 severity=severity,
                 evidence=(
@@ -1309,7 +1482,7 @@ def process_pre_tool_event(payload: dict) -> dict:
                     "blocks": [
                         {
                             "file": "",
-                            "task_id": "",
+                            "task_id": task_id,
                             "debt_id": debt.get("id"),
                             "debt_type": "g3_ssh_remote_write_requires_cortex",
                             "reason_code": "g3_ssh_remote_write_blocked",

package/src/scripts/nexo-agent-run.py

@@ -50,6 +50,12 @@ def main(argv: list[str] | None = None) -> int:
     parser.add_argument("--timeout", type=int, default=AUTOMATION_SUBPROCESS_TIMEOUT, help="Timeout in seconds")
     parser.add_argument("--output-format", default="text", help="Requested output format")
     parser.add_argument("--allowed-tools", default="", help="Claude-style allowed tools contract")
+    parser.add_argument(
+        "--bare-mode",
+        choices=("auto", "on", "off"),
+        default="auto",
+        help="Bare mode for one-shot runs: auto|on|off.",
+    )
     parser.add_argument("--append-system-prompt", default="", help="Extra system prompt text")
     parser.add_argument("--append-system-prompt-file", default="", help="Read extra system prompt from a file")
     args = parser.parse_args(argv)
@@ -62,6 +68,11 @@ def main(argv: list[str] | None = None) -> int:
         return 1
 
     append_system_prompt = args.append_system_prompt or _read_text(args.append_system_prompt_file)
+    bare_mode = None
+    if args.bare_mode == "on":
+        bare_mode = True
+    elif args.bare_mode == "off":
+        bare_mode = False
 
     try:
         result = run_automation_prompt(
@@ -76,6 +87,7 @@ def main(argv: list[str] | None = None) -> int:
             output_format=args.output_format,
             append_system_prompt=append_system_prompt,
             allowed_tools=args.allowed_tools,
+            bare_mode=bare_mode,
         )
     except AutomationBackendUnavailableError as exc:
         print(str(exc), file=sys.stderr)

package/src/scripts/nexo_personal_automation.py

@@ -17,8 +17,11 @@ Both paths are probed so dev and live operators get identical behaviour.
 """
 from __future__ import annotations
 
+import inspect
 import os
+import re
 import sys
+import time
 from pathlib import Path
 
 
@@ -31,6 +34,12 @@ if str(_repo_src) not in sys.path:
 
 NEXO_HOME = Path(os.environ.get("NEXO_HOME", str(Path.home() / ".nexo")))
 DEFAULT_ALLOWED_TOOLS = "Read,Write,Edit,Glob,Grep,Bash,mcp__nexo__*"
+DEFAULT_SHORT_TEXT_ALLOWED_TOOLS = ""
+DEFAULT_SHORT_TEXT_TIMEOUT = max(
+    30,
+    int(os.environ.get("NEXO_PERSONAL_AUTOMATION_TIMEOUT", "180")),
+)
+_PROCESS_LOCK_COUNTS: dict[str, int] = {}
 
 # Templates live next to the code at repo time and at ``~/.nexo/templates``
 # once installed. Probe both and surface whichever exists first so the
@@ -50,14 +59,126 @@ except Exception:
 from nexo_helper import run_automation_text as _run_automation_text
 
 
+def _infer_personal_caller() -> str:
+    env_caller = str(os.environ.get("NEXO_AUTOMATION_CALLER") or "").strip()
+    if env_caller:
+        return env_caller
+    candidates: list[Path] = []
+    argv0 = str(sys.argv[0] or "").strip()
+    if argv0:
+        candidates.append(Path(argv0).expanduser())
+    current = Path(__file__).resolve()
+    for frame in inspect.stack()[1:]:
+        try:
+            path = Path(frame.filename).resolve()
+        except Exception:
+            continue
+        if path != current:
+            candidates.append(path)
+    for candidate in candidates:
+        parts = candidate.parts
+        if "personal" in parts and "scripts" in parts:
+            stem = candidate.stem.strip()
+            if stem:
+                return f"personal/{stem}"
+    if argv0:
+        stem = Path(argv0).stem.strip()
+        if stem and stem not in {"python", "python3", "-m"}:
+            return f"personal/{stem}"
+    return "agent_run/generic"
+
+
+def _caller_lock_path(caller: str) -> Path:
+    slug = re.sub(r"[^A-Za-z0-9_.-]+", "-", caller).strip("-") or "generic"
+    return NEXO_HOME / "runtime" / "locks" / "personal-automation" / f"{slug}.lock"
+
+
+def _read_lock_pid(path: Path) -> int:
+    try:
+        raw = path.read_text().splitlines()
+    except Exception:
+        return 0
+    if not raw:
+        return 0
+    try:
+        return int(raw[0].strip())
+    except Exception:
+        return 0
+
+
+def _pid_is_alive(pid: int) -> bool:
+    if pid <= 0:
+        return False
+    try:
+        os.kill(pid, 0)
+    except ProcessLookupError:
+        return False
+    except PermissionError:
+        return True
+    return True
+
+
+def _acquire_personal_caller_lock(caller: str) -> str:
+    clean = str(caller or "").strip()
+    if not clean.startswith("personal/"):
+        return ""
+    if _PROCESS_LOCK_COUNTS.get(clean, 0) > 0:
+        _PROCESS_LOCK_COUNTS[clean] += 1
+        return clean
+    pid = os.getpid()
+    lock_path = _caller_lock_path(clean)
+    lock_path.parent.mkdir(parents=True, exist_ok=True)
+    while True:
+        try:
+            fd = os.open(str(lock_path), os.O_CREAT | os.O_EXCL | os.O_WRONLY)
+        except FileExistsError:
+            existing_pid = _read_lock_pid(lock_path)
+            if existing_pid == pid:
+                _PROCESS_LOCK_COUNTS[clean] = 1
+                return clean
+            if existing_pid and _pid_is_alive(existing_pid):
+                raise RuntimeError(
+                    f"Automation caller {clean} already has a live run (pid {existing_pid})."
+                )
+            try:
+                lock_path.unlink()
+            except FileNotFoundError:
+                pass
+            continue
+        with os.fdopen(fd, "w", encoding="ascii") as handle:
+            handle.write(f"{pid}\n{int(time.time())}\n{clean}\n")
+        _PROCESS_LOCK_COUNTS[clean] = 1
+        return clean
+
+
+def _release_personal_caller_lock(caller: str) -> None:
+    clean = str(caller or "").strip()
+    if not clean.startswith("personal/"):
+        return
+    count = _PROCESS_LOCK_COUNTS.get(clean, 0)
+    if count > 1:
+        _PROCESS_LOCK_COUNTS[clean] = count - 1
+        return
+    _PROCESS_LOCK_COUNTS.pop(clean, None)
+    lock_path = _caller_lock_path(clean)
+    if _read_lock_pid(lock_path) == os.getpid():
+        try:
+            lock_path.unlink()
+        except FileNotFoundError:
+            pass
+
+
 def run_personal_automation_text(
     prompt: str,
     *,
     model: str = "",
     cwd: str = "",
-    timeout: int = 21600,
-    allowed_tools: str = DEFAULT_ALLOWED_TOOLS,
+    timeout: int = DEFAULT_SHORT_TEXT_TIMEOUT,
+    allowed_tools: str = DEFAULT_SHORT_TEXT_ALLOWED_TOOLS,
     append_system_prompt: str = "",
+    caller: str = "",
+    tier: str = "",
+    bare_mode: bool | None = True,
 ) -> str:
     """Run ``prompt`` through the configured NEXO automation backend.
 
@@ -68,18 +189,29 @@ def run_personal_automation_text(
     Every other kwarg passes through verbatim.
     """
     effective_model = model or _USER_MODEL or "opus"
-    return _run_automation_text(
-        prompt,
-        model=effective_model,
-        cwd=cwd or "",
-        timeout=timeout,
-        allowed_tools=allowed_tools,
-        append_system_prompt=append_system_prompt,
-    )
+    effective_caller = caller or _infer_personal_caller()
+    lock_token = _acquire_personal_caller_lock(effective_caller)
+    try:
+        return _run_automation_text(
+            prompt,
+            model=effective_model,
+            cwd=cwd or "",
+            timeout=timeout,
+            allowed_tools=allowed_tools,
+            append_system_prompt=append_system_prompt,
+            include_bootstrap=False,
+            caller=effective_caller,
+            tier=tier,
+            bare_mode=bare_mode,
+        )
+    finally:
+        _release_personal_caller_lock(lock_token)
 
 
 __all__ = [
     "DEFAULT_ALLOWED_TOOLS",
+    "DEFAULT_SHORT_TEXT_ALLOWED_TOOLS",
+    "DEFAULT_SHORT_TEXT_TIMEOUT",
     "NEXO_HOME",
     "run_personal_automation_text",
 ]

package/templates/nexo_helper.py

@@ -226,6 +226,7 @@ def run_automation_text(
     include_bootstrap: bool = True,
     caller: str = "",
     tier: str = "",
+    bare_mode: bool | None = None,
 ) -> str:
     """Run the configured NEXO automation backend and return text output.
 
@@ -264,6 +265,10 @@ def run_automation_text(
         cmd.extend(["--append-system-prompt", "\n\n".join(merged_system_prompt)])
     if allowed_tools:
         cmd.extend(["--allowed-tools", allowed_tools])
+    if bare_mode is True:
+        cmd.extend(["--bare-mode", "on"])
+    elif bare_mode is False:
+        cmd.extend(["--bare-mode", "off"])
 
     env = os.environ.copy()
     env.setdefault("NEXO_HOME", str(NEXO_HOME))
@@ -292,6 +297,7 @@ def run_automation_json(
     include_bootstrap: bool = True,
     caller: str = "",
     tier: str = "",
+    bare_mode: bool | None = None,
 ) -> dict:
     """Run the configured backend and return a parsed JSON object.
 
@@ -326,6 +332,10 @@ def run_automation_json(
         cmd.extend(["--append-system-prompt", "\n\n".join(merged_system_prompt)])
     if allowed_tools:
         cmd.extend(["--allowed-tools", allowed_tools])
+    if bare_mode is True:
+        cmd.extend(["--bare-mode", "on"])
+    elif bare_mode is False:
+        cmd.extend(["--bare-mode", "off"])
 
     env = os.environ.copy()
     env.setdefault("NEXO_HOME", str(NEXO_HOME))