nexo-brain 7.16.3 → 7.17.0

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.16.3",
+  "version": "7.17.0",
   "description": "Local cognitive runtime for Claude Code \u2014 persistent memory, overnight learning, doctor diagnostics, personal scripts, recovery-aware jobs, startup preflight, and optional dashboard/power helper.",
   "author": {
     "name": "NEXO Brain",

package/README.md

@@ -18,7 +18,9 @@
 
 [Watch the overview video](https://nexo-brain.com/watch/) · [Watch on YouTube](https://www.youtube.com/watch?v=i2lkGhKyVqI) · [Open the infographic](https://nexo-brain.com/assets/nexo-brain-infographic-v5.png)
 
-Version `7.16.3` is the current packaged-runtime line. Patch release over v7.16.2 - the headless runner guard opts out of the runtime-core blocking rule because actual writes on those paths are already blocked at the PreToolUse layer. The duplicated pre-emptive check no longer aborts sessions over plain mentions of core helper script paths.
+Version `7.17.0` is the current packaged-runtime line. Minor release over v7.16.3 - the headless runner pre-emptive guard becomes advisory: it surfaces learnings/schemas to the agent and logs to `guard_checks`, but never returns `blocked=True`. The PreToolUse hook is the authoritative gate at write time. This closes the family of bugs where heuristic path matches in the prompt aborted email-monitor sessions, followup-runner cycles, Deep Sleep synth, and postmortem-consolidation. Also rolls in the directory-path hardening planned for 7.16.4.
+
+Previously in `7.16.3`: patch release over v7.16.2 - the headless runner guard opts out of the runtime-core blocking rule because actual writes on those paths are already blocked at the PreToolUse layer.
 
 Previously in `7.16.0`: minor release over v7.15.2 - Brain adds Memory Observations v2: evidence-backed event capture, derived observations, update-safe backfill, MCP retrieval, dashboard visibility, and safer refusal when memory lacks evidence.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.16.3",
+  "version": "7.17.0",
   "mcpName": "io.github.wazionapps/nexo",
   "description": "NEXO Brain — Shared brain for AI agents. Persistent memory, semantic RAG, natural forgetting, metacognitive guard, trust scoring, 150+ MCP tools. Works with Claude Code, Codex, Claude Desktop & any MCP client. 100% local, free.",
   "homepage": "https://nexo-brain.com",

package/src/agent_runner.py

@@ -439,6 +439,11 @@ def _extract_runner_guard_paths(prompt: str, cwd: Path) -> list[str]:
 
     for match in re.findall(r"(?<![A-Za-z0-9_])(?:/[^\s'\"`<>]+|[A-Za-z]:\\[^\s'\"`<>]+)", text):
         cleaned = match.rstrip(".,);:]")
+        # Drop trailing slashes — `/tmp/` and friends are directories, not
+        # edit targets. Without this the followup-runner prompt's mention
+        # of `/tmp/` reached `handle_guard_check`, which tried to `open()`
+        # the directory and crashed the whole pre-emptive guard.
+        cleaned = cleaned.rstrip("/")
         if not cleaned or cleaned in exec_only_paths:
             continue
         found.add(cleaned)
@@ -461,17 +466,47 @@ def _extract_runner_guard_paths(prompt: str, cwd: Path) -> list[str]:
 
 
 def _run_headless_runner_guard(*, caller: str, cwd: Path, prompt: str, allowed_tools: str) -> dict:
+    """Pre-emptive runner guard — observational, never blocking.
+
+    The pre-emptive guard scans the *prompt text* for paths the agent might
+    edit. That is heuristic: it cannot tell whether a path will actually be
+    written, read, executed, or just mentioned in passing. Treating the
+    learnings/blocking-rules surfaced by that heuristic as hard blockers
+    has caused a year's worth of operational pain — every time a learning's
+    ``applies_to`` happens to match a path the prompt mentions for any
+    reason, every cron, every email-monitor session, every Deep Sleep
+    synth aborts with exit 2.
+
+    The authoritative gate is the PreToolUse hook
+    (``hook_guardrails._collect_runtime_core_write_blocks`` and the
+    learning-aware blocks alongside it). That layer fires only when the
+    agent *actually attempts* a Write/Edit, with severity ``error``, and
+    prevents the protected mutation. The pre-emptive guard's job is to
+    surface relevant learnings/schemas to the agent up front so it can
+    reason about them, plus log to ``guard_checks`` for observability —
+    not to abort the run on a regex match.
+
+    Therefore this function always returns ``blocked=False``. Errors from
+    ``handle_guard_check`` are also non-blocking; we let the run start so
+    the PreToolUse layer can do its job, and we log the unavailability for
+    diagnostics.
+    """
     if not _runner_mutating_tools_allowed(allowed_tools):
         return {"blocked": False, "skipped": "read_only_tools"}
     guard_paths = _extract_runner_guard_paths(prompt, cwd)
     if not guard_paths:
         return {"blocked": False, "skipped": "no_explicit_paths"}
+    summary = ""
     try:
         runtime_root = str(NEXO_HOME)
         if runtime_root and runtime_root not in sys.path:
             sys.path.insert(0, runtime_root)
         from plugins.guard import handle_guard_check  # type: ignore
 
+        # We still pass ``enforce_runtime_core_block="false"`` because that
+        # opt-out predates the advisory-only switch and other callers may
+        # still rely on it. With the advisory contract in place this flag
+        # is effectively redundant, but kept for back-compat.
         output = handle_guard_check(
             files=",".join(guard_paths),
             area=f"runner:{caller or 'headless'}",
@@ -479,17 +514,16 @@ def _run_headless_runner_guard(*, caller: str, cwd: Path, prompt: str, allowed_t
             include_schemas="true",
             enforce_runtime_core_block="false",
         )
+        summary = str(output or "")
     except Exception as exc:
-        return {
-            "blocked": True,
-            "summary": f"Runner guard unavailable: {exc}",
-            "paths": guard_paths,
-        }
-    blocked = "BLOCKING RULES" in str(output or "")
+        # Guard unavailable is observational, not blocking. The PreToolUse
+        # hook will catch any actual protected write at execute time.
+        summary = f"Runner guard unavailable: {exc}"
     return {
-        "blocked": blocked,
-        "summary": str(output or ""),
+        "blocked": False,
+        "summary": summary,
         "paths": guard_paths,
+        "advisory": True,
     }
 
 

package/src/plugins/guard.py

@@ -494,12 +494,24 @@ def handle_guard_check(
         all_tables = set()
         for filepath in file_list:
             try:
+                # Skip directories silently — the path extractor that calls
+                # us is permissive and can hand back paths that end in `/`
+                # (e.g. `/tmp/`) or that resolve to real directories. Opening
+                # one of those raises IsADirectoryError, which is an OSError
+                # subclass; the prior except only caught FileNotFoundError /
+                # PermissionError, so the exception propagated and the whole
+                # runner pre-emptive guard returned `blocked=True` with
+                # "Runner guard unavailable: [Errno 21] Is a directory".
+                # That is exactly what was killing the followup-runner every
+                # hour after 7.16.0.
+                if Path(filepath).is_dir():
+                    continue
                 with open(filepath, 'r', errors='ignore') as f:
                     content = f.read()
                 sql_keywords = ['SELECT', 'INSERT', 'UPDATE', 'DELETE', 'CREATE TABLE']
                 if any(kw in content.upper() for kw in sql_keywords):
                     all_tables.update(_extract_table_names(content))
-            except (FileNotFoundError, PermissionError):
+            except (FileNotFoundError, PermissionError, IsADirectoryError, OSError):
                 continue
 
         cache = _load_schema_cache()