nexo-brain 7.16.3 → 7.17.1

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.16.3",
+  "version": "7.17.1",
   "description": "Local cognitive runtime for Claude Code \u2014 persistent memory, overnight learning, doctor diagnostics, personal scripts, recovery-aware jobs, startup preflight, and optional dashboard/power helper.",
   "author": {
     "name": "NEXO Brain",

package/README.md

@@ -18,7 +18,11 @@
 
 [Watch the overview video](https://nexo-brain.com/watch/) · [Watch on YouTube](https://www.youtube.com/watch?v=i2lkGhKyVqI) · [Open the infographic](https://nexo-brain.com/assets/nexo-brain-infographic-v5.png)
 
-Version `7.16.3` is the current packaged-runtime line. Patch release over v7.16.2 - the headless runner guard opts out of the runtime-core blocking rule because actual writes on those paths are already blocked at the PreToolUse layer. The duplicated pre-emptive check no longer aborts sessions over plain mentions of core helper script paths.
+Version `7.17.1` is the current packaged-runtime line. Patch release over v7.17.0 - the headless Claude CLI 2.1+ direct-JSON response shape is now handled: when the wrapper `{"result": ...}` is absent and the agent's answer is returned directly, `_extract_claude_telemetry` surfaces the full payload to the caller instead of an empty string. Fixes the daily morning-agent failure with "Morning agent returned invalid JSON output".
+
+Previously in `7.17.0`: minor release over v7.16.3 - the headless runner pre-emptive guard becomes advisory: it surfaces learnings/schemas to the agent and logs to `guard_checks`, but never returns `blocked=True`. The PreToolUse hook is the authoritative gate at write time.
+
+Previously in `7.16.3`: patch release over v7.16.2 - the headless runner guard opts out of the runtime-core blocking rule because actual writes on those paths are already blocked at the PreToolUse layer.
 
 Previously in `7.16.0`: minor release over v7.15.2 - Brain adds Memory Observations v2: evidence-backed event capture, derived observations, update-safe backfill, MCP retrieval, dashboard visibility, and safer refusal when memory lacks evidence.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.16.3",
+  "version": "7.17.1",
   "mcpName": "io.github.wazionapps/nexo",
   "description": "NEXO Brain — Shared brain for AI agents. Persistent memory, semantic RAG, natural forgetting, metacognitive guard, trust scoring, 150+ MCP tools. Works with Claude Code, Codex, Claude Desktop & any MCP client. 100% local, free.",
   "homepage": "https://nexo-brain.com",

package/src/agent_runner.py

@@ -94,15 +94,32 @@ def _extract_claude_telemetry(raw_stdout: str, *, requested_output_format: str)
             "warnings": ["backend did not return parseable JSON telemetry"],
         }
 
-    result_payload = payload.get("result", "")
+    # Two shapes can arrive in raw_stdout:
+    #   (a) Classic Claude CLI wrapper:
+    #       {"result": "<agent text or stringified JSON>", "usage": {...}, "total_cost_usd": N}
+    #   (b) Direct agent JSON (Claude CLI 2.1+ with bare_mode + output_format=json
+    #       + a prompt that requests raw JSON only). The wrapper is dropped and
+    #       the entire payload IS the agent's answer, e.g. {"subject":..., "body":...}.
+    # Pre-7.17.1 only handled (a): payload.get("result", "") returned "" in case (b),
+    # which left result.stdout empty for the caller. morning-agent then raised
+    # "Morning agent returned invalid JSON output" on every cron tick even though
+    # the agent had answered correctly and the answer was already persisted in
+    # automation_runs.metadata.raw. The branch below normalises both shapes.
+    if "result" in payload:
+        result_payload = payload["result"]
+        telemetry_payload = payload
+    else:
+        result_payload = payload
+        telemetry_payload = {}
+
     if requested_output_format and requested_output_format.lower() == "json" and not isinstance(result_payload, str):
         final_stdout = json.dumps(result_payload, ensure_ascii=False)
     else:
         final_stdout = result_payload if isinstance(result_payload, str) else json.dumps(result_payload, ensure_ascii=False)
 
-    usage = payload.get("usage") or {}
-    model_usage = payload.get("modelUsage") or {}
-    explicit_cost = payload.get("total_cost_usd")
+    usage = telemetry_payload.get("usage") or {}
+    model_usage = telemetry_payload.get("modelUsage") or {}
+    explicit_cost = telemetry_payload.get("total_cost_usd")
     if explicit_cost is None and isinstance(model_usage, dict):
         explicit_cost = sum(
             float((item or {}).get("costUSD") or 0.0)
@@ -439,6 +456,11 @@ def _extract_runner_guard_paths(prompt: str, cwd: Path) -> list[str]:
 
     for match in re.findall(r"(?<![A-Za-z0-9_])(?:/[^\s'\"`<>]+|[A-Za-z]:\\[^\s'\"`<>]+)", text):
         cleaned = match.rstrip(".,);:]")
+        # Drop trailing slashes — `/tmp/` and friends are directories, not
+        # edit targets. Without this the followup-runner prompt's mention
+        # of `/tmp/` reached `handle_guard_check`, which tried to `open()`
+        # the directory and crashed the whole pre-emptive guard.
+        cleaned = cleaned.rstrip("/")
         if not cleaned or cleaned in exec_only_paths:
             continue
         found.add(cleaned)
@@ -461,17 +483,47 @@ def _extract_runner_guard_paths(prompt: str, cwd: Path) -> list[str]:
 
 
 def _run_headless_runner_guard(*, caller: str, cwd: Path, prompt: str, allowed_tools: str) -> dict:
+    """Pre-emptive runner guard — observational, never blocking.
+
+    The pre-emptive guard scans the *prompt text* for paths the agent might
+    edit. That is heuristic: it cannot tell whether a path will actually be
+    written, read, executed, or just mentioned in passing. Treating the
+    learnings/blocking-rules surfaced by that heuristic as hard blockers
+    has caused a year's worth of operational pain — every time a learning's
+    ``applies_to`` happens to match a path the prompt mentions for any
+    reason, every cron, every email-monitor session, every Deep Sleep
+    synth aborts with exit 2.
+
+    The authoritative gate is the PreToolUse hook
+    (``hook_guardrails._collect_runtime_core_write_blocks`` and the
+    learning-aware blocks alongside it). That layer fires only when the
+    agent *actually attempts* a Write/Edit, with severity ``error``, and
+    prevents the protected mutation. The pre-emptive guard's job is to
+    surface relevant learnings/schemas to the agent up front so it can
+    reason about them, plus log to ``guard_checks`` for observability —
+    not to abort the run on a regex match.
+
+    Therefore this function always returns ``blocked=False``. Errors from
+    ``handle_guard_check`` are also non-blocking; we let the run start so
+    the PreToolUse layer can do its job, and we log the unavailability for
+    diagnostics.
+    """
     if not _runner_mutating_tools_allowed(allowed_tools):
         return {"blocked": False, "skipped": "read_only_tools"}
     guard_paths = _extract_runner_guard_paths(prompt, cwd)
     if not guard_paths:
         return {"blocked": False, "skipped": "no_explicit_paths"}
+    summary = ""
     try:
         runtime_root = str(NEXO_HOME)
         if runtime_root and runtime_root not in sys.path:
             sys.path.insert(0, runtime_root)
         from plugins.guard import handle_guard_check  # type: ignore
 
+        # We still pass ``enforce_runtime_core_block="false"`` because that
+        # opt-out predates the advisory-only switch and other callers may
+        # still rely on it. With the advisory contract in place this flag
+        # is effectively redundant, but kept for back-compat.
         output = handle_guard_check(
             files=",".join(guard_paths),
             area=f"runner:{caller or 'headless'}",
@@ -479,17 +531,16 @@ def _run_headless_runner_guard(*, caller: str, cwd: Path, prompt: str, allowed_t
             include_schemas="true",
             enforce_runtime_core_block="false",
         )
+        summary = str(output or "")
     except Exception as exc:
-        return {
-            "blocked": True,
-            "summary": f"Runner guard unavailable: {exc}",
-            "paths": guard_paths,
-        }
-    blocked = "BLOCKING RULES" in str(output or "")
+        # Guard unavailable is observational, not blocking. The PreToolUse
+        # hook will catch any actual protected write at execute time.
+        summary = f"Runner guard unavailable: {exc}"
     return {
-        "blocked": blocked,
-        "summary": str(output or ""),
+        "blocked": False,
+        "summary": summary,
         "paths": guard_paths,
+        "advisory": True,
     }
 
 

package/src/plugins/guard.py

@@ -494,12 +494,24 @@ def handle_guard_check(
         all_tables = set()
         for filepath in file_list:
             try:
+                # Skip directories silently — the path extractor that calls
+                # us is permissive and can hand back paths that end in `/`
+                # (e.g. `/tmp/`) or that resolve to real directories. Opening
+                # one of those raises IsADirectoryError, which is an OSError
+                # subclass; the prior except only caught FileNotFoundError /
+                # PermissionError, so the exception propagated and the whole
+                # runner pre-emptive guard returned `blocked=True` with
+                # "Runner guard unavailable: [Errno 21] Is a directory".
+                # That is exactly what was killing the followup-runner every
+                # hour after 7.16.0.
+                if Path(filepath).is_dir():
+                    continue
                 with open(filepath, 'r', errors='ignore') as f:
                     content = f.read()
                 sql_keywords = ['SELECT', 'INSERT', 'UPDATE', 'DELETE', 'CREATE TABLE']
                 if any(kw in content.upper() for kw in sql_keywords):
                     all_tables.update(_extract_table_names(content))
-            except (FileNotFoundError, PermissionError):
+            except (FileNotFoundError, PermissionError, IsADirectoryError, OSError):
                 continue
 
         cache = _load_schema_cache()