nexo-brain 7.20.8 → 7.20.9

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.20.8",
+  "version": "7.20.9",
   "description": "Local cognitive runtime for Claude Code \u2014 persistent memory, overnight learning, doctor diagnostics, personal scripts, recovery-aware jobs, startup preflight, and optional dashboard/power helper.",
   "author": {
     "name": "NEXO Brain",

package/README.md

@@ -18,7 +18,9 @@
 
 [Watch the overview video](https://nexo-brain.com/watch/) · [Watch on YouTube](https://www.youtube.com/watch?v=i2lkGhKyVqI) · [Open the infographic](https://nexo-brain.com/assets/nexo-brain-infographic-v5.png)
 
-Version `7.20.8` is the current packaged-runtime line. Patch release over v7.20.7 — Local Context recognises Windows Mail package roots and Outlook Mac profile roots as bounded local-email sources instead of rejecting them as generic AppData / Group Containers.
+Version `7.20.9` is the current packaged-runtime line. Patch release over v7.20.8 — Local Context scans automatic roots at full operational depth, falls back to crontab when Linux/WSL systemd user timers fail, passes Windows AppData email roots into WSL, and blocks Google API keys before HTML cleaning.
+
+Previously in `7.20.8`: patch release over v7.20.7 — Local Context recognises Windows Mail package roots and Outlook Mac profile roots as bounded local-email sources instead of rejecting them as generic AppData / Group Containers.
 
 Previously in `7.20.7`: patch release over v7.20.6 — Local Context email-root bootstrap is deterministic across CI, WSL and migrated profiles while preserving macOS Mail.app, Windows Outlook, Thunderbird and NEXO email coverage.
 

package/bin/windows-wsl-bridge.js

@@ -93,6 +93,20 @@ function resolveLinuxEnv(env = process.env) {
   return linuxEnv;
 }
 
+function resolveWindowsHostPathEnv(env = process.env) {
+  const result = {};
+  for (const key of ["LOCALAPPDATA", "APPDATA"]) {
+    const value = String(env[key] || "").trim();
+    if (!value) continue;
+    if (isWindowsStylePath(value)) {
+      result[key] = toWslPath(value);
+    } else if (value.startsWith("/")) {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+
 function uniqueValues(values = []) {
   const seen = new Set();
   return values.filter((value) => {
@@ -242,6 +256,10 @@ function buildWslExecSpec({
   for (const [key, value] of Object.entries(linuxEnv)) {
     wslArgs.push(`${key}=${value}`);
   }
+  const windowsHostPathEnv = resolveWindowsHostPathEnv(env);
+  for (const [key, value] of Object.entries(windowsHostPathEnv)) {
+    wslArgs.push(`${key}=${value}`);
+  }
 
   // Build the staging shell script. Stages the bundle from /mnt/c (DrvFs/9P)
   // to /tmp (native ext4) BEFORE invoking node. Without staging, node hangs
@@ -296,6 +314,7 @@ function buildWslExecSpec({
     command: "wsl.exe",
     args: wslArgs,
     linuxEnv,
+    windowsHostPathEnv,
     managedLinuxPath,
     translatedScriptPath,
   };
@@ -338,6 +357,7 @@ module.exports = {
   probeWslUserHome,
   resolveLinuxEnv,
   resolveLinuxUserHome,
+  resolveWindowsHostPathEnv,
   runViaWsl,
   toWslPath,
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.20.8",
+  "version": "7.20.9",
   "mcpName": "io.github.wazionapps/nexo",
   "description": "NEXO Brain — Shared brain for AI agents. Persistent memory, semantic RAG, natural forgetting, metacognitive guard, trust scoring, 150+ MCP tools. Works with Claude Code, Codex, Claude Desktop & any MCP client. 100% local, free.",
   "homepage": "https://nexo-brain.com",

package/src/crons/sync.py

@@ -20,6 +20,7 @@ import json
 import os
 import platform
 import plistlib
+import shlex
 import shutil
 import subprocess
 import sys
@@ -133,6 +134,8 @@ SCHEDULE_FILE = paths.config_dir() / "schedule.json"
 CORE_CRON_MANAGED_ENV = "NEXO_MANAGED_CORE_CRON"
 PERSONAL_CRON_MANAGED_ENV = "NEXO_MANAGED_PERSONAL_CRON"
 PERSONAL_CRON_ID_ENV = "NEXO_PERSONAL_CRON_ID"
+CRONTAB_BEGIN = "# >>> NEXO managed core crons >>>"
+CRONTAB_END = "# <<< NEXO managed core crons <<<"
 RETIRED_CORE_FILES = (
     Path("core") / "scripts" / "nexo-day-orchestrator.sh",
     Path("scripts") / "nexo-day-orchestrator.sh",
@@ -457,6 +460,106 @@ def build_plist(cron: dict) -> dict:
     return plist
 
 
+def _shell_join(args: list[str | Path]) -> str:
+    return " ".join(shlex.quote(str(arg)) for arg in args)
+
+
+def _cron_schedule(cron: dict) -> str | None:
+    if cron.get("keep_alive"):
+        return None
+    if "interval_seconds" in cron:
+        try:
+            seconds = int(cron["interval_seconds"])
+        except Exception:
+            return None
+        if seconds <= 0 or seconds % 60 != 0:
+            return None
+        minutes = max(1, seconds // 60)
+        return "* * * * *" if minutes == 1 else f"*/{minutes} * * * *"
+    if "schedule" in cron:
+        s = resolve_declared_schedule(cron)
+        hour, minute = int(s.get("hour", 0)), int(s.get("minute", 0))
+        weekday = "*"
+        if "weekday" in s:
+            raw_weekday = int(s["weekday"])
+            weekday = "0" if raw_weekday == 7 else str(raw_weekday)
+        return f"{minute} {hour} * * {weekday}"
+    return None
+
+
+def _linux_crontab_entry(cron: dict, exec_cmd: str, stdout_log: Path, stderr_log: Path) -> str | None:
+    schedule = _cron_schedule(cron)
+    if not schedule:
+        return None
+    env_prefix = " ".join(
+        f"{key}={shlex.quote(str(value))}"
+        for key, value in {
+            "HOME": Path.home(),
+            "NEXO_HOME": NEXO_HOME,
+            "NEXO_CODE": _runtime_code_dir(),
+            "PYTHONUNBUFFERED": "1",
+        }.items()
+    )
+    return f"{schedule} {env_prefix} {exec_cmd} >> {shlex.quote(str(stdout_log))} 2>> {shlex.quote(str(stderr_log))}"
+
+
+def _strip_managed_crontab_block(body: str) -> str:
+    lines = body.splitlines()
+    kept: list[str] = []
+    skipping = False
+    for line in lines:
+        if line.strip() == CRONTAB_BEGIN:
+            skipping = True
+            continue
+        if line.strip() == CRONTAB_END:
+            skipping = False
+            continue
+        if not skipping:
+            kept.append(line)
+    return "\n".join(kept).rstrip()
+
+
+def _install_linux_crontab_fallback(entries: list[str]) -> dict:
+    if not entries:
+        return {"ok": False, "error": "no_crontab_entries"}
+    if not shutil.which("crontab"):
+        return {"ok": False, "error": "crontab_missing"}
+
+    existing = subprocess.run(["crontab", "-l"], capture_output=True, text=True)
+    current_body = existing.stdout if existing.returncode == 0 else ""
+    unmanaged_body = _strip_managed_crontab_block(current_body)
+    managed_body = "\n".join([CRONTAB_BEGIN, *entries, CRONTAB_END])
+    next_body = f"{unmanaged_body}\n\n{managed_body}\n" if unmanaged_body else f"{managed_body}\n"
+
+    tmp_path = None
+    try:
+        with tempfile.NamedTemporaryFile("w", encoding="utf-8", delete=False) as fh:
+            tmp_path = fh.name
+            fh.write(next_body)
+        proc = subprocess.run(["crontab", tmp_path], capture_output=True, text=True)
+    finally:
+        if tmp_path:
+            try:
+                Path(tmp_path).unlink(missing_ok=True)
+            except Exception:
+                pass
+    if proc.returncode != 0:
+        return {"ok": False, "error": proc.stderr or proc.stdout or "crontab_install_failed"}
+    return {"ok": True, "entries": len(entries)}
+
+
+def _enable_systemd_user_units(units: list[str]) -> dict:
+    errors: list[str] = []
+    daemon = subprocess.run(["systemctl", "--user", "daemon-reload"], capture_output=True, text=True)
+    if daemon.returncode != 0:
+        errors.append(daemon.stderr or daemon.stdout or "systemctl daemon-reload failed")
+    for unit in units:
+        proc = subprocess.run(["systemctl", "--user", "enable", "--now", unit], capture_output=True, text=True)
+        if proc.returncode != 0:
+            errors.append(f"{unit}: {proc.stderr or proc.stdout or 'enable failed'}")
+    return {"ok": not errors, "errors": errors}
+
+
 def get_installed_nexo_crons() -> dict[str, Path]:
     """Return dict of cron_id → plist_path for installed NEXO crons."""
     installed = {}
@@ -670,6 +773,9 @@ def sync_linux(dry_run: bool = False):
             python_bin = p
             break
 
+    enable_units: list[str] = []
+    crontab_entries: list[str] = []
+
     for cron in manifest_crons:
         cron_id = cron["id"]
         script_src = _resolve_source_artifact(cron["script"])
@@ -683,9 +789,9 @@ def sync_linux(dry_run: bool = False):
             _copy_into_runtime(subdir_src)
 
         if script_type == "shell":
-            exec_cmd = f"/bin/bash {wrapper_dest} {cron_id} /bin/bash {script_dest}"
+            exec_cmd = _shell_join(["/bin/bash", wrapper_dest, cron_id, "/bin/bash", script_dest])
         else:
-            exec_cmd = f"/bin/bash {wrapper_dest} {cron_id} {python_bin} {script_dest}"
+            exec_cmd = _shell_join(["/bin/bash", wrapper_dest, cron_id, python_bin, script_dest])
 
         service_path = unit_dir / f"nexo-{cron_id}.service"
         timer_path = unit_dir / f"nexo-{cron_id}.timer"
@@ -734,6 +840,7 @@ StandardError=append:{stderr_log}
 
         service_path.write_text(service_content)
         if cron.get("keep_alive"):
+            enable_units.append(f"nexo-{cron_id}.service")
             log(f"  Installed keep_alive service: {cron_id}")
             continue
 
@@ -748,14 +855,25 @@ Persistent=true
 WantedBy=timers.target
 """
         timer_path.write_text(timer_content)
+        enable_units.append(f"nexo-{cron_id}.timer")
+        crontab_entry = _linux_crontab_entry(cron, exec_cmd, stdout_log, stderr_log)
+        if crontab_entry:
+            crontab_entries.append(crontab_entry)
         log(f"  Installed: {cron_id}")
 
     if not dry_run:
-        subprocess.run(["systemctl", "--user", "daemon-reload"], capture_output=True)
-        for cron in manifest_crons:
-            unit = f"nexo-{cron['id']}.service" if cron.get("keep_alive") else f"nexo-{cron['id']}.timer"
-            subprocess.run(["systemctl", "--user", "enable", "--now", unit], capture_output=True)
-        log("systemd units enabled.")
+        systemd_result = _enable_systemd_user_units(enable_units)
+        if systemd_result.get("ok"):
+            log("systemd units enabled.")
+        else:
+            log(f"WARNING: systemd user timers failed; installing crontab fallback: {systemd_result.get('errors')}")
+            fallback = _install_linux_crontab_fallback(crontab_entries)
+            if not fallback.get("ok"):
+                raise RuntimeError(
+                    "Linux cron activation failed: "
+                    f"systemd={systemd_result.get('errors')} crontab={fallback.get('error')}"
+                )
+            log(f"crontab fallback installed ({fallback.get('entries')} entries).")
 
     log("Sync complete.")
 

package/src/local_context/api.py

@@ -26,6 +26,9 @@ LOCAL_INDEX_LINUX_UNIT = "nexo-local-index.service"
 DEFAULT_LIVE_ASSET_LIMIT = int(os.environ.get("NEXO_LOCAL_INDEX_LIVE_ASSET_LIMIT", "2000") or "2000")
 DEFAULT_LIVE_DIR_LIMIT = int(os.environ.get("NEXO_LOCAL_INDEX_LIVE_DIR_LIMIT", "300") or "300")
 DEFAULT_LIVE_FILE_LIMIT = int(os.environ.get("NEXO_LOCAL_INDEX_LIVE_FILE_LIMIT", "1000") or "1000")
+DEFAULT_ROOT_DEPTH = int(os.environ.get("NEXO_LOCAL_INDEX_DEFAULT_DEPTH", "24") or "24")
+DEFAULT_EMAIL_ROOT_DEPTH = int(os.environ.get("NEXO_LOCAL_INDEX_EMAIL_ROOT_DEPTH", "24") or "24")
+DEFAULT_MOUNTED_ROOT_DEPTH = int(os.environ.get("NEXO_LOCAL_INDEX_MOUNTED_ROOT_DEPTH", "24") or "24")
 
 
 def ensure_ready() -> None:
@@ -91,6 +94,21 @@ def _dedupe_roots(roots: list[str]) -> list[str]:
     return result
 
 
+def _dedupe_root_specs(specs: list[tuple[str, int]]) -> list[tuple[str, int]]:
+    ordered: list[str] = []
+    depths: dict[str, int] = {}
+    for root, depth in specs:
+        normalized = norm_path(root)
+        if not normalized:
+            continue
+        if normalized not in depths:
+            ordered.append(normalized)
+            depths[normalized] = int(depth)
+        else:
+            depths[normalized] = max(depths[normalized], int(depth))
+    return [(root, depths[root]) for root in ordered]
+
+
 def _mounted_volume_roots() -> list[str]:
     candidates: list[Path] = []
     if sys.platform == "darwin":
@@ -156,23 +174,45 @@ def _local_email_roots() -> list[str]:
 
 
 def default_roots() -> list[str]:
+    return [root for root, _depth in default_root_specs()]
+
+
+def default_root_specs() -> list[tuple[str, int]]:
     home = Path.home()
     configured = os.environ.get("NEXO_LOCAL_INDEX_DEFAULT_ROOTS", "").strip()
     if configured:
-        return _dedupe_roots([item for item in configured.split(os.pathsep) if item.strip()])
-    return _dedupe_roots([str(home), *_local_email_roots(), *_mounted_volume_roots()])
+        return _dedupe_root_specs(
+            [(item, DEFAULT_ROOT_DEPTH) for item in configured.split(os.pathsep) if item.strip()]
+        )
+    return _dedupe_root_specs(
+        [(str(home), DEFAULT_ROOT_DEPTH)]
+        + [(root, DEFAULT_EMAIL_ROOT_DEPTH) for root in _local_email_roots()]
+        + [(root, DEFAULT_MOUNTED_ROOT_DEPTH) for root in _mounted_volume_roots()]
+    )
 
 
 def ensure_default_roots() -> dict:
-    existing_paths = {row["root_path"] for row in list_roots()}
+    existing = {row["root_path"]: row for row in list_roots()}
     created = []
-    for root in default_roots():
-        if root in existing_paths:
-            continue
+    updated = []
+    for root, depth in default_root_specs():
         candidate = Path(root).expanduser()
-        if candidate.exists() and candidate.is_dir():
-            created.append(add_root(str(candidate), mode="normal", depth=2))
-    return {"ok": True, "created": len(created), "roots": list_roots()}
+        if not candidate.exists() or not candidate.is_dir():
+            continue
+        existing_row = existing.get(norm_path(str(candidate)))
+        if existing_row:
+            current_depth = int(existing_row.get("depth") or 0)
+            if current_depth < depth:
+                conn = _conn()
+                conn.execute(
+                    "UPDATE local_index_roots SET depth=?, updated_at=? WHERE root_path=?",
+                    (depth, now(), existing_row["root_path"]),
+                )
+                conn.commit()
+                updated.append({"root_path": existing_row["root_path"], "depth": depth})
+            continue
+        created.append(add_root(str(candidate), mode="normal", depth=depth))
+    return {"ok": True, "created": len(created), "updated": len(updated), "roots": list_roots()}
 
 
 def _should_skip_mounted_root(candidate: Path) -> bool:
@@ -1348,7 +1388,7 @@ def process_jobs(*, limit: int = 100) -> dict:
             if job_type == "light_extraction":
                 text, metadata = extract_text(Path(row["path"]))
                 version_id = _latest_version_id(conn, asset_id)
-                if contains_secret(text):
+                if metadata.get("content_secret_detected") or contains_secret(text):
                     _mark_content_secret_assets(conn, [asset_id])
                     conn.execute(
                         "UPDATE local_index_jobs SET status='done', updated_at=?, last_error_code='content_secret_blocked' WHERE job_id=?",

package/src/local_context/extractors.py

@@ -41,6 +41,7 @@ SECRET_PATTERNS: tuple[re.Pattern, ...] = (
     re.compile(r"\bpk-(?:[a-z]+-)?[A-Za-z0-9_\-]{20,}\b"),
     re.compile(r"\b(ghp|gho|ghu|ghs|ghr|github_pat|glpat|xoxb|xoxp|shpat)_[A-Za-z0-9_]{16,}\b", re.I),
     re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16,}\b"),
+    re.compile(r"\bAIza[0-9A-Za-z_-]{30,}\b"),
     re.compile(r"\bey[A-Za-z0-9_-]{10,}\.ey[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
     re.compile(r"-----BEGIN (?:RSA |DSA |EC |OPENSSH |PGP )?PRIVATE KEY-----", re.I),
     re.compile(r"\b([A-Z][A-Z0-9_]*(?:TOKEN|SECRET|KEY|PASSWORD|PASS)\s*[:=]\s*)['\"]?[A-Za-z0-9._/+=\-]{12,}", re.I),
@@ -290,6 +291,8 @@ def extract_text(path: Path) -> tuple[str, dict]:
         text = _extract_xlsx(path)
     else:
         text = ""
+    if contains_secret(text):
+        metadata["content_secret_detected"] = True
     return clean_text(text), metadata
 
 

package/src/local_context/privacy.py

@@ -89,6 +89,13 @@ EMAIL_ATTACHMENT_SUFFIXES = {
 }
 
 EMAIL_EXTRACTABLE_SUFFIXES = {".eml", ".emlx", ".msg"}
+OUTLOOK_MAC_INVENTORY_SUFFIXES = {
+    ".olk15message",
+    ".olk15msgsource",
+    ".olk15msgattach",
+    ".olk15event",
+    ".olk15contact",
+}
 
 NOISY_PARTS = {
     "node_modules",
@@ -261,7 +268,7 @@ def is_allowed_local_email_file(path: str) -> bool:
             "appdata/local/packages/microsoft.windowscommunicationsapps",
         )
     ) or _is_inside_windows_mail_package(lowered) or _is_inside_outlook_mac_profile(lowered):
-        return suffix in {".eml", ".msg", ".pst", ".ost"}
+        return suffix in {".eml", ".msg", ".pst", ".ost"} | OUTLOOK_MAC_INVENTORY_SUFFIXES
     if _is_under_marker(lowered, ".thunderbird") or _is_under_marker(lowered, ".mozilla-thunderbird"):
         return suffix in {".eml", ".mbox", ""}
     return False