nexo-brain 7.20.9 → 7.20.11

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.20.9",
+  "version": "7.20.11",
   "description": "Local cognitive runtime for Claude Code \u2014 persistent memory, overnight learning, doctor diagnostics, personal scripts, recovery-aware jobs, startup preflight, and optional dashboard/power helper.",
   "author": {
     "name": "NEXO Brain",

package/README.md

@@ -18,7 +18,11 @@
 
 [Watch the overview video](https://nexo-brain.com/watch/) · [Watch on YouTube](https://www.youtube.com/watch?v=i2lkGhKyVqI) · [Open the infographic](https://nexo-brain.com/assets/nexo-brain-infographic-v5.png)
 
-Version `7.20.9` is the current packaged-runtime line. Patch release over v7.20.8 — Local Context scans automatic roots at full operational depth, falls back to crontab when Linux/WSL systemd user timers fail, passes Windows AppData email roots into WSL, and blocks Google API keys before HTML cleaning.
+Version `7.20.11` is the current packaged-runtime line. Patch release over v7.20.10 — Local Context now starts from real system volume roots plus mounted/removable/network volumes, filters system/cache/app/product artifacts, and injects relevant local evidence automatically into heartbeat, task-open and pre-action context.
+
+Previously in `7.20.10`: patch release over v7.20.9 — Local Context manual refreshes now reconcile automatic roots every time, so newly mounted disks and upgraded default roots are picked up immediately from Desktop's "comprobar cambios" path.
+
+Previously in `7.20.9`: patch release over v7.20.8 — Local Context scans automatic roots at full operational depth, falls back to crontab when Linux/WSL systemd user timers fail, passes Windows AppData email roots into WSL, and blocks Google API keys before HTML cleaning.
 
 Previously in `7.20.8`: patch release over v7.20.7 — Local Context recognises Windows Mail package roots and Outlook Mac profile roots as bounded local-email sources instead of rejecting them as generic AppData / Group Containers.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.20.9",
+  "version": "7.20.11",
   "mcpName": "io.github.wazionapps/nexo",
   "description": "NEXO Brain — Shared brain for AI agents. Persistent memory, semantic RAG, natural forgetting, metacognitive guard, trust scoring, 150+ MCP tools. Works with Claude Code, Codex, Claude Desktop & any MCP client. 100% local, free.",
   "homepage": "https://nexo-brain.com",

package/src/local_context/api.py

@@ -16,7 +16,7 @@ from db._schema import run_migrations
 from . import embeddings
 from .extractors import chunk_text, contains_secret, entities, extract_text, summarize
 from .logging import log_event, tail
-from .privacy import classify_path, is_queryable_path, should_extract, should_skip_file, should_skip_tree
+from .privacy import classify_path, is_local_email_tree, is_queryable_path, should_extract, should_skip_file, should_skip_tree
 from .util import content_hash, json_dumps, json_loads, norm_path, now, quick_fingerprint, redact_path, stable_id, system_label, tokenize
 
 LOCAL_INDEX_SERVICE_LABEL = "com.nexo.local-index"
@@ -29,6 +29,7 @@ DEFAULT_LIVE_FILE_LIMIT = int(os.environ.get("NEXO_LOCAL_INDEX_LIVE_FILE_LIMIT",
 DEFAULT_ROOT_DEPTH = int(os.environ.get("NEXO_LOCAL_INDEX_DEFAULT_DEPTH", "24") or "24")
 DEFAULT_EMAIL_ROOT_DEPTH = int(os.environ.get("NEXO_LOCAL_INDEX_EMAIL_ROOT_DEPTH", "24") or "24")
 DEFAULT_MOUNTED_ROOT_DEPTH = int(os.environ.get("NEXO_LOCAL_INDEX_MOUNTED_ROOT_DEPTH", "24") or "24")
+DEFAULT_SYSTEM_ROOT_DEPTH = int(os.environ.get("NEXO_LOCAL_INDEX_SYSTEM_ROOT_DEPTH", "24") or "24")
 
 
 def ensure_ready() -> None:
@@ -44,7 +45,7 @@ def _conn():
 def add_root(path: str, *, mode: str = "normal", depth: int | None = None) -> dict:
     conn = _conn()
     root_path = norm_path(path)
-    if should_skip_tree(root_path):
+    if should_skip_tree(root_path) and not _allow_explicit_blocked_root(root_path):
         log_event("warn", "root_rejected_private", "Root rejected by local memory privacy rules", path=redact_path(root_path))
         return {"ok": False, "error": "root_blocked_by_privacy", "root_path": root_path}
     depth_value = 2 if depth is None else int(depth)
@@ -141,6 +142,18 @@ def _mounted_volume_roots() -> list[str]:
     return roots
 
 
+def _system_volume_roots() -> list[str]:
+    if os.environ.get("NEXO_LOCAL_INDEX_DISABLE_SYSTEM_ROOTS", "").strip() in {"1", "true", "yes"}:
+        return []
+    if sys.platform == "darwin":
+        return ["/"]
+    if sys.platform.startswith("win"):
+        # Windows roots are discovered as mounted drive roots so mapped drives
+        # and removable disks share the same code path.
+        return []
+    return ["/"]
+
+
 def _local_email_roots() -> list[str]:
     home = Path.home()
     roots: list[Path] = [home / ".nexo" / "runtime" / "nexo-email"]
@@ -180,14 +193,15 @@ def default_roots() -> list[str]:
 def default_root_specs() -> list[tuple[str, int]]:
     home = Path.home()
     configured = os.environ.get("NEXO_LOCAL_INDEX_DEFAULT_ROOTS", "").strip()
-    if configured:
-        return _dedupe_root_specs(
-            [(item, DEFAULT_ROOT_DEPTH) for item in configured.split(os.pathsep) if item.strip()]
-        )
+    system_specs = [(root, DEFAULT_SYSTEM_ROOT_DEPTH) for root in _system_volume_roots()]
+    mounted_specs = [(root, DEFAULT_MOUNTED_ROOT_DEPTH) for root in _mounted_volume_roots()]
+    configured_specs = [(item, DEFAULT_ROOT_DEPTH) for item in configured.split(os.pathsep) if item.strip()]
+    base_specs = system_specs + mounted_specs + configured_specs
+    if not base_specs:
+        base_specs = [(str(home), DEFAULT_ROOT_DEPTH)]
     return _dedupe_root_specs(
-        [(str(home), DEFAULT_ROOT_DEPTH)]
+        base_specs
         + [(root, DEFAULT_EMAIL_ROOT_DEPTH) for root in _local_email_roots()]
-        + [(root, DEFAULT_MOUNTED_ROOT_DEPTH) for root in _mounted_volume_roots()]
     )
 
 
@@ -525,6 +539,15 @@ def _is_paused() -> bool:
     return _get_state("paused", "0") == "1"
 
 
+def _allow_explicit_blocked_root(path: str) -> bool:
+    # Test and controlled diagnostics may explicitly index a temporary fixture
+    # root while production root discovery still skips temp/system trees.
+    if os.environ.get("NEXO_LOCAL_INDEX_ALLOW_BLOCKED_ROOTS", "").strip().lower() not in {"1", "true", "yes"}:
+        return False
+    normalized = norm_path(path).replace("\\", "/").lower()
+    return any(marker in normalized for marker in ("/tmp/", "/var/folders/", "/private/var/folders/"))
+
+
 def _is_excluded(path: str, exclusions: list[str]) -> bool:
     value = norm_path(path)
     return any(value == item or value.startswith(item + os.sep) for item in exclusions)
@@ -535,6 +558,47 @@ def _path_prefix(path: str) -> str:
     return normalized + os.sep if normalized else os.sep
 
 
+def _is_nested_path(path: str, parent: str) -> bool:
+    value = norm_path(path)
+    base = norm_path(parent)
+    if not value or not base or value == base:
+        return False
+    if base == os.sep:
+        return value.startswith(os.sep)
+    return value.startswith(_path_prefix(base))
+
+
+def _is_discovered_mount_path(path: str) -> bool:
+    value = norm_path(path).replace("\\", "/").lower()
+    if not value:
+        return False
+    return (
+        value.startswith("/volumes/")
+        or value.startswith("/mnt/")
+        or value.startswith("/media/")
+        or value.startswith("/run/media/")
+        or (len(value) == 3 and value[1:] == ":/")
+        or (len(value) == 3 and value[1:] == ":\\")
+    )
+
+
+def _effective_scan_roots(roots: list[dict]) -> list[dict]:
+    active_roots = [root for root in roots if str(root.get("status") or "active") != "removed"]
+    parent_paths = [str(root.get("root_path") or "") for root in active_roots]
+    effective: list[dict] = []
+    for root in active_roots:
+        root_path = str(root.get("root_path") or "")
+        if _is_discovered_mount_path(root_path):
+            effective.append(root)
+            continue
+        if root_path and not is_local_email_tree(root_path) and any(
+            _is_nested_path(root_path, parent) for parent in parent_paths
+        ):
+            continue
+        effective.append(root)
+    return effective
+
+
 def _file_type(path: Path) -> str:
     if path.is_dir():
         return "folder"
@@ -1188,14 +1252,14 @@ def scan_once(*, limit: int | None = None) -> dict:
         log_event("info", "scan_skipped_paused", "Local memory scan skipped because indexing is paused")
         return {"ok": True, "paused": True, "roots": 0, "seen": 0, "changed": 0, "errors": 0, "partial": False}
     started = now()
-    roots = list_roots()
+    roots = _effective_scan_roots(list_roots())
     exclusions = [row["path"] for row in list_exclusions()]
     totals = {"roots": len(roots), "seen": 0, "changed": 0, "errors": 0, "partial": False}
     log_event("info", "scan_started", "Local memory scan started", roots=len(roots))
     for root in roots:
         root_path = Path(root["root_path"]).expanduser()
         root_id = int(root["id"])
-        if should_skip_tree(str(root_path)):
+        if should_skip_tree(str(root_path)) and not _allow_explicit_blocked_root(str(root_path)):
             conn.execute(
                 "UPDATE local_index_roots SET status='removed', last_scan_at=?, updated_at=? WHERE id=?",
                 (now(), now(), root_id),
@@ -1455,14 +1519,13 @@ def run_once(
     if _get_state("privacy_hygiene_v2", "0") != "1":
         local_index_privacy_hygiene(fix=True)
         _set_state("privacy_hygiene_v2", "1")
-    if root:
-        add_root(root)
-    elif (
+    if (
         os.environ.get("NEXO_LOCAL_INDEX_DISABLE_DEFAULT_ROOTS", "").strip() != "1"
         and os.environ.get("NEXO_SKIP_FS_INDEX", "").strip() != "1"
-        and not list_roots()
     ):
         ensure_default_roots()
+    if root:
+        add_root(root)
     live_result = reconcile_live_changes(
         asset_limit=live_asset_limit,
         dir_limit=live_dir_limit,

package/src/local_context/privacy.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+import os
 from pathlib import Path
 
 SENSITIVE_FILE_NAMES = {
@@ -124,6 +125,15 @@ NOISY_PARTS = {
     "target",
 }
 
+PRODUCT_ARTIFACT_PARTS = {
+    "brain-bundle",
+    "nexo desktop qa backups",
+    "nexo desktop qa.app",
+    "nexo desktop.app",
+    "nexo desktop beta.app",
+    "nexo desktop support.app",
+}
+
 TRANSIENT_PARTS = {"tmp", "temp"}
 
 PRIVATE_PROFILE_PARTS = {
@@ -184,10 +194,47 @@ SYSTEM_PARTS = {
     "windows",
     "program files",
     "program files (x86)",
-    "library/caches",
-    "system/library",
+}
+
+SYSTEM_PATH_MARKERS = {
+    "/bin",
+    "/cores",
+    "/dev",
+    "/library/caches",
+    "/library/logs",
+    "/private/tmp",
+    "/private/var/db",
+    "/private/var/folders",
+    "/private/var/log",
+    "/private/var/vm",
     "/proc",
+    "/run",
+    "/sbin",
     "/sys",
+    "/system",
+    "/tmp",
+    "/usr",
+    "/var/folders",
+    "/var/tmp",
+}
+
+TEMP_SYSTEM_PATH_MARKERS = {
+    "/private/var/folders",
+    "/tmp",
+    "/var/folders",
+    "/var/tmp",
+}
+
+HOME_PRIVATE_PROFILE_MARKERS = {
+    "library/application support",
+    "library/containers",
+    "library/group containers",
+    "library/keychains",
+    "library/logs",
+    "library/mail",
+    "library/messages",
+    "library/safari",
+    "library/saved application state",
 }
 
 
@@ -210,6 +257,33 @@ def _is_under_marker(lowered: str, marker: str) -> bool:
     return lowered.endswith("/" + marker) or f"/{marker}/" in lowered
 
 
+def _has_absolute_marker(lowered: str, marker: str) -> bool:
+    marker = "/" + marker.strip("/").lower()
+    return lowered == marker or lowered.endswith(marker) or f"{marker}/" in lowered
+
+
+def _is_system_path(path: str) -> bool:
+    lowered = _normalized(path)
+    parts = _parts(path)
+    if parts & SYSTEM_PARTS:
+        return True
+    matched_markers = {marker for marker in SYSTEM_PATH_MARKERS if _has_absolute_marker(lowered, marker)}
+    if not matched_markers:
+        return False
+    if (
+        matched_markers <= TEMP_SYSTEM_PATH_MARKERS
+        and os.environ.get("NEXO_LOCAL_INDEX_ALLOW_BLOCKED_ROOTS", "").strip().lower() in {"1", "true", "yes"}
+        and "pytest-" in lowered
+    ):
+        return False
+    return True
+
+
+def _is_app_bundle_path(path: str) -> bool:
+    lowered = _normalized(path)
+    return lowered.endswith(".app") or ".app/" in lowered
+
+
 def _is_inside_windows_mail_package(lowered: str) -> bool:
     return "/appdata/local/packages/microsoft.windowscommunicationsapps" in lowered
 
@@ -323,9 +397,12 @@ def is_sensitive_path(path: str) -> bool:
 def is_private_profile_path(path: str) -> bool:
     lowered = _normalized(path)
     parts = _parts(path)
-    if parts & PRIVATE_PROFILE_PARTS:
+    global_parts = PRIVATE_PROFILE_PARTS - HOME_PRIVATE_PROFILE_MARKERS
+    if parts & global_parts:
+        return True
+    if _contains_path_marker(lowered, global_parts):
         return True
-    if _contains_path_marker(lowered, PRIVATE_PROFILE_PARTS):
+    if (_is_home_hidden_path(path) or "/users/" in lowered) and _contains_path_marker(lowered, HOME_PRIVATE_PROFILE_MARKERS):
         return True
     name = Path(path).name.lower()
     if name in PROFILE_HIDDEN_FILE_NAMES:
@@ -346,8 +423,12 @@ def classify_path(path: str) -> tuple[int, str, str]:
         return 1, "sensitive_inventory_only", "sensitive_path"
     if is_private_profile_path(path):
         return 0, "private_profile_blocked", "private_profile_path"
-    if any(item in lowered for item in SYSTEM_PARTS):
+    if _is_system_path(path):
         return 0, "system_blocked", "system_path"
+    if parts & PRODUCT_ARTIFACT_PARTS:
+        return 1, "inventory_only", "product_artifact"
+    if _is_app_bundle_path(path):
+        return 1, "inventory_only", "app_bundle"
     if parts & NOISY_PARTS or _has_transient_project_part(path) or _has_hidden_dir_part(path):
         return 1, "inventory_only", "noisy_tree"
     return 2, "normal", "default"
@@ -358,11 +439,17 @@ def should_skip_tree(path: str) -> bool:
     parts = _parts(path)
     if is_local_email_tree(path):
         return False
-    if any(item in lowered for item in SYSTEM_PARTS):
+    if _is_system_path(path):
         return True
     if is_sensitive_path(path) or is_private_profile_path(path):
         return True
-    return bool(parts & NOISY_PARTS or _has_transient_project_part(path) or _has_hidden_dir_part(path))
+    return bool(
+        parts & PRODUCT_ARTIFACT_PARTS
+        or _is_app_bundle_path(path)
+        or parts & NOISY_PARTS
+        or _has_transient_project_part(path)
+        or _has_hidden_dir_part(path)
+    )
 
 
 def should_skip_file(path: str) -> bool:
@@ -370,11 +457,17 @@ def should_skip_file(path: str) -> bool:
     parts = _parts(path)
     if is_local_email_tree(path):
         return not is_allowed_local_email_file(path)
-    if any(item in lowered for item in SYSTEM_PARTS):
+    if _is_system_path(path):
         return True
     if is_sensitive_path(path) or is_private_profile_path(path):
         return True
-    return bool(parts & NOISY_PARTS or _has_transient_project_part(path) or _has_hidden_dir_part(path))
+    return bool(
+        parts & PRODUCT_ARTIFACT_PARTS
+        or _is_app_bundle_path(path)
+        or parts & NOISY_PARTS
+        or _has_transient_project_part(path)
+        or _has_hidden_dir_part(path)
+    )
 
 
 def is_queryable_path(path: str, privacy_class: str = "") -> bool:

package/src/plugins/protocol.py

@@ -42,6 +42,11 @@ from plugins.guard import handle_guard_check
 from protocol_settings import get_protocol_strictness
 from tools_sessions import handle_heartbeat
 
+try:
+    from tools_hot_context import append_local_context_evidence
+except Exception:  # pragma: no cover - local context is optional in early boot
+    append_local_context_evidence = None
+
 
 # ── R03 (Fase 2 Protocol Enforcer) evidence quality thresholds ────────
 # "evidence" supplied to nexo_task_close must be substantive when an
@@ -1320,6 +1325,14 @@ def handle_task_open(
         response_contract = dict(response_contract)
         response_contract["next_action"] = next_action
 
+    recent_excerpt = format_pre_action_context_bundle(recent_bundle, compact=True) if recent_bundle.get("has_matches") else ""
+    if append_local_context_evidence is not None:
+        recent_excerpt = append_local_context_evidence(
+            recent_excerpt,
+            " | ".join(part for part in [clean_goal, context_hint.strip()] if part),
+            limit=4,
+        )
+
     response = {
         "ok": True,
         "task_id": task["task_id"],
@@ -1351,8 +1364,8 @@ def handle_task_open(
         "response_contract": response_contract,
         "decision_support": decision_support,
         "recent_context": {
-            "has_matches": bool(recent_bundle.get("has_matches")),
-            "excerpt": format_pre_action_context_bundle(recent_bundle, compact=True) if recent_bundle.get("has_matches") else "",
+            "has_matches": bool(recent_bundle.get("has_matches") or recent_excerpt.strip()),
+            "excerpt": recent_excerpt,
         },
         "area_context": area_context if area_context.get("has_context") else None,
         "contract": {

package/src/tools_hot_context.py

@@ -15,6 +15,11 @@ from db import (
 )
 
 
+def append_local_context_evidence(rendered: str, query: str, *, limit: int = 4) -> str:
+    local_context = _format_local_context_evidence(query, limit=min(limit or 4, 4))
+    return f"{rendered}{local_context}" if local_context else rendered
+
+
 def _format_local_context_evidence(query: str, *, limit: int = 4) -> str:
     clean_query = (query or "").strip()
     if not clean_query:
@@ -40,6 +45,14 @@ def _format_local_context_evidence(query: str, *, limit: int = 4) -> str:
         summary = str(asset.get("summary") or "").strip()
         suffix = f" — {summary[:180]}" if summary else ""
         lines.append(f"- {display_path} ({asset.get('file_type', 'file')}, score={score}){suffix}")
+    chunks = result.get("chunks") or []
+    if chunks:
+        lines.append("Relevant excerpts:")
+        for chunk in chunks[:limit]:
+            text = " ".join(str(chunk.get("text") or "").split())
+            if not text:
+                continue
+            lines.append(f"- {text[:360]}")
     refs = result.get("evidence_refs") or []
     if refs:
         lines.append(f"Evidence refs: {', '.join(str(ref) for ref in refs[:limit])}")
@@ -160,8 +173,7 @@ def handle_pre_action_context(
         limit=limit,
     )
     rendered = format_pre_action_context_bundle(bundle)
-    local_context = _format_local_context_evidence(" | ".join(query_bits), limit=min(limit or 4, 4))
-    return f"{rendered}{local_context}" if local_context else rendered
+    return append_local_context_evidence(rendered, " | ".join(query_bits), limit=limit)
 
 
 def handle_recent_context_resolve(

package/src/tools_sessions.py

@@ -20,6 +20,11 @@ from db import (
     capture_context_event, maintain_memory_observations,
 )
 
+try:
+    from tools_hot_context import append_local_context_evidence
+except Exception:  # pragma: no cover - local context is optional during bootstrap
+    append_local_context_evidence = None
+
 try:
     from r14_correction_learning import detect_correction as _detect_correction_semantic
 except Exception:  # pragma: no cover - optional runtime dependency
@@ -707,6 +712,11 @@ def _handle_heartbeat_inner(sid: str, task: str, context_hint: str = '') -> str:
             if bundle.get("has_matches"):
                 parts.append("")
                 parts.append(format_pre_action_context_bundle(bundle, compact=True))
+            if append_local_context_evidence is not None:
+                local_rendered = append_local_context_evidence("", recent_query, limit=4).strip()
+                if local_rendered:
+                    parts.append("")
+                    parts.append(local_rendered)
         except Exception:
             pass