nexo-brain 7.23.2 → 7.23.4

package/src/automation_supervisor.py

@@ -83,6 +83,15 @@ class CronSpoolClassification:
     reason: str
 
 
+@dataclass(frozen=True)
+class EvolutionPolicyClassification:
+    status: str
+    severity: str
+    reason: str
+    launchagent_label: str = "com.nexo.evolution"
+    desktop_managed: bool = False
+
+
 def default_config() -> AutomationSupervisorConfig:
     home = Path(os.environ.get("NEXO_HOME", str(Path.home() / ".nexo")))
     if paths is not None:
@@ -120,7 +129,8 @@ def audit_automation(config: AutomationSupervisorConfig | None = None) -> dict[s
         now=now,
         warn_threshold=cfg.spool_warn_threshold,
     )
-    findings = _collect_findings(open_runs, launchagents, cron_spool)
+    evolution = classify_evolution_policy(cfg.manifest_path, cfg.launchagent_labels)
+    findings = _collect_findings(open_runs, launchagents, cron_spool, evolution)
 
     return {
         "ok": not any(item.get("severity") in TERMINAL_SEVERITIES for item in findings),
@@ -129,6 +139,7 @@ def audit_automation(config: AutomationSupervisorConfig | None = None) -> dict[s
         "open_runs": [asdict(item) for item in open_runs],
         "launchagents": [asdict(item) for item in launchagents],
         "cron_spool": [asdict(item) for item in cron_spool],
+        "evolution": asdict(evolution),
         "findings": findings,
         "summary": {
             "jobs": len(contracts),
@@ -140,6 +151,7 @@ def audit_automation(config: AutomationSupervisorConfig | None = None) -> dict[s
             "p1": sum(1 for item in findings if item.get("severity") == "P1"),
             "p2": sum(1 for item in findings if item.get("severity") == "P2"),
             "excluded_jobs": sorted(excluded),
+            "evolution_status": evolution.status,
         },
     }
 
@@ -369,21 +381,82 @@ def classify_cron_spool(
     return sorted(results, key=lambda item: (item.severity != "P1", item.cron_id))
 
 
+def classify_evolution_policy(
+    manifest_path: Path | None,
+    launchagent_labels: frozenset[str] | set[str] | list[str] | tuple[str, ...] | None,
+) -> EvolutionPolicyClassification:
+    try:
+        from product_mode import DESKTOP_EVOLUTION_DISABLED_REASON, desktop_product_requested
+
+        desktop_managed = bool(desktop_product_requested())
+        disabled_reason = DESKTOP_EVOLUTION_DISABLED_REASON
+    except Exception:
+        desktop_managed = False
+        disabled_reason = "Disabled by product policy"
+
+    if desktop_managed:
+        return EvolutionPolicyClassification(
+            status="disabled_by_policy",
+            severity="OK",
+            reason=disabled_reason,
+            desktop_managed=True,
+        )
+
+    manifest = _load_json(manifest_path, default={"crons": []})
+    entries = manifest.get("crons") if isinstance(manifest, Mapping) else []
+    evolution_entry = None
+    if isinstance(entries, list):
+        for entry in entries:
+            if isinstance(entry, Mapping) and _is_evolution(str(entry.get("id") or "")):
+                evolution_entry = entry
+                break
+    if not evolution_entry:
+        return EvolutionPolicyClassification(
+            status="unknown",
+            severity="P2",
+            reason="Brain standalone mode has no Evolution cron entry in the manifest",
+        )
+    label = str(evolution_entry.get("launchagent_label") or "com.nexo.evolution")
+    if launchagent_labels is None:
+        return EvolutionPolicyClassification(
+            status="unknown",
+            severity="P2",
+            reason="Brain standalone Evolution is declared, but LaunchAgent inventory was not supplied",
+            launchagent_label=label,
+        )
+    labels = {str(item) for item in launchagent_labels}
+    if label in labels:
+        return EvolutionPolicyClassification(
+            status="enabled_and_loaded",
+            severity="OK",
+            reason="Brain standalone Evolution is declared and loaded in the supplied inventory",
+            launchagent_label=label,
+        )
+    return EvolutionPolicyClassification(
+        status="enabled_but_not_loaded",
+        severity="P1",
+        reason="Brain standalone Evolution is declared but absent from the supplied inventory",
+        launchagent_label=label,
+    )
+
+
 def format_markdown(report: Mapping[str, Any]) -> str:
     summary = report.get("summary") if isinstance(report, Mapping) else {}
     findings = report.get("findings") if isinstance(report, Mapping) else []
+    evolution = report.get("evolution") if isinstance(report.get("evolution"), Mapping) else {}
     lines = [
-        "### G13 Automation supervisor sin Evolution",
+        "### Automation supervisor",
         "",
-        "| Area | Resultado |",
+        "| Area | Result |",
         "|---|---|",
         f"| Jobs no Evolution | {summary.get('jobs', 0)} |",
-        f"| Open runs clasificadas | {summary.get('open_runs', 0)} |",
-        f"| Cron-spool jobs con JSON | {summary.get('cron_spool_jobs', 0)} |",
-        f"| Hallazgos P1 | {summary.get('p1', 0)} |",
-        f"| Evolution excluido | {', '.join(summary.get('excluded_jobs') or []) or 'si'} |",
+        f"| Classified open runs | {summary.get('open_runs', 0)} |",
+        f"| Cron-spool jobs with JSON | {summary.get('cron_spool_jobs', 0)} |",
+        f"| P1 findings | {summary.get('p1', 0)} |",
+        f"| Evolution excluded from cron reconciliation | {', '.join(summary.get('excluded_jobs') or []) or 'yes'} |",
+        f"| Evolution policy | {evolution.get('status', 'unknown')} |",
     ]
-    lines.extend(["", "| Hallazgo | Severidad | Razon |", "|---|---|---|"])
+    lines.extend(["", "| Finding | Severity | Reason |", "|---|---|---|"])
     for item in findings or []:
         lines.append(
             "| {kind}:{key} | {severity} | {reason} |".format(
@@ -402,6 +475,7 @@ def _collect_findings(
     open_runs: Iterable[OpenRunClassification],
     launchagents: Iterable[LaunchAgentClassification],
     cron_spool: Iterable[CronSpoolClassification],
+    evolution: EvolutionPolicyClassification | None = None,
 ) -> list[dict[str, Any]]:
     findings: list[dict[str, Any]] = []
     for item in open_runs:
@@ -413,6 +487,8 @@ def _collect_findings(
     for item in cron_spool:
         if item.severity != "OK":
             findings.append({"kind": "cron_spool", "key": item.cron_id, **asdict(item)})
+    if evolution is not None and evolution.severity != "OK":
+        findings.append({"kind": "evolution", "key": evolution.launchagent_label, **asdict(evolution)})
     severity_order = {"P0": 0, "P1": 1, "P2": 2, "OK": 3}
     return sorted(findings, key=lambda item: (severity_order.get(str(item.get("severity")), 9), str(item.get("kind")), str(item.get("key"))))
 
@@ -422,7 +498,8 @@ def _load_open_cron_rows(db_path: Path | None) -> list[dict[str, Any]]:
         return []
     conn = None
     try:
-        conn = sqlite3.connect(str(db_path), timeout=2)
+        uri = db_path.resolve().as_uri() + "?mode=ro"
+        conn = sqlite3.connect(uri, timeout=2, uri=True)
         conn.row_factory = sqlite3.Row
         table = conn.execute("SELECT name FROM sqlite_master WHERE type='table' AND name='cron_runs'").fetchone()
         if table is None:

package/src/backup_retention.py

@@ -0,0 +1,70 @@
+"""Machine-readable backup retention contracts."""
+from __future__ import annotations
+
+import json
+import subprocess
+import sys
+from pathlib import Path
+
+import paths
+
+
+def _pruner_script() -> Path:
+    script = Path(__file__).resolve().parent / "scripts" / "prune_runtime_backups.py"
+    if script.is_file():
+        return script
+    fallback = paths.core_scripts_dir() / "prune_runtime_backups.py"
+    if fallback.is_file():
+        return fallback
+    raise FileNotFoundError("prune_runtime_backups.py not found")
+
+
+def _run_pruner(
+    *,
+    root: Path | None = None,
+    apply: bool = False,
+    max_bytes: str | int | None = None,
+    delete_all_technical: bool = False,
+) -> dict:
+    command = [
+        sys.executable,
+        str(_pruner_script()),
+        "--root",
+        str(root or paths.backups_dir()),
+        "--json",
+    ]
+    if apply:
+        command.append("--apply")
+    if max_bytes is not None:
+        command.extend(["--max-bytes", str(max_bytes)])
+    if delete_all_technical:
+        command.append("--delete-all-technical")
+    proc = subprocess.run(command, capture_output=True, text=True, timeout=120)
+    try:
+        payload = json.loads(proc.stdout or "{}")
+    except json.JSONDecodeError:
+        payload = {"raw_stdout": proc.stdout}
+    payload["ok"] = proc.returncode == 0
+    payload["returncode"] = proc.returncode
+    payload["stderr"] = proc.stderr[-2000:]
+    return payload
+
+
+def backup_retention_plan(*, root: Path | None = None, max_bytes: str | int | None = None) -> dict:
+    """Return a deterministic dry-run retention plan."""
+    return _run_pruner(root=root, max_bytes=max_bytes, apply=False)
+
+
+def backup_retention_apply(
+    *,
+    root: Path | None = None,
+    max_bytes: str | int | None = None,
+    delete_all_technical: bool = False,
+) -> dict:
+    """Apply backup retention with the pruner's restore-point guard enabled."""
+    return _run_pruner(
+        root=root,
+        max_bytes=max_bytes,
+        apply=True,
+        delete_all_technical=delete_all_technical,
+    )

package/src/cli.py

@@ -52,8 +52,23 @@ import sys
 import time
 from pathlib import Path
 
+try:
+    from cognitive_paths import resolve_cognitive_db
+except ModuleNotFoundError as exc:
+    if getattr(exc, "name", "") != "cognitive_paths":
+        raise
+
+    def resolve_cognitive_db(*, for_write: bool = True, **_kwargs) -> Path:
+        """Fallback for older installed runtimes before update copies cognitive_paths.py."""
+        override = os.environ.get("NEXO_COGNITIVE_DB", "").strip()
+        if override:
+            return Path(override).expanduser()
+        target = paths.runtime_dir() / "cognitive" / "cognitive.db"
+        if for_write:
+            target.parent.mkdir(parents=True, exist_ok=True)
+        return target
 from runtime_home import export_resolved_nexo_home
-from runtime_versioning import build_mcp_status, clear_restart_required_marker
+from runtime_versioning import build_mcp_status, clear_restart_required_marker, record_mcp_client_probe
 try:
     from mcp_required_tools import BOOTSTRAP_REQUIRED_MCP_TOOLS, missing_required_tools
 except ModuleNotFoundError as exc:
@@ -290,6 +305,12 @@ def _mcp_probe(args) -> int:
             "elapsed_ms": int((time.monotonic() - started_at) * 1000),
             "stderr_tail": "\n".join(stderr_lines[-12:]),
         }
+        recorded = record_mcp_client_probe(client=client, probe=payload)
+        if recorded.get("ok"):
+            payload["client_ready"] = bool(recorded.get("last_probe_ok"))
+            payload["client_action"] = recorded.get("client_action", "ready")
+            payload["reason_code"] = recorded.get("reason_code", "ready")
+            payload["runtime_generation"] = recorded.get("last_seen_generation", "")
         return _print_json_or_text(payload, as_json=bool(getattr(args, "json", False)))
     except Exception as exc:
         payload = {
@@ -302,6 +323,12 @@ def _mcp_probe(args) -> int:
             "elapsed_ms": int((time.monotonic() - started_at) * 1000),
             "stderr_tail": "\n".join(stderr_lines[-20:]),
         }
+        recorded = record_mcp_client_probe(client=client, probe=payload)
+        if recorded.get("ok"):
+            payload["client_ready"] = False
+            payload["client_action"] = recorded.get("client_action", "reprobe")
+            payload["reason_code"] = recorded.get("reason_code", "mcp_probe_failed")
+            payload["runtime_generation"] = recorded.get("last_seen_generation", "")
         return _print_json_or_text(payload, as_json=bool(getattr(args, "json", False)))
     finally:
         if proc is not None:
@@ -324,6 +351,8 @@ def _mcp_clear_restart(args) -> int:
             client=getattr(args, "client", "") or "",
             installed_version=getattr(args, "installed_version", "") or "",
             process_version=getattr(args, "process_version", "") or "",
+            installed_fingerprint=getattr(args, "installed_fingerprint", "") or "",
+            process_fingerprint=getattr(args, "process_fingerprint", "") or "",
         ),
         as_json=bool(getattr(args, "json", False)),
     )
@@ -950,6 +979,19 @@ def _automations_status(args):
     return 0
 
 
+def _automations_reconcile(args):
+    from automation_reconciler import apply_reconciliation_plan, build_reconciliation_plan
+
+    plan = build_reconciliation_plan()
+    if bool(getattr(args, "apply", False)):
+        result = apply_reconciliation_plan(plan)
+        payload = {"ok": result.get("ok", False), "plan": plan, "apply": result}
+    else:
+        payload = plan
+    print(json.dumps(payload, indent=2, ensure_ascii=False))
+    return 0 if payload.get("ok", True) else 1
+
+
 def _automations_set_instructions(args):
     from script_registry import set_automation_instructions
 
@@ -1136,7 +1178,7 @@ def _scripts_run(args):
     # Only inject DB paths for core scripts
     if is_core:
         env["NEXO_DB"] = str(paths.db_path())
-        env["NEXO_COGNITIVE_DB"] = str(paths.data_dir() / "cognitive.db")
+        env["NEXO_COGNITIVE_DB"] = str(resolve_cognitive_db(for_write=True))
 
     # Timeout
     timeout = None
@@ -3617,6 +3659,13 @@ def main():
     automations_status_p.add_argument("name", help="Automation name or path")
     automations_status_p.add_argument("--json", action="store_true", help="JSON output")
 
+    automations_reconcile_p = automations_sub.add_parser(
+        "reconcile",
+        help="Build or apply the safe automation reconciliation plan",
+    )
+    automations_reconcile_p.add_argument("--apply", action="store_true", help="Apply only safe deterministic actions")
+    automations_reconcile_p.add_argument("--json", action="store_true", help="JSON output")
+
     automations_instructions_p = automations_sub.add_parser(
         "instructions",
         help="Set or clear operator extra instructions for an automation",
@@ -3891,6 +3940,8 @@ def main():
     mcp_clear_p.add_argument("--client", default="", help="Client label such as claude_desktop or codex")
     mcp_clear_p.add_argument("--installed-version", default="")
     mcp_clear_p.add_argument("--process-version", default="")
+    mcp_clear_p.add_argument("--installed-fingerprint", default="")
+    mcp_clear_p.add_argument("--process-fingerprint", default="")
     mcp_clear_p.add_argument("--json", action="store_true", help="JSON output")
 
     continuity_parser = sub.add_parser("continuity", help="Continuity snapshots and resume bundles")
@@ -4161,6 +4212,8 @@ def main():
             return _automations_reactivate(args)
         elif args.automations_command == "status":
             return _automations_status(args)
+        elif args.automations_command == "reconcile":
+            return _automations_reconcile(args)
         elif args.automations_command == "instructions":
             return _automations_set_instructions(args)
         elif args.automations_command == "schedule":

package/src/cognitive/_core.py

@@ -13,13 +13,14 @@ from datetime import datetime, timedelta
 from pathlib import Path
 from typing import Optional
 
-import paths
+from cognitive_paths import resolve_cognitive_db
 
 NEXO_HOME = os.environ.get("NEXO_HOME", os.path.expanduser("~/.nexo"))
-_cognitive_dir = paths.cognitive_dir()
+_cognitive_db_path = resolve_cognitive_db(for_write=True)
+_cognitive_dir = _cognitive_db_path.parent
 _cognitive_dir.mkdir(parents=True, exist_ok=True)
 
-COGNITIVE_DB = str(_cognitive_dir / "cognitive.db")
+COGNITIVE_DB = str(_cognitive_db_path)
 def _configured_embedding_dim() -> int:
     try:
         from local_models import get_local_model_spec

package/src/cognitive_paths.py

@@ -0,0 +1,194 @@
+"""Canonical cognitive.db path resolution and legacy shadow-DB guard."""
+
+from __future__ import annotations
+
+import hashlib
+import json
+import os
+import shutil
+import sqlite3
+from datetime import datetime, timezone
+from pathlib import Path
+from typing import Any
+
+import paths
+
+
+class CognitiveDbPathConflict(RuntimeError):
+    """Raised when canonical and legacy cognitive DBs could both receive writes."""
+
+
+def _configured_override() -> Path | None:
+    value = os.environ.get("NEXO_COGNITIVE_DB", "").strip()
+    return Path(value).expanduser() if value else None
+
+
+def canonical_cognitive_dir() -> Path:
+    return paths.runtime_dir() / "cognitive"
+
+
+def canonical_cognitive_db_path() -> Path:
+    override = _configured_override()
+    if override is not None:
+        return override
+    return canonical_cognitive_dir() / "cognitive.db"
+
+
+def legacy_cognitive_db_paths() -> list[Path]:
+    canonical = canonical_cognitive_db_path()
+    candidates = [
+        paths.runtime_dir() / "data" / "cognitive.db",
+        paths.legacy_data_dir() / "cognitive.db",
+        paths.home() / "cognitive" / "cognitive.db",
+    ]
+    unique: list[Path] = []
+    seen: set[str] = set()
+    for candidate in candidates:
+        try:
+            key = str(candidate.resolve())
+            canonical_key = str(canonical.resolve())
+        except Exception:
+            key = str(candidate)
+            canonical_key = str(canonical)
+        if key == canonical_key or key in seen:
+            continue
+        seen.add(key)
+        unique.append(candidate)
+    return unique
+
+
+def _sha256(path: Path) -> str:
+    digest = hashlib.sha256()
+    with path.open("rb") as handle:
+        for chunk in iter(lambda: handle.read(1024 * 1024), b""):
+            digest.update(chunk)
+    return digest.hexdigest()
+
+
+def _sqlite_signature(path: Path) -> dict[str, Any]:
+    if not path.exists():
+        return {"exists": False}
+    signature: dict[str, Any] = {
+        "exists": True,
+        "path": str(path),
+        "size_bytes": path.stat().st_size,
+        "sha256": _sha256(path),
+    }
+    try:
+        conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
+        rows = conn.execute(
+            "SELECT type, name, sql FROM sqlite_master "
+            "WHERE name NOT LIKE 'sqlite_%' ORDER BY type, name"
+        ).fetchall()
+        user_version = conn.execute("PRAGMA user_version").fetchone()[0]
+        conn.close()
+        schema_blob = json.dumps(rows, sort_keys=True, default=str)
+        signature.update({
+            "sqlite_ok": True,
+            "user_version": int(user_version or 0),
+            "schema_sha256": hashlib.sha256(schema_blob.encode("utf-8")).hexdigest(),
+            "tables": [row[1] for row in rows if row[0] == "table"],
+        })
+    except Exception as exc:
+        signature.update({
+            "sqlite_ok": False,
+            "sqlite_error": str(exc)[:240],
+        })
+    return signature
+
+
+def _migration_marker_path() -> Path:
+    return paths.runtime_state_dir() / "cognitive-db-migration.json"
+
+
+def _write_migration_marker(source: Path, target: Path) -> None:
+    marker = {
+        "at": datetime.now(timezone.utc).isoformat(),
+        "source": str(source),
+        "target": str(target),
+        "source_sha256": _sha256(source) if source.exists() else "",
+        "target_sha256": _sha256(target) if target.exists() else "",
+        "legacy_retained": True,
+    }
+    marker_path = _migration_marker_path()
+    marker_path.parent.mkdir(parents=True, exist_ok=True)
+    marker_path.write_text(json.dumps(marker, indent=2, sort_keys=True) + "\n", encoding="utf-8")
+
+
+def audit_cognitive_db_paths() -> dict[str, Any]:
+    canonical = canonical_cognitive_db_path()
+    canonical_sig = _sqlite_signature(canonical)
+    legacy = [
+        {
+            "path": str(candidate),
+            "signature": _sqlite_signature(candidate),
+        }
+        for candidate in legacy_cognitive_db_paths()
+    ]
+    existing_legacy = [entry for entry in legacy if entry["signature"].get("exists")]
+    divergent = [
+        entry for entry in existing_legacy
+        if canonical_sig.get("exists")
+        and entry["signature"].get("sha256")
+        and entry["signature"].get("sha256") != canonical_sig.get("sha256")
+    ]
+    if divergent:
+        status = "error"
+        reason = "canonical_and_legacy_diverge"
+    elif not canonical_sig.get("exists") and existing_legacy:
+        status = "warning"
+        reason = "legacy_only"
+    elif existing_legacy:
+        status = "ok"
+        reason = "legacy_duplicate_retained"
+    else:
+        status = "ok"
+        reason = "canonical_only"
+    return {
+        "status": status,
+        "reason": reason,
+        "canonical": {"path": str(canonical), "signature": canonical_sig},
+        "legacy": legacy,
+        "migration_marker": str(_migration_marker_path()),
+    }
+
+
+def _first_existing_legacy() -> Path | None:
+    for candidate in legacy_cognitive_db_paths():
+        if candidate.is_file():
+            return candidate
+    return None
+
+
+def migrate_legacy_cognitive_db_if_needed() -> dict[str, Any]:
+    override = _configured_override()
+    if override is not None:
+        return {"migrated": False, "reason": "env_override", "path": str(override)}
+    canonical = canonical_cognitive_db_path()
+    if canonical.exists():
+        return {"migrated": False, "reason": "canonical_exists", "path": str(canonical)}
+    source = _first_existing_legacy()
+    if source is None:
+        return {"migrated": False, "reason": "no_legacy", "path": str(canonical)}
+    canonical.parent.mkdir(parents=True, exist_ok=True)
+    shutil.copy2(source, canonical)
+    _write_migration_marker(source, canonical)
+    return {"migrated": True, "reason": "legacy_copied", "source": str(source), "path": str(canonical)}
+
+
+def resolve_cognitive_db(*, for_write: bool = True, migrate: bool = True, create_parent: bool = True) -> Path:
+    """Return the cognitive DB path; block writes when legacy shadows diverge."""
+    target = canonical_cognitive_db_path()
+    if create_parent:
+        target.parent.mkdir(parents=True, exist_ok=True)
+    if migrate:
+        migrate_legacy_cognitive_db_if_needed()
+    audit = audit_cognitive_db_paths()
+    if for_write and audit["status"] == "error":
+        raise CognitiveDbPathConflict(
+            "Refusing to write cognitive.db while canonical and legacy databases diverge. "
+            f"Canonical: {audit['canonical']['path']}; legacy: "
+            + ", ".join(entry["path"] for entry in audit["legacy"] if entry["signature"].get("exists"))
+        )
+    return target
+

package/src/dashboard/app.py

@@ -30,6 +30,7 @@ if _PARENT not in sys.path:
     sys.path.insert(0, _PARENT)
 
 from agent_runner import AgentRunnerError, build_followup_terminal_shell_command
+from cognitive_paths import resolve_cognitive_db
 import paths
 
 TEMPLATES_DIR = Path(__file__).resolve().parent / "templates"
@@ -200,7 +201,7 @@ class ChatMessage(BaseModel):
 
 def _cognitive_db():
     """Direct connection to cognitive.db."""
-    db_path = Path(os.environ.get("NEXO_COGNITIVE_DB") or str(paths.data_dir() / "cognitive.db"))
+    db_path = resolve_cognitive_db(for_write=True)
     conn = sqlite3.connect(str(db_path))
     conn.row_factory = sqlite3.Row
     return conn