nexo-brain 7.23.5 → 7.23.7

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.23.5",
+  "version": "7.23.7",
   "description": "Local cognitive runtime for Claude Code \u2014 persistent memory, overnight learning, doctor diagnostics, personal scripts, recovery-aware jobs, startup preflight, and optional dashboard/power helper.",
   "author": {
     "name": "NEXO Brain",

package/README.md

@@ -18,9 +18,9 @@
 
 [Watch the overview video](https://nexo-brain.com/watch/) · [Watch on YouTube](https://www.youtube.com/watch?v=i2lkGhKyVqI) · [Open the infographic](https://nexo-brain.com/assets/nexo-brain-infographic-v5.png)
 
-Version `7.23.5` is the current packaged-runtime line. Patch over v7.23.4 - `nexo update` keeps external CLI maintenance summary copy in English.
+Version `7.23.6` is the current packaged-runtime line. Patch over v7.23.5 - `nexo update` clears safe legacy `cognitive.db` shadows and keeps superseded archives under runtime backup retention.
 
-Previously in `7.23.4`: patch over v7.23.3 - release tags now fail closed when npm publication fails and OpenClaw lockfile metadata stays synchronized with the release version.
+Previously in `7.23.5`: patch over v7.23.4 - `nexo update` keeps external CLI maintenance summary copy in English.
 
 Previously in `7.23.3`: patch over v7.23.2 - Followup runner skips DONE terminal statuses so already-finished followups do not re-enter executable batches.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.23.5",
+  "version": "7.23.7",
   "mcpName": "io.github.wazionapps/nexo",
   "description": "NEXO Brain — Shared brain for AI agents. Persistent memory, semantic RAG, natural forgetting, metacognitive guard, trust scoring, 150+ MCP tools. Works with Claude Code, Codex, Claude Desktop & any MCP client. 100% local, free.",
   "homepage": "https://nexo-brain.com",

package/src/auto_update.py

@@ -32,6 +32,7 @@ except ModuleNotFoundError as exc:
             sys.path.insert(0, core_path)
     from product_mode import enforce_desktop_product_contract
 from runtime_home import export_resolved_nexo_home, managed_nexo_home
+from cognitive_paths import cleanup_legacy_cognitive_db_artifacts
 
 try:
     from tree_hygiene import is_duplicate_artifact_name
@@ -4747,6 +4748,17 @@ def _run_runtime_post_sync(dest: Path = NEXO_HOME, progress_fn=None) -> tuple[bo
     except Exception as exc:
         actions.append(f"legacy-personal-brain-db-stubs-warning:{exc.__class__.__name__}")
 
+    try:
+        cognitive_cleanup = cleanup_legacy_cognitive_db_artifacts(dry_run=False)
+        removed = len(cognitive_cleanup.get("removed", []) or [])
+        archived = len(cognitive_cleanup.get("archived", []) or [])
+        if removed:
+            actions.append(f"legacy-cognitive-db-duplicates-removed:{removed}")
+        if archived:
+            actions.append(f"legacy-cognitive-db-archived:{archived}")
+    except Exception as exc:
+        actions.append(f"legacy-cognitive-db-warning:{exc.__class__.__name__}")
+
     try:
         _emit_progress(progress_fn, "Applying Desktop product contract...")
         contract = enforce_desktop_product_contract(source="runtime_post_sync")

package/src/cognitive_paths.py

@@ -7,6 +7,7 @@ import json
 import os
 import shutil
 import sqlite3
+import tarfile
 from datetime import datetime, timezone
 from pathlib import Path
 from typing import Any
@@ -68,10 +69,12 @@ def _sha256(path: Path) -> str:
 def _sqlite_signature(path: Path) -> dict[str, Any]:
     if not path.exists():
         return {"exists": False}
+    stat = path.stat()
     signature: dict[str, Any] = {
         "exists": True,
         "path": str(path),
-        "size_bytes": path.stat().st_size,
+        "size_bytes": stat.st_size,
+        "mtime_epoch": stat.st_mtime,
         "sha256": _sha256(path),
     }
     try:
@@ -101,6 +104,10 @@ def _migration_marker_path() -> Path:
     return paths.runtime_state_dir() / "cognitive-db-migration.json"
 
 
+def _cleanup_marker_path() -> Path:
+    return paths.runtime_state_dir() / "cognitive-db-cleanup.jsonl"
+
+
 def _write_migration_marker(source: Path, target: Path) -> None:
     marker = {
         "at": datetime.now(timezone.utc).isoformat(),
@@ -115,6 +122,190 @@ def _write_migration_marker(source: Path, target: Path) -> None:
     marker_path.write_text(json.dumps(marker, indent=2, sort_keys=True) + "\n", encoding="utf-8")
 
 
+def _append_cleanup_marker(event: dict[str, Any]) -> None:
+    marker_path = _cleanup_marker_path()
+    marker_path.parent.mkdir(parents=True, exist_ok=True)
+    payload = {
+        "at": datetime.now(timezone.utc).isoformat(),
+        **event,
+    }
+    with marker_path.open("a", encoding="utf-8") as handle:
+        handle.write(json.dumps(payload, sort_keys=True) + "\n")
+
+
+def _sidecar_paths(db_path: Path) -> list[Path]:
+    return [db_path, Path(f"{db_path}-wal"), Path(f"{db_path}-shm")]
+
+
+def _existing_sidecars(db_path: Path) -> list[Path]:
+    return [path for path in _sidecar_paths(db_path) if path.exists()]
+
+
+def _wal_has_uncheckpointed_data(db_path: Path) -> bool:
+    wal_path = Path(f"{db_path}-wal")
+    try:
+        return wal_path.is_file() and wal_path.stat().st_size > 0
+    except OSError:
+        return True
+
+
+def _canonical_supersedes_legacy(canonical_sig: dict[str, Any], legacy_sig: dict[str, Any]) -> bool:
+    if not canonical_sig.get("exists") or not legacy_sig.get("exists"):
+        return False
+    if not canonical_sig.get("sqlite_ok") or not legacy_sig.get("sqlite_ok"):
+        return False
+    if float(canonical_sig.get("mtime_epoch") or 0) < float(legacy_sig.get("mtime_epoch") or 0):
+        return False
+    canonical_tables = set(canonical_sig.get("tables") or [])
+    legacy_tables = set(legacy_sig.get("tables") or [])
+    if canonical_tables and legacy_tables and not legacy_tables.issubset(canonical_tables):
+        return False
+    return True
+
+
+def _remove_paths(paths_to_remove: list[Path]) -> list[str]:
+    removed: list[str] = []
+    for path in paths_to_remove:
+        try:
+            if path.exists():
+                path.unlink()
+                removed.append(str(path))
+        except FileNotFoundError:
+            continue
+    return removed
+
+
+def _archive_and_remove_legacy_db(
+    legacy_db: Path,
+    *,
+    canonical_sig: dict[str, Any],
+    legacy_sig: dict[str, Any],
+    reason: str,
+) -> dict[str, Any]:
+    files = _existing_sidecars(legacy_db)
+    backup_root = paths.create_backup_dir("legacy-cognitive-db")
+    backup_dir = Path(backup_root)
+    archive_path = backup_dir / "cognitive-legacy.tar.gz"
+    manifest_path = backup_dir / "manifest.json"
+    with tarfile.open(archive_path, "w:gz") as archive:
+        for file_path in files:
+            archive.add(file_path, arcname=file_path.name)
+    with tarfile.open(archive_path, "r:gz") as archive:
+        archived_names = sorted(archive.getnames())
+    archive_sha = _sha256(archive_path)
+    manifest = {
+        "reason": reason,
+        "source": str(legacy_db),
+        "archived_files": [str(path) for path in files],
+        "archive": str(archive_path),
+        "archive_sha256": archive_sha,
+        "archive_members": archived_names,
+        "canonical": canonical_sig,
+        "legacy": legacy_sig,
+    }
+    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True) + "\n", encoding="utf-8")
+    removed = _remove_paths(files)
+    paths.finalize_backup_snapshot(backup_dir)
+    _append_cleanup_marker({
+        "action": "archive_superseded_legacy",
+        "source": str(legacy_db),
+        "archive": str(archive_path),
+        "archive_sha256": archive_sha,
+        "removed": removed,
+        "reason": reason,
+    })
+    return {
+        "path": str(legacy_db),
+        "action": "archived",
+        "archive_path": str(archive_path),
+        "manifest_path": str(manifest_path),
+        "removed": removed,
+        "reason": reason,
+    }
+
+
+def cleanup_legacy_cognitive_db_artifacts(*, dry_run: bool = False) -> dict[str, Any]:
+    """Remove or archive safe legacy cognitive DB shadows.
+
+    Identical legacy duplicates are deleted directly. Divergent legacy DBs are
+    only archived when the canonical DB is valid, newer, and has a compatible
+    schema. Ambiguous cases are left in place so write callers still block.
+    """
+    override = _configured_override()
+    report: dict[str, Any] = {
+        "ok": True,
+        "dry_run": dry_run,
+        "removed": [],
+        "archived": [],
+        "skipped": [],
+        "errors": [],
+    }
+    if override is not None:
+        report["skipped"].append({"reason": "env_override", "path": str(override)})
+        return report
+
+    canonical = canonical_cognitive_db_path()
+    canonical_sig = _sqlite_signature(canonical)
+    if not canonical_sig.get("exists"):
+        report["skipped"].append({"reason": "canonical_missing", "path": str(canonical)})
+        return report
+    if not canonical_sig.get("sqlite_ok"):
+        report["ok"] = False
+        report["skipped"].append({"reason": "canonical_not_sqlite_ok", "path": str(canonical)})
+        return report
+
+    for legacy_db in legacy_cognitive_db_paths():
+        legacy_sig = _sqlite_signature(legacy_db)
+        if not legacy_sig.get("exists"):
+            continue
+        files = _existing_sidecars(legacy_db)
+        if _wal_has_uncheckpointed_data(legacy_db):
+            report["skipped"].append({"path": str(legacy_db), "reason": "legacy_wal_has_data"})
+            continue
+        if legacy_sig.get("sha256") == canonical_sig.get("sha256"):
+            item = {
+                "path": str(legacy_db),
+                "action": "removed-identical-duplicate",
+                "files": [str(path) for path in files],
+            }
+            if not dry_run:
+                item["removed"] = _remove_paths(files)
+                _append_cleanup_marker({
+                    "action": "remove_identical_duplicate",
+                    "source": str(legacy_db),
+                    "removed": item["removed"],
+                    "legacy_sha256": legacy_sig.get("sha256"),
+                })
+            report["removed"].append(item)
+            continue
+        if _canonical_supersedes_legacy(canonical_sig, legacy_sig):
+            if dry_run:
+                report["archived"].append({
+                    "path": str(legacy_db),
+                    "action": "would-archive-superseded-legacy",
+                    "reason": "canonical_newer_schema_compatible",
+                })
+                continue
+            try:
+                report["archived"].append(_archive_and_remove_legacy_db(
+                    legacy_db,
+                    canonical_sig=canonical_sig,
+                    legacy_sig=legacy_sig,
+                    reason="canonical_newer_schema_compatible",
+                ))
+            except Exception as exc:
+                report["ok"] = False
+                report["errors"].append({"path": str(legacy_db), "error": str(exc)})
+            continue
+        report["skipped"].append({
+            "path": str(legacy_db),
+            "reason": "divergent_requires_manual_review",
+            "canonical_mtime_epoch": canonical_sig.get("mtime_epoch"),
+            "legacy_mtime_epoch": legacy_sig.get("mtime_epoch"),
+        })
+    return report
+
+
 def audit_cognitive_db_paths() -> dict[str, Any]:
     canonical = canonical_cognitive_db_path()
     canonical_sig = _sqlite_signature(canonical)
@@ -173,7 +364,14 @@ def migrate_legacy_cognitive_db_if_needed() -> dict[str, Any]:
     canonical.parent.mkdir(parents=True, exist_ok=True)
     shutil.copy2(source, canonical)
     _write_migration_marker(source, canonical)
-    return {"migrated": True, "reason": "legacy_copied", "source": str(source), "path": str(canonical)}
+    cleanup = cleanup_legacy_cognitive_db_artifacts()
+    return {
+        "migrated": True,
+        "reason": "legacy_copied",
+        "source": str(source),
+        "path": str(canonical),
+        "cleanup": cleanup,
+    }
 
 
 def resolve_cognitive_db(*, for_write: bool = True, migrate: bool = True, create_parent: bool = True) -> Path:
@@ -183,6 +381,7 @@ def resolve_cognitive_db(*, for_write: bool = True, migrate: bool = True, create
         target.parent.mkdir(parents=True, exist_ok=True)
     if migrate:
         migrate_legacy_cognitive_db_if_needed()
+        cleanup_legacy_cognitive_db_artifacts()
     audit = audit_cognitive_db_paths()
     if for_write and audit["status"] == "error":
         raise CognitiveDbPathConflict(
@@ -191,4 +390,3 @@ def resolve_cognitive_db(*, for_write: bool = True, migrate: bool = True, create
             + ", ".join(entry["path"] for entry in audit["legacy"] if entry["signature"].get("exists"))
         )
     return target
-

package/src/dashboard/app.py

@@ -31,7 +31,9 @@ if _PARENT not in sys.path:
 
 from agent_runner import AgentRunnerError, build_followup_terminal_shell_command
 from cognitive_paths import resolve_cognitive_db
+from email_contract import email_contract_snapshot
 import paths
+from tools_credentials import public_credential_records
 
 TEMPLATES_DIR = Path(__file__).resolve().parent / "templates"
 STATIC_DIR = Path(__file__).resolve().parent / "static"
@@ -1985,8 +1987,9 @@ async def api_artifacts():
 @app.get("/api/email")
 async def api_email_stats():
     conn = _email_db()
+    contract = email_contract_snapshot()
     if not conn:
-        return {"error": "Email DB not found", "stats": {}}
+        return {"error": "Email DB not found", "stats": {}, "contract": contract}
     total = conn.execute("SELECT COUNT(*) FROM emails").fetchone()[0]
     processed = conn.execute("SELECT COUNT(*) FROM emails WHERE status='processed'").fetchone()[0]
     pending = conn.execute("SELECT COUNT(*) FROM emails WHERE status='pending'").fetchone()[0]
@@ -1998,7 +2001,17 @@ async def api_email_stats():
         "FROM emails GROUP BY thread_id ORDER BY last_email DESC LIMIT 15"
     ).fetchall()]
     conn.close()
-    return {"stats": {"total": total, "processed": processed, "pending": pending}, "recent": recent, "threads": threads}
+    return {
+        "stats": {"total": total, "processed": processed, "pending": pending},
+        "recent": recent,
+        "threads": threads,
+        "contract": contract,
+    }
+
+
+@app.get("/api/email/contract")
+async def api_email_contract():
+    return email_contract_snapshot()
 
 
 # ---------------------------------------------------------------------------
@@ -2007,16 +2020,21 @@ async def api_email_stats():
 
 @app.get("/api/credentials")
 async def api_credentials():
-    db = _db()
-    conn = db.get_db()
-    rows = conn.execute("SELECT service, key, notes, created_at, updated_at FROM credentials ORDER BY service, key").fetchall()
-    creds = [dict(r) for r in rows]
+    creds = public_credential_records()
     services = {}
     for c in creds:
-        services.setdefault(c["service"], []).append({"key": c["key"], "notes": c.get("notes", "")})
+        services.setdefault(c["service"], []).append(
+            {"key": c["key"], "notes": c.get("notes", ""), "backend": c.get("backend", "db")}
+        )
     return {"credentials": creds, "services": services, "total": len(creds)}
 
 
+@app.get("/api/change-log/retention")
+async def api_change_log_retention():
+    db = _db()
+    return db.change_log_retention_policy()
+
+
 # ---------------------------------------------------------------------------
 # Backups
 # ---------------------------------------------------------------------------

package/src/db/__init__.py

@@ -154,7 +154,8 @@ from db._entities import (
 
 # Episodic memory
 from db._episodic import (
-    cleanup_old_changes, log_change, search_changes, update_change_commit, auto_resolve_followups,
+    cleanup_old_changes, change_log_retention_days, change_log_retention_policy,
+    log_change, search_changes, update_change_commit, auto_resolve_followups,
     cleanup_old_decisions, log_decision, update_decision_outcome,
     get_memory_review_queue, find_decisions_by_context_ref, search_decisions,
     cleanup_old_diaries, write_session_diary,

package/src/db/_episodic.py

@@ -1,22 +1,45 @@
 from __future__ import annotations
 """NEXO DB — Episodic module."""
-import datetime, time, json
+import datetime, time, json, os
 from db._core import get_db, now_epoch, _multi_word_like
 from db._fts import fts_upsert, fts_search
 
 # ── Change Log ───────────────────────────────────────────────────
 
-def cleanup_old_changes(retention_days: int = 90) -> int:
+DEFAULT_CHANGE_LOG_RETENTION_DAYS = 90
+
+
+def change_log_retention_days() -> int:
+    """Return the configured change-log retention window in days."""
+    raw = os.environ.get("NEXO_CHANGE_LOG_RETENTION_DAYS", str(DEFAULT_CHANGE_LOG_RETENTION_DAYS))
+    try:
+        return max(1, int(raw))
+    except (TypeError, ValueError):
+        return DEFAULT_CHANGE_LOG_RETENTION_DAYS
+
+
+def change_log_retention_policy() -> dict:
+    """Public contract for change-log cleanup and its FTS side effects."""
+    return {
+        "retention_days": change_log_retention_days(),
+        "env": "NEXO_CHANGE_LOG_RETENTION_DAYS",
+        "default_retention_days": DEFAULT_CHANGE_LOG_RETENTION_DAYS,
+        "applies_to": ["change_log", "unified_search:source=change"],
+    }
+
+
+def cleanup_old_changes(retention_days: int | None = None) -> int:
     """Delete change_log entries older than retention_days. Returns count deleted."""
     conn = get_db()
+    days = change_log_retention_days() if retention_days is None else max(1, int(retention_days))
     # Get IDs before deleting so we can clean FTS
     ids = [str(r[0]) for r in conn.execute(
         "SELECT id FROM change_log WHERE created_at < datetime('now', ?)",
-        (f"-{retention_days} days",)
+        (f"-{days} days",)
     ).fetchall()]
     cursor = conn.execute(
         "DELETE FROM change_log WHERE created_at < datetime('now', ?)",
-        (f"-{retention_days} days",)
+        (f"-{days} days",)
     )
     for cid in ids:
         conn.execute("DELETE FROM unified_search WHERE source = 'change' AND source_id = ?", (cid,))
@@ -668,15 +691,30 @@ def read_session_diary(session_id: str = '', last_n: int = 3, last_day: bool = F
     # Excludes: cron jobs, auto-closed crons (0 heartbeats or "Minimal diary").
     if include_automated:
         source_clause = ""
+        source_params = ()
     else:
+        automated_sources = (
+            "auto-close",
+            "cron",
+            "system",
+            "automation",
+            "deep-sleep",
+            "daily-self-audit",
+            "self-audit",
+            "watchdog",
+            "followup-runner",
+            "script",
+        )
+        placeholders = ",".join("?" for _ in automated_sources)
         source_clause = (
             " AND ("
-            "  (source = 'claude' AND summary NOT LIKE '[AUTO-%')"
+            f"  (COALESCE(source, '') NOT IN ({placeholders}) AND summary NOT LIKE '[AUTO-%')"
             "  OR (source = 'auto-close'"
             "      AND mental_state NOT LIKE '%0 heartbeats%'"
             "      AND mental_state NOT LIKE '%Minimal diary%')"
             ")"
         )
+        source_params = automated_sources
 
     if session_id:
         rows = conn.execute(
@@ -688,12 +726,12 @@ def read_session_diary(session_id: str = '', last_n: int = 3, last_day: bool = F
             f"SELECT * FROM session_diary "
             f"WHERE created_at >= datetime('now', '-36 hours'){domain_clause}{source_clause} "
             f"ORDER BY {_diary_order_sql()}",
-            domain_params
+            domain_params + source_params
         ).fetchall()
     else:
         rows = conn.execute(
             f"SELECT * FROM session_diary WHERE 1=1{domain_clause}{source_clause} ORDER BY {_diary_order_sql()} LIMIT ?",
-            domain_params + (last_n,)
+            domain_params + source_params + (last_n,)
         ).fetchall()
     return [dict(r) for r in rows]
 

package/src/email_contract.py

@@ -0,0 +1,106 @@
+from __future__ import annotations
+
+"""Email runtime contract: account config is separate from monitor events."""
+
+import sqlite3
+from pathlib import Path
+
+import paths
+from db import get_db
+
+
+def _table_exists(conn, table: str) -> bool:
+    row = conn.execute(
+        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=? LIMIT 1",
+        (table,),
+    ).fetchone()
+    return row is not None
+
+
+def _count(conn, sql: str, params: tuple = ()) -> int:
+    try:
+        return int(conn.execute(sql, params).fetchone()[0])
+    except Exception:
+        return 0
+
+
+def _email_event_db_path() -> Path:
+    return paths.nexo_email_dir() / "nexo-email.db"
+
+
+def _accounts_config_snapshot() -> dict:
+    conn = get_db()
+    exists = _table_exists(conn, "email_accounts")
+    out = {
+        "store": "nexo.db",
+        "table": "email_accounts",
+        "table_exists": exists,
+        "total": 0,
+        "enabled": 0,
+        "agent_accounts": 0,
+        "operator_accounts": 0,
+        "with_credentials": 0,
+        "missing_credentials": 0,
+    }
+    if not exists:
+        return out
+
+    rows = [dict(row) for row in conn.execute("SELECT * FROM email_accounts").fetchall()]
+    out["total"] = len(rows)
+    out["enabled"] = sum(1 for row in rows if int(row.get("enabled") or 0) == 1)
+    out["agent_accounts"] = sum(1 for row in rows if (row.get("account_type") or "").lower() == "agent")
+    out["operator_accounts"] = sum(1 for row in rows if (row.get("account_type") or "").lower() == "operator")
+    out["with_credentials"] = sum(
+        1
+        for row in rows
+        if (row.get("credential_service") or "").strip() and (row.get("credential_key") or "").strip()
+    )
+    out["missing_credentials"] = out["total"] - out["with_credentials"]
+    return out
+
+
+def _event_store_snapshot(email_db_path: str | Path | None = None) -> dict:
+    path = Path(email_db_path) if email_db_path else _email_event_db_path()
+    out = {
+        "store": str(path),
+        "db_exists": path.is_file(),
+        "emails_table": False,
+        "email_events_table": False,
+        "total_emails": 0,
+        "total_events": 0,
+        "pending": 0,
+        "processed": 0,
+    }
+    if not path.is_file():
+        return out
+
+    conn = sqlite3.connect(str(path))
+    conn.row_factory = sqlite3.Row
+    try:
+        out["emails_table"] = _table_exists(conn, "emails")
+        out["email_events_table"] = _table_exists(conn, "email_events")
+        if out["emails_table"]:
+            out["total_emails"] = _count(conn, "SELECT COUNT(*) FROM emails")
+            out["pending"] = _count(conn, "SELECT COUNT(*) FROM emails WHERE status='pending'")
+            out["processed"] = _count(conn, "SELECT COUNT(*) FROM emails WHERE status='processed'")
+        if out["email_events_table"]:
+            out["total_events"] = _count(conn, "SELECT COUNT(*) FROM email_events")
+    finally:
+        conn.close()
+    return out
+
+
+def email_contract_snapshot(email_db_path: str | Path | None = None) -> dict:
+    """Return the explicit split between email account config and monitor events."""
+    accounts = _accounts_config_snapshot()
+    events = _event_store_snapshot(email_db_path)
+    return {
+        "contract": {
+            "layers": ["accounts_config", "event_store"],
+            "conflated": False,
+            "accounts_config": "nexo.db/email_accounts",
+            "event_store": "runtime/nexo-email/nexo-email.db",
+        },
+        "accounts_config": accounts,
+        "event_store": events,
+    }

package/src/scripts/prune_runtime_backups.py

@@ -92,6 +92,7 @@ TECHNICAL_PREFIXES = (
     "desktop-local-install-",
     "packaged-code-f06-conflicts-",
     "legacy-shim-conflicts-",
+    "legacy-cognitive-db-",
     "legacy-personal-brain-db-stubs-",
     "legacy-root-db-stubs-",
     "codex-live-sync-",

package/src/server.py

@@ -105,7 +105,17 @@ from plugins.episodic_memory import handle_session_diary_read, handle_session_di
 from plugins.cards import handle_card_match
 from plugins.skills import handle_skill_match
 from plugins.workflow import (
+    handle_goal_get,
+    handle_goal_list,
+    handle_goal_open,
+    handle_goal_update,
+    handle_workflow_compensation,
+    handle_workflow_get,
+    handle_workflow_handoff,
+    handle_workflow_list,
     handle_workflow_open,
+    handle_workflow_replay,
+    handle_workflow_resume,
     handle_workflow_update,
 )
 from plugin_loader import load_all_plugins, load_plugin, remove_plugin, list_plugins
@@ -816,6 +826,115 @@ def nexo_workflow_update(
     )
 
 
+@mcp.tool
+def nexo_goal_open(
+    sid: str,
+    title: str,
+    objective: str = "",
+    parent_goal_id: str = "",
+    priority: str = "normal",
+    next_action: str = "",
+    success_signal: str = "",
+    owner: str = "",
+    shared_state: str = "{}",
+) -> str:
+    """Open a durable goal so objectives survive sessions."""
+    return handle_goal_open(
+        sid,
+        title,
+        objective,
+        parent_goal_id,
+        priority,
+        next_action,
+        success_signal,
+        owner,
+        shared_state,
+    )
+
+
+@mcp.tool
+def nexo_goal_update(
+    goal_id: str,
+    status: str = "",
+    title: str = "",
+    objective: str = "",
+    parent_goal_id: str = "",
+    next_action: str = "",
+    success_signal: str = "",
+    blocker_reason: str = "",
+    owner: str = "",
+    shared_state: str = "",
+) -> str:
+    """Update a durable goal with active/blocked/completed state."""
+    return handle_goal_update(
+        goal_id,
+        status,
+        title,
+        objective,
+        parent_goal_id,
+        next_action,
+        success_signal,
+        blocker_reason,
+        owner,
+        shared_state,
+    )
+
+
+@mcp.tool
+def nexo_goal_get(goal_id: str, include_runs: bool = False) -> str:
+    """Read one durable goal and optionally include linked workflow runs."""
+    return handle_goal_get(goal_id, include_runs)
+
+
+@mcp.tool
+def nexo_goal_list(status: str = "", include_closed: bool = False, limit: int = 20) -> str:
+    """List durable goals."""
+    return handle_goal_list(status, include_closed, limit)
+
+
+@mcp.tool
+def nexo_workflow_get(run_id: str, include_steps: bool = True, checkpoint_limit: int = 8) -> str:
+    """Read the full durable workflow state."""
+    return handle_workflow_get(run_id, include_steps, checkpoint_limit)
+
+
+@mcp.tool
+def nexo_workflow_handoff(
+    run_id: str,
+    actor: str,
+    next_action: str = "",
+    handoff_note: str = "",
+    shared_state: str = "",
+    new_owner: str = "",
+) -> str:
+    """Record a durable workflow handoff."""
+    return handle_workflow_handoff(run_id, actor, next_action, handoff_note, shared_state, new_owner)
+
+
+@mcp.tool
+def nexo_workflow_compensation(run_id: str, checkpoint_limit: int = 10) -> str:
+    """Return the compensation plan for a partially completed workflow."""
+    return handle_workflow_compensation(run_id, checkpoint_limit)
+
+
+@mcp.tool
+def nexo_workflow_resume(run_id: str) -> str:
+    """Summarize the next actionable step for a workflow run."""
+    return handle_workflow_resume(run_id)
+
+
+@mcp.tool
+def nexo_workflow_replay(run_id: str, limit: int = 20) -> str:
+    """Replay recent checkpoints for a workflow run."""
+    return handle_workflow_replay(run_id, limit)
+
+
+@mcp.tool
+def nexo_workflow_list(status: str = "", include_closed: bool = False, limit: int = 20) -> str:
+    """List durable workflow runs."""
+    return handle_workflow_list(status, include_closed, limit)
+
+
 @mcp.tool
 def nexo_status(keyword: str = "") -> str:
     """List active sessions. Filter by keyword if provided."""

package/src/tools_credentials.py

@@ -18,12 +18,73 @@ before persisting. The agent should never mint a BYOK entry on its own.
 
 import json
 import os
+import re
 from pathlib import Path
 
 from db import create_credential, update_credential, delete_credential, get_credential, list_credentials, get_db
 
 
 BYOK_SERVICE = "byok"
+REDACTED_SECRET_NOTE = "[redacted: secret-like note]"
+SECRET_NOTE_PATTERNS = (
+    re.compile(r"\b(?:npm|ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{16,}\b"),
+    re.compile(r"\bgithub_pat_[A-Za-z0-9_]{20,}\b"),
+    re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
+    re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{20,}\b"),
+    re.compile(r"\b(?:api[_-]?key|secret|token|password|passwd|pwd)\s*[:=]\s*\S+", re.IGNORECASE),
+    re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{20,}\b", re.IGNORECASE),
+    re.compile(r"\b[A-Za-z0-9+/=_-]{40,}\b"),
+)
+
+
+def credential_note_has_secret(notes: str) -> bool:
+    """Detect notes that appear to contain a credential value."""
+    clean = (notes or "").strip()
+    if not clean:
+        return False
+    return any(pattern.search(clean) for pattern in SECRET_NOTE_PATTERNS)
+
+
+def redact_credential_notes(notes: str) -> str:
+    """Return notes safe for list/dashboard surfaces."""
+    clean = notes or ""
+    if credential_note_has_secret(clean):
+        return REDACTED_SECRET_NOTE
+    return clean
+
+
+def public_credential_records(service: str = "") -> list[dict]:
+    """List credential metadata from DB and BYOK without leaking values."""
+    requested = (service or "").strip()
+    records: list[dict] = []
+
+    if requested != BYOK_SERVICE:
+        for row in list_credentials(requested if requested else None):
+            records.append(
+                {
+                    "service": row.get("service", ""),
+                    "key": row.get("key", ""),
+                    "notes": redact_credential_notes(row.get("notes") or ""),
+                    "created_at": row.get("created_at", ""),
+                    "updated_at": row.get("updated_at", ""),
+                    "backend": "db",
+                }
+            )
+
+    if requested in ("", BYOK_SERVICE):
+        for row in _byok_get(""):
+            records.append(
+                {
+                    "service": row.get("service", BYOK_SERVICE),
+                    "key": row.get("key", ""),
+                    "notes": redact_credential_notes(row.get("notes") or ""),
+                    "created_at": "",
+                    "updated_at": "",
+                    "backend": "byok_local",
+                }
+            )
+
+    return records
 
 
 def _credential_exists(service: str, key: str) -> bool:
@@ -193,6 +254,11 @@ def handle_credential_create(service: str, key: str, value: str, notes: str = ''
             "connect the provider there (the UI validates the key with the "
             "provider before saving)."
         )
+    if credential_note_has_secret(notes):
+        return (
+            "ERROR: Credential notes look like they contain a secret. "
+            "Put the secret in value, and keep notes operational only."
+        )
     # ── R02 (Fase 2 Protocol Enforcer): reject exact (service, key) duplicates ──
     force_flag = str(force or "").strip().lower() in {"1", "true", "yes", "on"}
     if not force_flag and _credential_exists(service, key):
@@ -223,6 +289,11 @@ def handle_credential_update(service: str, key: str, value: str = '', notes: str
             "ERROR: BYOK credentials are not editable from the agent. "
             "Ask the user to update the connection in NEXO Desktop > Settings > Connections."
         )
+    if credential_note_has_secret(notes):
+        return (
+            "ERROR: Credential notes look like they contain a secret. "
+            "Put the secret in value, and keep notes operational only."
+        )
     result = update_credential(
         service,
         key,
@@ -264,17 +335,14 @@ def handle_credential_list(service: str = '') -> str:
     Listing without ``service`` only returns DB entries (the historical
     behaviour). Pass ``service='byok'`` to list the BYOK filesystem store.
     """
-    if service == BYOK_SERVICE:
-        results = _byok_get("")
-        label = "BYOK"
-    else:
-        results = list_credentials(service if service else None)
-        label = service if service else "ALL"
+    results = public_credential_records(service)
+    label = service if service else "ALL"
     if not results:
         return f"CREDENTIALS {label.upper()}: No entries."
     lines = [f"CREDENTIALS {label.upper()} ({len(results)}):"]
     for r in results:
         notes = r.get("notes") or ""
         suffix = f" — {notes}" if notes else ""
-        lines.append(f"  {r['service']}/{r['key']}{suffix}")
+        backend = r.get("backend") or "db"
+        lines.append(f"  {r['service']}/{r['key']} ({backend}){suffix}")
     return "\n".join(lines)