nexo-brain 7.23.6 → 7.23.8

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.23.6",
+  "version": "7.23.7",
   "description": "Local cognitive runtime for Claude Code \u2014 persistent memory, overnight learning, doctor diagnostics, personal scripts, recovery-aware jobs, startup preflight, and optional dashboard/power helper.",
   "author": {
     "name": "NEXO Brain",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.23.6",
+  "version": "7.23.8",
   "mcpName": "io.github.wazionapps/nexo",
   "description": "NEXO Brain — Shared brain for AI agents. Persistent memory, semantic RAG, natural forgetting, metacognitive guard, trust scoring, 150+ MCP tools. Works with Claude Code, Codex, Claude Desktop & any MCP client. 100% local, free.",
   "homepage": "https://nexo-brain.com",

package/src/dashboard/app.py

@@ -31,7 +31,9 @@ if _PARENT not in sys.path:
 
 from agent_runner import AgentRunnerError, build_followup_terminal_shell_command
 from cognitive_paths import resolve_cognitive_db
+from email_contract import email_contract_snapshot
 import paths
+from tools_credentials import public_credential_records
 
 TEMPLATES_DIR = Path(__file__).resolve().parent / "templates"
 STATIC_DIR = Path(__file__).resolve().parent / "static"
@@ -1985,8 +1987,9 @@ async def api_artifacts():
 @app.get("/api/email")
 async def api_email_stats():
     conn = _email_db()
+    contract = email_contract_snapshot()
     if not conn:
-        return {"error": "Email DB not found", "stats": {}}
+        return {"error": "Email DB not found", "stats": {}, "contract": contract}
     total = conn.execute("SELECT COUNT(*) FROM emails").fetchone()[0]
     processed = conn.execute("SELECT COUNT(*) FROM emails WHERE status='processed'").fetchone()[0]
     pending = conn.execute("SELECT COUNT(*) FROM emails WHERE status='pending'").fetchone()[0]
@@ -1998,7 +2001,17 @@ async def api_email_stats():
         "FROM emails GROUP BY thread_id ORDER BY last_email DESC LIMIT 15"
     ).fetchall()]
     conn.close()
-    return {"stats": {"total": total, "processed": processed, "pending": pending}, "recent": recent, "threads": threads}
+    return {
+        "stats": {"total": total, "processed": processed, "pending": pending},
+        "recent": recent,
+        "threads": threads,
+        "contract": contract,
+    }
+
+
+@app.get("/api/email/contract")
+async def api_email_contract():
+    return email_contract_snapshot()
 
 
 # ---------------------------------------------------------------------------
@@ -2007,16 +2020,21 @@ async def api_email_stats():
 
 @app.get("/api/credentials")
 async def api_credentials():
-    db = _db()
-    conn = db.get_db()
-    rows = conn.execute("SELECT service, key, notes, created_at, updated_at FROM credentials ORDER BY service, key").fetchall()
-    creds = [dict(r) for r in rows]
+    creds = public_credential_records()
     services = {}
     for c in creds:
-        services.setdefault(c["service"], []).append({"key": c["key"], "notes": c.get("notes", "")})
+        services.setdefault(c["service"], []).append(
+            {"key": c["key"], "notes": c.get("notes", ""), "backend": c.get("backend", "db")}
+        )
     return {"credentials": creds, "services": services, "total": len(creds)}
 
 
+@app.get("/api/change-log/retention")
+async def api_change_log_retention():
+    db = _db()
+    return db.change_log_retention_policy()
+
+
 # ---------------------------------------------------------------------------
 # Backups
 # ---------------------------------------------------------------------------

package/src/db/__init__.py

@@ -154,7 +154,8 @@ from db._entities import (
 
 # Episodic memory
 from db._episodic import (
-    cleanup_old_changes, log_change, search_changes, update_change_commit, auto_resolve_followups,
+    cleanup_old_changes, change_log_retention_days, change_log_retention_policy,
+    log_change, search_changes, update_change_commit, auto_resolve_followups,
     cleanup_old_decisions, log_decision, update_decision_outcome,
     get_memory_review_queue, find_decisions_by_context_ref, search_decisions,
     cleanup_old_diaries, write_session_diary,

package/src/db/_episodic.py

@@ -1,22 +1,45 @@
 from __future__ import annotations
 """NEXO DB — Episodic module."""
-import datetime, time, json
+import datetime, time, json, os
 from db._core import get_db, now_epoch, _multi_word_like
 from db._fts import fts_upsert, fts_search
 
 # ── Change Log ───────────────────────────────────────────────────
 
-def cleanup_old_changes(retention_days: int = 90) -> int:
+DEFAULT_CHANGE_LOG_RETENTION_DAYS = 90
+
+
+def change_log_retention_days() -> int:
+    """Return the configured change-log retention window in days."""
+    raw = os.environ.get("NEXO_CHANGE_LOG_RETENTION_DAYS", str(DEFAULT_CHANGE_LOG_RETENTION_DAYS))
+    try:
+        return max(1, int(raw))
+    except (TypeError, ValueError):
+        return DEFAULT_CHANGE_LOG_RETENTION_DAYS
+
+
+def change_log_retention_policy() -> dict:
+    """Public contract for change-log cleanup and its FTS side effects."""
+    return {
+        "retention_days": change_log_retention_days(),
+        "env": "NEXO_CHANGE_LOG_RETENTION_DAYS",
+        "default_retention_days": DEFAULT_CHANGE_LOG_RETENTION_DAYS,
+        "applies_to": ["change_log", "unified_search:source=change"],
+    }
+
+
+def cleanup_old_changes(retention_days: int | None = None) -> int:
     """Delete change_log entries older than retention_days. Returns count deleted."""
     conn = get_db()
+    days = change_log_retention_days() if retention_days is None else max(1, int(retention_days))
     # Get IDs before deleting so we can clean FTS
     ids = [str(r[0]) for r in conn.execute(
         "SELECT id FROM change_log WHERE created_at < datetime('now', ?)",
-        (f"-{retention_days} days",)
+        (f"-{days} days",)
     ).fetchall()]
     cursor = conn.execute(
         "DELETE FROM change_log WHERE created_at < datetime('now', ?)",
-        (f"-{retention_days} days",)
+        (f"-{days} days",)
     )
     for cid in ids:
         conn.execute("DELETE FROM unified_search WHERE source = 'change' AND source_id = ?", (cid,))
@@ -668,15 +691,30 @@ def read_session_diary(session_id: str = '', last_n: int = 3, last_day: bool = F
     # Excludes: cron jobs, auto-closed crons (0 heartbeats or "Minimal diary").
     if include_automated:
         source_clause = ""
+        source_params = ()
     else:
+        automated_sources = (
+            "auto-close",
+            "cron",
+            "system",
+            "automation",
+            "deep-sleep",
+            "daily-self-audit",
+            "self-audit",
+            "watchdog",
+            "followup-runner",
+            "script",
+        )
+        placeholders = ",".join("?" for _ in automated_sources)
         source_clause = (
             " AND ("
-            "  (source = 'claude' AND summary NOT LIKE '[AUTO-%')"
+            f"  (COALESCE(source, '') NOT IN ({placeholders}) AND summary NOT LIKE '[AUTO-%')"
             "  OR (source = 'auto-close'"
             "      AND mental_state NOT LIKE '%0 heartbeats%'"
             "      AND mental_state NOT LIKE '%Minimal diary%')"
             ")"
         )
+        source_params = automated_sources
 
     if session_id:
         rows = conn.execute(
@@ -688,12 +726,12 @@ def read_session_diary(session_id: str = '', last_n: int = 3, last_day: bool = F
             f"SELECT * FROM session_diary "
             f"WHERE created_at >= datetime('now', '-36 hours'){domain_clause}{source_clause} "
             f"ORDER BY {_diary_order_sql()}",
-            domain_params
+            domain_params + source_params
         ).fetchall()
     else:
         rows = conn.execute(
             f"SELECT * FROM session_diary WHERE 1=1{domain_clause}{source_clause} ORDER BY {_diary_order_sql()} LIMIT ?",
-            domain_params + (last_n,)
+            domain_params + source_params + (last_n,)
         ).fetchall()
     return [dict(r) for r in rows]
 

package/src/email_contract.py

@@ -0,0 +1,106 @@
+from __future__ import annotations
+
+"""Email runtime contract: account config is separate from monitor events."""
+
+import sqlite3
+from pathlib import Path
+
+import paths
+from db import get_db
+
+
+def _table_exists(conn, table: str) -> bool:
+    row = conn.execute(
+        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=? LIMIT 1",
+        (table,),
+    ).fetchone()
+    return row is not None
+
+
+def _count(conn, sql: str, params: tuple = ()) -> int:
+    try:
+        return int(conn.execute(sql, params).fetchone()[0])
+    except Exception:
+        return 0
+
+
+def _email_event_db_path() -> Path:
+    return paths.nexo_email_dir() / "nexo-email.db"
+
+
+def _accounts_config_snapshot() -> dict:
+    conn = get_db()
+    exists = _table_exists(conn, "email_accounts")
+    out = {
+        "store": "nexo.db",
+        "table": "email_accounts",
+        "table_exists": exists,
+        "total": 0,
+        "enabled": 0,
+        "agent_accounts": 0,
+        "operator_accounts": 0,
+        "with_credentials": 0,
+        "missing_credentials": 0,
+    }
+    if not exists:
+        return out
+
+    rows = [dict(row) for row in conn.execute("SELECT * FROM email_accounts").fetchall()]
+    out["total"] = len(rows)
+    out["enabled"] = sum(1 for row in rows if int(row.get("enabled") or 0) == 1)
+    out["agent_accounts"] = sum(1 for row in rows if (row.get("account_type") or "").lower() == "agent")
+    out["operator_accounts"] = sum(1 for row in rows if (row.get("account_type") or "").lower() == "operator")
+    out["with_credentials"] = sum(
+        1
+        for row in rows
+        if (row.get("credential_service") or "").strip() and (row.get("credential_key") or "").strip()
+    )
+    out["missing_credentials"] = out["total"] - out["with_credentials"]
+    return out
+
+
+def _event_store_snapshot(email_db_path: str | Path | None = None) -> dict:
+    path = Path(email_db_path) if email_db_path else _email_event_db_path()
+    out = {
+        "store": str(path),
+        "db_exists": path.is_file(),
+        "emails_table": False,
+        "email_events_table": False,
+        "total_emails": 0,
+        "total_events": 0,
+        "pending": 0,
+        "processed": 0,
+    }
+    if not path.is_file():
+        return out
+
+    conn = sqlite3.connect(str(path))
+    conn.row_factory = sqlite3.Row
+    try:
+        out["emails_table"] = _table_exists(conn, "emails")
+        out["email_events_table"] = _table_exists(conn, "email_events")
+        if out["emails_table"]:
+            out["total_emails"] = _count(conn, "SELECT COUNT(*) FROM emails")
+            out["pending"] = _count(conn, "SELECT COUNT(*) FROM emails WHERE status='pending'")
+            out["processed"] = _count(conn, "SELECT COUNT(*) FROM emails WHERE status='processed'")
+        if out["email_events_table"]:
+            out["total_events"] = _count(conn, "SELECT COUNT(*) FROM email_events")
+    finally:
+        conn.close()
+    return out
+
+
+def email_contract_snapshot(email_db_path: str | Path | None = None) -> dict:
+    """Return the explicit split between email account config and monitor events."""
+    accounts = _accounts_config_snapshot()
+    events = _event_store_snapshot(email_db_path)
+    return {
+        "contract": {
+            "layers": ["accounts_config", "event_store"],
+            "conflated": False,
+            "accounts_config": "nexo.db/email_accounts",
+            "event_store": "runtime/nexo-email/nexo-email.db",
+        },
+        "accounts_config": accounts,
+        "event_store": events,
+    }

package/src/runtime_versioning.py

@@ -832,12 +832,15 @@ def resolve_restart_required(
     reason = ""
     client_action = ""
     marker_clients = dict(marker.get("clients") or {})
+    client_acknowledged = False
     fingerprint_usable = bool(installed_fp) and bool(process_fp) and process_fp != "unknown"
 
     if marker.get("required"):
-        restart_required = True
-        reason = "marker_required"
         client_action = str(marker_clients.get(client) or "")
+        client_acknowledged = bool(client and client_action == "ok")
+        if not client_acknowledged:
+            restart_required = True
+            reason = "marker_required"
     if marker.get("corrupt"):
         restart_required = True
         reason = "marker_corrupt"
@@ -847,7 +850,12 @@ def resolve_restart_required(
         # fingerprint change and therefore never reach this branch.
         restart_required = True
         reason = reason or "fingerprint_mismatch"
-    elif marker.get("required") and marker_fp and (not process_fp or process_fp == "unknown"):
+    elif (
+        marker.get("required")
+        and not client_acknowledged
+        and marker_fp
+        and (not process_fp or process_fp == "unknown")
+    ):
         restart_required = True
         reason = reason or "process_fingerprint_missing"
     elif not fingerprint_usable and installed and process and installed != process:
@@ -856,7 +864,7 @@ def resolve_restart_required(
         # mismatch check so we never leave a stale process running unnoticed.
         restart_required = True
         reason = reason or "version_mismatch"
-    elif client and client_action == "ok":
+    elif client_acknowledged:
         restart_required = False
         reason = ""
 

package/src/server.py

@@ -105,7 +105,17 @@ from plugins.episodic_memory import handle_session_diary_read, handle_session_di
 from plugins.cards import handle_card_match
 from plugins.skills import handle_skill_match
 from plugins.workflow import (
+    handle_goal_get,
+    handle_goal_list,
+    handle_goal_open,
+    handle_goal_update,
+    handle_workflow_compensation,
+    handle_workflow_get,
+    handle_workflow_handoff,
+    handle_workflow_list,
     handle_workflow_open,
+    handle_workflow_replay,
+    handle_workflow_resume,
     handle_workflow_update,
 )
 from plugin_loader import load_all_plugins, load_plugin, remove_plugin, list_plugins
@@ -816,6 +826,115 @@ def nexo_workflow_update(
     )
 
 
+@mcp.tool
+def nexo_goal_open(
+    sid: str,
+    title: str,
+    objective: str = "",
+    parent_goal_id: str = "",
+    priority: str = "normal",
+    next_action: str = "",
+    success_signal: str = "",
+    owner: str = "",
+    shared_state: str = "{}",
+) -> str:
+    """Open a durable goal so objectives survive sessions."""
+    return handle_goal_open(
+        sid,
+        title,
+        objective,
+        parent_goal_id,
+        priority,
+        next_action,
+        success_signal,
+        owner,
+        shared_state,
+    )
+
+
+@mcp.tool
+def nexo_goal_update(
+    goal_id: str,
+    status: str = "",
+    title: str = "",
+    objective: str = "",
+    parent_goal_id: str = "",
+    next_action: str = "",
+    success_signal: str = "",
+    blocker_reason: str = "",
+    owner: str = "",
+    shared_state: str = "",
+) -> str:
+    """Update a durable goal with active/blocked/completed state."""
+    return handle_goal_update(
+        goal_id,
+        status,
+        title,
+        objective,
+        parent_goal_id,
+        next_action,
+        success_signal,
+        blocker_reason,
+        owner,
+        shared_state,
+    )
+
+
+@mcp.tool
+def nexo_goal_get(goal_id: str, include_runs: bool = False) -> str:
+    """Read one durable goal and optionally include linked workflow runs."""
+    return handle_goal_get(goal_id, include_runs)
+
+
+@mcp.tool
+def nexo_goal_list(status: str = "", include_closed: bool = False, limit: int = 20) -> str:
+    """List durable goals."""
+    return handle_goal_list(status, include_closed, limit)
+
+
+@mcp.tool
+def nexo_workflow_get(run_id: str, include_steps: bool = True, checkpoint_limit: int = 8) -> str:
+    """Read the full durable workflow state."""
+    return handle_workflow_get(run_id, include_steps, checkpoint_limit)
+
+
+@mcp.tool
+def nexo_workflow_handoff(
+    run_id: str,
+    actor: str,
+    next_action: str = "",
+    handoff_note: str = "",
+    shared_state: str = "",
+    new_owner: str = "",
+) -> str:
+    """Record a durable workflow handoff."""
+    return handle_workflow_handoff(run_id, actor, next_action, handoff_note, shared_state, new_owner)
+
+
+@mcp.tool
+def nexo_workflow_compensation(run_id: str, checkpoint_limit: int = 10) -> str:
+    """Return the compensation plan for a partially completed workflow."""
+    return handle_workflow_compensation(run_id, checkpoint_limit)
+
+
+@mcp.tool
+def nexo_workflow_resume(run_id: str) -> str:
+    """Summarize the next actionable step for a workflow run."""
+    return handle_workflow_resume(run_id)
+
+
+@mcp.tool
+def nexo_workflow_replay(run_id: str, limit: int = 20) -> str:
+    """Replay recent checkpoints for a workflow run."""
+    return handle_workflow_replay(run_id, limit)
+
+
+@mcp.tool
+def nexo_workflow_list(status: str = "", include_closed: bool = False, limit: int = 20) -> str:
+    """List durable workflow runs."""
+    return handle_workflow_list(status, include_closed, limit)
+
+
 @mcp.tool
 def nexo_status(keyword: str = "") -> str:
     """List active sessions. Filter by keyword if provided."""

package/src/tools_credentials.py

@@ -18,12 +18,73 @@ before persisting. The agent should never mint a BYOK entry on its own.
 
 import json
 import os
+import re
 from pathlib import Path
 
 from db import create_credential, update_credential, delete_credential, get_credential, list_credentials, get_db
 
 
 BYOK_SERVICE = "byok"
+REDACTED_SECRET_NOTE = "[redacted: secret-like note]"
+SECRET_NOTE_PATTERNS = (
+    re.compile(r"\b(?:npm|ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{16,}\b"),
+    re.compile(r"\bgithub_pat_[A-Za-z0-9_]{20,}\b"),
+    re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
+    re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{20,}\b"),
+    re.compile(r"\b(?:api[_-]?key|secret|token|password|passwd|pwd)\s*[:=]\s*\S+", re.IGNORECASE),
+    re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{20,}\b", re.IGNORECASE),
+    re.compile(r"\b[A-Za-z0-9+/=_-]{40,}\b"),
+)
+
+
+def credential_note_has_secret(notes: str) -> bool:
+    """Detect notes that appear to contain a credential value."""
+    clean = (notes or "").strip()
+    if not clean:
+        return False
+    return any(pattern.search(clean) for pattern in SECRET_NOTE_PATTERNS)
+
+
+def redact_credential_notes(notes: str) -> str:
+    """Return notes safe for list/dashboard surfaces."""
+    clean = notes or ""
+    if credential_note_has_secret(clean):
+        return REDACTED_SECRET_NOTE
+    return clean
+
+
+def public_credential_records(service: str = "") -> list[dict]:
+    """List credential metadata from DB and BYOK without leaking values."""
+    requested = (service or "").strip()
+    records: list[dict] = []
+
+    if requested != BYOK_SERVICE:
+        for row in list_credentials(requested if requested else None):
+            records.append(
+                {
+                    "service": row.get("service", ""),
+                    "key": row.get("key", ""),
+                    "notes": redact_credential_notes(row.get("notes") or ""),
+                    "created_at": row.get("created_at", ""),
+                    "updated_at": row.get("updated_at", ""),
+                    "backend": "db",
+                }
+            )
+
+    if requested in ("", BYOK_SERVICE):
+        for row in _byok_get(""):
+            records.append(
+                {
+                    "service": row.get("service", BYOK_SERVICE),
+                    "key": row.get("key", ""),
+                    "notes": redact_credential_notes(row.get("notes") or ""),
+                    "created_at": "",
+                    "updated_at": "",
+                    "backend": "byok_local",
+                }
+            )
+
+    return records
 
 
 def _credential_exists(service: str, key: str) -> bool:
@@ -193,6 +254,11 @@ def handle_credential_create(service: str, key: str, value: str, notes: str = ''
             "connect the provider there (the UI validates the key with the "
             "provider before saving)."
         )
+    if credential_note_has_secret(notes):
+        return (
+            "ERROR: Credential notes look like they contain a secret. "
+            "Put the secret in value, and keep notes operational only."
+        )
     # ── R02 (Fase 2 Protocol Enforcer): reject exact (service, key) duplicates ──
     force_flag = str(force or "").strip().lower() in {"1", "true", "yes", "on"}
     if not force_flag and _credential_exists(service, key):
@@ -223,6 +289,11 @@ def handle_credential_update(service: str, key: str, value: str = '', notes: str
             "ERROR: BYOK credentials are not editable from the agent. "
             "Ask the user to update the connection in NEXO Desktop > Settings > Connections."
         )
+    if credential_note_has_secret(notes):
+        return (
+            "ERROR: Credential notes look like they contain a secret. "
+            "Put the secret in value, and keep notes operational only."
+        )
     result = update_credential(
         service,
         key,
@@ -264,17 +335,14 @@ def handle_credential_list(service: str = '') -> str:
     Listing without ``service`` only returns DB entries (the historical
     behaviour). Pass ``service='byok'`` to list the BYOK filesystem store.
     """
-    if service == BYOK_SERVICE:
-        results = _byok_get("")
-        label = "BYOK"
-    else:
-        results = list_credentials(service if service else None)
-        label = service if service else "ALL"
+    results = public_credential_records(service)
+    label = service if service else "ALL"
     if not results:
         return f"CREDENTIALS {label.upper()}: No entries."
     lines = [f"CREDENTIALS {label.upper()} ({len(results)}):"]
     for r in results:
         notes = r.get("notes") or ""
         suffix = f" — {notes}" if notes else ""
-        lines.append(f"  {r['service']}/{r['key']}{suffix}")
+        backend = r.get("backend") or "db"
+        lines.append(f"  {r['service']}/{r['key']} ({backend}){suffix}")
     return "\n".join(lines)