nexo-brain 7.9.18 → 7.9.20

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.9.18",
+  "version": "7.9.20",
   "description": "Local cognitive runtime for Claude Code \u2014 persistent memory, overnight learning, doctor diagnostics, personal scripts, recovery-aware jobs, startup preflight, and optional dashboard/power helper.",
   "author": {
     "name": "NEXO Brain",

package/README.md

@@ -18,7 +18,11 @@
 
 [Watch the overview video](https://nexo-brain.com/watch/) · [Watch on YouTube](https://www.youtube.com/watch?v=i2lkGhKyVqI) · [Open the infographic](https://nexo-brain.com/assets/nexo-brain-infographic-v5.png)
 
-Version `7.9.18` is the current packaged-runtime line. Patch release over `7.9.17`: packaged client-sync imports now work when `NEXO_HOME` is unset, so `nexo clients sync`, `nexo update`, and runtime doctor bootstrap checks no longer hit the `_user_home` import-order crash. It includes the v7.9.17 Bandit gate fix and the v7.9.16 restart-marker deadlock fix.
+Version `7.9.20` is the current packaged-runtime line. Patch release over `7.9.19`: packaged update/doctor repair now finds `runtime/crons/sync.py`, LaunchAgent PATH includes the managed Claude runtime installed under `~/.nexo/runtime/bootstrap/npm-global/bin`, root runtime backfill includes `claude_cli.py`, and Immune no longer treats the legacy optional `~/.claude-mem/claude-mem.db` as a required database.
+
+Previously in `7.9.19`: runtime doctor now distinguishes real install breakage from tracked in-progress work, interactive Desktop sessions no longer poison automation telemetry scoring, stale filesystem skill rows are pruned during sync, stale protocol debt draining marks rows resolved, and watchdog treats LaunchAgent SIGTERM reloads as supervisor interruptions instead of failures.
+
+Previously in `7.9.18`: packaged client-sync imports now work when `NEXO_HOME` is unset, so `nexo clients sync`, `nexo update`, and runtime doctor bootstrap checks no longer hit the `_user_home` import-order crash.
 
 Previously in `7.9.17`: continuity snapshot idempotency marks its SHA-1 digest as non-security usage, keeping the high-severity Bandit gate green while preserving stable idempotency keys.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "7.9.18",
+  "version": "7.9.20",
   "mcpName": "io.github.wazionapps/nexo",
   "description": "NEXO Brain — Shared brain for AI agents. Persistent memory, semantic RAG, natural forgetting, metacognitive guard, trust scoring, 150+ MCP tools. Works with Claude Code, Codex, Claude Desktop & any MCP client. 100% local, free.",
   "homepage": "https://nexo-brain.com",

package/src/auto_update.py

@@ -3816,7 +3816,7 @@ def _auto_update_check_locked() -> dict:
 
     # Backfill runtime CLI modules for existing installs
     try:
-        for fname in ("cli.py", "script_registry.py", "skills_runtime.py", "cron_recovery.py", "client_preferences.py", "agent_runner.py", "bootstrap_docs.py"):
+        for fname in ("cli.py", "script_registry.py", "skills_runtime.py", "cron_recovery.py", "client_preferences.py", "claude_cli.py", "agent_runner.py", "bootstrap_docs.py"):
             src_file = SRC_DIR / fname
             dest_file = NEXO_HOME / fname
             if src_file.is_file() and (not dest_file.exists() or src_file.stat().st_mtime > dest_file.stat().st_mtime):

package/src/crons/sync.py

@@ -39,8 +39,15 @@ except ImportError:
     def resolve_launchagent_path() -> str:
         """Fallback when runtime_power is not importable."""
         home = Path.home()
-        parts = ["/opt/homebrew/bin", "/usr/local/bin", "/usr/bin", "/bin",
-                 str(home / ".local/bin"), str(home / ".nexo/bin")]
+        parts = [
+            str(home / ".nexo/runtime/bootstrap/npm-global/bin"),
+            "/opt/homebrew/bin",
+            "/usr/local/bin",
+            "/usr/bin",
+            "/bin",
+            str(home / ".local/bin"),
+            str(home / ".nexo/bin"),
+        ]
         nvm_dir = home / ".nvm/versions/node"
         if nvm_dir.is_dir():
             versions = sorted(nvm_dir.iterdir(), key=lambda p: p.stat().st_mtime, reverse=True)

package/src/db/_skills.py

@@ -90,8 +90,16 @@ def _normalize_level(value: str | None) -> str:
 
 def _normalize_mode(value: str | None, *, has_script: bool = False, has_content: bool = False) -> str:
     mode = (value or "").strip().lower()
-    if mode in VALID_MODES:
+    if mode == "guide":
         return mode
+    if mode == "execute":
+        return "execute" if has_script else "guide"
+    if mode == "hybrid":
+        if has_script and has_content:
+            return "hybrid"
+        if has_script:
+            return "execute"
+        return "guide"
     if has_script and has_content:
         return "hybrid"
     if has_script:
@@ -161,6 +169,14 @@ def _sync_dirs() -> list[tuple[str, Path]]:
     ]
 
 
+def _is_relative_to(path: Path, parent: Path) -> bool:
+    try:
+        path.resolve(strict=False).relative_to(parent.resolve(strict=False))
+        return True
+    except (OSError, ValueError):
+        return False
+
+
 def _ensure_skill_dirs():
     PERSONAL_SKILLS_DIR.mkdir(parents=True, exist_ok=True)
     RUNTIME_SKILLS_DIR.mkdir(parents=True, exist_ok=True)
@@ -1379,7 +1395,50 @@ def sync_skill_directories() -> dict:
     for skill in discovered.values():
         synced.append(_upsert_filesystem_skill(skill)["id"])
 
-    return {"synced": len(synced), "ids": sorted(synced), "issues": issues}
+    pruned: list[str] = []
+    discovered_ids = set(discovered)
+    conn = get_db()
+    rows = conn.execute(
+        """SELECT id, source_kind, definition_path, file_path
+           FROM skills
+           WHERE source_kind IN ('core', 'community', 'personal')
+             AND definition_path != ''"""
+    ).fetchall()
+    sync_roots = [root.resolve(strict=False) for _source_kind, root in _sync_dirs()]
+    sync_roots.extend(
+        path.resolve(strict=False)
+        for path in (
+            NEXO_HOME / "core" / "skills",
+            NEXO_HOME / "skills-core",
+            NEXO_HOME / "personal" / "skills",
+            NEXO_HOME / "skills",
+            NEXO_HOME / "community" / "skills",
+        )
+    )
+    for row in rows:
+        skill_id = str(row["id"] or "")
+        if not skill_id or skill_id in discovered_ids:
+            continue
+        definition_path = Path(str(row["definition_path"] or "")).expanduser()
+        try:
+            definition_resolved = definition_path.resolve(strict=False)
+        except OSError:
+            definition_resolved = definition_path
+        if not any(_is_relative_to(definition_resolved, root) for root in sync_roots):
+            continue
+        if definition_path.is_file():
+            continue
+        runtime_file = Path(str(row["file_path"] or "")).expanduser()
+        conn.execute("DELETE FROM skill_usage WHERE skill_id = ?", (skill_id,))
+        conn.execute("DELETE FROM skills WHERE id = ?", (skill_id,))
+        conn.execute("DELETE FROM unified_search WHERE source = 'skill' AND source_id = ?", (skill_id,))
+        if runtime_file.is_file() and _is_relative_to(runtime_file, RUNTIME_SKILLS_DIR):
+            runtime_file.unlink(missing_ok=True)
+        pruned.append(skill_id)
+    if pruned:
+        conn.commit()
+
+    return {"synced": len(synced), "ids": sorted(synced), "pruned": sorted(pruned), "issues": issues}
 
 
 def import_skill_from_directory(path: str, source_kind: str = "personal") -> dict:

package/src/doctor/providers/runtime.py

@@ -1131,17 +1131,20 @@ def _repair_special_launchagent_plists(items: list[tuple[str, Path]]) -> tuple[b
 
 
 def _sync_launchagents_from_manifest() -> tuple[bool, list[str]]:
-    sync_path = NEXO_CODE / "crons" / "sync.py"
+    sync_path = paths.crons_dir() / "sync.py"
+    if not sync_path.is_file():
+        sync_path = NEXO_CODE / "crons" / "sync.py"
     if not sync_path.is_file():
         return False, [f"cron sync script not found at {sync_path}"]
 
     try:
+        runtime_code = paths.core_dir()
         result = subprocess.run(
             [sys.executable, str(sync_path)],
             capture_output=True,
             text=True,
             timeout=30,
-            env={**os.environ, "NEXO_HOME": str(NEXO_HOME), "NEXO_CODE": str(NEXO_CODE)},
+            env={**os.environ, "NEXO_HOME": str(NEXO_HOME), "NEXO_CODE": str(runtime_code)},
         )
     except Exception as e:
         return False, [f"cron sync failed: {e}"]
@@ -2122,14 +2125,10 @@ def check_codex_session_parity() -> DoctorCheck:
             "Run `nexo update` or `nexo clients sync` so every Codex session inherits the managed bootstrap, not just a subset"
         )
     if missing_startup:
-        status = "degraded"
-        severity = "warn"
         repair_plan.append(
             "Use `nexo chat` or keep the global Codex bootstrap intact so every Codex session actually calls `nexo_startup`"
         )
     if missing_heartbeat:
-        status = "degraded"
-        severity = "warn"
         repair_plan.append("Keep `nexo_heartbeat` on every user turn so restored/plain Codex sessions do not drift off-protocol")
     if missing_bootstrap or missing_startup or missing_heartbeat:
         evidence.append(
@@ -2247,16 +2246,15 @@ def check_codex_conditioned_file_discipline() -> DoctorCheck:
         and audit["delete_without_protocol"] == 0
         and audit["delete_without_guard_ack"] == 0
     )
-    tracked_write_without_open_debt = (
+    tracked_mutation_without_open_debt = (
         no_open_conditioned_debt
         and audit["write_without_protocol"] > 0
         and audit["write_without_guard_ack"] == 0
-        and audit["delete_without_protocol"] == 0
         and audit["delete_without_guard_ack"] == 0
     )
 
     if audit["write_without_protocol"] or audit["write_without_guard_ack"]:
-        if tracked_write_without_open_debt:
+        if tracked_mutation_without_open_debt:
             status = "healthy"
             severity = "info"
         else:
@@ -2280,8 +2278,8 @@ def check_codex_conditioned_file_discipline() -> DoctorCheck:
         summary=(
             "Historical Codex conditioned-file drift has no open protocol debt"
             if historical_read_only
-            else "Tracked Codex conditioned-file drift has no open protocol debt"
-            if tracked_write_without_open_debt
+            else "Tracked Codex conditioned-file mutation drift has no open protocol debt"
+            if tracked_mutation_without_open_debt
             else "Recent Codex sessions respect conditioned-file discipline"
             if status == "healthy"
             else "Recent Codex sessions are bypassing conditioned-file discipline"
@@ -2524,6 +2522,7 @@ def check_protocol_compliance() -> DoctorCheck:
                                 continue
                             live_guard_task_ids.add(str(row["task_id"] or ""))
                     live_guard_debt = 0
+                    open_task_debt = 0
                     if {"task_id", "session_id"}.issubset(protocol_debt_cols):
                         task_status_expr = "'' AS task_status"
                         if "status" in protocol_task_cols:
@@ -2549,12 +2548,13 @@ def check_protocol_compliance() -> DoctorCheck:
                             session_id = str(row["session_id"] or "")
                             task_id = str(row["task_id"] or "")
                             task_status = str(row["task_status"] or "")
-                            if (
-                                debt_type == "unacknowledged_guard_blocking"
-                                and task_status == "open"
-                                and session_id in active_session_ids
-                            ):
-                                live_guard_task_ids.add(task_id or f"debt:{session_id}:{row['created_at']}")
+                            if task_status == "open":
+                                open_task_debt += 1
+                                if (
+                                    debt_type == "unacknowledged_guard_blocking"
+                                    and session_id in active_session_ids
+                                ):
+                                    live_guard_task_ids.add(task_id or f"debt:{session_id}:{row['created_at']}")
                                 continue
                             debt_counter[(severity, debt_type)] = debt_counter.get((severity, debt_type), 0) + 1
                         live_guard_debt = len(live_guard_task_ids)
@@ -2662,6 +2662,8 @@ def check_protocol_compliance() -> DoctorCheck:
                             evidence.append("high-stakes decision-eval rollout not yet seeded in the live window")
                     for row in debt_rows[:5]:
                         evidence.append(f"open {row['severity']} debt — {row['debt_type']}: {row['total']}")
+                    if open_task_debt:
+                        evidence.append(f"in-progress task protocol debt pending: {open_task_debt}")
                     if live_guard_debt:
                         evidence.append(f"live in-progress guard acknowledgements pending: {live_guard_debt}")
 
@@ -3131,15 +3133,20 @@ def check_automation_telemetry(days: int = 7) -> DoctorCheck:
                 "created_at",
             }.issubset(columns)
             if schema_has_status:
+                interactive_expr = "0"
+                if "session_type" in columns:
+                    interactive_expr = "COALESCE(session_type, '') LIKE 'interactive%'"
                 row = conn.execute(
-                    """
+                    f"""
                     SELECT
                         COUNT(*) AS runs,
                         SUM(CASE WHEN status = 'ok' THEN 1 ELSE 0 END) AS successful_runs,
                         SUM(CASE WHEN status != 'ok' THEN 1 ELSE 0 END) AS failed_runs,
-                        SUM(CASE WHEN status = 'ok' AND (input_tokens + cached_input_tokens + output_tokens) > 0 THEN 1 ELSE 0 END) AS usage_runs,
-                        SUM(CASE WHEN status = 'ok' AND total_cost_usd IS NOT NULL THEN 1 ELSE 0 END) AS cost_runs,
-                        SUM(CASE WHEN status = 'ok' AND cost_source = 'pricing_unavailable' THEN 1 ELSE 0 END) AS pricing_gaps,
+                        SUM(CASE WHEN status = 'ok' AND NOT ({interactive_expr}) THEN 1 ELSE 0 END) AS scored_successful_runs,
+                        SUM(CASE WHEN status = 'ok' AND NOT ({interactive_expr}) AND (input_tokens + cached_input_tokens + output_tokens) > 0 THEN 1 ELSE 0 END) AS usage_runs,
+                        SUM(CASE WHEN status = 'ok' AND NOT ({interactive_expr}) AND total_cost_usd IS NOT NULL THEN 1 ELSE 0 END) AS cost_runs,
+                        SUM(CASE WHEN status = 'ok' AND NOT ({interactive_expr}) AND cost_source = 'pricing_unavailable' THEN 1 ELSE 0 END) AS pricing_gaps,
+                        SUM(CASE WHEN status = 'ok' AND ({interactive_expr}) AND ((input_tokens + cached_input_tokens + output_tokens) = 0 OR total_cost_usd IS NULL) THEN 1 ELSE 0 END) AS interactive_unmetered_runs,
                         GROUP_CONCAT(DISTINCT backend) AS backends
                     FROM automation_runs
                     WHERE created_at >= datetime('now', ?)
@@ -3153,9 +3160,11 @@ def check_automation_telemetry(days: int = 7) -> DoctorCheck:
                         COUNT(*) AS runs,
                         COUNT(*) AS successful_runs,
                         0 AS failed_runs,
+                        COUNT(*) AS scored_successful_runs,
                         SUM(CASE WHEN (input_tokens + cached_input_tokens + output_tokens) > 0 THEN 1 ELSE 0 END) AS usage_runs,
                         SUM(CASE WHEN total_cost_usd IS NOT NULL THEN 1 ELSE 0 END) AS cost_runs,
                         SUM(CASE WHEN cost_source = 'pricing_unavailable' THEN 1 ELSE 0 END) AS pricing_gaps,
+                        0 AS interactive_unmetered_runs,
                         GROUP_CONCAT(DISTINCT backend) AS backends
                     FROM automation_runs
                     WHERE created_at >= datetime('now', ?)
@@ -3191,11 +3200,13 @@ def check_automation_telemetry(days: int = 7) -> DoctorCheck:
 
     successful_runs = int((row["successful_runs"] if row else 0) or 0)
     failed_runs = int((row["failed_runs"] if row else 0) or 0)
+    scored_successful_runs = int((row["scored_successful_runs"] if row and "scored_successful_runs" in row.keys() else successful_runs) or 0)
     usage_runs = int((row["usage_runs"] if row else 0) or 0)
     cost_runs = int((row["cost_runs"] if row else 0) or 0)
     pricing_gaps = int((row["pricing_gaps"] if row else 0) or 0)
-    usage_denominator = successful_runs or total_runs
-    cost_denominator = successful_runs or total_runs
+    interactive_unmetered_runs = int((row["interactive_unmetered_runs"] if row and "interactive_unmetered_runs" in row.keys() else 0) or 0)
+    usage_denominator = scored_successful_runs or (successful_runs if not interactive_unmetered_runs else 0)
+    cost_denominator = scored_successful_runs or (successful_runs if not interactive_unmetered_runs else 0)
     missing_usage_runs = max(0, usage_denominator - usage_runs) if usage_denominator else 0
     usage_coverage = round((usage_runs / usage_denominator) * 100, 1) if usage_denominator else 100.0
     cost_coverage = round((cost_runs / cost_denominator) * 100, 1) if cost_denominator else 100.0
@@ -3204,12 +3215,15 @@ def check_automation_telemetry(days: int = 7) -> DoctorCheck:
         f"runs={total_runs}",
         f"successful_runs={successful_runs}",
         f"failed_runs={failed_runs}",
+        f"scored_successful_runs={scored_successful_runs}",
         f"usage_coverage={usage_coverage}%",
         f"cost_coverage={cost_coverage}%",
         f"pricing_gaps={pricing_gaps}",
     ]
     if missing_usage_runs:
         evidence.append(f"missing_usage_runs={missing_usage_runs}")
+    if interactive_unmetered_runs:
+        evidence.append(f"interactive_unmetered_runs_excluded={interactive_unmetered_runs}")
     backends = str((row["backends"] if row else "") or "").strip()
     if backends:
         evidence.append(f"backends={backends}")

package/src/runtime_power.py

@@ -80,8 +80,15 @@ DEFAULT_CODEX_REASONING_EFFORT = _CODEX_DEFAULTS["reasoning_effort"]
 def resolve_launchagent_path() -> str:
     """Build a PATH string for LaunchAgent plists that includes nvm node if present."""
     home = Path.home()
-    parts = ["/opt/homebrew/bin", "/usr/local/bin", "/usr/bin", "/bin",
-             str(home / ".local/bin"), str(home / ".nexo/bin")]
+    parts = [
+        str(home / ".nexo/runtime/bootstrap/npm-global/bin"),
+        "/opt/homebrew/bin",
+        "/usr/local/bin",
+        "/usr/bin",
+        "/bin",
+        str(home / ".local/bin"),
+        str(home / ".nexo/bin"),
+    ]
     # Detect nvm node
     nvm_dir = home / ".nvm/versions/node"
     if nvm_dir.is_dir():

package/src/scripts/deep-sleep/phase_protocol_debt_drain.py

@@ -207,7 +207,7 @@ def run(
                 report["drained_ids"].append(int(row["id"]))
                 if not dry_run:
                     conn.execute(
-                        "UPDATE protocol_debt SET resolved_at = ?, resolution = ? "
+                        "UPDATE protocol_debt SET status = 'resolved', resolved_at = ?, resolution = ? "
                         "WHERE id = ? AND resolved_at IS NULL",
                         (
                             now.strftime("%Y-%m-%d %H:%M:%S"),

package/src/scripts/nexo-immune.py

@@ -367,8 +367,9 @@ def check_databases():
     dbs = [
         ("nexo.db", paths.db_path()),
         ("cognitive.db", paths.data_dir() / "cognitive.db"),
-        ("claude-mem.db", CLAUDE_MEM_DB),
     ]
+    if CLAUDE_MEM_DB.exists():
+        dbs.append(("claude-mem.db", CLAUDE_MEM_DB))
 
     for name, path in dbs:
         result = {"name": name, "status": "OK", "detail": ""}

package/src/scripts/nexo-watchdog.sh

@@ -652,10 +652,14 @@ for monitor in "${MONITORS[@]}"; do
         fi
       else
         if [ -n "$last_exit" ] && [ "$last_exit" != "0" ]; then
-          latest_run_failed=true
-          status="FAIL"
-          details="${details}Last run exited ${last_exit}. "
-          [ -n "$last_error" ] && details="${details}Error: ${last_error}. "
+          if [ "$last_exit" = "143" ] && echo "$last_error" | grep -qi "SIGTERM"; then
+            details="${details}Last run ended by SIGTERM; treated as supervisor reload/interruption, not cron failure. "
+          else
+            latest_run_failed=true
+            status="FAIL"
+            details="${details}Last run exited ${last_exit}. "
+            [ -n "$last_error" ] && details="${details}Error: ${last_error}. "
+          fi
         fi
         if [ "$age" -gt $(( max_stale * 3 )) ]; then
           if [ "$recovery_policy" = "catchup" ]; then